How to only encrypte the ML model and make local model predictions based on the encrypted model about concrete-ml HOT 5 CLOSED

Ok, currently concrete uses plaintext training models. Then, by encrypting the input parameters, the model prediction calculation is compiled into a Fhe calculation circuit. so the predict algorithm is fixed, the circuit is also fixed. But there is the following scenario, alice has a model but does not want to expose it to bob, so she wants to encrypt the model and send it to bob, bob makes predictions based on the encrypted model, and bob can also use sparse matrix to filter type 0 data, but the problem is if Assuming that the model weight is used as an encrypted input, bob data can only be compiled into an FHE circuit when it is certain, but the data that bob needs to predict it‘s be uncertain, and it is impossible to predict once and then need to compile a new fhe circuit.

from concrete-ml.

Hello @Daihongwei1900,
Just to make things clear, here's a summary of what you are trying to achieve :

• Bob has some local clear inputs
• Alice has a defined model with encrypted weights, which she sends to Bob (FHE circuit + encrypted weights)
• Bob executes the model's inference locally using his clear inputs

What you seem to be afraid of is that Bob might always need to compile before being able to compute the predictions, but is not possible because the weights are encrypted. Am I right ? 🙂

If so, then there are a few things to comment here. The short answer is that, in theory, your use case could be done as Bob will never need to compile, but it's not available in Concrete ML. Also, Bob won't be able to decrypt the model's predictions, only Alice will.

More precisely :

• No, Bob does not need to compile before computing the predictions. This is because Alice can easily compile (in the clear) on her own using clear values, which should be representative of what kind of inputs Bob could give, as parameters. Once this is done, the FHE circuit will be able to evaluate any kind of clear inputs without having to be compiled again.
• Once Bob executes the inference in FHE on his clear inputs, he'll get encrypted predictions but won't be able to decrypt them. This is because only Alice possess the private key needed for decryption, as she is the one that encrypted the weights. Is this what you had in mind ?
• Unfortunately, this feature is not available in Concrete ML and we are not planning on working on it. Could you maybe indicate to use what kind of use case you are thinking ? Maybe it will help us better understand why such a feature could be important. In the mean time, if you really need to make this work, I can advise you to dig into our source code and try implement it yourself. This could probably be done by modifying the models' compile methods so that they include clear inputs and encrypted weights, and then update the predict methods accordingly as well. But I can't guarantee that this will automatically make it working. Again, I might be able to help you further if you detail your use case a bit more 😉

Hope this helps !

from concrete-ml.

Thank you very much, your answer solved my problem very well, I need to implement clear inputs and encrypted weights.

from concrete-ml.

Hello @Daihongwei1900 . Could you be a bit more precise on what the "feature request" is and what is the "motivation". Thank you

from concrete-ml.

Ok, currently concrete uses plaintext training models. Then, by encrypting the input parameters, the model prediction calculation is compiled into a Fhe calculation circuit. so the predict algorithm is fixed, the circuit is also fixed. But there is the following scenario, alice has a model but does not want to expose it to bob, so she wants to encrypt the model and send it to bob, bob makes predictions based on the encrypted model, and bob can also use sparse matrix to filter type 0 data, but the problem is if Assuming that the model weight is used as an encrypted input, bob data can only be compiled into an FHE circuit when it is certain, but the data that bob needs to predict it‘s be uncertain, and it is impossible to predict once and then need to compile a new fhe circuit.

@bcm-at-zama

from concrete-ml.