A Scalable Approach for Privacy-Preserving Collaborative Machine Learning

11/03/2020 ∙ by Jinhyun So, et al. ∙ University of Southern California University of California, Riverside 0

We consider a collaborative learning scenario in which multiple data-owners wish to jointly train a logistic regression model, while keeping their individual datasets private from the other parties. We propose COPML, a fully-decentralized training framework that achieves scalability and privacy-protection simultaneously. The key idea of COPML is to securely encode the individual datasets to distribute the computation load effectively across many parties and to perform the training computations as well as the model updates in a distributed manner on the securely encoded data. We provide the privacy analysis of COPML and prove its convergence. Furthermore, we experimentally demonstrate that COPML can achieve significant speedup in training over the benchmark protocols. Our protocol provides strong statistical privacy guarantees against colluding parties (adversaries) with unbounded computational power, while achieving up to 16× speedup in the training time against the benchmark protocols.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Machine learning applications can achieve significant performance gains by training on large volumes of data. In many applications, the training data is distributed across multiple data-owners, such as patient records at multiple medical institutions, and furthermore contains sensitive information, e.g., genetic information, financial transactions, and geolocation information. Such settings give rise to the following key problem that is the focus of this paper: How can multiple data-owners jointly train a machine learning model while keeping their individual datasets private from the other parties?

More specifically, we consider a distributed learning scenario in which data-owners (clients) wish to train a logistic regression model jointly without revealing information about their individual datasets to the other parties, even if up to out of clients collude. Our focus is on the semi-honest adversary setup, where the corrupted parties follow the protocol but may leak information in an attempt to learn the training dataset. To address this challenge, we propose a novel framework, COPML111COPML stands for collaborative privacy-preserving machine learning., that enables fast and privacy-preserving training by leveraging information and coding theory principles. COPML has three salient features:

  • [leftmargin=0.4cm]

  • speeds up the training time significantly, by distributing the computation load effectively across a large number of parties,

  • advances the state-of-the-art privacy-preserving training setups by scaling to a large number of parties, as it can distribute the computation load effectively as more parties are added in the system,

  • utilizes coding theory principles to secret share the dataset and model parameters which can significantly reduce the communication overhead and the complexity of distributed training.

At a high level, COPML can be described as follows. Initially, the clients secret share their individual datasets with the other parties, after which they carry out a secure multi-party computing (MPC) protocol to encode the dataset. This encoding operation transforms the dataset into a coded form that enables faster training and simultaneously guarantees privacy (in an information-theoretic sense). Training is performed over the encoded data via gradient descent. The parties perform the computations over the encoded data as if they were computing over the uncoded dataset. That is, the structure of the computations are the same for computing over the uncoded dataset versus computing over the encoded dataset. At the end of training, each client should only learn the final model, and no information should be leaked (in an information-theoretic sense) about the individual datasets or the intermediate model parameters, beyond the final model.

We characterize the theoretical performance guarantees of COPML, in terms of convergence, scalability, and privacy protection. Our analysis identifies a trade-off between privacy and parallelization, such that, each additional client can be utilized either for more privacy, by protecting against a larger number of collusions , or more parallelization, by reducing the computation load at each client. Furthermore, we empirically demonstrate the performance of COPML by comparing it with cryptographic benchmarks based on secure multi-party computing (MPC) [1, 2, 3, 4], that can also be applied to enable privacy-preserving machine learning tasks (e.g. see [5, 6, 7, 8, 9, 10, 11, 12]). Given our focus on information-theoretic privacy, the most relevant MPC-based schemes for empirical comparison are the protocols from [2] and [3, 4] based on Shamir’s secret sharing [13]. While several more recent works have considered MPC-based learning setups with information-theoretic privacy [11, 12], their constructions are limited to three or four parties.

We run extensive experiments over the Amazon EC2 cloud platform to empirically demonstrate the performance of COPML. We train a logistic regression model for image classification over the CIFAR-10 

[14] and GISETTE [15] datasets. The training computations are distributed to up to parties. We demonstrate that COPML can provide significant speedup in the training time against the state-of-the-art MPC baseline (up to ), while providing comparable accuracy to conventional logistic regression. This is primarily due to the parallelization gain provided by our system, which can distribute the workload effectively across many parties.

Other related works. Other than MPC-based setups, one can consider two notable approaches. The first one is Homomorphic Encryption (HE) [16], which enables computations on encrypted data, and has been applied to privacy-preserving machine learning  [17, 18, 19, 20, 21, 22, 23, 24]. The privacy protection of HE depends on the size of the encrypted data, and computing in the encrypted domain is computationally intensive. The second approach is differential privacy (DP), which is a noisy release mechanism to protect the privacy of personally identifiable information. The main application of DP in machine learning is when the model is to be released publicly after training, so that individual data points cannot be backtracked from the released model [25, 26, 27, 28, 29, 30, 31]. On the other hand, our focus is on ensuring privacy during training, while preserving the accuracy of the model.

Ii Problem Setting

We consider a collaborative learning scenario in which the training dataset is distributed across clients. Client holds an individual dataset denoted by a matrix consisting of data points with

features, and the corresponding labels are given by a vector

. The overall dataset is denoted by consisting of data points with features, and corresponding labels , which consists of individual datasets each one belonging to a different client. The clients wish to jointly train a logistic regression model over the training set with labels

, by minimizing a cross entropy loss function,



is the probability of label

being equal to , is the row of matrix , and

denotes the sigmoid function

. The training is performed through gradient descent, by updating the model parameters in the opposite direction of the gradient,


where is the gradient for (1),

holds the estimated parameters from iteration

, is the learning rate, and function acts element-wise over the vector .

During training, the clients wish to protect the privacy of their individual datasets from other clients, even if up to of them collude, where is the privacy parameter of the system. There is no trusted party who can collect the datasets in the clear and perform the training. Hence, the training protocol should preserve the privacy of the individual datasets against any collusions between up to adversarial clients. More specifically, this condition states that the adversarial clients should not learn any information about the datasets of the benign clients beyond what can already be inferred from the adversaries’ own datasets.

To do so, client initially secret shares its individual dataset and with the other parties. Next, clients carry out a secure MPC protocol to encode the dataset by using the received secret shares. In this phase, the dataset is first partitioned into submatrices for some . Parameter characterizes the computation load at each client. Specifically, our system ensures that the computation load (in terms of gradient computations) at each client is equal to processing only of the entire dataset . The clients then encode the dataset by combining the submatrices together with some randomness to preserve privacy. At the end of this phase, client learns an encoded dataset , whose size is equal to of the dataset . This process is only performed once for the dataset .

Fig. 1: The multi-client distributed training setup with clients. Client holds a dataset with labels . At the beginning of training, client secret shares and to guarantee their information-theoretic privacy against any collusions between up to clients. The secret share of and assigned from client to client is represented by and , respectively.

At each iteration of training, clients also encode the current estimation of the model parameters using a secure MPC protocol, after which client obtains the encoded model . Client then computes a local gradient over the encoded dataset and encoded model . After this step, clients carry out another secure MPC protocol to decode the gradient and update the model according to (2). As the decoding and model updates are performed using a secure MPC protocol, clients do not learn any information about the actual gradients or the updated model. In particular, client only learns a secret share of the updated model, denoted by . Using the secret shares , clients encode the model for the next iteration, after which client learns an encoded model . Figure 1 demonstrates our system architecture.

Iii The COPML Framework

COPML consists of four main phases: quantization; encoding and secret sharing; polynomial approximation; decoding and model update, as demonstrated in Figure 2. In the first phase, quantization, each client converts its own dataset from the real domain to finite field. In the second phase, clients create a secret share of their quantized datasets and carry out a secure MPC protocol to encode the datasets. At each iteration, clients also encode and create a secret share of the model parameters. In the third phase, clients perform local gradient computations over the encoded datasets and encoded model parameters by approximating the sigmoid function with a polynomial. Then, in the last phase, clients decode the local computations and update the model parameters using a secure MPC protocol. This process is repeated until the convergence of the model parameters.

Fig. 2: Flowchart of COPML.

Phase 1: Quantization. Computations involving secure MPC protocols are bound to finite field operations, which requires the representation of real-valued data points in a finite field . To do so, each client initially quantizes its dataset from the real domain to the domain of integers, and then embeds it in a field of integers modulo a prime . Parameter is selected to be sufficiently large to avoid wrap-around in computations. For example, in a -bit implementation with the CIFAR-10 dataset, we select . The details of the quantization phase are provided in Appendix A-A.

Phase 2: Encoding and secret sharing. In this phase, client creates a secret share of its quantized dataset designated for each client (including client itself). The secret shares are constructed via Shamir’s secret sharing with threshold [13], to protect the privacy of the individual datasets against any collusions between up to clients. To do so, client creates a random polynomial, where for

are i.i.d. uniformly distributed random matrices, and selects

distinct evaluation points from . Then, client sends client a secret share of its dataset . Client also sends a secret share of its labels to client , denoted by . Finally, the model is initialized randomly within a secure MPC protocol between the clients, and at the end client obtains a secret share of the initial model .

After obtaining the secret shares for , clients encode the dataset using a secure MPC protocol and transform it into a coded form, which speeds up the training by distributing the computation load of gradient evaluations across the clients. Our encoding strategy utilizes Lagrange coding from [32]222Encoding of Lagrange coded computing is the same as a packed secret sharing [33]. , which has been applied to other problems such as privacy-preserving offloading of a training task [34] and secure federated learning [35]. However, we encode (and later decode) the secret shares of the datasets and not their true values. Therefore, clients do not learn any information about the true value of the dataset during the encoding-decoding process.

The individual steps of the encoding process are as follows. Initially, the dataset is partitioned into submatrices where for . To do so, client locally concatenates for and partitions it into parts, for . Since this operation is done over the secret shares, clients do not learn any information about the original dataset . Parameter quantifies the computation load at each client, as will be discussed in Section IV.

The clients agree on distinct elements and distinct elements  from such that . Client

then encodes the dataset using a Lagrange interpolation polynomial

with degree at most ,


where for and . The matrices are generated uniformly at random333The random parameters can be generated by a crypto-service provider in an offline manner, or by using pseudo-random secret sharing [36]. from  and is the secret share of at client . is the secret share of at client . Client  then computes and sends to client . Upon receiving , client can recover the encoded matrix .444In fact, gathering only secret shares is sufficient to recover , due to the construction of Shamir’s secret sharing [13]. Using this fact, one can speed up the execution by dividing the clients into subgroups of and performing the encoding locally within each subgroup. We utilize this property in our experiments. The role of ’s are to mask the dataset so that the encoded matrices reveal no information about the dataset , even if up to clients collude, as detailed in Section IV.

Using the secret shares and , clients also compute using a secure multiplication protocol (see Appendix A-C for details). At the end of this step, clients learn a secret share of , which we denote by for client .

At iteration , client initially holds a secret share of the current model, , and then encodes the model via a Lagrange interpolation polynomial with degree at most ,


where for and . The vectors are generated uniformly at random from . Client  then sends to client . Upon receiving , client recovers the encoded model .

Phase 3: Polynomial Approximation and Local Computations. Lagrange encoding can be used to compute polynomial functions only, whereas the gradient computations in (2) are not polynomial operations due to the sigmoid function. To this end, we approximate the sigmoid with a polynomial,


where and represent the degree and coefficients of the polynomial, respectively. The coefficients are evaluated by fitting the sigmoid to the polynomial function via least squares estimation. Using this polynomial approximation, we rewrite the model update from (2) as,


Client then locally computes the gradient over the encoded dataset, by evaluating a function,


and secret shares the result with the other clients, by sending a secret share of (7), , to client . At the end of this step, client holds the secret shares corresponding to the local computations from clients . Note that (7) is a polynomial function evaluation in the finite field arithmetic and the degree of function is .

Phase 4: Decoding and Model Update. In this phase, clients perform the decoding of the gradient using a secure MPC protocol, through polynomial interpolation over the secret shares . The minimum number of clients needed for the decoding operation to be successful, which we call the recovery threshold of the protocol, is equal to . In order to show this, we first note that, from the definition of Lagrange polynomials in (3) and (4), one can define a univariate polynomial such that


for . Moreover, from (7), we know that client performs the following computation,


The decoding process is based on the intuition that, the computations from (9) can be used as evaluation points to interpolate the polynomial . Since the degree of the polynomial is , all of its coefficients can be determined as long as there are at least evaluation points available. After is recovered, the computation results in (8) correspond to for .

Our decoding operation corresponds to a finite-field polynomial interpolation problem. More specifically, upon receiving the secret shares of the local computations from at least clients, client locally computes


for , where denotes the set of the fastest clients who send their secret share to client .

After this step, client locally aggregates its secret shares to compute , which in turn is a secret share of since,


Let denote the secret share of (11) at client . Client then computes , which in turn is a secret share of the gradient . Since the decoding operations are carried out using the secret shares, at the end of the decoding process, the clients only learn a secret share of the gradient and not its true value.

Next, clients update the model according to (6) using a secure MPC protocol, using the secret shared model and the secret share of the gradient . A major challenge in performing the model update in (6) in the finite field is the multiplication with parameter , where . In order to perform this operation in the finite field, one potential approach is to treat it as a computation on integer numbers and preserve full accuracy of the results. This in turn requires a very large field size as the range of results grows exponentially with the number of multiplications, which becomes quickly impractical as the number of iterations increase [7]. Instead, we address this problem by leveraging the secure truncation technique from [37]. This protocol takes secret shares of a variable as input as well as two public integer parameters and such that and . The protocol then returns the secret shares for such that where is a random bit with probability . Accordingly, the protocol rounds to the closest integer with probability , with being the distance between and that integer. The truncation operation ensures that the range of the updated model always stays within the range of the finite field.

Since the model update is carried out using a secure MPC protocol, at the end of this step, client learns only a secret share of the updated model , and not its actual value. In the next iteration, using , client locally computes from (4) and sends it to client . Client then recovers the encoded model , which is used to compute (7).

The implementation details of the MPC protocols are provided in Appendix A-C. The overall algorithm for COPML is presented in Appendix A-E.

Iv Convergence and Privacy Guarantees

Consider the cost function in (1) with the quantized dataset, and denote as the optimal model parameters that minimize (1). In this subsection, we prove that COPML guarantees convergence to the optimal model parameters (i.e., ) while maintaining the privacy of the dataset against colluding clients. This result is stated in the following theorem.

