INFERENCE VERIFICATION SYSTEM AND INFERENCE VERIFICATION METHOD

Abstract

An inference device (400) obtains an inference result by executing an inference model by expressing a decimal value that is data on which inference processing is to be performed as an integer value and treating the integer value as a parameter of a convolutional neural network. A proving device (500) obtains a proof by executing a proof generation algorithm using the inference result as input. A verification device (600) obtains a verification result by executing a verification algorithm using the proof as input.

Description

TECHNICAL FIELD

The present disclosure relates to verification of an inference model using zero-knowledge proofs.

BACKGROUND ART

AI inference techniques using neural networks have been used with great success in machine learning tasks such as data classification. AI is an abbreviation for artificial intelligence.

In order to perform data analysis using a neural network, it is necessary to train an inference model using a large amount of training data in advance. At this time, it may be difficult for a user to build an inference model in the user's own environment due to the difficulty of preparing training data, constraints of computational resources, and so on.

In this context, in recent years, there have been services that provide data analysis using neural networks on a cloud (MLaaS). These services allow clients to perform inference using provided inference models by uploading data to be analyzed onto the cloud. Therefore, the clients do not need to incur costs in building inference models.

MLaaS is an abbreviation for machine learning as a service.

In MLaaS, when a client sends data to be analyzed and entrusts inference processing to a provider of an inference model, the service provider needs to prove to the client that an inference result is actually a result of analysis performed by the inference model.

The simplest solution is for the service provider to publish the inference model itself. However, since the inference model is the intellectual property of the service provider, it is difficult to disclose the inference model to the client.

Non-Patent Literature 1 proposes a method that makes it possible to prove, using a zero-knowledge proof, that inference processing using an inference model has been actually performed.

This method allows the service provider to prove to the client that the inference result has been obtained by analysis processing by the inference model.

CITATION LIST

Non-Patent Literature

• • Non-Patent Literature 1: zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy. Tianyi Liu, Xiang Xie, and Yupeng Zhang. 2021.

SUMMARY OF INVENTION

Technical Problem

The method of Non-Patent Literature 1 can only handle integer values as parameters of the inference model due to constraints of protocols for zero-knowledge proofs that are used.

An object of the present disclosure is to make it possible to verify an inference model whose parameters are decimals.

Solution to Problem

An inference verification system according to the present disclosure includes an inference unit to obtain an inference result by executing an inference model by expressing a decimal value that is data on which inference processing is to be performed as an integer value and treating the integer value as a parameter of a convolutional neural network;

• • a proving unit to obtain a proof by executing a proof generation algorithm using the inference result as input; and
  • a verification unit to obtain a verification result by executing a verification algorithm using the proof as input.

Advantageous Effects of Invention

According to the present disclosure, an inference model whose parameters are decimals can be verified.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a configuration diagram of an inference verification system 100 in Embodiment 1;

FIG. 2 is a configuration diagram of a parameter generation device 200 in Embodiment 1;

FIG. 3 is a configuration diagram of a key generation device 300 in Embodiment 1;

FIG. 4 is a configuration diagram of an inference device 400 in Embodiment 1;

FIG. 5 is a configuration diagram of a proving device 500 in Embodiment 1;

FIG. 6 is a configuration diagram of a verification device 600 in Embodiment 1;

FIG. 7 is a flowchart of an inference verification method (parameter generation) in Embodiment 1;

FIG. 8 is a flowchart of the inference verification method (key generation) in Embodiment 1;

FIG. 9 is a flowchart of the inference verification method (inference) in Embodiment 1;

FIG. 10 is a flowchart of the inference verification method (proving) in Embodiment 1;

FIG. 11 is a flowchart of the inference verification method (verification) in Embodiment 1;

FIG. 12 is a hardware configuration diagram of the parameter generation device 200 in Embodiment 1;

FIG. 13 is a hardware configuration diagram of the key generation device 300 in Embodiment 1;

FIG. 14 is a hardware configuration diagram of the inference device 400 in Embodiment 1;

FIG. 15 is a hardware configuration diagram of the proving device 500 in Embodiment 1; and

FIG. 16 is a hardware configuration diagram of the verification device 600 in Embodiment 1.

DESCRIPTION OF EMBODIMENTS

In the embodiment and drawings, the same elements or corresponding elements are denoted by the same reference sign. Description of an element denoted by the same reference sign as that of an element that has been described will be omitted or simplified as appropriate. Arrows in figures mainly indicate flows of data or flows of processing.

Embodiment 1

An inference verification system 100 will be described based on FIGS. 1 to 16.

The inference verification system 100 is a system that can verify inference processing.

Description of Configurations

Based on FIG. 1, a configuration of the inference verification system 100 will be described.

The inference verification system 100 includes devices such as a parameter generation device 200, a key generation device 300, an inference device 400, a proving device 500, and a verification device 600.

There devices communicate with one another through a network. A specific example of the network is the Internet.

Based on FIG. 2, a configuration of the parameter generation device 200 will be described.

The parameter generation device 200 is a computer that includes hardware such as a processor 201, a memory 202, an auxiliary storage device 203, a communication device 204, and an input/output interface 205. These hardware components are connected with one another through signal lines.

The processor 201 is the processor of the parameter generation device 200.

The processor is an IC that performs operational processing and controls other hardware components. For example, the processor is a CPU.

IC is an abbreviation for integrated circuit.

CPU is an abbreviation for central processing unit.

The memory 202 is the memory of the parameter generation device 200.

The memory is a volatile or non-volatile storage device. The memory is also called a main storage device or a main memory. For example, the memory is a RAM.

Data stored in the memory 202 is saved in the auxiliary storage device 203 as necessary.

RAM is an abbreviation for random access memory.

The auxiliary storage device 203 is the auxiliary storage device of the parameter generation device 200.

The auxiliary storage device is a non-volatile storage device. For example, the auxiliary storage device is a ROM, an HDD, a flash memory, or a combination of these.

Data stored in the auxiliary storage device 203 is loaded into the memory 202 as necessary.

ROM is an abbreviation for read only memory.

HDD is an abbreviation for hard disk drive.

The communication device 204 is the communication device of the parameter generation device 200.

The communication device is a receiver and a transmitter. For example, the communication device is a communication chip or a NIC.

Communication of the parameter generation device 200 is performed using the communication device 204.

NIC is an abbreviation for network interface card.

The input/output interface 205 is the input/output interface of the parameter generation device 200.

The input/output interface is a port to which an input device and an output device are connected. For example, the input/output interface is a USB terminal, the input device is a keyboard and a mouse, and the output device is a display.

Input to and output from the parameter generation device 200 is performed using the input/output interface 205.

USB is an abbreviation for Universal Serial Bus.

The parameter generation device 200 includes elements such as an acceptance unit 210, a generation unit 220, and an output unit 230. These elements are realized by software.

The auxiliary storage device 203 stores a parameter generation program to cause a computer to function as the acceptance unit 210, the generation unit 220, and the output unit 230. The parameter generation program is loaded into the memory 202 and executed by the processor 201.

The auxiliary storage device 203 further stores an OS. At least part of the OS is loaded into the memory and executed by the processor.

The processor 201 executes the parameter generation program while executing the OS.

OS is an abbreviation for operating system.

Input data and output data of the parameter generation program are stored in a storage unit 290.

The memory 202 functions as the storage unit 290. However, a storage device such as the auxiliary storage device 203, a register in the processor 201, and a cache memory in the processor 201 may function as the storage unit 290 in place of the memory 202 or together with the memory 202.

The parameter generation device 200 may include a plurality of processors as an alternative to the processor 201.

Based on FIG. 3, a configuration of the key generation device 300 will be described.

The key generation device 300 is a computer that includes hardware such as a processor 301, a memory 302, an auxiliary storage device 303, a communication device 304, and an input/output interface 305. These hardware components are connected with one another through signal lines.

The processor 301 is the processor of the key generation device 300.

The memory 302 is the memory of the key generation device 300.

The auxiliary storage device 303 is the auxiliary storage device of the key generation device 300.

The communication device 304 is the communication device of the key generation device 300.

The input/output interface 305 is the input/output interface of the key generation device 300.

The key generation device 300 includes elements such as an acceptance unit 310, a generation unit 320, and an output unit 330. These elements are realized by software.

The auxiliary storage device 303 stores a key generation program to cause a computer to function as the acceptance unit 310, the generation unit 320, and the output unit 330. The key generation program is loaded into the memory 302 and executed by the processor 301.

The key generation device 300 further stores an OS.

The processor 301 executes the key generation program while executing the OS.

Input data and output data of the key generation program are stored in a storage unit 390.

The memory 302 functions as the storage unit 390. However, a storage device such as the auxiliary storage device 303, a register in the processor 301, and a cache memory in the processor 301 may function as the storage unit 390 in place of the memory 302 or together with the memory 302.

