SaTC: CORE: Small: Decentralized Attribution and Secure Training of Generative Models

SaTC：核心：小型：生成模型的去中心化归因和安全训练

• 批准号: 2101052
• 负责人: Yi Ren
• 金额: $ 50万
• 依托单位: Arizona State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2101052&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Decentralized; Attribution

Generative models describe real-world data distributions such as images, texts, and human motions, and are playing an essential role in a large and growing range of applications from photo editing to natural language processing to autonomous driving. There are two open challenges regarding the development and dissemination of generative models: (1) Adversarial applications of generative models have created concerning socio-technical disturbances (e.g., espionage operations and malicious impersonation); and (2) developing generative models using multiple proprietary datasets (which are needed to reduce data biases) raises privacy concerns about data leakage. Legislative efforts have recently been taken in the wake of these challenges, so far with limited consensus on the format of regulations and knowledge about their technological or social feasibility. To this end, this project will develop new mathematical theories and computational tools to assess the feasibility of two connected solutions to these challenges: Model attribution enforces the owners to be correctly identified based on their generated contents; secure training ensures zero data leakage during the collaborative training of attributable generative models. If successful, the outcomes of the project will provide technical guidance for future regulation design towards secure development and dissemination of generative models. Project results will be disseminated through a project website, open-source software, and public datasets. The impacts of the project will be broadened through educational activities, including new course modules on Artificial Intelligence (AI) security, undergraduate research projects, and outreach to the local community through lab tours, to prepare underrepresented groups with skills to mitigate risks from malicious impersonation and biased data/model representations targeting these groups.This project will focus on synergistic research tasks towards decentralized model attribution and secure training of generative models. In the former, the research team will study the systematic design of a set of user-end generative models that can be certifiably attributed by a set of binary classifiers, which are stored in a decentralized manner to mitigate security risks. The technical feasibility of decentralized attribution will be measured by the tradeoffs between attributability, generation quality, and model capacity. In the latter, the research team will study secure multi-party training of generative models and the associated binary classifiers for attribution. Data privacy and training scalability will be balanced through the design of security-friendly model architectures and learning losses. New knowledge will be created that differentiates this project from the existing state-of-the-art literature in digital forensics and secure computation: (1) Sufficient conditions for decentralized attribution will be developed, which will reveal analytical connections between attributability, data geometry, model architecture, and generation quality. (2) The sufficient conditions will enable estimation of the capacity of attributable models for a given dataset and generation quality tolerance. (3) Feasibility of sublinear secure vector multiplication will be studied, which will fundamentally improve the scalability of secure collaborative training. (4) Privacy-friendly activation and loss functions will be designed for the training of user-end generative models and the classifiers for attribution.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

生成模型描述真实世界的数据分布，如图像、文本和人体运动，并且在从照片编辑到自然语言处理再到自动驾驶的大量且不断增长的应用中发挥着重要作用。关于生成模型的开发和传播存在两个公开的挑战：（1）生成模型的对抗性应用已经造成了关于社会技术的干扰（例如，间谍活动和恶意冒充）;以及（2）使用多个专有数据集（减少数据偏差所需）开发生成模型会引发对数据泄露的隐私担忧。在这些挑战之后，最近采取了立法努力，迄今为止，对条例的格式以及对其技术或社会可行性的了解有限。为此，该项目将开发新的数学理论和计算工具，以评估这些挑战的两种相关解决方案的可行性：模型归属强制所有者根据其生成的内容被正确识别;安全训练确保在可归属生成模型的协作训练期间零数据泄漏。如果成功，该项目的成果将为未来的监管设计提供技术指导，以确保生成模型的安全开发和传播。项目成果将通过项目网站、开放源码软件和公共数据集传播。该项目的影响将通过教育活动扩大，包括人工智能（AI）安全的新课程模块，本科生研究项目，以及通过实验室图尔斯之旅与当地社区的联系，为代表性不足的群体提供技能，以减轻恶意冒充和有偏见的数据带来的风险;针对这些群体的模型表示。该项目将专注于协同研究任务，以实现分散的模型属性和生成模型的安全训练。在前者中，研究团队将研究一组用户端生成模型的系统设计，这些模型可以通过一组二进制分类器进行可证明的属性，这些分类器以分散的方式存储，以减轻安全风险。去中心化归因的技术可行性将通过归因性、生成质量和模型容量之间的权衡来衡量。在后者中，研究小组将研究生成模型的安全多方训练和相关的二进制分类器。数据隐私和训练可扩展性将通过设计安全友好的模型架构和学习损失来平衡。将创建新的知识，将该项目与现有的数字取证和安全计算方面的最先进文献区分开来：（1）将开发分散归因的充分条件，这将揭示可归因性，数据几何，模型架构和生成质量之间的分析联系。(2)该充分条件将使得能够估计给定数据集的可归因模型的容量和生成质量容差。(3)研究次线性安全向量乘法的可行性，从根本上提高安全协同训练的可扩展性。(4)该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Decentralized Attribution of Generative Models

• 发表时间: 2020-10
• 期刊: ArXiv
• 作者: Changhoon Kim;Yi Ren;Yezhou Yang

Attributing Image Generative Models using Latent Fingerprints

• DOI: 10.48550/arxiv.2304.09752
• 发表时间: 2023-04
• 作者: Guangyu Nie;C. Kim;Yezhou Yang;Yi Ren

Attributable Watermarking of Speech Generative Models

语音生成模型的归属水印

• DOI: 10.1109/icassp43922.2022.9746578
• 发表时间: 2022
• 期刊: Proceedings of the IEEE International Conference on Acoustics Speech and Signal Processing
• 作者: Cho, Yongbaek;Kim, Changhoon;Yang, Yezhou;Ren, Yi
• 通讯作者: Ren, Yi

Compact and Malicious Private Set Intersection for Small Sets

• DOI: 10.1145/3460120.3484778
• 发表时间: 2021-11
• 期刊: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Mike Rosulek;Ni Trieu

Private Join and Compute from PIR with Default

• DOI: 10.1007/978-3-030-92075-3_21
• 发表时间: 2020
• 期刊: IACR Cryptol. ePrint Arch.
• 作者: Tancrède Lepoint;Sarvar Patel;Mariana Raykova;Karn Seth;Ni Trieu