fast faster privacy preserving ml in secure hardware
play

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves - PowerPoint PPT Presentation

Feb 09, 2024 •803 likes •1.41k views

Fast & Faster Privacy-Preserving ML in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community! Ideal: data providers pool data to train a large, complex

  1. Fast & Faster Privacy-Preserving ML 
 in Secure Hardware Enclaves Nick Hynes, Raymond Cheng, Dawn Song | UC Berkeley & Oasis Labs with support from the TVM team and community!

  2. Ideal: data providers pool data to train a large, complex model

  3. Ideal: data providers pool data to train a large, complex model TransUnion Equifax Experian credit scoring model

  4. Ideal: data providers pool data to train a large, complex model Kaiser Permanente Mass. UCSF Medical General 
 Hospital health diagnosis model

  5. Ideal: data providers pool data to train a large, complex model your neighbor you me truly personal assistant

  6. Reality: data providers are mutually distrusting! data theft inappropriate use non-payment

  7. Solution: providers cooperate via a virtual trusted third party

  8. Secure Computation Techniques Support for practical 
 Performance Security mechanisms ML models Trusted Execution Env. (TEE) Secure hardware Cryptography, Secure multi-party computation distributed trust Cryptography, Zero-knowledge proof local computation Fully homomorphic encryption Cryptography

  9. Secure Enclaves Secure enclave

  10. Secure Enclaves Secure enclave Integrity Confidentiality

  11. Secure Enclaves Secure enclave Remote Attestation Integrity Confidentiality

  12. TEE Implementations • Intel SGX: in your laptop, Azure, Alibaba Cloud, and IBM Cloud

  13. TEE Implementations • Intel SGX: in your laptop, Azure, Alibaba Cloud, and IBM Cloud • Keystone: the first open-source end-to-end secure enclave • runs on RISCV chips and FPGAs • keystone-enclave/keystone

  14. TEE Implementations • Intel SGX: in your laptop, Azure, Alibaba Cloud, and IBM Cloud • Keystone: the first open-source end-to-end secure enclave • runs on RISCV chips and FPGAs • keystone-enclave/keystone • Ginseng: a drop-in enclave framework for FPGA ML accelerators

  15. 1. Privacy-Preserving ML & Secure Enclaves 2. Myelin: Efficient Private ML in CPU Enclaves 3. Ginseng: Accelerated Private ML in FPGA Enclaves 4. Sterling: A Privacy-Preserving Data Marketplace

  16. Myelin: Efficient Private ML in CPU Enclaves dmlc/tvm/apps/sgx 
 dmlc/tvm/rust

  17. Myelin: Efficient Private ML in CPU Enclaves [3] Efficient Per-Example Gradient Computations. Goodfellow. 2015

  18. Step 1: Get the ML in the Enclave

  19. Step 1: Get the ML in the Enclave

  20. Step 1: Get the ML in the Enclave

  21. Step 2: Add Differential Privacy

  22. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy

  23. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data

  24. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data • adds noise so that that model trained on neighboring datasets are indistinguishable

  25. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data • adds noise so that that model trained on neighboring datasets are indistinguishable • slow in standard frameworks

  26. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data • adds noise so that that model trained on neighboring datasets are indistinguishable • slow in standard frameworks

  27. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data add noise • adds noise so that that model trained on neighboring datasets are indistinguishable • slow in standard frameworks

  28. Step 2: Add Differential Privacy • DP offers a strong, formal definition of privacy • privacy risk to any individual is the same whether or not they contributed data add noise • adds noise so that that model trained on neighboring datasets are indistinguishable • slow in standard frameworks

  29. Step 3: Make it Fast Differentially Private SGD 1. compute forward pass for mini-batch of m examples 2. compute per-example gradients 3. rescale each example’s gradient to have unit norm 4. average them up 5. add noise 6. take gradient step

  30. Step 3: Make it Fast Differentially Private SGD 1. compute forward pass for mini-batch of m examples 2. compute per-example gradients 3. rescale each example’s gradient to have unit norm add a pass to fuse these 4. average them up 5. add noise 6. take gradient step

  31. Step 3: Make it Fast Differentially Private SGD 1. compute forward pass for batch of m autograd takes O(m) [4] 
 examples O(1) with custom IR ops 2. compute per-example gradients 3. rescale each example’s gradient to have unit norm 4. average + noise+ gradient step [4] Efficient Per-Example Gradient Computations. Goodfellow. 2015

