WO2024004212A1 - 推論検証システムおよび推論検証方法 - Google Patents

推論検証システムおよび推論検証方法 Download PDF

Info

Publication number
WO2024004212A1
WO2024004212A1 PCT/JP2022/026498 JP2022026498W WO2024004212A1 WO 2024004212 A1 WO2024004212 A1 WO 2024004212A1 JP 2022026498 W JP2022026498 W JP 2022026498W WO 2024004212 A1 WO2024004212 A1 WO 2024004212A1
Authority
WO
WIPO (PCT)
Prior art keywords
inference
verification
protocol
proof
layer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2022/026498
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
悠太郎 西田
聖 安田
義博 小関
悟一郎 花岡
ナッタポン アッタラパドゥン
祐介 坂井
ヤコブ クロイス ナカムラ シュルツ
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mitsubishi Electric Corp
Original Assignee
Mitsubishi Electric Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mitsubishi Electric Corp filed Critical Mitsubishi Electric Corp
Priority to PCT/JP2022/026498 priority Critical patent/WO2024004212A1/ja
Priority to DE112022007141.9T priority patent/DE112022007141T5/de
Priority to JP2024519956A priority patent/JP7493697B1/ja
Priority to CN202280097511.2A priority patent/CN119452366A/zh
Publication of WO2024004212A1 publication Critical patent/WO2024004212A1/ja
Priority to US18/966,341 priority patent/US20250094783A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/0464Convolutional networks [CNN, ConvNet]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/048Activation functions
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • G06N3/084Backpropagation, e.g. using gradient descent

Definitions

  • This disclosure relates to verification of inference models using zero-knowledge proofs.
  • AI inference techniques using neural networks have had great success in machine learning tasks such as data classification.
  • AI is an abbreviation for artificial intelligence.
  • In order to perform data analysis using a neural network it is necessary to train an inference model using a large amount of training data in advance. At this time, it may be difficult for the user to construct an inference model in his or her own environment due to difficulties in preparing learning data and constraints on computational resources.
  • MLaaS provides data analysis using neural networks on the cloud.
  • This service allows clients to perform inference using the provided inference model by uploading the data they wish to analyze to the cloud. Therefore, the client does not need to spend any cost on building an inference model.
  • MLaaS is an abbreviation for Machine Learning as a Service.
  • MLaaS when a client sends the data it wants to analyze to an inference model provider and outsources inference processing, the service provider informs the client that the inference results are actually the results of analysis performed using the inference model. It is necessary to prove that there is.
  • the simplest solution is for the service provider to publish the inference model itself.
  • the inference model is the intellectual property of the service provider, it is difficult to disclose the inference model to the client.
  • Non-Patent Document 1 proposes a method that uses zero-knowledge proof to prove that inference processing using an inference model has actually been executed. With this method, the service provider can prove to the client that the inference result was obtained through analytical processing using the inference model.
  • zkCNN Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy. Tianyi Liu, Xiang Xie, and Yupeng Zhang. 2021.
  • Non-Patent Document 1 can only handle integer values as parameters of the inference model due to the restrictions of the zero-knowledge proof protocol used.
  • the present disclosure aims to enable verification of inference models with decimal parameters.
  • the inference verification system of the present disclosure includes: an inference unit that expresses a decimal value, which is data to be subjected to inference processing, as an integer value, treats the integer value as a parameter of a convolutional neural network, executes an inference model, and obtains an inference result; a proof section that receives the inference result as input and executes a proof generation algorithm to obtain a proof; a verification unit that receives the proof as input and executes a verification algorithm to obtain a verification result; Equipped with.
  • FIG. 1 is a configuration diagram of an inference verification system 100 in Embodiment 1.
  • FIG. FIG. 2 is a configuration diagram of a parameter generation device 200 in the first embodiment.
  • FIG. 3 is a configuration diagram of a key generation device 300 in Embodiment 1.
  • FIG. 4 is a configuration diagram of an inference device 400 in Embodiment 1.
  • FIG. 5 is a configuration diagram of a proving device 500 in Embodiment 1.
  • FIG. 6 is a configuration diagram of a verification device 600 in the first embodiment.
  • 5 is a flowchart of the inference verification method (parameter generation) in the first embodiment.
  • 2 is a flowchart of an inference verification method (key generation) in Embodiment 1.
  • 5 is a flowchart of the inference verification method (inference) in the first embodiment.
  • FIG. 5 is a flowchart of the inference verification method (proof) in the first embodiment.
  • 2 is a flowchart of an inference verification method (verification) in Embodiment 1.
  • FIG. 2 is a hardware configuration diagram of a parameter generation device 200 in the first embodiment.
  • 1 is a hardware configuration diagram of a key generation device 300 in Embodiment 1.
  • FIG. 4 is a hardware configuration diagram of an inference device 400 in Embodiment 1.
  • FIG. 5 is a hardware configuration diagram of a proving device 500 in the first embodiment.
  • FIG. 6 is a hardware configuration diagram of a verification device 600 in the first embodiment.
  • Embodiment 1 The inference verification system 100 will be explained based on FIGS. 1 to 16.
  • the inference verification system 100 is a system that can verify inference processing.
  • the inference verification system 100 includes devices such as a parameter generation device 200, a key generation device 300, an inference device 400, a proof device 500, and a verification device 600. These devices communicate with each other via a network.
  • a network A specific example of a network is the Internet.
  • the configuration of the parameter generation device 200 will be explained based on FIG. 2.
  • the parameter generation device 200 is a computer that includes hardware such as a processor 201, a memory 202, an auxiliary storage device 203, a communication device 204, and an input/output interface 205. These pieces of hardware are connected to each other via signal lines.
  • Processor 201 is a processor of parameter generation device 200.
  • a processor is an IC that performs arithmetic processing and controls other hardware.
  • the processor is a CPU.
  • IC is an abbreviation for Integrated Circuit.
  • CPU is an abbreviation for Central Processing Unit.
  • Memory 202 is a memory of parameter generation device 200.
  • Memory is a storage device that can be volatile or non-volatile. Memory is also called main storage or main memory.
  • the memory is RAM.
  • the data stored in memory 202 is stored in auxiliary storage device 203 as needed.
  • RAM is an abbreviation for Random Access Memory.
  • Auxiliary storage device 203 is an auxiliary storage device of parameter generation device 200.
  • the auxiliary storage device is a non-volatile storage device.
  • the auxiliary storage device is ROM, HDD, flash memory, or a combination thereof. Data stored in auxiliary storage device 203 is loaded into memory 202 as needed.
  • ROM is an abbreviation for Read Only Memory.
  • HDD is an abbreviation for Hard Disk Drive.
  • the communication device 204 is a communication device of the parameter generation device 200.
  • Communication devices are receivers and transmitters.
  • the communication device is a communication chip or NIC.
  • Communication between the parameter generation device 200 is performed using a communication device 204.
  • NIC is an abbreviation for Network Interface Card.
  • the input/output interface 205 is an input/output interface of the parameter generation device 200.
  • An input/output interface is a port to which input devices and output devices are connected.
  • the input/output interface is a USB terminal
  • the input device is a keyboard and mouse
  • the output device is a display.
  • Input/output of the parameter generation device 200 is performed using an input/output interface 205.
  • USB is an abbreviation for Universal Serial Bus.
  • the parameter generation device 200 includes elements such as a reception section 210, a generation section 220, and an output section 230. These elements are implemented in software.
  • the auxiliary storage device 203 stores a parameter generation program for causing the computer to function as a reception section 210, a generation section 220, and an output section 230.
  • the parameter generation program is loaded into memory 202 and executed by processor 201.
  • the auxiliary storage device 203 further stores an OS. At least a portion of the OS is loaded into memory and executed by the processor.
  • the processor 201 executes the parameter generation program while executing the OS.
  • OS is an abbreviation for Operating System.
  • Input/output data of the parameter generation program is stored in the storage unit 290.
  • Memory 202 functions as storage section 290.
  • storage devices such as the auxiliary storage device 203, a register in the processor 201, and a cache memory in the processor 201 may function as the storage unit 290 instead of the memory 202 or together with the memory 202.
  • the parameter generation device 200 may include a plurality of processors that replace the processor 201.
  • the configuration of the key generation device 300 will be explained based on FIG. 3.
  • the key generation device 300 is a computer that includes hardware such as a processor 301, a memory 302, an auxiliary storage device 303, a communication device 304, and an input/output interface 305. These pieces of hardware are connected to each other via signal lines.
  • Processor 301 is a processor of key generation device 300.
  • Memory 302 is a memory of key generation device 300.
  • Auxiliary storage device 303 is an auxiliary storage device of key generation device 300.
  • the communication device 304 is a communication device of the key generation device 300.
  • the input/output interface 305 is an input/output interface of the key generation device 300.
  • the key generation device 300 includes elements such as a reception section 310, a generation section 320, and an output section 330. These elements are implemented in software.
  • the auxiliary storage device 303 stores a key generation program for causing the computer to function as a reception section 310, a generation section 320, and an output section 330.
  • the key generation program is loaded into memory 302 and executed by processor 301.
  • the key generation device 300 further stores an OS.
  • the processor 301 executes the key generation program while executing the OS.
  • Input/output data of the key generation program is stored in the storage unit 390.
  • Memory 302 functions as storage section 390.
  • storage devices such as the auxiliary storage device 303, a register in the processor 301, and a cache memory in the processor 301 may function as the storage unit 390 instead of the memory 302 or together with the memory 302.
  • the key generation device 300 may include a plurality of processors that replace the processor 301.
  • the configuration of the inference device 400 will be explained based on FIG. 4.
  • the inference device 400 is a computer that includes hardware such as a processor 401, a memory 402, an auxiliary storage device 403, a communication device 404, and an input/output interface 405. These pieces of hardware are connected to each other via signal lines.
  • Processor 401 is a processor of inference device 400.
  • Memory 402 is a memory of inference device 400.
  • Auxiliary storage device 403 is an auxiliary storage device of inference device 400.
  • the communication device 404 is a communication device of the inference device 400.
  • the input/output interface 405 is an input/output interface of the inference device 400.
  • the inference device 400 includes elements such as a reception section 410, an inference section 420, and an output section 430. These elements are implemented in software.
  • the auxiliary storage device 403 stores an inference program for causing the computer to function as a reception section 410, an inference section 420, and an output section 430.
  • the inference program is loaded into memory 402 and executed by processor 401.
  • the inference device 400 further stores an OS.
  • the processor 401 executes the inference program while executing the OS.
  • Input/output data of the inference program is stored in the storage unit 490.
  • Memory 402 functions as storage section 490.
  • storage devices such as the auxiliary storage device 403, a register in the processor 401, and a cache memory in the processor 401 may function as the storage unit 490 instead of the memory 402 or together with the memory 402.
  • the inference device 400 may include a plurality of processors that replace the processor 401.
  • the configuration of the proving device 500 will be explained based on FIG. 5.
  • the proving device 500 is a computer that includes hardware such as a processor 501, a memory 502, an auxiliary storage device 503, a communication device 504, and an input/output interface 505. These pieces of hardware are connected to each other via signal lines.
  • Processor 501 is a processor of proving device 500.