Theorem 1.

For training a logistic regression model in a distributed system with clients using the quantized dataset , initial model parameters , and constant step size (where ), COPML guarantees convergence,


in iterations, for any , where is the degree of the polynomial in (5) and

is the variance of the quantization error of the secure truncation protocol.


The proof of Theorem 1 is presented in Appendix A-B. ∎

As for the privacy guarantees, COPML protects the statistical privacy of the individual dataset of each client against up to colluding adversarial clients, even if the adversaries have unbounded computational power. The privacy protection of COPML follows from the fact that all building blocks of the algorithm guarantees either (strong) information-theoretic privacy or statistical privacy of the individual datasets against any collusions between up to clients. Information-theoretic privacy of Lagrange coding against colluding clients follows from [32]. Moreover, encoding, decoding, and model update operations are carried out in a secure MPC protocol that protects the information-theoretic privacy of the corresponding computations against colluding clients [2, 3, 4]. Finally, the (statistical) privacy guarantees of the truncation protocol follows from [37].

Remark 1.

(Privacy-parallelization trade-off) Theorem 1 reveals an important trade-off between privacy and parallelization in COPML. Parameter reflects the amount of parallelization. In particular, the size of the encoded matrix at each client is equal to of the size of . Since each client computes the gradient over the encoded dataset, the computation load at each client is proportional to processing of the entire dataset. As increases, the computation load at each client decreases. Parameter reflects the privacy threshold of COPML. In a distributed system with clients, COPML can achieve any and as long as . Moreover, as the number of clients increases, parallelization () and privacy () thresholds of COPML can also increase linearly, providing a scalable solution. The motivation behind the encoding process is to distribute the load of the computationally-intensive gradient evaluations across multiple clients (enabling parallelization), and to protect the privacy of the dataset.

Remark 2.

Theorem 1

also holds for the simpler linear regression problem.

V Experiments

(a) CIFAR-10 (for accuracy )
(b) GISETTE (for accuracy )
Fig. 3: Performance gain of COPML over the MPC baseline ([BH08] from [3]). The plot shows the total training time for different number of clients with iterations.

We demonstrate the performance of COPML compared to conventional MPC baselines by examining two properties, accuracy and performance gain, in terms of the training time on the Amazon EC2 Cloud Platform.

V-a Experiment setup

Setup. We train a logistic regression model for binary image classification on the CIFAR-10 [14] and GISETTE [15] datasets, whose size is and , respectively. The dataset is distributed evenly across the clients. The clients initially secret share their individual datasets with the other clients.555This can be done offline as it is an identical one-time operation for both MPC baselines and COPML. Computations are carried out on Amazon EC2 m3.xlarge machine instances. We run the experiments in a WAN setting with an average bandwidth of . Communication between clients is implemented using the MPI4Py [38] interface on Python.

Implemented schemes. We implement four schemes for performance evaluation. For COPML, we consider two set of key parameters to investigate the trade-off between parallelization and privacy. For the baselines, we apply two conventional MPC protocols (based on [2] and [3]) to our multi-client problem setting.666As described in the Section I, there is no prior work at our scale (beyond 3-4 parties), hence we implement two baselines based on well-known MPC protocols which are also the first implementations at our scale.

  1. [leftmargin=0.6cm]

  2. COPML. In COPML, MPC is utilized to enable secure encoding and decoding for Lagrange coding. The gradient computations are then carried out using the Lagrange encoded data. We determine (privacy threshold) and (amount of parallelization) in COPML as follows. Initially, we have from Theorem 1 that these parameters must satisfy for our framework. Next, we have considered both and for the degree of the polynomial approximation of the sigmoid function and observed that the degree one approximation achieves good accuracy, as we demonstrate later. Given our choice of , we then consider two setups:

    Case 1: (Maximum parallelization gain) Allocate all resources to parallelization (fastest training), by letting and ,

    Case 2: (Equal parallelization and privacy gain) Split resources almost equally between parallelization and privacy, i.e., .

  3. Baseline protocols. We implement two conventional MPC protocols (based on [2] and [3]). In a naive implementation of these protocols, each client would secret share its local dataset with the entire set of clients, and the gradient computations would be performed over the secret shared data whose size is as large as the entire dataset, which leads to a significant computational overhead. For a fair comparison with COPML, we speed up the baseline protocols by partitioning the clients into three groups, and assigning each group one third of the entire dataset. Hence, the total amount of data processed at each client is equal to one third of the size of the entire dataset, which significantly reduces the total training time while providing a privacy threshold of , which is the same privacy threshold as Case 2 of COPML. The details of these implementations are presented in Appendix A-D.

In all schemes, we apply the MPC truncation protocol from Section III to carry out the multiplication with during model updates, by choosing and for the CIFAR-10 and GISETTE datasets, respectively.

