Qiao Zhang,Cong Wang,Hongyi Wu,Chunsheng Xin,Tran V. Phuong

DOI: https://doi.org/10.24963/ijcai.2018/547

2018-01-01

Abstract:Privacy is a fundamental challenge for a variety of smart applications that depend on data aggregation and collaborative learning across different entities. In this paper, we propose a novel privacy-preserved architecture where clients can collaboratively train a deep model while preserving the privacy of each client's data. Our main strategy is to carefully partition a deep neural network to two non-colluding parties. One party performs linear computations on encrypted data utilizing a less complex homomorphic cryptosystem, while the other executes non-polynomial computations in plaintext but in a privacy-preserved manner. We analyze security and compare the communication and computation complexity with the existing approaches. Our extensive experiments on different datasets demonstrate not only stable training without accuracy loss, but also 14 to 35 times speedup compared to the state-of-the-art system.

Yuanchao Ding,Hua Guo,Yewei Guan,Weixin Liu,Jiarong Huo,Zhenyu Guan,Xiyong Zhang

2023-08-19

Abstract:Transformer has been successfully used in practical applications, such as ChatGPT, due to its powerful advantages. However, users' input is leaked to the model provider during the service. With people's attention to privacy, privacy-preserving Transformer inference is on the demand of such services. Secure protocols for non-linear functions are crucial in privacy-preserving Transformer inference, which are not well studied. Thus, designing practical secure protocols for non-linear functions is hard but significant to model performance. In this work, we propose a framework \emph{East} to enable efficient and accurate secure Transformer inference. Firstly, we propose a new oblivious piecewise polynomial evaluation algorithm and apply it to the activation functions, which reduces the runtime and communication of GELU by over 1.5$\times$ and 2.5$\times$, compared to prior arts. Secondly, the secure protocols for softmax and layer normalization are carefully designed to faithfully maintain the desired functionality. Thirdly, several optimizations are conducted in detail to enhance the overall efficiency. We applied \emph{East} to BERT and the results show that the inference accuracy remains consistent with the plaintext inference without fine-tuning. Compared to Iron, we achieve about 1.8$\times$ lower communication within 1.2$\times$ lower runtime.

Cryptography and Security,Artificial Intelligence,Machine Learning

Mu Yuan,Lan Zhang,Xiang-Yang Li

2024-05-08

Abstract:Security of model parameters and user data is critical for Transformer-based services, such as ChatGPT. While recent strides in secure two-party protocols have successfully addressed security concerns in serving Transformer models, their adoption is practically infeasible due to the prohibitive cryptographic overheads involved. Drawing insights from our hands-on experience in developing two real-world Transformer-based services, we identify the inherent efficiency bottleneck in the two-party assumption. To overcome this limitation, we propose a novel three-party threat model. Within this framework, we design a semi-symmetric permutation-based protection scheme and present STIP, the first secure Transformer inference protocol without any inference accuracy loss. Experiments on representative Transformer models in real systems show that STIP has practical security and outperforms state-of-the-art secure two-party protocols in efficiency by millions of times.

Cryptography and Security,Machine Learning

Yanxin Liu,Qianqian Su

DOI: https://doi.org/10.1109/access.2024.3384268

IF: 3.9

2024-04-12

IEEE Access

Abstract:The Transformer model has emerged as a prominent machine learning tool within the field of natural language processing. Nevertheless, running the Transformer model on resource-constrained devices presents a notable challenge that needs to be addressed. Although outsourcing services can significantly reduce the computational overhead associated with using the model, it also incurs privacy risks to the provider's proprietary model and the client's sensitive data. In this paper, we propose an efficient privacy-preserving Transformer inference framework (PPTIF) for language translation tasks based on three-party replicated secret-sharing techniques. PPTIF offers a secure approach for users to leverage Transformer-based applications, such as language translation, while maintaining the confidentiality of their original input and inference results, thereby preventing any disclosure to the cloud server. Meanwhile, PPTIF ensures robust protection for the model parameters, guaranteeing their integrity and confidentiality. In PPTIF, we design a series of interaction protocols to implement the secure computation of Transformer components, namely secure Encoder and secure Decoder. To improve the efficiency of PPTIF, we optimize the computation of the Scaled Dot-Product Attention (Transformer's core operation) under secret sharing, effectively reducing its computation and communication overhead. Compared with Privformer, the optimized Masked Multi-Head Attention achieves about lower runtime and lower communication. In total, PPTIF achieve about lower runtime and lower communication. The effectiveness and security of PPTIF have been rigorously evaluated through comprehensive theoretical analysis and experimental validation.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yang Li,Xinyu Zhou,Yitong Wang,Liangxin Qian,Jun Zhao

