CRYPTML - A hybrid machine learning model using homomorphic encryption
Ingénierie et Architecture Genève
Today, the explosive development of artificial intelligence (AI) and machine learning (ML) models means that more and more potentially sensitive data needs to be collected. This intensifies the demand for privacy-preserving techniques. One promising avenue in this respect is fully homomorphic encryption (FHE), a cryptographic method that, unlike traditional encryption, allows calculations to be performed on encrypted data without decrypting it, thereby preserving users' confidentiality. The data is not visible during computation, and the result, although exact, remains encrypted as well. This minimizes security risks.
In this project, we present an approach that combines ML with FHE. This is a real challenge, since FHE requires that the input data be encrypted and that the ML model perform its computations using FHE operations, which are very demanding in terms of hardware resources. FHE also imposes several limitations on the mathematical operations that can be performed on the encrypted data, since it supports only addition and multiplication, which makes it of limited use for all but the most trivial scenarios. To circumvent these limitations, we use a hybrid and modular client-server architecture, where the client sends encrypted images to the server, which in turn responds with the predicted (encrypted) class. The ML model is first trained on unencrypted data, and the resulting unencrypted trained weights are applied directly to the encrypted data during inference. We break the ML model down into layers, choose which layers must be computed on the client and which on the server, and identify all possible combinations rather than performing all computations server-side.
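The layer split described above, as an added illustration that is not code from the CryptML project: a tiny two-layer network whose weights (constructed here, standing in for plaintext-trained ones) are applied to "encrypted" inputs. The `Ct` wrapper performs no real encryption; it only models the FHE API surface the abstract describes (ciphertext plus ciphertext, ciphertext plus plaintext, ciphertext times plaintext, and nothing else) and counts multiplicative depth, so the example can show why the linear layers can run server-side while the ReLU must be decrypted and applied client-side. All names, weights and the input vector are assumptions made for the example.

```python
"""Hybrid client/server inference under an FHE-style operation restriction.

`Ct` is a stand-in, NOT an encryption scheme: it wraps a plaintext float so the
example can be checked, exposes only the operations an FHE scheme offers
(add, and multiply by a plaintext or another ciphertext), and rejects
comparisons, which is what makes ReLU impossible on ciphertexts.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class Ct:
    value: float   # what a real scheme would hide; visible here for checking
    depth: int = 0  # multiplicative depth consumed by this ciphertext

    def __add__(self, other):
        if isinstance(other, Ct):
            return Ct(self.value + other.value, max(self.depth, other.depth))
        return Ct(self.value + other, self.depth)          # ct + plaintext
    __radd__ = __add__

    def __mul__(self, other):
        if isinstance(other, Ct):
            return Ct(self.value * other.value, max(self.depth, other.depth) + 1)
        return Ct(self.value * other, self.depth + 1)      # ct * plaintext
    __rmul__ = __mul__

    def __lt__(self, other):  # comparisons are not homomorphic operations
        raise TypeError("comparison on a ciphertext is not an FHE operation")
    __gt__ = __le__ = __ge__ = __lt__


def encrypt(x: Sequence[float]) -> List[Ct]:   # client side (stand-in)
    return [Ct(v) for v in x]


def decrypt(c: Sequence[Ct]) -> List[float]:   # client side (stand-in)
    return [ct.value for ct in c]


def dense_encrypted(weights, bias, x_ct: Sequence[Ct]) -> List[Ct]:
    """Server side: plaintext weights applied to ciphertexts with add/mul only."""
    out = []
    for w_row, b in zip(weights, bias):
        acc = Ct(0.0)
        for w, x in zip(w_row, x_ct):
            acc = acc + x * w
        out.append(acc + b)
    return out


def dense_plain(weights, bias, x):
    return [sum(w * v for w, v in zip(w_row, x)) + b for w_row, b in zip(weights, bias)]


def relu(x: Sequence[float]) -> List[float]:
    """Client side: the non-linearity runs on decrypted values."""
    return [v if v > 0.0 else 0.0 for v in x]


def relu_encrypted(x_ct: Sequence[Ct]) -> List[Ct]:
    """What a server-only split would need; Ct rejects the comparison."""
    return [ct if ct > 0.0 else Ct(0.0) for ct in x_ct]


# Constructed weights standing in for a model trained on plaintext data.
W1 = [[1.0, -1.0, 0.5], [0.5, 0.5, 1.0]]
B1 = [2.0, -2.0]
W2 = [[2.0, 1.0], [-1.0, 3.0]]
B2 = [0.0, 0.5]
X = [1.0, 2.0, -1.0]  # constructed input (an "image" of three pixels)


def hybrid_predict(x: Sequence[float]) -> Tuple[List[float], int]:
    """Client encrypts -> server dense1 -> client ReLU -> server dense2 -> client decrypts.

    Returns the logits and the maximal multiplicative depth reached on the
    server; re-encryption after the client-side ReLU resets the depth to 0.
    """
    c1 = encrypt(x)                     # client
    c2 = dense_encrypted(W1, B1, c1)    # server
    h = relu(decrypt(c2))               # client: decrypt, apply ReLU
    c3 = encrypt(h)                     # client: re-encrypt
    c4 = dense_encrypted(W2, B2, c3)    # server
    return decrypt(c4), max(ct.depth for ct in c4)


def plain_predict(x: Sequence[float]) -> List[float]:
    return dense_plain(W2, B2, relu(dense_plain(W1, B1, x)))


def server_only_fails(x: Sequence[float]) -> bool:
    """True if keeping the ReLU on the server is rejected by the Ct restriction."""
    try:
        relu_encrypted(dense_encrypted(W1, B1, encrypt(x)))
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    logits, depth = hybrid_predict(X)
    print("hybrid logits:", logits, "class:", logits.index(max(logits)), "depth:", depth)
    print("plaintext reference:", plain_predict(X))
    print("server-only ReLU rejected:", server_only_fails(X))
```

The hybrid path reproduces the plaintext logits exactly, each server round consumes only one level of multiplicative depth, and the attempt to keep the ReLU server-side is rejected; the cost of that split is the extra client round trip, which is what the per-combination performance assessment in the paper measures.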
Finally, we assess each combination from a performance perspective (computation time and memory usage). This strategy enables us to select the best combination in terms of performance, while raising awareness regarding security implications.