CN114003961A - Deep neural network reasoning method with privacy protection - Google Patents
- Publication number: CN114003961A (application CN202111472835.3A)
- Authority: CN (China)
- Prior art keywords: matrix, layer, result, client, neural network
- Prior art date: 2021-12-03
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06N3/045—Combinations of networks
- G06N3/08—Learning methods
- G06N5/04—Inference or reasoning models
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- General Engineering & Computer Science (AREA)
- Artificial Intelligence (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Mathematical Physics (AREA)
- Computing Systems (AREA)
- Biophysics (AREA)
- Molecular Biology (AREA)
- Biomedical Technology (AREA)
- Life Sciences & Earth Sciences (AREA)
- Bioethics (AREA)
- Medical Informatics (AREA)
- Databases & Information Systems (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a deep neural network inference method with privacy protection, comprising the following steps: the client generates a key; the client uses the key to encrypt the input data matrix and the weight matrix of the trained deep neural network model, and sends the encrypted matrices to the edge servers; the edge servers perform the linear-layer computation on the input data matrix using the received weight matrix of the deep neural network model and return the results to the client; the client verifies the returned results, accepting them if they are correct and rejecting them otherwise; for results that pass verification, the client recovers the actual output of the linear layer using the locally stored key and bias matrix; the client then computes the nonlinear layer locally and uses the result as the input of the next linear layer, repeating these steps until the final inference result is obtained. The invention saves the user's computational overhead while guaranteeing the privacy of both the user's data and the model.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a deep neural network reasoning method with privacy protection.
Background
With the development of machine learning and the rise of artificial intelligence, many research fields attempt to realize artificial intelligence with machine learning algorithms, for example generative adversarial networks for image inpainting and deep learning frameworks for image recognition. However, the inference task of a complex deep neural network typically involves an enormous number of arithmetic operations: with some popular deep neural network architectures, a single visual-inspection inference requires billions of operations, making it challenging to execute these operations efficiently on resource-limited Internet-of-Things devices.
The rapid development of edge computing offers resource-constrained devices an effective way to perform complex deep neural network inference. Outsourced computation is one of the most important applications of edge computing: it allows resource-constrained users to outsource complex computations to an edge server, paying only for the computing resources they use. Depending on who provides the deep neural network model, existing work on outsourced deep neural network inference falls into two categories: 1) the user submits the data to be inferred and the cloud/edge server supplies a trained deep neural network model, a service known as inference-as-a-service; 2) both the trained model and the data to be inferred come from the same user, and the cloud/edge server supplies only computing resources. In either case, a resource-limited user can exploit the computing power of the cloud/edge server to complete the heavy computations of the deep neural network inference phase.
While users benefit from outsourcing deep neural network inference to reduce their computational and storage burden, protecting the privacy of user data and the validity of inference results is a challenging problem. Some data collected by terminal devices can be highly sensitive, such as medical diagnostic data; once leaked, it causes serious harm to the user. In addition, external factors such as hacker attacks on the cloud/edge server may invalidate the computed results. Making edge-assisted deep neural network inference safer and more efficient is therefore an urgent problem.
Two common privacy-preserving deep neural network inference techniques are homomorphic encryption and secure multi-party computation. Schemes built on these technologies offer strong security but low computational efficiency. To avoid the complexity and inefficiency of homomorphic encryption and secure multi-party computation, a dual edge-server framework has emerged that uses a lightweight encryption scheme to perform deep neural network inference efficiently under privacy protection; it greatly improves inference efficiency and markedly reduces the computing energy consumption of Internet-of-Things devices. However, it protects only the privacy of the input data, not the user's trained model. A deep neural network model is also a core asset of its supplier, since training an effective model requires heavy investment in data sets, resources, and expertise. Existing solutions thus either require time-consuming cryptographic operations or fail to protect the privacy of the trained model. How to achieve safe and efficient deep neural network inference while protecting both input data and model privacy is therefore an important issue.
Disclosure of Invention
In view of the above problems, an object of the present invention is to provide a deep neural network inference method with privacy protection, in which the user sends the data to be inferred and the trained model to edge servers; the edge servers handle the computation-heavy, time-consuming linear layers, while the user processes only the computationally light nonlinear layers and the encryption/decryption operations. This saves the user's computational overhead while guaranteeing the privacy of the user's data and model.
To solve the above technical problem, an embodiment of the present invention provides the following solutions:
a deep neural network reasoning method with privacy protection comprises the following steps:
the client generates a key;
the client encrypts an input data matrix and a weight matrix of the trained deep neural network model by using the secret key, and sends the encrypted input data matrix and the weight matrix to the first edge server and the second edge server, wherein the bias matrix of the deep neural network model is stored locally;
the first edge server and the second edge server perform linear layer calculation on the input data matrix by using the received weight matrix of the deep neural network model, and return results to the client;
the client verifies the returned results; if a result is correct the client accepts it, and if it is incorrect the client rejects it;
for results that pass verification, the client recovers the actual output of the linear layer using the locally stored key and the bias matrix;
the client computes the nonlinear layer locally and uses the result as the input of the next linear layer, repeating the above steps until the final inference result of the deep neural network model is obtained.
Preferably, the client generating the key specifically includes:
the trained deep neural network model contains Q linear layers in total; the input data matrix of the i-th linear layer (1 ≤ i ≤ Q) is denoted X_i, its weight matrix W_i, and its bias matrix B_i;
a key is generated with the KeyGen key generation algorithm, which takes a security parameter k as input and outputs a random number matrix R_i and a random number c_i as the key; each element of R_i is a k-bit random number, R_i is used to blind the weight matrix W_i and has the same size as W_i, and c_i is likewise a k-bit random number, used to blind the i-th layer's input data matrix X_i.
Preferably, encrypting the input data matrix and the weight matrix of the trained deep neural network model specifically includes:
the Input Encryption algorithm encrypts the input data matrix and the weight matrix: it takes as input the random number matrix R_i, the random number c_i, the input data matrix X_i and the weight matrix W_i, and outputs four matrices X_{i,a}, X_{i,b}, W_{i,a} and W_{i,b};
the encryption proceeds as follows: first, the random number c_i is used to construct the matrix C_i, each element of which is c_i and whose size equals that of X_i; to blind X_i, it is split into two matrices X_{i,a} and X_{i,b}; the random number matrix R_i is then used to blind the weight matrix W_i into two matrices W_{i,a} and W_{i,b}; after encryption, X_{i,a} and W_{i,a} are sent to the first edge server ES_A, and X_{i,b} and W_{i,b} are sent to the second edge server ES_B.
Preferably, during encryption the two matrices X_{i,a} and X_{i,b} satisfy the following conditions:
X_i = X_{i,a} + X_{i,b};
C_i = X_{i,a} - X_{i,b};
which simplify to:
X_{i,a} = (X_i + C_i) / 2;
X_{i,b} = (X_i - C_i) / 2;
the random number matrix R_i then blinds the weight matrix W_i into two matrices W_{i,a} and W_{i,b}:
W_{i,a} = W_i + R_i;
W_{i,b} = W_i - R_i.
Preferably, the linear-layer computation performed by the first and second edge servers on the input data matrix using the received weight matrix of the deep neural network model specifically includes:
the two edge servers run the Privacy-preserving Computation algorithm on the input data matrix: the first edge server ES_A receives X_{i,a} and W_{i,a} and computes their convolution, obtaining the result S_{i,a}; the second edge server ES_B receives X_{i,b} and W_{i,b} and computes their convolution, obtaining the result S_{i,b}; the output of the algorithm is S_{i,a} and S_{i,b}.
Preferably, the client verifying the returned result specifically includes:
the client verifies the returned result with the Verification algorithm: the client randomly selects the value at some position of S_{i,a} or S_{i,b}, then uses X_i, W_i and the locally stored key (the random number matrix R_i and the random number c_i) to compute the convolution value at the corresponding position; the client compares the two values; if they are unequal, the client rejects the returned result; if they are equal, the next step is executed.
Preferably, the client recovering the actual output result of the linear layer using the locally stored key and the bias matrix specifically includes:
the client recovers the encrypted result with the Recovery algorithm, whose inputs are the results S_{i,a} and S_{i,b} returned by the first and second edge servers; the client first uses the random number c_i to construct the matrix C_i, each element of which is c_i and whose size equals that of X_i; the client then uses C_i, the locally stored random number matrix R_i and the bias matrix B_i to recover the actual output result O_i: O_i = S_{i,a} + S_{i,b} - C_i·R_i + B_i, where O_i is the actual output of the i-th linear layer.
Preferably, the input of the (i+1)-th linear layer is X_{i+1} = NF(O_i), where NF is the activation function of the nonlinear layer; the above algorithms are executed in a loop until the final inference result Res = NF(O_Q) of the deep neural network model is obtained.
Preferably, the deep neural network model comprises an input layer, a hidden layer and an output layer, the hidden layer comprising a convolutional layer, an activation layer, a pooling layer and a fully connected layer; the convolutional and fully connected layers are linear layers, while the activation and pooling layers are nonlinear layers.
The technical scheme provided by the embodiments of the invention offers at least the following beneficial effects:
1) Resource-constrained users can achieve efficient deep neural network inference at low cost.
2) The inefficiency of cumbersome homomorphic encryption and secure multi-party computation techniques is avoided.
3) Both the privacy of the user's data to be inferred and the privacy of the user's trained deep neural network model are guaranteed.
Drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of a deep neural network inference method with privacy protection provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of a deep neural network inference system with privacy protection provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of the basic structure of the hidden layer of a deep neural network model according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
An embodiment of the invention provides a deep neural network inference method with privacy protection. The flow of the method is shown in FIG. 1, and the system model involved is shown in FIG. 2; it comprises a client (the owner of the data and the deep neural network model) and two outsourced edge servers (a first edge server and a second edge server).
The method comprises the following steps:
the client generates a key;
the client encrypts an input data matrix and a weight matrix of the trained deep neural network model by using the secret key, and sends the encrypted input data matrix and the weight matrix to the first edge server and the second edge server, wherein the bias matrix of the deep neural network model is stored locally;
the first edge server and the second edge server perform linear layer calculation on the input data matrix by using the received weight matrix of the deep neural network model, and return results to the client;
the client verifies the returned results; if a result is correct the client accepts it, and if it is incorrect the client rejects it;
for results that pass verification, the client recovers the actual output of the linear layer using the locally stored key and the bias matrix;
the client computes the nonlinear layer locally and uses the result as the input of the next linear layer, repeating the above steps until the final inference result of the deep neural network model is obtained.
In the embodiment of the invention, the user at the client sends the data to be inferred and the trained model to the edge servers; the edge servers process the computation-heavy, time-consuming linear layers, and the user only processes the computationally light nonlinear layers and the encryption and decryption operations. The method therefore saves the user's computational cost while guaranteeing the privacy of the user's data and model.
In the embodiment of the present invention, the deep neural network model includes an input layer, a hidden layer and an output layer, where the hidden layer includes a convolutional layer, an activation layer, a pooling layer and a fully connected layer, as shown in FIG. 3; the convolutional and fully connected layers are linear layers, while the activation and pooling layers are nonlinear layers.
The convolutional layer performs feature extraction on the input data matrix and usually contains multiple convolution kernels. A convolution operation multiplies the kernel element-wise with the corresponding region of the input and sums the products; it starts at the top-left corner of the input data matrix and ends at the bottom-right corner. The matrix obtained by convolving the original matrix is called a feature map.
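To make the operation concrete, the following is a minimal single-channel, stride-1 sketch in Python (NumPy assumed; the function name conv2d and the toy values are illustrative, not taken from the patent):

```python
import numpy as np

def conv2d(x, kernel):
    """Slide the kernel over x (stride 1, no padding), multiplying
    element-wise and summing at each position -- one feature map."""
    kh, kw = kernel.shape
    out_h = x.shape[0] - kh + 1
    out_w = x.shape[1] - kw + 1
    out = np.zeros((out_h, out_w))
    for r in range(out_h):
        for c in range(out_w):
            out[r, c] = np.sum(x[r:r + kh, c:c + kw] * kernel)
    return out

x = np.arange(16, dtype=float).reshape(4, 4)  # toy input data matrix
k = np.array([[1.0, 0.0], [0.0, -1.0]])       # toy convolution kernel
print(conv2d(x, k))                           # 3x3 feature map
```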
Typically, each convolutional layer is followed by an activation layer, which enhances the model's ability to handle nonlinear problems by applying an activation function. The main activation functions are the sigmoid, tanh and ReLU functions.
The pooling layer reduces the dimensionality of each feature map while retaining the most important information. There are two common pooling operations, max pooling and average pooling; they differ in how the values within the pooling window are processed: max pooling takes the maximum of the values in the window, while average pooling takes their average.
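Both pooling modes over non-overlapping windows can be sketched as follows (NumPy assumed; pool2d and the toy feature map are illustrative):

```python
import numpy as np

def pool2d(x, size, mode="max"):
    """Split x into non-overlapping size-by-size windows and reduce each
    window to one value: its maximum (max pooling) or mean (average pooling)."""
    h, w = x.shape[0] // size, x.shape[1] // size
    windows = x[:h * size, :w * size].reshape(h, size, w, size)
    if mode == "max":
        return windows.max(axis=(1, 3))
    return windows.mean(axis=(1, 3))

fmap = np.arange(16, dtype=float).reshape(4, 4)
print(pool2d(fmap, 2, "max"))  # 2x2 map of window maxima
print(pool2d(fmap, 2, "avg"))  # 2x2 map of window averages
```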
The fully connected layer acts as the "classifier" of the whole convolutional neural network. In practice, the input to the fully connected layer is first preprocessed into vector form; its computation is otherwise similar to that of the convolutional layer.
A deep neural network is essentially a mapping from input to output; it can learn a large number of input-output mappings without requiring any precise mathematical expression relating inputs to outputs.
As an embodiment of the invention, assume a trained deep neural network model is available and contains Q linear layers (convolutional and fully connected layers) in total. The input data matrix of the i-th linear layer (1 ≤ i ≤ Q) is denoted X_i, its weight matrix W_i, and its bias matrix B_i. In the following, the subscript i refers to the i-th linear layer.
For the i-th linear layer, the client first generates a key with the KeyGen key generation algorithm, which takes a security parameter k as input and outputs a random number matrix R_i and a random number c_i as the key. Each element of R_i is a k-bit random number; R_i is used to blind the weight matrix W_i and has the same size as W_i. c_i is likewise a k-bit random number, used to blind the i-th layer's input data matrix X_i.
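A minimal sketch of what KeyGen could look like in Python follows (NumPy assumed; the patent fixes only the sizes and the k-bit length of the outputs, so the sampling details and the name keygen are illustrative assumptions):

```python
import numpy as np

def keygen(k, weight_shape, rng=np.random.default_rng()):
    """Return the layer key (R_i, c_i) for security parameter k: R_i is a
    matrix of k-bit random numbers with the same shape as W_i, and c_i is
    a single k-bit random number."""
    high = 2 ** k
    R = rng.integers(0, high, size=weight_shape).astype(float)
    c = float(rng.integers(0, high))
    return R, c
```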
Next, the Input Encryption algorithm encrypts the input data matrix and the weight matrix: it takes as input the random number matrix R_i, the random number c_i, the input data matrix X_i and the weight matrix W_i, and outputs four matrices X_{i,a}, X_{i,b}, W_{i,a} and W_{i,b}.
The encryption proceeds as follows. First, the random number c_i is used to construct the matrix C_i, each element of which is c_i and whose size equals that of X_i. To blind X_i, it is split into two matrices X_{i,a} and X_{i,b} satisfying:
X_i = X_{i,a} + X_{i,b};
C_i = X_{i,a} - X_{i,b};
which simplify to:
X_{i,a} = (X_i + C_i) / 2;
X_{i,b} = (X_i - C_i) / 2.
The random number matrix R_i then blinds the weight matrix W_i into two matrices W_{i,a} and W_{i,b}:
W_{i,a} = W_i + R_i;
W_{i,b} = W_i - R_i.
After encryption, X_{i,a} and W_{i,a} are sent to the first edge server ES_A, and X_{i,b} and W_{i,b} are sent to the second edge server ES_B.
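The Input Encryption step can be sketched as below, reusing the key (R_i, c_i) from the keygen sketch above (the helper name encrypt_inputs is illustrative):

```python
import numpy as np

def encrypt_inputs(X, W, R, c):
    """Split X and W into the shares the two edge servers receive."""
    C = np.full(X.shape, c)  # C_i: every element is c_i, same size as X_i
    X_a = (X + C) / 2        # so that X = X_a + X_b and C = X_a - X_b
    X_b = (X - C) / 2
    W_a = W + R              # W_i blinded by the random matrix R_i
    W_b = W - R
    return (X_a, W_a), (X_b, W_b)  # first pair to ES_A, second to ES_B
```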
After receiving the encrypted data, the two edge servers perform the linear-layer computation on the input data matrix using the Privacy-preserving Computation algorithm. The first edge server ES_A receives X_{i,a} and W_{i,a} and computes their convolution, obtaining the result S_{i,a}; the second edge server ES_B receives X_{i,b} and W_{i,b} and computes their convolution, obtaining the result S_{i,b}. The output of the algorithm is S_{i,a} and S_{i,b}.
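What each edge server computes on its shares can be sketched as below; a fully connected layer (a matrix product) stands in here for the patent's convolution, an assumption that keeps the demo short, since the share algebra is identical for any operation linear in both arguments:

```python
def server_linear(X_share, W_share):
    """The Privacy-preserving Computation step at one edge server:
    apply the linear layer to the received shares."""
    return X_share @ W_share  # S_a = X_a @ W_a at ES_A, S_b = X_b @ W_b at ES_B
```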
After both edge servers finish the computation, they return the results to the client. The client verifies the returned results with the Verification algorithm: the client randomly selects the value at some position of S_{i,a} or S_{i,b}, then uses X_i, W_i and the locally stored key (the random number matrix R_i and the random number c_i) to compute the convolution value at the corresponding position, and compares the two values. If they are unequal, the client rejects the returned result; if they are equal, the next step is executed.
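A minimal sketch of this spot-check under the same matrix-product assumption (verify is an illustrative helper, not the patent's code):

```python
import numpy as np

def verify(S_a, S_b, X, W, R, c, rng=np.random.default_rng()):
    """Recompute one randomly chosen entry of S_a or S_b locally from
    X, W and the key (R, c), and compare with the returned value."""
    C = np.full(X.shape, c)
    r = int(rng.integers(S_a.shape[0]))
    col = int(rng.integers(S_a.shape[1]))
    if rng.integers(2) == 0:  # check an entry of S_a
        expected = ((X + C) / 2)[r, :] @ (W + R)[:, col]
        return bool(np.isclose(S_a[r, col], expected))
    expected = ((X - C) / 2)[r, :] @ (W - R)[:, col]  # or an entry of S_b
    return bool(np.isclose(S_b[r, col], expected))
```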
For results that pass verification, the client recovers the encrypted result with the Recovery algorithm, whose inputs are the results S_{i,a} and S_{i,b} returned by the first and second edge servers. The client first uses the random number c_i to construct the matrix C_i, each element of which is c_i and whose size equals that of X_i; the client then uses C_i, the locally stored random number matrix R_i and the bias matrix B_i to recover the actual output result O_i: O_i = S_{i,a} + S_{i,b} - C_i·R_i + B_i, where O_i is the actual output of the i-th linear layer. This holds because S_{i,a} + S_{i,b} = X_{i,a}·W_{i,a} + X_{i,b}·W_{i,b} = X_i·W_i + C_i·R_i, so subtracting C_i·R_i and adding B_i yields the true layer output.
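The Recovery step under the same matrix-product assumption (a sketch; recover is an illustrative name):

```python
import numpy as np

def recover(S_a, S_b, x_shape, R, c, B):
    """O = S_a + S_b - C@R + B.  Since S_a + S_b = X@W + C@R,
    subtracting C@R and adding the bias yields the true output X@W + B."""
    C = np.full(x_shape, c)  # rebuild C_i from the locally stored c_i
    return S_a + S_b - C @ R + B
```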
The client then computes the nonlinear layer locally and uses the result as the input of the next linear layer: the input of the (i+1)-th linear layer is X_{i+1} = NF(O_i), where NF is the activation function of the nonlinear layer. The above algorithms are executed in a loop until the final inference result Res = NF(O_Q) of the deep neural network model is obtained.
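Finally, an end-to-end sketch tying the steps together, reusing the helpers above; the two-layer network, its shapes, the security parameter k = 8 and the ReLU nonlinearity are made-up demo choices, not prescribed by the patent:

```python
import numpy as np

rng = np.random.default_rng(0)
X = rng.standard_normal((2, 4))  # data to be inferred
Ws = [rng.standard_normal((4, 3)), rng.standard_normal((3, 2))]  # weights
Bs = [rng.standard_normal((2, 3)), rng.standard_normal((2, 2))]  # biases

for W, B in zip(Ws, Bs):
    R, c = keygen(8, W.shape, rng)                   # client: KeyGen
    (Xa, Wa), (Xb, Wb) = encrypt_inputs(X, W, R, c)  # client: encryption
    S_a = server_linear(Xa, Wa)                      # at ES_A
    S_b = server_linear(Xb, Wb)                      # at ES_B
    assert verify(S_a, S_b, X, W, R, c, rng)         # client: verification
    O = recover(S_a, S_b, X.shape, R, c, B)          # client: recovery
    assert np.allclose(O, X @ W + B)                 # matches plaintext layer
    X = np.maximum(O, 0)                             # local nonlinear layer (ReLU)

print("final inference result:", X)
```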
In summary, the deep neural network inference method provided by the invention effectively uses edge servers to process the computation-heavy, time-consuming linear layers, while the user only processes the computationally light nonlinear layers and the encryption and decryption operations. Resource-constrained users can thus achieve efficient deep neural network inference at low cost, while the privacy of both the user's input data and the deep neural network model is guaranteed.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (9)
1. A deep neural network reasoning method with privacy protection is characterized by comprising the following steps:
the client generates a key;
the client encrypts an input data matrix and a weight matrix of the trained deep neural network model by using the secret key, and sends the encrypted input data matrix and the weight matrix to the first edge server and the second edge server, wherein the bias matrix of the deep neural network model is stored locally;
the first edge server and the second edge server perform linear layer calculation on the input data matrix by using the received weight matrix of the deep neural network model, and return results to the client;
the client verifies the returned results; if a result is correct the client accepts it, and if it is incorrect the client rejects it;
for results that pass verification, the client recovers the actual output of the linear layer using the locally stored key and the bias matrix;
the client computes the nonlinear layer locally and uses the result as the input of the next linear layer, repeating the above steps until the final inference result of the deep neural network model is obtained.
2. The deep neural network inference method of claim 1, wherein the client generating a key specifically comprises:
the trained deep neural network model contains Q linear layers in total; the input data matrix of the i-th linear layer (1 ≤ i ≤ Q) is denoted X_i, its weight matrix W_i, and its bias matrix B_i;
a key is generated with the KeyGen key generation algorithm, which takes a security parameter k as input and outputs a random number matrix R_i and a random number c_i as the key; each element of R_i is a k-bit random number, R_i is used to blind the weight matrix W_i and has the same size as W_i, and c_i is likewise a k-bit random number, used to blind the i-th layer's input data matrix X_i.
3. The deep neural network inference method of claim 2, wherein the encrypting the input data matrix and the weight matrix of the trained deep neural network model specifically comprises:
the Input Encryption algorithm encrypts the input data matrix and the weight matrix: it takes as input the random number matrix R_i, the random number c_i, the input data matrix X_i and the weight matrix W_i, and outputs four matrices X_{i,a}, X_{i,b}, W_{i,a} and W_{i,b};
the encryption proceeds as follows: first, the random number c_i is used to construct the matrix C_i, each element of which is c_i and whose size equals that of X_i; to blind X_i, it is split into two matrices X_{i,a} and X_{i,b}; the random number matrix R_i is then used to blind the weight matrix W_i into two matrices W_{i,a} and W_{i,b}; after encryption, X_{i,a} and W_{i,a} are sent to the first edge server ES_A, and X_{i,b} and W_{i,b} are sent to the second edge server ES_B.
4. The deep neural network inference method of claim 3, wherein during encryption the two matrices X_{i,a} and X_{i,b} satisfy the following conditions:
X_i = X_{i,a} + X_{i,b};
C_i = X_{i,a} - X_{i,b};
which simplify to:
X_{i,a} = (X_i + C_i) / 2;
X_{i,b} = (X_i - C_i) / 2;
the random number matrix R_i then blinds the weight matrix W_i into two matrices W_{i,a} and W_{i,b}:
W_{i,a} = W_i + R_i;
W_{i,b} = W_i - R_i.
5. The deep neural network inference method of claim 3, wherein the linear layer computation of the input data matrix by the first edge server and the second edge server using the received weight matrix of the deep neural network model specifically comprises:
the two edge servers run the Privacy-preserving Computation algorithm on the input data matrix: the first edge server ES_A receives X_{i,a} and W_{i,a} and computes their convolution, obtaining the result S_{i,a}; the second edge server ES_B receives X_{i,b} and W_{i,b} and computes their convolution, obtaining the result S_{i,b}; the output of the algorithm is S_{i,a} and S_{i,b}.
6. The deep neural network inference method of claim 5, wherein the client verifying the returned result specifically comprises:
the client verifies the returned result with the Verification algorithm: the client randomly selects the value at some position of S_{i,a} or S_{i,b}, then uses X_i, W_i and the locally stored key (the random number matrix R_i and the random number c_i) to compute the convolution value at the corresponding position; the client compares the two values; if they are unequal, the client rejects the returned result, and if they are equal, the next step is executed.
7. The deep neural network inference method of claim 6, wherein the recovering, by the client, the actual output result of the linear layer using the locally stored key and the bias matrix specifically comprises:
the client recovers the encrypted result with the Recovery algorithm, whose inputs are the results S_{i,a} and S_{i,b} returned by the first and second edge servers; the client first uses the random number c_i to construct the matrix C_i, each element of which is c_i and whose size equals that of X_i; the client then uses C_i, the locally stored random number matrix R_i and the bias matrix B_i to recover the actual output result O_i: O_i = S_{i,a} + S_{i,b} - C_i·R_i + B_i, where O_i is the actual output of the i-th linear layer.
8. The deep neural network inference method of claim 7, wherein the input of the (i+1)-th linear layer is X_{i+1} = NF(O_i), where NF is the activation function of the nonlinear layer; the above algorithms are executed in a loop until the final inference result Res = NF(O_Q) of the deep neural network model is obtained.
9. The deep neural network inference method of any one of claims 1-8, wherein the deep neural network model comprises an input layer, a hidden layer and an output layer, the hidden layer comprising a convolutional layer, an activation layer, a pooling layer and a fully connected layer; the convolutional and fully connected layers are linear layers, while the activation and pooling layers are nonlinear layers.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111472835.3A | 2021-12-03 | 2021-12-03 | Deep neural network reasoning method with privacy protection (granted as CN114003961B) |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114003961A | 2022-02-01 |
| CN114003961B | 2024-04-26 |
Family ID: 79931306
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111472835.3A | Deep neural network reasoning method with privacy protection (CN114003961B, active) | 2021-12-03 | 2021-12-03 |
Country Status (1)
| Country | Link |
|---|---|
| CN | CN114003961B |
Cited By (4)
| Publication number | Priority date | Publication date | Title |
|---|---|---|---|
| CN115001748A | 2022-04-29 | 2022-09-02 | Model processing method and device and computer readable storage medium |
| CN115001748B | 2022-04-29 | 2023-11-03 | Model processing method and device and computer readable storage medium |
| CN115345307A | 2022-10-17 | 2022-11-15 | Secure convolutional neural network inference method and system on ciphertext images |
| CN115345307B | 2022-10-17 | 2023-02-14 | Secure convolutional neural network inference method and system on ciphertext images |
Citations (6)
| Publication number | Priority date | Publication date | Title |
|---|---|---|---|
| CN108259158A | 2018-01-11 | 2018-07-06 | Efficient privacy-preserving single-layer perceptron learning method in a cloud computing environment |
| CN108647525A | 2018-05-09 | 2018-10-12 | Verifiable privacy-preserving single-layer perceptron batch training method |
| CN109194507A | 2018-08-24 | 2019-01-11 | Non-interactive privacy-preserving neural network prediction method |
| CN111324870A | 2020-01-22 | 2020-06-23 | Outsourced convolutional neural network privacy protection system based on secure two-party computation |
| CN112152806A | 2020-09-25 | 2020-12-29 | Cloud-assisted image recognition method, apparatus and device supporting privacy protection |
| US2021/0019428A1 | 2019-07-19 | 2021-01-21 | Preservation system for preserving privacy of outsourced data in cloud based on deep convolutional neural network |
Non-Patent Citations (1)
| Title |
|---|
| 谢四江; 许世聪; 章乐: "Forward propagation method for convolutional neural networks based on homomorphic encryption" (基于同态加密的卷积神经网络前向传播方法), 计算机应用与软件 (Computer Applications and Software), No. 02, 12 February 2020 |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114003961B | 2024-04-26 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |