[Cryptography] pseudo-homomorphic encryption ??

Mon Jan 14 16:23:52 EST 2019

On Mon, Jan 14, 2019 at 1:08 PM Henry Baker <hbaker1 at pipeline.com> wrote:
>
> Perhaps there are "homomorphic" encryption
> systems that do *just enough* and AI/ML systems
> that are dumbed down *just enough* that the
> two constraints can meet in the middle.
>

Deep neural network (specifically CNN) classifiers are the go-to ML
technique in the context of image classification. Maybe there is a
less complex algorithm, but it will be at the expense of capability
and elegance. For instance, SVMs do work for image classification when
combined with feature extraction techniques [1]. But how do we extract
topological features from an image in HE? I have no idea. If your
image is small enough, then the pixels could suffice as features, and
*maybe* this would work without much issue.

Ignoring the omnipresent computational difficulties for a moment,
there are lots of questions to be answered at the intersection of HE
(homomorphic encryption) and deep neural networks: How do we perform
functions like softmax, tanh, relu (introduces nonlinearity) over HE?
What is the performance of SGD or other optimization methods? How does
HE introduced variance affect the model in practice? Are the biases
fundamentally different between non-HE and HE models? Could there be
new/special neural structures that work well specifically over HE?

> After all, AI/ML systems don't seem to care
> about most kinds of image distortions, so
> perhaps they could still be capable of
> characterizing certain pictures even after
> encryption ?

We could perhaps find some features/structure in the encrypted images,
but traditionally the features are very characteristic of qualities
inherent in the image (i.e. early layers would identify low level
features like edges, later layers would identify some kind of abstract
features [2]). Without that in the encrypted space, no model would
perform well, but perhaps the encrypted space has a parallel set of
features that could be learned. I am unsure if homomorphic encryption
could potentially guarantee the preservation of spatial (or temporal
or abstract) patterns even with a restricted set of operations -- I'll
leave this question to the people more knowledgeable than myself.

>
> So you send him/her only an encrypted dataset
> along with the classification data (yes/no or
> perhaps a finite set of possibilities); this
> classification data isn't encrypted, and there
> isn't any easy way to figure out from the
> sequence of classifications any useful info
> about the encrypted dataset.
>

One thing to note is the potential for information leakage by way of
learned features within the intermediate layers of a ML model if our
dataset is encrypted and our classifications are not. Perhaps there is
some method of interpolation between unencrypted data based models and
encrypted data based models or some form of extrapolation based on
Yosinski2015 [2].

There is a great paper by Microsoft and Princeton from 2016 that is
worth a read. Their model is a really great adaptation of deep neural
network methods into one suitable for homomorphic encryption:
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/04/CryptonetsTechReport.pdf

[1] Decent discussion on SVMs for IC:
https://medium.com/@dataturks/understanding-svms-for-image-classification-cf4f01232700
[2] http://yosinski.com/media/papers/Yosinski__2015__ICML_DL__Understanding_Neural_Networks_Through_Deep_Visualization__.pdf