(a) CIFAR-10 dataset for binary classification between plain and car images (using samples for the training set and samples for the test set).
(b) GISETTE dataset for binary classification between digits and (using samples for the training set and samples for the test set).
Fig. 4: Comparison of the accuracy of COPML (demonstrated for Case 2 and clients) vs conventional logistic regression that uses the sigmoid function without quantization.

V-B Performance evaluation

Protocol Comp. Comm. Enc/Dec Total run
time (s) time (s) time (s) time (s)
MPC using [BGW88] 918 21142 324 22384
MPC using [BH08] 914 6812 189 7915
COPML (Case 1) 141 284 15 440
COPML (Case 2) 240 654 22 916
TABLE I: Breakdown of the running time with clients.

Training time. In the first set of experiments, we measure the training time. Our results are demonstrated in Figure 3, which shows the comparison of COPML with the protocol from [3], as we have found it to be the faster of the two baselines. Figures 3(a) and 3(b) demonstrate that COPML provides substantial speedup over the MPC baseline, in particular, up to and with the CIFAR-10 and GISETTE datasets, respectively, while providing the same privacy threshold . We observe that a higher amount of speedup is achieved as the dimension of the dataset becomes larger (CIFAR-10 vs. GISETTE datasets), suggesting COPML to be well-suited for data-intensive distributed training tasks where parallelization is essential.

To further investigate the gain of COPML, in Table I we present the breakdown of the total running time with the CIFAR-10 dataset for clients. We observe that COPML provides times speedup for the computation time of matrix multiplication in (7), which is given in the first column. This is due to the fact that, in the baseline protocols, the size of the data processed at each client is one third of the entire dataset, while in COPML it is of the entire dataset. This reduces the computational overhead of each client while computing matrix multiplications. Moreover, COPML provides significant improvement in the communication, encoding, and decoding time. This is because the two baseline protocols require intensive communication and computation to carry out a degree reduction step for secure multiplication (encoding and decoding for additional secret shares), which is detailed in Appendix A-C. In contrast, COPML only requires secure addition and multiplication-by-a-constant operations for encoding and decoding. These operations require no communication. In addition, the communication, encoding, and decoding overheads of each client are also reduced due to the fact that the size of the data processed at each client is only of the entire dataset.

Accuracy. We finally examine the accuracy of COPML. Figures 4(a) and 4(b) demonstrate that COPML with degree one polynomial approximation provides comparable test accuracy to conventional logistic regression. For the CIFAR-10 dataset in Figure 4(a), the accuracy of COPML and conventional logistic regression are and , respectively, in iterations. For the GISETTE dataset in Figure 4(b), the accuracy of COPML and conventional logistic regression have the same value of in 50 iterations. Hence, COPML has comparable accuracy to conventional logistic regression while also being privacy preserving.

Communication Computation Encoding
TABLE II: Complexity summary of COPML.

V-C Complexity Analysis

In this section, we analyze the asymptotic complexity of each client in COPML with respect to the number of users , model dimension , number of data points , parallelization parameter , privacy parameter , and total number of iterations . Client ’s communication cost can be broken to three parts: 1) sending the secret shares in (3) to client , 2) sending the secret shares in (4) to client for , and 3) sending the secret share of local computation in (7) to client for . The communication cost of the three parts are , , and , respectively. Therefore, the overall communication cost of each client is . User ’s computation cost of encoding can be broken into two parts, encoding the dataset by using (3) and encoding the model by using (4). The encoded dataset from (3) is a weighted sum of matrices where each matrix belongs to . As there are encoded dataset and each encoded dataset requires a computation cost of , the computation cost of encoding the dataset is in total. Similarly, computation cost of encoding from (4) is . Computation cost of client to compute , the dominant part of local computation in (7), is . We summarize the asymptotic complexity of each client in Table II.

When we set and (Case 2), increasing has two major impacts on the training time: 1) reducing the computation per worker by choosing a larger , 2) increasing the encoding time. In this case, as is typically much larger than other parameters, dominate terms in communication, computation, and encoding cost are , and , respectively. For small datasets, i.e., when the computation load at each worker is very small, the gain from increasing the number of workers beyond a certain point may be minimal and system may saturate, as encoding may dominate the computation. This is the reason that a higher amount of speedup of training time is achieved as the dimension of the dataset becomes larger.

Vi Conclusions

We considered a collaborative learning scenario in which multiple data-owners jointly train a logistic regression model without revealing their individual datasets to the other parties. To the best of our knowledge, even for the simple logistic regression, COPML is the first fully-decentralized training framework to scale beyond 3-4 parties while achieving information-theoretic privacy. Extending COPML to more complicated (deeper) models is a very interesting future direction. An MPC-friendly (i.e., polynomial) activation function is proposed in

[7] which approximates the softmax and shows that the accuracy of the resulting models is very close to those trained using the original functions. We expect to achieve a similar performance gain even in those setups, since COPML can similarly be leveraged to efficiently parallelize the MPC computations.

