Privacy-Preserving SVM Computing by Using Random Unitary Transformation

09/19/2018 ∙ by Takahiro Maekawa, et al. ∙ 0

A privacy-preserving Support Vector Machine (SVM) computing scheme is proposed in this paper. Cloud computing has been spreading in many fields. However, the cloud computing has some serious issues for end users, such as unauthorized use and leak of data, and privacy compromise. We focus on templates protected by using a random unitary transformation, and consider some properties of the protected templates for secure SVM computing, where templates mean features extracted from data. The proposed scheme enables us not only to protect templates, but also to have the same performance as that of unprotected templates under some useful kernel functions. Moreover, it can be directly carried out by using well-known SVM algorithms, without preparing any algorithms specialized for secure SVM computing. In the experiments, the proposed scheme is applied to a face-based authentication algorithm with SVM classifiers to confirm the effectiveness.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 3

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Cloud computing and edge computing have been spreading in many fields, with the development of cloud services. However, the computing environment has some serious issues for end users, such as unauthorized use and leak of data, and privacy compromise, due to unreliability of providers and some accidents. While, a lot of studies on secure, efficient and flexible communications, storage and computation have been reported [1, 2, 3]. For securing data, full encryption with provable security (like RSA, AES, etc) is the most secure option. However, many multimedia applications have been seeking a trade-off in security to enable other requirements, e.g., low processing demands, retaining bitstream compliance, and flexible processing in the encrypted domain, so that a lot of perceptual encryption schemes have been studied as one of the schemes for achieving a trade-off [4, 5, 6, 7, 8, 9, 10, 11, 12, 13]

In the recent years, considerable efforts have been made in the fields of fully homomorphic encryption and multi-party computation [14, 15, 16, 17]. However, these schemes can not be applied yet to SVM algorithms, although it is possible to carry out some statistical analysis of categorical and ordinal data. Moreover, the schemes have to prepare algorithms specialized for computing encrypted data.

Because of such a situation, we propose a privacy-preserving SVM computing scheme in this paper . We focus on templates protected by using a random unitary transformation, which have been studied as one of methods for cancelable biometrics [18, 19, 20, 21, 22, 23, 24]

, and then consider some properties of the protected templates for secure SVM computing, where templates mean features extracted from data. As a result, the proposed scheme enables us not only to protect templates, but also to have the same performance as that of unprotected templates under some useful kernel functions as isotropic stationary kernels. Moreover, it can be directly carried out by using well-known SVM algorithms, without preparing any algorithms specialized for secure SVM computing. In the experiments, the proposed scheme is applied to a face recognition algorithm with SVM classifiers to confirm the effectiveness.

Ii preparation

Ii-a Support Vector Machine

Support Vector Machine (SVM) is a supervised machine learning algorithm which can be used for both classification or regression challenges, but it is mostly used in classification problems. In SVM, we input a feature vector

to the discriminant function as

where is a weight parameter, and is a bias.

SVM also has a technique called the kernel trick, which is a function that takes low dimensional input space and transform it to a higher dimensional space. These functions are called kernels. The kernel trick could be applied to Eq. (II-A) to map an input vector on further high dimension feature space, and then to linearly classify it on that space as

(1)

The function maps an input vector on high dimension feature space , where is the number of the dimensions of features. In this case, feature space includes parameter (). The kernel function of two vectors , is defined as

(2)

where

is an inner product. There are various kernel functions. For example, Radial Basis Function(RBF) kernel is given by

(3)

and polynomial kernel is provided by

(4)

where is a high parameter to decide the complexity of boundary determination, is a parameter to decide the degree of the polynomial, and indicates transpose.

This paper aims to propose a new framework to carry out SVM with protected vectors.

Ii-B Scenario

Figure 1 illustrates the scenario used in this paper. In the enrollment, client , , prepares training samples such as images, and a feature set , called a template, is extracted from the samples. Next the client creates a protected template set by a secret key and sends the set to a cloud server. The server stores it and implements learning with the protected templates for a classification problem.

In the authentication, Client creates a protected template as a query and sends it to the server. The server carries out a classification problem with a learning model prepared in advance, and then returns the result to Client .