  • Memory 502 is the memory of proving device 500.
  • Auxiliary storage device 503 is an auxiliary storage device of proving device 500.
  • the communication device 504 is a communication device of the certification device 500.
  • the input/output interface 505 is an input/output interface of the certification device 500.
  • the certification device 500 includes elements such as a reception section 510, a storage section 520, a certification section 530, and an output section 540.
  • the storage unit 520 includes a key storage unit 521 and an inference result storage unit 522. These elements are implemented in software.
  • the auxiliary storage device 503 stores a certification program for making the computer function as a reception section 510, a storage section 520, a certification section 530, and an output section 540.
  • the proof program is loaded into memory 502 and executed by processor 501.
  • the certification device 500 further stores an OS.
  • Processor 501 executes the certification program while executing the OS.
  • the input/output data of the proof program is stored in the storage section 590.
  • Memory 502 functions as a storage unit 590.
  • storage devices such as the auxiliary storage device 503, a register in the processor 501, and a cache memory in the processor 501 may function as the storage unit 590 instead of the memory 502 or together with the memory 502.
  • the certification device 500 may include a plurality of processors that replace the processor 501.
  • the configuration of the verification device 600 will be explained based on FIG. 6.
  • the verification device 600 is a computer that includes hardware such as a processor 601, a memory 602, an auxiliary storage device 603, a communication device 604, and an input/output interface 605. These pieces of hardware are connected to each other via signal lines.
  • Processor 601 is a processor of verification device 600.
  • Memory 602 is a memory of verification device 600.
  • Auxiliary storage device 603 is an auxiliary storage device of verification device 600.
  • the communication device 604 is a communication device of the verification device 600.
  • the input/output interface 605 is an input/output interface of the verification device 600.
  • the verification device 600 includes elements such as a reception section 610, a storage section 620, a verification section 630, and an output section 640.
  • the storage unit 620 includes a key storage unit 621 and a certificate storage unit 622. These elements are implemented in software.
  • the auxiliary storage device 603 stores verification programs for causing the computer to function as a reception section 610, a storage section 620, a verification section 630, and an output section 640.
  • the verification program is loaded into memory 602 and executed by processor 601.
  • Verification device 600 further stores an OS.
  • the processor 601 executes the verification program while executing the OS.
  • Input/output data of the verification program is stored in storage section 690.
  • Memory 602 functions as a storage unit 690.
  • storage devices such as the auxiliary storage device 603, a register in the processor 601, and a cache memory in the processor 601 may function as the storage unit 690 instead of the memory 602 or together with the memory 602.
  • the verification device 600 may include a plurality of processors that replace the processor 601.
  • the operation procedure of the inference verification system 100 corresponds to an inference verification method. Further, the operation procedure of the inference verification system 100 corresponds to the processing procedure by the inference verification program.
  • the inference verification program includes a parameter generation program, a key generation program, an inference program, a proof program, and a verification program. Each parameter generation program can be recorded (stored) in a computer-readable manner on a non-volatile recording medium such as an optical disk or a flash memory.
  • step S210 the accepting unit 210 accepts the parameters ( ⁇ , D) input to the parameter generating device 200.
  • the parameters ( ⁇ , D) are input into the parameter generation device 200 by the administrator.
  • step S220 the generation unit 220 executes the setup algorithm using the parameters ( ⁇ , D) as input. As a result, public parameters pp are generated.
  • the setup algorithm is an algorithm for generating public parameters pp.
  • the setup algorithm (Setup) is expressed as follows.
  • step S230 the output unit 230 outputs the public parameter pp. Specifically, the output unit 230 transmits the public parameter pp to the key generation device 300.
  • step S310 the reception unit 310 receives the public parameter pp input to the key generation device 300. Specifically, the reception unit 310 receives the public parameters pp from the parameter generation device 200.
  • step S320 the generation unit 320 executes a key generation algorithm using the public parameter pp as input. As a result, a public key pk and a private key sk are generated.
  • the key generation algorithm is an algorithm for generating a public key pk and a private key sk.
  • the key generation algorithm (Kg) is expressed as follows.
  • step S330 the output unit 330 outputs the public key pk and the private key sk. Specifically, the output unit 330 transmits the public key pk and the private key sk to the certification device 500. Furthermore, the output unit 330 transmits the public key pk to the verification device 600.
  • step S410 the accepting unit 410 accepts parameters (M, x) input to the inference device 400.
  • the inference model M is input to the inference device 400 by a provider of the inference model M.
  • data x is sent to the inference device 400 by the client.
  • the inference model M is a model for inference processing.
  • Data x is data to be subjected to inference processing.
  • step S420 the inference unit 420 inputs the inference model M and data x and executes an inference processing algorithm. As a result, inference result c is generated.
  • the inference processing algorithm is an algorithm for generating the inference result c.