Broader Impact

Our framework has the societal benefit of protecting user privacy in collaborative machine learning applications, where multiple data-owners can jointly train machine learning models without revealing information about their individual datasets to the other parties, even if some parties collude with each other. Collaboration can significantly improve the accuracy of trained machine learning models, compared to training over individual datasets only. This is especially important in applications where data labelling is costly and can take a long time, such as data collected and labeled in medical fields. For instance, by using our framework, multiple medical institutions can collaborate to train a logistic regression model jointly, without revealing the privacy of their datasets to the other parties, which may contain sensitive patient healthcare records or genetic information. Our framework can scale to a significantly larger number of users compared to the benchmark protocols, and can be applied to any field in which the datasets contain sensitive information, such as healthcare records, financial transactions, or geolocation data. In such applications, protecting the privacy of sensitive information is critical and failure to do so can result in serious societal, ethical, and legal consequences. Our framework can provide both application developers and users with positive societal consequences, application developers can provide better user experience with better models as the volume and diversity of data will be increased greatly, and at the same time, users will have their sensitive information kept private. Another benefit of our framework is that it provides strong privacy guarantees that is independent from the computational power of the adversaries. Therefore, our framework keeps the sensitive user information safe even if adversaries gain quantum computing capabilities in the future.

A potential limitation of our framework is that our current training framework is bound to polynomial operations. In order to compute functions that are not polynomials, such as the sigmoid function, we utilize a polynomial approximation. This can pose a challenge in the future for applying our framework to deep neural network models, as the approximation error may add up at each layer. In such scenarios, one may need to develop additional techniques to better handle the non-linearities and approximation errors.


This material is based upon work supported by Defense Advanced Research Projects Agency (DARPA) under Contract No. HR001117C0053, ARO award W911NF1810400, NSF grants CCF-1703575 and CCF-1763673, ONR Award No. N00014-16-1-2189, and research gifts from Intel and Facebook. The views, opinions, and/or findings expressed are those of the author(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.


  • [1] Andrew C Yao. Protocols for secure computations. In IEEE Symp. on Foundations of Computer Science, pages 160–164, 1982.
  • [2] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In ACM Symp. on Th. of Comp., pages 1–10, 1988.
  • [3] Zuzana Beerliová-Trubíniová and Martin Hirt. Perfectly-secure MPC with linear communication complexity. In Theory of Cryptography Conference, pages 213–230. Springer, 2008.
  • [4] Ivan Damgård and Jesper Buus Nielsen. Scalable and unconditionally secure multiparty computation. In Annual International Cryptology Conference, pages 572–590. Springer, 2007.
  • [5] Valeria Nikolaenko, Udi Weinsberg, Stratis Ioannidis, Marc Joye, Dan Boneh, and Nina Taft.

    Privacy-preserving ridge regression on hundreds of millions of records.

    In IEEE Symposium on Security and Privacy, pages 334–348, 2013.
  • [6] Adrià Gascón, Phillipp Schoppmann, Borja Balle, Mariana Raykova, Jack Doerner, Samee Zahur, and David Evans.

    Privacy-preserving distributed linear regression on high-dimensional data.

    Proceedings on Privacy Enhancing Tech., 2017(4):345–364, 2017.
  • [7] Payman Mohassel and Yupeng Zhang. SecureML: A system for scalable privacy-preserving machine learning. In 38th IEEE Symposium on Security and Privacy, pages 19–38. IEEE, 2017.
  • [8] Yehuda Lindell and Benny Pinkas. Privacy preserving data mining. In Int. Cryptology Conf., pages 36–54. Springer, 2000.
  • [9] Morten Dahl, Jason Mancuso, Yann Dupis, Ben Decoste, Morgan Giraud, Ian Livingstone, Justin Patriquin, and Gavin Uhma. Private machine learning in TensorFlow using secure computation. arXiv:1810.08130, 2018.
  • [10] Valerie Chen, Valerio Pastro, and Mariana Raykova. Secure computation for machine learning with SPDZ. arXiv:1901.00329, 2019.
  • [11] Sameer Wagh, Divya Gupta, and Nishanth Chandran. Securenn: 3-party secure computation for neural network training. Proceedings on Privacy Enhancing Technologies, 2019(3):26–49, 2019.
  • [12] Payman Mohassel and Peter Rindal. ABY 3: A mixed protocol framework for machine learning. In ACM SIGSAC Conference on Computer and Communications Security, pages 35–52, 2018.
  • [13] Adi Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
  • [14] Alex Krizhevsky and Geoffrey Hinton. Learning multiple layers of features from tiny images.

    Technical report, Citeseer, 2009.

  • [15] Isabelle Guyon, Steve Gunn, Asa Ben-Hur, and Gideon Dror.

