CN117786768B

CN117786768B - Safety parameter exchange method for federal data learning

Info

Publication number: CN117786768B
Application number: CN202410199786.8A
Authority: CN
Inventors: 邢刚; 贾晓丰; 齐红威; 章敏; 王大亮
Original assignee: Beijing Big Data Center; Datatang Beijing Technology Co ltd
Current assignee: Beijing Big Data Center; Datatang Beijing Technology Co ltd
Priority date: 2024-02-23
Filing date: 2024-02-23
Publication date: 2024-05-14
Anticipated expiration: 2044-02-23
Also published as: CN117786768A

Abstract

The invention provides a secure parameter exchange method for federal data learning, and belongs to the technical field of data security. The invention adopts a third party signature to protect the parameter convergence security of the parameter server, and at present, no patent for protecting the server exists. The invention also protects the safe communication of the password and the parameters in the unsafe environment by adopting an RSA algorithm, ensures the safety of the communication link and leads the hijacking of the link to be invalid. The invention also adopts the training node parameter encryption measures with configurable encryption strength, and meets various security scene requirements of practical application by adopting different encryption strengths aiming at different training nodes, thereby carrying out security protection on the training nodes.

Description

Safety parameter exchange method for federal data learning

Technical Field

The invention belongs to the technical field of data security, and particularly relates to a secure parameter exchange method for federal data learning.

Background

Related laws and regulations make strict regulations on data security, sensitive data cannot leave a saved original location, and traditional centralized utilization modes of data are not feasible. The value of the data is reflected in sharing and utilization, a safe data sharing method is needed to be adopted to play the value of the data, and privacy security calculation is a scheme capable of meeting the requirement of data security and sharing the data.

Privacy security computing mainly includes three modes, namely a viable execution environment (Trustedexecutionenvironment, TEE), multiparty security computing (SecureMulti-partyComputation, MPC) and federal learning (FEDERATEDLEARNING, FL).

The trusted execution environment is an independent processing environment with operation and storage functions and can provide security and integrity protection. The basic idea is: an isolated memory is allocated for sensitive data in hardware, all computation of the sensitive data is performed in the isolated memory, and other parts of the hardware except for authorized interfaces cannot access information in the isolated memory. Intel, ARM and AMD processors all have respective developed TEE environments.

Secure multiparty computing securely computes a contract function for the case of no trusted third party. The participants participate in secret calculation by utilizing the private data under the condition of not revealing the respective private data, and complete a certain calculation task together. The method can meet the requirement of people for secret calculation by using private data, and effectively solve the contradiction between confidentiality and sharing of the data. Mainly used are: secret sharing, inadvertent transmission, garbled circuits, homomorphic encryption, zero knowledge proof, and other key technologies.

The federal learning is a distributed machine learning technology, and the core idea is to construct a global model based on virtual fusion data by performing distributed model training among a plurality of data sources with local data and only exchanging model parameters or intermediate results on the premise of not exchanging the local data, so as to realize balance between data privacy protection and data sharing calculation, namely, a new application paradigm of 'data available invisible' and 'data motionless model'.

The TEE protects the safe operation of data from the chip, the memory and the OS layer by layer, and isolates the safe environment. The multiparty security calculation encrypts the data through an algorithm, then calculates, and finally restores the calculation result. Federal learning deploys the model to the data party, and calculates through exchanging parameters, so as to finally obtain the model.

The TEE is characterized by safety, rapidness, high cost, difficulty in realizing the distributed learning of a plurality of machines and suitability for special scenes. The MPC is characterized by safety, low speed and higher cost, because the data is encrypted and the calculated amount is hundreds of times that before being encrypted, the application of a model with large data amount is limited. FL features a fast, low cost distributed scheme, but with potential safety hazards.

Federal learning is a distributed machine learning technique, and parameter server model (PARAMETERSERVER) is one way to implement distributed machine learning, which mainly includes two parts:

Server node (parameter server): machine learning model parameters are stored, gradients from the worker nodes are accumulated, and then the model parameters are updated.

Worker node (training node): requesting the current model parameters of the server node, calculating the gradient, and sending the gradient to the server node.

The potential safety hazard of federal study is mainly expressed in that: 1. the exchanged parameters have risks, and if intercepted, the parameters are not data, but may implicitly include information of part of the data. 2. Participants in federal learning all have a risk of parameter leakage. Therefore, how to secure the parameter exchange in federal learning is a problem to be solved.

