TLDR: A new study explores the integration of Conformal Prediction (CP) with machine learning models operating on deterministically encrypted data. By using AES encryption on the MNIST dataset, researchers demonstrate that CP remains effective, allowing models to extract patterns and quantify uncertainty even without decrypting the data. The e-value-based CP method achieved high coverage, highlighting the potential for privacy-preserving machine learning with reliable uncertainty estimates, while also revealing trade-offs between prediction set size and coverage accuracy.
In the evolving landscape of artificial intelligence, ensuring both the accuracy of predictions and the privacy of data is paramount. A recent study delves into a fascinating intersection of these two critical areas: integrating Conformal Prediction (CP) with machine learning models that operate on deterministically encrypted data.
Conformal Prediction is a powerful framework designed to quantify the uncertainty of predictions. Unlike traditional methods that might only give a single prediction, CP generates ‘confidence sets’ or ‘prediction intervals’ that are guaranteed to contain the true outcome with a specified probability. A key advantage of CP is its ‘distribution-free’ guarantee, meaning it works reliably regardless of the underlying data distribution, provided the data points are ‘exchangeable’ (their order doesn’t affect their statistical properties).
The challenge addressed by this research is how to apply such rigorous uncertainty quantification when data is encrypted to protect privacy. The researchers explored whether CP methods remain effective even when applied directly to encrypted data, without ever decrypting it. Their hypothesis was that deterministic encryption – where the same input always produces the same encrypted output using a fixed key – preserves the essential ‘exchangeability’ property of the data, thus allowing CP to function.
Methodology and Experiments
To test their theory, the team used the well-known MNIST dataset, which consists of handwritten digit images. They applied the Advanced Encryption Standard (AES) with a fixed symmetric key and initialization vector to encrypt the entire dataset. This ensured that the encryption was deterministic and consistent across all data partitions (training, calibration, and test sets).
A simple feedforward neural network was then trained on these encrypted images. Crucially, the model never saw the original, unencrypted data. The model’s outputs were used to calculate ‘nonconformity scores,’ which measure how unusual a new data point is compared to the training data. These scores are fundamental to how Conformal Prediction constructs its prediction sets.
The study compared two main approaches within CP: the traditional p-value-based method and the more recent e-value-based method. They evaluated the models based on classification accuracy on encrypted data and, more importantly, the ‘coverage’ of the prediction sets – how often the true label was included in the set.
Key Findings
The results were insightful. While encryption naturally led to a drop in classification accuracy compared to unencrypted data, the model trained on deterministically encrypted MNIST still achieved a test accuracy of 36.88%. This is significantly higher than random guessing (9.56%), indicating that the neural network could still extract meaningful patterns from the obscured data. In contrast, when each image was encrypted with a unique, randomized key, the accuracy plummeted to random guessing levels, confirming that consistent encryption is vital.
For uncertainty quantification, the e-value-based CP method demonstrated impressive performance. It achieved a realized coverage of approximately 97.76%, meaning that in nearly 98% of test cases, the true digit was included in the prediction set. This was achieved with a specific loss-threshold calibration. The p-value-based CP, while producing smaller prediction sets, had a reduced coverage of 59.3%.
This highlights a crucial trade-off: the e-value approach offered a higher guarantee of including the true label, but often resulted in larger prediction sets (meaning less precise predictions). The p-value approach yielded more compact sets but with less reliable coverage in this encrypted setting. The research paper can be found here: Conformal Prediction for Privacy-Preserving Machine Learning.
Also Read:
- Keeping AI Models Reliable: A New Approach to Monitoring Performance During Adaptation
- Enhancing Data Privacy in Machine Learning with Focal Entropy
Implications and Future Directions
The findings demonstrate the practical feasibility of applying Conformal Prediction frameworks to machine learning models operating on deterministically encrypted data. This is a significant step towards building privacy-preserving machine learning systems that can also provide reliable uncertainty estimates.
The authors suggest future work should focus on developing new nonconformity scoring functions specifically designed for encrypted data, potentially leveraging the deterministic nature of the encryption. They also recommend extending this approach to other encryption schemes, such as homomorphic or probabilistic encryption, and testing it on more complex datasets to assess real-world applicability. This research lays a foundational stone for secure yet interpretable predictive systems in privacy-first machine learning pipelines.