  • the inference processing algorithm (Classify) is expressed as follows.
  • CNN is a convolutional neural network implemented by an inference model M.
  • step S430 the output unit 430 outputs the inference result c. Specifically, the output unit 430 transmits the inference result c to the proving device 500.
  • step S510 the accepting unit 510 accepts the public key pk, private key sk, and inference result c. Specifically, reception unit 510 receives public key pk and private key sk from key generation device 300. Further, the reception unit 510 receives the inference result c from the inference device 400.
  • step S520 the key storage unit 521 stores the public key pk and private key sk. Further, the inference result storage unit 522 stores the inference result c. For example, the public key pk, private key sk, and inference result c are stored in the auxiliary storage device 503.
  • step S530 the proving unit 530 inputs the public key pk, private key sk, and inference result c and executes a proof generation algorithm. As a result, proof P is generated.
  • the proof generation algorithm is an algorithm for generating proof P.
  • An example of the proof generation algorithm (Prove) will be described below.
  • the inference result c is expressed as follows.
  • c i is the calculation result of the i-th layer of CNN.
  • c c 1 ,...,c n
  • Prove i is an algorithm for generating proof P i for calculation result c i .
  • the proof generation algorithm (Prove) is expressed as follows.
  • the types of Prove i are as follows.
  • P a When the i-th layer of the CNN is a ReLU activation layer, the type of Prove i is Prove ReLU .
  • P b When the i-th layer of the CNN is an Affine layer, the type of Prove i is Prove Affine .
  • P c When the i-th layer of CNN is a convolutional layer, the type of Prove i is Prove Conv .
  • P d When the i-th layer of the CNN is the Average Pooling layer, the type of Prove i is Prove AP .
  • Prove i Prove MP .
  • P f When the i-th layer of the CNN is a Soft Max layer, the type of Prove i is Prove SoftMax .
  • step S540 the output unit 540 outputs proof P. Specifically, the output unit 540 transmits the proof P to the verification device 600.
  • step S610 the accepting unit 610 accepts the public key pk and the certificate P. Specifically, reception unit 610 receives public key pk from key generation device 300. Further, the receiving unit 610 receives the proof P from the proving device 500.
  • step S620 the key storage unit 621 stores the public key pk. Further, the certificate storage unit 622 stores the certificate P. For example, public key pk and certificate P are stored in auxiliary storage device 603.
  • step S630 the verification unit 630 inputs the public key pk and proof P and executes the verification algorithm. As a result, a verification result V is generated.
  • the verification algorithm is an algorithm for generating the verification result V.
  • An example of the verification algorithm (Verify) will be described below.
  • Verify i is an algorithm for verifying proof P i .
  • the verification algorithm (Verify) is expressed as follows.
  • the types of Verify i are as follows.
  • V a When the i-th layer of the CNN is a ReLU activation layer, the type of Verify i is Verify ReLU .
  • V b When the i-th layer of the CNN is an Affine layer, the type of Verify i is Verify Affine .
  • V c When the i-th layer of CNN is a convolutional layer, the type of Verify i is Verify Conv .
  • V d When the i-th layer of CNN is the Average Pooling layer, the type of Verify i is Verify AP .
  • V e When the i-th layer of the CNN is a Max Pooling layer, the type of Verify i is Verify MP .
  • V f When the i-th layer of the CNN is a SoftMax layer, the type of Verify i is Verify SoftMax .
  • Verify i V a to V f .
  • step S640 the output unit 640 outputs the verification result V.
  • the output unit 640 displays the verification result V on the display.
  • the Schnorr protocol includes a proof generation algorithm Prove Schnorr and a verification algorithm Verify Schnorr .
  • the Schnorr protocol for multiple indices is obtained by (1) generalizing the Schnorr protocol.
  • g 1 , . . . , g n are the generators of G.
  • equation (2A) holds true for x 1 ⁇ Z p , . . . , x n ⁇ Z p .
  • the Schnorr protocol for multiple indexes allows the prover to calculate (x 1 , ..., x n ) in equation (2A) without giving any information about (x 1 , ..., x n ) to the verifier.
  • This is a protocol to prove that you know the The Schnorr protocol for multiple indices is composed of a proof creation algorithm Prove MultiSchnorr and a verification algorithm Verify MultiSchnorr .
  • the generalized Schnorr protocol will be explained.
  • the generalized Schnorr protocol is obtained by (2) generalizing the Schnorr protocol for multiple indices.
  • g 1,1 ,..., g 1,n , g 2,1 ,..., g m,n are mn generators of G.
  • equation (3A) holds for x 1 ⁇ Z p , . . . , x n ⁇ Z p .
  • the prover calculates (x 1 , ..., x n ) in equation (3A) without giving any information about (x 1 , ..., x n ) to the verifier.
  • This is a protocol for proving what you know.
  • the generalized Schnorr protocol includes a proof generation algorithm Prove GenSchnorr and a verification algorithm Verify GenSchnorr .
  • Verify GenSchnorr outputs true or false.
  • the OR Proof protocol is composed of a proof creation algorithm Prove OR and a verification algorithm Verify OR .
  • the nOR Proof protocol will be explained.
  • the nOR Proof protocol is obtained by generalizing the (4) OR Proof protocol.
  • g 1,1 ,..., g 1,n , g 2,1 ,..., g m,n are mn generators of G.
  • the nOR Proof protocol is composed of a proof creation algorithm Proven OR and a verification algorithm Verify OR .
  • Proven OR calculates three expressions, s(j), C(j), and R(j), for all j ⁇ [n] ⁇ i ⁇ and outputs a proof P.
  • the fixed point representation of the decimal number x is expressed as an integer ⁇ X>.
  • the Range Proofs protocol will be explained. "g” and “h” are the generators of G. "t” is an integer.
  • the Range Proofs protocol is a protocol for a prover to prove that an integer t is an integer greater than or equal to 0 and less than 2 m , without providing information regarding the integer t to the verifier.