The Chinese patent application CN115169589A discloses a parameter updating method, a data processing method and related equipment, and obtains a first parameter of a model, a second parameter of the model, first data and a label value of training data; sending the homomorphic encrypted second parameter to second equipment; acquiring a first vector and a second vector; determining a predicted value of the model based on the first vector and the second vector; calculating a first gradient based on the first data and the error, and updating a first parameter by using the first gradient; and sending the homomorphic encrypted error to the second device so that the second device updates the homomorphic encrypted second parameter by using the homomorphic encrypted error. Initializing the whole model by the first device, homomorphic encrypting the second parameter and then sending the second parameter to the second device. And the errors sent by the first device to the second device are homomorphic encrypted. The second device uses ciphertext in the process of parameter updating, thereby reducing the risk of the second device guessing the tag value at the first device. The scheme has the following defects: 1. the method has the advantages that the speed is low, the calculation safety is guaranteed by adopting homomorphic encryption, the time consumption is hundreds of times that before homomorphic, and the more complex the model is, the higher the time consumption proportion is. 2. The application range is limited, the method is only suitable for simple algorithms such as traditional regression, decision trees, clustering and the like, the existing models such as identification, classification and the like of text, voice and image unstructured data are all 100M or more in minimum, homomorphic encryption calculation is adopted, and the method is completely infeasible in speed. 3. The server for combining the parameters lacks a safety guarantee measure, all the parameters are combined in the server plaintext, and if the server is permeated, the plaintext of the parameters uploaded each time of each training node is leaked.

Chinese patent application CN115186285A discloses a federally learned parameter aggregation method and apparatus, the method comprising: the method comprises the steps of obtaining a model parameter ciphertext, a model accuracy rate and a ciphertext audit evidence uploaded by a current aggregation node of a target user, aggregating the model parameter ciphertext based on the model parameter ciphertext, the model accuracy rate and the ciphertext audit evidence to obtain a model parameter update value corresponding to the current aggregation node of the power data analysis model, wherein the model parameter ciphertext is obtained by encrypting local model parameters corresponding to the current aggregation node by the target user based on respective encryption random number sets, the local model parameters corresponding to the current aggregation node are obtained by training the local power data analysis model by the target user, the encryption random number sets are determined based on shared random numbers between every two users, the model accuracy rate is obtained by testing the local model of the target user based on a test set, the model accuracy and training efficiency can be ensured, and data leakage is prevented. This solution has several drawbacks: 1. the encryption of the model parameters is to share the encryption parameters by using 2 training nodes. If the training nodes are not even, they cannot. The main problem is the encryption mode, one node is added with one value, the other node is reduced with one same value, the correct value is obtained by adding when the nodes are converged, and the risk is that the correct value is obtained by adding after the nodes are obtained by a third party. 2. The accuracy of the model is used for checking whether the nodes are honest or not, but the nodes are transmitted in clear text, and the accuracy is possibly modified. 3. The parameter server has no safety protection measures, and the convergence point serving as all the parameters lacks necessary protection.

Disclosure of Invention

Aiming at the problems in the prior art, the invention provides a safety parameter exchange method for federal data learning. The invention adopts a third party signature to protect the parameter convergence security of the parameter server, and at present, no patent for protecting the server exists. The invention also adopts RSA algorithm (an asymmetric encryption algorithm, two different keys are generated, one is public key and the other is private key, and the encryption mechanism is that deriving a decryption key from a known encryption key is not feasible in calculation) to protect the secure communication of the password and parameters in an unsafe environment, ensure the security of a communication link and disable the hijacking of the link. The invention also adopts the training node parameter encryption measures with configurable encryption strength, and meets various security scene requirements of practical application by adopting different encryption strengths aiming at different training nodes, thereby carrying out security protection on the training nodes.

In order to solve the technical problems, the invention provides a secure parameter exchange method for federal data learning, which comprises the following steps:

the monitoring server signs the parameters of the parameter server: before decrypting the parameters into plaintext, the parameter server signs the parameters, and sends the passwords obtained from the training nodes to the monitoring server as the next signed content of the monitoring server;

negotiating a shared key between the training node and the parameter server and between the parameter server and the monitoring server: communication links between the training node and the parameter server and between the parameter server and the monitoring server adopt RSA encryption algorithm, and the shared secret key and the encryption algorithm for secure communication are negotiated and determined by utilizing the public keys, and the communication is carried out between the training node and the parameter server and between the parameter server and the monitoring server by utilizing the shared secret key;

different training nodes encrypt the parameters with the same or different encryption intensities, and the encryption intensities are expressed as password change periods.

Preferably, the monitoring server signs the parameters of the parameter server: before decrypting the parameters into plaintext, the monitoring server signs the parameters, the parameter server decrypts the previous round of parameters after obtaining the signature from the monitoring server, performs parameter aggregation, encrypts the aggregated parameters by using the passwords obtained from the training nodes, transmits the encrypted parameters to the corresponding training nodes, and then transmits the passwords obtained from the training nodes to the monitoring server to serve as the next signed content of the monitoring server.

