Security-preserving Support Vector Machine with Fully Homomorphic Encryption

Security-preserving Support Vector Machine with Fully Homomorphic Encryption SaeromPark drsaerompark@gmail.com Seoul National University

1 ; Gwanak-ro, Gwanak-gu 08826 Seoul South Korea

JaeyunKim Seoul National University

1 ; Gwanak-ro, Gwanak-gu 08826 Seoul South Korea

JooheeLee Seoul National University

1 ; Gwanak-ro, Gwanak-gu 08826 Seoul South Korea

JunyoungByun Seoul National University

1 ; Gwanak-ro, Gwanak-gu 08826 Seoul South Korea

JungHeeCheon Seoul National University

1 ; Gwanak-ro, Gwanak-gu 08826 Seoul South Korea

JaewookLee jaewook@snu.ac.kr Seoul National University

1 ; Gwanak-ro, Gwanak-gu 08826 Seoul South Korea

Security-preserving Support Vector Machine with Fully Homomorphic Encryption BD57BE4F5EF5C4B3447558278A6E0110 GROBID - A machine learning software for extracting information from scholarly documents

Recently, security issues have become more and more important to apply machine learning models to a real-world problem. It is necessary to preserve the data privacy for using sensitive data and to protect the information of a trained model for defending the intentional attacks. In this paper, we want to propose a security-preserving learning framework using fully homomorphic encryption for support vector machine model. Our approach aims to train the model on encrypted domain to preserve data and model privacy with the reduced communication between the servers. The proposed procedure includes our protocol, data structure and homomorphic evaluation.

As machine learning models have been effectively applied to various real-world problems, collecting data from various sources became crucial for many service providers (Park, Hah, and Lee 2017). In this situation, privacy issues have become a major problem in the learning society. Therefore, it is necessary to preserve the privacy of the data and the security of the learning process without compromising the performance of the learning algorithms.

Homomorphic encryption (HE) enables computations on encrypted data (ciphertext) which are equivalent to operations on decrypted data (plaintext) (Gentry 2009). In recent years, privacy-preserving machine learning applications have developed, but they have high computational cost and huge memory burden. Cheon et al. developed a homomorphic encryption scheme for approximate arithmetic (HEAAN) (Cheon et al. 2017).

Support vector machine (SVM) is one of the most effective machine learning algorithms for classification (Cortes and Vapnik 1995). The training data and the model parameters should be protected to apply the SVM model to the security-preserving scenario. Therefore, in this paper, we propose the implementation for the training phase of the SVM classifier on the encrypted domain with the HEAAN scheme.

Design Components Fully Homomorphic Encryption

Fully homomorphic encryption (FHE) is a cryptographic scheme which aims to enable homomorphic operations such Copyright held by authors as additions and multiplications on encrypted data. Recently, HEAAN scheme (Cheon et al. 2017) was developed to carry out approximate computations efficiently.

For the (leveled) HEAAN of depth L, we set the parameters such as a power of two M , integers p, q 0 , q L = p L • q 0 , h and P , and a real σ for λ-bit security. The specifications of the algorithm are as follows.

(pk, sk, evk) ← KeyGen(1 λ ) -c ←Encrypt(pk, m): Sample r ∈ R 2 and e 0 , e 1 ← DG q L (σ 2 ). Output c ← r • pk + (m + e 0 , e 1 ) ∈ R 2 q L . -m ←Decrypt(sk, c = (c 0 , c 1 )): Output m ← c 0 + c 1 • s mod q . -c add ←Add( c 1 , c 2 ): Output c add ← c 1 + c 2 mod q . -c mult ←Mult( c 1 , c 2 ): Set c 1 = (b 1 , a 1 ) and c 2 = (b 2 , a 2 ). Let (d 0 , d 1 , d 2 ) ← (b 1 •b 2 , a 1 •b 2 +a 2 •b 1 , a 1 •a 2 ) ∈ R 3 q . Out- put c mult ← (d 0 , d 1 ) + 1 P • (d 2 • evk (mod P • q )) ∈ R 2 q . -c ←Rescaling → ( c): For a level ciphertext c, output c ← q q • c ∈ R 2

q at level . For more details, we recommend to see (Cheon et al. 2017).

Least Square Support Vector Machine

The SVM aims to find the maximum margin hyperplane, given the training examples {(x 1 , y 1 ), ...,

(x n , y n )} ⊂ R d × {−1, 1}.