The key generation device 300 may include a plurality of processors as an alternative to the processor 301.

Based on FIG. 4, a configuration of the inference device 400 will be described.

The inference device 400 is a computer that includes hardware such as a processor 401, a memory 402, an auxiliary storage device 403, a communication device 404, and an input/output interface 405. These hardware components are connected with one another through signal lines.

The processor 401 is the processor of the inference device 400.

The memory 402 is the memory of the inference device 400.

The auxiliary storage device 403 is the auxiliary storage device of the inference device 400.

The communication device 404 is the communication device of the inference device 400.

The input/output interface 405 is the input/output interface of the inference device 400.

The inference device 400 includes elements such as an acceptance unit 410, an inference unit 420, and an output unit 430. These elements are realized by software.

The auxiliary storage device 403 stores an inference program to cause a computer to function as the acceptance unit 410, the inference unit 420, and the output unit 430. The inference program is loaded into the memory 402 and executed by the processor 401.

The inference device 400 further stores an OS.

The processor 401 executes the inference program while executing the OS.

Input data and output data of the inference program are stored in a storage unit 490.

The memory 402 functions as the storage unit 490. However, a storage device such as the auxiliary storage device 403, a register in the processor 401, and a cache memory in the processor 401 may function as the storage unit 490 in place of the memory 402 or together with the memory 402.

The inference device 400 may include a plurality of processors as an alternative to the processor 401.

Based on FIG. 5, a configuration of the proving device 500 will be described.

The proving device 500 is a computer that includes hardware such as a processor 501, a memory 502, an auxiliary storage device 503, a communication device 504, and an input/output interface 505. These hardware components are connected with one another through signal lines.

The processor 501 is the processor of the proving device 500.

The memory 502 is the memory of the proving device 500.

The auxiliary storage device 503 is the auxiliary storage device of the proving device 500.

The communication device 504 is the communication device of the proving device 500.

The input/output interface 505 is the input/output interface of the proving device 500.

The proving device 500 includes elements such as an acceptance unit 510, a storing unit 520, a proving unit 530, and an output unit 540. The storing unit 520 includes a key storing unit 521 and an inference result storing unit 522. These elements are realized by software.

The auxiliary storage device 503 stores a proving program to cause a computer to function as the acceptance unit 510, the storing unit 520, the proving unit 530, and the output unit 540. The proving program is loaded into the memory 502 and executed by the processor 501.

The proving device 500 further stores an OS.

The processor 501 executes the proving program while executing the OS.

Input data and output data of the proving program are stored in a storage unit 590.

The memory 502 functions as the storage unit 590. However, a storage device such as the auxiliary storage device 503, a register in the processor 501, and a cache memory in the processor 501 may function as the storage unit 590 in place of the memory 502 or together with the memory 502.

The proving device 500 may include a plurality of processors as an alternative to the processor 501.

Based on FIG. 6, a configuration of the verification device 600 will be described.

The verification device 600 is a computer that includes hardware such as a processor 601, a memory 602, an auxiliary storage device 603, a communication device 604, and an input/output interface 605. These hardware components are connected with one another through signal lines.

The processor 601 is the processor of the verification device 600.

The memory 602 is the memory of the verification device 600.

The auxiliary storage device 603 is the auxiliary storage device of the verification device 600.

The communication device 604 is the communication device of the verification device 600.

The input/output interface 605 is the input/output interface of the verification device 600.

The verification device 600 includes elements such as an acceptance unit 610, a storing unit 620, a verification unit 630, and an output unit 640. The storing unit 620 includes a key storing unit 621 and a proof storing unit 622. These elements are realized by software.

The auxiliary storage device 603 stores a verification program to cause a computer to function as the acceptance unit 610, the storing unit 620, the verification unit 630, and the output unit 640. The verification program is loaded into the memory 602 and executed by the processor 601.

The verification device 600 further stores an OS.

The processor 601 executes the verification program while executing the OS.

Input data and output data of the verification program are stored in a storage unit 690.

The memory 602 functions as the storage unit 690. However, a storage device such as the auxiliary storage device 603, a register in the processor 601, and a cache memory in the processor 601 may function as the storage unit 690 in place of the memory 602 or together with the memory 602.

The verification device 600 may include a plurality of processors as an alternative to the processor 601.

Description of Notation

The notation in the following description will be indicated.

When “A” is a distribution, “y←A” denotes that y is randomly selected from A according to that distribution.

When “A” is a set, “y←A” denotes that y is uniformly selected from A for input x.

• • “p” is any prime number.
  • “G” is a group of order p.
  • “m” and “n” are any natural numbers.
  • “e” is the base of a natural logarithm.
  • “H” is a hash function.
  • “D” is a set of input data of an inference model.
  • “x” is input data on which inference processing is to be performed.
  • “M” is an inference model.

When “n” is a natural number, [n] is a set {1, . . . , n}.

• • “Z” is a set of integers.
  • “R” is a set of real numbers.

Description of Operation

The operation of the inference verification system 100 is equivalent to an inference verification method. A procedure for the operation of the inference verification system 100 is equivalent to a procedure for processing by an inference verification program.

The inference verification program includes the parameter generation program, the key generation program, the inference program, the proving program, and the verification program.

Each program can be recorded (stored) in a computer readable format in a non-volatile recording medium such as an optical disc or a flash memory.

Based on FIG. 7, the operation of the parameter generation device 200 in the inference verification method will be described.

In step S210, the acceptance unit 210 accepts parameters (λ, D) that are input into the parameter generation device 200.

For example, the parameters (λ, D) are input into the parameter generation device 200 by an administrator.

In step S220, the generation unit 220 executes a setup algorithm using as the parameters (λ, D) as input.

This generates a public parameter pp.

The setup algorithm is an algorithm for generating the public parameter pp.

For example, the setup algorithm (Setup) is expressed as indicated below.

$\begin{array}{cc}\begin{array}{c}\mathrm{Setup}\left(1^{\lambda },D\right):\\ g_i\leftarrow 𝒢\\ \mathrm{pp}:=\left(g_1,\dots ,g_n\right)\end{array}& \left[\mathrm{Formula}1\right]\end{array}$

In step S230, the output unit 230 outputs the public parameter pp.

Specifically, the output unit 230 transmits the public parameter pp to the key generation device 300.

Based on FIG. 8, the operation of the key generation device 300 in the inference verification method will be described.

In step S310, the acceptance unit 310 accepts the public parameter pp that is input into the key generation device 300.

Specifically, the acceptance unit 310 receives the public parameter pp from the parameter generation device 200.

In step S320, the generation unit 320 executes a key generation algorithm using the public parameter pp as input.

This generates a public key pk and a secret key sk.

The key generation algorithm is an algorithm for generating the public key pk and the secret key sk.

For example, the key generation algorithm (Kg) is expressed as indicated below.

$\begin{array}{cc}\begin{array}{c}\mathrm{Kg}\left(\mathrm{pp}\right):\\ h_i\leftarrow 𝒢\\ s_j\leftarrow Z_p\\ pk:=\left(g_1,\dots ,g_n,h_1,\dots ,h_m\right)\\ \mathrm{sk}:=\left(s_1,\dots ,s_l\right)\end{array}& \left[\mathrm{Formula}2\right]\end{array}$

In step S330, the output unit 330 outputs the public key pk and the secret key sk.

Specifically, the output unit 330 transmits the public key pk and the secret key sk to the proving device 500. The output unit 330 transmits the public key pk to the verification device 600.

Based on FIG. 4, the operation of the inference device 400 in the inference verification method will be described.

In step S410, the acceptance unit 410 accepts parameters (M, x) that are input into the inference device 400.

For example, an inference model M is input into the inference device 400 by a provider of the inference model M. Data x is transmitted to the inference device 400 by a client.

The inference model M is a model for inference processing.

The data x is data on which inference processing is to be performed.

In step S420, the inference unit 420 executes an inference processing algorithm using the inference model M and the data x as input.

This generates an inference result c.

The inference processing algorithm is an algorithm for generating the inference result c.

For example, the inference processing algorithm (Classify) is expressed as indicated below.

CNN is a convolutional neural network that is executed by the inference model M.

$\begin{array}{cc}\begin{array}{c}\mathrm{Classify}\left(M,x\right):\\ c:=\mathrm{CNN}\left(x\right)\end{array}& \left[\mathrm{Formula}3\right]\end{array}$

In step S430, the output unit 430 outputs the inference result c.

Specifically, the output unit 430 transmits the inference result c to the proving device 500.

Based on FIG. 10, the operation of the proving device 500 in the inference verification method will be described.

In step S510, the acceptance unit 510 accepts the public key pk, the secret key sk, and the inference result c.