2024-12-11

Abstract:Transformer models have revolutionized AI, enabling applications like content generation and sentiment analysis. However, their use in Machine Learning as a Service (MLaaS) raises significant privacy concerns, as centralized servers process sensitive user data. Private Transformer Inference (PTI) addresses these issues using cryptographic techniques such as Secure Multi-Party Computation (MPC) and Homomorphic Encryption (HE), enabling secure model inference without exposing inputs or models. This paper reviews recent advancements in PTI, analyzing state-of-the-art solutions, their challenges, and potential improvements. We also propose evaluation guidelines to assess resource efficiency and privacy guarantees, aiming to bridge the gap between high-performance inference and data privacy.

Cryptography and Security,Artificial Intelligence

Mingyun Bian,Yanli Ren,Guanghui He,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1109/tetci.2024.3502411

2024-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Nowadays, the generative pre-trained transformer (GPT) models with intrinsic traits have been widely employed in tackling a variety of natural language process tasks. Federated learning facilitates collaborative learning across isolated data silos, entailing risks to sensitive data and proprietary models. Prior works on secure GPT-2 services focused on protect confidential data at the cost of utility degradation, leaving fine-tuned models and feedback results vulnerable to malicious server. To accomplish a higher level of security preservation while maintaining model utility, we design the first verifiable privacy-enhanced federated GPT-2 fine-tuning system (VFFG) with dropout-resilience. VFFG leverages homomorphic encryption and pseudorandom techniques to ensure the privacy of local sensitive data and fine-tuned model parameters while also guaranteeing the reliability of feedback results to resist the tampering attacks. Security analysis theoretically proves that VFFG obtains a higher privacy level compared to previous works and a constant complexity of verification. Extensive evaluations on three types of large language models and four public datasets indicate that VFFG quantitatively outperforms the related work under multiple evaluation criteria.

Meng Tong,Kejiang Chen,Jie Zhang,Yuang Qi,Weiming Zhang,Nenghai Yu,Tianwei Zhang,Zhikun Zhang

2024-03-27

Abstract:Large language models (LLMs), like ChatGPT, have greatly simplified text generation tasks. However, they have also raised concerns about privacy risks such as data leakage and unauthorized data collection. Existing solutions for privacy-preserving inference face practical challenges related to computation time and communication costs. In this paper, we propose InferDPT, the first practical framework for the privacy-preserving Inference of black-box LLMs, implementing Differential Privacy in Text generation. InferDPT comprises two key modules: the "perturbation module" utilizes the exponential mechanism to generate a perturbed prompt, facilitating privacy-preserving inference with black-box LLMs, and the "extraction module", inspired by knowledge distillation and retrieval-augmented generation, extracts coherent and consistent text from the perturbed generation result, ensuring successful text generation completion. To address privacy concerns related to previous exponential mechanisms' susceptibility to embedding revision attacks, we introduce RANTEXT, a novel differential privacy mechanism integrated into the perturbation module of InferDPT, which introduces the concept of "RANdom adjacency" for TEXT perturbation within the prompt. Experimental results across three datasets demonstrate that the text generation quality of InferDPT is comparable to that of non-private GPT-4, and RANTEXT surpasses existing state-of-the-art mechanisms, namely, SANTEXT+ and CUSTEXT+ in the trade-off between privacy and utility. Even with an privacy parameter epsilon value of 6.0, RANTEXT achieves an average privacy protection rate exceeding 90% against embedding revision attacks, which is 0.58 times higher than that of SANTEXT+ and 3.35 times higher than that of CUSTEXT+.

Cryptography and Security

Wenjing Fang,Chaochao Chen,Jin Tan,Chaofan Yu,Yufei Lu,Li Wang,Lei Wang,Jun Zhou,Alex X

2020-01-01

Abstract:Gradient tree boosting (e.g. XGB) is one of the most widely usedmachine learning models in practice. How to build a secure XGB inface of data isolation problem becomes a hot research topic. However, existing works tend to leak intermediate information and thusraise potential privacy risk. In this paper, we propose a novel framework for two parties to build secure XGB with vertically partitioneddata. Specifically, we associate Homomorphic Encryption (HE) domain with Secret Sharing (SS) domain by providing the two-waytransformation primitives. The framework generally promotes theefficiency for privacy preserving machine learning and offers theflexibility to implement other machine learning models. Then weelaborate two secure XGB training algorithms as well as a corresponding prediction algorithm under the hybrid security domains.Next, we compare our proposed two training algorithms throughboth complexity analysis and experiments. Finally, we verify themodel performance on benchmark dataset and further apply ourwork to a real-world scenario.

