# Secure Serving

This is a modified version of [Part 11 - Secure Deep Learning Classification](https://slack-redir.net/link?url=https%3A%2F%2Fgithub.com%2FOpenMined%2FPySyft%2Fblob%2Fdev%2Fexamples%2Ftutorials%2FPart%252011%2520-%2520Secure%2520Deep%2520Learning%2520Classification.ipynb).

## Your data matters, your model too

Data is the driver behind Machine Learning. Organizations that create and collect data are able to build and train their own machine learning models, which lets them offer those models as a service (MLaaS) to outside organizations. This is useful for organizations that cannot build such models themselves but would still like to use one to make predictions on their own data.

However, a model hosted in the cloud still presents a privacy/IP issue. For external organizations to use it, they must either upload their input data (such as images to be classified) or download the model. Uploading input data can be problematic from a privacy perspective, and downloading the model might not be an option if the organization that created/owns the model is worried about losing its IP.


## Computing over encrypted data

In this context, one potential solution is to encrypt both the model and the data in a way that allows one organization to use a model owned by another organization without either disclosing its IP to the other. Several encryption schemes allow computation over encrypted data; the best known are Secure Multi-Party Computation (SMPC), Homomorphic Encryption (FHE/SHE) and Functional Encryption (FE). We will focus here on Secure Multi-Party Computation ([introduced in detail here in tutorial 5](https://github.com/OpenMined/PySyft/blob/dev/examples/tutorials/Part%205%20-%20Intro%20to%20Encrypted%20Programs.ipynb)), which consists of private additive sharing. It relies on crypto protocols such as SecureNN and SPDZ, the details of which are given [in this excellent blog post](https://mortendahl.github.io/2017/09/19/private-image-analysis-with-mpc/).

These protocols achieve remarkable performance over encrypted data, and over the past few months we have been working to make them easy to use. Specifically, we're building tools that let you use these protocols without having to re-implement them yourself (or even necessarily know the cryptography behind how they work). Let's jump right in.

## Set up

The exact setting in this tutorial is the following: consider that you are the server and you have some data. First, you define and train a model with this private training data. Then, you get in touch with a client who holds some data of their own and would like to access your model to make some predictions.

You encrypt your model (a neural network). The client encrypts their data. You both then use these two encrypted assets to run the model on the data. Finally, the result of the prediction is sent back to the client in encrypted form, so that the server (_i.e._ you) learns nothing about the client's data (you learn neither the inputs nor the prediction).

Ideally we would additively share the `client`'s input between itself and the `server` and vice versa for the model. For the sake of simplicity, the shares will be held by two other workers `alice` and `bob`. If you consider that alice is owned by the client and bob by the server, it's completely equivalent.

The computation is secure in the honest-but-curious adversary model which is standard in [many MPC frameworks](https://arxiv.org/pdf/1801.03239.pdf).

**We now have everything we need, let's get started!**


Authors:
- Théo Ryffel - Twitter: [@theoryffel](https://twitter.com/theoryffel) · GitHub: [@LaRiffle](https://github.com/LaRiffle)

- Marianne Monteiro - Twitter: [@hereismari](https://twitter.com/hereismari) · GitHub: [@mari-linhares](https://github.com/mari-linhares)

**Let's get started!**

### Imports and model specifications

In [1]:
```python
import torch
import torch.nn as nn
import torch.nn.functional as F
import torch.optim as optim
from torchvision import datasets, transforms

import grid as gr
```

We also need to execute the commands that import and start PySyft. We create a few workers (named `alice` and `bob`). Lastly, we define the `crypto_provider`, who supplies all the crypto primitives we may need ([see our tutorial on SMPC for more details](https://github.com/OpenMined/PySyft/blob/dev/examples/tutorials/Part%205%20-%20Intro%20to%20Encrypted%20Programs.ipynb)).

In [2]:
```python
import syft as sy
hook = sy.TorchHook(torch)

bob = gr.WebsocketGridClient(hook, "http://localhost:3000", id="bob")
alice = gr.WebsocketGridClient(hook, "http://localhost:3001", id="alice")
crypto_provider = gr.WebsocketGridClient(hook, "http://localhost:3002", id="james")
bob.connect()
alice.connect()
crypto_provider.connect()
```

In [3]:
```python
import time

# Connect every grid node to the two others so shares can be exchanged pairwise.
bob.connect_grid_node(alice.uri, alice.id)
time.sleep(0.5)
bob.connect_grid_node(crypto_provider.uri, crypto_provider.id)
time.sleep(0.5)

alice.connect_grid_node(crypto_provider.uri, crypto_provider.id)
time.sleep(0.5)
alice.connect_grid_node(bob.uri, bob.id)
time.sleep(0.5)

crypto_provider.connect_grid_node(alice.uri, alice.id)
time.sleep(0.5)
crypto_provider.connect_grid_node(bob.uri, bob.id)
```

In [4]:
```python
# Commented out in the notebook: the original model was a pretrained VGG16 with a new head.
'''
import torchvision.models as models

def make_model(num_classes: int):
    """Load a vgg16 and add a new head to it."""
    model = models.vgg16(pretrained=True)
    num_ftrs = model.classifier[6].in_features
    model.classifier[6] = torch.nn.Linear(num_ftrs, num_classes)
    return model

model = make_model(7)
'''
```


In [5]:
```python
model = torch.nn.Linear(1, 1)
```

We define the setting of the learning task.

Now, the client has some data and would like to obtain predictions on it using the server's model. The client encrypts its data by sharing it additively across the two workers `alice` and `bob`.
> SMPC uses crypto protocols which require working on integers. We leverage here the PySyft tensor abstraction to convert PyTorch Float tensors into Fixed Precision Tensors using `.fix_precision()`. For example, 0.123 with precision 2 is rounded at the 2nd decimal digit, so the number stored is the integer 12.


In [6]:
```python
data_shape = (1, 1)
data = torch.zeros(data_shape)
target = torch.zeros(1)
```

In [7]:
```python
data, target
```

(tensor([[0.]]), tensor([0.]))

Our model is now trained and ready to be provided as a service!

## Secure evaluation

Now, as the server, we send the model to the workers holding the data. Because the model is sensitive information (you've spent time optimizing it!), you don't want to disclose its weights so you secret share the model just like we did with the dataset earlier.

In [8]:
```python
%%time
model.fix_precision().share(alice, bob, crypto_provider=crypto_provider)
```

CPU times: user 3.47 ms, sys: 7.98 ms, total: 11.4 ms
Wall time: 10.3 ms

Linear(in_features=1, out_features=1, bias=True)

This test function performs the encrypted evaluation. The model weights, the data inputs, the prediction and the target used for scoring are encrypted!

However, the syntax is very similar to pure PyTorch testing of a model, isn't it nice?!

The only thing we decrypt from the server side is the final score at the end to verify predictions were on average good.

In [15]:
```python
def test(model, data, target):
    model.eval()
    n_correct_priv = 0
    n_total = 0
    with torch.no_grad():
        # The client's input and the scoring target are secret shared, just like the model weights.
        shared_data = data.fix_precision().share(alice, bob, crypto_provider=crypto_provider)
        shared_target = target.fix_precision().share(alice, bob, crypto_provider=crypto_provider)
        # The forward pass and the comparison against the target run entirely on shares.
        output = model(shared_data)
        pred = output.argmax(dim=1)
        n_correct_priv += pred.eq(shared_target.view_as(pred)).sum()
        n_total += 1

        # The only value the server needs to decrypt is the final score.
        n_correct = n_correct_priv.copy().get().float_precision().long().item()

        print('Test set: Accuracy: {}/{} ({:.0f}%)'.format(
            n_correct, n_total,
            100. * n_correct / n_total))

        # Decrypting the prediction and the label here is for demonstration only.
        print('Prediction = {}, Label = {}'.format(pred.copy().get().float_precision(),
                                                   shared_target.copy().get().float_precision()))
```


In [16]:
```python
%%time
test(model, data, target)
```

Test set: Accuracy: 1/1 (100%)
Prediction = tensor([0.]), Label = tensor([0.])
CPU times: user 1.48 s, sys: 381 ms, total: 1.86 s
Wall time: 1.66 s


Et voilà! You have now learned how to do end-to-end secure predictions: the weights of the server's model have not leaked to the client, and the server has no information about either the data input or the classification output!
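To make the additive sharing behind `.fix_precision().share(alice, bob, crypto_provider=...)` concrete, here is an added toy two-party version written for this page (it is not PySyft or PyGrid code): values are encoded with precision 2 as in the fixed-precision note above, `alice` and `bob` each hold one share, a Beaver triple plays the part of `crypto_provider`, and the `Linear(1, 1)` forward pass `y = w*x + b` is evaluated on shares so that only the final prediction is reconstructed. It assumes a ring size `Q` and keeps the product at scale `10**(2*PREC)` instead of implementing PySyft's share truncation.

```python
import secrets
Q = 2 ** 62       # assumed ring the shares live in; all arithmetic is mod Q
PREC = 2          # fixed precision from the tutorial's note: 0.123 -> 12

def fix(x: float) -> int:
    """Fixed-precision encoding: keep PREC decimal digits, store as a ring element."""
    return round(x * 10 ** PREC) % Q

def to_signed(v: int) -> int:
    """Map a ring element back to a signed integer (values above Q/2 are negative)."""
    return v - Q if v > Q // 2 else v

def share(v: int):
    """Additive 2-party sharing: a uniform random share for alice, the rest for bob."""
    a = secrets.randbelow(Q)
    return a, (v - a) % Q

def reconstruct(sh) -> int:
    return (sh[0] + sh[1]) % Q

def add(x, y):
    """Addition is local: each party adds its own shares."""
    return (x[0] + y[0]) % Q, (x[1] + y[1]) % Q

def beaver_triple():
    """The crypto_provider's job: shares of random a, b and c = a*b (the SPDZ trick)."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    return share(a), share(b), share((a * b) % Q)

def mul(x, y, triple):
    """Multiply two shared values with one Beaver triple. Only the masked values
    eps = x - a and delta = y - b are opened, and both are uniformly random."""
    a, b, c = triple
    eps = reconstruct(((x[0] - a[0]) % Q, (x[1] - a[1]) % Q))
    delta = reconstruct(((y[0] - b[0]) % Q, (y[1] - b[1]) % Q))
    # x*y = c + eps*b + delta*a + eps*delta; the public term is added by one party only
    z0 = (c[0] + eps * b[0] + delta * a[0] + eps * delta) % Q
    z1 = (c[1] + eps * b[1] + delta * a[1]) % Q
    return z0, z1

def secure_predict(w: float, b: float, x: float) -> float:
    """Evaluate y = w*x + b for the tutorial's Linear(1, 1): the server shares (w, b),
    the client shares x, and only the final y is reconstructed. The product carries
    scale 10**(2*PREC), so the bias shares are rescaled by a public constant (local)."""
    w_sh, b_sh, x_sh = share(fix(w)), share(fix(b)), share(fix(x))
    wx = mul(w_sh, x_sh, beaver_triple())
    b_scaled = ((b_sh[0] * 10 ** PREC) % Q, (b_sh[1] * 10 ** PREC) % Q)
    y = to_signed(reconstruct(add(wx, b_scaled)))
    return y / 10 ** (2 * PREC)
```

During a multiplication only `eps` and `delta` are opened, and both are masked by uniform ring elements, so a curious `alice` or `bob` learns nothing about `w`, `b` or `x`; that is the honest-but-curious guarantee the Set up section refers to.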

Regarding performance, classifying one image takes **less than 0.1 second**, approximately **33ms** on my laptop (2,7 GHz Intel Core i7, 16GB RAM). However, this is using very fast communication (all the workers are on my local machine). Performance will vary depending on how fast different workers can talk to each other.

## Conclusion

You have seen how easy it is to leverage PyTorch and PySyft to perform practical Secure Machine Learning and protect users' data, without having to be a crypto expert!

More on this topic will come soon, including convolutional layers to properly benchmark PySyft performance against other libraries, as well as private encrypted training of neural networks, which is needed when an organisation relies on external sensitive data to train its own model. Stay tuned!

If you enjoyed this and would like to join the movement toward privacy preserving, decentralized ownership of AI and the AI supply chain (data), you can do so in the following ways! 

### Star PySyft on GitHub

The easiest way to help our community is just by starring the repositories! This helps raise awareness of the cool tools we're building.

- [Star PySyft](https://github.com/OpenMined/PySyft)

### Pick our tutorials on GitHub!

We made really nice tutorials to get a better understanding of what Federated and Privacy-Preserving Learning should look like and how we are building the bricks for this to happen.

- [Check out the PySyft tutorials](https://github.com/OpenMined/PySyft/tree/master/examples/tutorials)


### Join our Slack!

The best way to keep up to date on the latest advancements is to join our community! 

- [Join slack.openmined.org](http://slack.openmined.org)

### Join a Code Project!

The best way to contribute to our community is to become a code contributor! If you want to start with "one off" mini-projects, you can go to the PySyft GitHub Issues page and search for issues marked `Good First Issue`.

- [Good First Issue Tickets](https://github.com/OpenMined/PySyft/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)

### Donate

If you don't have time to contribute to our codebase, but would still like to lend support, you can also become a Backer on our Open Collective. All donations go toward our web hosting and other community expenses such as hackathons and meetups!

- [Donate through OpenMined's Open Collective Page](https://opencollective.com/openmined)