Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that the terms "comprises" and "comprising", and any variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Interpretation of terms:
SecureNN: SecureNN is a three-party secure computation protocol proposed by Wagh et al. in 2018 that supports both training and prediction of neural networks. The protocol is based mainly on secret sharing. Compared with earlier protocols, which can only guarantee security against a semi-honest adversary, SecureNN ensures that neither the input nor the output of an honest client can be learned even if any single server is corrupted by a malicious adversary. The protocol involves three servers: S_0 and S_1 hold 2-out-of-2 secret shares of the input at the start of protocol execution and 2-out-of-2 secret shares of the output at the end of the computation, while S_2 assists the other two servers in executing the protocol. For nonlinear activation functions, in addition to fitting them with linear polynomials, SecureNN computes the ReLU function indirectly by first computing its derivative, which avoids the approximation error introduced by a linear fit. Fig. 3 shows the dependencies between the SecureNN base protocols. The following are some of the primitives of the secret sharing technique.
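As a plaintext illustration of the ReLU trick mentioned above: SecureNN evaluates ReLU(x) as DReLU(x) · x, where DReLU is the 0/1 derivative (step function) computed first via private comparison. In the protocol both factors are held as secret shares; this sketch (with illustrative function names) shows only the underlying arithmetic identity.

```python
import numpy as np

def drelu(x):
    # Derivative of ReLU: 1 where x > 0, else 0 (computed in the protocol
    # via private comparison before the multiplication)
    return (x > 0).astype(x.dtype)

def relu_via_derivative(x):
    # ReLU(x) = DReLU(x) * x -- exact, no linear-polynomial fitting error
    return drelu(x) * x

x = np.array([-2.0, -0.5, 0.0, 1.5, 3.0])
assert np.array_equal(relu_via_derivative(x), np.maximum(x, 0.0))
```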
Shared value: for a shared value <a>, we have <a>_0 + <a>_1 ≡ a (mod F), where <a>_0, <a>_1, a ∈ F and F is a finite field.
Sharing Share_i(a): S_i selects a value r ∈ F, sets <a>_i = a − r, and sends r to S_{1-i}; at S_{1-i}, <a>_{1-i} = r.
Reconstruction Rec_i(a): S_{1-i} sends its share value <a>_{1-i} to S_i, and S_i computes a = <a>_0 + <a>_1.
Addition operation <c> = <a> + <b>: S_i can directly compute <c>_i = <a>_i + <b>_i locally.
Multiplication operation <c> = <a> · <b>: multiplication requires a pre-distributed multiplication triple <u>_i, <v>_i, <z>_i, where z = u · v mod F. S_i first computes <e>_i = <a>_i − <u>_i and <f>_i = <b>_i − <v>_i; the two parties then open Rec(e) and Rec(f) and each locally sets <c>_i = −i · e · f + f · <a>_i + e · <b>_i + <z>_i.
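The four primitives above can be sketched in Python over the ring Z_L with L = 2^64 (the modulus used later in this embodiment; a finite field F works the same way). The function names are illustrative, not taken from the SecureNN paper.

```python
import secrets

L = 2 ** 64  # ring Z_L; any modulus works the same way

def share(a):
    # Share_i(a): pick r in Z_L, set <a>_0 = a - r and <a>_1 = r
    r = secrets.randbelow(L)
    return ((a - r) % L, r)

def rec(s):
    # Rec(a): a = <a>_0 + <a>_1 (mod L)
    return (s[0] + s[1]) % L

def add(a, b):
    # <c>_i = <a>_i + <b>_i, computed locally by each party
    return tuple((a[i] + b[i]) % L for i in range(2))

def beaver_triple():
    # Pre-distributed triple with z = u * v (mod L), e.g. prepared by S_2
    u, v = secrets.randbelow(L), secrets.randbelow(L)
    return share(u), share(v), share((u * v) % L)

def mul(a, b):
    # e = Rec(<a> - <u>) and f = Rec(<b> - <v>) are opened publicly, then
    # <c>_i = -i*e*f + f*<a>_i + e*<b>_i + <z>_i
    us, vs, zs = beaver_triple()
    e = rec(tuple((a[i] - us[i]) % L for i in range(2)))
    f = rec(tuple((b[i] - vs[i]) % L for i in range(2)))
    return tuple((-i * e * f + f * a[i] + e * b[i] + zs[i]) % L
                 for i in range(2))

assert rec(add(share(3), share(4))) == 7
assert rec(mul(share(6), share(7))) == 42
```

Summing the two multiplication shares gives f·a + e·b + z − e·f = (u+e)(v+f) = a·b (mod L), confirming the formula above.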
Intel SGX: the Intel Software Guard Extensions are a set of new instructions and memory access mechanisms added to the Intel architecture. These extensions allow an application to instantiate a protected region called an Enclave. Operations can be executed in this secure environment with confidentiality and integrity protection even in the presence of a privileged system or malicious programs, preventing the code and data inside from being maliciously tampered with or obtained. Enclave code and data can optionally be examined and analyzed before the Enclave is created. Once the code and data of an application program are loaded into an Enclave, all external software access to it is protected, and any attempt to access or modify the contents of the Enclave is prohibited. SGX provides two attestation mechanisms, local attestation and remote attestation, to ensure that an authenticated application runs safely in a trusted environment.
Example one
The embodiment provides a machine learning security aggregation prediction method supporting bidirectional privacy protection;
the machine learning security aggregation prediction method supporting bidirectional privacy protection comprises the following steps:
s101: the method comprises the steps that a calculation server receives data share of data to be predicted, wherein the data share is sent by a client;
s102: the calculation server processes the data share to obtain a prediction result share;
s103: the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share;
s104: the computing server sends the blinded prediction result share to an aggregation server;
s105: and the aggregation server performs blind removing processing and noise adding processing on the blind prediction result share, and feeds back the result to the client.
As one or more embodiments, before the step of the method S101, the method further includes:
s1001: dividing the locally trained machine learning model into a plurality of model shares by a model holder; sending the model share to a corresponding calculation server;
s1002: and the aggregation server randomly generates blinding matrices in the trusted region and sends them to the corresponding calculation servers.
Further, before the step S1001, the method further includes:
s1000: and the aggregation server creates an Enclave trusted zone, and the model holder and the computing server perform remote authentication to ensure that the computing server operates in a safe SGX environment.
Further, the S1001: the model holder divides the locally trained model into two model shares; this means that the model holder splits the locally trained model into a plurality of model shares using secret sharing.
Illustratively, the S1001: the model holder divides the locally trained model into two model shares; the specific implementation mode is as follows:
P_i splits the locally trained model W_i into two model shares using secret sharing: P_i randomly selects r ∈ Z_L, where Z_L is a ring and L = 2^64, computes the model shares share_0(W_i) = W_i − r (mod L) and share_1(W_i) = r, and sends the model shares to the two computation servers S_0, S_1. The computation servers cannot directly access the original model and obtain only the model shares.
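A minimal sketch of this splitting step, assuming the model weights are already fixed-point encoded as 64-bit integers (NumPy uint64 arithmetic wraps modulo 2^64, so subtraction and addition directly implement the ring Z_L):

```python
import numpy as np

rng = np.random.default_rng()

def split_model(W):
    # share_0(W_i) = W_i - r (mod L), share_1(W_i) = r, with L = 2^64
    r = rng.integers(0, 2 ** 64, size=W.shape, dtype=np.uint64)
    return W - r, r  # uint64 subtraction wraps mod 2^64

# Toy "model": a 3x4 matrix of fixed-point-encoded weights
W = rng.integers(0, 2 ** 16, size=(3, 4), dtype=np.uint64)
s0, s1 = split_model(W)            # sent to S_0 and S_1 respectively
assert np.array_equal(s0 + s1, W)  # reconstruction recovers W exactly
```

Each share alone is uniformly distributed and therefore reveals nothing about W.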
Illustratively, the S1002: the aggregation server randomly generates blinding matrices in the trusted region and sends them to the corresponding calculation servers; the specific implementation is as follows:
The aggregation server randomly generates blinding matrices mask_0 and mask_1 in the Enclave and sends them to the computation servers through a secure channel.
The blinding matrices protect the prediction result shares after the computation servers complete the prediction computation, preventing them from being attacked in the untrusted region of the aggregation server.
It should be understood that the blinding matrix is a random matrix used to protect the prediction result shares. It is generated in the trusted Enclave and then sent to the two computation servers through a secure channel; after the computation servers complete model prediction, they use it to blind their prediction result shares.
Consider the case without a blinding matrix: the two servers would complete the prediction, obtain the shares share_0(Y_i) and share_1(Y_i), and send them directly to the aggregation server.
The untrusted aggregation server could then directly reconstruct the prediction result Y_i = share_0(Y_i) + share_1(Y_i), directly revealing the user's private prediction result; on the other hand, an adversary could also use the prediction results to indirectly attack the training model, for example with a membership inference attack.
After the protection of the blinding matrices is added, the untrusted server receives only the blinded prediction shares, and reconstruction yields only the blinded prediction result Y_mask = share_0(Y_i) + mask_0 + share_1(Y_i) + mask_1 = Y_i + mask. Removal of the blinding matrix can be done only in the Enclave, so the prediction result is not revealed.
The blinding matrix is generated as follows: a random matrix is sampled from the uniform distribution, and its data type must be consistent with the data type of the prediction secret shares.
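The generation and use of the blinding matrices can be sketched as follows (the name gen_masks is illustrative). Reconstructing the blinded shares in the untrusted zone yields only Y + mask; subtracting mask, which is possible only where mask is known, i.e. inside the Enclave, recovers Y:

```python
import numpy as np

rng = np.random.default_rng()

def gen_masks(shape):
    # Inside the Enclave: two uniform random matrices with the same dtype
    # as the prediction secret shares (uint64 here, wrapping mod 2^64)
    mask0 = rng.integers(0, 2 ** 64, size=shape, dtype=np.uint64)
    mask1 = rng.integers(0, 2 ** 64, size=shape, dtype=np.uint64)
    return mask0, mask1

# Toy prediction result and its 2-out-of-2 additive shares at S_0 and S_1
Y = np.array([[100, 250, 650]], dtype=np.uint64)
r = rng.integers(0, 2 ** 64, size=Y.shape, dtype=np.uint64)
share0, share1 = Y - r, r

mask0, mask1 = gen_masks(Y.shape)
# The untrusted zone can reconstruct only Y_mask = Y + mask, not Y itself
Y_mask = (share0 + mask0) + (share1 + mask1)
assert np.array_equal(Y_mask - (mask0 + mask1), Y)  # de-blinding in Enclave
```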
As will be appreciated, Enclave: an Intel SGX program consists of two parts, an untrusted application and a trusted Enclave. At run time, the Intel SGX instructions create a trusted Enclave in a specific protected memory region to store the data and code to be protected, which effectively prevents data leakage.
Further, the S1000, S1001 and S1002 are all completed in the offline stage, as shown in fig. 1.
As one or more embodiments, the S101: the method comprises the steps that a calculation server receives data share of data to be predicted, wherein the data share is sent by a client; the method comprises the following specific steps:
a first computing server receives a first data share of data to be predicted, which is sent by a client; and the second computing server receives a second data share of the data to be predicted, which is sent by the client.
Illustratively, the S101: the method comprises the steps that a calculation server receives data share of data to be predicted, wherein the data share is sent by a client; the method comprises the following specific steps:
The client and the computation servers perform remote attestation to ensure the security, authenticity, and integrity of the computation server hardware. After the attestation passes, the client C divides the data x to be predicted into two data shares share_0(x) = r and share_1(x) = x − r (mod L) and sends them to the servers S_0, S_1.
Share() is the sharing operation: to protect its private input x, the client selects a random value r ∈ Z_L, where Z_L is a ring and L = 2^64, as the first secret share share_0(x); it then computes x − r (mod L) as the second secret share share_1(x) and sends the two secret shares to the servers, where mod denotes the modulo operation.
As one or more embodiments, the S102: the calculation server processes the data share to obtain a prediction result; the method comprises the following specific steps:
the first calculation server calculates a first prediction result based on the first data share; the second computing server computes a second prediction result based on the second data share.
Illustratively, the S102: the calculation server processes the data share to obtain a prediction result share; the method comprises the following specific steps:
The servers S_0, S_1, S_2 carry out a secure three-party prediction computation based on the SecureNN protocol and obtain the prediction result shares share_0(Y_i) and share_1(Y_i).
It should be understood that the computation between servers in this application is essentially a secret share based computation.
Before performing the secure multiparty computation, S_0 holds the model secret share share_0(W_i) and the user's data share share_0(x), and S_1 holds the model secret share share_1(W_i) and the user's to-be-predicted data share share_1(x). With the assistance of S_2, the two servers complete the interactive computation under the SecureNN protocol and obtain their respective prediction result shares share_0(Y_i) and share_1(Y_i).
The SecureNN protocol comprises secret-sharing-based basic protocols such as addition, multiplication, matrix multiplication, activation functions, and private comparison, and can complete machine learning prediction computation.
As one or more embodiments, the S103: the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share; the method comprises the following specific steps:
the first calculation server carries out blind processing on the first prediction result share to obtain a first blind prediction result share; and the second calculation server performs blind processing on the second prediction result share to obtain a second blind prediction result share.
Further, the first calculation server performs blinding processing on the first prediction result share to obtain a first blinded prediction result share; the method comprises the following steps: and the first computing server performs blinding processing on the first prediction result share through the first blinding matrix to obtain a first blinded prediction result share.
Further, the second calculation server performs blinding processing on the second prediction result share to obtain a second blinded prediction result share; the method comprises the following steps: and the second calculation server performs blinding processing on the second prediction result share through a second blinding matrix to obtain a second blinded prediction result share.
Illustratively, the S103: the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share; the method comprises the following specific steps:
The computation servers S_0, S_1 blind the prediction result shares they each hold using the previously obtained blinding matrices.
It should be understood that if the prediction shares were not blinded, the aggregation server, upon obtaining share_0(Y_i) and share_1(Y_i), could directly reconstruct Y_i = share_0(Y_i) + share_1(Y_i) and leak the prediction result.
Further, the step S103: the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share; the method comprises the following specific steps:
and the calculation server performs blind processing on the share of the prediction result by adopting a blind matrix to obtain the share of the blind prediction result.
Further, the step of obtaining the blinding matrix includes:
and the aggregation server randomly generates a blinding matrix in the credible region.
As one or more embodiments, the S104: the computing server sends the blinded prediction result share to an aggregation server; the method comprises the following specific steps:
the first computing server sends the first blinded prediction result share to the aggregation server; the second computing server sends the second blinded prediction result share to the aggregation server.
As one or more embodiments, the S105: the aggregation server carries out blind removing processing and noise adding processing on the blind prediction result share, and feeds back the result to the client; the method comprises the following specific steps:
s1051: the aggregation server reconstructs the blind prediction result from the first blind prediction result share and the second blind prediction result share in the untrusted area to obtain a third blind prediction result share;
s1052: the aggregation server carries out de-blinding processing on the third blinded prediction result share in the credible area to obtain an intermediate result; the aggregation server calculates an aggregation prediction result based on the intermediate result;
s1053: and the aggregation server performs noise processing on the aggregation prediction result and sends the aggregation prediction result subjected to the noise processing to the client.
Further, the S1051 aggregation server reconstructs the blind prediction result from the first blind prediction result share and the second blind prediction result share in the untrusted region, to obtain a third blind prediction result share; the method comprises the following specific steps:
The aggregation server obtains the blinded prediction result shares and reconstructs the blinded prediction result in the untrusted region, namely Y_mask = share_0(Y_i) + mask_0 + share_1(Y_i) + mask_1 = Y_i + mask.
It should be understood that the prediction result Y_i is not revealed here, since the blinding matrix is not present in the untrusted region.
Further, the S1052: the aggregation server carries out de-blinding processing on the third blinded prediction result share in the credible area to obtain an intermediate result; the method comprises the following specific steps:
The aggregation server removes the blinding matrix in the trusted zone Enclave to obtain the prediction result: Y_i = Y_mask − mask.
further, the S1052: the aggregation server calculates an aggregation prediction result based on the intermediate result; the method comprises the following specific steps:
The aggregation server calculates the aggregated prediction result Y_a using a soft voting method.
Soft voting has a higher accuracy than hard voting.
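The exact aggregation formula is not reproduced in the text, so the sketch below assumes the standard form of soft voting: averaging the teachers' probability vectors. Hard voting would count only each model's argmax as a ballot, discarding confidence information, which is why soft voting tends to be more accurate.

```python
import numpy as np

def soft_vote(prob_vectors):
    # Average the probability vectors Y_i from the n teacher models;
    # the aggregated prediction Y_a is the mean distribution
    return np.mean(prob_vectors, axis=0)

# Three teachers' (de-blinded) prediction vectors over j = 3 classes
preds = np.array([[0.7, 0.2, 0.1],
                  [0.4, 0.5, 0.1],
                  [0.6, 0.3, 0.1]])
Y_a = soft_vote(preds)
assert np.allclose(Y_a, [1.7 / 3, 1.0 / 3, 0.1])
assert Y_a.argmax() == 0  # aggregated predicted class
```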
Further, the S1053: the aggregation server carries out noise processing on the aggregation prediction result and sends the aggregation prediction result subjected to the noise processing to the client; the method comprises the following specific steps:
The aggregation server first computes the entropy of the aggregated prediction result.
For predictors with higher entropy, less noise is added, whereas for predictors with lower entropy, more noise is added.
According to the entropy, the aggregation server calculates a corresponding noise coefficient N.
Finally, the aggregation server adds noise to the prediction result: Y'_a = Y_a + N·c·(d − Y_a), where d is the class distribution of the training data and c is a control coefficient that controls the magnitude of the added noise.
In order to solve the privacy leakage problem of the PATE framework during knowledge transfer from the teacher models to the student model, and to overcome the performance limitations of the PATE framework, a scheme combining secret sharing and trusted computing (SGX) is provided. In the offline stage, each model holder (teacher) uses secret sharing to divide its model into two model shares, which are uploaded to and stored on two computation servers; in addition, the aggregation server generates blinding matrices in the trusted region and sends them to the two computation servers to protect the prediction results. In the online prediction stage, as shown in fig. 2, the client (student) likewise uploads the private data to be predicted to the two servers in share form for prediction computation; the computation servers protect the prediction result shares with the blinding matrices, and the aggregation server receives the blinded prediction shares, removes the blinding matrices in the trusted zone, aggregates the prediction results from multiple private models, adds noise to the aggregated result for further protection, and returns the aggregated result to the client, as shown in fig. 4.
The method involves three parties: the model holders, the servers (comprising two computation servers and an aggregation server), and the client. The specific steps are as follows:
1. The model holder P_i divides the locally trained model W_i into two model shares share_0(W_i) and share_1(W_i) and sends them to the computation servers S_0, S_1.
2. The aggregation server S_2 randomly generates blinding matrices mask_0, mask_1 with mask = mask_0 + mask_1 in the trusted zone Enclave and sends them to the computation servers S_0, S_1 through a secure channel.
3. The client C divides the data x to be predicted into two data shares share_0(x) and share_1(x) and sends them to the servers S_0, S_1.
4. The servers S_0, S_1 compute the prediction result shares on the model shares they hold, namely share_0(Y_i) and share_1(Y_i), where Y is the prediction vector (y_1, y_2, …, y_j), j is the number of prediction classes, and y is the prediction probability.
5. The servers S_0, S_1 blind their prediction result shares and send the blinded results to the aggregation server.
6. The aggregation server computes the blinded prediction result in the untrusted zone: Y_mask = share_0(Y_i) + mask_0 + share_1(Y_i) + mask_1 = Y_i + mask.
7. The aggregation server removes the blinding in the trusted zone Enclave: Y_i = Y_mask − mask.
8. The aggregation server computes the aggregated prediction result using soft voting.
9. The aggregation server optimizes the aggregated result by adding noise, reducing the information content of the prediction result, and sends the noised prediction result Y'_a to the client C.
Table 1 algorithm 1: execution of the framework
Example two
The embodiment provides a machine learning security aggregation prediction system supporting bidirectional privacy protection;
machine learning security aggregation prediction system supporting bi-directional privacy protection, comprising: the system comprises a client, a computing server and an aggregation server;
the method comprises the steps that a calculation server receives data share of data to be predicted, wherein the data share is sent by a client; the calculation server processes the data share to obtain a prediction result share; the calculation server carries out blind processing on the prediction result share to obtain a blind prediction result share; the computing server sends the blinded prediction result share to an aggregation server; and the aggregation server performs blind removing processing and noise adding processing on the blind prediction result share, and feeds back the result to the client.
In the foregoing embodiments, the descriptions of the embodiments have different emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.