Blind Vision Shai Avidan, Moshe Butman Yuval Schwartz

Ethic Problems Proliferation of surveillance cameras leads to privacy concerns Protection by all-the-way video encryption Problems: –What happens if a virus attacks the server? –What if the service provider is not trusted? Common Examples: –Web face detection –Government agency compares private images to suspects –CPU shortage –Blind OCR

Introduction Face Detection: –Alice: a set of images  privacy is a must –Bob: a face detection algorithm  a secret algorithm Demands: –Alice: will learn nothing about Bob ’ s detector –Bob: will learn nothing about Alice ’ s images nor the detector ’ s result Apply secure multi-party techniques to vision algorithms to enforce the demands –Computationally intensive –Domain specific constaints  new schemes  secure enough (?)

Agenda Secure multi-party computation –Secure two-party problem and algorithm –Oblivious Transfer –Specific: Millionaire problem Secure dot-product Secure Classifier –Complexity and Efficiency New Scheme to Accelerate: –Image Hashing using HoG Experiments Results

Secure two-party problem 1 Problem description: –F – polytime function –X – Alice ’ s input –Y – Bob ’ s input –F(X,Y) – output –Demands: Alice won ’ t know Y Bob won ’ t know X Alice and/or Bob will know F(X,Y) 1. A.C. Yao, How to generate and exchange secrets, 27th FOCS, pp , 1986

Yao ’ s Protocol General Idea: –Imagine F as a boolean circuit C (has boolean gates) –A method to run the circuit: without revealing the input wires values The output must be exposed

Boolean Gate Demands: Can ’ t reveal input bits and if it ’ s a middle gate then also the output bit Wire Problem: Seams impossible to calculate the gate with values unknown

Boolean Gate Computation Table: Output Wire W 3 Input Wire W 2 Input Wire W 1 Example: OR Gate Output Wire W 3 Input Wire W 2 Input Wire W 1 Output Wire W 3 Input Wire W 2 Input Wire W 1 Garbled Wire W 3

Garbled Circuit G1 E(E(K) K K G2 E(E(K) K K G3 E(E(K) K K G4 E(E(K) K K G5 E(E(K) K K G6 E(E(K) K K G7 E(E(K) K K G8 E(E(K) K K G9 E(E(K) K K GB E(E(K) K K GC E(E(K) K K GD E(E(K) K K GA E(E(K) K K Output Decryption Table

Yao ’ s Protocol Problem: Alice doesn ’ t have the input map Bob can ’ t give the whole input map Solution: Oblivious Transfer

Oblivious Transfer 2,3 2. M.O. Rabin, How to exchange secrets by oblivious transfer, Tech. Memo TR-81, Aiken Computation Laboratory, S. Even, O. Goldreich and A. Lempel, A Randomized Protocol for Signing Contracts, Communications of the ACM 28, pp , 1985

Oblivious Transfer S0S0 S1S1 K1K1 K0K0 K K0K0 K K’K’ S0S0

Secure Dot-Product Input: –Alice: –Bob: Output: –Demands: Bob won ’ t know x and Alice won ’ t know y Idea: –Break the result of the dot product to a+b, where a is known only to Alice and b is known only to Bob.

Secure Dot-Product OT

Secure Dot-Product Security: –From Alice to Bob: the use of OT hides x i –From Bob to Alice: b as a random vector hides y Complexity: L – the dimensionality of x and y

Secure Millionaire Idea: represent the two numbers in binary format and scan it from the MSB to the LSB with a map made by Bob and Alice traversing the map > < =

Secure Millionaire Input: Alice has a number x = 855 = Bob has a number y = 810 = Output: Alice and Bob find out if x > y 1. Bob defines three states: Alice has a larger numberA Bob has a larger numberB UndecidedU 2. For MSB, Bob constructs a 2-entry lookup table z (n) y n =1y n =0 BUx n =0 UAx n =1 Alice uses with x n as her index to obtain s (n)= z (n) (x n )