Note that the cloud server has no secret keys and the classification problem can be directly carried out by using well-known SVM algorithms. In the other words, the server does not have to prepare any algorithms specialized for the classification in the encrypted domain.

Fig. 1: Scenario

Iii Proposed framework

In this section, protected templates generated by using a random unitary matrix are conducted, and a SVM computation scheme with the protected templates is proposed under some kernel functions.

Iii-a Template Protection

Template protection schemes based on unitary transformations have been studied as one of methods for cancelable biometrics[18, 21, 22, 23, 19, 20]. This paper has been inspired by those studies.

A template is protected by a unitary matrix having randomness with a key , as,

(5)

where is the protected template. Various generation schemes of have been studied to generate unitary or orthogonal random matrices such as Gram-Schmidt method, random permutation matrices and random phase matrices[23, 22]

. For example, the Gram-Schmidt method can be applied to a pseudo-random matrix to generate

. Security analysis of the protection schemes have been also considered in terms of brute-force attacks, diversity and irreversibility.

Iii-B SVM with protected templates

Iii-B1 Properties

Protected templates generated according to Eq. (5) have the following properties under [23].

Property 1 : Conservation of the Euclidean distances:


Property 2 : Conservation of inner products:


Property 3 : Conservation of correlation coefficients:


where is a template of another client , who has M training samples .

Iii-B2 Classes of kernels

We consider applying the protected templates to a kernel function. In the case of using RBF kernel, the following relation is satisfied from property 1 and Eq.(3)

(6)

A stationary kernel is one which is translation invariant:

(7)

that is, it depends only on the lag vector separating the two vectors and . Moreover, when a stationary kernel depends only on the norm of the lag vectors between two vectors, the kernel is said to be isotropic (or homogeneous)[25], and is thus only a function of distance:

(8)

For examples, RBF, WAVE and Rational quadratic kernels belong to this class, i.e, isotropic stationary kernel, called kernel class 1 in this paper. If kernels are isotropic, the propose scheme is useful under the kernels.

Besides, from property 3, we can also use a kernel that depends only on the inner products between two vectors given as

(9)

Polynomial kernel and linear kernel are in this class, referred to as class 2.

Some kernels such as Fisher and p-spectrum ones, to which the protected templates can not be applied, belong to other classes. We focus on using kernel class 1 and class 2.

Iii-B3 Dual problem

Next, we consider binary classification that is the task of classifying the elements of a given set. A dual problem to implement a SVM classifier with protected templates is expressed as

(10)

where and are correct labels for each training data, and are dual variables and C is a regular coefficient. If we use kernel class 1 or class 2 described above, the inner product is equal to . Therefore, even in the case of using protected templates, the dual problem with protected templates is reduced to the same problem as that of the original templates. This conclusion means that the use of the proposed templates gives no effect to the performance of the SVM classifier under kernel class 1 and class 2.

Iii-C Relation among keys

As shown in Fig 1, a protected template is generated from training data by using a key . Two relations among keys are summarized, here.

Iii-C1 Key condition 1:

The first key choice is to use a common key in all clients, namely, . In this case, all protected templates satisfy the properties described in III-B, so the SVM classifier has the same performance as that of using the original templates.

Iii-C2 Key condition 2:

The second key choice is to use a different key in each client, namely . In this case, the three properties are satisfied only among templates with a common key. This key condition allows us to enhance the robustness of the security against various attacks as discussed later.

Iv Experimental Results

The propose scheme was applied to face recognition experiments which were carried out as a dual problem.

Iv-a Data Set

We used Extended Yale Face Database B[24] that consists of 2432 frontal facial images with -pixels of persons like Fig 2. 64 images for each person were divided into half randomly for training data samples and queries. We used random permutation matrices as unitary matrices to produce protected templates. Besides, RBF kernel and linear kernel were used, where they belong to kernel class 1 and class 2, respectively. The protection was applied to templates with 1216 dimensions generated by the down-sampling method[21]. The down-sampling method divides an image into non-overlapped blocks and then calculates the mean value in each block. Figure 3 shows the examples of an original template and the protected one.

