fast faster privacy preserving ml in secure hardware
play

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves - PowerPoint PPT Presentation

Feb 09, 2024 •803 likes •1.41k views

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

  1. Fast & Faster Privacy-Preserving ML 
 in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community!

  2. Ideal: data providers pool data to train a large, complex model

  3. Ideal: data providers pool data to train a large, complex model TransUnion Equifax Experian credit scoring model

  4. Ideal: data providers pool data to train a large, complex model Kaiser Permanente Mass. UCSF Medical General 
 Hospital health diagnosis model

  5. Ideal: data providers pool data to train a large, complex model your neighbor you me truly personal assistant

  6. Reality: data providers are mutually distrusting! data theft inappropriate use non-payment

  7. Solution: providers cooperate via a virtual trusted third party

  8. Secure Computation Techniques Support for practical 
 Performance Security mechanisms ML models Trusted Execution Env. (TEE) Secure hardware Cryptography, Secure multi-party computation distributed trust Cryptography, Zero-knowledge proof local computation Fully homomorphic encryption Cryptography

  9. Secure Enclaves Secure enclave

  10. Secure Enclaves Secure enclave Integrity Confidentiality

  11. Secure Enclaves Secure enclave Remote Attestation Integrity Confidentiality

  12. TEE Implementations • Intel SGX: in your laptop, Azure, Alibaba Cloud, and IBM Cloud

  13. TEE Implementations • Intel SGX: in your laptop, Azure, Alibaba Cloud, and IBM Cloud • Keystone: the first open-source end-to-end secure enclave • runs on RISCV chips and FPGAs • keystone-enclave/keystone

  14. TEE Implementations • Intel SGX: in your laptop, Azure, Alibaba Cloud, and IBM Cloud • Keystone: the first open-source end-to-end secure enclave • runs on RISCV chips and FPGAs • keystone-enclave/keystone • Ginseng: a drop-in enclave framework for FPGA ML accelerators

  15. 1. Privacy-Preserving ML & Secure Enclaves 2. Myelin: Efficient Private ML in CPU Enclaves 3. Ginseng: Accelerated Private ML in FPGA Enclaves 4. Sterling: A Privacy-Preserving Data Marketplace

  16. Myelin: Efficient Private ML in CPU Enclaves dmlc/tvm/apps/sgx 
 dmlc/tvm/rust

  17. Myelin: Efficient Private ML in CPU Enclaves [3] Efficient Per-Example Gradient Computations. Goodfellow. 2015

  18. Step 1: Get the ML in the Enclave

  19. Step 1: Get the ML in the Enclave

  20. Step 1: Get the ML in the Enclave

  21. Step 2: Add Differential Privacy

  22. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy

  23. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data

  24. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data • adds noise so that that model trained on neighboring datasets are indistinguishable

  25. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data • adds noise so that that model trained on neighboring datasets are indistinguishable • slow in standard frameworks

  26. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data • adds noise so that that model trained on neighboring datasets are indistinguishable • slow in standard frameworks

  27. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data add noise • adds noise so that that model trained on neighboring datasets are indistinguishable • slow in standard frameworks

  28. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data add noise • adds noise so that that model trained on neighboring datasets are indistinguishable • slow in standard frameworks

  29. Step 3: Make it Fast Differentially Private SGD 1. compute forward pass for mini-batch of m examples 2. compute per-example gradients 3. rescale each example’s gradient to have unit norm 4. average them up 5. add noise 6. take gradient step

  30. Step 3: Make it Fast Differentially Private SGD 1. compute forward pass for mini-batch of m examples 2. compute per-example gradients 3. rescale each example’s gradient to have unit norm add a pass to fuse these 4. average them up 5. add noise 6. take gradient step

  31. Step 3: Make it Fast Differentially Private SGD 1. compute forward pass for batch of m autograd takes O(m) [4] 
 examples O(1) with custom IR ops 2. compute per-example gradients 3. rescale each example’s gradient to have unit norm 4. average + noise+ gradient step [4] Efficient Per-Example Gradient Computations. Goodfellow. 2015

  32. Step 4: Benchmark Performance on CIFAR-10 1 Myelin Enclave non-private CPU related work Chiron (4 enclaves) [5] 
 VGG-9 (training) 21.3 img/s 27.2 img/s 24.7 img/s ResNet-32 (training) 12.4 img/s 13.6 img/s – Slalom (enclave+GPU) MobileNet (inference) 32.4 img/s – [6] 
 35.7 img/s [5] Chiron: Privacy-preserving machine learning as a service. Hunt, Song, Shokri, Shmatikov, and Witchel. 2018 
 [6] Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. Tramer and

  33. State of the Art Performance for 
 ML in Single CPU Enclave • but a CPU is a CPU: ½ day to train a ResNet is emotionally unsatisfying • no GPU TEEs (yet), but we can do FPGAs!