    Result analysis of the nips 2003 feature selection challenge.

    In Advances in Neural Inf. Processing Systems, pages 545–552. 2005.
  • [16] Craig Gentry and Dan Boneh. A fully homomorphic encryption scheme, volume 20. Stanford University, Stanford, 2009.
  • [17] Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In Int. Conf. on Machine Learning, pages 201–210, 2016.
  • [18] Ehsan Hesamifard, Hassan Takabi, and Mehdi Ghasemi. CryptoDL: Deep neural networks over encrypted data. arXiv:1711.05189, 2017.
  • [19] Thore Graepel, Kristin Lauter, and Michael Naehrig. ML confidential: Machine learning on encrypted data. In Int. Conf. on Information Security and Cryptology, pages 1–21. Springer, 2012.
  • [20] Jiawei Yuan and Shucheng Yu. Privacy preserving back-propagation neural network learning made practical with cloud computing. IEEE Trans. on Parallel and Dist. Sys., 25(1):212–221, 2014.
  • [21] Ping Li, Jin Li, Zhengan Huang, Chong-Zhi Gao, Wen-Bin Chen, and Kai Chen. Privacy-preserving outsourced classification in cloud computing. Cluster Computing, pages 1–10, 2017.
  • [22] Andrey Kim, Yongsoo Song, Miran Kim, Keewoo Lee, and Jung Hee Cheon. Logistic regression model training based on the approximate homomorphic encryption. BMC Med. Genom., 11(4):23–55, Oct 2018.
  • [23] Q. Wang, M. Du, X. Chen, Y. Chen, P. Zhou, X. Chen, and X. Huang. Privacy-preserving collaborative model learning: The case of word vector training. IEEE Trans. on Knowledge and Data Engineering, 30(12):2381–2393, Dec 2018.
  • [24] Kyoohyung Han, Seungwan Hong, Jung Hee Cheon, and Daejun Park. Logistic regression on homomorphic encrypted data at scale.

    Annual Conf. on Innovative App. of Artificial Intelligence (IAAI-19)

    , 2019.
  • [25] Kamalika Chaudhuri and Claire Monteleoni. Privacy-preserving logistic regression. In Adv. in Neural Inf. Proc. Sys., pages 289–296, 2009.
  • [26] Reza Shokri and Vitaly Shmatikov.

    Privacy-preserving deep learning.

    In ACM SIGSAC Conference on Computer and Communications Security, pages 1310–1321, 2015.
  • [27] Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. Deep learning with differential privacy. In ACM SIGSAC Conference on Computer and Communications Security, pages 308–318, 2016.
  • [28] Manas Pathak, Shantanu Rane, and Bhiksha Raj.

    Multiparty differential privacy via aggregation of locally trained classifiers.

    In Advances in Neural Inf. Processing Systems, pages 1876–1884, 2010.
  • [29] H. Brendan McMahan, Daniel Ramage, Kunal Talwar, and Li Zhang. Learning differentially private recurrent language models. In Int. Conf. on Learning Representations, 2018.
  • [30] Arun Rajkumar and Shivani Agarwal.

    A differentially private stochastic gradient descent algorithm for multiparty classification.

    In Int. Conf. on Artificial Intelligence and Statistics (AISTATS’12), volume 22, pages 933–941, La Palma, Canary Islands, Apr 2012.
  • [31] Bargav Jayaraman, Lingxiao Wang, David Evans, and Quanquan Gu. Distributed learning without distress: Privacy-preserving empirical risk minimization. Adv. in Neur. Inf. Pro. Sys., pages 6346–6357, 2018.
  • [32] Qian Yu, Songze Li, Netanel Raviv, Seyed Mohammadreza Mousavi Kalan, Mahdi Soltanolkotabi, and A Salman Avestimehr. Lagrange coded computing: Optimal design for resiliency, security and privacy. In Int. Conf. on Artificial Intelligence and Statistics (AISTATS), 2019.
  • [33] Matthew Franklin and Moti Yung. Communication complexity of secure computation. In

    Proceedings of the twenty-fourth annual ACM symposium on Theory of computing

    , pages 699–710. ACM, 1992.
  • [34] Jinhyun So, Basak Guler, A Salman Avestimehr, and Payman Mohassel. Codedprivateml: A fast and privacy-preserving framework for distributed machine learning. arXiv preprint arXiv:1902.00641, 2019.
  • [35] Jinhyun So, Basak Guler, and A Salman Avestimehr. Turbo-aggregate: Breaking the quadratic aggregation barrier in secure federated learning. arXiv preprint arXiv:2002.04156, 2020.
  • [36] Ronald Cramer, Ivan Damgård, and Yuval Ishai. Share conversion, pseudorandom secret-sharing and applications to secure computation. In Theory of Cryptography Conference, pages 342–362. Springer, 2005.
  • [37] Octavian Catrina and Amitabh Saxena. Secure computation with fixed-point numbers. In International Conference on Financial Cryptography and Data Security, pages 35–50. Springer, 2010.
  • [38] Lisandro Dalcín, Rodrigo Paz, and Mario Storti. MPI for Python. Journal of Parallel and Distributed Comp., 65(9):1108–1115, 2005.
  • [39] J. Brinkhuis and V. Tikhomirov. Optimization: Insights and Applications. Princeton Series in Applied Mathematics. Princeton University Press, 2011.
  • [40] Yurii Nesterov. Introductory Lectures on Convex Optimization: A Basic Course. Springer Publishing Company, Incorporated, 1 edition, 2014.
  • [41] Zuzana Beerliová-Trubíniová. Efficient multi-party computation with information-theoretic security. PhD thesis, ETH Zurich, 2008.