To train the SVM model over encrypted data, we used a nonlinear least-square SVM with a basis function φ(x) : R d → R l that minimizes the following optimization problem (Suykens and Vandewalle 1999):

min w,b,ei 1 n n i=1 e i + λ w 2 (1) s.t. y i [w • φ(x i ) + b] = 1 − e i , ∀i = 1, . . . , n,

where w ∈ R l . To solve the problem (1), we construct the Lagrangian function:

L(w, b, e, α) = λ w 2 + 1 n n i=1 e 2 i − n i=1 α i {[w•φ(x i )+b]+e i −1}.

With the optimality conditions of the Lagrangian function, the following linear system is obtained by removing w and e:

Ab = 0 y T y Ω + λI n b α = 0 1 n = 1 (2)

where Ω ∈ R (n+1)×(n+1) s.t. Ω i,j = k(x i , x j ). We introduce an additional least square problem with gradient descent method for the system (2), which convergence can be

A = ( 1 y 1 y T ) 0 1 T 1 Ω + η 0 0 T 0 I n (3)

where represents a Hadmard product. By Schur product theorem, the first term becomes PSD with Mercer kernel. Therefore, the linear system (2) is well-posed with some η > 0, and the convergence of iterative method can be gauranteed. With these design components, the intermediate dycryptions for training the SVM model can be reduced.

Implementation

In this paper, we propose a protocol which can reduce the communication to construct kernel matrix and to learn the model parameters with FHE operations. Figure 1 illustrates the whole procedure of our protocol which secures serverside and data provider-side information because all operations can be performed on encrypted domain.

Data Structure

As mentioned previously, we first compute the kernel matrix from the encrypted data. For simplicity, we assume that the kernel matrix is encrypted as a ciphertext. We want to build a parallelizable procedure because of computational cost and large memory of ciphertext. The HEAAN scheme supports slot-wise operation over ciphertext, so the operations of matrices should be replaced with addition and Hadmard product. We propose data structure for calculating the inner product matrix. Assume that Z ∈ R n×d and ZZ T , Ẑj ∈ R n×n .

ZZ T = Ẑ1 ẐT 1 + • • • + Ẑd ẐT d , Z =    z 11 • • • z 1d . . . . . . . . . z n1 • • • z nd    , Ẑj =    z 1j z 2j • • • z nj . . . . . . . . . . . . z 1j z 2j • • • z nj    .

The multiplication of cihpertexts in this operation can be performed on d different machines in parallel.

Secure-Preserving Iterative Training

In this study, to efficiently implement the gradient descent method, we utilize the symmetricity of the matrix (3) in

Comparison

Our procedure replaces the dual convex optimization with numerical gradient descent to implement the securitypreserving LSSVM. To illustrate the result of this replacement, we compare the classification performances with RBF and polynomial kernels for some real datasets used in (Suykens and Vandewalle 1999). Table 1 shows that the replacement does not severely affect the performances. From this results, we can expect to develop a secure-preserving SVM without compromising the performance.

Conclusion

In this paper, we present a new framework to train the LSSVM model using HEAAN. This framework includes protocol, data structure and secure-preserving iterative training procedure. Our method considers the reduction of computational cost and memory burden that are the common problem for the application of HE scheme. The proposed solution can be helpful to show the potential for the practical utilization of machine learning models without concerns on security and privacy issues.

Figure 1 :1Figure 1: Our procedure with protocol

Table 1 :1Classification accuracy for real datasets matrix multiplication. To learn b, the updated equation is b k+1 = b k − αA T (Ab k − 1). Matrix-vector multiplication on the encrypted domain is efficiently implemented by rotating the slots. We used pre-computed A T A by using the symmetric property instead of two matrix-vector multiplications per iteration. Therefore, the resulting update equation is b k+2 = Mb k − c, where M = (I − αA T A) 2 and c = ((1 + α)I − αA T A)A T b are pre-computed.

Acknowledgement

This work was supported in part by NRF of Korea grants No. 2018R1D1A1A02085851, 2016R1A2B3014030 and 2017R1A5A1015626.

Homomorphic encryption for arithmetic of approximate numbers Cheon ASIACRYPT 2017 Springer 2017. 2017. 1995. 2009 20 Stanford University Support-vector networks. Gentry 2009. A fully homomorphic encryption scheme. Ph.D. Dissertation Inductive ensemble clustering using kernel support matching HahPark LeePark SHah JLee J Electronics Letters 53 25 2017 Least squares support vector machine classifiers Vandewalle ;Suykens JASuykens JVandewalle Neural processing letters 9 3 1999. 1999