Specifically, the acceptance unit 510 receives the public key pk and the secret key sk from the key generation device 300. The acceptance unit 510 receives the inference result c from the inference device 400.

In step S520, the key storing unit 521 stores the public key pk and the secret key sk.

The inference result storing unit 522 stores the inference result c.

For example, the public key pk, the secret key sk, and the inference result c are stored in the auxiliary storage device 503.

In step S530, the proving unit 530 executes a proof generation algorithm using the public key pk, the secret key sk, and the inference result c as input.

This generates a proof P.

The proof generation algorithm is an algorithm for generating the proof P.

An example of the proof generation algorithm (Prove) will be described below.

The inference result c is expressed as indicated below, where c_i is a computation result of the i-th layer of the CNN.

c=c ₁ , . . . , c _n

Prove_i is an algorithm for generating a proof P_i for the computation result c_i.

For example, the proof generation algorithm (Prove) is expressed as indicated below.

$\begin{array}{cc}\begin{array}{c}\mathrm{Prove}\left(pk,sk,c\right):\\ P_1:={\mathrm{Prove}}_1\left(pk,\mathrm{sk},c_1\right),\dots ,P_n:={\mathrm{Prove}}_n\left(pk,\mathrm{sk},c_n\right)\\ P:=\left(P_1,\dots ,P_n\right)\end{array}& \left[\mathrm{Formula}4\right]\end{array}$

Types (P_a to P_f) of Prove_i are as described below.

• • (P_a) When the i-th layer of the CNN is the ReLU Activation layer, the type of Prove_i is Prove_ReLU.
  • (P_b) When the i-th layer of the CNN is the Affine layer, the type of Prove_i is Prove_Affine.
  • (P_c) When the i-th layer of the CNN is the Convolution layer, the type of Prove_i is Prove_conv.
  • (P_d) When the i-th layer of the CNN is the Average Pooling layer, the type of Prove_i is Prove_AP.
  • (P_e) When the i-th layer of the CNN is the Max Pooling layer, the type of Prove_i is Prove_MP.
  • (P_f) When the i-th layer of the CNN is the Soft Max layer, the type of Prove_i is Prove_SoftMax.

The types (P_a to P_f) of Prove_i will be described later.

In step S540, the output unit 540 outputs the proof P.

Specifically, the output unit 540 transmits the proof P to the verification device 600.

Based on FIG. 11, the operation of the verification device 600 in the inference verification method will be described.

In step S610, the acceptance unit 610 accepts the public key pk and the proof P.

Specifically, the acceptance unit 610 receives the public key pk from the key generation device 300. The acceptance unit 610 receives the proof P from the proving device 500.

In step S620, the key storing unit 621 stores the public key pk.

The proof storing unit 622 stores the proof P.

For example, the public key pk and the proof P are stored in the auxiliary storage device 603.

In step S630, the verification unit 630 executes a verification algorithm using the public key pk and the proof P as input.

This generates a verification result V.

The verification algorithm is an algorithm for generating the verification result V.

An example of the verification algorithm (Verify) will be described below.

Verify_i is an algorithm for verifying a proof P_i.

For example, the verification algorithm (Verify) is expressed as indicated below.

$\begin{array}{cc}\begin{array}{c}\mathrm{Verify}\left(pk,P\right):\\ V_1:={\mathrm{Verify}}_1\left(pk,P_1\right),\dots ,{\mathrm{Verify}}_n\left(pk,P_n\right)\\ \mathrm{if}\left(V_1\wedge \dots \wedge V_n=\mathrm{true}\right)\\ V:=c\\ \mathrm{if}(V_1\wedge \dots \wedge V_n=\mathrm{false}\\ V:=\perp \end{array}& \left[\mathrm{Formula}5\right]\end{array}$

Types (V_a to V_f) of Verify; are as described below.

• • (V_a) When the i-th layer of the CNN is the ReLU Activation layer, the type of Verify_i is Verify_ReLU.
  • (V_b) When the i-th layer of the CNN is the Affine layer, the type of Verify_i is Verify_Affine.
  • (V_c) When the i-th layer of the CNN is the Convolution layer, the type of Verify_i is Verify_Conv.
  • (V_d) When the i-th layer of the CNN is the Average Pooling layer, the type of Verify_i is Verify_AP.
  • (V_e) When the i-th layer of the CNN is the Max Pooling layer, the type of Verify₁ is Verify_MP.
  • (V_f) When the i-th layer of the CNN is the SoftMax layer, the type of Verify_i is Verify_SoftMax.

The types (V_a to V_f) of Verify_i will be described later.

In step S640, the output unit 640 outputs the verification result V.

For example, the output unit 640 displays the verification result V on a display.

Description of Protocols and Representation as an Integer Value

With regard to zero-knowledge proof protocols used in Embodiment 1, the following protocols will be described. In addition, representation of a decimal as an integer value in Embodiment 1 will be described.

• • (1) Schnorr protocol
  • (2) Schnorr protocol for multiple exponents
  • (3) Generalized Schnorr protocol
  • (4) OR Proof protocol
  • (5) nOR Proof protocol
  • (6) Representation of a decimal as an integer value
  • (7) Range Proofs protocol
  • (8) Multiplication Proofs protocol
  • (9) The ReLU Layer protocol [P_a, V_a]
  • (10) The Affine Layer protocol [P_b, V_b]
  • (11) The Convolution Layer protocol [P_c, V_c]
  • (12) The Average Pooling Layer protocol [P_d, V_d]
  • (13) The Max Pooling Layer protocol [P_e, V_e]
  • (14) The SoftMax Layer protocol [P_f, V_f]

(1) The Schnorr protocol will be described.

• • “g” is a generator of G. In this case, y=g^x holds for x ∈ Z_p.

The Schnorr protocol is a protocol for proving that a prover knows x in y=g^x without providing a verifier with any information about x.

The Schnorr protocol is composed of a proof generation algorithm Prove_Schnorr and a verification algorithm Verify_Schnorr.

Prove_Schnorr outputs the proof P.

$\begin{array}{cc}\begin{array}{c}{\mathrm{Prove}}_{\mathrm{Schnorr}}\left(g,y,x\right):\\ r\leftarrow Z_p\\ R:=g^r\\ C:=H\left(g,y,R\right)\\ s:=r+\mathrm{Cx}\\ P=\left(g,y,C,s\right)\end{array}& \left[\mathrm{Formula}11\right]\end{array}$

Verify_Schnorr outputs true or false.

$\begin{array}{cc}\begin{array}{c}{\mathrm{Verify}}_{Schnorr}\left(g,y,C,s\right):\\ \mathrm{HV}:=H\left(g,y,g^s/y^C\right)\\ \begin{array}{cc}\mathrm{if}\left(C=\mathrm{HV}\right)& \mathrm{true}\end{array}\\ \begin{array}{cc}\mathrm{if}\left(C\ne \mathrm{HV}\right)& \mathrm{false}\end{array}\end{array}& \left[\mathrm{Formula}12\right]\end{array}$

(2) The Schnorr protocol for multiple exponents will be described. The Schnorr protocol for multiple exponents is obtained by generalizing (1) the Schnorr protocol.

Note that g₁, . . . , g_n are generators of G. In this case, expression (2A) holds for x₁ ∈ Z_p, . . . , x_n ∈ Z_p.

$\begin{array}{cc}\left[\mathrm{Formula}13\right]& \\ y={\Pi }_{i=1}^n{g}_i^{x_i}& \left(2A\right)\end{array}$

The Schnorr protocol for multiple exponents is a protocol for proving that the prover knows (x₁, . . . , x_n) in expression (2A) without providing the verifier with any information about (x₁, . . . , x_n).

The Schnorr protocol for multiple exponents is composed of a proof creation algorithm Prove_MultiSchnorr and a verification algorithm Verify_MultiSchnorr.

Prove_MultiSchnorr outputs the proof P.

$\begin{array}{cc}\begin{array}{c}{\mathrm{Prove}}_{\mathrm{MultiSchnorr}}\left(g_1,\dots ,g_n,y,x_1,\dots ,x_n\right):\\ \begin{array}{cc}{r}_i\leftarrow Z_p& \left(i\in \left\{0,\dots ,n\right\}\right)\end{array}\\ R:={\Pi }_{i=1}^n{g}_i^{r_i}\\ C:=H\left(g_1,\dots ,g_n,y,R\right)\\ \begin{array}{cc}{s}_i:=r_i+{\mathrm{Cx}}_i& \left(i\in \left\{0,\dots ,n\right\}\right)\end{array}\\ P=\left(g_1,\dots ,g_n,y,C,s_1,\dots ,s_n\right)\end{array}& \left[\mathrm{Formula}14\right]\end{array}$

Verify_MultiSchnorr outputs true or false.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}15\right]& \\ {\mathrm{Verify}}_{\mathrm{MultiSchnorr}}\left(g_1,\dots ,g_n,y,C,s_1,\dots ,s_n\right):\text{ \\ HV:=H⁡(g1,…,gn,y,∏i=1ngisi/yC)⁢ \\ if⁢(C=HV)⁢true⁢ \\ if⁢(C≠HV)⁢false}& \end{array} \end{gathered}$$

(3) The generalized Schnorr protocol will be described. The generalized Schnorr protocol is obtained by generalizing (2) the Schnorr protocol for multiple exponents.

