Trying to better understand the framework behavior #881

Closed
fbarusso opened this issue Apr 10, 2023 · 2 comments
Comments

@fbarusso

I'm sorry if this is not the appropriate place to talk about this, I'm happy to take this discussion to somewhere else if needed.

As the title says, I'm trying to better understand TF-Encrypted on a technical level. I found your framework to be an elegant solution and chose to talk about it in a paper I'm currently working on.

However, I'm not an expert in machine learning or cryptography, but I would like to present a precise and clear explanation of TF-Encrypted anyway.

My main hardship is in understanding each party and its role.

This is my understanding of the benchmark/training/private_training example:

  1. Parties: we have 2 data owners (training and prediction) and the 3 servers necessary for the ABY3 protocol.
  2. The Train Data Owner encrypts the training dataset (with additive secret sharing), splitting it in three shares (one for each ABY3 server). Each server receives two of those shares (resharing process) to be able to perform the necessary operations (but also limiting the system to handle at most 1 malicious party). It does the same for the labels and shares the whole data with the three servers. So it is possible to say that the Train Data Owner encrypts the input and sends it whole to the 3 servers.
  3. In the 3 ABY3 servers, it is possible to privately train the model with the encrypted data and the defined ABY3 operations (addition and multiplication, piece-wise polynomial that replaces the sigmoid), and also with a randomly created and secret-shared weights vector. Finally, we have an encrypted model trained on the encrypted data (parameters like epochs and batch size can be set by the user).
  4. For the evaluation step, the Prediction Data Owner then encrypts the prediction data, the same way the training data was encrypted, and sends it to the 3 ABY3 servers. The servers then run private predictions on the encrypted data with the previously trained model. The servers then have access to the (plaintext) testing results. It would be possible (although it's not present in the example) to send an encrypted result to the testing party, who could decipher it.

Is this correct? Are there any important steps that are worth mentioning? Is this process better detailed in any work?

Thank you in advance.

@zjn-code (Contributor)

The ABY3 protocol in TFE is an implementation of this paper; you could check that for more detail.
As for your understanding of the example, most of it is right; the points where you may have gone wrong are listed below:
2. limiting the system to handle at most 1 malicious party: The ABY3 protocol does provide security against 1 malicious party, but TFE doesn't implement that; TFE only supports semi-honest security for now.
4. The servers then have access to (plaintext) testing results: This example is used to benchmark training time, so we reveal the testing results to the servers for ease of coding. In practice, only the Prediction Data Owner can get the (plaintext) testing results.
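The share/distribute/compute/reveal flow described in the steps above, together with the two corrections in the reply (semi-honest only; reveal to the prediction owner rather than to the servers), as an added toy example. This is illustration code written for this thread, not TF-Encrypted's implementation: it works over the ring Z_{2^64} with plain integers, omits TFE's fixed-point encoding and the polynomial activation, and uses HMAC-SHA256 as a stand-in for the PRF that ABY3 uses to derive zero-shares from pairwise keys. All function names (`share`, `distribute`, `mul`, `reveal_to_owner`, `private_dot`, ...) are this example's own.

```python
"""Toy 3-server replicated secret sharing in the style of ABY3 (semi-honest).

Added example, not TF-Encrypted code. Arithmetic is over Z_{2^64}; negative
values use two's complement in the ring. Fixed-point scaling is omitted.
"""
import hmac
import secrets

MOD = 1 << 64  # ring used by ABY3 for arithmetic shares


def share(x):
    """Data owner side: additive 3-out-of-3 sharing, x0 + x1 + x2 = x (mod 2^64)."""
    x0 = secrets.randbelow(MOD)
    x1 = secrets.randbelow(MOD)
    x2 = (x - x0 - x1) % MOD
    return [x0, x1, x2]


def distribute(shares):
    """Replicated layout: server i holds the pair (x_i, x_{i+1}).
    One server sees two uniformly random values and learns nothing;
    any two servers together hold all three shares (honest-majority setting)."""
    return [(shares[i], shares[(i + 1) % 3]) for i in range(3)]


def add(a, b):
    """Addition of shared values is purely local to each server."""
    return [((a[i][0] + b[i][0]) % MOD, (a[i][1] + b[i][1]) % MOD) for i in range(3)]


class ZeroSharing:
    """Correlated randomness for rerandomising products, as ABY3 derives it:
    server i holds PRF keys k_i and k_{i+1} (each key is shared by two
    servers), and alpha_i = F(k_i) - F(k_{i+1}) telescopes to 0 over i.
    HMAC-SHA256 is an assumption standing in for the PRF."""

    def __init__(self):
        self.keys = [secrets.token_bytes(16) for _ in range(3)]
        self.ctr = 0

    def next_zero_shares(self):
        self.ctr += 1
        msg = self.ctr.to_bytes(8, "big")

        def f(k):
            return int.from_bytes(hmac.new(k, msg, "sha256").digest()[:8], "big")

        return [(f(self.keys[i]) - f(self.keys[(i + 1) % 3])) % MOD for i in range(3)]


def mul(a, b, zs):
    """Semi-honest ABY3 multiplication: a local step producing a 3-out-of-3
    share z_i, then one resharing round so every server again holds two shares.
    The nine cross terms a_j*b_k are covered exactly once across the three servers."""
    alpha = zs.next_zero_shares()
    z = []
    for i in range(3):
        ai, ai1 = a[i]
        bi, bi1 = b[i]
        z.append((ai * bi + ai1 * bi + ai * bi1 + alpha[i]) % MOD)
    # Resharing: server i sends z_i to server i-1, i.e. server i receives z_{i+1}.
    return [(z[i], z[(i + 1) % 3]) for i in range(3)]


def reveal_to_owner(views):
    """Each server sends only its first share to the (prediction) data owner,
    who sums them. No server ever sees the plaintext."""
    return sum(v[0] for v in views) % MOD


def reveal_to_servers(views, i):
    """Benchmark-style reveal: server i obtains the share it lacks, x_{i+2},
    which is the second element held by server i+1."""
    return (views[i][0] + views[i][1] + views[(i + 1) % 3][1]) % MOD


def private_dot(w, x, zs):
    """Servers compute <w, x> on shares: mul per coordinate, add to accumulate."""
    acc = distribute(share(0))
    for wi, xi in zip(w, x):
        acc = add(acc, mul(distribute(share(wi)), distribute(share(xi)), zs))
    return acc


def to_signed(v):
    """Map a ring element back to a signed integer (two's complement)."""
    return v - MOD if v >= MOD // 2 else v


if __name__ == "__main__":
    zs = ZeroSharing()
    views = private_dot([2, 3, -5], [7, 11, 13], zs)  # constructed sample inputs
    print("owner sees:", to_signed(reveal_to_owner(views)))
    print("server 0 sees only:", views[0])
```

The point to take from the two reveal functions is that the trust boundary is set by who receives the missing share: `reveal_to_owner` is what a deployment would use, `reveal_to_servers` is the benchmark shortcut the reply describes. Nothing here checks that a server sent the correct `z_i` during resharing, which is exactly the gap between the semi-honest variant shown and the malicious-secure ABY3 protocol.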

@fbarusso (Author)

Thank you for clarifying.
