321 likes | 599 Vues
Blind Vision Shai Avidan, Moshe Butman. Yuval Schwartz. Ethic Problems. Proliferation of surveillance cameras leads to privacy concerns Protection by all-the-way video encryption Problems: What happens if a virus attacks the server? What if the service provider is not trusted?
E N D
Blind VisionShai Avidan, Moshe Butman Yuval Schwartz
Ethic Problems • Proliferation of surveillance cameras leads to privacy concerns • Protection by all-the-way video encryption • Problems: • What happens if a virus attacks the server? • What if the service provider is not trusted? • Common Examples: • Web face detection • Government agency compares private images to suspects • CPU shortage • Blind OCR
Introduction • Face Detection: • Alice: a set of images privacy is a must • Bob: a face detection algorithm a secret algorithm • Demands: • Alice: will learn nothing about Bob’s detector • Bob: will learn nothing about Alice’s images nor the detector’s result • Apply secure multi-party techniques to vision algorithms to enforce the demands • Computationally intensive • Domain specific constaints new schemes secure enough (?)
Agenda • Secure multi-party computation • Secure two-party problem and algorithm • Oblivious Transfer • Specific: • Millionaire problem • Secure dot-product • Secure Classifier • Complexity and Efficiency • New Scheme to Accelerate: • Image Hashing using HoG • Experiments • Results
Secure two-party problem1 • Problem description: • F – polytime function • X – Alice’s input • Y – Bob’s input • F(X,Y) – output • Demands: • Alice won’t know Y • Bob won’t know X • Alice and/or Bob will know F(X,Y) 1. A.C. Yao, How to generate and exchange secrets, 27th FOCS, pp. 162-167, 1986
Yao’s Protocol • General Idea: • Imagine F as a boolean circuit C (has boolean gates) • A method to run the circuit: • without revealing the input wires values • The output must be exposed
Boolean Gate 1 3 2 Wire Boolean Gate • Demands: Can’t reveal input bits and if it’s a middle gate then also the output bit • Problem: Seams impossible to calculate the gate with values unknown
Boolean Gate 1 3 2 Input Wire W1 Input Wire W1 Input Wire W2 Input Wire W2 Output Wire W3 Output Wire W3 Input Wire W1 Input Wire W2 Output Wire W3 Garbled Wire W3 Boolean Gate Computation Table: Example: OR Gate
K K K K K K K K K K K K K E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) E(E(K) G2 G6 G4 G5 G3 G1 GB G7 GA G9 GD GC G8 K K K K K K K K K K K K K Garbled Circuit Output Decryption Table
Yao’s Protocol • Problem: • Alice doesn’t have the input map • Bob can’t give the whole input map • Solution: • Oblivious Transfer Alice Bob
Oblivious Transfer2,3 2. M.O. Rabin, How to exchange secrets by oblivious transfer, Tech. Memo TR-81, Aiken Computation Laboratory, 1984 3. S. Even, O. Goldreich and A. Lempel, A Randomized Protocol for Signing Contracts, Communications of the ACM 28, pp. 637-647, 1985
K K K’ S0 S0 K1 K0 K0 S1 Oblivious Transfer
Secure Dot-Product • Input: • Alice: • Bob: • Output: • Demands: Bob won’t know x and Alice won’t know y • Idea: • Break the result of the dot product to a+b,where a is known only to Alice and b is known only to Bob.
OT OT OT Secure Dot-Product Bob Alice
Secure Dot-Product • Security: • From Alice to Bob: the use of OT hides xi • From Bob to Alice: b as a random vector hides y • Complexity:L – the dimensionality of x and y
> < = Secure Millionaire • Idea: represent the two numbers in binary format and scan it from the MSB to the LSB with a map made by Bob and Alice traversing the map
Input: Alice has a number x = 855 = 1101010111 Bob has a number y = 810 = 1100101010 Secure Millionaire Output: Alice and Bob find out if x > y 1. Bob defines three states: 2. For MSB, Bob constructs a 2-entry lookup table z(n) Alice uses with xn as her index to obtain s(n)=z(n)(xn)
yi=0 yi=1 A A B B U B A A B B A U Secure Millionaire x = 855 = 1101010111 y = 810 = 1100101010 3. For each i=n-1,…,1: (a) Bob constructs a 6-entry lookup table z(i) that is indexed by s(i+1) and xi: (b) Alice uses with s(i+1) and xi as her indices to obtain s(i)=Z(i)(s(i+1),xi) 4. Bob sends Alice the meaning of the three states of s(1) Alice knows which number is larger (and can send the result to Bob)
Secure Millionaire • Security: • From Alice to Bob: Alice uses OT so Bob can’t learn nothing about x • From Bob to Alice: the values of the state s are represented using random numbers for each bit • Complexity: n – number of bits in x and y
> < = Secure Dot-Product Secure Millionaire Secure Classifier Input: Alice has input test pattern Bob has a strong classifier of the form Output: Alice has the result H(x) and nothing else Bob learns nothing about the test pattern x
Secure Classifier • Security: • Secure dot-product • s as a random vector for obfuscating the real parameters • Alice can learn the number of week classifiers • Complexity: O(NLK)N – number of weak classifiersL – dimensionality of the test vector xK – number of bits in the dot-product xTyn • Problem: a few seconds to a few minutes to classify a detection window
Accelerating Blind Vision • Reduce number of operations taken for OT • Bob reveals stripped-down classifier to Alice • One-way hash functions: • Hides Alice’s Image • Still let Bob correctly classify the patterns • Classifier won’t work on hashed space
HoG • Usefull in a variety of object recognition and detection applications • Parameters for hash function: • Destroys the spatial order of the pixels • Destroys the absolute values of the pixels • Coarsely binned
HoG • 18 bins • Build an image for every bin (18 response images) where a pixel’s intensity represents the bin value • Scrambling the order of pixelsdestroys spatial relationship between the HoGs
Experiments • Secure Viola-Jones type face detector: • Small number of critical visual features from a larger set • Cascade rejectors • Adjustments were made • Alice and Bob are allowed to a decide after every level of the cascade
Results • A single 24x24 detection window can be classified in several minutes using all cascade levels • Usually the first two levels are enough to reject a pattern • Accelerating: using scrambled HoGs and neural network to analyse – several seconds to process a single 240x320 image (rejects 90%)
Flaws • No mathematical security proofs
More Reading… • S. Avidan, M. Butman, Efficient Methods for Privacy Preserving Face Detection, Advances in Neural Information Systems (NIPS 18), 2006 • A.C. Yao, How to generate and exchange secrets, 27th FOCS, pp. 162-167, 1986