  • the Range Proofs protocol is composed of a proof creation algorithm Prove Range and a verification algorithm Verify Range .
  • Prove Range calculates the binary representation of t.
  • Prove Range calculates proof P for the following four equations using (3) Prove GenSchnorr in the generalized Schnorr protocol.
  • Verify Range outputs the verification result V.
  • the Multiplication Proofs protocol is composed of a proof creation algorithm Prove Mult and a verification algorithm Verify Mult .
  • Prove Mult uses (3) Generalized Schnorr protocol and (7) Range Proofs protocol to calculate proofs P for the following nine equations.
  • Verify Mult outputs the verification result V.
  • the ReLU layer protocol will be explained.
  • the ReLU function is a function used in the activation layer of the convolutional neural network.
  • the ReLU Layer protocol is composed of (P a ) a proof generation algorithm Prove ReLU and (V a ) a verification algorithm Verify ReLU .
  • Prove ReLU calculates proof P for the following equation using (4) OR proof protocol, (7) Range Proof protocol, and (8) Multiplication Proofs protocol.
  • Verify ReLU outputs a verification result V.
  • the Affine Layer protocol will be explained.
  • This is a protocol for a prover to prove.
  • A, b, x, y are as follows.
  • the Affine Layer Protocol is composed of (P b ) a proof generation algorithm Prove Affine and (V b ) a verification algorithm Verify Affine .
  • Prove Affine calculates the proof P for the following equation using (3) Generalized Shnorr protocol, (7) Range Proofs protocol, and (8) Multiplication Proofs protocol.
  • Conv is an operation performed on input data x in the convolution layer of the convolutional neural network.
  • the Convolution Layer protocol is composed of (P c ) a proof generation algorithm Prove Conv and (V c ) a verification algorithm Verify Conv .
  • (a i,j ) is the weight parameter of Conv.
  • the proof P and the verification result V can be generated using a method similar to (10) The Affine Layer protocol.
  • AP is an operation performed on input data x in the Average Pooling layer of the convolutional neural network.
  • the Average Pooling Layer protocol is composed of (P d ) a proof generation algorithm Prove AP and (V d ) a verification algorithm Verify AP . The following relationship holds true for y and x. “l” is the row and column size and stride in the AP filter.
  • y can be expressed in the form of a linear transformation of x. Therefore, the proof P and the verification result V can be generated using a method similar to (10) The Affine Layer protocol.
  • This is a protocol for proving MP is an operation performed on input data x in the Max Pooling layer of the convolutional neural network.
  • the Max Pooling Layer protocol is composed of (P e ) a proof generation algorithm Prove MP and (V e ) a verification algorithm Verify MP .
  • "k" is the row and column size and stride in the MP filter.
  • Prove MP performs the following calculation for all (i, j) ⁇ [m] ⁇ [m].
  • Prove MP uses (7) Range Proofs protocol and nOR Proof protocol to calculate proof P for the following equation.
  • Verify MP generates a verification result V using Verify nOR .
  • c 0 to c 8 are as follows.
  • x 0 '[i] is the i-th bit of x 0 '.
  • the SoftMax Layer protocol is composed of (P f ) a proof generation algorithm Prove SoftMax and (V f ) a verification algorithm Verify SoftMax .
  • Prove SoftMax uses Prove exp and Prove Mult to calculate the proof P for the following equation.
  • Verify SoftMax outputs a verification result V.
  • Embodiment 1 has the following features.
  • model parameters of an inference model are converted into integer values, and the inference model is verified.
  • the algorithm of the zero-knowledge proof protocol for each layer is a feature of the first embodiment.
  • the inference model verification method is realized by combining the conversion of weight parameters (model parameters) into integer values and a zero-knowledge proof protocol.
  • the inference device (400) expresses a decimal value, which is data (x) to be inferred, as an integer value, treats the integer value as a parameter of a convolutional neural network, and executes an inference model (M) to perform inference.
  • the proving device (500) receives the inference result and executes a proof generation algorithm to obtain a proof (P).
  • the verification device (600) receives the proof and executes a verification algorithm to obtain a verification result (V).
  • the inference result includes calculation results of each layer of the convolutional neural network.
  • the proof device For each layer of the convolutional neural network, the proof device (500) inputs the calculation results of the layer and executes the proof generation algorithm of the protocol according to the type of the layer.
  • the proof includes execution results of the proof generation algorithm for each layer of the convolutional neural network.
  • the verification device 600) inputs the execution results of each layer of the convolutional neural network and executes the verification algorithm of the protocol according to the type of the layer.
  • the verification result includes an execution result of the verification algorithm for each layer of the convolutional neural network.
  • Embodiment 1 realizes a zero-knowledge proof protocol that can handle decimal parameters by displaying fixed-point representations of decimal numbers as integer values. This makes it possible to verify an inference model with a decimal number of parameters.
  • Embodiment 1 has the following effects, for example.
  • Data is analyzed by a third party.
  • the third party is a person who provides an inference service using a machine learning model.
  • Embodiment 1 proves, without disclosing information about the inference model, that the inference result of analyzed data is actually obtained by inference of data using a machine learning model. be able to.
