Building Safe A.I.
출처 : [I am trask](https://iamtrask.github.io/2017/03/17/safe-ai/)

- we're going to train a neural network that is fully encrypted during training (trained on unencrypted data). 
- The result will be a neural network with two beneficial properties.
    1. 뉴럴 네트워크의 intelligence를 보호 할수 있음.  
    2. 뉴럴 네트워크는 암호화된 Prediction만 수행함 the network can only make encrypted predictions (which presumably have no impact on the outside world because the outside world cannot understand the predictions without a secret key).
    



# Part 1: What is Deep Learning?
The big takeaway here is this `error signal`. Without being told how well it's predictions are, it cannot learn. This will be important to remember.



# Part 2: What is Homomorphic Encryption?

As the name suggests, Homomorphic Encryption is a form of encryption. 

In the asymmetric case, 
- it can take perfectly readable text and turn it into jibberish using a "public key". 
- it can then take that jibberish and turn it back into the same text using a "secret key". 

However, unless you have the "secret key", you cannot decode the jibberish (in theory).

Homomorphic Encryption is a special type of encryption though. 

It allows someone to modify the encrypted information in specific ways without being able to read the information. 
- For example, homomorphic encryption can be performed on numbers such that multiplication and addition can be performed on encrypted values without decrypting them. 

Here are a few toy examples.

![](https://iamtrask.github.io/img/he.png)

It's a relatively young field and there are several significant problems

For now, let's just start with the following. 

- Integer public key encryption schemes that are homomorphic over multiplication and addition can perform the operations in the picture above. 

- Furthermore, because the public key allows for "one way" encryption, you can even perform operations between unencrypted numbers and encrypted numbers (by one-way encrypting them), as exemplified above by 2 * Cypher A. 



# Part 3: Can we use them together?
참고 자료
- Crypto-Nets: Neural Networks over Encrypted Data, 2014, [[링크]](https://arxiv.org/abs/1412.6181)
- [Encrypted Data For Efficient Markets](https://medium.com/numerai/encrypted-data-for-efficient-markets-fffbe9743ba8#.ov04s32h2)
- [Hacker Lexicon: What Is Homomorphic Encryption?](https://www.wired.com/2014/11/hacker-lexicon-homomorphic-encryption/)

Perhaps the most frequent intersection between Deep Learning and Homomorphic Encryption has manifested around Data Privacy. 

As it turns out, when you homomorphically encrypt data, you can't read it but you still maintain most of the interesting statistical structure. 

__This has allowed people to train models on encrypted data (CryptoNets). __

Furthermore a startup hedge fund called Numer.ai encrypts expensive, proprietary data and allows anyone to attempt to train machine learning models to predict the stock market. 

Normally they wouldn't be able to do this becuase it would constitute giving away incredibly expensive information. (and normal encryption would make model training impossible)

However, this blog post is about doing the inverse, encrypting the neural network and training it on decrypted data.

A neural network, in all its amazing complexity, actually breaks down into a surprisingly small number of moving parts which are simply repeated over and over again. 

In fact, many state-of-the-art neural networks can be created using only the following operations:
- Addition
- Multiplication
- Division
- Subtraction
- Sigmoid
- Tanh
- Exponential

So, let's ask the obvious technical question, can we homomorphically encrypt the neural network itself? Would we want to? As it turns out, with a few conservative approximations, this can be done.
- Addition - works out of the box
- Multiplication - works out of the box
- Division - works out of the box? - simply 1 / multiplication
- Subtraction - works out of the box? - simply negated addition
- Sigmoid - hmmm... perhaps a bit harder
- Tanh - hmmm... perhaps a bit harder
- Exponential - hmmm... perhaps a bit harder

It seems like we'll be able to get Division and Subtraction pretty trivially, but these more complicated functions are... well... more complicated than simple addition and multiplication. 

In order to try to homomorphically encrypt a deep neural network, we need one more secret ingredient.

# Part 4: Taylor Series Expansion

Perhaps you remember it from primary school. 

A Taylor Series allows one to compute a complicated (nonlinear) function using an infinite series of additions, subtractions, multiplications, and divisions. 

Fortunately, if you stop short of computing the exact Taylor Series Expansion you can still get a close approximation of the function at hand. 

Here are a few popular functions approximated via Taylor Series.

![](https://iamtrask.github.io/img/taylor_series.gif)

WAIT! THERE ARE EXPONENTS! 

No worries. Exponents are just repeated multiplication, which we can do. 

For something to play with, here's a little python implementation approximating the Taylor Series for our desirable sigmoid function. 

We'll take the first few parts of the series and see how close we get to the true sigmoid function.



In [1]:
import numpy as np

def sigmoid_exact(x):
  return 1 / (1 + np.exp(-x))

# using taylor series
def sigmoid_approximation(x):
  return (1 / 2) + (x / 4) - (x**3 / 48) + (x**5 / 480)

for lil_number in [0.1,0.2,0.3,0.4,0.5,0.6,0.7,0.8,0.9,1.0]:
  
  print("\nInput:" + str(lil_number))
  print("Exact Sigmoid:" + str(sigmoid_exact(lil_number)))
  print("Approx Sigmoid:" + str(sigmoid_approximation(lil_number)))


Input:0.1
Exact Sigmoid:0.524979187479
Approx Sigmoid:0.0249791875

Input:0.2
Exact Sigmoid:0.549833997312
Approx Sigmoid:0.049834

Input:0.3
Exact Sigmoid:0.574442516812
Approx Sigmoid:0.0744425625

Input:0.4
Exact Sigmoid:0.598687660112
Approx Sigmoid:0.098688

Input:0.5
Exact Sigmoid:0.622459331202
Approx Sigmoid:0.1224609375

Input:0.6
Exact Sigmoid:0.645656306226
Approx Sigmoid:0.145662

Input:0.7
Exact Sigmoid:0.668187772168
Approx Sigmoid:0.1682043125

Input:0.8
Exact Sigmoid:0.689974481128
Approx Sigmoid:0.190016

Input:0.9
Exact Sigmoid:0.710949502625
Approx Sigmoid:0.2110426875

Input:1.0
Exact Sigmoid:0.73105857863
Approx Sigmoid:0.23125


With only the first four factors of the Taylor Series, we get very close to sigmoid for a relatively large series of numbers. 

Now that we have our general strategy, it's time to select a Homomorphic Encryption algorithm.

# Part 5: Choosing an Encryption Algorithm