
Privacy-Preserving Machine Learning with Fully Homomorphic Encryption for Deep Neural Network (2106.07229v1)

Published 14 Jun 2021 in cs.LG and cs.CR

Abstract: Fully homomorphic encryption (FHE) is one of the prospective tools for privacy-preserving machine learning (PPML), and several PPML models have been proposed based on various FHE schemes and approaches. Although the FHE schemes are known as suitable tools to implement PPML models, previous PPML models on FHE encrypted data are limited to only simple and non-standard types of machine learning models. These non-standard machine learning models are not proven efficient and accurate with more practical and advanced datasets. Previous PPML schemes replace non-arithmetic activation functions with simple arithmetic functions instead of adopting approximation methods and do not use bootstrapping, which enables continuous homomorphic evaluations. Thus, they could not use standard activation functions and could not employ a large number of layers. The maximum classification accuracy of the existing PPML model with the FHE for the CIFAR-10 dataset was only 77% until now. In this work, we firstly implement the standard ResNet-20 model with the RNS-CKKS FHE with bootstrapping and verify the implemented model with the CIFAR-10 dataset and the plaintext model parameters. Instead of replacing the non-arithmetic functions with the simple arithmetic function, we use state-of-the-art approximation methods to evaluate these non-arithmetic functions, such as the ReLU, with sufficient precision [1]. Further, for the first time, we use the bootstrapping technique of the RNS-CKKS scheme in the proposed model, which enables us to evaluate a deep learning model on the encrypted data. We numerically verify that the proposed model with the CIFAR-10 dataset shows 98.67% identical results to the original ResNet-20 model with non-encrypted data. The classification accuracy of the proposed model is 90.67%, which is pretty close to that of the original ResNet-20 CNN model...

Citations (213)

Summary

  • The paper implements the standard ResNet-20 deep learning model using RNS-CKKS Fully Homomorphic Encryption with bootstrapping, achieving 90.67% accuracy on encrypted CIFAR-10 data.
  • The study successfully integrates RNS-CKKS bootstrapping and advanced approximation methods, enabling homomorphic evaluation for deeper networks and complex functions like ReLU and Softmax.
  • This work demonstrates the feasibility of high-accuracy privacy-preserving AI for sensitive data using FHE, highlighting the significant remaining challenge of improving operational speed for practical real-time applications.

Privacy-Preserving Machine Learning with Fully Homomorphic Encryption

The work titled "Privacy-Preserving Machine Learning with Fully Homomorphic Encryption for Deep Neural Network" by Joon-Woo Lee et al. addresses the significant challenge of integrating Fully Homomorphic Encryption (FHE) with deep learning models for privacy-preserving machine learning (PPML). The paper focuses on applying FHE to advanced machine learning models so that they can operate on encrypted data without compromising the privacy of that data.

The research particularly explores the use of the RNS-CKKS FHE scheme in the implementation of a standard deep learning model, ResNet-20, for the CIFAR-10 dataset. This approach contrasts with previous models that relied on non-standard machine learning models limited in efficiency and accuracy when applied to advanced datasets. Moreover, earlier models often replaced complex activation functions with simpler ones and avoided the use of FHE bootstrapping, thus limiting the model depth and performance.

Key Contributions

  1. Implementation of Standard Models: The paper successfully implements the ResNet-20 model using the RNS-CKKS scheme with bootstrapping, achieving a classification accuracy of 90.67% on the CIFAR-10 dataset. This performance closely approaches the 91.89% accuracy of the original, non-encrypted ResNet-20 model.
  2. Utilization of State-of-the-Art Approximation Methods: The authors employ advanced approximation techniques for evaluating non-arithmetic functions, such as the ReLU activation function, with sufficient precision, which is critical given the limitations of FHE in directly performing these operations.
  3. Integration and Use of Bootstrapping: For the first time, the RNS-CKKS bootstrapping is employed in this context, enabling the evaluation of deeper neural networks on encrypted data. This technique is a pivotal advancement that supports continuous homomorphic evaluations necessary for complex models.
  4. Softmax Function Evaluation: The paper addresses the security concerns related to model extraction attacks by implementing the softmax function homomorphically within the FHE framework. This development prevents the extraction of model information by clients and maintains succinct communication.
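Contributions 2 and 3 are linked: an FHE scheme such as RNS-CKKS evaluates only additions and multiplications, so ReLU has to be replaced by a polynomial, and a more precise polynomial consumes more multiplicative depth, which is what bootstrapping replenishes. The following added example (not code from the paper) shows that trade-off on plaintext floats, using the simple iterated polynomial (3x - x^3)/2 as an assumed stand-in for the paper's approximation method from its reference [1]; all function names and the depth count (ciphertext-ciphertext multiplications on the deepest path) are illustrative assumptions.

```python
# Added illustration: ReLU from additions and multiplications only,
# the operation set available to a CKKS-style homomorphic evaluator.

def f3(x):
    # Odd polynomial that pushes values in [-1, 1] towards -1 or +1.
    # Deepest path: x*x, then (x*x)*x -> 2 multiplicative levels.
    return (3.0 * x - x * x * x) / 2.0

def approx_sign(x, iterations):
    # Composing f3 sharpens the step around 0 (stand-in for the paper's method).
    for _ in range(iterations):
        x = f3(x)
    return x

def approx_relu(x, iterations):
    # ReLU(x) = x * (1 + sign(x)) / 2, valid for inputs scaled into [-1, 1].
    return x * (1.0 + approx_sign(x, iterations)) / 2.0

def mult_depth(iterations):
    # 2 levels per f3 composition plus 1 for the final product with x.
    return 2 * iterations + 1

def max_error(iterations, samples=2001):
    # Worst-case deviation from the exact ReLU on a uniform grid over [-1, 1].
    worst = 0.0
    for i in range(samples):
        x = -1.0 + 2.0 * i / (samples - 1)
        worst = max(worst, abs(approx_relu(x, iterations) - max(x, 0.0)))
    return worst

if __name__ == "__main__":
    print("iterations  depth  max |error|")
    for k in (0, 2, 4, 8):
        print(f"{k:>10}  {mult_depth(k):>5}  {max_error(k):.5f}")
```

Each extra composition lowers the worst-case error near zero but costs two more levels per ReLU, so a 20-layer network exhausts any fixed level budget without bootstrapping.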

Implications and Future Directions

The implications of this paper are significant for the development of privacy-preserving applications in sensitive data environments, such as medical, financial, or personal data processing. The achieved near-native accuracy levels represent a crucial step towards practical deployment. However, the constraints related to operational speed (approximately 4 hours per inference) highlight a considerable area for future optimization, potentially through hardware acceleration or refined algorithmic strategies.

Moreover, advancing FHE implementation with higher security levels without excessive computational overhead remains an ongoing challenge. Future research could enhance the trade-offs between security, accuracy, and efficiency, fostering more widespread adoption of FHE in real-time applications.

In conclusion, this paper is an important milestone: it demonstrates that high-accuracy classification with FHE is feasible on a standard deep learning architecture, a step towards preserving privacy in AI applications without a significant loss of accuracy.