Co-Designing AI and Homomorphic Architectures for Secure AI


Pixel Biometrics Seminar

Slides: hal.cse.msu.edu/talks
Vishnu Boddeti

Michigan State University


Progress In Artificial Intelligence

Speech Processing
Image Analysis
Natural Language Processing
Physical Sciences



Key Drivers
Data, Compute, Algorithms

Widespread deployment in the real world, especially as cloud services.

Today: Data is Encrypted Only During Communication

Privacy of user data is not guaranteed.

Privacy and Security Requirements in AI

...consent should be given for all purposes...

What are we trying to secure?

  • Secure Data
    • Both the input $x$ and the outcome $f(x)$
    • All intermediate computations are encrypted.
    • Preserves user privacy.

Example: Healthcare AI-based SaaS



However, both the data $x$ and the circuit $f$ are sensitive.

Securing User Data



Privacy of Alice's data is cryptographically guaranteed, but Bob has to give away his circuit to CCS.

Consequences of Evaluating the Circuit in Cleartext under FHE

  • Circuits are usually
    • Proprietary functions (e.g., ML trained models)
    • Directly derived from personal data (e.g., health data)
  • Circuits can be leaked from
    • Noise term analysis
    • Timing attacks
Circuit protection is as crucial as data protection.

Privacy protection of both data and circuit

Today's Agenda



AI + Encryption
Is there an encryption scheme that satisfies our security requirements?

Fully Homomorphic Encryption

A Primer

What is Fully Homomorphic Encryption?

Run programs on encrypted data without ever decrypting it.
FHE can—in theory—handle universal computation.















Apple: Secure Caller ID and Secure Photo Search
Microsoft: Secure Password Search in Edge Browser

Private Information Retrieval


  • Computational complexity $\mathcal{O}\left( K \cdot \left( \#\mathrm{M}_{\mathrm{HE}} + \#\mathrm{R}_{\mathrm{HE}} + \#\mathrm{A}_{\mathrm{HE}} \right) \right)$
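As a toy illustration of the PIR pattern behind this cost (plain Python, not a real HE library; helper names are hypothetical): the client encodes its query index as a one-hot selector, and the server replies with the inner product of that selector and its database of $K$ records. Under HE the selector is encrypted, so the server never learns the index, at the cost of $K$ homomorphic multiplications and additions.

```python
# Toy cleartext sketch of the PIR pattern (hypothetical helper names).
def pir_query(index, db_size):
    """Client side: one-hot selector (would be encrypted under HE)."""
    return [1 if i == index else 0 for i in range(db_size)]

def pir_answer(selector, database):
    """Server side: inner product over all K records."""
    return sum(s * d for s, d in zip(selector, database))

database = [42, 7, 99, 13]
assert pir_answer(pir_query(2, len(database)), database) == 99
```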

Tutorial at biometric-privacy-security.github.io

Homomorphic Evaluation of Encrypted Data





    • Packing
    • Encoding

Primitive Operations Supported by Arithmetic FHE Schemes



Main Idea: Noisy Inner Products

Private Key

$\mathbf{s} = \begin{bmatrix}10 \\ 82 \\ 50 \\ 51\end{bmatrix}$
Adversary's Goal: Solve for private key from public key.
| Domain         | Noise        | Problem                    | Solution                      |
|----------------|--------------|----------------------------|-------------------------------|
| $\mathbb{R}$   | $\times$     | System of Linear Equations | Gaussian Elimination          |
| $\mathbb{R}$   | $\checkmark$ | Least Squares Problem      | Least Squares Estimator       |
| $\mathbb{Z}_q$ | $\checkmark$ | Learning with Errors       | Infeasible in Polynomial Time |

Encryption and Decryption

  • a: fixed random vector
  • e: noise from discrete Gaussian
Relies on hardness of the Learning with Errors problem.
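A minimal cleartext sketch of this scheme, with toy parameters far too small to be secure, a crude noise distribution standing in for the discrete Gaussian, and (as in the slide) a fixed vector $\mathbf{a}$ rather than one sampled fresh per ciphertext:

```python
import random

# Toy LWE-style encryption of a single bit (illustrative parameters only).
q, n = 257, 4
s = [random.randrange(q) for _ in range(n)]            # private key
a = [random.randrange(q) for _ in range(n)]            # fixed random vector
e = random.choice([-2, -1, 0, 1, 2])                   # small noise term
b = (sum(ai * si for ai, si in zip(a, s)) + e) % q     # noisy inner product

def encrypt(m):
    """Scale the bit m up to q/2 so it sits far above the noise."""
    return (b + m * (q // 2)) % q

def decrypt(c):
    """Subtract <a, s>, then round: near 0 -> 0, near q/2 -> 1."""
    centered = (c - sum(ai * si for ai, si in zip(a, s))) % q
    return 1 if q // 4 < centered < 3 * q // 4 else 0

assert decrypt(encrypt(0)) == 0 and decrypt(encrypt(1)) == 1
```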

Data Encoding

Operating with cyclotomic polynomials enables operations on vectors.
\[
\begin{aligned}
\text{Secret Key: } s &= s(x), \text{ coefficients sampled from } \{-1, 0, 1\} \\
\text{Public Key: } p &= (a(x), b(x)), \text{ where} \\
a(x) &= \text{random polynomial sampled from } \mathbb{Z}_q[x]/(x^N+1) \\
b(x) &= \langle a(x), s(x) \rangle + e \;\mathrm{mod}\; \mathbb{Z}_q[x]/(x^N+1)
\end{aligned}
\]
  • message: $m(x)$ polynomial in $\mathbb{Z}_q[x]/(x^N+1)$
  • Encryption: $c(x) = b(x) + \Delta m(x) \text{ mod } \mathbb{Z}_q[x]/(x^N+1)$
  • Decryption: $\tilde{m}(x) = (c(x) - \langle a(x), s(x) \rangle)/\Delta$
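The ring arithmetic in $\mathbb{Z}_q[x]/(x^N+1)$ underlying these operations can be sketched in a few lines; the only subtlety is the negacyclic wrap-around $x^N = -1$. Parameters below are toy values:

```python
# Toy arithmetic in Z_q[x]/(x^N + 1) with illustrative parameters.
q, N = 97, 4

def ring_mul(f, g):
    """Multiply coefficient lists f, g modulo (x^N + 1) and modulo q."""
    res = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < N:
                res[k] = (res[k] + fi * gj) % q
            else:                       # x^(i+j) = -x^(i+j-N)
                res[k - N] = (res[k - N] - fi * gj) % q
    return res

# x * x^3 = x^4 = -1 in this ring
assert ring_mul([0, 1, 0, 0], [0, 0, 0, 1]) == [q - 1, 0, 0, 0]
```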

Data Packing

Data Privacy
Data and Circuit Privacy

AutoFHE

Efficient CNN Evaluation over FHE

Co-Designing AI and Homomorphic Architectures

    • Security Requirement

Encryption Parameters
  • Cyclotomic polynomial degree: $N$
  • Level: $L$
  • Modulus: $Q_l=\prod_{i=0}^{l} q_i$, $0 \leq l \leq L$
  • Bootstrapping Depth: $K$
  • Hamming Weight: $h$
    • Latency



CNNs under Homomorphic Encryption

Deep CNNs under Homomorphic Encryption

  • Level: number of multiplications allowed before bootstrapping is required
Drawbacks of bootstrapping: high latency and high memory footprint

Polynomial Neural Architectures

How to effectively trade off accuracy and latency?
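To see why polynomial architectures arise at all: arithmetic FHE evaluates only additions and multiplications, so ReLU must be replaced by a polynomial, and the degree directly controls the accuracy-versus-depth trade-off. A small illustrative sketch (NumPy least-squares fit; production systems typically use minimax approximations instead):

```python
import numpy as np

# Fit polynomials of increasing degree to ReLU on [-1, 1]. Higher degree
# fits better but consumes more multiplicative depth under FHE.
x = np.linspace(-1.0, 1.0, 1001)
relu = np.maximum(x, 0.0)

for deg in (2, 4, 8):
    p = np.polyfit(x, relu, deg)                  # least-squares fit
    err = np.abs(np.polyval(p, x) - relu).max()
    print(f"degree {deg}: max error {err:.4f}")
```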

Our Key Insight


Approximate the

end-to-end function represented by the network

instead of the activation function.

How to optimize end-to-end polynomial neural architecture?

Multi-Objective evolutionary optimization

Joint Search for Layerwise EvoReLU and Bootstrapping Operations



Joint Search Problem: Multi-Objective Search
    • Flexible Architecture
    • On-demand Bootstrapping

Bi-Level Multi-Objective Framework

✅ Layerwise Polynomials ✅ Diverse Solutions ✅ Better Trade-off Fronts

Experimental Setup

Dataset: CIFAR10
  • 50,000 training images
  • 10,000 test images
  • 32x32 resolution, 10 classes


Hardware & Software
  • Amazon AWS, r5.24xlarge
  • 96 CPUs, 768 GB RAM
  • Microsoft SEAL, 3.6

Latency and Accuracy Trade-offs under FHE


Data Privacy
Data and Circuit Privacy

CryptoFace

End-to-End Encrypted Face Recognition

What are the privacy and security risks in Face Recognition?


Prior Work: Template Protection

End-to-End Encrypted Face Recognition

Offline Enrollment

Online Verification

Challenges of End-to-End Encrypted Face Recognition

Image Resolution


    • Face recognition typically uses 112x112 images.
    • Encryption slot size is typically $16,384$.
      • Prior work processes 32x32 images.
      • Cannot encode and process high-resolution images.
    • Increases computational costs.
Computational Complexity
Rethink neural and homomorphic architecture designs.

Key Idea: Mixture of Shallow Patch CNNs

Homomorphic Level Optimal Block

CryptoFace Architecture

Polynomial Feature Normalization

  • L2 Normalization: $\tilde{\mathbf{y}} = \frac{\mathbf{y}}{\|\mathbf{y}\|_2} = \mathbf{y}\cdot \frac{1}{\sqrt{\sum_{i=1}^d y_i^2}} = \mathbf{y}\cdot q\left(\sum_{i=1}^d y_i^2\right)$ with $q(t)=\frac{1}{\sqrt{t}}$ (cannot be computed in CKKS)
  • Our Solution: Approximate $q(t)=\frac{1}{\sqrt{t}}$ with a polynomial $p(t)=\beta_2 t^2 + \beta_1 t + \beta_0$
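A sketch of fitting $p(t)$ to $q(t)=1/\sqrt{t}$ by least squares; the fitting range for $t=\sum_i y_i^2$ below is illustrative — in practice it would be calibrated to the feature norms observed during training:

```python
import numpy as np

# Quadratic least-squares fit of q(t) = 1/sqrt(t) over an assumed range of
# squared norms t (the range [0.5, 2.0] is illustrative, not calibrated).
t = np.linspace(0.5, 2.0, 2001)
b2, b1, b0 = np.polyfit(t, 1.0 / np.sqrt(t), 2)

y = np.array([0.6, 0.8])                    # toy feature: sum(y**2) = 1.0
t_val = float(np.sum(y ** 2))
y_norm = y * (b2 * t_val ** 2 + b1 * t_val + b0)   # polynomial normalization
print(np.linalg.norm(y_norm))               # should land near 1
```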

Cosine Similarity Under Encryption

Experiments on Encrypted Face Datasets

Hardware & Software
  • Amazon AWS, r5.24xlarge
  • 96 CPUs, 768 GB RAM
  • Microsoft SEAL, 3.6
| Approach    | Network  | Params | Boot | LFW   | AgeDB | CALFW | CPLFW | CFP-FP | Avg   | Latency (s) | Memory (GB) |
|-------------|----------|--------|------|-------|-------|-------|-------|--------|-------|-------------|-------------|
| MPCNN       | ResNet32 | 529K   | 31   | 97.02 | 83.02 | 87.00 | 78.90 | 82.07  | 85.60 | 7,367       | 286         |
| MPCNN       | ResNet44 | 724K   | 43   | 98.27 | 87.45 | 90.85 | 83.72 | 87.90  | 89.64 | 9,845       | 286         |
| AutoFHE$^1$ | ResNet32 | 531K   | 8    | 93.53 | 80.88 | 85.40 | 75.67 | 77.96  | 82.69 | 4,001       | 286         |
| CryptoFace  | PCNNs    | 3.78M  | 1    | 98.78 | 92.90 | 93.73 | 83.95 | 87.94  | 91.46 | 1,446       | 277         |

$^1$ Architecture searched on CIFAR10.

Computational Cost Per Operation

| Approach         | Backbone | Conv          | BN         | Residual    | AvgPool    | Linear       | Activation  | Norm      | Score       | Boot          | Other      |
|------------------|----------|---------------|------------|-------------|------------|--------------|-------------|-----------|-------------|---------------|------------|
| MPCNN            | ResNet32 | 896 (12.17%)  | 28 (0.38%) | 0.5 (0.01%) | 46 (0.62%) | 807 (10.96%) | 583 (7.92%) | 5 (0.07%) | 2 (0.02%)   | 4991 (67.76%) | 7 (0.09%)  |
| MPCNN            | ResNet44 | 1214 (12.33%) | 39 (0.39%) | 0.7 (0.01%) | 46 (0.46%) | 807 (8.19%)  | 807 (8.20%) | 5 (0.05%) | 2 (0.02%)   | 6917 (70.27%) | 7 (0.08%)  |
| AutoFHE$^\dagger$ | ResNet32 | 1966 (49.13%) | 28 (0.69%) | 1.7 (0.04%) | 38 (0.95%) | 658 (16.43%) | 17 (0.43%)  | 4 (0.10%) | 1 (0.03%)   | 1274 (31.84%) | 14 (0.34%) |
| CryptoFace       | PCNNs    | 858 (62.93%)  | 2 (0.16%)  | 0.1 (0.01%) | 26 (1.94%) | 277 (20.30%) | 13 (0.94%)  | 2 (0.11%) | 0.3 (0.02%) | 141 (10.34%)  | 44 (3.26%) |

Resolution Scalability

Data Privacy
Data and Circuit Privacy

PrivaCT

Circuit and Data Privacy

Circuit Protection: Prior Solutions

  • Inference under encryption, so the circuit is never shared
    • Restricted two-party scenario
    • Cleartext evaluation of the circuit
Is the circuit protected?
    No, noise term can leak it!
  • Circuit leakage prevention
    • Elimination of the noise term (e.g., noise flooding, bootstrapping, etc.)
    • Randomization of the evaluated ciphertext

PrivaCT: Data and Circuit Privacy



Goal: Reduce all functions to a uniform external circuit (inner products).


Key Idea of PrivaCT: Two-Stage Function Approximation

PrivaCT improves accuracy for a fixed computational complexity

    • Existing approaches require increasing their polynomial degree to improve the approximation performance
      • Chebyshev approximation (green curves) $(deg=495)$ [BF24]
      • Minimax composite Chebyshev approximation (orange curves) $(degrees = [5,5,5,7,7,7,7,7,27])$ [LL+21]
    • PrivaCT's approximation improves as the number of segments $(n_{seg})$ increases for a fixed degree $deg=3$
      • It reaches the lowest Hausdorff distance $(HD = 0.645)$ at $n_{seg}=16$.
PrivaCT adapts to the function's subtle curvatures.
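The segments-versus-degree trade-off can be illustrated with a toy experiment: fix the per-segment degree at 3 and increase the number of segments (tanh stands in for the target nonlinearity, and the least-squares fit is illustrative; PrivaCT's actual fitting procedure may differ):

```python
import numpy as np

# Piecewise approximation: split [lo, hi] into n_seg segments and fit a
# fixed degree-3 polynomial per segment. More segments -> smaller error,
# without increasing the polynomial degree.
f = np.tanh
lo, hi = -4.0, 4.0

def piecewise_max_error(n_seg, deg=3):
    edges = np.linspace(lo, hi, n_seg + 1)
    worst = 0.0
    for a, b in zip(edges[:-1], edges[1:]):
        t = np.linspace(a, b, 200)
        p = np.polyfit(t, f(t), deg)        # per-segment least-squares fit
        worst = max(worst, np.abs(np.polyval(p, t) - f(t)).max())
    return worst

for n_seg in (1, 4, 16):
    print(n_seg, piecewise_max_error(n_seg))
```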

Runtime comparison between PrivaCT and state-of-the-art solutions

No loss in accuracy while achieving both data and circuit privacy, with significantly reduced runtime.

Story So Far...


Co-designing AI and FHE architectures is critical for efficiency.

Missing Piece in the Puzzle

Hardware Accelerators for FHE

Source: Duality Technologies

Concluding Remarks


  • Homomorphic encryption is the key to realizing end-to-end encrypted AI systems.
    • Can realize both data and function privacy.
    • Offers post-quantum security.
  • Naive application of HE for AI suffers from prohibitive computational costs.
  • Co-designing AI and Homomorphic architectures is critical for efficiency.
    • Can yield at least a 10x speedup.
Exciting research at the intersection of AI, Cryptography, and ASIC Design.

hal.cse.msu.edu