Note that g_1,1, . . . , g_1,n, g_2,1, . . . , g_m,n are an mn number of generators of G. In this case, expression (3A) holds for x₁ ∈ Z_p, . . . , x_n ∈ Z_p.

$\begin{array}{cc}\left[\mathrm{Formula}16\right]& \\ \stackrel{m}{\underset{j=1}{\wedge }}\left(\prod _{i=1}^n{g}_{j,i}^{x_i}=y_j\right)& \left(3A\right)\end{array}$

The generalized Schnorr protocol is a protocol for proving that the prover knows (x₁, . . . , x_n) in expression (3A) without providing the verifier with any information about (x₁, . . . , x_n).

The generalized Schnorr protocol is composed of a proof creation algorithm Prove_GenSchnorr and a verification algorithm Verify_Genschnorr.

Prove_GenSchnorr outputs the proof P.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}17\right]& \\ {\mathrm{Prove}}_{\mathrm{GenSchnorr}}\left({\left(g_{j,i}\right)}_{j\in \left[m\right],i\in \left[n\right]},{\left(y_i\right)}_{j\in \left[m\right]},{\left(x_i\right)}_{i\in \left[n\right]}\right):\text{ \\ r1,…,rn←Zp, \\ R1:=∏i=1ng1,iri,…,Rm:=∏i=1ngm,iri⁢ \\ C:=H⁡((gj,i)j∈[m],i∈[n],(yj)j∈[m],(Rj)j∈[m])⁢ \\ s1:=r1+C⁢x1,…,sn:=rn+C⁢xn⁢ \\ P:=((gj,i)j∈[m],i∈[n],(yj)j∈[m],C,s1,…,sn)}& \end{array} \end{gathered}$$

Verify_GenSchnorr outputs true or false.

$\begin{array}{cc}\left[\mathrm{Formula}18\right]& \\ {\mathrm{Verify}}_{\mathrm{GenSchnorr}}\left({\left(g_{j,i}\right)}_{j\in \left[m\right],i\in \left[n\right]},{\left(y_j\right)}_{j\in \left[m\right]},C,s_1,\dots ,s_n\right):\mathrm{HV}:=H\left({\left(g_{j,i}\right)}_{j\in \left[m\right]},{\left(y_j\right)}_{j\in \left[m\right]},{\left({\prod }_{i=1}^n{g}_{j,i}^{s_i}/y_j^C\right)}_{j\in \left[m\right]}\right)\mathrm{if}\left(C=\mathrm{HV}\right)\mathrm{true}\mathrm{if}\left(C\ne \mathrm{HV}\right)\mathrm{false}& \end{array}$

(4) The OR Proof protocol will be described.

Note that g_1,1, . . . , g_1,n, g_2,1, . . . , g_m,n are an mn number of generators of G. In this case, expression (4A) holds for x=(x₁, . . . , x_n).

$\begin{array}{cc}\left[\mathrm{Formula}19\right]& \\ f\left(x\right)={\left(\prod _{i=1}^n{g}_{j,i}^{x_i}\right)}_{j=1,\dots ,m}& \left(4A\right)\end{array}$

For i=1, 2, the following expressions hold.

x ⁽ⁱ⁾=(x₁⁽ⁱ⁾, . . . , x_n⁽ⁱ⁾) ∈(Z_p)ⁿ

y ⁽ⁱ⁾ =f(x⁽ⁱ⁾)

The OR Proof protocol is a protocol for proving that the prover knows x⁽¹⁾ in y⁽¹⁾=f(x⁽¹⁾) or x⁽²⁾ in y⁽²⁾=f(x⁽²⁾) without providing the verifier with any information about x⁽¹⁾ and x⁽²⁾.

The OR Proof protocol is composed of a proof creation algorithm Prove_OR and a verification algorithm Verify_OR.

Prove_OR outputs the proof P.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}20\right]& \\ {\mathrm{Prove}}_{\mathrm{OR}}\left({\left(g_{j,i}\right)}_{j\in \left[m\right],i\in \left[n\right]},{\left(y^{\left(i\right)},x^{\left(i\right)}\right)}_{i=1,2}\right):\text{ \\ j:=3-i⁢(i=1⁢or⁢2)⁢ \\ s(j)←(Zp)n⁢ \\ C(j)←Zp⁢ \\ R(j):=f⁡(s(j))/(y(j))c(j)⁢ \\ r(i)←(Zp)n⁢ \\ R(i):=f⁡(r(i))⁢ \\ C:=H⁡(y(1),y(2),R(1),R(2))⁢ \\ C(i):=C-C(j)⁢ \\ s(i):=r(i)+C(i)⁢x(i)⁢ \\ P:=((gj,i)j∈[m],i∈[n],y(1),y(2),C(1),C(2),s(1),s(2))}& \end{array} \end{gathered}$$

Verify_OR outputs true or false.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}21\right]& \\ {\mathrm{Verify}}_{\mathrm{OR}}\left({\left(g_{j,i}\right)}_{j\in \left[m\right],i\in \left[n\right]},y^{\left(1\right)},y^{\left(2\right)},C^{\left(1\right)},C^{\left(2\right)},s^{\left(1\right)},s^{\left(2\right)}\right):\text{ \\ HV:=H⁡((gj,i)j∈[m],i∈[n]⁢y(1),y(2),f⁡(s(1))/(y(1))c(1),f⁡(s(2))/(y(2))c(2))⁢ \\ if⁢(C(1)+C(2)=HV)⁢true⁢ \\ if⁢(C(1)+c(2)≠HV)⁢false}& \end{array} \end{gathered}$$

(5) The nOR Proof protocol will be described. The nOR Proof protocol is obtained by generalizing (4) the OR Proof protocol.

Note that g_1,1, . . . , g_1,n, g_2,1, . . . , g_m,n are an mn number of generators of G. In this case, expression (5A) holds for x=(x₁, . . . , x_n).

$\begin{array}{cc}\left[\mathrm{Formula}22\right]& \\ f\left(x\right)={\left(\prod _{i=1}^n{g}_{j,i}^{x_i}\right)}_{j=1,\dots ,m}& \left(5A\right)\end{array}$

The following expressions hold for i ∈ [n].

x ⁽ⁱ⁾=(x₁⁽ⁱ⁾, . . . , x_n⁽ⁱ⁾) ∈(Z_p)ⁿ

y ⁽ⁱ⁾ =f(x⁽ⁱ⁾)

The nOR Proof protocol is a protocol for proving that the prover knows at least one x⁽ⁱ⁾ in y⁽ⁱ⁾=f(x⁽ⁱ⁾) without providing the verifier with any information about each x⁽ⁱ⁾.

The nOR Proof protocol is composed of a proof creation algorithm Proven_OR and a verification algorithm Verifyn_OR.

Proven_OR computes three expressions s(j), C(j), and R(j) for all j ∈ [n]{i}, and outputs the proof P.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}23\right]& \\ {\mathrm{Prove}}_{nOR}\left({\left(g_{j,i}\right)}_{j\in \left[m\right],i\in \left[n\right]},{\left(y^{\left(i\right)},x^{\left(i\right)}\right)}_{i\in \left[n\right]}\right):\text{ \\ s(j)←(Zp)n⁢ \\ C(j)←Zp⁢ \\ R(j):=f⁡(s(j))/(y(j))c(j)⁢ \\ r(i)←(Zp)n⁢ \\ R(i):=f⁡(r(i))⁢ \\ C:=H⁡((y(i),R(i))i∈[n])⁢ \\ C(i):=C-∑j∈[n]∖{i}⁢C(j)⁢ \\ s(i):=r(i)+C(i)⁢x(i)⁢ \\ P:=((gj,i)j∈[m],i∈[n],(y(i),C(i),s(i))i∈[n])}& \end{array} \end{gathered}$$

Verify_nOR outputs true or false.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}24\right]& \\ {\mathrm{Verify}}_{\mathrm{nOR}}\left({\left(g_{j,i}\right)}_{j\in \left[m\right],i\in \left[n\right]}{\left(y^{\left(i\right)},C^{\left(i\right)},s^{\left(i\right)}\right)}_{i\in \left[n\right]}\right):\text{ \\ HV:=H⁡((y(i),f⁡(s(i))/(y(i))c(i))i∈[n])⁢ \\ if⁢(C(1)+…+C(n)=HV)⁢true⁢ \\ if⁢(C(1)+…+C(n)≠HV)⁢false}& \end{array} \end{gathered}$$

(6) The representation of a decimal as an integer value will be described.

