Rotation-Equivariant Neural Networks for Privacy Protection
This addresses privacy protection for users of neural networks by obfuscating input attributes, though it is an incremental improvement over existing methods like homomorphic encryption.
This paper tackles the problem of preventing input information leakage from intermediate-layer features in neural networks by proposing rotation-equivariant neural networks (RENNs), which use d-ary features rotated with random angles for encryption, effectively protecting input privacy with only mild accuracy degradation compared to traditional networks.
In order to prevent leaking input information from intermediate-layer features, this paper proposes a method to revise the traditional neural network into the rotation-equivariant neural network (RENN). Compared to the traditional neural network, the RENN uses d-ary vectors/tensors as features, in which each element is a d-ary number. These d-ary features can be rotated (analogous to the rotation of a d-dimensional vector) with a random angle as the encryption process. Input information is hidden in this target phase of d-ary features for attribute obfuscation. Even if attackers have obtained network parameters and intermediate-layer features, they cannot extract input information without knowing the target phase. Hence, the input privacy can be effectively protected by the RENN. Besides, the output accuracy of RENNs only degrades mildly compared to traditional neural networks, and the computational cost is significantly less than the homomorphic encryption.