TF Encrypted is a Python library built on top of TensorFlow for researchers and practitioners to experiment with privacy-preserving machine learning. It provides an interface similar to that of TensorFlow, and aims at making the technology readily available without first becoming an expert in machine learning, cryptography, distributed systems, and high performance computing.
In particular, the library focuses on:
- Usability: The API and its underlying design philosophy make it easy to get started, use, and integrate privacy-preserving technology into pre-existing machine learning processes.
- Extensibility: The architecture supports and encourages experimentation and benchmarking of new cryptographic protocols and machine learning algorithms.
- Performance: Optimizing for tensor-based applications and relying on TensorFlow's backend means runtime performance comparable to that of specialized stand-alone frameworks.
- Community: With a primary goal of pushing the technology forward the project encourages collaboration and open source over proprietary and closed solutions.
- Security: Cryptographic protocols are evaluated against strong notions of security and known limitations are highlighted.
The project has benefitted enormously from the efforts of several contributors following its original implementation, most notably Dropout Labs and members of the OpenMined community. See below for further details.
TF Encrypted is available as a package on PyPI supporting Python 3.5+ and TensorFlow 1.12.0+ which can be installed using:
pip3 install tf-encrypted
Alternatively, installing from source can be done using:
git clone https://github.com/mortendahl/tf-encrypted.git cd tf-encrypted pip3 install -r requirements.txt pip3 install -e .
This latter is useful on platforms for which the pip package has not yet been compiled but is also needed for development. Note that this will get you a working basic installation, yet a few more steps are required to match the performance and security of the version shipped in the pip package, see the installation instructions.
Custom build of TensorFlow For 1.12.0
TF Encrypted officially supports TensorFlow 1.13.1 but if you have a need to run on 1.12.0 and want to take advantage of the int64 tensor speed improvements you'll have to make use of a custom build.
Such builds are available for macOS and Linux as a temporary solution until the next official release of TensorFlow is out (version 1.13), but no guarantees are made about them and they should be treated as pre-alpha. See more in the installation instructions.
The following is an example of simple matmul on encrypted data using TF Encrypted:
import tensorflow as tf import tf_encrypted as tfe def provide_input(): # normal TensorFlow operations can be run locally # as part of defining a private input, in this # case on the machine of the input provider return tf.ones(shape=(5, 10)) # define inputs w = tfe.define_private_variable(tf.ones(shape=(10,10))) x = tfe.define_private_input('input-provider', provide_input) # define computation y = tfe.matmul(x, w) with tfe.Session() as sess: # initialize variables sess.run(tfe.global_variables_initializer()) # reveal result result = sess.run(y.reveal())
Background & Further Reading
The following texts provide further in-depth presentations of the project:
- Secure Computations as Dataflow Programs describes the initial motivation and implementation
- Private Machine Learning in TensorFlow using Secure Computation further elaborates on the benefits of the approach, outlines the adaptation of a secure computation protocol, and reports on concrete performance numbers
- Experimenting with tf-encrypted walks through a simple example of turning an existing TensorFlow prediction model private
TF Encrypted is experimental software not currently intended for use in production environments. The focus is on building the underlying primitives and techniques, with some practical security issues postponed for a later stage. However, care is taken to ensure that none of these represent fundamental issues that cannot be fixed as needed.
- Elements of TensorFlow's networking subsystem does not appear to be sufficiently hardened against malicious users. Proxies or other means of access filtering may be sufficient to mitigate this.
Don't hesitate to send a pull request, open an issue, or ask for help! Check out our contribution guide for more information!
Several individuals have already had an impact on the development of this library (in alphabetical order):
- Ben DeCoste (Dropout Labs)
- Yann Dupis (Dropout Labs)
- Morgan Giraud (while at Dropout Labs)
- Ian Livingstone (Dropout Labs)
- Jason Mancuso (Dropout Labs)
- Justin Patriquin (Dropout Labs)
- Andrew Trask (OpenMined)
- Koen van der Veen (OpenMined)
and several companies have invested significant resources:
- Dropout Labs continues to sponsor a large amount of both research and engineering
- OpenMined was the breeding ground for the initial idea and continues to support discussions and guidance