  32. Step 4: Benchmark Performance on CIFAR-10 1 Myelin Enclave non-private CPU related work Chiron (4 enclaves) [5] 
 VGG-9 (training) 21.3 img/s 27.2 img/s 24.7 img/s ResNet-32 (training) 12.4 img/s 13.6 img/s – Slalom (enclave+GPU) MobileNet (inference) 32.4 img/s – [6] 
 35.7 img/s [5] Chiron: Privacy-preserving machine learning as a service. Hunt, Song, Shokri, Shmatikov, and Witchel. 2018 
 [6] Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware. Tramer and

  33. State of the Art Performance for 
 ML in Single CPU Enclave • but a CPU is a CPU: ½ day to train a ResNet is emotionally unsatisfying • no GPU TEEs (yet), but we can do FPGAs!

  34. 1. Privacy-Preserving ML & Secure Enclaves 2. Myelin: Efficient Private ML in CPU Enclaves 3. Ginseng: Accelerated Private ML in FPGA Enclaves 4. Sterling: A Privacy-Preserving Data Marketplace

  35. Ginseng, the Learning TEE • Main idea: FPGA can be programmed with ML accelerator (VTA) and the components required to make a TEE • memory encryption • key generation • remote attestation • TEEs are general-purpose; ML is very particular 
 We get big efficiency wins from specializing TEE to ML workloads

  36. Ginseng = VTA + Tensor Encryption + Secure OS

  37. Ginseng = VTA + Tensor Encryption + Secure OS • Tensor Encryption Core (TEC) safeguards the tensors in memory • protects entire models’ tensors for virtually no overhead

  38. Ginseng = VTA + Tensor Encryption + Secure OS • Tensor Encryption Core (TEC) safeguards the tensors in memory • protects entire models’ tensors for virtually no overhead • Ginseng Secure OS protects the end-to-end workflow • built atop formally verified components • minimal trusted computing base • side-channel resistant

  39. Ginseng = VTA + Tensor Encryption + Secure OS • Tensor Encryption Core (TEC) safeguards the tensors in memory • protects entire models’ tensors for virtually no overhead • Ginseng Secure OS protects the end-to-end workflow • built atop formally verified components • minimal trusted computing base • side-channel resistant • End result: an end-to-end secure, speedy ML pipeline

  40. Ginseng = VTA + Tensor Encryption + Secure OS

  41. 1. Privacy-Preserving ML & Secure Enclaves 2. Myelin: Efficient Private ML in CPU Enclaves 3. Ginseng: Accelerated Private ML in FPGA Enclaves 3. Sterling: A Privacy-Preserving Data Marketplace

  42. Sterling: A Privacy-Preserving Data Marketplace built on the Oasis blockchain and TVM [1] A Demonstration of Sterling: A Privacy-Preserving Data Marketplace. VLDB 2018. [2] Ekiden: A Platform for Confidentiality-Preserving, Trustworthy, and Performant Smart Contract Execution. 2018

  43. Sterling workflow

  44. Sterling workflow 1. data provider encrypts data and uploads to Oasis blockchain 
 access to data is controlled by a confidential smart contract

  45. Sterling workflow 1. data provider encrypts data and uploads to Oasis blockchain 
 access to data is controlled by a confidential smart contract 2. data consumer uploads a model training smart contract 
 which satisfies constraints of provider contract

  46. Sterling workflow 1. data provider encrypts data and uploads to Oasis blockchain 
 access to data is controlled by a confidential smart contract 2. data consumer uploads a model training smart contract 
 which satisfies constraints of provider contract 3. consumer contract requests data from provider contract 
 sends over payment and credentials

  47. Sterling workflow 1. data provider encrypts data and uploads to Oasis blockchain 
 access to data is controlled by a confidential smart contract 2. data consumer uploads a model training smart contract 
 which satisfies constraints of provider contract 3. consumer contract requests data from provider contract 
 sends over payment and credentials 4. provider contract checks that consumer contract satisfies constraints and sends back data

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM

DPM 2013 Privacy-Preserving Multi-Party Reconciliation Secure in the Malicious Model 8th ACM International Workshop on Data Privacy Management 2013 Georg Neugebauer 1 , Lucas Brutschy 1 , Ulrike Meyer 1 and Susanne Wetzel 2 UMIC LuFG IT-Security,