(a) person1 (b) person2
Fig. 2: Examples of Extended Yale Face Database B
(a) template (b) protected
Fig. 3: An example of protection

Iv-B Results and Discussion

In face recognition with SVM classifiers, one classifier is created for each enrollee. The classifier outputs a predicted class label and a classification score for each query template , where is a protected template generated from the template of a query, . The classification score is the distance from the query to the boundary ranging. The relation between the classification score and a threshold for the positive label of is given as

(11)

In the experiment, False Reject Rate(FRR), False Accept Rate(FAR), and Equal Error Rate(EER) at which FAR is equal to FRR were used to evaluate the performance.

Iv-B1

Figure 4 shows results in the case of using key condition 1. The results demonstrate that SVM classifiers with protected templates (protected in Fig 4) had the same performances as those fo SVM classifiers with the original templates (not protected in Fig 4). From the results, it is confirmed that the proposed framework gives no effect to the performance of SVM classifiers under key condition 1.

Iv-B2

Figure 5 shows results in the case of using key condition 2. In this condition, it is expected that a query will be authenticated only when it meets two requirements, i.e. the same key and the same person, although only the same person is required under key condition1. Therefore, the performances in Fig. 5 were slightly different from those in Fig. 4, so the FAR performances for key condition 2 were better due to the strict requirements.

Iv-B3 Unauthorized outflow ()

Figure 6 shows the FAR performance in the case that a key leaks out. In this situation, other clients could use the key without any authorization as spoofing attacks. As shown in Fig.6, the FAR (key leaked in Fig.6) still had low vales due to two requirements, although it was slightly degraded, compared to Fig.5.

Figure 7 is the FAR performance in the case that a template leaks out. It is confirmed that the FAR (template leaked in Fig.7) still had low vales as well as in Fig.6.

From these results, the use of key condition 2 enhances the robustness of the security against spoofing attacks.

(a) Linear kernel ()
(b) RBF kernel (, )
Fig. 4: FAR and FFR ()
Fig. 5: FAR and FAR (RBF kernel, )
Fig. 6: FAR with leaked keys (RBF kernel)
Fig. 7: FAR with leaked original templates (RBF kernel)

V conclusion

In this paper, we proposed a privacy-preserving SVM computing scheme with protected templates. It was shown that templates protected by a unitary transform has some useful properties, and the properties allow us to securely compute SVM algorithms without any degradation of the performances. Besides, two key conditions were considered to enhance the robustness of the security against various attacks. Some face-based authentication experiments using SVM classifiers were also demonstrated to experimentally confirm the effectiveness of the proposed framework.

Acknowledgements

This work was partially supported by Grant-in-Aid for Scientific Research(B), No.17H03267, from the Japan Society for the Promotion Science.