“1” and “d” are positive integers, and expression (6A) holds.

$\begin{array}{cc}\left[\mathrm{Formula}25\right]& \\ 2^{2\left(l+d\right)+1}+2^d\le \left(p-1\right)/2& \left(6A\right)\end{array}$

In this case, the fixed-point representation of a decimal x is expressed as an integer <X>.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}26\right]& \\ x=x_0+x_1{2}^{-d}\left(x_0\in \left\{-2^l,\dots ,2^l-1\right\},x_1\in \left\{0,\dots ,2^d-1\right\}\right)\text{ \\ 〈x〉=x0⁢2d+x1∈Zp}& \end{array} \end{gathered}$$

This allows model parameters of the convolutional neural network, which are usually expressed as real numbers, to be treated as integer values.

(7) The Range Proofs protocol will be described.

“g” and “h” are generators of G.

“t” is an integer.

The Range Proofs protocol is a protocol for proving by the prover that the integer t is an integer equal to or greater than 0 and less than 2^m without providing the verifier with information about the integer t.

The Range Proofs protocol is composed of a proof creation algorithm Prove_Range and a verification algorithm Verify_Range.

Prove_Range computes a binary number representation of t.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}27\right]& \\ t={\sum }_{i=1}^{m-1}{2}^i{t}_i\left(t_i\in 0,1\right)\text{ \\ s1←Zp,…,sm-1←Zp⁢ \\ B1:=gs1⁢ht1,…,Bm-1:=gsm-1⁢htm-1}& \end{array} \end{gathered}$$

Then, Prove_Range calculates the proof P for the following four expressions using Prove_GenSchnorr in (3) the generalized Schnorr protocol.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}28\right]& \\ {\mathrm{Prove}}_{R\mathrm{ange}}\left(g,h,t\right):\text{ \\ A=gs⁢ht⁢ \\ Bi=gsi⁢hti⁢(i∈{0,…,m-1})⁢ \\ Biti/Bi=gsi⁢ti→si⁢(i∈{0,…,m-1})⁢ \\ A=gs⁢∏i=1m-1h2i⁢ti}& \end{array} \end{gathered}$$

Verify_Range outputs the verification result V.

$$\begin{gathered} \begin{array}{cc}\left[\mathrm{Formula}29\right]& \\ {\mathrm{Verify}}_{\mathrm{Range}}\left(P\right):\text{ \\ V:=VerifyGenSchorr(P)}& \end{array} \end{gathered}$$

(8) The Multiplication Proofs protocol will be described.

“g” and “h” are generators of G. In this case, the following expressions hold for integers x, y, and z.

$\langle x\rangle =x_0+x_1^{2d}\langle y\rangle =y_0+y_1^{2d}\langle z\rangle =z_0+z_1^{2d}$

The Multiplication Proofs protocol is a protocol for proving by the prover that a relationship <z>=<xy> holds for the integers x, y, and z excluding truncation without providing the verifier with information about z, x, and y.

The Multiplication Proofs protocol is composed of a proof creation algorithm Prove_Mult and a verification algorithm Verify_Mult.

In Prove_Mult, the meaning of each symbol is as indicated below.

$$\begin{gathered} \begin{array}{cc}{r}_x,r_y,r_z\leftarrow Z_p\text{ \\ w:=x1⁢y1⁢mod⁢2d⁢ \\ rw←Zp⁢ \\ Cw:=grw⁢hw}& \left[\mathrm{Formula}30\right]\end{array} \end{gathered}$$

Prove_Mult calculates the proof P for the following nine expressions using (3) the generalized Schnorr protocol and (7) the Range Proofs protocol.

$$\begin{gathered} \begin{array}{cc}{\mathrm{Prove}}_{\mathrm{Mult}}\left(g,h,x,y,z\right):\text{ \\ Cx=grx⁢h〈x〉⁢ \\ Cy=gry⁢h〈y〉⁢ \\ 〈x〉∈{-2l+d,…,2l+d-1}⁢ \\ 〈y〉∈{-2l+d,…,2l+d-1}⁢ \\ Cz=grz⁢h〈z〉⁢ \\ 〈z〉∈{-2l+d,…,2l+d-1}⁢ \\ Cw=grw⁢h〈w〉⁢ \\ 〈w〉∈{-2l+d,…,2l+d-1}⁢ \\ Cx〈y〉/(Cz2d⁢hw)=grx⁢〈y〉-rz⁢2d}& \left[\mathrm{Formula}31\right]\end{array} \end{gathered}$$

Verify_Mult outputs the verification result V.

$$\begin{gathered} \begin{array}{cc}{\mathrm{Verify}}_{\mathrm{Mult}}\left(P\right):\text{ \\ V:=VerifyGenSchnorr(P)}& \left[\mathrm{Formula}32\right]\end{array} \end{gathered}$$

(9) The ReLU Layer protocol will be described.

A ReLU function is a function that is used in the Activation layer of the convolutional neural network.

$\begin{array}{cc}\mathrm{ReLU}\left(x\right)=\{\begin{array}{cc}0& \left(x<0\right)\\ x& \left(0\le x\right)\end{array}& \left[\mathrm{Formula}33\right]\end{array}$

The ReLU Layer protocol is a protocol for proving by the prover that a relation y=ReLU(x) holds for the integers x and y without providing the verifier with information about the integers x and y.

The ReLU Layer protocol is composed of a (P_a) proof generation algorithm Prove_ReLU and a (V_a) verification algorithm Verify_ReLU.

In Prove_ReLU, the meaning of each symbol is as indicated below.

$$\begin{gathered} \begin{array}{cc}a:=0\text{ \\ rx,ry,ra,rneg←Zp⁢ \\ Cneg:=grneg⁢h〈a⁢x〉}& \left[\mathrm{Formula}34\right]\end{array} \end{gathered}$$

Prove_ReLU calculates the proof P for the following expressions using (4) the OR proof protocol, (7) the Range Proof protocol, and (8) the Multiplication Proofs protocol.

$$\begin{gathered} \begin{array}{cc}{\mathrm{Prove}}_{\mathrm{ReLU}}\left(g,h,x,y\right)\text{ \\ Cx=grx⁢h〈x〉⁢ \\ 〈x〉∈{-2l+d,…,2l+d-1}⁢ \\ Cy=gry⁢h〈y〉⁢ \\ 〈y〉∈{-2l+d,…,2l+d-1}⁢ \\ Ca=gra⁢h〈a〉⁢ \\ 〈a〉∈{-2l+d,…,2l+d-1}⁢ \\ 〈a⁢x〉=〈a〉⁢〈x〉}& \left[\mathrm{Formula}35\right]\end{array} \end{gathered}$$

The proof P proves that one of the following two expressions holds.

$$\begin{gathered} \begin{array}{cc}\langle x\rangle \in \left\{-2^{l+d},\dots ,2^{l+d}-1\right\}\wedge C_{\mathrm{neg}}/C_y=g^{\delta }\text{ \\ 〈x〉∈{0,…,2l+d-1}∧Cx/Cy=gδ}& \left[\mathrm{Formula}36\right]\end{array} \end{gathered}$$

Verify_ReLU outputs the verification result V

$$\begin{gathered} \begin{array}{cc}{\mathrm{Verify}}_{\mathrm{ReLU}}\left(P\right):\text{ \\ V:=VerifyOR(P)}& \left[\mathrm{Formula}37\right]\end{array} \end{gathered}$$

(10) The Affine Layer protocol will be described.

The Affine Layer protocol is a protocol for proving by the prover that y=Ax+b holds for A ∈ R^n×n, b ∈ Rⁿ, and x, y ∈ Rⁿ without providing the verifier with information about x, y, A, and b.

A, b, x, and y are as indicated below.

$$\begin{gathered} \begin{array}{cc}A=\left(\begin{array}{ccc}{a}_{1,1}& \dots & a_{1,n}\\ ⋮& \ddots & ⋮\\ a_{n,1}& \dots & a_{n,n}\end{array}\right),\text{ \\ b=(b1,…,bn),x=(x1,…,xn),y=(y1,…,yn)}& \left[\mathrm{Formula}38\right]\end{array} \end{gathered}$$

The Affine Layer Protocol is composed of a (P_b) proof generation algorithm Prove_Affine and a (V_b) verification algorithm Verify_Affine.

In Prove_Affine, the meaning of each symbol is as indicated below.

