
Encrypted-Input Obfuscation of Image Classifiers

  • Conference paper
Data and Applications Security and Privacy XXXV (DBSec 2021)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12840)


Abstract

We consider the problem of protecting image classifiers simultaneously from inspection attacks (i.e., attacks that have read access to all details in the program’s code) and black-box attacks (i.e., attacks that only have input/output access to the program). Our starting point is cryptographic program obfuscation, which guarantees some provable security against inspection attacks, in the sense that any such attack is not significantly more successful than a related black-box attack. We actually consider the recent model of encrypted-input cryptographic program obfuscation, which uses a key shared between the obfuscation deployer and the input encryptor to generate the obfuscated program. In this model we design an image classifier program and an encrypted-input obfuscator for it, showing that the classifier program is secure against both inspection and black-box attacks, under the existence of symmetric encryption schemes. We evaluate the accuracy of our classifier and show that it is significantly better than the random classifier and not much worse than more powerful classifiers (e.g., k-nearest neighbor) for which, however, no efficient obfuscator is known.


References

  1. National Institute of Advanced Industrial Science and Technology (AIST) and Japan Electronics and Information Technology Industries Association: The ETL Character Database. http://etlcdb.db.aist.go.jp/

  2. Bahler, L., DiCrescenzo, G., Polyakov, Y., Rohloff, K., Cousins, D.B.: Practical implementations of lattice-based program obfuscators for point functions. In: International Conference on High Performance Computing & Simulation, HPCS 2017 (2017)

  3. Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1

  4. Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)

  5. Bellare, M., Stepanovs, I.: Point-function obfuscation: a framework and generic constructions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 565–594. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_21

  6. Canetti, R., Micciancio, D., Reingold, O.: Perfectly one-way probabilistic hash functions (preliminary version). In: Proceedings of 30th ACM STOC, pp. 131–140 (1998)

  7. Cousins, D.B., et al.: Implementing conjunction obfuscation under entropic ring LWE. In: IEEE Symposium on Security and Privacy (SP), pp. 68–85 (2018)

  8. DiCrescenzo, G., Bahler, L., Coan, B.A., Polyakov, Y., Rohloff, K., Cousins, D.B.: Practical implementations of program obfuscators for point functions. In: Proceedings of HPCS 2016, pp. 460–467 (2016)

  9. DiCrescenzo, G., Bahler, L., Coan, B.A., Rohloff, K., Polyakov, Y.: Intrusion-resilient classifier approximation: from wildcard matching to range membership. In: Proceedings of IEEE TrustCom/BigDataSE (2018)

  10. DiCrescenzo, G., Bahler, L., McIntosh, A.: Encrypted-input program obfuscation: simultaneous security against white box and black box attacks. In: 8th IEEE Conference on Communications and Network Security, CNS 2020 (2020)

  11. Dodis, Y., Smith, A.D.: Correcting errors without leaking partial information. In: Proceedings of 37th ACM STOC, pp. 654–663. ACM (2005)

  12. Fredrikson, M., Jha, S., Ristenpart, T.: Model inversion attacks that exploit confidence information and basic countermeasures. In: Proceedings of 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1322–1333 (2015)

  13. Galbraith, S.D., Zobernig, L.: Obfuscated fuzzy hamming distance and conjunctions from subset product problems. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 81–110. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_4

  14. Hada, S.: Zero-knowledge and code obfuscation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 443–457. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_34

  15. Jolliffe, I.T.: Principal Component Analysis. Springer Series in Statistics, 2nd edn. Springer, New York (1986). https://doi.org/10.1007/978-1-4757-1904-8

  16. LeCun, Y., Cortes, C., Burges, C.J.: The MNIST database of handwritten digits. http://yann.lecun.com/exdb/mnist/

  17. Lynn, B., Prabhakaran, M., Sahai, A.: Positive results and techniques for obfuscation. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 20–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_2

  18. Mowforth, P., Shepherd, B.: Statlog (vehicle silhouettes) data set. https://archive.ics.uci.edu/ml/datasets/Statlog+%28Vehicle+Silhouettes%29

  19. Shokri, R., Stronati, M., Song, C., Shmatikov, V.: Membership inference attacks against machine learning models. In: IEEE Symposium on Security and Privacy, SP 2017, pp. 3–18 (2017)

  20. Song, L., Shokri, R., Mittal, P.: Membership inference attacks against adversarially robust deep learning models. In: 2019 IEEE Security and Privacy Workshops, SP Workshops, pp. 50–56 (2019)

  21. Souri, H., Dhraief, A., Tlili, S., Drira, K., Belghith, A.: Smart metering privacy-preserving techniques in a nutshell. In: Proceedings of 5th ANT and 4th SEIT. Procedia Comput. Sci. 32 (2014)

  22. Wee, H.: On obfuscating point functions. In: Proceedings of 37th ACM STOC, pp. 523–532 (2005)

  23. Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: Proceedings of 58th IEEE FOCS 2017, pp. 600–611 (2017)

  24. Yao, A.C.: How to generate and exchange secrets (extended abstract). In: Proceedings of 27th IEEE FOCS 1986, pp. 162–167 (1986)


Acknowledgements

Part of this work was supported by the Defense Advanced Research Projects Agency (DARPA) via U.S. Army Research Office (ARO), contract number W911NF-15-C-0233. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation hereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA, ARO or the U.S. Government.

Author information

Correspondence to Giovanni Di Crescenzo.

Appendices

A Basic Notations and Definitions

The expression \(\{0,1\}^n\) denotes the set of n-bit strings, where n is a positive integer. If S is a set, the expression \(x\leftarrow S\) denotes the probabilistic process of uniformly and independently choosing x from S. If A is an algorithm, the expression \(y\leftarrow A(x_1,x_2,\ldots )\) denotes the probabilistic process of running algorithm A on input \(x_1,x_2,\ldots \) and any random coins, and obtaining y as output.

A function \(\epsilon \) over the set of natural numbers \(\mathbb {N}\) is negligible in n if for every polynomial p, there exists an \(n_0\) such that \(\epsilon (n)<1/p(n)\), for all integers \(n\ge n_0\).

Two distribution ensembles \(\{D^0_\sigma :\sigma \in \mathbb {N}\}\) and \(\{D^1_\sigma :\sigma \in \mathbb {N}\}\) are computationally indistinguishable if for any efficient algorithm A, the quantity

$$\left| \mathrm{Prob}\left[ x\leftarrow D^0_\sigma :A(x)=1\right] -\mathrm{Prob}\left[ x\leftarrow D^1_\sigma :A(x)=1\right] \right| $$

is negligible in \(\sigma \) (i.e., no efficient algorithm can distinguish if a random sample came from one distribution or the other).
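Purely as an illustration of this definition, the distinguishing advantage can be estimated empirically for toy distributions. The sketch below uses a hypothetical `advantage` helper (not from the paper) that runs a candidate distinguisher A on fresh samples from each distribution and compares the empirical acceptance probabilities:

```python
import random

def advantage(D0, D1, A, trials=10_000, seed=0):
    # Monte Carlo estimate of |Pr[x <- D0 : A(x)=1] - Pr[x <- D1 : A(x)=1]|.
    rng = random.Random(seed)
    p0 = sum(A(D0(rng)) for _ in range(trials)) / trials
    p1 = sum(A(D1(rng)) for _ in range(trials)) / trials
    return abs(p0 - p1)

# Two copies of the same distribution: every distinguisher's
# empirical advantage should be close to 0.
uniform_byte = lambda rng: rng.getrandbits(8)
adv = advantage(uniform_byte, uniform_byte, lambda x: x >= 128)
assert adv < 0.05
```

This only checks an empirical estimate for one distinguisher, of course; the definition quantifies over all efficient algorithms A.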

B Cryptographic Program Obfuscation: Previous Models

B.1 Cryptographic Program Obfuscation: Original Model

Cryptographic program obfuscation schemes are usually defined as a pair of algorithms: an obfuscation generator and an obfuscation evaluator. On input the original program, the obfuscation generator returns an obfuscated version of it, called the obfuscated program. On input the obfuscated program and a program input, the obfuscation evaluator returns an output, which is intended to be the same as the original program’s output for this program input. Program obfuscation schemes are required to satisfy the following requirements: preserving the same computation, adding low runtime overhead, and offering the same security as a (virtual) black box. The latter says, informally, that any efficient adversary’s output bit on input the obfuscated program can be efficiently simulated given access to a black box computing the program. Now we proceed more formally.
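A classical example of this two-algorithm interface (not the construction of this paper) is point-function obfuscation via a cryptographic hash, in the spirit of [17, 22]. The sketch below is a heuristic that treats SHA-256 as a random oracle and assumes the secret point sv has high min-entropy:

```python
import hashlib
import os

def oGen(pv: bytes, sv: bytes) -> bytes:
    # Obfuscate the point function f_{pv,sv}(x) = 1 iff x == sv by
    # storing only a salted hash of sv; under the random-oracle
    # heuristic, gout reveals nothing useful about a high-entropy sv.
    salt = os.urandom(16)
    return salt + hashlib.sha256(salt + sv).digest()

def oEval(pv: bytes, gout: bytes, x: bytes) -> int:
    # Recompute the salted hash on x and compare with the stored digest.
    salt, digest = gout[:16], gout[16:]
    return int(hashlib.sha256(salt + x).digest() == digest)

gout = oGen(b"", b"high-entropy-secret-point")
assert oEval(b"", gout, b"high-entropy-secret-point") == 1
assert oEval(b"", gout, b"anything-else") == 0
```

Here pv is unused because a point function has no public parameters beyond its input length; richer function families would use it.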

Definition 1

We define a program obfuscation scheme for a family of functions F as a pair (oGen, oEval) of algorithms satisfying the following syntax:

  1. on input parameter values pv, sv of function \(f_{pv,sv}\in F\), the obfuscation generator algorithm oGen returns an output, denoted as gout, which is intended to be an obfuscated version of \(f_{pv,sv}\);

  2. on input parameter values pv, the obfuscation gout, and an input x, the obfuscation evaluator algorithm oEval returns an output, denoted as eout, which is intended to be the original program’s output on input x;

and the following requirements:

  1. Computation Correctness: Except with very small probability, it holds that \(eout=f_{pv,sv}(x)\).

  2. Low Runtime Overhead: oGen’s runtime is only polynomially slower than the circuit computing \(f_{pv,sv}\).

  3. Virtual-Black-Box Obfuscation: Any efficient adversary’s output bit on input the obfuscated program can be efficiently simulated given access to a black box computing the program. A bit more formally: for any efficient adversary Adv given pv, gout as input, there exists an efficient simulator algorithm Sim given pv as input and oracle access to a black box computing \(f_{pv,sv}\), such that the probability that Adv returns 1 and the probability that Sim returns 1 differ only by a negligible amount.

B.2 Cryptographic Obfuscation of Classifiers

We review the definition of cryptographic obfuscation of classifiers, from [9].

In line with Kerckhoffs’s principle of modern cryptography, this definition assumes that the description of algorithms CTrain and CMatch is known to an adversary, while the dataset ds and the matching auxiliary input maux returned by CTrain are not. An intrusion attack on a classifier is defined as an attack capable of obtaining the matching auxiliary input maux returned by CTrain on input ds and a class number c. Accordingly, classifiers are defined so that an intrusion attack does not leak any true/false property about maux, other than what is possibly leaked by the capability of performing remote calls to algorithm CMatch\((\cdot ,maux)\). In other words, the classifier CMatch\((\cdot ,maux)\) would look to an adversary very much like a virtual black box, in the sense of Definition 1. Specifically, this intrusion-resiliency notion for classifiers says that an adversary’s 1-bit output obtained when given as input the output maux of algorithm CTrain can be simulated, up to a small error, by the output of an efficient algorithm Sim that does not know maux but can query the algorithm CMatch as an oracle. More formally, the classifier (CTrain, CMatch) satisfies intrusion resiliency with respect to dataset distribution D if for all probabilistic polynomial-time algorithms A, there exists a probabilistic polynomial-time algorithm Sim with black-box access to CMatch\((\cdot ,maux)\) such that the quantity

$$|\mathrm{Prob}\left[ \mathrm{AdvExp}_\mathrm{IR}(1^k,c)=1\right] - \mathrm{Prob}\left[ \mathrm{SimExp}_\mathrm{IR}(1^k)=1\right] |$$

is negligible in the security parameter k, where the probability experiments \(\mathrm{AdvExp}_\mathrm{IR},\mathrm{SimExp}_\mathrm{IR}\) are detailed below.

(Figure b of the original paper specifies the probability experiments \(\mathrm{AdvExp}_\mathrm{IR}\) and \(\mathrm{SimExp}_\mathrm{IR}\).)

B.3 Encrypted-Input Obfuscation: The Model

This model, introduced in [10], extends the original 2-algorithm model of program obfuscation (including an obfuscation generator and an obfuscation evaluator, as reviewed in Appendix B.1) to a 4-algorithm model that additionally includes a key generator and an input encryptor. The key generator returns a random key to be used by the obfuscation generator to generate its obfuscation of the program, and by the input encryptor to generate an encrypted input on which the obfuscation evaluator can be run. The changes to the computation correctness requirement are only of syntactic nature. The runtime requirements extend to the input encryption algorithm as well. The obfuscation property is strengthened in that the adversary’s output on input the obfuscated program can be efficiently simulated by an algorithm given only public information and, in particular, without need for black-box access to the original program.
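To make the four algorithms concrete, here is a minimal sketch for a point function, assuming HMAC-SHA256 as the shared-key pseudorandom function. This illustrates the syntax only; it is not the paper’s classifier obfuscator:

```python
import hashlib
import hmac
import os

def kGen(sigma: int = 32) -> bytes:
    # Random key shared between obfuscation generator and input encryptor.
    return os.urandom(sigma)

def oGen(k: bytes, pv: bytes, sv: bytes):
    # gout is a hash of a PRF output, so (heuristically) it can be
    # simulated without sv when sv has high min-entropy.
    tag = hmac.new(k, sv, hashlib.sha256).digest()
    gout = hashlib.sha256(tag).digest()
    iaux = b""  # no auxiliary input needed in this toy construction
    return gout, iaux

def iEnc(k: bytes, pv: bytes, iaux: bytes, x: bytes) -> bytes:
    # Encrypted input: the PRF evaluation of x under the shared key.
    return hmac.new(k, x, hashlib.sha256).digest()

def oEval(pv: bytes, gout: bytes, iout: bytes) -> int:
    # f_{pv,sv}(x) = 1 iff x == sv, evaluated on the encrypted input.
    return int(hashlib.sha256(iout).digest() == gout)

k = kGen()
gout, iaux = oGen(k, b"", b"some-high-entropy-secret")
assert oEval(b"", gout, iEnc(k, b"", iaux, b"some-high-entropy-secret")) == 1
assert oEval(b"", gout, iEnc(k, b"", iaux, b"other-input")) == 0
```

Note how oEval needs neither the key nor the secret value: anyone holding the obfuscated program can evaluate it, but only the key holder can produce valid encrypted inputs.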

Definition 2

Let F be a family of functions. We define an encrypted-input program obfuscator for F as a 4-tuple (kGen, oGen, iEnc, oEval) of algorithms satisfying the following syntax:

  1. on input a security parameter, the key generator algorithm kGen returns a random key k;

  2. on input k and parameter values pv, sv of function \(f_{pv,sv}\in F\), the obfuscation generator algorithm oGen returns an output, denoted as gout, which is intended to be an obfuscated version of \(f_{pv,sv}\), and an output, denoted as iaux, intended to be an auxiliary input for the input encryptor algorithm;

  3. on input k, parameter values pv of function \(f_{pv,sv}\in F\), auxiliary input iaux, and input x, the input encryptor algorithm iEnc returns an output, denoted as iout, intended to be an encrypted version of input x to function \(f_{pv,sv}\);

  4. on input parameter values pv, the obfuscation gout, and the encrypted input iout, the obfuscation evaluator algorithm oEval returns an output, denoted as eout, which is intended to be the original program’s output on input x;

and the following requirements:

  1. Computation Correctness: Except with very small probability, it holds that \(eout=f_{pv,sv}(x)\).

  2. Low Runtime Overhead: the sum of iEnc’s and oGen’s runtimes is only polynomially slower than the circuit computing \(f_{pv,sv}\).

  3. Simulated-View Obfuscation: The obfuscated program returned by algorithm oGen can be efficiently simulated given only the program’s public parameters. Formally, there exists a polynomial-time algorithm Sim such that for any function \(f_{pv,sv}\) from the family of functions F, and any distribution hD returning secret parameter values sv with high min-entropy, the distributions \(D_{view}\) and \(D_{sim}\) are computationally indistinguishable, where

    $$\begin{aligned} D_{view} \, =&\{sv\leftarrow hD;\, k\leftarrow kGen(1^\sigma ); gout\leftarrow oGen(k,pv,sv)\,:\, gout\}, \\ D_{sim} \, =&\{gout\leftarrow Sim(1^\sigma ,pv)\,:\, gout\}. \end{aligned}$$

C Encrypted-Input Classifier Obfuscation: Formal Model

Let F be a function and let MC = (CTrain, CMatch) be a matching classifier for F, as defined in Sect. 2.1. The public parameter values of MC, denoted as pv(MC), are available to all parties, including an attacker. The secret parameter values of MC, denoted as sv(MC), are only available to the obfuscation generator. In our model, we consider the description of CTrain and CMatch as known to the attacker, while the dataset, the secret data sample and its class are unknown to the attacker. Thus, we have pv = (desc(CTrain), desc(CMatch), n, N) and \(sv=(ds,cl,d_0,c_0)\), where \(c_0=F(d_0)\). An encrypted-input obfuscator for MC is defined as a 4-tuple of algorithms: a key generator, an obfuscation generator, an input encryptor, and an obfuscation evaluator, which must satisfy three properties: computation correctness, low runtime overhead, and simulated-view obfuscation.
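For intuition, a hypothetical matching classifier in this interface could match an input against the centroid of the class-cl training samples. The rule below is an assumption for illustration only, not the paper’s CTrain/CMatch; the threshold and the unused \(d_0\) parameter are likewise placeholders:

```python
import math

def CTrain(ds, cl, d0):
    # Hypothetical matching rule: maux (the secret matching auxiliary
    # input) is the centroid of the class-cl samples plus a distance
    # threshold. d0 is kept for signature compatibility but unused here.
    pts = [d for (d, c) in ds if c == cl]
    dim = len(pts[0])
    centroid = [sum(p[i] for p in pts) / len(pts) for i in range(dim)]
    return (centroid, 1.0)  # (centroid, threshold)

def CMatch(d, maux):
    # Output 1 iff d lies within the threshold distance of the centroid.
    centroid, thr = maux
    return int(math.dist(d, centroid) <= thr)

ds = [((0.0, 0.0), 1), ((0.2, 0.0), 1), ((5.0, 5.0), 2)]
maux = CTrain(ds, 1, (0.1, 0.0))
assert CMatch((0.1, 0.0), maux) == 1
assert CMatch((5.0, 5.0), maux) == 0
```

An encrypted-input obfuscator for such a classifier would then hide maux inside gout while letting oEval reproduce CMatch’s output on encrypted inputs.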

Definition 3

Let F be a function and let MC = (CTrain, CMatch) be a matching classifier for F. We define an encrypted-input program obfuscator for matching classifier MC as a 4-tuple icO = (kGen, oGen, iEnc, oEval) of algorithms satisfying the following syntax

  1. on input a security parameter, the key generator algorithm kGen returns a random key k;

  2. on input key k, public parameter values pv(MC) and secret parameter values sv(MC) for classifier MC, the obfuscation generator algorithm oGen returns an output, denoted as gout, which is intended to be an obfuscated version of MC, and an output, denoted as iaux, which is intended to be an encryption auxiliary input for the input encryptor algorithm iEnc;

  3. on input key k, public parameter values pv(MC) for MC, encryption auxiliary input iaux, and data input d, the input encryptor algorithm iEnc returns an output, denoted as iout, which is intended to be an encrypted version of input d to algorithm CMatch;

  4. on input public parameter values pv(MC), the obfuscation gout and the encrypted input iout, the obfuscation evaluator algorithm oEval returns an output, denoted as eout. The latter is intended to be equal to CMatch’s output when run on input d, maux, where maux has been returned by algorithm CTrain on input \(ds,cl,d_0\);

and the following requirements:

  1. Computation Correctness: Except with very small probability, it holds that \(eout=\) CMatch(d, maux), where \(maux=\) CTrain\((ds,cl,d_0)\).

  2. Low Runtime Overhead: the sum of iEnc’s and oGen’s runtimes is not significantly slower than the program computing CMatch with public parameter values pv(MC) and secret parameter values sv(MC).

  3. Simulated-View Obfuscation: The obfuscated program returned by algorithm oGen can be efficiently simulated given only the program’s public parameters pv(MC). Formally, there exists a polynomial-time algorithm Sim such that for any matching classifier MC for function F, and any distribution hD returning secret parameter values sv(MC) with high min-entropy, the distributions \(D_{view}\) and \(D_{sim}\) are computationally indistinguishable, where

    $$\begin{aligned} D_{view} \, =&\{sv(MC)\leftarrow hD;\, k\leftarrow kGen(1^n);\, gout\leftarrow oGen(k,pv(MC),sv(MC))\,:\, gout\}, \\ D_{sim} \, =&\{gout\leftarrow Sim(1^n,pv(MC))\,:\, gout\}. \end{aligned}$$


Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper

Cite this paper

Di Crescenzo, G., Bahler, L., Coan, B.A., Rohloff, K., Cousins, D.B., Polyakov, Y. (2021). Encrypted-Input Obfuscation of Image Classifiers. In: Barker, K., Ghazinour, K. (eds) Data and Applications Security and Privacy XXXV. DBSec 2021. Lecture Notes in Computer Science, vol. 12840. Springer, Cham. https://doi.org/10.1007/978-3-030-81242-3_8

  • DOI: https://doi.org/10.1007/978-3-030-81242-3_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81241-6

  • Online ISBN: 978-3-030-81242-3