  • Embodiment 1 uses a zero-knowledge proof that uses the difficulty of the discrete logarithm problem by displaying fixed-point representations of decimals as integer values. This realizes a zero-knowledge proof protocol that can handle a small number of parameters. Then, it becomes possible to verify an inference model for which the parameters are decimal numbers.
  • the parameter generation device 200, the key generation device 300, the inference device 400, and the proof device 500 may be combined with each other. That is, the inference verification system 100 may include one or more computers that function as the parameter generation device 200, the key generation device 300, the inference device 400, and the proof device 500.
  • the generation unit 220 of the parameter generation device 200 may have a random number generation function or the like in order to generate the public parameters pp.
  • the generation unit 320 of the key generation device 300 may have a random number generation function or the like in order to generate the public key pk and the private key sk.
  • the parameter generation device 200 includes a processing circuit 209.
  • the processing circuit 209 is a processing circuit that implements the reception section 210, the generation section 220, and the output section 230.
  • the processing circuit may be dedicated hardware or a processor that executes a program stored in memory. If the processing circuit is dedicated hardware, the processing circuit is, for example, a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, an ASIC, an FPGA, or a combination thereof.
  • ASIC is an abbreviation for Application Specific Integrated Circuit.
  • FPGA is an abbreviation for Field Programmable Gate Array.
  • the parameter generation device 200 may include a plurality of processing circuits that replace the processing circuit 209.
  • processing circuit 209 some functions may be realized by dedicated hardware, and the remaining functions may be realized by software or firmware.
  • the functions of the parameter generation device 200 can be realized by hardware, software, firmware, or a combination thereof.
  • the hardware configuration of the key generation device 300 will be explained based on FIG. 13.
  • the key generation device 300 includes a processing circuit 309.
  • the processing circuit 309 is a processing circuit that implements the reception section 310, the generation section 320, and the output section 330.
  • the key generation device 300 may include a plurality of processing circuits that replace the processing circuit 309.
  • processing circuit 309 some functions may be realized by dedicated hardware, and the remaining functions may be realized by software or firmware.
  • the functions of the key generation device 300 can be realized by hardware, software, firmware, or a combination thereof.
  • the inference device 400 includes a processing circuit 409 .
  • the processing circuit 409 is a processing circuit that implements the reception section 410, the inference section 420, and the output section 430.
  • the inference device 400 may include a plurality of processing circuits that replace the processing circuit 409.
  • processing circuit 409 some functions may be realized by dedicated hardware, and the remaining functions may be realized by software or firmware.
  • the functions of the inference device 400 can be realized by hardware, software, firmware, or a combination thereof.
  • the hardware configuration of the proving device 500 will be explained based on FIG. 15.
  • the proving device 500 includes a processing circuit 509.
  • the processing circuit 509 is a processing circuit that implements the receiving section 510, the storage section 520, the proving section 530, and the output section 540.
  • the proving device 500 may include a plurality of processing circuits that replace the processing circuit 509.
  • processing circuit 509 some functions may be realized by dedicated hardware, and the remaining functions may be realized by software or firmware.
  • the functions of the certification device 500 can be realized by hardware, software, firmware, or a combination thereof.
  • Verification device 600 includes a processing circuit 609.
  • the processing circuit 609 is a processing circuit that implements the reception section 610, the storage section 620, the verification section 630, and the output section 640.
  • the verification device 600 may include a plurality of processing circuits that replace the processing circuit 609.
  • processing circuit 609 some functions may be realized by dedicated hardware, and the remaining functions may be realized by software or firmware.
  • the functions of the verification device 600 can be realized by hardware, software, firmware, or a combination thereof.
  • Embodiment 1 is an illustration of a preferred embodiment and is not intended to limit the technical scope of the present disclosure. Embodiment 1 may be implemented partially or in combination with other embodiments. The procedures described using flowcharts and the like may be modified as appropriate.
  • the "unit" of each element of the inference verification system 100 may be read as “process”, “process”, “circuit”, or “circuitry”.
  • 100 inference verification system 200 parameter generation device, 201 processor, 202 memory, 203 auxiliary storage device, 204 communication device, 205 input/output interface, 209 processing circuit, 210 reception section, 220 generation section, 230 output section, 290 storage section, 300 key generation device, 301 processor, 302 memory, 303 auxiliary storage device, 304 communication device, 305 input/output interface, 309 processing circuit, 310 reception unit, 320 generation unit, 330 output unit, 390 storage unit, 400 inference device, 401 Processor, 402 Memory, 403 Auxiliary storage device, 404 Communication device, 405 Input/output interface, 409 Processing circuit, 410 Reception unit, 420 Reasoning unit, 430 Output unit, 490 Storage unit, 500 Proving device, 501 Processor, 502 Memory, 503 Auxiliary storage device, 504 communication device, 505 input/output interface, 509 processing circuit, 510 reception unit, 520 storage unit, 521 key storage unit, 522 inference result storage unit, 530 proof

