-
Trustworthy AI Inference Systems: An Industry Research View
Authors:
Rosario Cammarota,
Matthias Schunter,
Anand Rajan,
Fabian Boemer,
Ágnes Kiss,
Amos Treiber,
Christian Weinert,
Thomas Schneider,
Emmanuel Stapf,
Ahmad-Reza Sadeghi,
Daniel Demmler,
Joshua Stock,
Huili Chen,
Siam Umar Hussain,
Sadegh Riazi,
Farinaz Koushanfar,
Saransh Gupta,
Tajan Simunic Rosing,
Kamalika Chaudhuri,
Hamid Nejatollahi,
Nikil Dutt,
Mohsen Imani,
Kim Laine,
Anuj Dubey,
Aydin Aysu
et al. (4 additional authors not shown)
Abstract:
In this work, we provide an industry research view for approaching the design, deployment, and operation of trustworthy Artificial Intelligence (AI) inference systems. Such systems provide customers with timely, informed, and customized inferences to aid their decision, while at the same time utilizing appropriate security protection mechanisms for AI models. Additionally, such systems should also use Privacy-Enhancing Technologies (PETs) to protect customers' data at any time. To approach the subject, we start by introducing current trends in AI inference systems. We continue by elaborating on the relationship between Intellectual Property (IP) and private data protection in such systems. Regarding the protection mechanisms, we survey the security and privacy building blocks instrumental in designing, building, deploying, and operating private AI inference systems. For example, we highlight opportunities and challenges in AI systems using trusted execution environments combined with more recent advances in cryptographic techniques to protect data in use. Finally, we outline areas of further development that require the global collective attention of industry, academia, and government researchers to sustain the operation of trustworthy AI inference systems.
Submitted 10 February, 2023; v1 submitted 10 August, 2020;
originally announced August 2020.
-
CryptoSPN: Privacy-preserving Sum-Product Network Inference
Authors:
Amos Treiber,
Alejandro Molina,
Christian Weinert,
Thomas Schneider,
Kristian Kersting
Abstract:
AI algorithms, and machine learning (ML) techniques in particular, are increasingly important to individuals' lives, but have caused a range of privacy concerns addressed by, e.g., the European GDPR. Using cryptographic techniques, it is possible to perform inference tasks remotely on sensitive client data in a privacy-preserving way: the server learns nothing about the input data and the model predictions, while the client learns nothing about the ML model (which is often considered intellectual property and might contain traces of sensitive data). While such privacy-preserving solutions are relatively efficient, they are mostly targeted at neural networks, can degrade the predictive accuracy, and usually reveal the network's topology. Furthermore, existing solutions are not readily accessible to ML experts, as prototype implementations are not well-integrated into ML frameworks and require extensive cryptographic knowledge.
In this paper, we present CryptoSPN, a framework for privacy-preserving inference of sum-product networks (SPNs). SPNs are a tractable probabilistic graphical model that allows a range of exact inference queries in linear time. Specifically, we show how to efficiently perform SPN inference via secure multi-party computation (SMPC) without accuracy degradation while hiding sensitive client and training information with provable security guarantees. Next to foundations, CryptoSPN encompasses tools to easily transform existing SPNs into privacy-preserving executables. Our empirical results demonstrate that CryptoSPN achieves highly efficient and accurate inference in the order of seconds for medium-sized SPNs.
Submitted 3 February, 2020;
originally announced February 2020.
-
Privacy-Preserving Speaker Recognition with Cohort Score Normalisation
Authors:
Andreas Nautsch,
Jose Patino,
Amos Treiber,
Themos Stafylakis,
Petr Mizera,
Massimiliano Todisco,
Thomas Schneider,
Nicholas Evans
Abstract:
In many voice biometrics applications there is a requirement to preserve privacy, not least because of the recently enforced General Data Protection Regulation (GDPR). Though progress in bringing privacy preservation to voice biometrics is lagging behind developments in other biometrics communities, recent years have seen rapid progress, with secure computation mechanisms such as homomorphic encryption being applied successfully to speaker recognition. Even so, the computational overhead incurred by processing speech data in the encrypted domain is substantial. While still tolerable for single biometric comparisons, most state-of-the-art systems perform some form of cohort-based score normalisation, requiring many thousands of biometric comparisons. The computational overhead is then prohibitive, meaning that one must accept either degraded performance (no score normalisation) or potential for privacy violations. This paper proposes the first computationally feasible approach to privacy-preserving cohort score normalisation. Our solution is a cohort pruning scheme based on secure multi-party computation which enables privacy-preserving score normalisation using probabilistic linear discriminant analysis (PLDA) comparisons. The solution operates upon binary voice representations. While the binarisation is lossy in biometric rank-1 performance, it supports computationally-feasible biometric rank-n comparisons in the encrypted domain.
Submitted 8 July, 2019;
originally announced July 2019.
-
A Comment on Privacy-Preserving Scalar Product Protocols as proposed in "SPOC"
Authors:
Thomas Schneider,
Amos Treiber
Abstract:
Privacy-preserving scalar product (PPSP) protocols are an important building block for secure computation tasks in various applications. Lu et al. (TPDS'13) introduced a PPSP protocol that does not rely on cryptographic assumptions and that is used in a wide range of publications to date. In this comment paper, we show that Lu et al.'s protocol is insecure and should not be used. We describe specific attacks against it and, using impossibility results of Impagliazzo and Rudich (STOC'89), show that it is inherently insecure and cannot be fixed without relying on at least some cryptographic assumptions.
Submitted 1 September, 2019; v1 submitted 11 June, 2019;
originally announced June 2019.
-
Fully automated entanglement-based quantum cryptography system for telecom fiber networks
Authors:
Alexander Treiber,
Andreas Poppe,
Michael Hentschel,
Daniele Ferrini,
Thomas Lorünser,
Edwin Querasser,
Thomas Matyus,
Hannes Hübel,
Anton Zeilinger
Abstract:
We present a quantum key distribution (QKD) system based on polarisation entanglement for use in telecom fibers. A QKD exchange up to 50km was demonstrated in the laboratory with a secure key rate of 550 bit/s. The system is compact and portable; a fully automated start-up and stabilisation modules for polarisation, synchronisation and photon coupling allow hands-off operation. Stable and reliable key exchange in a deployed optical fiber of 16km length was demonstrated. In this fiber network we achieved, over two weeks, automatic key generation with an average key rate of 2000 bit/s without manual intervention. During this period, the system had an average entanglement visibility of 93%, highlighting the technical level and stability achieved for entanglement-based quantum cryptography.
Submitted 30 April, 2009; v1 submitted 18 January, 2009;
originally announced January 2009.