Zhengyi Li,Kang Yang,Jin Tan,Wen-jie Lu,Haoqi Wu,Xiao Wang,Yu Yu,Derun Zhao,Yancheng Zheng,Minyi Guo,Jingwen Leng

2024-11-24

Abstract:Transformer models have gained significant attention due to their power in machine learning tasks. Their extensive deployment has raised concerns about the potential leakage of sensitive information during inference. However, when being applied to Transformers, existing approaches based on secure two-party computation (2PC) bring about efficiency limitations in two folds: (1) resource-intensive matrix multiplications in linear layers, and (2) complex non-linear activation functions like $\mathsf{GELU}$ and $\mathsf{Softmax}$. This work presents a new two-party inference framework $\mathsf{Nimbus}$ for Transformer models. For the linear layer, we propose a new 2PC paradigm along with an encoding approach to securely compute matrix multiplications based on an outer-product insight, which achieves $2.9\times \sim 12.5\times$ performance improvements compared to the state-of-the-art (SOTA) protocol. For the non-linear layer, through a new observation of utilizing the input distribution, we propose an approach of low-degree polynomial approximation for $\mathsf{GELU}$ and $\mathsf{Softmax}$, which improves the performance of the SOTA polynomial approximation by $2.9\times \sim 4.0\times$, where the average accuracy loss of our approach is 0.08\% compared to the non-2PC inference without privacy. Compared with the SOTA two-party inference, $\mathsf{Nimbus}$ improves the end-to-end performance of \bert{} inference by $2.7\times \sim 4.7\times$ across different network settings.

Cryptography and Security,Artificial Intelligence

Boxin Wang,Weixin Chen,Hengzhi Pei,Chulin Xie,Mintong Kang,Chenhui Zhang,Chejian Xu,Zidi Xiong,Ritik Dutta,Rylan Schaeffer,Sang T. Truong,Simran Arora,Mantas Mazeika,Dan Hendrycks,Zinan Lin,Yu Cheng,Sanmi Koyejo,Dawn Song,Bo Li

2024-02-27

Abstract:Generative Pre-trained Transformer (GPT) models have exhibited exciting progress in their capabilities, capturing the interest of practitioners and the public alike. Yet, while the literature on the trustworthiness of GPT models remains limited, practitioners have proposed employing capable GPT models for sensitive applications such as healthcare and finance -- where mistakes can be costly. To this end, this work proposes a comprehensive trustworthiness evaluation for large language models with a focus on GPT-4 and GPT-3.5, considering diverse perspectives -- including toxicity, stereotype bias, adversarial robustness, out-of-distribution robustness, robustness on adversarial demonstrations, privacy, machine ethics, and fairness. Based on our evaluations, we discover previously unpublished vulnerabilities to trustworthiness threats. For instance, we find that GPT models can be easily misled to generate toxic and biased outputs and leak private information in both training data and conversation history. We also find that although GPT-4 is usually more trustworthy than GPT-3.5 on standard benchmarks, GPT-4 is more vulnerable given jailbreaking system or user prompts, potentially because GPT-4 follows (misleading) instructions more precisely. Our work illustrates a comprehensive trustworthiness evaluation of GPT models and sheds light on the trustworthiness gaps. Our benchmark is publicly available at <a class="link-external link-https" href="https://decodingtrust.github.io/" rel="external noopener nofollow">this https URL</a> ; our dataset can be previewed at <a class="link-external link-https" href="https://huggingface.co/datasets/AI-Secure/DecodingTrust" rel="external noopener nofollow">this https URL</a> ; a concise version of this work is at <a class="link-external link-https" href="https://openreview.net/pdf?id=kaHpo8OZw2" rel="external noopener nofollow">this https URL</a> .