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Molecular Biology (AREA)
  • Artificial Intelligence (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)
  • Communication Control (AREA)
PCT/JP2022/026498 2022-07-01 2022-07-01 推論検証システムおよび推論検証方法 Ceased WO2024004212A1 (ja)

Priority Applications (5)

Application Number Priority Date Filing Date Title
PCT/JP2022/026498 WO2024004212A1 (ja) 2022-07-01 2022-07-01 推論検証システムおよび推論検証方法
DE112022007141.9T DE112022007141T5 (de) 2022-07-01 2022-07-01 Inferenzverifizierungssystem und inferenzverifizierungsverfahren
JP2024519956A JP7493697B1 (ja) 2022-07-01 2022-07-01 推論検証システムおよび推論検証方法
CN202280097511.2A CN119452366A (zh) 2022-07-01 2022-07-01 推断验证系统和推断验证方法
US18/966,341 US20250094783A1 (en) 2022-07-01 2024-12-03 Inference verification system and inference verification method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/026498 WO2024004212A1 (ja) 2022-07-01 2022-07-01 推論検証システムおよび推論検証方法

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/966,341 Continuation US20250094783A1 (en) 2022-07-01 2024-12-03 Inference verification system and inference verification method

Publications (1)

Publication Number Publication Date
WO2024004212A1 true WO2024004212A1 (ja) 2024-01-04

Family

ID=89381821

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/026498 Ceased WO2024004212A1 (ja) 2022-07-01 2022-07-01 推論検証システムおよび推論検証方法

Country Status (5)

Country Link
US (1) US20250094783A1 (https=)
JP (1) JP7493697B1 (https=)
CN (1) CN119452366A (https=)
DE (1) DE112022007141T5 (https=)
WO (1) WO2024004212A1 (https=)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118114208A (zh) * 2024-01-16 2024-05-31 深圳市华汇数据服务有限公司 一种神经网络输出结果产权证明方法、系统和装置

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210406436A1 (en) * 2020-06-30 2021-12-30 Iucf-Hyu (Industry-University Cooperation Foundation Hanyang University) Method for verifying convolutional neural network model and device thereof

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210406436A1 (en) * 2020-06-30 2021-12-30 Iucf-Hyu (Industry-University Cooperation Foundation Hanyang University) Method for verifying convolutional neural network model and device thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
FENG BOYUAN, QIN LIANKE, ZHANG ZHENFEI, DING YUFEI, CHU SHUMO: "ZEN: An Optimizing Compiler for Verifiable, Zero-Knowledge Neural Network Inferences", CRYPTOLOGY EPRINT ARCHIVE, PAPER 2021/087, 1 January 2021 (2021-01-01), XP093122101, Retrieved from the Internet <URL:https://eprint.iacr.org/2021/087> *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118114208A (zh) * 2024-01-16 2024-05-31 深圳市华汇数据服务有限公司 一种神经网络输出结果产权证明方法、系统和装置
CN118114208B (zh) * 2024-01-16 2025-02-11 深圳市华汇数据服务有限公司 一种神经网络输出结果产权证明方法、系统和装置

Also Published As

Publication number Publication date
JPWO2024004212A1 (https=) 2024-01-04
CN119452366A (zh) 2025-02-14
JP7493697B1 (ja) 2024-05-31
DE112022007141T5 (de) 2025-02-27
US20250094783A1 (en) 2025-03-20

Similar Documents

Publication Publication Date Title
Liu et al. Zkcnn: Zero knowledge proofs for convolutional neural network predictions and accuracy
EP3903247B1 (en) Method, apparatus and system for secure vertical federated learning
CN108664221B (zh) 一种数据持有证明方法、装置及可读存储介质
JP5488596B2 (ja) 署名装置、署名検証装置、匿名認証システム、署名方法、署名認証方法およびそれらのプログラム
CN111989893A (zh) 证明链和分解
Liu et al. Privacy-preserving collaborative analytics on medical time series data
Sheybani et al. Zero-knowledge proof frameworks: A systematic survey
JP2023147234A (ja) 寄与度の評価方法、装置及び記憶媒体
CN113517986B (zh) 基于量子行走的身份认证方法及相关设备
JP4818663B2 (ja) 同種写像ベースの署名の生成および検証のためのシステムおよび方法
US20250094783A1 (en) Inference verification system and inference verification method
CN109120606B (zh) 一种具有隐私保护的特征属性的处理方法及装置
Juaristi et al. Benchmarking post-quantum cryptography in Ethereum-based blockchains
Riasi et al. Privacy-preserving verifiable neural network inference service
JP6777816B2 (ja) 秘密改ざん検知システム、秘密改ざん検知装置、秘密改ざん検知方法、およびプログラム
CN112989044B (zh) 文本分类方法、装置、设备及存储介质
Sathe et al. State of the art in zero-knowledge machine learning: A comprehensive survey
US10333697B2 (en) Nondecreasing sequence determining device, method and program
US12457118B1 (en) Verification of quantum randomness using classical hardware with one round of communication
JP6367959B2 (ja) 部分文字列位置検出装置、部分文字列位置検出方法及びプログラム
Huang et al. Predicting adaptively chosen observables in quantum systems
Mao et al. Q-gen: A parameterized quantum circuit generator
CN109241411A (zh) 推荐信息生成方法和装置,存储介质和电子设备
CN116318725A (zh) 零知识范围证明方法、装置、终端设备及计算机存储介质
Xie et al. Flexible blind quantum computation with unnecessarily universal quantum servers

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22949485

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2024519956

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 202280097511.2

Country of ref document: CN

WWE Wipo information: entry into national phase

Ref document number: 112022007141

Country of ref document: DE

WWP Wipo information: published in national office

Ref document number: 202280097511.2

Country of ref document: CN

WWP Wipo information: published in national office

Ref document number: 112022007141

Country of ref document: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22949485

Country of ref document: EP

Kind code of ref document: A1