WO2023119421A1 - Information processing system, information processing method, and information processing program - Google Patents
Information processing system, information processing method, and information processing program
- Publication number
- WO2023119421A1 (PCT/JP2021/047341)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- server device
- client
- model
- secure
- execution unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/008—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
Definitions
- The present disclosure relates to an information processing system, an information processing method, and an information processing program.
- The present invention relates to an information processing system, an information processing method, and an information processing program for distributed machine learning systems represented by federated learning.
- A TEE, which is a secure execution environment on the server, is used to process the client model within the TEE, thereby learning a model that takes privacy information into consideration.
- TEE is an abbreviation for Trusted Execution Environment.
- Distributed machine learning systems represented by conventional federated learning have the following three major security and privacy issues: (1) leakage of privacy information from client models transmitted from devices or edges; (2) contamination of and interference with learning due to false information from malicious devices or edges; (3) theft or duplication of global models.
- Non-Patent Document 1 proposes a solution to problems (1) and (2) above using a secure execution environment such as a TEE. However, no solution to problem (3) is disclosed. Furthermore, in Non-Patent Document 1, the load on the system increases because of the use of the secure execution environment.
- The purpose of this disclosure is to provide an information processing system that realizes federated learning that takes security and privacy into consideration while reducing the load placed on the system by security measures.
- The information processing system is an information processing system comprising a server device and a client device, in which model information used for learning is exchanged between the server device and the client device. Each of the server device and the client device is provided, as virtually separated execution environments, with a normal execution unit that is a normal execution environment and a secure execution unit that is a secure execution environment. The normal execution units of the server device and the client device mutually authenticate the correctness of activation of the secure execution unit of each device and, when the correctness of activation of the secure execution unit of each device is authenticated, establish a secure communication path for transmitting and receiving encrypted data between the secure execution units of the devices. The secure execution unit of the server device executes aggregation processing that decrypts and aggregates the model information provided from the client device via the secure communication path, encrypts the model information obtained by the aggregation processing, and transmits it to the normal execution unit of the server device. The normal execution unit of the server device, the model information obtained by the aggregati
- The secure execution unit of the server device decrypts and aggregates the model information provided from the client device via the secure communication path. Then, the secure execution unit of the server device encrypts the model information obtained by aggregation and transmits it to the normal execution unit of the server device.
- The normal execution unit of the server device stores the model information obtained by aggregation in an encrypted state in the storage unit. Therefore, the information processing system according to the present disclosure realizes federated learning that takes security and privacy into consideration while reducing the load placed on the system by security measures.
- FIG. 1 is a diagram showing a configuration example of an information processing system according to Embodiment 1;
- FIG. 2 is a diagram showing a hardware configuration example of a server device according to Embodiment 1;
- FIG. 3 is a sequence diagram showing the operation of client model collection in the information processing system according to Embodiment 1;
- FIG. 4 is a sequence diagram showing the operation of global model distribution in the information processing system according to Embodiment 1;
- FIG. 5 is a diagram showing a hardware configuration example of an information processing system according to a modification of Embodiment 1;
- FIG. 6 is a diagram showing a configuration example of an information processing system according to Embodiment 2;
- FIG. 7 is a sequence diagram showing the operation of client model collection in the information processing system according to Embodiment 2;
- FIG. 8 is a sequence diagram showing the operation of global model distribution in the information processing system according to Embodiment 2;
- FIG. 9 is a diagram showing a configuration example of an information processing system according to Embodiment 3;
- FIG. 10 is a sequence diagram showing the operation of client model collection in the information processing system according to Embodiment 3;
- FIG. 11 is a sequence diagram showing the operation of global model distribution in the information processing system according to Embodiment 3;
- FIG. 12 is a diagram showing a configuration example of an information processing system according to Embodiment 4;
- FIG. 1 is a diagram showing a configuration example of an information processing system 100 according to this embodiment.
- The information processing system 100 includes a server device 101, a client device 102, and an authentication server device 103.
- The server device is also called a server section.
- The client device is also called a client unit.
- The authentication server device is also called an authentication server unit.
- Model information includes client models and global models.
- A client model is a learning model provided from the client device 102 to the server device 101.
- A global model is a learning model distributed from the server device 101 to the client device 102.
- A global model is generated by aggregating client models collected from client devices 102.
- The server device 101, the client device 102, and the authentication server device 103 are computers, and exchange information via a network.
- The server device 101, the client device 102, and the authentication server device 103 may be installed in separate computers.
- Alternatively, the server device 101, the client device 102, and the authentication server device 103 may be installed in one computer to virtually configure three computers.
- Alternatively, some of them, such as the server device 101 and the authentication server device 103, may be installed in one computer to virtually configure a plurality of computers.
- Each of the server device 101, the client device 102, and the authentication server device 103 may be called a device of the information processing system 100.
- Each device of the information processing system 100 is a computer.
- Each device of the information processing system 100 includes a processor and other hardware such as a memory, an auxiliary storage device, an input interface, an output interface, and a communication device.
- The processor is connected to the other hardware via signal lines and controls the other hardware.
- Each of the server device 101 and the client device 102 includes, as virtually separated execution environments, a normal execution unit that is a normal execution environment and a secure execution unit that is a secure execution environment. Virtually separated execution environments will be described later.
- The server device 101 includes a normal execution unit 104 and a secure execution unit 105 as functional elements.
- The normal execution unit 104 has a federated learning management unit 108 and an authentication management unit 109.
- The secure execution unit 105 includes an authentication unit 110, an encryption/decryption unit 111, a re-encryption/decryption unit 112, an aggregation unit 113, and a contamination detection unit 114.
- The normal execution unit 104 and the secure execution unit 105 each have a storage unit.
- The storage unit stores information such as a client model, a global model, a key, and authentication information used for information processing.
- When "stored in the normal execution unit" is described, it means "stored in the storage unit allocated to the normal execution unit". Likewise, when "stored in the secure execution unit" is described, it means "stored in the storage unit allocated to the secure execution unit". The same applies to the client device 102 and the authentication server device 103 described below.
- The client device 102 includes a normal execution unit 106 and a secure execution unit 107 as functional elements.
- The normal execution unit 106 includes a federated learning management unit 115, an authentication management unit 116, and a learning/inference management unit 117.
- The secure execution unit 107 includes an authentication unit 118, an encryption/decryption unit 119, a learning unit 120, and an inference unit 121.
- The normal execution unit 106 and the secure execution unit 107 each have a storage unit.
- The storage unit stores information such as a client model, a global model, a key, and authentication information used for information processing.
- The authentication server device 103 includes a verification unit 122 as a functional element. Although not shown, the authentication server device 103 has a storage unit. Information such as the authentication information to be verified by the verification unit 122 is stored in the storage unit.
- FIG. 2 is a diagram showing a hardware configuration example of the server device 101 according to this embodiment.
- A hardware configuration example of each device of the information processing system 100 will be described using the server device 101 in FIG. 2 as an example.
- The hardware configuration of the client device 102 and the authentication server device 103 is the same as that of the server device 101, so illustration thereof is omitted.
- The server device 101 is a computer.
- The server device 101 includes a processor 910 and other hardware such as a memory 921, an auxiliary storage device 922, an input interface 930, an output interface 940, and a communication device 950.
- The processor 910 is connected to the other hardware via signal lines and controls the other hardware.
- The functions of the normal execution unit 104 and the secure execution unit 105 are realized by software.
- A storage unit is provided in the memory 921. Note that the storage unit may be provided in the auxiliary storage device 922, or may be distributed between the memory 921 and the auxiliary storage device 922.
- The processor 910 is a device that executes the information processing program in the server device 101.
- The information processing program is a program that realizes the functions of each device of the information processing system 100.
- The processor 910 is an IC that performs arithmetic processing. Examples of the processor 910 are a CPU, a DSP, or a GPU.
- IC is an abbreviation for Integrated Circuit.
- CPU is an abbreviation for Central Processing Unit.
- DSP is an abbreviation for Digital Signal Processor.
- GPU is an abbreviation for Graphics Processing Unit.
- The memory 921 is a storage device that temporarily stores data.
- A specific example of the memory 921 is SRAM or DRAM.
- SRAM is an abbreviation for Static Random Access Memory.
- DRAM is an abbreviation for Dynamic Random Access Memory.
- The auxiliary storage device 922 is a storage device that stores data.
- A specific example of the auxiliary storage device 922 is an HDD.
- The auxiliary storage device 922 may be a portable storage medium such as an SD (registered trademark) memory card, CF, NAND flash, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk, or DVD.
- SD (registered trademark) is an abbreviation for Secure Digital.
- CF is an abbreviation for CompactFlash (registered trademark).
- DVD is an abbreviation for Digital Versatile Disk.
- The input interface 930 is a port connected to an input device such as a mouse, keyboard, or touch panel.
- The input interface 930 is specifically a USB terminal. Note that the input interface 930 may be a port connected to a LAN.
- USB is an abbreviation for Universal Serial Bus.
- LAN is an abbreviation for Local Area Network.
- The output interface 940 is a port to which a cable of an output device such as a display is connected.
- The output interface 940 is specifically a USB terminal or an HDMI (registered trademark) terminal.
- The display is specifically an LCD.
- The output interface 940 is also referred to as a display interface.
- LCD is an abbreviation for Liquid Crystal Display.
- The communication device 950 has a receiver and a transmitter.
- The communication device 950 is connected to a communication network such as a LAN, the Internet, or a telephone line.
- The communication device 950 is specifically a communication chip or a NIC.
- NIC is an abbreviation for Network Interface Card.
- The information processing program is executed on the server device 101.
- The information processing program is loaded into the processor 910 and executed by the processor 910.
- The memory 921 stores not only the information processing program but also the OS (Operating System).
- The processor 910 executes the information processing program while executing the OS.
- The information processing program and the OS may be stored in the auxiliary storage device 922.
- The information processing program and the OS stored in the auxiliary storage device 922 are loaded into the memory 921 and executed by the processor 910. Note that part or all of the information processing program may be incorporated into the OS.
- The server device 101 may include multiple processors that substitute for the processor 910. These multiple processors share the execution of the information processing program. Each processor, like the processor 910, is a device that executes the information processing program.
- Data, information, signal values, and variable values that are used, processed, or output by the information processing program are stored in the memory 921, the auxiliary storage device 922, or a register or cache memory within the processor 910.
- The "part" of each part of the normal execution part 104 and the secure execution part 105 may be read as "circuit", "process", "procedure", "processing", or "circuitry".
- The information processing program causes the computer to execute normal execution processing and secure execution processing. The "processing" of normal execution processing and secure execution processing may be replaced with "program", "program product", "computer-readable storage medium storing a program", or "computer-readable recording medium storing a program".
- The information processing method is a method performed by each device of the information processing system 100 executing the information processing program.
- The information processing program may be provided by being stored in a computer-readable recording medium. Also, the information processing program may be provided as a program product.
- The information processing system 100 shown in FIG. 1 is an information processing system in a distributed machine learning system represented by federated learning, which is composed of a server device 101 and a client device 102, to which an authentication server device 103 is added.
- Each of the server device 101 and the client device 102 includes, as virtually separated execution environments, a normal execution unit that is a normal execution environment and a secure execution unit that is a secure execution environment.
- The server device 101 can be virtually separated into a normal execution unit 104 and a secure execution unit 105.
- The normal execution unit 104 is provided with a federated learning management unit 108 and an authentication management unit 109.
- The federated learning management unit 108 manages execution of distributed machine learning represented by federated learning.
- The authentication management unit 109 verifies the correctness of the secure execution unit 105.
- The secure execution unit 105 includes an authentication unit 110, an encryption/decryption unit 111, a re-encryption/decryption unit 112, an aggregation unit 113, and a contamination detection unit 114.
- The authentication unit 110 provides authentication information for verifying the correctness of the secure execution unit 105.
- The encryption/decryption unit 111 encrypts or decrypts model information exchanged with the client device 102.
- The model information exchanged with the client device 102 is the client model and the global model.
- The re-encryption/decryption unit 112 re-encrypts or decrypts information exchanged with the normal execution unit 104.
- The aggregation unit 113 aggregates client models.
- The contamination detection unit 114 detects contamination of client models.
- The client device 102 can be virtually separated into a normal execution unit 106 and a secure execution unit 107.
- The normal execution unit 106 includes a federated learning management unit 115, an authentication management unit 116, and a learning/inference management unit 117.
- The federated learning management unit 115 manages execution of distributed machine learning represented by federated learning.
- The authentication management unit 116 verifies the correctness of the secure execution unit 107.
- The learning/inference management unit 117 manages learning of model information and execution of inference.
- The secure execution unit 107 includes an authentication unit 118, an encryption/decryption unit 119, a learning unit 120, and an inference unit 121.
- The authentication unit 118 provides authentication information for verifying the correctness of the secure execution unit 107.
- The encryption/decryption unit 119 encrypts or decrypts model information exchanged with the server device 101.
- The model information exchanged with the server device 101 is a client model or a global model.
- The learning unit 120 executes learning of model information.
- The inference unit 121 performs inference using model information.
- The authentication server device 103 has a verification unit 122.
- The verification unit 122 verifies the authentication information of each of the secure execution unit 105 and the secure execution unit 107.
- In the following description, the secure execution unit 105 of the server device 101 and the secure execution unit 107 of the client device 102 may be described with the component names omitted, such as "secure execution units 105 and 107" or "secure execution unit 105 or 107".
- The client model and the global model are protected, the correctness of each of the secure execution units 105 and 107 is verified, and contamination of client models is detected. As a result, federated learning that takes security and privacy into consideration is realized.
- A distributed machine learning algorithm typified by federated learning is executed in an exchange 123 between the federated learning management units 108 and 115 of the server device 101 and the client device 102, respectively. It is assumed that there are multiple client devices 102.
- Virtual separation of the normal execution units 104 and 106 from the secure execution units 105 and 107 is realized by TEE technology such as Arm TrustZone or Intel (registered trademark) SGX, for example.
- The federated learning management units 108 and 115 collect client models for federated learning or deliver global models. Also, the federated learning management units 108 and 115 verify the correctness of each other's secure execution units 105 and 107 through the authentication management units 109 and 116 (processes 124 and 125).
- In FIG. 1, the arrows between constituent elements are numbered. The arrows indicate interactions between components. In the following description, the exchange indicated by such an arrow is called a "process". The same applies to FIGS. 6, 9, and 12 below.
- The authentication management units 109 and 116 acquire authentication information for verifying the correctness of the secure execution units 105 and 107 from the authentication units 110 and 118 in the secure execution units 105 and 107 (processes 126 and 127).
- The authentication units 110 and 118 output authentication information (processes 126 and 127).
- The authentication information is, for example, the hash value and signature of the activated secure execution unit.
- Authentication of the secure execution units 105 and 107 is realized by, for example, remote attestation technology.
- The verification unit 122 acquires the authentication information from each of the authentication management units 109 and 116, and verifies whether each of the secure execution units 105 and 107 has been properly activated (processes 128 and 129).
- The encryption/decryption unit 111 decrypts the client model collected from the client device 102 by the federated learning management unit 108 (process 130). Alternatively, the encryption/decryption unit 111 encrypts, for each client, the global model distributed to the client device 102 by the federated learning management unit 108 (process 130).
- The re-encryption/decryption unit 112 re-encrypts the collected client models with a temporary common key (processes 131 and 132) and stores them in the storage unit of the normal execution unit 104. Alternatively, the re-encryption/decryption unit 112 acquires the re-encrypted client models from the normal execution unit 104 and decrypts them (process 132).
- The aggregation unit 113 acquires the collected decrypted client models (process 133) and aggregates them. Aggregation is, for example, calculating the average of the client models.
- The contamination detection unit 114 acquires the collected decrypted client models (process 134) and detects contamination of a client model. Contamination detection is, for example, calculating the inter-model distance between client models and judging a client model to be contaminated when the distance is large.
- The encryption/decryption unit 119 encrypts the client model provided to the server device 101 by the federated learning management unit 115 (process 135). Alternatively, the encryption/decryption unit 119 decrypts the global model distributed from the server device 101 by the federated learning management unit 115 (process 136).
- The learning/inference management unit 117 manages execution of learning or inference processing using the global model distributed from the server device 101 (process 136).
- The learning unit 120 performs learning, as instructed by the learning/inference management unit 117, using the global model decrypted by the encryption/decryption unit 119 (process 137).
- The inference unit 121 executes inference, as instructed by the learning/inference management unit 117, using the global model decrypted by the encryption/decryption unit 119 (process 138).
- The machine learning operations executed by the learning/inference management unit 117, the learning unit 120, and the inference unit 121 are not limited to deep learning.
- The learning/inference management unit 117, the learning unit 120, and the inference unit 121 may perform calculations using techniques such as regression, decision tree learning, Bayesian methods, or clustering.
- An operation procedure of the information processing system 100 corresponds to an information processing method.
- A program that implements the operation of the information processing system 100 corresponds to an information processing program.
- FIG. 3 is a sequence diagram showing the operation of client model collection in the information processing system 100 according to the present embodiment.
- FIG. 4 is a sequence diagram showing the operation of global model distribution in the information processing system 100 according to the present embodiment.
- These sequence diagrams show the exchanges between the server device 101 and the client device 102 in the information processing system 100, divided into the normal execution units 104 and 106 and the secure execution units 105 and 107.
- The normal execution units 104 and 106 of the server device 101 and the client device 102 mutually authenticate the correctness of activation of the secure execution unit of each device.
- When the correctness of activation of the secure execution unit of each device is authenticated, a secure communication path is established for transmitting and receiving encrypted data between the secure execution units of the devices. That is, a secure communication path is established between the secure execution environments of the devices. Specifically, this is as follows.
- In step S101, the normal execution unit 104 of the server device 101 transmits a client model provision request to the normal execution unit 106 of the client device 102.
- In step S102, the normal execution unit 106 of the client device 102 transmits a secure execution unit authentication request to the normal execution unit 104 of the server device 101 in order to verify the correctness of the secure execution unit 105 of the server device 101.
- In step S103, the normal execution unit 104 of the server device 101 transmits a request for provision of authentication information to the secure execution unit 105 of the server device 101.
- In step S104, the secure execution unit 105 of the server device 101 transmits authentication information and a public key PKs to the normal execution unit 104 of the server device 101.
- In step S105, the normal execution unit 104 of the server device 101 transfers the authentication information and the public key PKs to the normal execution unit 106 of the client device 102.
- The normal execution unit 106 of the client device 102 transmits a verification request for the authentication information to the verification unit 122 of the authentication server device 103.
- The verification unit 122 of the authentication server device 103 transmits the verification result to the normal execution unit 106 of the client device 102. If the normal execution unit 106 of the client device 102 can verify the correctness of the secure execution unit 105 of the server device 101, the normal execution unit 106 transmits the public key PKs to the secure execution unit 107 of the client device 102.
- In step S106, the secure execution unit 107 of the client device 102 exchanges keys with the secure execution unit 105 of the server device 101 using the public key PKs, and establishes a secure communication path over which transmitted and received data are encrypted.
- In step S107, the secure execution unit 107 of the client device 102 transmits the client model M to the secure execution unit 105 of the server device 101 over the secure communication path.
- the server device 101 operates as follows in order to reduce the memory consumption of the secure execution unit 105.
- FIG. The secure execution unit 105 of the server device 101 decrypts the client model provided from the client device 102 via the secure communication path. Then, secure execution unit 105 of server device 101 re-encrypts the decrypted client model and transmits it to normal execution unit 104 of server device 101 .
- the normal execution unit 104 of the server device 101 stores the re-encrypted client model in the storage unit. Specifically, it is as follows.
- step S108 the secure execution unit 105 of the server device 101 re-encrypts the client model M with the temporary key MKs for calculation. Specifically, the secure execution unit 105 of the server device 101 decrypts the client model M received from the client device 102 in step S107, and re-encrypts it with the temporary key MKs for calculation. Secure execution unit 105 of server device 101 then transmits client model EncMKs(M) re-encrypted with temporary key MKs to normal execution unit 104 of server device 101 . The normal execution unit 104 of the server device 101 stores the client model EncMKs(M) re-encrypted with the temporary key MKs in the storage unit. By the process of step S108, the server device 101 can reduce the memory consumption of the secure execution unit 105. FIG.
- step S101 to step S108 are executed by each client device 102, and client models are collected from each client device 102. After all client models have been collected, proceed to the next step.
- the server device 101 aggregates the client models to generate a global model.
- the secure execution unit 105 of the server device 101 executes aggregation processing for decrypting and aggregating the model information provided from the client device 102 via the secure communication path.
- the secure execution unit 105 of the server device 101 encrypts the model information obtained by the aggregation processing and transmits it to the normal execution unit 104 of the server device 101 .
- the model information is the client model.
- the normal execution unit 104 of the server device 101 stores the model information obtained by the aggregation process as a global model in an encrypted state in the storage unit. Specifically, it is as follows.
- step S109: the normal execution unit 104 of the server device 101 transmits the re-encrypted client models EncMKs(M) to the secure execution unit 105 of the server device 101. Rather than sending all re-encrypted client models at once, the normal execution unit 104 divides them into several parts and transmits them part by part. The secure execution unit 105 decrypts each part of EncMKs(M) it receives and holds the decrypted client model DecMKs(M). At any moment the client models DecMKs(M) held in the secure execution unit 105 are therefore only a portion of all client models, which reduces the memory consumption of the secure execution unit 105.
- The secure execution unit 105 of the server device 101 generates a global model by performing aggregation processing on the client models transmitted from the normal execution unit 104. At this time, the secure execution unit 105 performs contamination detection processing on the client models and excludes from aggregation any client model in which contamination is detected. Specifically, this proceeds as follows.
- step S110: the secure execution unit 105 of the server device 101 executes contamination detection and aggregation using the decrypted client models DecMKs(M). The aggregation processing is executed for each divided part of the client models DecMKs(M). The secure execution unit 105 also executes contamination detection processing that determines whether a decrypted client model DecMKs(M) is tainted, and does not aggregate client models in which contamination is detected.
- In the information processing system 100, the processing of steps S109 and S110 is repeated for each divided part of the client models. After the aggregation of all client models is complete, the process proceeds to step S111. Note that in step S110 a single global model may be generated by aggregating the per-part results across all parts; alternatively, each per-part aggregate may be used as a separate global model, yielding as many global models as there are parts.
- Next, the secure execution unit 105 of the server device 101 encrypts the global model and transmits it to the normal execution unit 104, which stores the encrypted global model in the storage unit. Specifically, this proceeds as follows.
- step S111: the secure execution unit 105 of the server device 101 encrypts the aggregated client model, as global model G, with the temporary key GKs for distribution, and transmits the encrypted global model EncGKs(G) to the normal execution unit 104 of the server device 101, which stores it.
- step S112: the normal execution unit 104 of the server device 101 transmits a distribution notification for the global model to the normal execution unit 106 of the client device 102. Alternatively, the normal execution unit 106 of the client device 102 may transmit a global model distribution request to the normal execution unit 104 of the server device 101.
- step S113: the normal execution unit 104 of the server device 101 transmits a secure execution unit authentication request to the normal execution unit 106 of the client device 102, in order to verify the correctness of the secure execution unit 107 of the client device 102.
- step S114: the normal execution unit 106 of the client device 102 transmits a request for provision of authentication information to the secure execution unit 107 of the client device 102.
- step S115: the secure execution unit 107 of the client device 102 transmits the authentication information and its public key PKc to the normal execution unit 106 of the client device 102.
- step S116: the normal execution unit 106 of the client device 102 forwards the authentication information and the public key PKc to the normal execution unit 104 of the server device 101. The normal execution unit 104 transmits a verification request for the authentication information to the verification unit 122 of the authentication server device 103, and the verification unit 122 returns the verification result to the normal execution unit 104. If the correctness of the secure execution unit 107 of the client device 102 is thereby verified, the normal execution unit 104 passes the public key PKc to the secure execution unit 105 of the server device 101.
- step S117: the secure execution unit 105 of the server device 101 performs a key exchange with the secure execution unit 107 of the client device 102 using the public key PKc, and establishes a secure communication path on which transmitted and received data is encrypted.
- step S118: the secure execution unit 105 of the server device 101 transmits the temporary key GKs for distribution to the secure execution unit 107 of the client device 102 over the secure communication path.
- step S119: the normal execution unit 104 of the server device 101 transmits the encrypted global model EncGKs(G) to the normal execution unit 106 of the client device 102.
- step S120: the normal execution unit 106 of the client device 102 passes the encrypted global model EncGKs(G) to the secure execution unit 107 of the client device 102 for learning or inference processing. The secure execution unit 107 decrypts EncGKs(G) with the temporary key GKs for distribution and executes the learning or inference processing.
- In this way, the client models and the global model are exchanged between the server device 101 and the client device 102 only in encrypted form, and are decrypted only within the secure execution units 105 and 107. Therefore, according to the information processing system 100 of this embodiment, the privacy of the clients and the security of the global model can be ensured.
- Further, the correctness of the secure execution units 105 and 107 of the server device 101 and the client device 102 is verified. Therefore, unauthorized processing by an unauthorized server device 101 or client device 102 can be prevented.
- Further, because the collected client models are held outside the secure execution unit in encrypted form and decrypted only a part at a time, the resource load on the secure execution unit can be reduced.
- Further, the global model is encrypted with a temporary key for distribution that is separate from the encryption key of the client models. This allows a model vendor to be given the temporary key for distribution and to adjust the global model, while the model vendor does not possess the encryption key of the client models, so the privacy of the clients is protected.
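The server-side flow of steps S108 to S120 above, simulated end to end in one process as an added example. This is illustrative code written for this page, not code from the patent or its applicant. It assumes a flat list of float weights as the model, a standard-library stand-in for the authenticated cipher (HMAC-SHA256 keystream plus HMAC-SHA256 tag, not AES-GCM), distance to the coordinate-wise mean as the contamination metric with a fixed threshold, and it elides the attestation and key-exchange steps S113 to S118 by handing GKs to the client secure unit directly. The names ServerSecureUnit, ClientSecureUnit, run_round and the sample client models are all assumptions.

```python
"""Added example: Embodiment 1 server flow (S108 to S120), simulated in-process."""
import hashlib
import hmac
import math
import os
import struct

# Illustrative symmetric authenticated encryption built only from the standard
# library: HMAC-SHA256 keystream XOR plus an HMAC-SHA256 tag.  It stands in for
# a real AEAD such as AES-GCM and is not meant for production use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(math.ceil(length / 32)))
    return b"".join(blocks)[:length]

def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# A model is a flat list of float weights, serialised as little-endian doubles.
def pack(model): return struct.pack(f"<{len(model)}d", *model)
def unpack(blob): return list(struct.unpack(f"<{len(blob) // 8}d", blob))

class ServerSecureUnit:
    """Secure execution unit 105 (assumed name).  MKs (temporary key for
    calculation) and GKs (temporary key for distribution) never leave it; the
    normal execution unit 104 only ever handles EncMKs(M) and EncGKs(G)."""

    def __init__(self, chunk_size: int, threshold: float):
        self.mks = os.urandom(32)
        self.gks = os.urandom(32)
        self.chunk_size = chunk_size   # client models decrypted at once (S109)
        self.threshold = threshold     # contamination threshold on the distance (S110)

    def ingest(self, client_model):
        # S108: the model arrived in plaintext over the attested secure channel;
        # re-encrypt it under MKs so the normal world can store it.
        return seal(self.mks, os.urandom(16), pack(client_model))

    def _parts(self, stored):
        # S109: the normal execution unit hands over the stored ciphertexts a few at a time.
        for i in range(0, len(stored), self.chunk_size):
            yield i, [unpack(open_(self.mks, c)) for c in stored[i:i + self.chunk_size]]

    def aggregate(self, stored):
        # S110, pass 1: coordinate-wise mean, streamed so that at most chunk_size
        # decrypted models are in secure memory at any time.
        n = len(stored)
        mean = None
        for _, part in self._parts(stored):
            for m in part:
                mean = [a + b / n for a, b in zip(mean or [0.0] * len(m), m)]
        # S110, pass 2: contamination detection (distance to the mean; the metric
        # is an assumption) and aggregation of the accepted models only.
        acc, kept, rejected = [0.0] * len(mean), 0, []
        for base, part in self._parts(stored):
            for j, m in enumerate(part):
                if math.dist(m, mean) > self.threshold:
                    rejected.append(base + j)
                    continue
                acc = [a + b for a, b in zip(acc, m)]
                kept += 1
        global_model = [a / kept for a in acc]
        # S111: the global model leaves the secure unit only under GKs, never MKs.
        return seal(self.gks, os.urandom(16), pack(global_model)), rejected

class ClientSecureUnit:
    """Secure execution unit 107 (assumed name).  GKs arrives in S118 over the
    attested channel; here it is handed over directly (attestation elided)."""
    def __init__(self, gks): self.gks = gks
    def load_global(self, enc_g): return unpack(open_(self.gks, enc_g))   # S120

# Constructed sample input: three similar clients and one poisoned client.
CLIENT_MODELS = [[1.0, 2.0], [1.1, 2.1], [0.9, 1.9], [10.0, -10.0]]

def run_round(client_models, chunk_size=2, threshold=5.0):
    server = ServerSecureUnit(chunk_size, threshold)
    stored = [server.ingest(m) for m in client_models]   # normal unit 104's storage
    enc_g, rejected = server.aggregate(stored)
    client = ClientSecureUnit(server.gks)
    # A model vendor holding only GKs can read the global model but not the
    # stored client models, which are under MKs.
    try:
        open_(server.gks, stored[0])
        vendor_reads_clients = True
    except ValueError:
        vendor_reads_clients = False
    return {"global_model": client.load_global(enc_g), "rejected": rejected,
            "vendor_reads_client_models": vendor_reads_clients}
```

run_round(CLIENT_MODELS) rejects the fourth (poisoned) client, returns the average of the three accepted models as the global model, and reports that GKs does not open a stored EncMKs(M), which is the key separation the preceding paragraph relies on. Throughout, the secure unit holds at most chunk_size decrypted models, the point of the divided transfer in step S109.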
- In this embodiment, the functions of the server device 101, the client device 102, and the authentication server device 103 are realized by software.
- As a modification, the functions of the server device 101, the client device 102, and the authentication server device 103 may be realized by hardware.
- In that case, the information processing system 100 includes an electronic circuit 909 instead of the processor 910.
- FIG. 5 is a diagram showing a hardware configuration example of an information processing system 100 according to a modification of this embodiment.
- the electronic circuit 909 is a dedicated electronic circuit that implements the functions of the server device 101 , the client device 102 , and the authentication server device 103 .
- The electronic circuit 909 is specifically a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, a logic IC, a GA, an ASIC, or an FPGA.
- GA is an abbreviation for Gate Array.
- ASIC is an abbreviation for Application Specific Integrated Circuit.
- FPGA is an abbreviation for Field-Programmable Gate Array.
- the functions of the server device 101, the client device 102, and the authentication server device 103 may be realized by one electronic circuit, or may be distributed and realized by a plurality of electronic circuits.
- part of the functions of each of the server device 101, the client device 102, and the authentication server device 103 may be realized by electronic circuits, and the remaining functions may be realized by software. Also, part or all of the functions of the server device 101, the client device 102, and the authentication server device 103 may be realized by firmware.
- Each processor and electronic circuit is also called processing circuitry. That is, the functions of the server device 101, the client device 102, and the authentication server device 103 are implemented by processing circuitry.
- Embodiment 2. In this embodiment, points that differ from the first embodiment and points added to it are mainly described. Components having the same functions as in the first embodiment are given the same reference numerals, and their description is omitted.
- In the first embodiment, the server device 101 has a virtually separated execution environment provided by a TEE. In this embodiment, a mode is described in which the server device 101 has no TEE-based virtually separated execution environment and instead uses homomorphic encryption, which allows operations to be performed on data while it remains encrypted.
- FIG. 6 is a diagram showing a configuration example of the information processing system 100 according to this embodiment.
- In this embodiment, the server device 101 has only a normal execution unit 104, i.e. a normal execution environment. The normal execution unit 104 of the server device 101 includes a federated learning management unit 108, an aggregation unit 113 and a contamination detection unit 114.
- the client device 102 of the present embodiment has a configuration in which the normal execution unit 106 and the secure execution unit 107 can be virtually separated, as in the first embodiment.
- the configuration of the normal execution unit 106 of the client device 102 is the same as that of the first embodiment.
- Secure execution unit 107 of client device 102 includes homomorphic encryption/decryption unit 140 in addition to the same configuration as in the first embodiment.
- a homomorphic encryption/decryption unit 140 homomorphically encrypts/decrypts model information exchanged with the server device 101 .
- the model information is a client model and a global model.
- the encryption/decryption unit 119 of the client device 102 encrypts/decrypts model information exchanged with the server device 101 .
- the authentication server device 103 includes a verification unit 122 as in the first embodiment.
- verification section 122 verifies the authentication information of secure execution section 107 .
- With the configuration described above, the information processing system 100 of FIG. 6 protects the client models and the global model and verifies the correctness of the secure execution unit 107. Further, the normal execution unit 104 of the server device 101 performs contamination detection and aggregation on the client models while they remain homomorphically encrypted. As a result, federated learning that takes security and privacy into account is realized.
- the hardware configuration example of the information processing system 100 according to the present embodiment is the same as that of the first embodiment.
- the secure execution unit of the client device 102 executes homomorphic encryption on the client model, which is model information to be provided to the server device 101 .
- the normal execution unit 104 of the server device 101 executes an aggregation process of aggregating homomorphically encrypted client models while they are homomorphically encrypted. Then, the normal execution unit 104 of the server device 101 stores the global model obtained by the aggregation process in the storage unit in a homomorphically encrypted state.
- the normal execution unit 104 of the server device 101 executes contamination detection processing for detecting contamination while homomorphically encrypted on the homomorphically encrypted client model.
- a distributed machine learning algorithm typified by federated learning is executed in an exchange 123 between the federated learning management units 108 and 115 of the server device 101 and the client device 102, respectively. It is assumed that there are multiple client devices 102 .
- The virtual separation of the normal execution unit 106 and the secure execution unit 107 of the client device 102 is realized by TEE technology such as Arm TrustZone or Intel (registered trademark) SGX, for example.
- the federated learning management units 108 and 115 collect client models for federated learning or deliver global models. Also, the federated learning management unit 115 of the client device 102 verifies the correctness of the secure execution unit 107 by means of the authentication management unit 116 (process 125).
- Authentication management unit 116 acquires authentication information for verifying the correctness of secure execution unit 107 from authentication unit 118 in secure execution unit 107 (process 127).
- the authentication unit 118 outputs authentication information (process 127).
- The authentication information is, for example, a hash value and a signature of the secure execution unit as started. Authentication of the secure execution unit 107 is realized, for example, by remote attestation.
- the verification unit 122 acquires the authentication information from the authentication management unit 116 and verifies whether the secure execution unit 107 has started correctly (process 129).
- the aggregation unit 113 acquires the homomorphically encrypted client models collected by the federated learning management unit 108 (process 225) and aggregates them. Aggregation is, for example, calculating an average value of client models. However, the operation remains homomorphically encrypted.
- The contamination detection unit 114 acquires the homomorphically encrypted client models collected by the federated learning management unit 108 (process 226) and detects contamination of the client models. Contamination detection is, for example, calculating the inter-model distance between client models and treating a client model as contaminated when the distance is large. However, since the calculation is performed while the data is homomorphically encrypted, the server device 101 cannot read the distance; it is the client device 102 that decrypts the result and determines the magnitude of the distance.
- the learning/inference management unit 117 uses the global model distributed from the server device 101 to manage execution of learning or inference processing (process 136).
- the homomorphic encryption/decryption unit 140 performs homomorphic encryption processing on the client model provided to the server device 101 by the federated learning management unit 115 (process 223). Alternatively, the homomorphic encryption/decryption unit 140 decrypts the homomorphically encrypted global model distributed from the server device 101 (process 224).
- the encryption/decryption unit 119 re-encrypts the global model decrypted by homomorphic encryption. Alternatively, the encryption/decryption unit 119 decrypts the encrypted model information (process 223).
- the learning unit 120 performs learning using the global model decrypted by the encryption/decryption unit 119 from the learning/inference management unit 117 (process 137).
- the inference unit 121 executes inference from the learning/inference management unit 117 using the global model decrypted by the encryption/decryption unit 119 (process 138).
- An operation procedure of the information processing system 100 corresponds to an information processing method.
- a program that implements the operation of the information processing system 100 corresponds to an information processing program.
- FIG. 7 is a sequence diagram showing the operation of client model collection in information processing system 100 according to the present embodiment.
- FIG. 8 is a sequence diagram showing global model distribution operations in the information processing system 100 according to the present embodiment.
- These sequence diagrams show the exchanges between the server device 101 and the client device 102 in the information processing system 100 of this embodiment, divided into the normal execution units 104 and 106 and the secure execution unit 107.
- step S201: the normal execution unit 104 of the server device 101 transmits a client model provision request to the normal execution unit 106 of the client device 102.
- step S202: the normal execution unit 106 of the client device 102 acquires the homomorphically encrypted client model HEMKc(M) from the secure execution unit 107 of the client device 102.
- step S203: the normal execution unit 106 of the client device 102 transmits the homomorphically encrypted client model HEMKc(M) to the normal execution unit 104 of the server device 101.
- Steps S201 to S203 are executed for each client, so that the server device 101 collects all client models. After the collection of all client models is complete, step S204 is executed.
- step S204: the normal execution unit 104 of the server device 101 performs contamination detection and aggregation on the homomorphically encrypted client models HEMKc(M) while they remain encrypted. It treats the aggregated client model as the global model and stores the homomorphically encrypted global model HEGKs(G), together with the contamination detection result, in the storage unit.
- step S205 the normal execution unit 104 of the server device 101 transmits a distribution notification of the global model to the normal execution unit 106 of the client device 102.
- a global model distribution request may be transmitted from the normal execution unit 106 of the client device 102 to the normal execution unit 104 of the server device 101 .
- step S206: the normal execution unit 104 of the server device 101 transmits a secure execution unit authentication request to the normal execution unit 106 of the client device 102, in order to verify the correctness of the secure execution unit 107 of the client device 102.
- step S207: the normal execution unit 106 of the client device 102 transmits a request for provision of authentication information to the secure execution unit 107 of the client device 102.
- step S208: the secure execution unit 107 of the client device 102 transmits the authentication information and its public key PKc to the normal execution unit 106 of the client device 102.
- step S209: the normal execution unit 106 of the client device 102 forwards the authentication information and the public key PKc to the normal execution unit 104 of the server device 101. The normal execution unit 104 transmits a verification request for the authentication information to the verification unit 122 of the authentication server device 103, and the verification unit 122 returns the verification result to the normal execution unit 104. If the correctness of the secure execution unit 107 of the client device 102 is verified, the normal execution unit 104 of the server device 101 accepts the public key PKc; since the server device 101 has no secure execution unit in this embodiment, the normal execution unit 104 itself uses PKc in the following key exchange.
- step S210 the normal execution unit 104 of the server device 101 exchanges keys with the secure execution unit 107 of the client device 102 using the public key PKc, and establishes a secure communication path in which transmitted and received data is encrypted.
- step S211 the normal execution unit 104 of the server device 101 transmits the homomorphically encrypted global model HEGKs(G) and the contamination detection result to the secure execution unit 107 of the client device 102 over a secure communication channel.
- step S212 the secure execution unit 107 of the client device 102 decrypts the homomorphically encrypted global model HEGKs(G) and the contamination detection result.
- the secure execution unit 107 of the client device 102 encrypts the global model with the model protection key GKc of the client if the client model is not tainted from the contamination detection result.
- Secure execution unit 107 of client device 102 then transmits the encrypted global model EncGKc(G) to normal execution unit 106 of client device 102 .
- step S214: the normal execution unit 106 of the client device 102 passes the encrypted global model EncGKc(G) to the secure execution unit 107 of the client device 102 for learning or inference processing. The secure execution unit 107 decrypts EncGKc(G) with the client's model protection key GKc and executes the learning or inference processing.
- In this way, the client models and the global model are exchanged between the server device 101 and the client device 102 only in homomorphically encrypted form. They are either operated on while homomorphically encrypted or decrypted only by the secure execution unit of the client device 102. Therefore, the privacy of the clients and the security of the global model can be ensured.
- Further, the correctness of the secure execution unit of the client device 102 is verified, so unauthorized processing by an unauthorized client device 102 can be prevented. Furthermore, because the secure execution unit of the client device 102 checks the contamination detection result together with the global model, learning interference from a malicious client can be prevented. Note that in this embodiment only the client's secure execution unit is attested; the server's normal execution unit 104 is not verified, and the confidentiality of the models on the server side rests on the homomorphic encryption alone.
- Further, the resource load on the secure execution unit can be reduced.
- Embodiment 3. In this embodiment, differences from Embodiments 1 and 2 and points added to them are mainly described. Components having the same functions as in the first and second embodiments are given the same reference numerals, and their description is omitted.
- FIG. 9 is a diagram showing a configuration example of an information processing system 100 according to this embodiment.
- Server device 101 has a configuration that can be virtually separated into normal execution unit 104 and secure execution unit 105, as in the first embodiment.
- the client device 102 also has a configuration that can be virtually separated into a normal execution unit 106 and a secure execution unit 107, as in the first and second embodiments.
- The normal execution unit 104 of the server device 101 includes a federated learning management unit 108, an authentication management unit 109, an aggregation unit 113 and a contamination detection unit 114.
- Secure execution unit 105 of server device 101 includes authentication unit 110 , encryption/decryption unit 111 , and homomorphic encryption/decryption unit 140 .
- the homomorphic encryption/decryption unit 140 homomorphically encrypts/decrypts information exchanged with the normal execution unit 104 of the server device 101 .
- the normal execution unit 104 of the client device 102 includes a federated learning management unit 115, an authentication management unit 116, and a learning/inference management unit 117, as in the first embodiment.
- Secure execution unit 107 of client device 102 includes authentication unit 118, encryption/decryption unit 119, learning unit 120, and inference unit 121, as in the first embodiment.
- the authentication server device 103 has a verification section 122 .
- Verification unit 122 verifies the authentication information of each of secure execution unit 105 and secure execution unit 107 .
- the information processing system 100 in FIG. 9 protects the client model and the global model, and detects the correctness of each of the secure execution units 105 and 107 and contamination of the client model by configuring as described above. As a result, federated learning that takes security and privacy into consideration is realized.
- the hardware configuration example of the information processing system 100 according to the present embodiment is the same as that of the first embodiment.
- Normal execution units 104 and 106 mutually authenticate the correctness of activation of secure execution units 105 and 107 .
- a secure communication path is established between the secure execution units 105 and 107 to exchange encrypted data.
- Secure execution unit 105 of server device 101 executes homomorphic encryption on a client model, which is model information provided from client device 102 via a secure communication channel. Then, the secure execution unit 105 of the server device 101 stores the homomorphically encrypted model information in the storage unit in a homomorphically encrypted state.
- the normal execution unit 104 of the server device 101 executes an aggregation process of aggregating homomorphically encrypted model information while it is homomorphically encrypted. Then, the normal execution unit 104 of the server device 101 stores the global model, which is the model information obtained by the aggregation processing, in the storage unit in a homomorphically encrypted state.
- the normal execution unit 104 of the server device 101 executes contamination detection processing for detecting contamination while the client model, which is homomorphically encrypted model information, remains homomorphically encrypted.
- a distributed machine learning algorithm typified by federated learning is executed in an exchange 123 between the federated learning management units 108 and 115 of the server device 101 and the client device 102, respectively. It is assumed that there are multiple client devices 102 .
- The virtual separation of the normal execution unit 106 and the secure execution unit 107 of the client device 102 is realized by TEE technology such as Arm TrustZone or Intel (registered trademark) SGX, for example.
- the federated learning management units 108 and 115 verify the correctness of each other's secure execution units 105 and 107 with the respective authentication management units 109 and 116 . This processing is the same as that described in the first embodiment.
- the encryption/decryption unit 111 decrypts client models collected from the client devices 102 by the federated learning management unit 108 for each client. Alternatively, the encryption/decryption unit 111 encrypts the global model distributed to the client device 102 by the federated learning management unit 108 for each client (process 130).
- the homomorphic encryption/decryption unit 140 homomorphically encrypts the collected client models using a temporary common key (process 331 ) and stores them in the normal execution unit 104 .
- the homomorphic encryption/decryption unit 140 acquires the homomorphically encrypted global model from the normal execution unit 104 and decrypts it (process 332).
- the aggregating unit 113 acquires the collected homomorphically encrypted client models (process 332) and aggregates them. Aggregation is, for example, calculating an average value of client models. However, in the present embodiment, the calculation is performed as it is homomorphically encrypted.
- the contamination detection unit 114 acquires the collected homomorphically encrypted client models (process 333), and detects contamination of the client models while homomorphically encrypted. Contamination detection is, for example, calculating the inter-model distance between client models, and detecting that the client model is contaminated when the distance is large. However, in the present embodiment, since the calculation is performed while the data is homomorphically encrypted, the determination of the magnitude of the distance is performed after decryption by the secure execution unit 105 of the server device 101 .
- The function by which the client device 102 provides its client model to the server device 101, and the function of learning or inferring with the global model distributed from the server device 101, are the same as those described in the first embodiment.
- An operation procedure of the information processing system 100 corresponds to an information processing method.
- a program that implements the operation of the information processing system 100 corresponds to an information processing program.
- FIG. 10 is a sequence diagram showing the operation of client model collection in information processing system 100 according to the present embodiment.
- FIG. 11 is a sequence diagram showing the operation of global model distribution in information processing system 100 according to the present embodiment.
- These sequence diagrams show the exchanges between the server device 101 and the client device 102 in the information processing system 100, divided into the normal execution units 104 and 106 and the secure execution units 105 and 107.
- steps S301 to S307: the processing of steps S301 to S307 is the same as that of steps S101 to S107 described in the first embodiment. That is, in step S307 the secure execution unit 107 of the client device 102 transmits the client model M to the secure execution unit 105 of the server device 101 over the secure communication channel.
- step S308: the secure execution unit 105 of the server device 101 homomorphically encrypts the client model M with the temporary key MKs for calculation, so as to reduce the memory consumption of the secure execution unit 105. It then transmits the homomorphically encrypted client model HEMKs(M) to the normal execution unit 104 of the server device 101, which stores it.
- step S301 to S308 are executed by each client, and client models are collected from all client devices 102. After the collection of all client models is completed, the next step S309 is executed.
- step S309: the normal execution unit 104 of the server device 101 performs contamination detection and aggregation on the homomorphically encrypted client models HEMKs(M) while they remain encrypted.
- step S310: the normal execution unit 104 of the server device 101 treats the aggregated client model as the global model and transmits the homomorphically encrypted global model HEGKs(G), together with the contamination detection result, to the secure execution unit 105 of the server device 101.
- step S311: the secure execution unit 105 of the server device 101 decrypts the homomorphically encrypted global model HEGKs(G) and the contamination detection result. If contamination is detected, the tainted client model is not included in the aggregate; for example, the global model may be discarded when a tainted client model is detected.
- Secure execution unit 105 of server device 101 encrypts global model G with temporary key GKs for distribution, and transmits encrypted global model EncGKs(G) to normal execution unit 104 of server device 101 .
- the normal execution unit 104 of the server device 101 stores the encrypted global model EncGKs(G).
- steps S312 to S320: the processing of steps S312 to S320 is the same as that of steps S112 to S120 described in the first embodiment. Finally, in step S320, the normal execution unit 106 of the client device 102 passes the encrypted global model EncGKs(G) to the secure execution unit 107 of the client device 102 for learning or inference processing, and the secure execution unit 107 decrypts EncGKs(G) with the temporary key GKs for distribution and executes the learning or inference processing.
- the client model and the global model are encrypted and exchanged between the server device 101 and the client device 102 .
- the normal execution unit of the server device 101 computation is performed while encrypted by homomorphic encryption.
- it is decrypted only by the secure execution unit of each device of the server device 101 and the client device 102 . Therefore, the privacy of the client and the security of the global model can be ensured.
- the correctness of each secure execution unit of the server device 101 and the client device 102 is verified. Therefore, unauthorized processing by the unauthorized server device 101 and the client device 102 can be prevented. Furthermore, by detecting model pollution when aggregating client models, learning interference from malicious clients can be prevented.
- aggregation of client models and detection of model contamination in the server device 101 are performed by the normal execution unit, which has abundant memory and computational resources while encrypted using homomorphic encryption, due to the limited memory resources of the secure execution unit. It is realized by
- the global model is encrypted with a temporary key for distribution, separate from the encryption key of the client model. This also allows the model vendor to have a temporary key for distribution and adjust the global model. At this time, since the model vendor does not possess the encryption key of the client model, the privacy of the client is protected.
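- The aggregation path described above, as an added example that is not part of the patent: client models are encrypted under a homomorphic key held only by the secure execution unit, the normal execution unit sums them without any key, and only the secure execution unit decrypts the result. The example uses a textbook Paillier cryptosystem, which is additively homomorphic; the patent does not name a specific scheme. The Mersenne-prime parameters, the fixed-point scale and the three client models are constructed for the demo and are far too small to be secure. The contamination check under homomorphic encryption is not shown, since an additive scheme cannot compute a model distance by itself, and the re-encryption of the result under the separate distribution key GKs is the step that follows this code.

```python
"""Homomorphic aggregation of client models, split between a normal execution
unit that holds no key and a secure execution unit that holds the private
key. Added example, not the patent's code. The Paillier parameters below are
fixed Mersenne primes chosen only so the demo is self-contained: they are far
too small for real use, where a vetted library and a 2048-bit or larger
modulus are required."""
import math
import random

# Constructed demo primes (NOT secure): 2^61-1 and 2^89-1 are Mersenne primes.
P = (1 << 61) - 1
Q = (1 << 89) - 1
SCALE = 1000  # fixed-point scale: weights are encoded with 3 decimal places


def paillier_keygen(p=P, q=Q):
    """Return (public_key, private_key) for the Paillier cryptosystem."""
    n = p * q
    n_sq = n * n
    g = n + 1
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    # mu = (L(g^lam mod n^2))^-1 mod n, where L(x) = (x - 1) / n
    mu = pow((pow(g, lam, n_sq) - 1) // n, -1, n)
    return (n, g), (n, lam, mu)


def encrypt(pk, m, rng=None):
    """Enc(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pk
    n_sq = n * n
    rng = rng or random.SystemRandom()
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(sk, c):
    """Dec(c) = L(c^lam mod n^2) * mu mod n."""
    n, lam, mu = sk
    n_sq = n * n
    return ((pow(c, lam, n_sq) - 1) // n * mu) % n


def add_encrypted(pk, c1, c2):
    """Additive homomorphism: Enc(a) * Enc(b) mod n^2 decrypts to a + b."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def encode(pk, w):
    """Signed fixed-point encoding; negative values wrap modulo n."""
    n, _ = pk
    return int(round(w * SCALE)) % n


def decode(pk, m):
    """Inverse of encode: residues above n/2 represent negative values."""
    n, _ = pk
    if m > n // 2:
        m -= n
    return m / SCALE


def client_encrypt_model(pk, weights):
    """Client secure execution unit: encrypt each weight under the model key."""
    return [encrypt(pk, encode(pk, w)) for w in weights]


def normal_unit_aggregate(pk, encrypted_models):
    """Server normal execution unit: element-wise sum, no private key needed."""
    total = list(encrypted_models[0])
    for model in encrypted_models[1:]:
        total = [add_encrypted(pk, a, b) for a, b in zip(total, model)]
    return total


def secure_unit_finalize(pk, sk, encrypted_sum, num_clients):
    """Server secure execution unit: decrypt the sum and average the models.
    This is the only function that ever sees the private key."""
    return [decode(pk, decrypt(sk, c)) / num_clients for c in encrypted_sum]


def demo():
    """Three constructed client models averaged without the normal unit ever
    seeing a plaintext weight. Returns the global model [0.0, -1/3, 2.0]."""
    pk, sk = paillier_keygen()
    client_models = [[0.5, -1.25, 2.0], [1.5, -0.75, 0.0], [-2.0, 1.0, 4.0]]
    encrypted = [client_encrypt_model(pk, m) for m in client_models]
    encrypted_sum = normal_unit_aggregate(pk, encrypted)
    return secure_unit_finalize(pk, sk, encrypted_sum, len(client_models))


if __name__ == "__main__":
    print(demo())
```

The private key is passed only to secure_unit_finalize, which is the boundary the patent draws around the secure execution unit; normal_unit_aggregate works with the public key alone and so learns nothing about an individual client model. Fixed-point encoding is what makes averaging possible under an integer scheme; the sum must stay well below n/2 in magnitude, which holds trivially here and must be budgeted for real weight ranges and client counts.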
- Embodiment 4. In this embodiment, points that differ from the first embodiment and points added to the first embodiment are mainly described.
- The same reference numerals are assigned to components having the same functions as those of the first embodiment, and their description is omitted.
- In the first embodiment, the secure execution unit 105 of the server device 101 is configured to include the contamination detection unit 114.
- In this embodiment, a mode in which the secure execution unit 107 of the client device 102 includes the contamination detection unit 114 is described.
- FIG. 12 is a diagram showing a configuration example of the information processing system 100 according to this embodiment.
- In this embodiment, the secure execution unit 105 of the server device 101 described in the first embodiment does not have the contamination detection unit 114.
- Instead, a contamination detection unit 114 is provided in the secure execution unit 107 of the client device 102 described in the first embodiment.
- The secure execution unit 107 of the client device 102 executes contamination detection processing to detect whether or not the client model to be provided to the server device 101 is tainted. The secure execution unit 107 of the client device 102 then does not provide a contaminated client model to the server device 101.
- Otherwise, the configuration is the same as that of the information processing system 100 described in the first embodiment.
- The secure execution unit 107 includes the authentication unit 118, the encryption/decryption unit 119, the contamination detection unit 114, the learning unit 120, and the inference unit 121.
- The contamination detection unit 114 detects contamination of the client model to be provided to the server device 101.
- The information processing system 100 in FIG. 12 protects the client model and the global model, verifies the correctness of each of the secure execution units 105 and 107, and detects contamination of the client model. As a result, federated learning that takes security and privacy into consideration is realized.
- A distributed machine learning algorithm, typified by federated learning, is executed through the exchange 123 between the federated learning management units 108 and 115 of the server device 101 and the client device 102, respectively. It is assumed that there are multiple client devices 102.
- The federated learning management units 108 and 115 verify the correctness of each other's secure execution units 105 and 107 through the respective authentication management units 109 and 116. This processing is the same as that described in the first embodiment.
- The processing by the encryption/decryption unit 111, the processing by the re-encryption/decryption unit 112, and the processing by the aggregation unit 113 in the server device 101 are also the same as in the first embodiment.
- The processing by the encryption/decryption unit 119 in the client device 102 is also the same as in the first embodiment.
- The contamination detection unit 114 of the client device 102 detects contamination of the client model to be provided to the server device 101 (process 435).
- Contamination detection means, for example, calculating the inter-model distance between the client model and the original global model and judging the client model to be tainted when the distance is large, or detecting contamination from the output results for specific test data.
- The processing by the learning/inference management unit 117, the processing by the learning unit 120, and the processing by the inference unit 121 in the client device 102 are the same as in the first embodiment. However, the learning/inference management unit 117, the learning unit 120, and the inference unit 121 do not use a client model in which contamination has been detected.
- The hardware configuration example of the information processing system 100 according to this embodiment is the same as that of the first embodiment.
- As described above, in this embodiment the secure execution unit 107 of the client device 102 may include the contamination detection unit 114.
- The secure execution unit 107 of the client device 102 executes contamination detection processing to detect whether or not the client model to be provided to the server device 101 is tainted, and does not provide a contaminated client model to the server device 101.
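- The two detection methods described above, implemented as a client-side gate in the spirit of this embodiment (an added example, not the patent's code): an inter-model distance between the client model and the global model the round started from, and the outputs on a small held-out test set. The linear classifier, the global model, the test data, the candidate models and the thresholds max_distance and min_accuracy are all constructed for the demo. The third candidate has its weights scaled up, which leaves every test prediction intact but moves it far from the global model, so only the distance check catches it; the label-flipped candidate fails both checks.

```python
"""Client-side contamination check that runs before a client model leaves the
client device, in the spirit of the fourth embodiment. Added example, not the
patent's code. Models are weight vectors of a linear classifier (last weight
is the bias); the global model, the test set, the candidate models and the
thresholds below are constructed for the demo."""
import math

# Constructed: the global model the round started from, separating points
# with x0 > x1 (label 1) from points with x0 < x1 (label 0).
GLOBAL_MODEL = [1.0, -1.0, 0.0]

# Constructed held-out test data: ((x0, x1), label).
TEST_SET = [
    ((2.0, 1.0), 1), ((1.0, 2.0), 0), ((3.0, 0.0), 1),
    ((0.0, 3.0), 0), ((1.5, 1.0), 1), ((0.5, 1.0), 0),
]

# Constructed candidate client models for one round.
HONEST_MODEL = [1.1, -0.9, 0.05]   # small drift, same behaviour
FLIPPED_MODEL = [-1.0, 1.0, 0.0]   # label-flipped training: inverts every answer
SCALED_MODEL = [5.0, -5.0, 0.0]    # same boundary, weights boosted 5x


def l2_distance(a, b):
    """Euclidean inter-model distance over the weight vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def predict(weights, x):
    """Linear classifier: 1 if w . x + bias >= 0 else 0."""
    score = sum(w * xi for w, xi in zip(weights, x)) + weights[-1]
    return 1 if score >= 0 else 0


def accuracy(weights, test_set):
    """Fraction of test points the model labels correctly."""
    hits = sum(predict(weights, x) == y for x, y in test_set)
    return hits / len(test_set)


def contamination_check(client_model, global_model, test_set,
                        max_distance=2.0, min_accuracy=0.8):
    """Return (tainted, reasons). Both methods named in the text are applied:
    the inter-model distance and the outputs on specific test data."""
    reasons = []
    dist = l2_distance(client_model, global_model)
    if dist > max_distance:
        reasons.append(f"distance {dist:.3f} exceeds {max_distance}")
    acc = accuracy(client_model, test_set)
    if acc < min_accuracy:
        reasons.append(f"test accuracy {acc:.2f} below {min_accuracy}")
    return bool(reasons), reasons


def prepare_upload(client_model, global_model=GLOBAL_MODEL, test_set=TEST_SET):
    """Gate in the client's secure execution unit: returns the model to send
    to the server, or None when contamination is detected (nothing is sent)."""
    tainted, _ = contamination_check(client_model, global_model, test_set)
    return None if tainted else list(client_model)


def demo():
    """Which constructed models pass the gate, and why the others do not."""
    results = {}
    for name, model in (("honest", HONEST_MODEL), ("flipped", FLIPPED_MODEL),
                        ("scaled", SCALED_MODEL)):
        results[name] = contamination_check(model, GLOBAL_MODEL, TEST_SET)
    return results


if __name__ == "__main__":
    for name, (tainted, reasons) in demo().items():
        print(name, "tainted" if tainted else "ok", reasons)
```

The two checks are complementary: a distance bound stops a model that would dominate the aggregate regardless of what it predicts, while the test-data check catches a model that stays close in weight space but misbehaves on inputs the client cares about. Because the gate runs inside the client's secure execution unit, a tainted model is never transmitted at all, which is the difference from the server-side detection of the earlier embodiments.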
- In the above embodiments, each part of each device of the information processing system has been described as an independent functional block.
- However, the configuration of each device of the information processing system need not be the configuration of the above embodiments.
- The functional blocks of each device of the information processing system may have any configuration as long as they can implement the functions described in the above embodiments.
- Each device in the information processing system may be a single device, or may be a system composed of a plurality of devices.
- It is also possible to combine a plurality of portions of the first to fourth embodiments. Alternatively, only one portion of these embodiments may be implemented. These embodiments may be implemented in any combination, as a whole or in part. That is, in Embodiments 1 to 4, each embodiment may be freely combined with the others, any component of each embodiment may be modified, and any component of each embodiment may be omitted.
- Reference signs: 100 information processing system; 101 server device; 102 client device; 103 authentication server device; 104, 106 normal execution unit; 105, 107 secure execution unit; 108, 115 federated learning management unit; 109, 116 authentication management unit; 110, 118 authentication unit; 111, 119 encryption/decryption unit; 112 re-encryption/decryption unit; 113 aggregation unit; 114 contamination detection unit; 117 learning/inference management unit; 120 learning unit; 121 inference unit; 122 verification unit; 140 homomorphic encryption/decryption unit; 909 electronic circuit; 910 processor; 921 memory; 922 auxiliary storage device; 930 input interface; 940 output interface; 950 communication device.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
Priority Applications (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202180104928.2A CN118382866A (zh) | 2021-12-21 | 2021-12-21 | Information processing system, information processing method, and information processing program |
| PCT/JP2021/047341 WO2023119421A1 (ja) | 2021-12-21 | 2021-12-21 | Information processing system, information processing method, and information processing program |
| JP2023567036A JP7466800B2 (ja) | 2021-12-21 | 2021-12-21 | Information processing system, information processing method, and information processing program |
| DE112021008542.5T DE112021008542T5 (de) | 2021-12-21 | 2021-12-21 | Information processing system, information processing method, and information processing program |
| US18/643,437 US20240273220A1 (en) | 2021-12-21 | 2024-04-23 | Information processing system, information processing method and computer readable medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2021/047341 WO2023119421A1 (ja) | 2021-12-21 | 2021-12-21 | Information processing system, information processing method, and information processing program |
Related Child Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US18/643,437 Continuation US20240273220A1 (en) | 2021-12-21 | 2024-04-23 | Information processing system, information processing method and computer readable medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2023119421A1 (ja) | 2023-06-29 |
Family
ID=86901624
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2021/047341 Ceased WO2023119421A1 (ja) | 2021-12-21 | 2021-12-21 | Information processing system, information processing method, and information processing program |
Country Status (5)
| Country | Link |
|---|---|
| US (1) | US20240273220A1 |
| JP (1) | JP7466800B2 |
| CN (1) | CN118382866A |
| DE (1) | DE112021008542T5 |
| WO (1) | WO2023119421A1 |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114091653B (zh) * | 2021-11-06 | 2024-07-16 | Alipay (Hangzhou) Information Technology Co., Ltd. | Model running method and apparatus |
| JP2024017375A (ja) * | 2022-07-27 | 2024-02-08 | NEC Corporation | Information processing device, vulnerability determination method, and vulnerability determination program |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20200394518A1 (en) * | 2019-06-12 | 2020-12-17 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | Method for collaborative learning of an artificial neural network without disclosing training data |
| WO2021111540A1 (ja) * | 2019-12-04 | 2021-06-10 | Fujitsu Limited | Evaluation method, evaluation program, and information processing device |
2021
- 2021-12-21 CN CN202180104928.2A patent/CN118382866A/zh active Pending
- 2021-12-21 WO PCT/JP2021/047341 patent/WO2023119421A1/ja not_active Ceased
- 2021-12-21 JP JP2023567036A patent/JP7466800B2/ja active Active
- 2021-12-21 DE DE112021008542.5T patent/DE112021008542T5/de active Pending
2024
- 2024-04-23 US US18/643,437 patent/US20240273220A1/en active Pending
Non-Patent Citations (1)
| Title |
|---|
| ARUP MONDAL; YASH MORE; RUTHU HULIKAL ROOPARAGHUNATH; DEBAYAN GUPTA: "Flatee: Federated Learning Across Trusted Execution Environments", arXiv.org, Cornell University Library, 12 November 2021 (2021-11-12), XP091098876, DOI: 10.48550/arXiv.2111.06867 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2025150100A1 (ja) * | 2024-01-09 | 2025-07-17 | Mitsubishi Electric Corporation | Machine learning system, server device, client device, machine learning method, and machine learning program |
| JP7774775B1 (ja) * | 2024-01-09 | 2025-11-21 | Mitsubishi Electric Corporation | Machine learning system, server device, client device, machine learning method, and machine learning program |
Also Published As
| Publication number | Publication date |
|---|---|
| DE112021008542T5 (de) | 2024-10-24 |
| CN118382866A (zh) | 2024-07-23 |
| JPWO2023119421A1 (ja) | 2023-06-29 |
| US20240273220A1 (en) | 2024-08-15 |
| JP7466800B2 (ja) | 2024-04-12 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21968858; Country of ref document: EP; Kind code of ref document: A1 |
| | WWE | Wipo information: entry into national phase | Ref document number: 2023567036; Country of ref document: JP |
| | WWE | Wipo information: entry into national phase | Ref document number: 202180104928.2; Country of ref document: CN |
| | WWE | Wipo information: entry into national phase | Ref document number: 112021008542; Country of ref document: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 21968858; Country of ref document: EP; Kind code of ref document: A1 |