How to only encrypt the ML model and make local model predictions based on the encrypted model #81

Closed
Daihongwei1900 opened this issue Jun 7, 2023 · 5 comments

Comments

@Daihongwei1900

Daihongwei1900 commented Jun 7, 2023

Feature request

[edit by @bcm-at-zama]: info are given by @Daihongwei1900 here

Motivation

[edit by @bcm-at-zama]: info are given by @Daihongwei1900 here

@bcm-at-zama
Collaborator

Hello @Daihongwei1900. Could you be a bit more precise on what the "feature request" is and what the "motivation" is? Thank you.

@Daihongwei1900
Author

Ok, currently Concrete uses plaintext training models. Then, by encrypting the input parameters, the model prediction calculation is compiled into an FHE calculation circuit, so the predict algorithm is fixed and the circuit is also fixed. But there is the following scenario: Alice has a model but does not want to expose it to Bob, so she wants to encrypt the model and send it to Bob. Bob makes predictions based on the encrypted model, and Bob can also use a sparse matrix to filter type 0 data. But the problem is that, assuming the model weights are used as an encrypted input, Bob's data can only be compiled into an FHE circuit when it is certain, but the data that Bob needs to predict is uncertain, and it is impossible to predict once and then need to compile a new FHE circuit.


@RomanBredehoft
Collaborator

Hello @Daihongwei1900,
Just to make things clear, here's a summary of what you are trying to achieve:

  • Bob has some local clear inputs
  • Alice has a defined model with encrypted weights, which she sends to Bob (FHE circuit + encrypted weights)
  • Bob executes the model's inference locally using his clear inputs

What you seem to be afraid of is that Bob might always need to compile before being able to compute the predictions, but that this is not possible because the weights are encrypted. Am I right? 🙂

If so, then there are a few things to comment here. The short answer is that, in theory, your use case could be done as Bob will never need to compile, but it's not available in Concrete ML. Also, Bob won't be able to decrypt the model's predictions, only Alice will.

More precisely:

  • No, Bob does not need to compile before computing the predictions. This is because Alice can easily compile (in the clear) on her own using clear values, which should be representative of what kind of inputs Bob could give, as parameters. Once this is done, the FHE circuit will be able to evaluate any kind of clear inputs without having to be compiled again.
  • Once Bob executes the inference in FHE on his clear inputs, he'll get encrypted predictions but won't be able to decrypt them. This is because only Alice possesses the private key needed for decryption, as she is the one that encrypted the weights. Is this what you had in mind?
  • Unfortunately, this feature is not available in Concrete ML and we are not planning on working on it. Could you maybe indicate to us what kind of use case you are thinking of? Maybe it will help us better understand why such a feature could be important. In the meantime, if you really need to make this work, I can advise you to dig into our source code and try to implement it yourself. This could probably be done by modifying the models' compile methods so that they include clear inputs and encrypted weights, and then updating the predict methods accordingly as well. But I can't guarantee that this will automatically make it work. Again, I might be able to help you further if you detail your use case a bit more 😉

Hope this helps!
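
The clear-inputs / encrypted-weights flow described in this answer, as an added example that is not part of the original thread and is not Concrete ML code. It swaps in a toy Paillier scheme (additively homomorphic, which is enough for a linear model) in place of TFHE; the weights, inputs, key size and all function names are constructed for illustration.

```python
import math
import secrets

# Toy Paillier keypair from two known Mersenne primes (constructed, far too
# small for real use; production moduli are 2048 bits or more).
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1)        # Alice's private key
MU = pow(LAM, -1, N)           # valid because the generator is g = N + 1

def encrypt(m: int) -> int:
    """Alice: encrypt a signed integer; only the public modulus is needed."""
    r = secrets.randbelow(N - 2) + 1
    while math.gcd(r, N) != 1:             # randomness must be a unit mod N
        r = secrets.randbelow(N - 2) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c: int) -> int:
    """Alice only: requires LAM and MU. Maps the result back to a signed int."""
    m = (pow(c, LAM, N2) - 1) // N * MU % N
    return m - N if m > N // 2 else m

def bob_predict(enc_weights, enc_bias, x):
    """Bob: the fixed computation w.x + b on encrypted weights and clear inputs.
    Uses only public values: multiplying ciphertexts adds the plaintexts, and
    raising a ciphertext to a clear scalar multiplies its plaintext by it."""
    if len(x) != len(enc_weights):
        raise ValueError("input length must match the model")
    acc = enc_bias
    for cw, xi in zip(enc_weights, x):
        acc = acc * pow(cw, xi % N, N2) % N2
    return acc

def demo():
    weights, bias = [3, -2, 5], 7                   # Alice's secret model
    enc_w = [encrypt(w) for w in weights]           # what Alice sends to Bob
    enc_b = encrypt(bias)
    results = []
    for x in ([1, 4, 2], [0, -3, 10], [6, 6, 6]):   # Bob's varying clear inputs
        c = bob_predict(enc_w, enc_b, x)            # opaque to Bob
        results.append(decrypt(c))                  # decrypted back at Alice
    return results

if __name__ == "__main__":
    print(demo())
```

The same `bob_predict` runs unchanged on every input vector, and Bob never holds `LAM` or `MU`, so the predictions are readable only by Alice.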

@Daihongwei1900
Copy link
Author

Thank you very much, your answer solved my problem very well, I need to implement clear inputs and encrypted weights.