212 views • 17 slides
Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li

Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li

CS573 Data Privacy and Security Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li Xiong Slides credit: Chris Clifton, Purdue University; Murat Kantarcioglu, UT Dallas Outline Overview Data

901 views • 42 slides
BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith

BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith

BLAZE: BLAZING FAST PRIVACY-PRESERVING MACHINE LEARNING ARPITA PATRA AND AJITH SURESH Ajith Suresh CrIS Lab, IISc https://www.csa.iisc.ac.in/~cris Outline q Secure Multi-party Computation (MPC) q MPC for small number of parties (3PC) q Our

2.46k views • 53 slides
Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management

Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management

KTH ROYAL INSTITUTE OF TECHNOLOGY Secure and Privacy Preserving Vehicular Communication Systems: Identity and Credential Management Infrastructure Mohammad Khodaei Networked Systems Security Group (NSS) November 1, 2016 July 2, 2018

1.03k views • 38 slides
GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving

GNUnet A network protocol stack for building secure, distributed, and privacy-preserving application FOSDEM20 Martin Schanzenbach 2/2/2020 The Internet is under attack The Internet HTTP, Facebook, Google, Libra ... DNS / X.509 TCP /

631 views • 34 slides
Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy

Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy

Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy Technology Development Cybernetica dan@cyber.ee The Sharemind Privacy-preserving Computing Platform Components for Privacy Encrypted Privacy

714 views • 28 slides
Efficient Scheme for Secure and Privacy-Preserving Electric Vehicle Dynamic Charging System IEEE

Efficient Scheme for Secure and Privacy-Preserving Electric Vehicle Dynamic Charging System IEEE

Efficient Scheme for Secure and Privacy-Preserving Electric Vehicle Dynamic Charging System IEEE ICC 2017 Paris, France May 21 - 25, 2017 Presenter: Outline I ntroduction Proposed Scheme Evaluations Conclusion W hat is EV

560 views • 20 slides
Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU

Privacy Preserving Protocols Privacy Preserving Protocols Workshop on Cryptography for the Internet of Things Jens Hermans KU Leuven - COSIC 20 November 2012 Privacy Preserving Protocols Introduction Cryptography in Daily Life RFID Privacy

1.04k views • 60 slides
Design of a Privacy-preserving Document Submission and Grading System Benjamin Greschbach,

Design of a Privacy-preserving Document Submission and Grading System Benjamin Greschbach,

NordSec15 20th Nordic Conference on Secure IT Systems KTH ROYAL INSTITUTE OF TECHNOLOGY STOCKHOLM SWEDEN Design of a Privacy-preserving Document Submission and Grading System Benjamin Greschbach, Guillermo Rodrguez-Cano, Tomas

224 views • 10 slides
CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

9/9/2012 CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven, ESAT/SCD-COSIC CHES 2012 Crypto hardware 9/9/2012 CHES Tutorial: Crypto hardware design 3 1 9/9/2012 Smart card SoC (NXP P60C080)

826 views • 54 slides
Privacy Preserving Data Mining Moheeb Rajab Agenda Overview and Terminology Motivation

Privacy Preserving Data Mining Moheeb Rajab Agenda Overview and Terminology Motivation

Privacy Preserving Data Mining Moheeb Rajab Agenda Overview and Terminology Motivation Active Research Areas Secure Multi-party Computation (SMC) Randomization approach Limitations Summary and Insights Overview

716 views • 53 slides
Efficient Privacy-Preserving Biometric Identification Yan Huang Lior Malka David Evans Jonathan

Efficient Privacy-Preserving Biometric Identification Yan Huang Lior Malka David Evans Jonathan

Efficient Privacy-Preserving Biometric Identification Yan Huang Lior Malka David Evans Jonathan Katz http://www.mightbeevil.org/secure-biometrics/ Feb 9, 2011 Motivating Scenario: Private No-Fly Checking Threat Models Semi-honest adversary

1.4k views • 40 slides
Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro University College London (UCL) https://emilianodc.com Privacy-preserving what ? Parties with limited mutual trust willing or required to share

1.1k views • 66 slides
Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

SP SPACE ACE 201 2016 Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security Security: : New Front New Frontiers iers Swarup Bhunia Professor Electrical & Computer Engineering SPACE | Dec 2016 1

607 views • 29 slides
Easily programmable secure multi-party computation on integers, strings and floating point

