Formal Privacy Proof of Data Encoding: The Possibility and Impossibility of Learnable Encryption
Author(s)
Xiao, Hanshen; Suh, G. Edward; Devadas, Srinivas
Publisher with Creative Commons License
Creative Commons Attribution
Abstract
We initiate a formal study on the concept of learnable obfuscation and aim to answer the following question: is there a type of data encoding that maintains the "learnability" of encoded samples, thereby enabling direct model training on transformed data, while ensuring the privacy of both plaintext and the secret encoding function? This long-standing open problem has prompted many efforts to design such an encryption function, for example, NeuraCrypt and TransNet. Nonetheless, all existing constructions are heuristic without formal privacy guarantees, and many successful reconstruction attacks are known on these constructions assuming an adversary with substantial prior knowledge.
We present both generic possibility and impossibility results pertaining to learnable obfuscation. On one hand, we demonstrate that any non-trivial, property-preserving transformation which enables effectively learning over encoded samples cannot offer cryptographic computational security in the worst case. On the other hand, from the lens of information-theoretical security, we devise a series of new tools to produce provable and useful privacy guarantees from a set of heuristic obfuscation methods, including matrix masking, data mixing and permutation, through noise perturbation. Under the framework of PAC Privacy, we show how to quantify the leakage from the learnable obfuscation built upon obfuscation and perturbation methods against adversarial inference. Significantly sharpened utility-privacy tradeoffs are achieved compared to state-of-the-art accounting methods when measuring privacy against data reconstruction and membership inference attacks.
Description
CCS ’24, October 14–18, 2024, Salt Lake City, UT, USA
Date issued
2024-12-02
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
ACM|Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
Citation
Xiao, Hanshen, Suh, G. Edward and Devadas, Srinivas. 2024. "Formal Privacy Proof of Data Encoding: The Possibility and Impossibility of Learnable Encryption."
Version: Final published version
ISBN
979-8-4007-0636-3