Cryptography for Trusted Artificial Intelligence in Medicine

The basic tools of cryptography are suited for securing communication between the different steps in the deployment of an AI system. We will focus here on the sub-area of machine learning. For such systems, a first step consists in harvesting data to learn the model. The communications between the source of data and the learning model have to be secured, at a minimum, by using classical cryptographic tools. The following steps can constitute an example:


Introduction
On 8 April 2019, the High-Level Expert Group on AI appointed by the European Union produced an important document [1] describing key principles behind the deployment of an ethical AI.

Classical Security Architectures for Trusted AI
The basic tools of cryptography are suited for securing communication between the different steps in the deployment of an AI system. We will focus here on the sub-area of machine learning. However, such an architecture does not provide the additional features demanded by the requirements for a Trustworthy AI described in section 1.

Federated Learning, Federated Byzantine Agreements and the TCLearn Model
In the classical security approach described above, all the stakeholders have to be trustworthy. If the party managing the learning model is not trusted, the learning must be distributed through secure federated learning, in which the model is learned by travelling across the data sources. This avoids putting privacy at risk of leakage, since only the model travels on the network while the data remain at their source.
Distributed, federated learning [2] has been suggested for multiple applications, including the medical field [3]. This approach facilitates cooperation through coalitions where each member keeps control of and responsibility for its own data (including accountability for privacy and consent of the data owners such as patients). Batches of data are processed iteratively to feed a shared
We show in Figure 1 a practical implementation of FBA for the validation of iteration steps of a learning model, as deployed in TCLearn.
After a majority vote, the candidate model is accepted or not.
public key and if the encryption is homomorphic, the computation done by the encrypted model will produce an encrypted result that is equivalent to a result that would have been encrypted by the public key. Only the data provider that owns the corresponding secret key will be able to decipher the result. The AI model can therefore appear as an online service, making predictions directly on encrypted data and directly providing encrypted results, ensuring the highest level of privacy.
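The encrypted prediction service described above, as an added example that is not code from the paper or from TCLearn: a toy Paillier cryptosystem (additively homomorphic only) lets a service compute a linear score on encrypted features that only the data provider can decrypt. Assumptions: the function names, the small fixed primes, the integer-scaled features and the plaintext integer weights are all constructed for illustration; a fully homomorphic scheme would be needed to also keep the model encrypted.

```python
# Toy Paillier (additively homomorphic) demo: scoring encrypted features.
# Added illustration only. The primes are far too small for real use.
import math
import secrets

def keygen(p=2**31 - 1, q=2**61 - 1):
    # Assumption: two fixed Mersenne primes keep the demo self-contained.
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # decryption constant, valid for generator g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    # Data provider: Enc(m) = (1 + n)^m * r^n mod n^2 with fresh random r.
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) * pow(r, n, n2) % n2

def decrypt(n, sk, c):
    # Secret-key holder only: recover m and map it back to a signed integer.
    lam, mu = sk
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m

def encrypted_score(n, enc_x, weights, bias):
    # Service side: builds Enc(w.x + b) from ciphertexts, without the secret key.
    n2 = n * n
    acc = (1 + (bias % n) * n) % n2  # trivial encryption of the bias (r = 1)
    for c, w in zip(enc_x, weights):
        acc = acc * pow(c, w % n, n2) % n2  # Enc(x)^w = Enc(w * x)
    return acc

def demo():
    n, sk = keygen()
    x = [120, 85, 37]        # constructed integer-scaled features
    w, b = [3, -2, 5], -100  # constructed integer weights and bias
    enc_x = [encrypt(n, v) for v in x]       # encrypted at the data source
    enc_y = encrypted_score(n, enc_x, w, b)  # computed on ciphertexts only
    return decrypt(n, sk, enc_y)             # 3*120 - 2*85 + 5*37 - 100

if __name__ == "__main__":
    print(demo())
```

Because encryption is randomized, two encryptions of the same feature value differ, so the service cannot match ciphertexts across requests.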

Deploying Machine Learning Through Homomorphic Encryption
The concept of computing over encrypted data was first introduced as a "privacy transformation" by Rivest, Adleman, and Dertouzos in 1978 [6] and developed in Europe by Paillier [7] and

Traceability of Data and Models Through Watermarking
The watermarking of data can be used for tracing their leakage.
Each batch of data can be slightly but robustly modified to contain a specific mark of the destination (for example the learning model) in such a way that leakage at the destination point can be detected (Figure 2). Watermarks can also be used as seals to authenticate the data. Researchers encrypt their trained model parameters under the same public key and upload to the cloud, which performs the required computation for privacy-preserving classification. This result is then returned to the user, who decrypts it with his/her private key. Some of the patients agree to participate in clinical trials for which they give their complete data sets for AI training in an anonymized environment based on batching and federated learning.
Some recent works are also studying the possibility of inserting watermarks in AI models: the weights of the neural networks are slightly modified to individualize each instance of the model. The watermark can be used to trace forgeries of the model or as an authentication seal [9].

Conclusions
Cryptography for AI is a very active field that relies on emergent tools like fully homomorphic encryption, watermarking of data and models, and FBA-based blockchains. This research is mandatory to converge towards ethical trusted AI.