tf-encrypted / tf-encrypted

A Framework for Encrypted Machine Learning in TensorFlow

Home Page:https://tf-encrypted.io/


How to show others that the tfe is calculated on encrypted data

giraffeCjl opened this issue · comments

How to prove that the tfe is calculated on encrypted data, and how to output the cipher text on the screen

Same question. It seems only one party has the code of all participants. The participants run a server and execute whatever serialized TensorFlow code comes from the party who has the code.
I cannot figure out how to prevent the attack from the code-owning-party.

It's true, the assumption is that TFE is working under a "semi-honest" model, which assumes each party will not input malicious code.

I think you can print the tensors' private shares?

FWIW, we are thinking quite deeply about how to fix this problem in future versions of TFE. But for now we only offer semi-honest (aka honest-but-curious) security, and protocols have been chosen to reflect that.

Yes, thank you very much. I output the res of share0 share1 received by the client and the result of the reconstruction in serving.queue.py. However, I would like to confirm whether the server queue can only output ‘PrivateVariableTensor’, and cannot output more specific cipher text data?

Not sure what "more specific" means? Another idea is to use Wireshark and prove that all the client sends is garbage.

After all, for "self explanation of encryption", it's a non-technical problem. If we are explaining to experts: they can read the code and principles of tensorflow and understand. If we are explaining to amateurs: we can do little but turn to some authorities.

Think about TLS. We cannot prove to amateur users that they are using TLS. The browser knows and displays the small green lock.

Thanks for your reply, wireshark is a viable solution. The so-called "more specific cipher text data" in my previous reply specifically means that the received cipher text results res0 and res1 can be displayed in the client's queue after the serving.queue is modified. As follows:

```
client receive res0=[[ 5730197383056108649 -8044159209635188031 -6474695322747194592
4117684784137995022 2279567127167594191 2195900835685255744
7954257491915333116 9125929943490188473 -8193924721796951882
267470554535613555]]
Client receive res1=[[-5730197383056487038 8044159209635275887 6474695322746924586
-4117684704138289542 -2279567127167787597 -2195900835685573887
-7954257491915669889 -9125929943490388354 8193924721796770674
-267470554535841591]]
Client receive result=[[-57.67245846669715 13.390641670477061 -41.15317786922725
-44.88949855204999 -29.478128334095413 -48.49001676573693
-51.32952293857644 -30.46502057613169 -27.618960524310317
-34.75628715134888]]
The image had label 1 and was correctly classified as 1
```

However, on the server side, I can currently only output ‘PondPrivateTensor’ in the queue as shown below. I don’t know if there is any way to output the ciphertext, proving that the server is calculating the ciphertext.

```
server1 received input=PondPrivateTensor(shape=(1, 784))
served encrypted prediction 1 to client.
server1 received input=PondPrivateTensor(shape=(1, 784))
served encrypted prediction 2 to client.
server1 received input=PondPrivateTensor(shape=(1, 784))
served encrypted prediction 3 to client.
```

The individual shares of a PondPrivateTensor are attributes share0 and share1
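
What the two shares printed in this thread are, as an added example (not code from the thread or from tf-encrypted): each share alone is a uniformly random ring element, and only their sum decodes to the prediction. The 2^64 modulus and the 3^8 scaling factor are assumptions inferred from the posted numbers, and the function names are hypothetical.

```python
import secrets

MODULUS = 2 ** 64   # assumption: shares live in the int64 ring
SCALE = 3 ** 8      # assumption: 6561, inferred from the posted res0/res1/result

def to_signed(x):
    """Map a ring element to the signed int64 range, as the logs print it."""
    x %= MODULUS
    return x - MODULUS if x >= MODULUS // 2 else x

def encode(value):
    """Fixed-point encode a float as a ring element."""
    return round(value * SCALE) % MODULUS

def share(value):
    """Split a float into two additive shares; each one alone is uniformly random."""
    share0 = secrets.randbelow(MODULUS)
    share1 = (encode(value) - share0) % MODULUS
    return to_signed(share0), to_signed(share1)

def reconstruct(share0, share1):
    """Add the shares in the ring, then undo the fixed-point scaling."""
    return to_signed(share0 + share1) / SCALE

# First three elements of res0, res1 and result as posted in the thread.
RES0 = [5730197383056108649, -8044159209635188031, -6474695322747194592]
RES1 = [-5730197383056487038, 8044159209635275887, 6474695322746924586]
POSTED = [-57.67245846669715, 13.390641670477061, -41.15317786922725]

def check_posted():
    """Largest gap between our reconstruction and the posted plaintext result."""
    rebuilt = [reconstruct(a, b) for a, b in zip(RES0, RES1)]
    return max(abs(r - p) for r, p in zip(rebuilt, POSTED))

if __name__ == "__main__":
    print("max error vs posted result:", check_posted())
    # Same plaintext shared twice: the shares differ on every run, which is
    # why a single server's share (or a packet capture of it) looks like noise.
    for _ in range(2):
        print(share(POSTED[0]))
```
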