$\begin{array}{cc}{r}_{a_{i,j}},r_{x_i},r_{y_i},r_{i,j},r_{b_i}\leftarrow Z_p\left(\left(i,j\right)\in \left[n\right]\times \left[n\right]\right)C_{i,j}^{\prime }:=g^{r_{i,j}}{h}^{\langle a_i{x}_j\rangle }\left(\left(i,j\right)\in \left[n\right]\times \left[n\right]\right)& \left[\mathrm{Formula}39\right]\end{array}$

Prove_Affine calculates the proof P for the following expressions using (3) the generalized Schnorr protocol, (7) the Range Proofs protocol, and (8) the Multiplication Proofs protocol.

$$\begin{gathered} \begin{array}{cc}{\mathrm{Prove}}_{\mathrm{Affine}}\left(g,h,x,y,b,A\right):\text{ \\ Cai,j=grai,j⁢h〈ai,j〉((i,j)∈[n]×[n]), \\ 〈ai,j〉∈{-2l+d,…,2l+d-1}⁢((i,j)∈[n]×[n]), \\ Cbi=grbi⁢h〈bi〉(i∈[n]), \\ 〈bi〉∈{-2l+d,…,2l+d-1}⁢(i∈[n]), \\ Cxi=grxi⁢h〈xi〉(i∈[n]), \\ 〈xi〉∈{-2l+d,…,2l+d-1}⁢(i∈[n]), \\ Cyi=gryi⁢h〈yi〉(i∈[n]), \\ 〈yi〉∈{-2l+d,…,2l+d-1}⁢(i∈[n]), \\ 〈ai,j⁢xi〉=〈ai,j〉⁢〈xi〉⁢((i,j)∈[n]×[n]), \\ Cyi/(∏j=1nCi,j′)⁢Cbi=gδi(i∈[n]).}& \left[\mathrm{Formula}40\right]\end{array} \end{gathered}$$

Verify_Affine outputs the verification result V.

$$\begin{gathered} \begin{array}{cc}{\mathrm{Verify}}_{\mathrm{ReLU}}\left(P\right):\text{ \\ V:=VerifyGenShnorr(P)}& \left[\mathrm{Formula}41\right]\end{array} \end{gathered}$$

(11) The Convolution Layer protocol will be described.

The Convolution Layer protocol is a protocol for proving by the prover that y=Conv(x) holds for x, y ∈ R^mm′ without providing the verifier with information about x, y, and Conv.

Conv is an operation that is performed on input data x in the Convolution layer of the convolutional neural network.

The Convolution Layer protocol is composed of a (P_c) proof generation algorithm Prove_Conv and a (V_c) verification algorithm Verify_Conv.

(a_i,j) is a weight parameter of Conv. In this case, for input x=(x_1,1, . . . x_1,m′, . . . , x_m,1, . . . , x_m,m′) and output y=(y_1,1, . . . , y_1,m′, . . . ,y_{m, 1}, . . . , y_m,m′), y_i,j can be expressed as the following expression.

$$\begin{gathered} \begin{array}{cc}{y}_{i,j}={\sum }_{i^{\prime }=0}^{s-1}{\sum }_{j^{\prime }=0}^{t-1}{a}_{i,j}{x}_{i+i^{\prime },j+j^{\prime }}\text{ \\ (1≤i≤m-s+1,1≤j≤m′-t+1)}& \left[\mathrm{Formula}42\right]\end{array} \end{gathered}$$

Therefore, the proof P and the verification result V can be generated in a similar manner to that of (10) the Affine Layer protocol.

$$\begin{gathered} \begin{array}{cc}{\mathrm{Prove}}_{\mathrm{Co𝔫v}}\left(g,h,x,y,b,A\right):\text{ \\ P:=ProveAffinev(g,h,x,y,b,A)⁢ \\ VerifyC⁢o⁢n⁢v(P)⁢ \\ V:=VerifyAffine(P)}& \left[\mathrm{Formula}43\right]\end{array} \end{gathered}$$

(12) The Average Pooling Layer protocol will be described.

The Average Pooling Layer protocol is a protocol for proving by the prover that y=AP(x) holds for x, y ∈ R^m×m without providing the verifier with information about x, y, and AP.

AP is an operation that is performed on input data x in the Average Pooling layer of the convolutional neural network.

The Average Pooling Layer protocol is composed of a (P_d) proof generation algorithm Prove_AP and a (V_d) verification algorithm Verify_AP.

For y and x, the following relationship holds.

“1” is the size of rows and columns and a stride in an AP filter.

$\begin{array}{cc}x=\left(\begin{array}{ccc}{x}_{1,1}& \dots & x_{1,m}\\ ⋮& \ddots & ⋮\\ x_{m,1}& \dots & x_{m,m}\end{array}\right),y=\left(\begin{array}{ccc}{y}_{1,1}& \dots & y_{1,m}\\ ⋮& \ddots & ⋮\\ y_{m,1}& \dots & y_{m,m}\end{array}\right)& \left[\mathrm{Formula}44\right]\end{array}$ $y_{i,j}={\sum }_{s=0}^{l-1}{\sum }_{t=0}^{l-1}\frac{1}{l^2}{x}_{\left(l_i+s-1\right),\left(l_j+t-1\right)}$ $\left(1\le i\le \sqrt{m},1\le j\le \sqrt{m}\right).$

Therefore, y can be expressed as a linear transformation of x.

Therefore, the proof P and the verification result V can be generated in a similar manner to (10) the Affine Layer protocol.

$\begin{array}{cc}{\mathrm{Prove}}_{\mathrm{AP}}\left(g,h,x,y,l\right):& \left[\mathrm{Formula}45\right]\end{array}$ $P:={\mathrm{Prove}}_{\mathrm{Affinev}}\left(g,h,x,y,l\right)$ ${\mathrm{Verify}}_{\mathrm{AP}}\left(P\right):$ $V:={\mathrm{Verify}}_{\mathrm{Affine}}\left(P\right)$

(13) The Max Pooling Layer protocol will be described.

The Max Pooling Layer protocol is a protocol for proving by the prover that y=MP(x) holds for x ∈ R^km×km and y ∈ R^m×m without providing the verifier with information about x, y, and MP.

MP is an operation that is performed on input data x in the Max Pooling layer of the convolutional neural network.

The Max Pooling Layer protocol is composed of a (P_e) proof generation algorithm Prove_MP and a (V_e) verification algorithm Verify_MP.

For y and x, the following relationship holds.

“k” is the size of rows and columns and a stride in an MP filter.

$\begin{array}{cc}x=\left(\begin{array}{ccc}{x}_{1,1}& \dots & x_{1,km}\\ ⋮& \ddots & ⋮\\ x_{km,1}& \dots & x_{km,km}\end{array}\right),y=\left(\begin{array}{ccc}{y}_{1,1}& \dots & y_{1,m}\\ ⋮& \ddots & ⋮\\ y_{m,1}& \dots & y_{m,m}\end{array}\right)& \left[\mathrm{Formula}46\right]\end{array}$ $y_{i,j}=\max \left\{x_{k\left(i-1\right)+s,k\left(j-1\right)+t}|s,t,\in \left[1,k\right]\right\}.$

In order to prove that this relationship holds, it is proved that the following expression holds.

$\begin{array}{cc}\underset{s=0}{\overset{k}{\bigwedge }}\underset{t=0}{\overset{k}{\bigwedge }}\left(y_{i,j}\ge x_{k\left(i-1\right)+s,k\left(j-1\right)+t}\right)\wedge \underset{s=0}{\overset{k}{\bigvee }}\underset{t=0}{\overset{k}{\bigvee }}\left(y_{i,j}=x_{k\left(i-1\right)+s,k\left(j-1\right)+t}\right).& \left[\mathrm{Formula}47\right]\end{array}$

Prove_MP performs the following computation for all (i, j) ∈ [m]×[m].

$\begin{array}{cc}{\mathrm{Prove}}_{\mathrm{MP}}\left(g,h,x,y,k\right):& \left[\mathrm{Formula}48\right]\end{array}$ $r_{k\left(i-1\right)+s,k\left(j-1\right)+t}\leftarrow Z_p\left(s,t\right)\in \left[k\right]\times \left[k\right]$ $r_{i,j}^{\prime }\leftarrow Z_p$ $C_{k\left(i-1\right)+s,k\left(j-1\right)+t}:=g^{r_{k\left(i-1\right)+s,k\left(j-1\right)+t}}{h}^{\langle x_{k\left(i-1\right)+s,k\left(j-1\right)+t}\rangle }\left(s,t\right)\in \left[k\right]\times \left[k\right]$ $C_{i,j}^{\prime }:=g^{r_{i,j}^{\prime }}{h}^{\langle y_{i,j}\rangle }$

Prove_MP calculates the proof P for the following formula using (7) the Range Proofs protocol and the nOR Proof protocol.