Easily programmable secure multi-party computation on integers, strings and floating point

Easily programmable secure multi-party computation on integers, strings and floating point numbers Dan Bogdanov Sharemind project lead dan@cyber.ee https://sharemind.cyber.ee/ sharemind a machine for fast privacy-preserving computations

643 views • 42 slides
Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi

Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi

Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi Yehuda Lindell Tal Rabin Secure Computation Computation on private inputs without revealing anything but the output Applications :

299 views • 25 slides
Ginseng, the Learning TEE Fast, Confidential Machine Learning in FPGA Enclaves Nick Hynes |

Ginseng, the Learning TEE Fast, Confidential Machine Learning in FPGA Enclaves Nick Hynes |

Ginseng, the Learning TEE Fast, Confidential Machine Learning in FPGA Enclaves Nick Hynes | Oasis Labs Id Idea eal : data providers pool data to train a large, complex model Id Idea eal : data providers pool data to train a large, complex

608 views • 13 slides
National Lifespan Respite Conference October 13, 2017 1 Agenda About the Society &

National Lifespan Respite Conference October 13, 2017 1 Agenda About the Society &

National Lifespan Respite Conference October 13, 2017 1 Agenda About the Society & Multiple Sclerosis Societys Advocacy Caregiving Legislation Affordable Care Act & Medicaid Threats 2 About the Society The

392 views • 17 slides
for the Social Sciences (9/22/14) Instructors : Benot, Ewart, Rebecca, Caitie, Kara Topics

for the Social Sciences (9/22/14) Instructors : Benot, Ewart, Rebecca, Caitie, Kara Topics

Psychology 252: Statistical Methods for the Social Sciences (9/22/14) Instructors : Benot, Ewart, Rebecca, Caitie, Kara Topics include: GLM (ANOVA, Regression) and GLMM , or Mixed Models Texts : Howell, Intros to R (the stat package) Handouts

1.33k views • 79 slides
2/24/16 February 24, 2016 Simulation 3 highlights, a. unmyelinated axon MRO

2/24/16 February 24, 2016 Simulation 3 highlights, a. unmyelinated axon MRO

2/24/16 February 24, 2016 Simulation 3 highlights, a. unmyelinated axon MRO Analysis Sim 3 AP conduction Refractory period Intracellular Recording Electrical noise Warming up axon Why

230 views • 4 slides
One year of developments and collaborations around the MinION on the Genomic facility of the

One year of developments and collaborations around the MinION on the Genomic facility of the

One year of developments and collaborations around the MinION on the Genomic facility of the IBENS. Laurent Jourdren (CNRS IBENS) Sophie Lemoine (CNRS IBENS) Brengre Laffay (CNRS IBENS) 13th of December 2017 An on-going

475 views • 22 slides
Ps Psychoneur ychoneuroimmunol oimmunology ogy CNELM Webinar | Leo Pruimboom Contents

Ps Psychoneur ychoneuroimmunol oimmunology ogy CNELM Webinar | Leo Pruimboom Contents

Post Post-Graduate Graduate Co Course urse in in Cl Clinical inical Ps Psychoneur ychoneuroimmunol oimmunology ogy CNELM Webinar | Leo Pruimboom Contents Contents Introductions: CNELM & Natura Foundation What is

610 views • 29 slides
An En-lyte-ening case of osmotic injury Amy Miles, PGY-3 Internal Medicine Nadia Gabarin, PGY-2

An En-lyte-ening case of osmotic injury Amy Miles, PGY-3 Internal Medicine Nadia Gabarin, PGY-2

An En-lyte-ening case of osmotic injury Amy Miles, PGY-3 Internal Medicine Nadia Gabarin, PGY-2 Internal Medicine University of Toronto DISCLOSURES No conflicts of interest to disclose Consent was received from the patient for this

377 views • 26 slides
5/11/2013 None related to this study E. Tabaraee, D. Shearer, C. Ames, S. Burch, V. Deviren, S.

5/11/2013 None related to this study E. Tabaraee, D. Shearer, C. Ames, S. Burch, V. Deviren, S.

5/11/2013 None related to this study E. Tabaraee, D. Shearer, C. Ames, S. Burch, V. Deviren, S. Berven, S. Hu, D. Chou, P. Mummaneni, B. Tay University of California, San Francisco 5/11/2013 Cervical Myelopathy Inc incidence

296 views • 7 slides

More recommend