  34. 1. Privacy-Preserving ML & Secure Enclaves 2. Myelin: Efficient Private ML in CPU Enclaves 3. Ginseng: Accelerated Private ML in FPGA Enclaves 4. Sterling: A Privacy-Preserving Data Marketplace

  35. Ginseng, the Learning TEE • Main idea: FPGA can be programmed with ML accelerator (VTA) and the components required to make a TEE • memory encryption • key generation • remote attestation • TEEs are general-purpose; ML is very particular 
 We get big efficiency wins from specializing TEE to ML workloads

  36. Ginseng = VTA + Tensor Encryption + Secure OS

  37. Ginseng = VTA + Tensor Encryption + Secure OS • Tensor Encryption Core (TEC) safeguards the tensors in memory • protects entire models’ tensors for virtually no overhead

  38. Ginseng = VTA + Tensor Encryption + Secure OS • Tensor Encryption Core (TEC) safeguards the tensors in memory • protects entire models’ tensors for virtually no overhead • Ginseng Secure OS protects the end-to-end workflow • built atop formally verified components • minimal trusted computing base • side-channel resistant

  39. Ginseng = VTA + Tensor Encryption + Secure OS • Tensor Encryption Core (TEC) safeguards the tensors in memory • protects entire models’ tensors for virtually no overhead • Ginseng Secure OS protects the end-to-end workflow • built atop formally verified components • minimal trusted computing base • side-channel resistant • End result: an end-to-end secure, speedy ML pipeline

  40. Ginseng = VTA + Tensor Encryption + Secure OS

  41. 1. Privacy-Preserving ML & Secure Enclaves 2. Myelin: Efficient Private ML in CPU Enclaves 3. Ginseng: Accelerated Private ML in FPGA Enclaves 3. Sterling: A Privacy-Preserving Data Marketplace

  42. Sterling: A Privacy-Preserving Data Marketplace built on the Oasis blockchain and TVM [1] A Demonstration of Sterling: A Privacy-Preserving Data Marketplace. VLDB 2018. [2] Ekiden: A Platform for Confidentiality-Preserving, Trustworthy, and Performant Smart Contract Execution. 2018

  43. Sterling workflow

  44. Sterling workflow 1. data provider encrypts data and uploads to Oasis blockchain 
 access to data is controlled by a confidential smart contract

  45. Sterling workflow 1. data provider encrypts data and uploads to Oasis blockchain 
 access to data is controlled by a confidential smart contract 2. data consumer uploads a model training smart contract 
 which satisfies constraints of provider contract

  46. Sterling workflow 1. data provider encrypts data and uploads to Oasis blockchain 
 access to data is controlled by a confidential smart contract 2. data consumer uploads a model training smart contract 
 which satisfies constraints of provider contract 3. consumer contract requests data from provider contract 
 sends over payment and credentials

  47. Sterling workflow 1. data provider encrypts data and uploads to Oasis blockchain 
 access to data is controlled by a confidential smart contract 2. data consumer uploads a model training smart contract 
 which satisfies constraints of provider contract 3. consumer contract requests data from provider contract 
 sends over payment and credentials 4. provider contract checks that consumer contract satisfies constraints and sends back data

Recommend

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM International Workshop on Data Privacy Management 2013 Georg Neugebauer 1 , Lucas Brutschy 1 , Ulrike Meyer 1 and Susanne Wetzel 2 UMIC LuFG IT-Security,

212 views • 17 slides
Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li

Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li

CS573 Data Privacy and Security Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li Xiong Slides credit: Chris Clifton, Purdue University; Murat Kantarcioglu, UT Dallas Outline Overview Data

901 views • 42 slides
BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith

BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith

BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith Suresh CrIS Lab, IISc https://www.csa.iisc.ac.in/~cris Outline q Secure Multi-party Computation (MPC) q MPC for small number of parties (3PC) q Our

2.46k views • 53 slides
Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management

Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management

KTH ROYAL INSTITUTE OF TECHNOLOGY Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management Infrastructure Mohammad Khodaei Networked Systems Security Group (NSS) November 1, 2016 July 2, 2018

1.03k views • 38 slides
GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving application FOSDEM20 Martin Schanzenbach 2/2/2020 The Internet is under attack The Internet HTTP, Facebook, Google, Libra ... DNS / X.509 TCP /

631 views • 34 slides
Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy

Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy

Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy Technology Development Cybernetica dan@cyber.ee The Sharemind Privacy-preserving Computing Platform Components for Privacy Encrypted Privacy

714 views • 28 slides
Efficient Scheme for Secure and Privacy-Preserving Electric Vehicle Dynamic Charging System IEEE

Efficient Scheme for Secure and Privacy-Preserving Electric Vehicle Dynamic Charging System IEEE

Efficient Scheme for Secure and Privacy-Preserving Electric Vehicle Dynamic Charging System IEEE ICC 2017 Paris, France May 21 - 25, 2017 Presenter: Outline I ntroduction Proposed Scheme Evaluations Conclusion W hat is EV

