New security protocol protects data in cloud-based calculations from attackers

Deep learning models are used in many fields, from healthcare diagnostics to financial forecasting, but they are so computationally intensive that they require powerful cloud-based servers.

This reliance on cloud computing poses significant security risks, especially in areas such as healthcare, where hospitals may be hesitant to use AI tools to analyze confidential patient data because of privacy concerns.

To address this problem, researchers at MIT have developed a security protocol that uses the quantum properties of light to ensure that data sent to and from a cloud server remains secure during deep learning computations.

By encoding data into the laser light used in fiber optic communication systems, the protocol takes advantage of fundamental principles of quantum mechanics and makes it impossible for an attacker to copy or intercept the information without being detected.

In addition, the technique guarantees security without compromising the accuracy of the deep learning models. In tests, the researchers were able to demonstrate that their protocol could maintain 96 percent accuracy while providing robust security guarantees.

“Deep learning models like GPT-4 have unprecedented capabilities but require enormous computational resources. Our protocol enables users to leverage these powerful models without compromising the privacy of their data or the proprietary nature of the models themselves,” says Kfir Sulimany, an MIT postdoc in the Research Laboratory for Electronics (RLE) and lead author of a paper on this security protocol.

Sulimany is joined on the paper by Sri Krishna Vadlamani, an MIT postdoc; Ryan Hamerly, a former postdoc now at NTT Research, Inc.; Prahlad Iyengar, a PhD student in Electrical Engineering and Computer Science (EECS); and senior author Dirk Englund, a professor in EECS, principal investigator of the Quantum Photonics and Artificial Intelligence Group and of RLE. The research was recently presented at the Annual Conference on Quantum Cryptography.

A two-way street for security in deep learning

The cloud-based computing scenario the researchers focused on involves two parties: a client that holds sensitive data, such as medical images, and a central server that runs a deep learning model.

The client wants to use the deep learning model to make a prediction based on the medical images, such as whether a patient has cancer, without revealing any information about the patient.

In this scenario, sensitive data must be transmitted to generate a prediction, yet the patient data must remain protected.

In addition, the server does not want to reveal any part of the proprietary model that a company like OpenAI has spent years and hundreds of thousands of dollars building.

“Both parties need to hide something,” adds Vadlamani.

In digital computation, a malicious actor could easily copy the data sent by the server or the client.

Quantum information, on the other hand, cannot be copied perfectly. The researchers exploit this property, known as the no-cloning principle, in their security protocol.

In the researchers' protocol, the server encodes the weights of a deep neural network into an optical field using laser light.

A neural network is a deep learning model made up of layers of interconnected nodes, or neurons, that perform computations on data. The weights are the components of the model that perform the mathematical operations on each input, one layer at a time. The output of one layer is fed into the next layer until the final layer generates a prediction.

The server transmits the network's weights to the client, which performs operations on them to obtain a result based on its private data. That data remains shielded from the server.

At the same time, the security protocol allows the client to measure only one result and, because of the quantum nature of light, prevents the client from copying the weights.

Once the client feeds the first result into the next layer, the protocol is designed to cancel out the first layer so that the client cannot learn anything further about the model.

“Instead of measuring all the light coming in from the server, the client measures only the light needed to run the deep neural network and feeds the result into the next layer. Then the client sends the remaining light back to the server for security checks,” explains Sulimany.

Because of the no-cloning theorem, the client unavoidably introduces tiny errors into the model while measuring its result. When the server receives the residual light from the client, it can measure these errors to determine whether any information was leaked. Importantly, this residual light is proven not to reveal the client's data.

A practical protocol

Modern telecommunications equipment typically uses optical fibers to transmit information because it must support enormous bandwidth over long distances. Since this equipment already contains optical lasers, the researchers can encode data into light for their security protocol without any special hardware.

When the researchers tested their approach, they found that it could guarantee security for both server and client while enabling the deep neural network to achieve 96 percent accuracy.

The small amount of information about the model that leaks when the client performs operations amounts to less than 10 percent of what an adversary would need to recover any hidden information. In the other direction, a malicious server could obtain only about 1 percent of the information it would need to steal the client's data.

“You can be confident that it is secure in both directions – from client to server and from server to client,” says Sulimany.

“A few years ago, when we demonstrated distributed machine learning inference between MIT's main campus and MIT Lincoln Laboratory, it dawned on me that we could do something entirely new to provide security at the physical level, building on years of work in quantum cryptography that had also been shown on that test bench,” says Englund. “However, there were many deep theoretical challenges that had to be overcome to see whether this prospect of privacy-preserving distributed machine learning could be realized. This only became possible when Kfir joined our team, as Kfir understood the experimental and theoretical components like no one else and developed the unified framework underlying this work.”

In the future, the researchers would like to explore how this protocol could be applied to a technique called federated learning, in which multiple parties use their data to train a central deep learning model. It could also be used in quantum operations, rather than the classical operations they studied for this work, which could offer advantages in both accuracy and security.

“This work combines, in a clever and interesting way, techniques from fields that do not normally meet, namely deep learning and quantum key distribution. By using methods from the latter, it adds a layer of security to the former while allowing for a seemingly realistic implementation. This can be interesting for privacy protection in distributed architectures. I look forward to seeing how the protocol behaves under experimental imperfections and its practical implementation,” says Eleni Diamanti, CNRS research director at Sorbonne University in Paris, who was not involved in this work.

This work was supported in part by the Israel Council for Higher Education and the Zuckerman STEM Leadership Program.