$\begin{array}{cc}\langle y_{i,j}\rangle -\langle x_{k\left(i-1\right)+s,k\left(j-1\right)+t}\rangle \in \left\{0,\dots ,2^{l+d+1}-1\right\}\left(s,t\right)\in \left[k\right]\times \left[k\right]& \left[\mathrm{Formula}49\right]\end{array}$ ${\bigvee }_{\left(s,t\right)\in \left[k\right]\times \left[k\right]}{C}_{k\left(i-1\right)+s,k\left(j-1\right)+t}/C_{i,j}^{\prime }$ $C_{i,j}^{\prime }=\delta s,t\left({\delta }_{s,t}=r_{k\left(i-1\right)+s,k\left(j-1\right)+t}-r_{i,j}^{\prime }\right)$

Verify_MP generates the verification result V using Verify_nOR.

$\begin{array}{cc}{\mathrm{Verify}}_{\mathrm{MP}}\left(P\right):& \left[\mathrm{Formula}50\right]\end{array}$ $V:={\mathrm{Verify}}_{\mathrm{nOR}}\left(P\right)$

(14) The SoftMax Layer protocol will be described.

The SoftMax Layer protocol is a protocol for proving by the prover that y=SoftMax(x) holds for x, y ∈ Rⁿ without providing the verifier with information about x and y.

SoftMax is an operation that is performed on input data x in the SoftMax layer of the convolutional neural network.

For x=(x₁, . . . , x_n) and y=(y₁, . . . , y_n), y_i is expressed as expression (13A).

$\begin{array}{cc}\left[\mathrm{Formula}51\right]& \\ y_i=e^{x_i}/{\sum }_{j=1}^n{e}^{x_j}& \left(13A\right)\end{array}$

The SoftMax Layer protocol performs computation by replacing the input x with x′=log₂e^x.

Therefore, a proof for expression (13A) can be constructed as described below. A protocol for proving that y′=2x‘ holds for x’, y′ ∈ R is constructed. By combining this protocol with (8) the Multiplication Proofs protocol, the proof can be constructed.

The protocol for proving that y′=2^x′ holds is composed of a proof generation algorithm Prove_exp and a verification result generation algorithm Verify_exp.

<x′>=x₀′2^d+x₁′ holds. This protocol computes expression (13D) using polynomial with degree 8 (13C) instead of computing expression (13B).

$\begin{array}{cc}\left[\mathrm{Formula}52\right]& \\ 2^{x_0^{\prime }+x_1^{\prime }/2^d}=2^{x_0^{\prime }}{2}^{x_1^{\prime }/2^d}& \left(13B\right)\end{array}$ $\begin{array}{cc}{P}_{1045}\left(X\right)=c_8{X}^8+\dots +c_0& \left(13C\right)\end{array}$ $\begin{array}{cc}{2}^{x_1^{\prime }}{P}_{1045}\left(x_0^{\prime }\right)& \left(13D\right)\end{array}$

Note that c₀ to c₈ are as indicated below.

$\begin{array}{cc}{c}_0=0.100000000000077443021686·{10}^1& \left[\mathrm{Formula}53\right]\end{array}$ $c_1=0.693147180426163827795756·{10}^0$ $c_2=0.24022651071017064605384·{10}^0$ $c_3=0.55504068620466379157744·{10}^{-1}$ $c_4=0.9618341225880462374977·{10}^{-2}$ $c_5=0.1332730359281437819329·{10}^{-2}$ $c_6=0.155107460590052573978·{10}^{-3}$ $c_7=0.14197847399765606711·{10}^{-4}$ $c_8=0.1863347724137967076·{10}^{-5}$

The proof generation algorithm Prove_exp is indicated below.

Note that x₀′[i] is the i-th bit of x₀′.

$\begin{array}{cc}{\mathrm{Prove}}_{\exp }\left(g,h,x^{\prime }\right):& \left[\mathrm{Formula}54\right]\end{array}$ $z_1:=\langle x_1^{\mathrm{\prime 1}}\rangle ,\dots ,z_g:=\langle x_1^{\prime 8}\rangle ,$ $u:=\langle 2^{x_0^{\prime }}\rangle ,$ $d:=\langle P_{1045}\left(x_1^{\prime }\right)\rangle ,$ $r_{\mathrm{int}},r_{\mathrm{int}}^{\left(0\right)},\dots ,r_{\mathrm{int}}^{\left(l-1\right)},r_{\mathrm{real}},r_{\mathrm{real}}^{\left(2\right)},\dots ,r_{\mathrm{real}}^{\left(8\right)},r_d,r_u\leftarrow Z_p,$

• • Prove_exp creates the proof P for the following expressions using (7) the Range Proofs protocol, (8) the Multiplication Proofs protocol, and (3) the generalized Schnorr protocol.

$C_{\mathrm{int}}=g^{r_{\mathrm{int}}}{h}^{x_0^{\prime }},$ $C_{\mathrm{int}}^{\left(i\right)}=g^{r_{\mathrm{int}}^{\left(i\right)}}{h}^{x_0^{\prime }\left[i\right]}i\in \left\{0,\dots ,l-1\right\},$ $C_{\mathrm{real}}=g^{r_{\mathrm{real}}}{h}^{\langle x_1^{\prime }\rangle },$ $C_{\mathrm{real}}^{\left(i\right)}=g^{r_{\mathrm{real}}^{\left(i\right)}}{h}^{z_i}i\in \left\{2,\dots ,8\right\},$ $C_d=g^{r_d}{h}^d,$ $C_u=g^{r_u}{h}^u,$ $\langle x_0^{\prime }\rangle \in \left\{2^d,\dots ,2^{d+l-1}\right\},\langle x_1^{\prime }\rangle \in \left\{0,\dots ,2^d-1\right\},\langle x^{\prime }\rangle =\langle x_0^{\prime }\rangle +\langle x_1^{\prime }\rangle ,$ $x_1={\prod }_{i=0}^{l-1}{x}_1^{\prime }\left[i\right]·2^i,$ $u={\prod }_{i=0}^{l-1}\left(x_1^{\prime }\left[i\right]·2^{2^i}+1-x_1^{\prime }\left[i\right]\right),$ $z_i=z_{i-1}·\langle x_i^{\prime }\rangle ,z_1=\langle x_0^{\prime }\rangle i\in \left\{2,\dots ,8\right\},$ $d=c_8·z_8+\dots +c_0=\langle P_{1045}\left(x_0^{\prime }\right)\rangle ,$ $\langle y\rangle =\langle u\rangle ·\langle d\rangle .$

The verification algorithm Verify_exp is indicated below.

$\begin{array}{cc}{\mathrm{Verify}}_{\exp }\left(P\right):& \left[\mathrm{Formula}56\right]\end{array}$ $V:={\mathrm{Verify}}_{\mathrm{GenShnorr}}\left(P\right)$

The SoftMax Layer protocol is composed of a (P_f) proof generation algorithm Prove_SoftMax and a (V_f) verification algorithm Verify_SoftMax.

Prove_SoftMax calculates the proof P for the following expressions using Prove_exp and Prove_Mult.

$\begin{array}{cc}{\mathrm{Prove}}_{\mathrm{SoftMax}}\left(g,h,x,y\right):& \left[\mathrm{Formula}57\right]\end{array}$ $y_i^{\prime }=2^{x_i^{\prime }}i\in \left\{1,\dots ,n\right\},$ $y_i=y_i^{\prime }/{\sum }_{j=1}^n{y}_j^{\prime }.$

Verify_SoftMax outputs the verification result V.

$\begin{array}{cc}{\mathrm{Verify}}_{\mathrm{SoftMax}}\left(P\right):& \left[\mathrm{Formula}58\right]\end{array}$ $V:={\mathrm{Verify}}_{\mathrm{GenShnorr}}\left(P\right)$

Features of Embodiment 1

Embodiment 1 has the following features.

Embodiment 1 converts model parameters of an inference model into integer values and verifies the inference model.

The algorithms of the zero-knowledge proof protocols of the respective layers are features of Embodiment 1.

The verification method of the inference model is realized by combining conversion of weight parameters (model parameters) into integer values and the zero-knowledge proof protocols.

The features of Embodiment 1 will be presented with reference sings indicated in parentheses.

An inference device (400) obtains an inference result (c) by executing an inference model (M) by expressing a decimal value that is data (x) on which inference processing is to be performed as an integer value and treating the integer value as a parameter of a convolutional neural network.

A proving device (500) obtains a proof (P) by executing a proof generation algorithm using the inference result as input.

A verification device (600) obtains a verification result (V) by executing a verification algorithm using the proof as input.

The inference result includes a computation result of each layer of the convolutional neural network.

For each layer of the convolutional neural network, the proving device (500) executes the proof generation algorithm of a protocol corresponding to the type of the layer, using the computation result of the layer as input.

The proof includes the execution result of the proof generation algorithm for each layer of the convolutional neural network.