Computation and Language,Artificial Intelligence,Cryptography and Security

Mengxin Zheng,Qian Lou,Lei Jiang

2023-03-24

Abstract:It is increasingly important to enable privacy-preserving inference for cloud services based on Transformers. Post-quantum cryptographic techniques, e.g., fully homomorphic encryption (FHE), and multi-party computation (MPC), are popular methods to support private Transformer inference. However, existing works still suffer from prohibitively computational and communicational overhead. In this work, we present, Primer, to enable a fast and accurate Transformer over encrypted data for natural language processing tasks. In particular, Primer is constructed by a hybrid cryptographic protocol optimized for attention-based Transformer models, as well as techniques including computation merge and tokens-first ciphertext packing. Comprehensive experiments on encrypted language modeling show that Primer achieves state-of-the-art accuracy and reduces the inference latency by 90.6% ~ 97.5% over previous methods.

Cryptography and Security

Yixin Jie,Yixuan Ren,Qingtao Wang,Yankai Xie,Chi Zhang,Lingbo Wei,Jianqing Liu

DOI: https://doi.org/10.1109/ICC45855.2022.9839282

2022-01-01

Abstract:The current privacy-preserving Graph Neural Networks (GNNs) cannot provide security and privacy guarantees against malicious adversaries without sacrificing accuracy and efficiency. For example, the Secure Multi-party Computation (MPC) can resist malicious adversaries while adding severe overhead. Trusted Execution Environment (TEE), such as Intel Software Guard Extension (SGX), can guarantee privacy and faithful execution without compromising efficiency. However, existing attacks can compromise the confidentiality of SGXs. Besides, the CPU-based structure of SGX restricts its extensibility that cannot perform collaborative computation with GPUs. To address the above issues, we propose a novel GNN training and inference framework to support data holders outsourcing their computation tasks to servers. First, we combine the advantage of MPC and the code integrity protection provided by SGXs to resist malicious adversaries without sacrificing efficiency. Second, we adopt a strategy that allows the servers to transfer the parallelizable computation task to the untrusted yet high-performance GPUs, further improving efficiency without hindering privacy. To the best of our knowledge, our proposal is the first privacy-preserving GNN framework against malicious adversaries without sacrificing accuracy and efficiency. Experiments on real-world citation datasets have demonstrated the performance of our framework regarding security, privacy, accuracy, and efficiency.

Manil Shrestha,Yashodha Ravichandran,Edward Kim

2024-09-28

Abstract:As usage of generative AI tools skyrockets, the amount of sensitive information being exposed to these models and centralized model providers is alarming. For example, confidential source code from Samsung suffered a data leak as the text prompt to ChatGPT encountered data leakage. An increasing number of companies are restricting the use of LLMs (Apple, Verizon, JPMorgan Chase, etc.) due to data leakage or confidentiality issues. Also, an increasing number of centralized generative model providers are restricting, filtering, aligning, or censoring what can be used. Midjourney and RunwayML, two of the major image generation platforms, restrict the prompts to their system via prompt filtering. Certain political figures are restricted from image generation, as well as words associated with women's health care, rights, and abortion. In our research, we present a secure and private methodology for generative artificial intelligence that does not expose sensitive data or models to third-party AI providers. Our work modifies the key building block of modern generative AI algorithms, e.g. the transformer, and introduces confidential and verifiable multiparty computations in a decentralized network to maintain the 1) privacy of the user input and obfuscation to the output of the model, and 2) introduce privacy to the model itself. Additionally, the sharding process reduces the computational burden on any one node, enabling the distribution of resources of large generative AI processes across multiple, smaller nodes. We show that as long as there exists one honest node in the decentralized computation, security is maintained. We also show that the inference process will still succeed if only a majority of the nodes in the computation are successful. Thus, our method offers both secure and verifiable computation in a decentralized network.

Cryptography and Security,Artificial Intelligence

Xuanqi Liu,Zhuotao Liu

2023-12-15

Abstract:The community explored to build private inference frameworks for transformer-based large language models (LLMs) in a server-client setting, where the server holds the model parameters and the client inputs its private data (or prompt) for inference. However, these frameworks impose significant overhead when the private inputs are forward propagated through the original LLMs. In this paper, we show that substituting the computation- and communication-heavy operators in the transformer architecture with privacy-computing friendly approximations can greatly reduce the private inference costs while incurring very minor impact on model performance. Compared to state-of-the-art Iron (NeurIPS 2022), our privacy-computing friendly model inference pipeline achieves a $5\times$ acceleration in computation and an 80% reduction in communication overhead, while retaining nearly identical accuracy.

