New GAZELLE system provides security for cloud-based machine learning

A novel combination of two encryption techniques protects private data while keeping neural networks running quickly.

A novel encryption method devised by MIT researchers secures data used in online neural networks, without dramatically slowing their runtimes, which holds promise for medical-image analysis using cloud-based neural networks and other applications. Image: Chelsea Turner

MIT scientists have recently developed a novel system that offers security to online neural networks. The system, dubbed GAZELLE, blends two conventional techniques: homomorphic encryption and garbled circuits.

By combining these techniques, the system helps the networks run orders of magnitude faster than they do with conventional approaches.

Scientists believe that the system would be helpful for cloud-based neural networks for medical image analysis and other applications that use sensitive data. In addition, it could be used to train CNNs to diagnose diseases.

Scientists tested the system on two-party image-classification tasks. A user sends encoded image data to an online server evaluating a CNN running on GAZELLE. After this, the two parties, i.e., sender and receiver, pass encrypted information back and forth in order to classify the user’s image.

Throughout the process, the system guarantees that the server never learns any of the transferred information, while the user never learns anything about the system parameters. Compared with conventional systems, however, GAZELLE ran 20 to 30 times faster than state-of-the-art models, while reducing the required network bandwidth by an order of magnitude.

First author Chiraag Juvekar, a Ph.D. student in the Department of Electrical Engineering and Computer Science (EECS), said, “In this work, we show how to efficiently do this kind of secure two-party communication by combining these two techniques in a clever way. The next step is to take real medical data and show that, even when we scale it for applications real users care about, it still provides acceptable performance.”

Homomorphic encryption, the encryption technique used in the system, is commonly used in cloud computing. It receives and executes computation entirely on encrypted data, called ciphertext, and generates an encrypted result that can then be decrypted by a user. When applied to neural networks, this technique is particularly fast and efficient at computing linear algebra.

Garbled circuits, on the other hand, are a form of secure two-party computation. The technique takes an input from both parties, does some computation, and sends two separate inputs to each party. In that way, the parties send data to one another, but they never see the other party’s data, only the relevant output on their side.

In their system, a user transfers ciphertext to a cloud-based CNN. The user must have garbled circuits. The CNN does all the computation in the linear layer, then sends the data to the nonlinear layer. At that point, the CNN and the user share the data. The user does some computation on garbled circuits and sends the data back to the CNN.

By splitting and sharing the workload, the system restricts the homomorphic encryption to doing complex math one layer at a time, so data doesn’t become too noisy. It likewise limits the communication of the garbled circuits to only the nonlinear layers, where it performs optimally.

The final step was ensuring that both the homomorphic and garbled-circuit layers maintained a common randomization scheme, called “secret sharing.” In this scheme, data is divided into separate parts that are given to separate parties. All parties sync their parts to reconstruct the full data.
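The secret-sharing hand-off described above, as an added Python example that is not code from the GAZELLE paper or its authors. It assumes additive shares modulo a fixed modulus and ReLU as the nonlinear function (neither is stated in this article), all function names are hypothetical, and the homomorphic encryption and the garbled circuit are replaced by plain-arithmetic stand-ins so that only the flow of shares between layers is shown.

```python
import secrets

P = 2**61 - 1  # modulus for the shares (assumed; the article names no parameters)

def share(x):
    """Split integer x into two additive shares modulo P; each alone is uniformly random."""
    a = secrets.randbelow(P)
    return a, (x - a) % P

def reconstruct(a, b):
    """Combine both shares; residues above P // 2 are read as negative numbers."""
    v = (a + b) % P
    return v - P if v > P // 2 else v

def share_vec(xs):
    """Share every element of a vector; returns (user_shares, server_shares)."""
    pairs = [share(x) for x in xs]
    return [p[0] for p in pairs], [p[1] for p in pairs]

def linear_on_share(W, s):
    """Apply weight matrix W to ONE share vector. The map is linear, so doing this
    to each share separately yields valid shares of W @ x (HE omitted here)."""
    return [sum(w * v for w, v in zip(row, s)) % P for row in W]

def nonlinear_reshare(u, s):
    """Stand-in for the garbled-circuit step: the recombined value goes through
    ReLU and comes out as fresh shares. It runs in the clear here only to show
    the data flow; a real garbled circuit computes the same function without
    revealing the recombined value to either party."""
    out = [share(max(0, reconstruct(a, b))) for a, b in zip(u, s)]
    return [o[0] for o in out], [o[1] for o in out]

def run_layer(W, x):
    """One linear layer followed by one nonlinear layer, entirely on shares."""
    u, s = share_vec(x)
    u, s = linear_on_share(W, u), linear_on_share(W, s)
    u, s = nonlinear_reshare(u, s)
    return [reconstruct(a, b) for a, b in zip(u, s)]

if __name__ == "__main__":
    W = [[1, -2], [3, 4]]        # constructed sample weights
    print(run_layer(W, [5, 3]))  # constructed sample input
```

The point to take from it is that the intermediate value between layers only ever exists as two random-looking shares, which is what lets the two techniques be chained without either party seeing the other's data.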

Juvekar said, “At the end of the computation, we want the first party to get the classification results and the second party to get absolutely nothing.” Additionally, “the first party learns nothing about the parameters of the model.”

Co-authors on the paper are Vinod Vaikuntanathan, an associate professor in EECS and a member of the Computer Science and Artificial Intelligence Laboratory, and Anantha Chandrakasan, dean of the School of Engineering and the Vannevar Bush Professor of Electrical Engineering and Computer Science.

The paper is presented at this week’s USENIX Security Conference.