Secure Millionaire 3. For each i=n-1, …,1: (a) Bob constructs a 6-entry lookup table z (i) that is indexed by s (i+1) and x i : UA BB AA BU BB AA y i =1y i =0 (b) Alice uses with s (i+1) and x i as her indices to obtain s (i) =Z (i) (s (i+1),x i ) 4. Bob sends Alice the meaning of the three states of s (1)  Alice knows which number is larger (and can send the result to Bob) x = 855 = y = 810 =

Secure Millionaire Security: –From Alice to Bob: Alice uses OT so Bob can ’ t learn nothing about x –From Bob to Alice: the values of the state s are represented using random numbers for each bit Complexity: n – number of bits in x and y

Secure Classifier Input: Alice has input test pattern Bob has a strong classifier of the form Output: Alice has the result H(x) and nothing else Bob learns nothing about the test pattern x Secure Dot-Product Secure Millionaire > < =

Secure Classifier Security: –Secure dot-product –s as a random vector for obfuscating the real parameters –Alice can learn the number of week classifiers Complexity: O(NLK) N – number of weak classifiers L – dimensionality of the test vector x K – number of bits in the dot-product x T y n Problem: a few seconds to a few minutes to classify a detection window

Accelerating Blind Vision Reduce number of operations taken for OT Bob reveals stripped-down classifier to Alice One-way hash functions: –Hides Alice ’ s Image –Still let Bob correctly classify the patterns –Classifier won ’ t work on hashed space

HoG Usefull in a variety of object recognition and detection applications Parameters for hash function: –Destroys the spatial order of the pixels –Destroys the absolute values of the pixels –Coarsely binned

HoG

18 bins Build an image for every bin (18 response images) where a pixel ’ s intensity represents the bin value Scrambling the order of pixels destroys spatial relationship between the HoGs

Experiments Secure Viola-Jones type face detector: –Small number of critical visual features from a larger set –Cascade rejectors –Adjustments were made –Alice and Bob are allowed to a decide after every level of the cascade

Results A single 24x24 detection window can be classified in several minutes using all cascade levels Usually the first two levels are enough to reject a pattern Accelerating: using scrambled HoGs and neural network to analyse – several seconds to process a single 240x320 image (rejects 90%)

Results

Flaws No mathematical security proofs

More Reading … S. Avidan, M. Butman, Efficient Methods for Privacy Preserving Face Detection, Advances in Neural Information Systems (NIPS 18), 2006 A.C. Yao, How to generate and exchange secrets, 27th FOCS, pp , 1986

Questions

Oblivious Transfer Protocol (based on public-key encryption): –Bob sends Alice two different public encryption keys K 0,K 1 –Alice generates a random key K and encrypts it with Bob ’ s public key that suites the message index she wants K i –Bob decrypts with both private keys. He thus obtains both the real key K and a bogus one K ’ –Bob sends Alice E(M i,K) and E(E(M 1-i,K ’ ) (in the same order he send the keys) –Alice Decrypts her message with K and obtains M i Security Issue: Can Alice or Bob learn something they shouldn ’ t? 1-out-of-2 oblivious transfer algorithm can be easily extended to 1-out-of-M oblivious transfer

Secure Dot-Product Bob generates a random vector For each i=1 … L: –Bob enumerates all possible x i values and constructs a 256D vector a, s.t. –Alice uses with x i as her index, to choose the appropriate element from the vector a and stores it as a i Alice and Bob sum their private vectors a and b, respectively, to obtain the shares and of the dot-product

Secure Classifier Input: Alice has input test pattern Bob has a strong classifier of the form Output: Alice has the result H(x) and nothing else Bob learns nothing about the test pattern x 1. Bob generates a set of N random numbers: s 1, …,s n, such that 2. For n=1 … N: (a) using secure dot-product of x T y n, Alice and Bob obtain private shared a and b (b) using the secure Millionaire protocol to detemine which number is larger: a or Instead of returning A or B, Alice will get or Alice will store the result in c n 3. Using the secure Millionaire to determine which number is larger: s or c. If c is larger then x is positively classified, otherwise x is negatively classified