Machine Learning,Computation and Language,Cryptography and Security

Yixuan Ren,Yixin Jie,Qingtao Wang,Bingbing Zhang,Chi Zhang,Lingbo Wei

DOI: https://doi.org/10.1109/PST52912.2021.9647843

2021-01-01

Abstract:The Multi-party Secure Computation (MPC)-based methods for privacy-preserving Graph Neural Networks (GNNs) are still challenged by high communication overhead. Moreover, the security guarantee of most MPC-based methods can only defend against the semi-honest adversary, while a few methods which can defend against the malicious adversary will cause a further increase in communication overhead. Moreover, Software Guard Extensions (SGX), which can provide the data confidentiality and code integrity, has been considered as a novel solution to privacy-preserving GNN. Unfortunately, previous work has shown that SGX is vulnerable to side-channel attacks that deprive its confidentiality and preserve only its integrity. To solve the above problems, we propose an n-party secure computation framework for GNNs using SGX. This framework can reduce the communication overhead and improve the security guarantee without relying on the confidentiality of SGX. Specifically, both data holders and the server hold SGX. Data holders enrich the data and train the model by MPC efficiently with the assistance of the server. SGX ensures integrity, where data holders and the server must execute according to protocols, so malicious adversaries cannot deviate from the protocol to breach privacy and security. Even if the confidentiality of SGX was breached, the adversary could only access the ciphertext in MPC instead of the plaintext. We conduct experiments on public datasets to demonstrate that our framework has achieved comparable performance with traditional GNNs and perform security analysis to validate that our framework satisfies security and privacy requirements.

Ye Dong,Wen-jie Lu,Yancheng Zheng,Haoqi Wu,Derun Zhao,Jin Tan,Zhicong Huang,Cheng Hong,Tao Wei,Wenguang Chen

2023-09-26

Abstract:With ChatGPT as a representative, tons of companies have began to provide services based on large Transformers models. However, using such a service inevitably leak users' prompts to the model provider. Previous studies have studied secure inference for Transformer models using secure multiparty computation (MPC), where model parameters and clients' prompts are kept secret. Despite this, these frameworks are still limited in terms of model performance, efficiency, and deployment. To address these limitations, we propose framework PUMA to enable fast and secure Transformer model inference. Our framework designs high quality approximations for expensive functions such as GeLU and softmax, and significantly reduce the cost of secure inference while preserving the model performance. Additionally, we design secure Embedding and LayerNorm procedures that faithfully implement the desired functionality without undermining the Transformer architecture. PUMA is about $2\times$ faster than the state-of-the-art framework MPCFORMER(ICLR 2023) and has similar accuracy as plaintext models without fine-tuning (which the previous works failed to achieve). PUMA can even evaluate LLaMA-7B in around 5 minutes to generate 1 token. To our best knowledge, this is the first time that a model with such a parameter size is able to be evaluated under MPC. PUMA has been open-sourced in the Github repository of SecretFlow-SPU.

Cryptography and Security

Yuhao Wu,Franziska Roesner,Tadayoshi Kohno,Ning Zhang,Umar Iqbal

2024-03-08

Abstract:Large language models (LLMs) extended as systems, such as ChatGPT, have begun supporting third-party applications. These LLM apps leverage the de facto natural language-based automated execution paradigm of LLMs: that is, apps and their interactions are defined in natural language, provided access to user data, and allowed to freely interact with each other and the system. These LLM app ecosystems resemble the settings of earlier computing platforms, where there was insufficient isolation between apps and the system. Because third-party apps may not be trustworthy, and exacerbated by the imprecision of the natural language interfaces, the current designs pose security and privacy risks for users. In this paper, we propose SecGPT, an architecture for LLM-based systems that aims to mitigate the security and privacy issues that arise with the execution of third-party apps. SecGPT's key idea is to isolate the execution of apps and more precisely mediate their interactions outside of their isolated environments. We evaluate SecGPT against a number of case study attacks and demonstrate that it protects against many security, privacy, and safety issues that exist in non-isolated LLM-based systems. The performance overhead incurred by SecGPT to improve security is under 0.3x for three-quarters of the tested queries. To foster follow-up research, we release SecGPT's source code at https://github.com/llm-platform-security/SecGPT.