560 views • 20 slides
Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU Leuven - COSIC 20 November 2012 Privacy Preserving Protocols Introduction Cryptography in Daily Life RFID Privacy

1.04k views • 60 slides
Design of a Privacy-preserving Document Submission and Grading System Benjamin Greschbach,

Design of a Privacy-preserving Document Submission and Grading System Benjamin Greschbach,

NordSec15 20th Nordic Conference on Secure IT Systems KTH ROYAL INSTITUTE OF TECHNOLOGY STOCKHOLM SWEDEN Design of a Privacy-preserving Document Submission and Grading System Benjamin Greschbach, Guillermo Rodrguez-Cano, Tomas

224 views • 10 slides
CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

9/9/2012 CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven, ESAT/SCD-COSIC CHES 2012 Crypto hardware 9/9/2012 CHES Tutorial: Crypto hardware design 3 1 9/9/2012 Smart card SoC (NXP P60C080)

826 views • 54 slides
Privacy Preserving Data Mining Moheeb Rajab Agenda Overview and Terminology Motivation

Privacy Preserving Data Mining Moheeb Rajab Agenda Overview and Terminology Motivation

Privacy Preserving Data Mining Moheeb Rajab Agenda Overview and Terminology Motivation Active Research Areas Secure Multi-party Computation (SMC) Randomization approach Limitations Summary and Insights Overview

716 views • 53 slides
Efficient Privacy-Preserving Biometric Identification Yan Huang Lior Malka David Evans Jonathan

Efficient Privacy-Preserving Biometric Identification Yan Huang Lior Malka David Evans Jonathan

Efficient Privacy-Preserving Biometric Identification Yan Huang Lior Malka David Evans Jonathan Katz http://www.mightbeevil.org/secure-biometrics/ Feb 9, 2011 Motivating Scenario: Private No-Fly Checking Threat Models Semi-honest adversary

1.4k views • 40 slides
Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro University College London (UCL) https://emilianodc.com Privacy-preserving what ? Parties with limited mutual trust willing or required to share

1.1k views • 66 slides
Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

SP SPACE ACE 201 2016 Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security Security: : New Front New Frontiers iers Swarup Bhunia Professor Electrical & Computer Engineering SPACE | Dec 2016 1

607 views • 29 slides
Easily programmable secure multi-party computation on integers, strings and floating point

Easily programmable secure multi-party computation on integers, strings and floating point

Easily programmable secure multi-party computation on integers, strings and floating point numbers Dan Bogdanov Sharemind project lead dan@cyber.ee https://sharemind.cyber.ee/ sharemind a machine for fast privacy-preserving computations

643 views • 42 slides
Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi

Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi

Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi Yehuda Lindell Tal Rabin Secure Computation Computation on private inputs without revealing anything but the output Applications :

299 views • 25 slides
New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of

New Directions in Privacy- preserving Machine Learning Kamalika Chaudhuri University of California, San Diego Sensitive Data Medical Records Genetic Data Search Logs AOL Violates Privacy AOL Violates Privacy Netflix Violates Privacy [NS08]

957 views • 92 slides
Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute Hung Dang, Anh Dinh, Ee-Chien Chang, Beng Chin Ooi School of Computing National University of Singapore PETS 2017 Privacy-Preserving Computation with Trusted

477 views • 34 slides
Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No

Preserving the Privacy of Sensitive Relationships in Graph Data Motivation Valuable Data! No privacy breaches! Public Data Anonymization Data representation? Privacy breach? Value of data? Data publisher Privacy Analyst Work by: Elena

80 views • 3 slides
Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes

Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes

Collaborative Privacy Preserving Data Mining in Vertically Partitioned Databases Ehud Gudes Ben-Gurion University, Israel This talk presents joint work with Boris Rozenberg Talk Outline Motivation for Privacy-Preserving Distributed Data

1.48k views • 68 slides
Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong

Privacy preserving data mining randomized response and association rule hiding Li Xiong CS573 Data Privacy and Anonymity Partial slides credit: W. Du, Syracuse University, Y. Gao, Peking University Privacy Preserving Data Mining

659 views • 39 slides
Privacy-preserving statistical analysis Liina Kamm liina@cyber.ee http://sharemind.cyber.ee/

Privacy-preserving statistical analysis Liina Kamm liina@cyber.ee http://sharemind.cyber.ee/

Privacy-preserving statistical analysis Liina Kamm liina@cyber.ee http://sharemind.cyber.ee/ Rmind: a tool for cryptographically secure statistical analysis Dan Bogdanov, Liina Kamm, Sven Laur and Ville Sokk ePrint report 2014/512 Sharemind

526 views • 16 slides
Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My

Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My

Privacy-preserving Biometrics in practice: diffjcult to sell Carmela Troncoso (Gradiant) My experience with biometrics and privacy Academic background on privacy Gradiants goal: transfer of knowledge to industry We bring state of

193 views • 6 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides

More recommend