References

  • [1] C. T. Huang, L. Huang, Z. Qin, H. Yuan, L. Zhou, V. Varadharajan, and C-C. J. Kuo, “Survey on securing data storage in the cloud,” APSIPA Transactions on Signal and Information Processing, vol. 3, 2014.
  • [2] R. Lazzeretti and M. Barni, “Private computing with garbled circuits [applications corner],” IEEE Signal Processing Magazine, vol. 30, no. 2, pp. 123–127, 2013.
  • [3] M. Barni, G. Droandi, and R. Lazzeretti, “Privacy protection in biometric-based recognition systems: A marriage between cryptography and signal processing,” IEEE Signal Processing Magazine, vol. 32, no. 5, pp. 66–76, 2015.
  • [4] R. L. Lagendijk, Z. Erkin, and M. Barni, “Encrypted signal processing for privacy protection: Conveying the utility of homomorphic encryption and multiparty computation,” IEEE Signal Processing Magazine, vol. 30, no. 1, pp. 82–105, 2013.
  • [5] I. Ito and H. Kiya, “One-time key based phase scrambling for phaseonly correlation between visually protected images,” in EURASIP J. Information Security, vol. 2009, no. 841045, 2010.
  • [6] T. Chuman, K. Kurihara, and H. Kiya, “On the security of block scrambling-based etc systems against jigsaw puzzle solver attacks,” in IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2017, pp. 2157–2161.
  • [7] J. Zhou, X. Liu, O. C. Au, and Y. Y. Tang, “Designing an efficient image encryption-then-compression system viapredictionerrorclusteringandrandompermutation,” in IEEE transactions on information forensics and security, vol. 9, no. 1, 2014, pp. 39–50.
  • [8] K. Kurihara, S. Shiota, and H. Kiya, “2015 an encryption-then-compression system for jpeg standard,” in Picture Coding Symposium (PCS), 2015, pp. 119–123.
  • [9] K. Kurihara, M. Kikuchi, S. Imaizumi, S. Shiota, and H. Kiya, “An encryption-then-compression system for jpeg/motion jpeg standard,” in IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 98, no. 11, 2015, pp. 2238–2245.
  • [10] T. Chuman, K. Kurihara, and H. Kiya, “On the security of block scrambling-based etc systems against jigsaw puzzle solver attacks,” in 2017 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2017, pp. 2157–2161.
  • [11] T. Chuman, K. Kurihara, and H. Kiya, “Security evaluation for block scrambling-based etc systems against extended jigsaw puzzle solver attacks,” in 2017 IEEE International Conference on Multimedia and Expo (ICME), 2017, pp. 229–234.
  • [12] T. Chuman, K. Iida, and H. Kiya, “Image manipulation on social media for encryption-then-compression systems,” in 2017 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), 2017.
  • [13] T. Chuman, K. Kurihara, and H. Kiya, “On the security of block scrambling-based etc systems against extended jigsaw puzzle solver attacks,” IEICE Transactions on Information and Systems, vol. E101.D, no. 1, pp. 37–44, 2018.
  • [14] T. Araki, A. Barak, J. Furukawa, T. Lichter, Y. Lindell, A. Nof, K. Ohara, A. Watzman, and O. Weinstein, “Optimized honest-majority mpc for malicious adversaries - breaking the 1 billion-gate per second barrier,” in IEEE Symposium on Security and Privacy (SP), 2017, pp. 843–862.
  • [15] T. Araki, J. Furukawa, Y. Lindell, A. Nof, and K. Ohara, “High-throughput semi-honest secure three-party computation with an honest majority,” in Proceedings of ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 805–817.
  • [16] W. Lu, S. Kawasaki, and J. Sakuma, “Using fully homomorphic encryption for statistical analysis of categorical, ordinal and numerical data,” in IACR Cryptology ePrint Archive, vol. 2016, 2016, p. 1163.
  • [17]

    Y. Aono and T. Hayashi and L. Phong and L. Wang, “Privacy-preserving logistic regression with distributed data sources via homomorphic encryption,”

    IEICE Transactions on Information and Systems, vol. E99.D, no. 8, pp. 2079–2089, 2016.
  • [18] C. Rathgeb, and A. Uhl, “A survey on biometric cryptosystems and cancelable biometrics,” in EURASIP J. Information Security, vol. 2011, no. 1, 2011, pp. 1–25.
  • [19] K. Nandakumar, A. K. Jain, “Biometric template protection: Bridging the performance gap between theory and practice,” in Signal Processing Magazine, IEEE, vol. 32, no. 5, 2015, pp. 88–100.
  • [20] S. Rane, “Standardization of biometric template protection,” in Signal Processing Magazine, IEEE, vol. 21, no. 4, 2014.
  • [21] J. Wright, A. Yang, A. Ganesh, S. Sastry, and Y. Ma, “Robust face recognition via sparse representation,” in IEEE Trans. Pattern Analysis and Machine Intelligence, vol. 31, no. 2, 2009.
  • [22] I. Nakamura, Y. Tonomura, and H. Kiya, “Unitary transform-based template protection and its properties,” in European Signal Processing Conference, vol. SIPA-P3.4, 2015, pp. 2466–2470.
  • [23] I. Nakamura, Y. Tonomura, and H. Kiya, “Unitary transform-based template protection and its application to l2-norm minimization problems,” in IEICE Transactions on Information and Systems, vol. E99-D, no. 1, 2016, pp. 60–68.
  • [24] A.S. Georghiades, P.N. Belhumeur, and D.J. Kriegman, “From few to many: Illumination cone models for face recognition under variable lighting and pose,” in IEEE Trans. Pattern Analysis and Machine Intelligence, vol. 23, no. 6, 2001, pp. 643–660.
  • [25] M. G. Genton, “Classes of kernels for machine learning: A statistics perspective,” J. Mach. Learn. Res., vol. 2, pp. 299–312, 2002.