Artificial Intelligence,Computation and Language,Machine Learning,Computers and Society,Cryptography and Security

Haoran Li,Dadi Guo,Wei Fan,Mingshi Xu,Jie Huang,Fanpu Meng,Yangqiu Song

2023-11-01

Abstract:With the rapid progress of large language models (LLMs), many downstream NLP tasks can be well solved given appropriate prompts. Though model developers and researchers work hard on dialog safety to avoid generating harmful content from LLMs, it is still challenging to steer AI-generated content (AIGC) for the human good. As powerful LLMs are devouring existing text data from various domains (e.g., GPT-3 is trained on 45TB texts), it is natural to doubt whether the private information is included in the training data and what privacy threats can these LLMs and their downstream applications bring. In this paper, we study the privacy threats from OpenAI's ChatGPT and the New Bing enhanced by ChatGPT and show that application-integrated LLMs may cause new privacy threats. To this end, we conduct extensive experiments to support our claims and discuss LLMs' privacy implications.

Computation and Language,Cryptography and Security

Siqi Liu,Zhusen Liu,Donglong Chen,Wangchen Dai,Lu Zhou,Zhe Liu,Ray C. C. Cheung,Çetin Kaya Koç

DOI: https://doi.org/10.1007/s13389-024-00365-1

2024-11-27

Journal of Cryptographic Engineering

Abstract:Transformer-based models are widely used in natural language processing tasks, and their application has been further extended to computer vision as well. In their usage, data security has become a crucial concern when deploying deep learning services on cloud platforms. To address these security concerns, Multi-party computation (MPC) is employed to prevent data and model leakage during the inference process. However, Transformer model introduces several challenges for MPC computation, including the time overhead of the Softmax (normalized exponential) function, the accuracy issue caused by the "dynamic range" of approximated division and exponential, and the high memory overhead when processing long sequences. To overcome these challenges, we propose MLformer, an MPC-based inference framework for transformer models based on Crypten Knott et al. (Adv Neural Inf Process Syst 34: 4961–4973, 2021), a secure machine learning framework suggested by Facebook AI Research group, in the semi-honest adversary model. In this framework, we replace the softmax attention with linear attention, which has linear time and memory complexity with input length. The modification eliminates the softmax function entirely, resulting in lower time and memory overhead. To ensure the accuracy of linear attention, we propose the scaled linear attention to address the dynamic range issue caused by the MPC division used and a new approximate division function is proposed to reduce the computational time of the attention block. Furthermore, to improve the efficiency and accuracy of MPC exponential and reciprocal which are commonly used in transformer model, we propose a novel MPC exponential protocol and first integrate the efficient reciprocal protocol Bar-Ilan and Beaver (in Proceedings of the 8th annual ACM symposium on principles of distributed computing, pp. 201–209, 1989) to our framework. Additionally, we optimize the computation of causal linear attention, which is utilized in private inference of auto-regression tasks, using our novel CUDA kernel functions. All the proceeding optimizations contribute to the construction of a more accurate and efficient framework. The experimental results demonstrate that our framework achieves comparable accuracy with reduced inference time and GPU memory overhead compared to the original transformer model. The speedup reaches 78.79% compared to traditional private transformer with input length of 1024 patches.

computer science, theory & methods

Kishore Rajasekar,Randolph Loh,Kar Wai Fok,Vrizlynn L. L. Thing

2024-04-11

Abstract:MLaaS (Machine Learning as a Service) has become popular in the cloud computing domain, allowing users to leverage cloud resources for running private inference of ML models on their data. However, ensuring user input privacy and secure inference execution is essential. One of the approaches to protect data privacy and integrity is to use Trusted Execution Environments (TEEs) by enabling execution of programs in secure hardware enclave. Using TEEs can introduce significant performance overhead due to the additional layers of encryption, decryption, security and integrity checks. This can lead to slower inference times compared to running on unprotected hardware. In our work, we enhance the runtime performance of ML models by introducing layer partitioning technique and offloading computations to GPU. The technique comprises two distinct partitions: one executed within the TEE, and the other carried out using a GPU accelerator. Layer partitioning exposes intermediate feature maps in the clear which can lead to reconstruction attacks to recover the input. We conduct experiments to demonstrate the effectiveness of our approach in protecting against input reconstruction attacks developed using trained conditional Generative Adversarial Network(c-GAN). The evaluation is performed on widely used models such as VGG-16, ResNet-50, and EfficientNetB0, using two datasets: ImageNet for Image classification and TON IoT dataset for cybersecurity attack detection.

Cryptography and Security