Appendix A Supplementary Materials

A-a Details of the Quantization Phase

For quantizing its dataset , client employs a scalar quantization function , where the rounding operation


is applied element-wise to the elements of matrix and is an integer parameter to control the quantization loss. is the largest integer less than or equal to , and function is a mapping defined to represent a negative integer in the finite field by using two’s complement representation,


To avoid a wrap-around which may lead to an overflow error, prime should be large enough, . Its value also depends on the bitwidth of the machine as well as the dimension of the dataset. For example, in a -bit implementation with the CIFAR-10 dataset whose dimension is , we select , which is the largest prime needed to avoid an overflow on intermediate multiplications. In particular, in order to speed up the running time of matrix-matrix multiplication, we do a modular operation after the inner product of vectors instead of doing a modular operation per product of each element. To avoid an overflow on this, should be smaller than a threshold given by . For ease of exposition, throughout the paper, refers to the quantized dataset.

A-B Proof of Theorem 1

First, we show that the minimum number of clients needed for our decoding operation to be successful, i.e., the recovery threshold of COPML, is equal to . To do so, we demonstrate in the following that the decoding process will be successful as long as . As described in Section III, given the polynomial approximation of the sigmoid function in (5), the degree of in (8) is at most . The decoding process uses the computations from the clients as evaluation points to interpolate the polynomial . If at least evaluation results of are available, then, all of the coefficients of can be evaluated. After is recovered, the sub-gradient can be decoded by computing for , from which the gradient from (11) can be computed. Hence, the recovery threshold of COPML is , as long as , the protocol can correctly decode the gradient using the local evaluations of the clients, and the decoding process will be successful. Since the decoding operations are performed using a secure MPC protocol, throughout the decoding process, the clients only learn a secret share of the gradient and not its actual value. Next, we consider the update equation in (6) and prove its convergence to . As described in Section III, after decoding the gradient, the clients carry out a secure truncation protocol to multiply with parameter to update the model as in (6). The update equation from (6) can then be represented by


where represents the quantization noise introduced by the secure multi-party truncation protocol  [37], and . From [37], has zero mean and bounded variance, i.e., and where is the norm and is the truncation parameter described in Section III.

Next, we show that

is an unbiased estimator of the true gradient,

, and its variance is bounded by with sufficiently large . From , we obtain


From the Weierstrass approximation theorem [39], for any , there exists a polynomial that approximates the sigmoid arbitrarily well, i.e., for all in the constrained interval. Hence, as there exists a polynomial making the norm of (17) arbitrarily small, and .

Next, we consider the update equation in (16) and prove its convergence to . From the -Lipschitz continuity of (Theorem 2.1.5 of [40]), we have


where is the inner product. For a cross entropy loss , the Lipschitz constant

is equal to the largest eigenvalue of the Hessian

for all , and is given by . By taking the expectation with respect to the quantization noise on both sides in (18), we have


where (19) and (22) hold since and , (20) follows from , (21) follows from the convexity of , and (23) follows from .

By taking the expectation on both sides in (23

) with respect to the joint distribution of all random variables

where denotes the total number of iterations, we have


Summing both sides of the inequality in (24) for , we find that,

Finally, since is convex, we observe that,

which completes the proof of convergence.

A-C Details of the Multi-Party Computation (MPC) Implementation

We consider two well-known MPC protocols, the notable BGW protocol from [2], and the more recent, efficient MPC protocol from [3, 4]. Both protocols allow the computation of any polynomial function in a privacy-preserving manner by untrusted parties. Computations are carried out over the secret shares, and at the end, parties only learn a secret share of the actual result. Any collusions between up to out of parties do not reveal information (in an information-theoretic sense) about the input variables. The latter protocol is more efficient in terms of the communication cost between the parties, which scales linearly with respect to the number of parties, whereas for the former protocol this cost is quadratic. As a trade-off, it requires a considerable amount of offline computations and higher storage cost for creating and secret sharing the random variables used in the protocol.

For creating secret shares, we utilize Shamir’s -out-of- secret sharing [13]. This scheme embeds a secret in a degree polynomial