Deep learning models are used in many fields, from medical diagnosis to financial forecasting. However, these models demand so much computing power that they are typically run on powerful cloud-based servers.
This reliance on cloud computing poses significant security risks, particularly in areas like healthcare, where hospitals may be hesitant to use AI tools to analyze confidential patient data due to privacy concerns.
To address this pressing problem, MIT researchers have developed a security protocol that exploits the quantum properties of light to ensure that data sent to and from a cloud server remains secure during deep learning calculations.
By encoding data in the laser light used in fiber optic communications systems, the protocol exploits fundamental principles of quantum mechanics, making it impossible for attackers to copy or intercept the information without detection.
Additionally, the technique ensures security without compromising the accuracy of deep learning models. In testing, the researchers demonstrated that their protocol could maintain 96% accuracy while ensuring robust security measures.
“Deep learning models like GPT-4 have unprecedented capabilities but require massive computational resources.
“Our protocol allows users to leverage these powerful models without compromising the privacy of their data or the proprietary nature of the models themselves,” says Kfir Sulimany, a postdoctoral fellow at MIT’s Research Laboratory for Electronics (RLE) and lead author of a paper on this security protocol published on the arXiv preprint server.
Sulimany is joined on the paper by Sri Krishna Vadlamani, an MIT postdoc; Ryan Hamerly, a former postdoc now at NTT Research, Inc.; Prahlad Iyengar, a graduate student in electrical engineering and computer science (EECS); and lead author Dirk Englund, a professor in EECS and principal investigator of the Quantum Photonics and Artificial Intelligence Group and of RLE.
The research was recently presented at the annual Quantum Cryptography Conference (Qcrypt 2024).
A Two-Way Street for Security in Deep Learning
The cloud-based computing scenario the researchers focused on involves two parties: a client that has confidential data, such as medical images, and a central server that controls a deep learning model.
The client wants to use the deep learning model to make a prediction, for example whether a patient has cancer based on medical images, without revealing any information about the patient.
In this scenario, sensitive data needs to be sent to generate a prediction. However, during the process, patient data must remain secure.
Additionally, the server doesn’t want to reveal any part of the proprietary model that a company like OpenAI spent years and millions of dollars building.
“Both sides have something to hide,” Vadlamani adds.
In digital computing, a bad actor could easily copy the data sent from the server or client.
Quantum information, on the other hand, cannot be perfectly copied. The researchers exploit this property, known as the no-cloning principle, in their security protocol.
For the researchers’ protocol, the server encodes the weights of a deep neural network into an optical field using laser light.
A neural network is a deep learning model composed of layers of interconnected nodes, or neurons, that perform computations on data. Weights are the components of the model that perform the mathematical operations on each input, one layer at a time. The output of one layer is passed to the next layer until the final layer generates a prediction.
The server transmits the network weights to the client, which implements operations to obtain a result based on its private data. The data remains protected from the server.
At the same time, the security protocol allows the client to measure only one result and prevents the client from copying the weights due to the quantum nature of light.
Once the client feeds the first result into the next layer, the protocol is designed to roll back the first layer so that the client cannot learn anything else about the model.
“Instead of measuring all the incoming light from the server, the client only measures the light needed to run the deep neural network and feed the result into the next layer. The client then sends the residual light back to the server for security checks,” Sulimany explains.
Due to the no-cloning theorem, the client inevitably introduces tiny errors into the model when measuring its result. When the server receives the residual light from the client, it can measure these errors to determine whether any information has been leaked. It is important to note that this residual light does not reveal the client’s data.
A practical protocol
Modern telecommunications equipment typically uses optical fibers to transfer information due to the need to support massive bandwidth over long distances. Since these devices already incorporate optical lasers, researchers can encode the data into light for their security protocol without any special hardware.
When they tested their approach, the researchers found that it could ensure the security of both the server and the client while allowing the deep neural network to achieve 96% accuracy.
The small amount of model information that leaks while the client performs its operations is less than 10% of what an adversary would need to recover the hidden model. In the other direction, a malicious server could obtain only about 1% of the information it would need to steal the client’s data.
“You can be assured that the system is secure in both directions: from client to server and from server to client,” Sulimany explains.
“A few years ago, when we were developing our distributed machine learning inference demonstration between MIT’s main campus and MIT Lincoln Lab, I realized we could do something entirely new to provide physical-layer security, building on years of work in quantum cryptography that had also been demonstrated on that testbed,” Englund says.
“However, many major theoretical challenges had to be overcome to see if this prospect of privacy-enhancing distributed machine learning could be realized. This only became possible when Kfir joined our team, as he uniquely understood the experimental and theoretical components to develop the unified framework underlying this work.”
In the future, the researchers want to explore how this protocol could be applied to a technique called federated learning, where multiple parties use their data to train a central deep learning model. It could also be used in quantum operations, rather than the classical operations they studied for this work, which could offer advantages in terms of accuracy and security.
“This work cleverly and intriguingly combines techniques from fields that don’t usually meet, including deep learning and quantum key distribution. By using methods from the latter, it adds a layer of security to the former, while allowing what appears to be a realistic implementation.
“This could be interesting for preserving confidentiality in distributed architectures. I am looking forward to seeing how the protocol behaves in the face of experimental imperfections and its practical implementation,” explains Eleni Diamanti, CNRS research director at Sorbonne University, who was not involved in this work.
More information:
Kfir Sulimany et al, Quantum Secure Multiparty Deep Learning, arXiv (2024). DOI: 10.48550/arxiv.2408.05629
Provided by the Massachusetts Institute of Technology
This article is republished with kind permission from MIT News (web.mit.edu/newsoffice/), a popular site covering the latest research, innovation, and teaching at MIT.
Citation: Security protocol leverages quantum mechanics to protect data from attackers during cloud-based computations (2024, September 26) retrieved September 26, 2024 from