CaPC Learning: Confidential and Private Collaborative Learning
Christopher A. Choquette-Choo, Natalie Dullerud, Adam Dziedzic, Yunxiang Zhang, Somesh Jha, Nicolas Papernot, Xiao Wang
Christopher A. Choquette-Choo∗, Natalie Dullerud∗, Adam Dziedzic∗
University of Toronto and Vector Institute
{christopher.choquette.choo,natalie.dullerud}@mail.utoronto.ca, [email protected]
Yunxiang Zhang∗†
The Chinese University of Hong Kong
[email protected]
Somesh Jha‡
University of Wisconsin-Madison and XaiPient
[email protected]
Nicolas Papernot‡
University of Toronto and Vector Institute
[email protected]
Xiao Wang‡
Northwestern University
[email protected]

ABSTRACT
Machine learning benefits from large training datasets, which may not always be possible to collect by any single entity, especially when using privacy-sensitive data. In many contexts, such as healthcare and finance, separate parties may wish to collaborate and learn from each other's data but are prevented from doing so due to privacy regulations. Some regulations prevent explicit sharing of data between parties by joining datasets in a central location (confidentiality). Others also limit implicit sharing of data, e.g., through model predictions (privacy). There is currently no method that enables machine learning in such a setting, where both confidentiality and privacy need to be preserved, to prevent both explicit and implicit sharing of data. Federated learning only provides confidentiality, not privacy, since gradients shared still contain private information. Differentially private learning assumes unreasonably large datasets. Furthermore, both of these learning paradigms produce a central model whose architecture was previously agreed upon by all parties rather than enabling collaborative learning where each party learns and improves their own local model. We introduce
Confidential and Private Collaborative (CaPC) learning, the first method provably achieving both confidentiality and privacy in a collaborative setting. We leverage secure multi-party computation (MPC), homomorphic encryption (HE), and other techniques in combination with privately aggregated teacher models. We demonstrate how CaPC allows participants to collaborate without having to explicitly join their training sets or train a central model. Each party is able to improve the accuracy and fairness of their model, even in settings where each party has a model that performs well on their own dataset or when datasets are not IID and model architectures are heterogeneous across parties.
1 INTRODUCTION
The predictions of machine learning (ML) systems often reveal private information contained in their training data (Shokri et al., 2017; Carlini et al., 2019) or test inputs. Because of these limitations, legislation increasingly regulates the use of personal data (Mantelero, 2013). The relevant ethical concerns prompted researchers to invent ML algorithms that protect the privacy of training data and confidentiality of test inputs (Abadi et al., 2016; Konečný et al., 2016; Juvekar et al., 2018).

∗ Equal contributions, authors ordered alphabetically.
† Work done while the author was at Vector Institute.
‡ Equal contributions, authors ordered alphabetically.
Figure 1:
Confidential and Private Collaborative (CaPC) Learning Protocol: (1a) Querying party P_i* sends encrypted query q to each answering party P_i, i ≠ i*. Each P_i engages in a secure 2-party computation protocol to evaluate Enc(q) on M_i and outputs encrypted logits Enc(r_i). (1b) Each answering party P_i generates a random vector r̂_i and sends Enc(r_i − r̂_i) to the querying party P_i*, who decrypts to get r_i − r̂_i. (1c) Each answering party P_i runs Yao's garbled circuit protocol (Y_i) with querying party P_i* to get s_i for P_i* and ŝ_i for P_i s.t. s_i + ŝ_i is the one-hot encoding of the argmax of the logits. (2) Each answering party sends ŝ_i to the content service provider (CSP). The CSP sums the ŝ_i from each P_i and adds Laplacian or Gaussian noise for DP. The querying party sums the s_i from each Y_i computation. (3) The CSP and the querying party run Yao's garbled circuit Y_s to obtain the argmax of the sum of the querying party's and the CSP's noisy shares. The label is output to the querying party.

Yet, these algorithms require a large dataset stored either in a single location or distributed amongst billions of participants. This is the case, for example, with federated learning (McMahan et al., 2017). Prior algorithms also assume that all parties are collectively training a single model with a fixed architecture. These requirements are often too restrictive in practice. For instance, a hospital may want to improve a medical diagnosis for a patient using data and models from other hospitals. In this case, the data is stored in multiple locations, and there are only a few parties collaborating. Further, each party may also want to train models with different architectures that best serve their own priorities.

We propose a new strategy that lets fewer, heterogeneous parties learn from each other collaboratively, enabling each party to improve their own local models while protecting the confidentiality and privacy of their data. We call this
Confidential and Private Collaborative (CaPC) learning.

Our strategy improves on confidential inference (Boemer, 2020) and PATE, the private aggregation of teacher ensembles (Papernot et al., 2017). Through structured applications of these two techniques, we design a strategy for inference that enables participants to operate an ensemble of heterogeneous models, i.e., the teachers, without having to explicitly join each party's data or teacher model at a single location. This also gives each party control at inference, because inference requires the agreement and participation of each party. In addition, our strategy provides measurable confidentiality and privacy guarantees, which we formally prove. We use the running example of a network of hospitals to illustrate our approach. The hospitals participating in the CaPC protocol need guarantees on both confidentiality (i.e., data from a hospital can only be read by said hospital) and privacy (i.e., no hospital can infer private information about other hospitals' data by observing their predictions).

First, one hospital queries all the other parties over homomorphic encryption (HE), asking them to label an encrypted input using their own teacher models. This prevents the other hospitals from reading the input (Boemer et al., 2019), an improvement over PATE, and allows the answering hospitals to provide a prediction to the querying hospital without sharing their teacher models.

The answering hospitals use multi-party computation (MPC) to compute an aggregated label, and add noise during the aggregation to obtain differential privacy guarantees (Dwork et al., 2014). This is achieved by a content service provider (CSP), which then relays the aggregated label to the querying hospital. The CSP only needs to be semi-trusted: we operate under the honest-but-curious assumption. The use of MPC ensures that the CSP cannot decipher each teacher model's individual prediction, and the noise added via the noisy argmax mechanism gives differential privacy even when there are few participants. This is a significant advantage over prior decentralized approaches like federated learning, which require billions of participants to achieve differential privacy, because the sensitivity of the histogram used in our aggregation is lower than that of the gradients aggregated in federated learning. Unlike our approach, prior efforts involving few participants thus had to prioritize model utility over privacy and only guarantee confidentiality (Sheller et al., 2020).

Finally, the querying hospital can learn from this confidential and private label to improve their local model. Since the shared information is a label rather than a gradient, as used by federated learning, CaPC participants do not need to share a common model architecture; in fact, their architectures can vary throughout their participation in the protocol. This favors model development to a degree that is not possible in prior efforts such as federated learning.

We show how participants can instantiate various forms of active and online learning with the labels returned by our protocol: each party participating in the CaPC protocol may (a) identify deficiencies of its model throughout its deployment and (b) finetune the model with labels obtained by interacting with other parties. Intuitively, we achieve the analog of a doctor querying colleagues for a second opinion on a difficult diagnosis, without having to reveal the patient's medical condition.
This protocol leads to improvements in both the accuracy and fairness (when there is a skew in the data distribution of each participating hospital) of model predictions for each of the CaPC participants.

To summarize, our contributions are the following:
• We introduce CaPC learning: a confidential and private collaborative learning platform that provides both confidentiality and privacy while remaining agnostic to ML techniques.
• Through a structured application of homomorphic encryption, secure MPC, and private aggregation, we design a protocol for CaPC. We use two-party deep learning inference and design an implementation of the noisy argmax mechanism with garbled circuits.
• Our experiments on SVHN and CIFAR10 demonstrate that CaPC enables participants to collaborate and improve the utility of their models, even in the heterogeneous setting where the architectures of their local models differ, and when there are only a few participants.
• Further, when the distribution of data drifts across participating parties, we show that CaPC significantly improves fairness metrics, because querying parties benefit from knowledge learned by other parties on different data distributions, which is distilled in their predictions.
• We release the source code for reproducing all our experiments.
2 BACKGROUND
Before introducing CaPC, we first go over elements of cryptography and differential privacy that are required to understand it. Detailed treatment of these topics can be found in Appendices A and B.

2.1 CRYPTOGRAPHIC PRELIMINARIES FOR CONFIDENTIALITY
The main cryptographic tool used in CaPC is secure multi-party computation (MPC) (Yao, 1986). MPC allows a set of distrusting parties to jointly evaluate a function on their inputs without revealing anything beyond the output. In general, most practical MPC protocols can be classified into two categories: 1) generic MPC protocols that can compute any function with the above security goal (Malkhi et al., 2004); and 2) specialized MPC protocols that can be used to compute only selected functions (e.g., private set intersection (Pinkas et al., 2020), secure machine learning (Mohassel & Zhang, 2017)). Although specialized MPC protocols are less general, they are often more efficient in execution time. Protocols in both categories use similar cryptographic building blocks, including (fully) homomorphic encryption (Gentry, 2009), secret sharing (Shamir, 1979), oblivious transfer (Rabin, 2005), and garbled circuits (Yao, 1986). To understand our protocol, it is not necessary to know all details about these cryptographic building blocks, and thus we describe them in Appendix A.1. Our work uses these cryptographic preliminaries for secure computation at prediction time, unlike recent approaches, which explore new methods to achieving confidentiality at training time (Huang et al., 2020a;b).

The cryptographic protocol designed in this paper uses a specialized MPC protocol for securely evaluating a private ML model on private data, and a generic two-party computation protocol to compute an argmax in different forms. For the generic two-party computation, we use the classical Yao's garbled-circuit protocol, which can compute any function expressed as a Boolean circuit. For secure classification of neural networks, our protocol design is flexible enough to work with most existing protocols (Boemer et al., 2020; 2019; Gilad-Bachrach et al., 2016; Mishra et al., 2020). Existing protocols differ mainly in how they handle linear layers (e.g., convolutions) and non-linear layers (e.g., ReLU). For instance, one can perform all computations using a fully homomorphic encryption scheme, resulting in low communication but very high computation, or using classical MPC techniques with more communication but less computation. Other works (Juvekar et al., 2018) use a hybrid of both and thus enjoy further improvements in performance (Mishra et al., 2020). We discuss this in more detail in Appendix A.2.
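Among these building blocks, additive secret sharing is the one our protocol relies on most directly. The following minimal Python sketch (all names and parameter choices are ours, for illustration only) shows 2-of-2 additive sharing over a prime field: each share alone is uniformly random and reveals nothing about the secret.

```python
import secrets

P = 2**61 - 1  # illustrative prime; in CaPC the field is set by the CKKS parameters

def share(x: int) -> tuple[int, int]:
    """Split x into two additive shares over the field Z_P."""
    r = secrets.randbelow(P)        # uniformly random mask, kept by one party
    return (x - r) % P, r           # the two shares sum to x modulo P

def reconstruct(s0: int, s1: int) -> int:
    """Recombine both shares to recover the secret."""
    return (s0 + s1) % P

s0, s1 = share(42)
assert reconstruct(s0, s1) == 42    # either share alone is uniform over Z_P
```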
2.2 DIFFERENTIAL PRIVACY
Differential privacy is the established framework for measuring the privacy leakage of a randomized algorithm (Dwork et al., 2006). In the context of machine learning, it requires the training algorithm to produce statistically indistinguishable outputs on any pair of datasets that differ by only one data point. This implies that an adversary observing the outputs of the training algorithm (e.g., the model's parameters, or its predictions) can improve its guess by at most a bounded probability when inferring properties of the training data points. Formally, we have the following definition.
Definition 1 (Differential Privacy). A randomized mechanism M with domain D and range R satisfies (ε, δ)-differential privacy if for any subset S ⊆ R and any adjacent datasets d, d′ ∈ D, i.e., ‖d − d′‖ ≤ 1, the following inequality holds:

Pr[M(d) ∈ S] ≤ e^ε Pr[M(d′) ∈ S] + δ.    (1)

In our work, we obtain differential privacy by post-processing the outputs of an ensemble of models with the noisy argmax mechanism of Dwork et al. (2014) (for more details on differential privacy, please refer to Appendix B), à la PATE (Papernot et al., 2017). We apply the improved analysis of PATE (Papernot et al., 2018) to compute the privacy guarantees obtained (i.e., a bound on ε). Our technique differs from PATE in that each of the teacher models is trained by a different party, whereas PATE assumes a centralized learning setting where all of the training and inference is performed by a single party. Note that our technique is used at inference time, which differs from recent works in differential privacy that compare neuron pruning during training with mechanisms satisfying differential privacy (Huang et al., 2020c). We use cryptography to securely decentralize computations.
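As a concrete illustration of the noisy argmax mechanism, the sketch below adds Laplace noise to a histogram of teacher votes and releases only the index of the largest noisy count. The noise scale shown (sensitivity/ε) is illustrative; CaPC calibrates the noise via the PATE analysis rather than this simple rule.

```python
import numpy as np

def noisy_argmax(votes: np.ndarray, epsilon: float, sensitivity: float = 1.0) -> int:
    """Report-noisy-max: perturb each vote count with Laplace noise, release the argmax."""
    noise = np.random.laplace(loc=0.0, scale=sensitivity / epsilon, size=votes.shape)
    return int(np.argmax(votes + noise))

votes = np.array([12, 30, 28])            # per-class label counts from an ensemble
label = noisy_argmax(votes, epsilon=2.0)  # only this single label is ever released
```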
3 THE CAPC PROTOCOL
We now introduce our protocol for achieving both confidentiality and privacy in collaborative (CaPC) learning. To do so, we formalize and generalize our example of collaborating hospitals from Section 1.
3.1 PROBLEM DESCRIPTION
A small number of parties {P_i}, i ∈ [1, K], each holding a private dataset D_i = {(x_j, y_j or ∅) : j ∈ [1, N_i]} and capable of fitting a predictive model M_i to it, wish to improve the utility of their individual models via collaboration. Due to the private nature of the datasets in question, they cannot directly share data or by-products of data (e.g., model weights) with each other. Instead, they will collaborate by querying each other for labels of the inputs about which they are uncertain. In the active learning paradigm, one party P_i* poses queries in the form of data samples x, and all the other parties {P_i}, i ≠ i*, together provide answers in the form of predicted labels ŷ. Each model {M_i}, i ∈ [1, K], can be exploited in both the querying phase and the answering phase, with the role of querying party alternating between the participants {P_i}, i ∈ [1, K], in the protocol.

Threat Model.
To obtain the strong confidentiality and privacy guarantees that we described, we require a semi-trusted third party called the content service provider (CSP). We assume that the CSP does not collude with any party and that the adversary can corrupt any subset of C parties {P_i}, i ∈ [1, C]. When more than one party is corrupted, this has no impact on the confidentiality guarantee, but the privacy budget ε obtained will degrade by a factor proportional to C because the sensitivity of the aggregation mechanism increases (see Section 3.3). We work in the honest-but-curious setting, a commonly adopted assumption in cryptography which requires the adversary to follow the protocol description correctly while trying to infer information from the protocol transcript.
3.2 CAPC PROTOCOL DESCRIPTION
Our protocol introduces a novel formulation of the private aggregation of teachers, which implements two-party confidential inference and secret sharing to improve upon the work of Papernot et al. (2017) and guarantee confidentiality. Recall that the querying party P_i* initiates the protocol by sending an encrypted input x to all answering parties P_i, i ≠ i*. We use sk and pk to denote the secret and public keys owned by party P_i*. The proposed protocol consists of the following steps (a plaintext mock-up of the full flow is sketched below):

1. For each i ≠ i*, P_i (with model parameters M_i as its input) and P_i* (with x, sk, pk as its input) run a secure two-party protocol. As the outcome, P_i obtains ŝ_i and P_i* obtains s_i such that s_i + ŝ_i = OneHot(argmax(r_i)), where r_i are the predicted logits. This step can be achieved as follows:
   a) P_i* and P_i run a secure two-party ML classification protocol such that P_i* learns nothing while P_i learns Enc_pk(r_i), where r_i are the predicted logits.
   b) P_i generates a random vector r̂_i, performs the computation Enc_pk(r_i) − Enc_pk(r̂_i) = Enc_pk(r_i − r̂_i) on the encrypted data, and sends the encrypted difference to P_i*, who decrypts and obtains (r_i − r̂_i).
   c) P_i (with r̂_i as input) and P_i* (with r_i − r̂_i as input) engage in Yao's two-party garbled-circuit protocol to obtain vector s_i for P_i* and vector ŝ_i for P_i, such that s_i + ŝ_i = OneHot(argmax(r_i)).
2. Each P_i sends ŝ_i to the CSP. The CSP computes ŝ = Σ_{i≠i*} ŝ_i + DPNoise(ε), where DPNoise() is element-wise Laplacian or Gaussian noise whose variance is calibrated to obtain a desired differential privacy guarantee ε; meanwhile, P_i* computes s = Σ_{i≠i*} s_i.
3. The CSP and P_i* engage in Yao's two-party garbled-circuit protocol for computing the argmax: P_i* gets argmax(ŝ + s) and the CSP gets nothing.
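To make the data flow concrete, here is a plaintext mock-up of steps 1-3 (no encryption or garbled circuits; all names and parameters are ours, for illustration). It shows how the per-party shares recombine to the vote histogram, how the CSP's DP noise rides on its aggregated share, and why the querying party only ever sees the final argmax.

```python
import numpy as np

P = 2**61 - 1                   # illustrative prime field for the additive shares
N_CLASSES, N_PARTIES, SIGMA = 10, 5, 2.0
rng = np.random.default_rng(0)

def one_hot(idx: int, n: int) -> np.ndarray:
    v = np.zeros(n, dtype=np.int64)
    v[idx] = 1
    return v

# Step 1: each answering party splits OneHot(argmax(r_i)) into shares s_i, s_hat_i.
def make_shares(logits: np.ndarray):
    onehot = one_hot(int(np.argmax(logits)), N_CLASSES)
    s_hat = rng.integers(0, P, size=N_CLASSES)   # kept by the answering party
    s = (onehot - s_hat) % P                     # learned by the querying party
    return s, s_hat

shares = [make_shares(rng.normal(size=N_CLASSES)) for _ in range(N_PARTIES)]

# Step 2: the querying party sums its shares; the CSP sums the answering
# parties' shares and adds integer-rounded Gaussian noise for DP.
s_sum = np.zeros(N_CLASSES, dtype=np.int64)
s_hat_sum = np.zeros(N_CLASSES, dtype=np.int64)
for s, s_hat in shares:
    s_sum = (s_sum + s) % P                      # reduce as we go to avoid overflow
    s_hat_sum = (s_hat_sum + s_hat) % P
dp_noise = np.rint(rng.normal(0.0, SIGMA, size=N_CLASSES)).astype(np.int64)
s_hat_sum = (s_hat_sum + dp_noise) % P

# Step 3: in CaPC this recombination happens inside a garbled circuit, so the
# noisy histogram is never revealed -- only its argmax is output to the querier.
hist = (s_sum + s_hat_sum) % P
signed = np.where(hist > P // 2, hist - P, hist)  # undo wraparound of negative noise
label = int(np.argmax(signed))
```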
Next, we elaborate on the confidentiality and privacy guarantees achieved by CaPC.

3.3 CONFIDENTIALITY AND DIFFERENTIAL PRIVACY GUARANTEES

Confidentiality Analysis.
We prove in Appendix E that the above protocol reveals nothing to P_i or the CSP and only reveals the final noisy result to P_i*. The protocol is secure against a semi-honest adversary corrupting any subset of parties. Intuitively, the proof follows from the security of the underlying components, including the two-party classification protocol, secret sharing, and Yao's garbled circuit protocol. As discussed in Section 4.1 and Appendix A.1, for secret sharing of unbounded integers, we need to make sure the random padding is picked from a domain much larger than the maximum possible value being shared. Given the above, a corrupted P_i* cannot learn anything about M_i of an honest party due to the confidentiality guarantee of the secure classification protocol; similarly, the confidentiality of x against a corrupted P_i is also protected. Intermediate values are all secretly shared (and only recovered within garbled circuits), so they are not visible to any party.

Differential Privacy Analysis.
Here, any potential privacy leakage in terms of differential privacy is incurred by the answering parties {P_i}, i ≠ i*, for their datasets {D_i}, i ≠ i*, because these parties share the predictions of their models. Before sharing these predictions with P_i*, we follow the PATE protocol: we compute the histogram of label counts ŷ, then add Laplacian or Gaussian noise using a sensitivity of 1, and finally return the argmax of the noisy histogram to P_i*. Since P_i* only sees this noisily aggregated label, both the data-dependent and data-independent differential privacy analyses of PATE apply to P_i* (Papernot et al., 2017; 2018). Thus, when there are enough parties with high consensus, we can obtain a tighter bound on the privacy budget ε, as the true plurality will more likely be returned (refer to Appendix B for more details on how this is achieved in PATE). This setup assumes that only one answering party can be corrupted. If instead C parties are corrupted, the sensitivity of the noisy aggregation mechanism will be scaled by C and the privacy guarantee will deteriorate accordingly. There is no privacy leakage to the CSP; it does not receive any part of the predictions from {P_i}, i ≠ i*.
4 EXPERIMENTS

CaPC aims to improve the model utility of collaborating parties by providing them with new labelled data for training their respective local models. Since we designed the CaPC protocol with techniques for confidentiality (i.e., confidential inference and secret sharing) and differential privacy (i.e., private aggregation), our experiments consider the following three major dimensions:
1. How well does collaboration improve the model utility of all participating parties?
2. What requirements are there to achieve privacy, and how can these be relaxed under different circumstances? What is the trade-off between the privacy and utility provided by CaPC?
3. What is the resulting computational cost of ensuring confidentiality?
4.1 IMPLEMENTATION
We use the HE-transformer library with MPC (MP2ML) by Boemer (2020) in step 1a of our protocol for confidential two-party deep learning inference. To make our protocol flexible to any private inference library, not just those that return the label predicted by the model (HE-transformer only returns logits), we incorporate steps 1b and 1c of the protocol outside of the private inference library. The EMP toolkit (Wang et al., 2016) for generic two-party computation is used to compute the operations, including argmax and sum, via garbled circuits. To secret share the encrypted values, we first convert them into integers over a prime field according to the CKKS parameters, and then perform secret sharing on that domain to obtain perfect secret sharing. We use the single largest logit value for each M_i, obtained on its training set D_i in plain text, to calculate the necessary noise.
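The conversion step above can be pictured as fixed-point encoding into a prime field. The sketch below is our own illustration (the SCALE and P values are placeholders; in CaPC they are fixed by the CKKS parameters): logits become field elements, with the upper half of the field standing in for negative values.

```python
SCALE = 2**12   # fixed-point precision (placeholder; set by the CKKS parameters)
P = 2**61 - 1   # plaintext prime field (placeholder)

def encode(x: float) -> int:
    """Map a real-valued logit to a field element via fixed-point rounding."""
    return round(x * SCALE) % P

def decode(e: int) -> float:
    """Invert encode(), reading the upper half of the field as negatives."""
    v = e if e <= P // 2 else e - P
    return v / SCALE

assert abs(decode(encode(-3.25)) - (-3.25)) < 1 / SCALE
```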
4.2 EVALUATION SETUP

Collaboration.
We use the following setup for experiments unless otherwise noted. We uniformly sample from the training set in use (for the SVHN dataset, we combine its original training set and extra set to get a larger training set), without replacement, to create disjoint partitions D_i of equal size and identical data distribution for each party. We select K = 50 and K = 250 as the number of parties for CIFAR10 and SVHN, respectively (the number is larger for SVHN because we have more data). We select Q = 3 querying parties P_i* and similarly divide part of the test set into Q separate private pools for each P_i* to select queries from, until their privacy budget of ε is reached (using Gaussian noise with σ = 40 on SVHN and on CIFAR10). We are left with , and , evaluation data points from the test sets of CIFAR10 and SVHN, respectively. We fix ε = 2 and for SVHN and CIFAR10, respectively (which leads to ≈ queries per party), and report accuracy on the evaluation set. Querying models are retrained on their D_i plus the newly labelled data; the difference in accuracies is their accuracy improvement.

We use shallower variants of VGG, namely VGG-5 and VGG-7 for CIFAR10 and SVHN, respectively, to accommodate the small size of each party's private dataset. We instantiate VGG-7 with 6 convolutional layers and one final fully-connected layer, so there are 7 functional layers overall. Similarly, VGG-5 has 4 convolutional layers followed by a fully-connected layer. The ResNet-10 architecture starts with a single convolutional layer, followed by 4 basic blocks with 2 convolutional layers in each block, and ends with a fully-connected layer, giving 10 functional layers in total. The ResNet-8 architecture that we use excludes the last basic block and increases the number of neurons in the last (fully-connected) layer. We present more details on the architectures in Appendix F.2.

We first train local models for all parties using their non-overlapping private datasets. Next, we run the CaPC protocol to generate query-answer pairs for each querying party. Finally, we retrain the local model of each querying party using the combination of their original private dataset and the newly obtained query-answer pairs. We report the mean accuracy and class-specific accuracy averaged over 5 runs for all retrained models, where each run uses a different random seed.
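The uniform partitioning described above amounts to shuffling indices and slicing; a minimal sketch (function name and seed are ours, for illustration):

```python
import numpy as np

def disjoint_partitions(n_examples: int, n_parties: int, seed: int = 0):
    """Shuffle example indices and split them into equal-size disjoint partitions."""
    rng = np.random.default_rng(seed)
    idx = rng.permutation(n_examples)
    usable = n_examples - n_examples % n_parties   # drop the remainder for equal sizes
    return np.split(idx[:usable], n_parties)

partitions = disjoint_partitions(50_000, 50)       # e.g., CIFAR10 with K = 50 parties
```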
Heterogeneity and Data Skew. Where noted, our heterogeneous experiments (recall that this is a newly applicable setting that CaPC enables) use VGG-7, ResNet-8, and ResNet-10 architectures for K parties each. One model of each architecture is used for each of the Q = 3 querying parties. Our data skew experiments use fewer data samples for the classes 'horse', 'ship', and 'truck' on CIFAR10 and fewer data for two of the classes on SVHN. In turn, unfair ML algorithms perform worse on these specific classes, leading to worse balanced accuracy (see Appendix D). We adopt balanced accuracy instead of other fairness metrics because the datasets we use have no sensitive attributes, making them inapplicable. We employ margin, entropy, and greedy k-center active learning strategies, one of which is illustrated below.
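As one example of the acquisition strategies just named, entropy-based selection keeps the pool points whose predictive distributions are most uncertain. A minimal sketch (names and shapes are ours, for illustration):

```python
import numpy as np

def entropy_select(probs: np.ndarray, k: int) -> np.ndarray:
    """Return indices of the k pool points with highest predictive entropy."""
    ent = -np.sum(probs * np.log(probs + 1e-12), axis=1)
    return np.argsort(-ent)[:k]

# probs: (n_pool, n_classes) softmax outputs of the querying party's local model
probs = np.random.dirichlet(np.ones(10), size=100)
query_indices = entropy_select(probs, k=5)   # these points are sent as CaPC queries
```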
4.3 COLLABORATION ANALYSIS
We first investigate the benefits of collaboration for improving each party's model performance in several different settings, namely: homogeneous and heterogeneous model architectures across querying and answering parties, and uniform and non-uniform data sampling for training data. From these experiments, we observe: increased accuracy in both homogeneous and heterogeneous settings for all model architectures (Section 4.3.1), and improved balanced accuracy when there is data skew between parties, i.e., non-uniform private data (Section 4.3.2).
4.3.1 UNIFORMLY SAMPLED PRIVATE DATA
The first setting we consider is a uniform distribution of data amongst the parties; there is no data drift among parties. Our setup for the uniform data distribution experiments is detailed in Section 4.2. We evaluate the per-class and overall accuracy before and after CaPC in both homogeneous and heterogeneous settings on the CIFAR10 and SVHN datasets.

In Figure 2, we see a consistent increase in accuracy for each class and overall, in terms of mean accuracy across all parties on the test sets. We observe these improvements in both the homogeneous and heterogeneous settings for both datasets tested. As demonstrated in Figure 2, there is a greater climb in mean accuracy in the heterogeneous setting than in the homogeneous setting on SVHN. Figures 5, 6, and 7 provide a breakdown of the benefits obtained by each querying party. We can see from these figures that all querying parties observe an increase in overall accuracy in heterogeneous and homogeneous settings with both datasets; additionally, the jump in accuracy is largely constant across different model architectures. In only a small fraction of all cases were any class-specific accuracies degraded, and even then the models still showed a net increase in overall accuracy.