Preferably, when parameter aggregation is performed, the parameter server decrypts the parameter file received from the training node by using the password obtained from the training node, and aggregates the previous round of parameters and the parameter file to obtain the aggregated parameters.

Preferably, negotiating the shared key between the training node and the parameter server comprises the steps of:

The training node sends a training node public key and a supported encryption algorithm list to a parameter server;

after the parameter server receives the data, encrypting the selected encryption algorithm by using the training node public key, and sending the parameter server public key and the selected encryption algorithm encrypted by using the training node public key to the training node;

After the training node receives the data, the data is decrypted by using the private key to obtain an encryption algorithm to be utilized by the communication;

The training node generates a password by using the received public key of the parameter server according to the encryption algorithm selected by the parameter server, encrypts and transmits the generated password to the parameter server by using the public key of the parameter server, and the parameter server decrypts the password by using the private key of the parameter server after receiving the password.

Preferably, the monitoring server periodically collects monitoring information of the parameter server and periodically transmits a signature, and the content of the signature is agreed initial content before the first round of parameter acquisition.

Preferably, the parameter server receives the signature sent by the monitoring server before the first round of parameter acquisition, judges whether the signature is the agreed initial content, if so, continues, otherwise, stops training.

Preferably, training is stopped when the number of times the signature is not received reaches a certain threshold.

Preferably, after the first round of parameter acquisition, the monitoring server sends out a signature periodically according to the monitoring result of the parameter server, if abnormality is found, the signed content is the contracted stop training content, otherwise, the signed content is the password received last time.

Preferably, the secure parameter exchange method for federal data learning includes the following steps:

step S1: the parameter server encrypts the initialization parameters according to the passwords negotiated with each training node and sends the encrypted initialization parameters to the corresponding training nodes;

Step S2: the monitoring server periodically collects monitoring information periodically sent by the parameter server and periodically sends a signature to the parameter server, wherein the signed content is agreed initial content;

step S3: the parameter server receives the signature sent by the monitoring server, judges whether the content of the signature is the agreed initial content, if so, continues, otherwise, all training nodes stop training;

Step S4: the training node completes training learning, communicates with the parameter server to agree on a password, encrypts the parameter by using the password and then sends the encrypted parameter to the parameter server, the parameter server decrypts the parameter, gathers the first round of parameter obtained by gathering the parameter with the unencrypted initialization parameter, encrypts the first round of parameter and then sends the first round of parameter to the training node, and sends the password to the monitoring server safely;

Step S5: the monitoring server sends out a signature periodically according to the monitoring result of the parameter server, if abnormality is found, the signed content is the appointed stop training content, otherwise, the signed content is the password received last time;

Step S6: after the subsequent training node finishes training, the subsequent training node communicates with the parameter server to agree on a password, the parameter server encrypts the parameter and sends the encrypted parameter to the parameter server, the parameter server decrypts the parameter, the previous round of parameter is decrypted by using the password sent by the monitoring server, the parameter after the previous round of parameter and the previous round of parameter are converged, the converged parameter is encrypted and sent to the training node, and the encrypted password is safely sent to the monitoring server.

Preferably, the parameters are stored in the memory, and the previous round of parameters stored before are covered by the parameter convergence processing sent back by the training node each time.

Preferably, the anomaly displays that the data volume of the parameter server is greater than a preset threshold for the acquired monitoring information.

Preferably, the different training nodes encrypt the parameters by adopting different encryption intensities, the encryption algorithm can provide different passwords for the different training nodes, and an RSA encryption algorithm is adopted.

Preferably, each training node is trained with a different password for each round;

Preferably, the password is replaced for a preset learning number or a preset interval time;

preferably, after the training node obtains a password, the password is not modified any more during the whole learning process.

Compared with the prior art, the invention has at least the following beneficial effects:

1. The invention adopts the monitoring server signature to protect the parameter convergence security of the parameter server, adopts the white list to control the read-write of the parameters in the parameter server, stores the parameters in the memory, and each time the parameter convergence processing sent back by the training node can cover the previous round of parameters stored before, thereby realizing the security monitoring of the landing, carrying out signature before the parameters are decoded into plaintext by the monitoring server, carrying out password negotiation by two communication parties, and changing the password mode, thereby ensuring the security of network transmission, and further ensuring the security of the plaintext parameter convergence carried out by the parameter server.

2. The invention adopts RSA algorithm and provides different passwords for different training nodes, thereby protecting the safe communication of the passwords and parameters in unsafe environment and disabling the hijacking of the link.

