At Apple, we believe privacy is a fundamental human right. Our work to protect user privacy is informed by a set of privacy principles, and one of those principles is to prioritize using on-device processing. By performing computations locally on a user’s device, we help minimize the amount of data that is shared with Apple or other entities. Of course, a user may request on-device experiences powered by machine learning (ML) that can be enriched by looking up global knowledge hosted on servers. To uphold our commitment to privacy while delivering these experiences, we have implemented a combination of technologies to help ensure these server lookups are private, efficient, and scalable.
One of the key technologies we use to do this is homomorphic encryption (HE), a form of cryptography that enables computation on encrypted data (see Figure 1). HE is designed so that a client device encrypts a query before sending it to a server, and the server operates on the encrypted query and generates an encrypted response, which the client then decrypts. The server does not decrypt the original request or even have access to the decryption key, so HE is designed to keep the client query private throughout the process.
At Apple, we use HE together with other privacy-preserving technologies to enable a variety of features, including private database lookups and ML. We also use a number of optimizations and techniques to balance the computational overhead of HE with the latency and efficiency demands of production applications at scale. In this article, we’re sharing an overview of how we use HE along with technologies like private information retrieval (PIR) and private nearest neighbor search (PNNS), as well as a detailed look at how we combine these and other privacy-preserving techniques in production to power Enhanced Visual Search for Photos while protecting user privacy (see Figure 2).
Introducing HE into the Apple ecosystem provides the privacy protections that make it possible for us to enrich on-device experiences with private server lookups, and to make it easier for the developer community to similarly adopt HE for their own applications, we’ve open-sourced swift-homomorphic-encryption, an HE library. See this post for more information.
Apple’s Implementation of Homomorphic Encryption
Our implementation of HE needs to allow operations common to ML workflows to run efficiently at scale, while achieving an extremely high level of security. We have implemented the Brakerski-Fan-Vercauteren (BFV) HE scheme, which supports homomorphic operations that are well suited to computation (such as dot products or cosine similarity) on embedding vectors that are common to ML workflows. We use BFV parameters that achieve post-quantum 128-bit security, meaning they provide strong security against both classical and potential future quantum attacks (previously explained in this post).
HE excels in settings where a client needs to look up information on a server while keeping the lookup computation encrypted. We first show how HE alone enables privacy-preserving server lookup for exact matches with private information retrieval (PIR), and then we describe how it can serve more complex applications with ML when combining approximate matches with private nearest neighbor search (PNNS).
Private Information Retrieval (PIR)
A number of use cases require a device to privately retrieve an exact match to a query from a server database, such as retrieving the appropriate business logo and information to display with a received email (a feature coming to the Mail app in iOS 18 later this year), providing caller ID information on an incoming phone call, or checking if a URL has been classified as adult content (as is done when a parent has set content restrictions for their child’s iPhone or iPad; see Figure 3). To protect privacy, the relevant information should be retrieved without revealing the query itself, for example in these cases the business that emailed the user, the phone number that called the user, or the URL that is being checked.
For these workflows, we use private information retrieval (PIR), a form of private keyword-value database lookup. With this process, a client has a private keyword and seeks to retrieve the associated value from a server, without downloading the entire database. To keep the keyword private, the client encrypts its keyword before sending it to the server. The server performs HE computation between the incoming ciphertext and its database, and sends the resulting encrypted value back to the requesting device, which decrypts it to learn the value associated with the keyword. Throughout this process, the server does not learn the client’s private keyword or the retrieved result, because it operates on the client’s ciphertext. For example, in the case of web content filtering, the URL is encrypted and sent to the server. The server performs encrypted computation on the ciphertext with URLs in its database, the output of which is also a ciphertext. This encrypted result is sent down to the device, where it is decrypted to identify whether the website should be blocked as per the parental restriction controls.
Private Nearest Neighbor Search (PNNS)
For use cases that require an approximate match, we use Apple’s private nearest neighbor search (PNNS), an efficient private database retrieval process for approximate matching on vector embeddings, described in the paper Scalable Private Search with Wally. With PNNS, the client encrypts a vector embedding and sends the resulting ciphertext as a query to the server. The server performs HE computation to conduct a nearest neighbor search and sends the resulting encrypted values back to the requesting device, which decrypts them to learn the nearest neighbor to its query embedding. Similar to PIR, throughout this process, the server does not learn the client’s private embedding or the retrieved results, because it operates on the client’s ciphertext.
By using techniques like PIR and PNNS together with HE and other technologies, we’re able to build on-device experiences that leverage information from large server-side databases, while protecting user privacy.
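The PIR and PNNS exchanges described above, as an added example that is not Apple's code and does not use swift-homomorphic-encryption: a Python sketch in which a toy Paillier cryptosystem stands in for BFV. The parameters, function names and sample data are assumptions made for illustration, and the PIR part selects a row by index rather than by keyword.

```python
import math, secrets

# Toy Paillier (additively homomorphic), standing in for BFV. NOT secure: the
# modulus uses two small, publicly known Mersenne primes purely for illustration.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # decryption key, client only
MU = pow(LAM, -1, N)

def encrypt(m):
    """Client: encrypt a signed integer; fresh randomness r hides equal inputs."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c):
    """Client: decrypt, mapping the upper half of Z_N back to negatives."""
    m = (pow(c, LAM, N2) - 1) // N * MU % N
    return m - N if m > N // 2 else m

def he_dot(enc_vec, plain_vec):
    """Server: Enc(sum x_i * w_i) from Enc(x_i) and plaintext w_i, no key needed.
    Multiplying ciphertexts adds plaintexts; raising to w_i scales by w_i."""
    acc = 1
    for c, w in zip(enc_vec, plain_vec):
        acc = acc * pow(c, w, N2) % N2
    return acc

def pir_query(index, db_size):
    """Client: encrypted one-hot selector; every slot looks random to the server."""
    return [encrypt(int(i == index)) for i in range(db_size)]

def pir_answer(enc_selector, db_values):
    """Server: combines every row, so which row was wanted is never exposed."""
    return he_dot(enc_selector, db_values)

def pnns_answer(enc_embedding, shard):
    """Server: one encrypted dot-product score per candidate in the shard."""
    return [he_dot(enc_embedding, vec) for vec in shard]

# Constructed sample data: a 4-row value table and a 3-candidate int8 shard.
DB = [11, 0, 42, 7]
SHARD = [[10, -5, 0, 80], [-20, 30, 5, -60], [0, 0, 100, 1]]
QUERY = [12, -7, 3, 90]

if __name__ == "__main__":
    print("PIR:", decrypt(pir_answer(pir_query(2, len(DB)), DB)))
    print("PNNS:", [decrypt(c) for c in pnns_answer([encrypt(x) for x in QUERY], SHARD)])
```

The server-side functions never touch `LAM` or `MU`, which is the property both protocols rely on; only the client can turn the returned ciphertexts into a value or a ranking.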
Implementing These Techniques in Production
Enhanced Visual Search for photos, which allows a user to search their photo library for specific locations, like landmarks and points of interest, is an illustrative example of a useful feature powered by combining ML with HE and private server lookups. Using PNNS, a user’s device privately queries a global index of popular landmarks and points of interest maintained by Apple to find approximate matches for places depicted in their photo library. Users can configure this feature on their device, using: Settings → Photos → Enhanced Visual Search.
The process starts with an on-device ML model that analyzes a given photo to determine if there is a “region of interest” (ROI) that may contain a landmark. If the model detects an ROI in the “landmark” domain, a vector embedding is calculated for that region of the image. The dimension and precision of the embedding affect the size of the encrypted request sent to the server, the HE computation demands and the response size, so to meet the latency and cost requirements of large-scale production services, the embedding is quantized to 8-bit precision before being encrypted.
The server database to which the client will send its request is divided into disjoint subdivisions, or shards, of embedding clusters. This helps reduce the computational overhead and increase the efficiency of the query, because the server can focus the HE computation on just the relevant portion of the database. A precomputed cluster codebook containing the centroids for the cluster shards is available on the user’s device. This enables the client to locally run a similarity search to identify the closest shard for the embedding, which is added to the encrypted query and sent to the server.
Identifying the database shard relevant to the query could reveal sensitive information about the query itself, so we use differential privacy (DP) with iCloud Private Relay as an anonymization network. With DP, the client issues fake queries alongside its real ones, so the server cannot tell which are genuine. The queries are also routed through the anonymization network to ensure the server can’t link multiple requests to the same client. For running PNNS for Enhanced Visual Search, our system ensures strong privacy parameters for each user’s photo library, i.e. (ε, δ)-DP, with ε = 0.8, δ = 10⁻⁶. For more details, see Scalable Private Search with Wally.
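The client-side query preparation described in the last three paragraphs, as an added Python example that is not Apple's code: 8-bit quantization, local shard selection against the centroid codebook, and a batch of shard ids with fake queries mixed in. The codebook, the embedding, the function names and the fixed fake-query count are assumptions; the page does not say how the number of fake queries is sampled, so this sketch does not by itself achieve the stated (ε, δ) guarantee.

```python
import math, random

# Constructed sample data: a 3-shard centroid codebook and one float embedding.
CODEBOOK = {0: [1.0, 0.0, 0.0, 0.0], 1: [0.0, -1.0, 0.0, 0.2], 2: [0.1, -0.4, 0.0, 0.9]}
EMBEDDING = [0.12, -0.5, 0.03, 0.9]

def quantize_int8(vec):
    """Scale so the largest component maps to +/-127, then round to integers."""
    peak = max(abs(x) for x in vec)
    if peak == 0:
        return [0] * len(vec)
    return [round(x * 127 / peak) for x in vec]

def cosine(a, b):
    """Cosine similarity, returning 0.0 for a zero vector."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.hypot(*a) * math.hypot(*b)
    return dot / norm if norm else 0.0

def nearest_shard(vec, codebook):
    """Local similarity search against the on-device centroids."""
    return max(codebook, key=lambda sid: cosine(vec, codebook[sid]))

def build_batch(real_shard, shard_ids, n_fake, rng=random.SystemRandom()):
    """Shard ids the server will see: the real one mixed with n_fake decoys.
    n_fake is a fixed illustrative constant, not a calibrated DP draw."""
    batch = [real_shard] + [rng.choice(shard_ids) for _ in range(n_fake)]
    rng.shuffle(batch)
    return batch

if __name__ == "__main__":
    q = quantize_int8(EMBEDDING)
    shard = nearest_shard(q, CODEBOOK)
    print(q, shard, build_batch(shard, list(CODEBOOK), 5))
```

The shard id travels in the clear next to the encrypted embedding, which is why the decoys and the anonymization network matter: without them the sequence of shard ids alone would narrow down what a photo library contains.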
The fleet of servers that handle these queries leverage Apple’s existing ML infrastructure, including a vector database of global landmark image embeddings, expressed as an inverted index. The server identifies the relevant shard based on the index in the client query and uses HE to compute the embedding similarity in this encrypted space. The encrypted scores and set of corresponding metadata (such as landmark names) for candidate landmarks are then returned to the client.
To optimize the efficiency of server-client communications, all similarity scores are merged into one ciphertext of a specified response size.
The client decrypts the reply to its PNNS query, which may contain multiple candidate landmarks. A specialized, lightweight on-device reranking model then predicts the best candidate by using high-level multimodal feature descriptors, including visual similarity scores; locally stored geo-signals; popularity; and index coverage of landmarks (to debias candidate overweighting). When the model has identified the match, the photo’s local metadata is updated with the landmark label, and the user can easily find the photo when searching their device for the landmark’s name.
Conclusion
As shown in this article, Apple is using HE to uphold our commitment to protecting user privacy, while building on-device experiences enriched with information privately looked up from server databases. By implementing HE with a combination of privacy-preserving technologies like PIR and PNNS, on-device and server-side ML models, and other privacy-preserving techniques, we’re able to deliver features like Enhanced Visual Search, without revealing to the server any information about a user’s on-device content and activity. Introducing HE to the Apple ecosystem has been central to enabling this, and can also help to provide valuable global knowledge to inform on-device ML models while preserving user privacy. With the recently open-sourced library swift-homomorphic-encryption, developers can now similarly build on-device experiences that leverage server-side data while protecting user privacy.