For each layer of the convolutional neural network, the verification device (600) executes the verification algorithm of the protocol corresponding to the type of the layer, using the execution result of the layer as input.

The verification result includes the execution result of the verification algorithm for each layer of the convolutional neural network.

Effects of Embodiment 1

Embodiment 1 realizes zero-knowledge proof protocols that can handle decimal parameters by representing fixed-point representations of decimals as integer values.

This makes it possible to verify an inference model whose parameters are decimals.

Embodiment 1 has, for example, the following effects.

Data is analyzed by a third party. The third party provides an inference service using a machine learning model.

Embodiment 1 makes it possible to prove that an inference result for the analyzed data is a result obtained by actually performing inference on the data using the machine learning model without disclosing information about an inference model.

The method of Embodiment 1 represents fixed-point representations of decimals as integer values, and uses zero-knowledge proofs using the difficulty of the discrete logarithm problem. This realizes zero-knowledge proof protocols that can handle decimal parameters. Then, it is possible to verify an inference model whose parameters are decimals.

Supplement to Embodiment 1

The parameter generation device 200, the key generation device 300, the inference device 400, and the proving device 500 may be combined with each other. That is, the inference verification system 100 may include one or more computers that function as the parameter generation device 200, the key generation device 300, the inference device 400, and the proving device 500.

The generation unit 220 of the parameter generation device 200 may include a random number generation function or the like for generating the public parameter pp.

The generation unit 320 of the key generation device 300 may include a random number generation function or the like for generating the public key pk and the secret key sk.

Based on FIG. 12, a hardware configuration of the parameter generation device 200 will be described.

The parameter generation device 200 includes processing circuitry 209.

The processing circuitry 209 is the processing circuitry that realizes the acceptance unit 210, the generation unit 220, and the output unit 230.

The processing circuitry may be dedicated hardware, or may be a processor that executes programs stored in a memory.

When the processing circuitry is dedicated hardware, the processing circuitry is, for example, a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, an ASIC, an FPGA, or a combination of these.

ASIC is an abbreviation for application specific integrated circuit.

FPGA is an abbreviation for field programmable gate array.

The parameter generation device 200 may include a plurality of processing circuits as an alternative to the processing circuitry 209.

In the processing circuitry 209, some functions may be realized by dedicated hardware and the remaining functions may be realized by software or firmware.

As described above, the functions of the parameter generation device 200 can be realized by hardware, software, firmware, or a combination of these.

Based on FIG. 13, a hardware configuration of the key generation device 300 will be described.

The key generation device 300 includes processing circuitry 309.

The processing circuitry 309 is the processing circuitry that realizes the acceptance unit 310, the generation unit 320, and the output unit 330.

The key generation device 300 may include a plurality of processing circuits as an alternative to the processing circuitry 309.

In the processing circuitry 309, some functions may be realized by dedicated hardware and the remaining functions may be realized by software or firmware.

As described above, the functions of the key generation device 300 can be realized by hardware, software, firmware, or a combination of these.

Based on FIG. 14, a hardware configuration of the inference device 400 will be described.

The inference device 400 includes processing circuitry 409.

The processing circuitry 409 is the processing circuitry that realizes the acceptance unit 410, the inference unit 420, and the output unit 430.

The inference device 400 may include a plurality of processing circuits as an alternative to the processing circuitry 409.

In the processing circuitry 409, some functions may be realized by dedicated hardware and the remaining functions may be realized by software or firmware.

As described above, the functions of the inference device 400 can be realized by hardware, software, firmware, or a combination of these.

Based on FIG. 15, a hardware configuration of the proving device 500 will be described.

The proving device 500 includes processing circuitry 509.

The processing circuitry 509 is the processing circuitry that realizes the acceptance unit 510, the storing unit 520, the proving unit 530, and the output unit 540.

The proving device 500 may include a plurality of processing circuits as an alternative to the processing circuitry 509.

In the processing circuitry 509, some functions may be realized by dedicated hardware and the remaining functions may be realized by software or firmware.

As described above, the functions of the proving device 500 can be realized by hardware, software, firmware, or a combination of these.

Based on FIG. 16, a hardware configuration of the verification device 600 will be described.

The verification device 600 includes processing circuitry 609.

The processing circuitry 609 is the processing circuitry that realizes the acceptance unit 610, the storing unit 620, the verification unit 630, and the output unit 640.

The verification device 600 may include a plurality of processing circuits as an alternative to the processing circuitry 609.

In the processing circuitry 609, some functions may be realized by dedicated hardware and the remaining functions may be realized by software or firmware.

As described above, the functions of the verification device 600 can be realized by hardware, software, firmware, or a combination of these.

Embodiment 1 is an example of a preferred embodiment, and is not intended to limit the technical scope of the present disclosure. Embodiment 1 may be partially implemented or may be implemented in combination with another embodiment. The procedures described using flowcharts or the like may be suitably changed.

Each “unit” that is an element of the inference verification system 100 may be interpreted as “process”, “step”, “circuit”, or “circuitry”.

REFERENCE SIGNS LIST

• • 100: inference verification system, 200: parameter generation device, 201: processor, 202: memory, 203: auxiliary storage device, 204: communication device, 205: input/output interface, 209: processing circuitry, 210: acceptance unit, 220: generation unit, 230: output unit, 290: storage unit, 300: key generation device, 301: processor, 302: memory, 303: auxiliary storage device, 304: communication device, 305: input/output interface, 309: processing circuitry, 310: acceptance unit, 320: generation unit, 330: output unit, 390: storage unit, 400: inference device, 401: processor, 402: memory, 403: auxiliary storage device, 404: communication device, 405: input/output interface, 409: processing circuitry, 410: acceptance unit, 420: inference unit, 430: output unit, 490: storage unit, 500: proving device, 501: processor, 502: memory, 503: auxiliary storage device, 504: communication device, 505: input/output interface, 509: processing circuitry, 510: acceptance unit, 520: storing unit, 521: key storing unit, 522: inference result storing unit, 530: proving unit, 540: output unit, 590: storage unit, 600: verification device, 601: processor, 602: memory, 603: auxiliary storage device, 604: communication device, 605: input/output interface, 609: processing circuitry, 610: acceptance unit, 620: storing unit, 621: key storing unit, 622: proof storing unit, 630: verification unit, 640: output unit, 690: storage unit, c: inference result, D: parameter, M: inference model, P: proof, pk: public key, pp: public parameter, sk: secret key, V: verification result, x: data, a: parameter.

Claims

1. An inference verification system comprising processing circuitry to:obtain an inference result by executing an inference model by expressing a decimal value that is data on which inference processing is to be performed as an integer value and treating the integer value as a parameter of a convolutional neural network, the inference result including a computation result of each layer of the convolutional neural network;obtain a proof by executing, for each layer of the convolutional neural network, a proof generation algorithm of a protocol corresponding to a type of the layer using the computation result of the layer as input, the proof including an execution result of the proof generation algorithm for each layer of the convolutional neural network; andobtain a verification result by executing, for each layer of the convolutional neural network, a verification algorithm of the protocol corresponding to the type of the layer using the execution result of the layer as input, the verification result including an execution result of the verification algorithm for each layer of the convolutional neural network.

2. The inference verification system according to claim 1, wherein a ReLU Layer protocol is protocol corresponding to a ReLU Activation layer of the convolutional neural network.

3. The inference verification system according to claim 1, wherein an Affine Layer protocol is the protocol corresponding to an Affine layer of the convolutional neural network.

4. The inference verification system according to claim 1, wherein a Convolution Layer protocol is the protocol corresponding to a Convolution layer of the convolutional neural network.

5. The inference verification system according to claim 1, wherein an Average Pooling Layer protocol is the protocol corresponding to an Average Pooling layer of the convolutional neural network.

6. The inference verification system according to claim 1, wherein a Max Pooling Layer protocol is the protocol corresponding to a Max Pooling layer of the convolutional neural network.

7. The inference verification system according to claim 1, wherein a SoftMax Layer protocol is the protocol corresponding to a SoftMax layer of the convolutional neural network.

8. An inference verification method comprising: obtaining an inference result by executing an inference model by expressing a decimal value that is data on which inference processing is to be performed as an integer value and treating the integer value as a parameter of a convolutional neural network, the inference result including a computation result of each layer of the convolutional neural network;obtaining a proof by executing, for each layer of the convolutional neural network, a proof generation algorithm of a protocol corresponding to a type of the layer using the computation result of the layer as input, the proof including an execution result of the proof generation algorithm for each layer of the convolutional neural network; andobtaining a verification result by executing, for each layer of the convolutional neural network, a verification algorithm of the protocol corresponding to the type of the layer using the execution result of the layer as input, the verification result including an execution result of the verification algorithm for each layer of the convolutional neural network.