3. The invention adopts the training node parameter encryption measures with configurable encryption strength, and meets the requirements of various security scenes of practical application by adopting different encryption strengths aiming at different training nodes.

Drawings

FIG. 1 is a schematic diagram of a secure parameter exchange method for federal data learning in accordance with one embodiment of the present invention;

FIG. 2 is a timing diagram of federal training using a security parameter exchange method for federal data learning according to an embodiment of the present invention;

fig. 3 is a timing diagram illustrating negotiating a shared key between a training node and a parameter server according to one embodiment of the present invention.

Detailed Description

For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, are intended to fall within the scope of the present invention.

Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, are intended to fall within the scope of the present invention.

It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.

In the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," "secured," and the like are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally formed; can be directly connected or indirectly connected through an intermediate medium, and can be communicated with the inside of two elements or the interaction relationship of the two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.

The present invention will be described in further detail with reference to the accompanying drawings for a better understanding of the objects, structures and functions of the present invention.

Example 1

The method for exchanging security parameters for federal data learning according to the present invention is described in detail below in accordance with one embodiment of the present invention.

The invention provides a secure parameter exchange method for federal data learning, which comprises the following steps:

Example 2

The monitoring server signs parameters of the parameter server: before decrypting the parameters into plaintext, the monitoring server signs the parameters, the parameter server decrypts the previous round of parameters after obtaining the signature from the monitoring server, performs parameter aggregation, encrypts the aggregated parameters by using the passwords obtained from the training nodes, transmits the encrypted parameters to the corresponding training nodes, and then transmits the passwords obtained from the training nodes to the monitoring server to serve as the next signed content of the monitoring server.

And when the parameters are converged, the parameter server decrypts the parameter file received from the training node by utilizing the password obtained from the training node, and converges the previous round of parameters and the parameter file to obtain the converged parameters.

Example 3

The negotiation of the shared key between the training node and the parameter server comprises the following steps:

Example 4

The monitoring server periodically collects monitoring information of the parameter server and periodically sends a signature, and the content of the signature is agreed initial content before the first round of parameter acquisition.

Example 5

The parameter server receives the signature sent by the monitoring server before the first round of parameter acquisition, judges whether the signature is the agreed initial content, if so, continues, otherwise, stops training.

After the first round of parameter acquisition, the monitoring server sends out a signature periodically according to the monitoring result of the parameter server, if the abnormal condition is found, the signed content is the appointed stop training content, otherwise, the signed content is the password received last time.

Example 6

Example 7

The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims

1. A method for exchanging security parameters for federal data learning, comprising:

Different training nodes encrypt the parameters by adopting the same or different encryption intensities, wherein the encryption intensity is expressed as a password change period;

The monitoring server signs parameters of the parameter server specifically as follows: before decrypting the parameters into plaintext, the monitoring server signs the parameters, the parameter server decrypts the previous round of parameters after obtaining the signature from the monitoring server, performs parameter aggregation, encrypts the aggregated parameters by using the passwords obtained from the training nodes, transmits the encrypted parameters to the corresponding training nodes, and then transmits the passwords obtained from the training nodes to the monitoring server to serve as the next signed content of the monitoring server.

2. The secure parameter exchange method for federal data learning according to claim 1, wherein, when parameter aggregation is performed, the parameter server decrypts the parameter file received from the training node by using the password obtained from the training node, and aggregates the previous round of parameters and the parameter file to obtain the aggregated parameters.

3. The federal data-learning security parameter exchange method according to claim 1, wherein negotiating a shared key between the training node and the parameter server comprises the steps of:

4. The method of claim 1, wherein the monitoring server periodically collects monitoring information from the parameter server and periodically transmits a signature, the content of the signature being the agreed initial content prior to the first round of parameter acquisition.

5. The method of claim 4, wherein the parameter server receives a signature from the monitoring server before the first round of parameter acquisition, determines whether the signature is the agreed initial content, and if so, continues, otherwise, stops training.

6. The method according to claim 5, wherein after the first round of parameter acquisition, the monitoring server periodically sends out a signature according to the monitoring result of the parameter server, if an abnormality is found, the signed content is the contracted stop training content, otherwise, the signed content is the last received password.

7. The federal data-learned safety parameter exchange method according to any one of claims 1 to 6, wherein the federal data-learned safety parameter exchange method comprises the steps of:

8. The secure parameter exchange method for federal data learning according to claim 1, wherein the different training nodes encrypt the parameters with different encryption intensities, and the encryption algorithm can provide different passwords for the different training nodes, and adopts the RSA encryption algorithm.