Machine unlearning aims to remove points from the training dataset of a machine learning model after training; for example, when a user requests that their data be deleted. While many machine unlearning methods have been proposed, none of them enable users to audit the unlearning procedure and verify that their data was indeed unlearned. To address this, we define the first cryptographic framework to formally capture the security of verifiable machine unlearning. While our framework is generally applicable to different approaches, its advantages are perhaps best illustrated by our instantiation for the canonical approach to unlearning: retraining the model without the data to be unlearned. In our cryptographic protocol, the server first computes a proof that the model was trained on a dataset~$D$. Given a user data point $d$, the server then computes a proof of unlearning that shows that $d \notin D$. We realize our protocol using a SNARK and Merkle trees to obtain proofs of data update and unlearning. Based on cryptographic assumptions, we then present a formal game-based proof that our instantiation is secure. Finally, we validate the practicality of our constructions for unlearning in linear regression, logistic regression, and neural networks.
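To make the role of the Merkle commitment concrete, the sketch below shows how a server could commit to a dataset $D$ via a Merkle root and produce an authentication path for a single leaf. This is only a minimal illustration of the Merkle-tree building block, not the paper's full construction: the actual protocol additionally wraps training and non-membership checks in a SNARK, and all function names here are hypothetical.

```python
# Minimal Merkle-tree sketch (illustrative only; the paper's protocol also
# uses a SNARK on top of this commitment).
import hashlib

def h(data: bytes) -> bytes:
    """Hash a byte string with SHA-256."""
    return hashlib.sha256(data).digest()

def build_tree(leaves):
    """Build a Merkle tree over a power-of-two list of byte-string leaves.

    Returns a list of levels; tree[-1][0] is the root commitment to D.
    """
    level = [h(leaf) for leaf in leaves]
    tree = [level]
    while len(level) > 1:
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        tree.append(level)
    return tree

def prove(tree, idx):
    """Authentication path for leaf idx: sibling hashes from leaf to root."""
    path = []
    for level in tree[:-1]:
        path.append(level[idx ^ 1])  # sibling at this level
        idx //= 2
    return path

def verify(root, leaf, idx, path):
    """Recompute the root from a leaf and its authentication path."""
    node = h(leaf)
    for sibling in path:
        node = h(node + sibling) if idx % 2 == 0 else h(sibling + node)
        idx //= 2
    return node == root
```

A user holding the published root can check that a claimed leaf is (or, with sorted leaves and an adjacency argument, is not) part of the committed dataset without seeing the other data points.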