CN114003961A - Deep neural network reasoning method with privacy protection - Google Patents


Publication number
CN114003961A
Authority
CN
China
Prior art keywords
matrix
layer
result
client
neural network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111472835.3A
Other languages
Chinese (zh)
Other versions
CN114003961B (en)
Inventor
于佳
郭丽
郝蓉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qingdao University
Original Assignee
Qingdao University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qingdao University filed Critical Qingdao University
Priority to CN202111472835.3A priority Critical patent/CN114003961B/en
Publication of CN114003961A publication Critical patent/CN114003961A/en
Application granted granted Critical
Publication of CN114003961B publication Critical patent/CN114003961B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/04 Inference or reasoning models

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Biophysics (AREA)
  • Molecular Biology (AREA)
  • Biomedical Technology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioethics (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a deep neural network reasoning method with privacy protection, which comprises the following steps: the client generates a key; the client encrypts the input data matrix and the weight matrix of the trained deep neural network model by using the key and sends the encrypted input data matrix and the weight matrix to the edge server; the edge server performs linear layer calculation on the input data matrix by using the received weight matrix of the deep neural network model and returns the result to the client; the client verifies the returned result, if the result is correct, the client receives the result, and if the result is incorrect, the client refuses to receive the result; for the result of correct verification, the client recovers the actual output result of the linear layer by using the locally stored key and the bias matrix; and the client locally calculates the nonlinear layer, takes the calculation result as the input of the next linear layer, and circulates the steps until the final reasoning result is obtained. The invention can save the calculation expense of the user and simultaneously can ensure the privacy of the user data and the model.

Description

Deep neural network reasoning method with privacy protection
Technical Field
The invention relates to the technical field of information security, in particular to a deep neural network reasoning method with privacy protection.
Background
With the development of machine learning and the rise of artificial intelligence, many research fields are trying to realize artificial intelligence by using machine learning algorithms, for example generative adversarial networks for image inpainting and deep learning frameworks for image recognition. However, the inference task of a complex deep neural network typically involves a large number of computational operations. For example, with some popular deep neural network architectures, a single inference task for visual inspection requires billions of computational operations, which makes it a challenge to perform these operations efficiently on resource-limited Internet-of-Things devices.
The rapid development of edge computing provides an effective way for resource-constrained devices to perform complex deep neural network inference. Outsourced computation is one of the most important applications of edge computing. It allows resource-constrained users to outsource complex computation to an edge server, with charges applied only to the users who use the computing resources. According to who provides the deep neural network model, existing work on outsourced deep neural network inference can be divided into two types: 1) the user submits the data to be inferred and the cloud server/edge server provides a trained deep neural network model; the service provided by the server is called inference as a service. 2) The trained model and the data to be inferred are provided by the same user, and the cloud server/edge server only provides computing resources. In both ways, the resource-limited user can use the computing power of the cloud server/edge server to complete the complex computing operations of the deep neural network inference phase.
While users may benefit from outsourcing deep neural network inference to reduce their computational and storage burden, protecting user data privacy and the validity of inference results is a rather challenging problem. Some data collected by the terminal device may be very sensitive, such as medical diagnostic data. Once the data is leaked, it causes a lot of trouble for the user. In addition, some external factors, such as hacker attacks on the cloud server/edge server, may also cause the computing results to be invalid. How to make edge-computing-assisted deep neural network inference more secure and more efficient has become a problem to be solved urgently.
Two common techniques for privacy-preserving deep neural network inference are homomorphic encryption and secure multiparty computation. Privacy-preserving inference schemes built with homomorphic encryption and secure multi-party computation offer strong security, but their computational efficiency is low. To avoid the complexity and inefficiency of homomorphic encryption and secure multiparty computation, a new dual-edge-server framework has emerged, which employs a lightweight encryption scheme to perform deep neural network inference efficiently under privacy protection. It greatly improves the inference efficiency of the deep neural network and significantly reduces the computing energy consumption of Internet-of-Things devices. However, it can only protect the privacy of the input data, not the user's trained model. Deep neural network models are also core assets of their suppliers, as training an effective model requires a large investment in data sets, resources, and expertise. Existing solutions thus either require time-consuming cryptographic operations or fail to protect the privacy of the trained model. Therefore, how to realize secure and efficient deep neural network inference while protecting both input data and model privacy is an important issue.
Disclosure of Invention
In view of the above problems, an object of the present invention is to provide a deep neural network inference method with privacy protection, in which a user may send data to be inferred and a trained model to an edge server, the edge server processes a computationally burdensome and time-consuming linear layer, and the user only needs to process a computationally efficient nonlinear layer and encryption/decryption operations, thereby saving computational overhead of the user and ensuring privacy of the user data and the model.
To solve the above technical problem, an embodiment of the present invention provides the following solutions:
a deep neural network reasoning method with privacy protection comprises the following steps:
the client generates a key;
the client encrypts an input data matrix and a weight matrix of the trained deep neural network model by using the secret key, and sends the encrypted input data matrix and the weight matrix to the first edge server and the second edge server, wherein the bias matrix of the deep neural network model is stored locally;
the first edge server and the second edge server perform linear layer calculation on the input data matrix by using the received weight matrix of the deep neural network model, and return results to the client;
the client verifies the returned result, if the result is correct, the client receives the result, and if the result is incorrect, the client refuses to receive the result;
for the result of correct verification, the client recovers the actual output result of the linear layer by using the locally stored key and the bias matrix;
and the client locally calculates the nonlinear layer, takes the calculation result as the input of the next linear layer, and circulates the steps until the final inference result of the deep neural network model is obtained.
Preferably, the client generating the key specifically includes:
the trained deep neural network model contains Q linear layers in total; for the i-th linear layer of the model, the input data matrix is denoted by $X_i$ ($1 \le i \le Q$), the weight matrix by $W_i$, and the bias matrix by $B_i$;
a key is generated by using the KeyGen key generation algorithm, which takes a security parameter $k$ as input and outputs a random number matrix $R_i$ and a random number $c_i$ as the key; each element of $R_i$ is a $k$-bit random number, and $R_i$, which has the same size as $W_i$, is used to blind the weight matrix $W_i$; $c_i$ is also a $k$-bit random number and is used to blind the input data matrix $X_i$ of the i-th layer.
Preferably, the encrypting the input data matrix and the trained weight matrix of the deep neural network model specifically includes:
the input data matrix and the weight matrix are encrypted by using the Input Encryption algorithm, which takes as input the random number matrix $R_i$, the random number $c_i$, the input data matrix $X_i$ and the weight matrix $W_i$, and outputs four matrices $X_{i,a}$, $X_{i,b}$, $W_{i,a}$ and $W_{i,b}$.
The encryption process is as follows: first, the random number $c_i$ is used to construct a matrix $C_i$; the matrix $C_i$ is formed from $c_i$ and has the same size as $X_i$; to blind $X_i$, it is divided into two matrices $X_{i,a}$ and $X_{i,b}$; then the random number matrix $R_i$ is used to blind the weight matrix $W_i$ into two matrices $W_{i,a}$ and $W_{i,b}$; after encryption is completed, $X_{i,a}$ and $W_{i,a}$ are sent to the first edge server $ES_A$, and $X_{i,b}$ and $W_{i,b}$ are sent to the second edge server $ES_B$.
Preferably, in the encryption process, the two matrices $X_{i,a}$ and $X_{i,b}$ satisfy the following conditions:
$X_i = X_{i,a} + X_{i,b}$
$C_i = X_{i,a} - X_{i,b}$
Solving these gives:
$X_{i,a} = \frac{1}{2}(X_i + C_i)$;
$X_{i,b} = \frac{1}{2}(X_i - C_i)$;
then the random number matrix $R_i$ is used to blind the weight matrix $W_i$ into two matrices $W_{i,a}$ and $W_{i,b}$:
$W_{i,a} = W_i + R_i$
$W_{i,b} = W_i - R_i$
Preferably, the performing, by the first edge server and the second edge server, the linear layer calculation on the input data matrix by using the received weight matrix of the deep neural network model specifically includes:
the first edge server and the second edge server perform linear layer calculation on the input data matrix by using a Privacy-forecasting calculation algorithm: after receiving $X_{i,a}$ and $W_{i,a}$, the first edge server $ES_A$ calculates the convolution of the two to obtain a result $S_{i,a}$; after receiving $X_{i,b}$ and $W_{i,b}$, the second edge server $ES_B$ calculates the convolution of the two to obtain a result $S_{i,b}$; the output of the algorithm is $S_{i,a}$ and $S_{i,b}$.
Preferably, the verifying the returned result by the client specifically includes:
the client verifies the returned result by using a Verification algorithm: the client randomly selects the value at any position of $S_{i,a}$ or $S_{i,b}$, then uses $X_i$, $W_i$ and the locally stored key, i.e. the random number matrix $R_i$ and the random number $c_i$, to calculate the convolution value at the corresponding position; the client compares whether the two values are equal; if not, the client refuses to receive the returned result; if so, it continues with the next step.
Preferably, the recovering, by the client, the actual output result of the linear layer by using the locally stored key and the bias matrix specifically includes:
the client recovers the encrypted result by using the Recovery algorithm, whose input is the results $S_{i,a}$ and $S_{i,b}$ returned by the first edge server and the second edge server; the client first uses the random number $c_i$ to construct the matrix $C_i$, which is formed from $c_i$ and has the same size as $X_i$; the client then uses $C_i$, the locally stored random number matrix $R_i$ and the bias matrix $B_i$ to recover the actual output result $O_i$: $O_i = S_{i,a} + S_{i,b} - C_i \cdot R_i + B_i$, where $O_i$ is the actual output result of the i-th linear layer.
Preferably, the input of the (i + 1)-th linear layer is $X_{i+1} = NF(O_i)$, where NF is the activation function of the nonlinear layer; the above algorithms are executed in a loop until the final inference result $Res = NF(O_Q)$ of the deep neural network model is obtained.
Preferably, the deep neural network model comprises an input layer, a hidden layer and an output layer, wherein the hidden layer comprises convolutional layers, activation layers, pooling layers and fully-connected layers; the convolutional layers and the fully-connected layers are linear layers, and the activation layers and the pooling layers are nonlinear layers.
The technical scheme provided by the embodiment of the invention has the beneficial effects that at least:
1) Resource-constrained users can also achieve efficient deep neural network inference at low cost.
2) The inefficiency of cumbersome homomorphic encryption and secure multi-party computation techniques is avoided.
3) The method can ensure the privacy of the input data to be inferred of the user and the privacy of the deep neural network model trained by the user.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flow chart of a deep neural network inference method with privacy protection provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of a deep neural network inference system with privacy protection provided by an embodiment of the present invention;
fig. 3 is a schematic diagram of a basic structure of a deep neural network model hidden layer according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The embodiment of the invention provides a deep neural network reasoning method with privacy protection, the flow of the method is shown in fig. 1, and a system model involved in the method is shown in fig. 2 and comprises a client (a data and deep neural network model owner) and two outsourced edge servers (a first edge server and a second edge server).
The method comprises the following steps:
the client generates a key;
the client encrypts an input data matrix and a weight matrix of the trained deep neural network model by using the secret key, and sends the encrypted input data matrix and the weight matrix to the first edge server and the second edge server, wherein the bias matrix of the deep neural network model is stored locally;
the first edge server and the second edge server perform linear layer calculation on the input data matrix by using the received weight matrix of the deep neural network model, and return results to the client;
the client verifies the returned result, if the result is correct, the client receives the result, and if the result is incorrect, the client refuses to receive the result;
for the result of correct verification, the client recovers the actual output result of the linear layer by using the locally stored key and the bias matrix;
and the client locally calculates the nonlinear layer, takes the calculation result as the input of the next linear layer, and circulates the steps until the final inference result of the deep neural network model is obtained.
In the embodiment of the invention, a user at a client can send data needing to be inferred and a trained model to the edge server, the edge server processes a linear layer which is heavy in calculation and time-consuming, and the user only needs to process a nonlinear layer with high calculation efficiency and encryption and decryption operations. The method of the invention can not only save the calculation cost of the user, but also ensure the privacy of the user data and the model.
In the embodiment of the present invention, the deep neural network model includes an input layer, a hidden layer, and an output layer, where the hidden layer includes convolutional layers, activation layers, pooling layers, and fully-connected layers, as shown in fig. 3; the convolutional layers and the fully-connected layers are linear layers, and the activation layers and the pooling layers are nonlinear layers.
The convolutional layer performs feature extraction on the input data matrix and usually contains multiple convolution kernels. The convolution operation multiplies the convolution kernel element by element with the corresponding entries of the input matrix and then sums the products. The convolution operation starts from the top left corner of the input data matrix and ends at the bottom right corner. The matrix obtained by convolving the original matrix is called a feature map.
Typically, each convolutional layer is followed by an active layer. The activation layer typically enhances the model's ability to handle non-linear problems by using an activation function. The main activation functions are the sigmoid function, tanh function and the ReLU function.
The pooling layer is mainly used to reduce the dimensionality of each feature map while retaining the most important information. There are generally two kinds of pooling operation, maximum pooling and average pooling. The difference between the two lies in how the values in the pooling window are processed: maximum pooling takes the maximum of the values in the pooling window, and average pooling takes their average.
The fully-connected layer acts as a "classifier" in the overall convolutional neural network. In practical use, the input data of the fully-connected layer needs to be preprocessed into a vector form, and the calculation mode is similar to that of the convolutional layer.
Deep neural networks are essentially a mapping from input to output that is capable of learning a large number of mappings between inputs and outputs without requiring any precise mathematical expression between inputs and outputs.
As an embodiment of the invention, it is assumed that a trained deep neural network model is already available, containing Q linear layers (convolutional layers and fully-connected layers) in total. The input data corresponding to the i-th linear layer of the model is denoted by $X_i$ ($1 \le i \le Q$), the weight matrix by $W_i$ ($1 \le i \le Q$), and the bias matrix by $B_i$ ($1 \le i \le Q$). In the following description, the subscript i denotes the i-th linear layer.
For the i-th linear layer, the client first generates a key by using the KeyGen key generation algorithm, which takes a security parameter $k$ as input and outputs a random number matrix $R_i$ and a random number $c_i$ as the key; each element of $R_i$ is a $k$-bit random number, and $R_i$, which has the same size as $W_i$, is used to blind the weight matrix $W_i$; $c_i$ is also a $k$-bit random number and is used to blind the input data matrix $X_i$ of the i-th layer.
Then, the Input Encryption algorithm is used to encrypt the input data matrix and the weight matrix; it takes as input the random number matrix $R_i$, the random number $c_i$, the input data matrix $X_i$ and the weight matrix $W_i$, and outputs four matrices $X_{i,a}$, $X_{i,b}$, $W_{i,a}$ and $W_{i,b}$.
The encryption process is as follows: first, the random number $c_i$ is used to construct a matrix $C_i$; the matrix $C_i$ is formed from $c_i$ and has the same size as $X_i$; to blind $X_i$, it is divided into two matrices $X_{i,a}$ and $X_{i,b}$, which satisfy the following conditions:
$X_i = X_{i,a} + X_{i,b}$
$C_i = X_{i,a} - X_{i,b}$
Solving these gives:
$X_{i,a} = \frac{1}{2}(X_i + C_i)$;
$X_{i,b} = \frac{1}{2}(X_i - C_i)$;
then the random number matrix $R_i$ is used to blind the weight matrix $W_i$ into two matrices $W_{i,a}$ and $W_{i,b}$:
$W_{i,a} = W_i + R_i$
$W_{i,b} = W_i - R_i$
After encryption is completed, $X_{i,a}$ and $W_{i,a}$ are sent to the first edge server $ES_A$, and $X_{i,b}$ and $W_{i,b}$ are sent to the second edge server $ES_B$.
After receiving the encrypted data, the first edge server and the second edge server perform linear layer calculation on the input data matrix by using the Privacy-forecasting calculation algorithm: after receiving $X_{i,a}$ and $W_{i,a}$, the first edge server $ES_A$ calculates the convolution of the two to obtain a result $S_{i,a}$; after receiving $X_{i,b}$ and $W_{i,b}$, the second edge server $ES_B$ calculates the convolution of the two to obtain a result $S_{i,b}$; the output of the algorithm is $S_{i,a}$ and $S_{i,b}$.
After the two edge servers finish the calculation, they return the results to the client. The client verifies the returned result by using a Verification algorithm: the client randomly selects the value at any position of $S_{i,a}$ or $S_{i,b}$, then uses $X_i$, $W_i$ and the locally stored key, i.e. the random number matrix $R_i$ and the random number $c_i$, to calculate the convolution value at the corresponding position; the client compares whether the two values are equal; if not, the client refuses to receive the returned result; if so, it continues with the next step.
For a correctly verified result, the client recovers the encrypted result by using the Recovery algorithm, whose input is the results $S_{i,a}$ and $S_{i,b}$ returned by the first edge server and the second edge server; the client first uses the random number $c_i$ to construct the matrix $C_i$, which is formed from $c_i$ and has the same size as $X_i$; the client then uses $C_i$, the locally stored random number matrix $R_i$ and the bias matrix $B_i$ to recover the actual output result $O_i$: $O_i = S_{i,a} + S_{i,b} - C_i \cdot R_i + B_i$, where $O_i$ is the actual output result of the i-th linear layer.
The client locally performs the calculation of the nonlinear layer and takes the calculation result as the input of the next linear layer. The input of the (i + 1)-th linear layer is $X_{i+1} = NF(O_i)$, where NF is the activation function of the nonlinear layer; the above algorithms are executed in a loop until the final inference result $Res = NF(O_Q)$ of the deep neural network model is obtained.
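One round of the protocol described above for a single linear layer, as an added example that is not part of the patent. It assumes that every entry of $C_i$ equals $c_i$, that "convolution" is the valid, stride-1 sliding dot product used in CNN layers, and that $B_i$ has the shape of the layer output; all function names and the sample matrices are hypothetical.

```python
import secrets
from fractions import Fraction

HALF = Fraction(1, 2)  # exact 1/2 so the shares recombine without rounding


def conv_at(x, w, r, c):
    """One output element: kernel w laid over x with its top-left at (r, c)."""
    return sum(x[r + i][c + j] * w[i][j]
               for i in range(len(w)) for j in range(len(w[0])))


def conv2d(x, w):
    """Valid (no padding, stride 1) CNN-style convolution of x with kernel w."""
    rows = len(x) - len(w) + 1
    cols = len(x[0]) - len(w[0]) + 1
    return [[conv_at(x, w, r, c) for c in range(cols)] for r in range(rows)]


def keygen(k, W):
    """KeyGen: k-bit random matrix R_i shaped like W_i, plus a k-bit scalar c_i."""
    R = [[secrets.randbits(k) for _ in row] for row in W]
    return R, secrets.randbits(k)


def encrypt(X, W, R, c):
    """Input Encryption: X_a=(X+C)/2, X_b=(X-C)/2, W_a=W+R, W_b=W-R."""
    Xa = [[HALF * (x + c) for x in row] for row in X]
    Xb = [[HALF * (x - c) for x in row] for row in X]
    Wa = [[w + r for w, r in zip(wr, rr)] for wr, rr in zip(W, R)]
    Wb = [[w - r for w, r in zip(wr, rr)] for wr, rr in zip(W, R)]
    return (Xa, Wa), (Xb, Wb)


def verify(S, share, pos, X, W, R, c):
    """Verification: recompute one position of S_a ('a') or S_b ('b') locally."""
    s = 1 if share == "a" else -1
    r0, c0 = pos
    expected = sum(HALF * (X[r0 + i][c0 + j] + s * c) * (W[i][j] + s * R[i][j])
                   for i in range(len(W)) for j in range(len(W[0])))
    return S[r0][c0] == expected


def recover(Sa, Sb, R, c, B, X):
    """Recovery: O = S_a + S_b - C.R + B, with C.R the convolution of C and R."""
    C = [[c] * len(X[0]) for _ in X]  # assumption: C_i is filled with c_i
    CR = conv2d(C, R)
    return [[Sa[r][q] + Sb[r][q] - CR[r][q] + B[r][q]
             for q in range(len(Sa[0]))] for r in range(len(Sa))]


def linear_layer(X, W, B, k=64, tamper=None, check=None):
    """Client view of one layer. tamper=(share, r, c) simulates a faulty server;
    check=(share, (r, c)) pins the spot check, otherwise it is chosen at random."""
    R, c = keygen(k, W)
    (Xa, Wa), (Xb, Wb) = encrypt(X, W, R, c)
    S = {"a": conv2d(Xa, Wa), "b": conv2d(Xb, Wb)}  # work done by ES_A and ES_B
    if tamper:
        share, r, q = tamper
        S[share][r][q] += 1
    if check is None:
        share = "ab"[secrets.randbelow(2)]
        check = (share, (secrets.randbelow(len(S[share])),
                         secrets.randbelow(len(S[share][0]))))
    if not verify(S[check[0]], check[0], check[1], X, W, R, c):
        raise ValueError("verification failed: result rejected")
    return recover(S["a"], S["b"], R, c, B, X)


def relu(O):
    """NF: the nonlinear layer, computed locally by the client."""
    return [[max(0, v) for v in row] for row in O]


# Constructed sample data: 3x3 input, 2x2 kernel, 2x2 bias.
X1 = [[1, 2, 0], [0, -1, 3], [2, 1, 1]]
W1 = [[1, -1], [2, 0]]
B1 = [[0, 1], [-1, 0]]
```

Because Verification samples a single position, a wrong value at any other position passes the check; the `check` and `tamper` parameters make this visible. Checking more positions per layer raises the probability of detecting a faulty server.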
In summary, the deep neural network inference method provided by the invention effectively utilizes the edge server to process the linear layer which is heavy and time-consuming in computation, and the user only needs to process the nonlinear layer with high computation efficiency and encryption and decryption operations, so that the user with limited resources can also spend less cost to realize high-efficiency deep neural network inference, and meanwhile, the privacy of the user input data and the deep neural network model can be ensured.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (9)

1. A deep neural network reasoning method with privacy protection is characterized by comprising the following steps:
the client generates a key;
the client encrypts an input data matrix and a weight matrix of the trained deep neural network model by using the secret key, and sends the encrypted input data matrix and the weight matrix to the first edge server and the second edge server, wherein the bias matrix of the deep neural network model is stored locally;
the first edge server and the second edge server perform linear layer calculation on the input data matrix by using the received weight matrix of the deep neural network model, and return results to the client;
the client verifies the returned result, if the result is correct, the client receives the result, and if the result is incorrect, the client refuses to receive the result;
for the result of correct verification, the client recovers the actual output result of the linear layer by using the locally stored key and the bias matrix;
and the client locally calculates the nonlinear layer, takes the calculation result as the input of the next linear layer, and circulates the steps until the final inference result of the deep neural network model is obtained.
2. The deep neural network inference method of claim 1, wherein the client generating a key specifically comprises:
the trained deep neural network model contains Q linear layers in total; for the i-th linear layer of the model, the input data matrix is denoted by $X_i$ ($1 \le i \le Q$), the weight matrix by $W_i$, and the bias matrix by $B_i$;
a key is generated by using the KeyGen key generation algorithm, which takes a security parameter $k$ as input and outputs a random number matrix $R_i$ and a random number $c_i$ as the key; each element of $R_i$ is a $k$-bit random number, and $R_i$, which has the same size as $W_i$, is used to blind the weight matrix $W_i$; $c_i$ is also a $k$-bit random number and is used to blind the input data matrix $X_i$ of the i-th layer.
3. The deep neural network inference method of claim 2, wherein the encrypting the input data matrix and the weight matrix of the trained deep neural network model specifically comprises:
the input data matrix and the weight matrix are encrypted by using the Input Encryption algorithm, which takes as input the random number matrix $R_i$, the random number $c_i$, the input data matrix $X_i$ and the weight matrix $W_i$, and outputs four matrices $X_{i,a}$, $X_{i,b}$, $W_{i,a}$ and $W_{i,b}$.
The encryption process is as follows: first, the random number $c_i$ is used to construct a matrix $C_i$; the matrix $C_i$ is formed from $c_i$ and has the same size as $X_i$; to blind $X_i$, it is divided into two matrices $X_{i,a}$ and $X_{i,b}$; then the random number matrix $R_i$ is used to blind the weight matrix $W_i$ into two matrices $W_{i,a}$ and $W_{i,b}$; after encryption is completed, $X_{i,a}$ and $W_{i,a}$ are sent to the first edge server $ES_A$, and $X_{i,b}$ and $W_{i,b}$ are sent to the second edge server $ES_B$.
4. The deep neural network inference method of claim 3, wherein in the encryption process, the two matrices $X_{i,a}$ and $X_{i,b}$ satisfy the following conditions:
$X_i = X_{i,a} + X_{i,b}$
$C_i = X_{i,a} - X_{i,b}$
Solving these gives:
$X_{i,a} = \frac{1}{2}(X_i + C_i)$;
$X_{i,b} = \frac{1}{2}(X_i - C_i)$;
then the random number matrix $R_i$ is used to blind the weight matrix $W_i$ into two matrices $W_{i,a}$ and $W_{i,b}$:
$W_{i,a} = W_i + R_i$
$W_{i,b} = W_i - R_i$
5. The deep neural network inference method of claim 3, wherein the linear layer computation of the input data matrix by the first edge server and the second edge server using the received weight matrix of the deep neural network model specifically comprises:
the first edge server and the second edge server perform linear layer calculation on the input data matrix by using a Privacy-forecasting calculation algorithm: after receiving $X_{i,a}$ and $W_{i,a}$, the first edge server $ES_A$ calculates the convolution of the two to obtain a result $S_{i,a}$; after receiving $X_{i,b}$ and $W_{i,b}$, the second edge server $ES_B$ calculates the convolution of the two to obtain a result $S_{i,b}$; the output of the algorithm is $S_{i,a}$ and $S_{i,b}$.
6. The deep neural network inference method of claim 5, wherein the verifying the returned result by the client specifically comprises:
the client verifies the returned result by using a Verification algorithm: the client randomly selects the value at any position of $S_{i,a}$ or $S_{i,b}$, then uses $X_i$, $W_i$ and the locally stored key, i.e. the random number matrix $R_i$ and the random number $c_i$, to calculate the convolution value at the corresponding position; the client compares whether the two values are equal; if not, the client refuses to receive the returned result; if so, it continues with the next step.
7. The deep neural network inference method of claim 6, wherein the recovering, by the client, the actual output result of the linear layer using the locally stored key and the bias matrix specifically comprises:
the client recovers the encrypted result by using the Recovery algorithm, whose input is the results $S_{i,a}$ and $S_{i,b}$ returned by the first edge server and the second edge server; the client first uses the random number $c_i$ to construct the matrix $C_i$, which is formed from $c_i$ and has the same size as $X_i$; the client then uses $C_i$, the locally stored random number matrix $R_i$ and the bias matrix $B_i$ to recover the actual output result $O_i$: $O_i = S_{i,a} + S_{i,b} - C_i \cdot R_i + B_i$, where $O_i$ is the actual output result of the i-th linear layer.
8. The deep neural network inference method of claim 7, wherein the input of the (i + 1)-th linear layer is $X_{i+1} = NF(O_i)$, where NF is the activation function of the nonlinear layer; the above algorithms are executed in a loop until the final inference result $Res = NF(O_Q)$ of the deep neural network model is obtained.
9. The deep neural network inference method of any one of claims 1-8, wherein the deep neural network model comprises an input layer, a hidden layer, and an output layer, the hidden layer comprising convolutional layers, activation layers, pooling layers, and fully-connected layers; the convolutional layers and the fully-connected layers are linear layers, and the activation layers and the pooling layers are nonlinear layers.
Application number: CN202111472835.3A; priority date: 2021-12-03; filing date: 2021-12-03; title: Deep neural network reasoning method with privacy protection; status: Active; publication: CN114003961B (en)

Publications (2)

Publication Number Publication Date
CN114003961A (en) 2022-02-01
CN114003961B (en) 2024-04-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant