Chen Chaochao,Li Liang,Fang Wenjing,Zhou Jun,Wang Li,Wang Lei,Yang Shuang,Liu Alex,Wang Hao

2020-01-01

Abstract: Nowadays, the utilization of the ever expanding amount of data has made a huge impact on web technologies while also causing various types of security concerns. On one hand, potential gains are highly anticipated if different organizations could somehow collaboratively share their data for technological improvements. On the other hand, data security concerns may arise for both data holders and data providers due to commercial or sociological concerns. To make a balance between technical improvements and security limitations, we implement secure and scalable protocols for multiple data holders to train linear regression and logistic regression models. We build our protocols based on the secret sharing scheme, which is scalable and efficient in applications. Moreover, our proposed paradigm can be generalized to any secure multiparty training scenarios where only matrix summation and matrix multiplications are used. We demonstrate our approach by experiments which shows the scalability and efficiency of our proposed protocols, and finally present its real-world applications.

Longfei Zheng,Chaochao Chen,Yingting Liu,Bingzhe Wu,Xibin Wu,Li Wang,Lei Wang,Jun Zhou,Shuang Yang

2020-01-01

Abstract:Deep Neural Network (DNN) has been showing great potential in kinds of real-world applications such as fraud detection and distress prediction. Meanwhile, data isolation has become a serious problem currently, i.e., different parties cannot share data with each other. To solve this issue, most research leverages cryptographic techniques to train secure DNN models for multi-parties without compromising their private data. Although such methods have strong security guarantee, they are difficult to scale to deep networks and large datasets due to its high communication and computation complexities. To solve the scalability of the existing secure Deep Neural Network (DNN) in data isolation scenarios, in this paper, we propose an industrial scale privacy preserving neural network learning paradigm, which is secure against semi-honest adversaries. Our main idea is to split the computation graph of DNN into two parts, i.e., the computations related to private data are performed by each party using cryptographic techniques, and the rest computations are done by a neutral server with high computation ability. We also present a defender mechanism for further privacy protection. We conduct experiments on real-world fraud detection dataset and financial distress prediction dataset, the encouraging results demonstrate the practicalness of our proposal.

Ágnes Kiss,Masoud Naderpour,Jian Liu,N. Asokan,Thomas Schneider

DOI: https://doi.org/10.2478/popets-2019-0026

2019-01-01

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Decision trees and random forests are widely used classifiers in machine learning. Service providers often host classification models in a cloud service and provide an interface for clients to use the model remotely. While the model is sensitive information of the server, the input query and prediction results are sensitive information of the client. This motivates the need for private decision tree evaluation, where the service provider does not learn the client’s input and the client does not learn the model except for its size and the result. In this work, we identify the three phases of private decision tree evaluation protocols: feature selection, comparison, and path evaluation. We systematize constant-round protocols for each of these phases to identify the best available instantiations using the two main paradigms for secure computation: garbling techniques and homomorphic encryption. There is a natural tradeoff between runtime and communication considering these two paradigms: garbling techniques use fast symmetric-key operations but require a large amount of communication, while homomorphic encryption is computationally heavy but requires little communication. Our contributions are as follows: Firstly, we systematically review and analyse state-of-the-art protocols for the three phases of private decision tree evaluation. Our methodology allows us to identify novel combinations of these protocols that provide better tradeoffs than existing protocols. Thereafter, we empirically evaluate all combinations of these protocols by providing communication and runtime measures, and provide recommendations based on the identified concrete tradeoffs.

Shuangyi Chen,Yue Ju,Zhongwen Zhu,Ashish Khisti

2024-07-22

Abstract:We propose a secure inference protocol for a distributed setting involving a single server node and multiple client nodes. We assume that the observed data vector is partitioned across multiple client nodes while the deep learning model is located at the server node. Each client node is required to encrypt its portion of the data vector and transmit the resulting ciphertext to the server node. The server node is required to collect the ciphertexts and perform inference in the encrypted domain. We demonstrate an application of multi-party homomorphic encryption (MPHE) to satisfy these requirements. We propose a packing scheme, that enables the server to form the ciphertext of the complete data by aggregating the ciphertext of data subsets encrypted using MPHE. While our proposed protocol builds upon prior horizontal federated training protocol~\cite{sav2020poseidon}, we focus on the inference for vertically partitioned data and avoid the transmission of (encrypted) model weights from the server node to the client nodes.

Cryptography and Security

Ziyuan Liang,Qi'ao Jin,Zhiyong Wang,Zhaohui Chen,Zhen Gu,Yanheng Lu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2024.i2.819-843

2024-01-01

Abstract:Secure multi-party computation and homomorphic encryption are two primary security primitives in privacy-preserving machine learning, whose wide adoption is, nevertheless, constrained by the computation and network communication overheads. This paper proposes a hybrid Secret-sharing and Homomorphic encryption Architecture for Privacy-pERsevering machine learning (SHAPER). SHAPER protects sensitive data in encrypted or randomly shared domains instead of relying on a trusted third party. The proposed algorithm-protocol-hardware co-design methodology explores techniques such as plaintext Single Instruction Multiple Data (SIMD) and fine-grained scheduling, to minimize end-to-end latency in various network settings. SHAPER also supports secure domain computing acceleration and the conversion between mainstream privacy-preserving primitives, making it ready for general and distinctive data characteristics. SHAPER is evaluated by FPGA prototyping with a comprehensive hyper-parameter exploration, demonstrating a 94x speed-up over CPU clusters on large-scale logistic regression training tasks.

Claudio Angione,Yue Zhao,Harry Yang,Ahmad Farhan,Fielding Johnston,James Buban,Patrick Colangelo

2024-07-29

Abstract:The rapid growth of large-scale AI models, particularly large language models has brought significant challenges in data privacy, computational resources, and accessibility. Traditional centralized architectures often struggle to meet required data security and scalability needs which hinders the democratization of AI systems. Nesa introduces a model-agnostic sharding framework designed for decentralized AI inference. Our framework uses blockchain-based sequential deep neural network sharding to distribute computational tasks across a diverse network of nodes based on a personalised heuristic and routing mechanism. This enables efficient distributed training and inference for recent large-scale models even on consumer-grade hardware. We use compression techniques like dynamic blockwise quantization and mixed matrix decomposition to reduce data transfer and memory needs. We also integrate robust security measures, including hardware-based trusted execution environments to ensure data integrity and confidentiality. Evaluating our system across various natural language processing and vision tasks shows that these compression strategies do not compromise model accuracy. Our results highlight the potential to democratize access to cutting-edge AI technologies by enabling secure and efficient inference on a decentralized network.

Artificial Intelligence,Computation and Language,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yifeng Zheng,Huayi Duan,Cong Wang,Ruochen Wang,Surya Nepal

DOI: https://doi.org/10.1109/tdsc.2020.3040012

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Outsourcing machine learning inference services to the cloud is getting increasingly popular. However, this also entails privacy risks to the provider's proprietary model and the client's sensitive data. Focusing on inference with decision trees, this article proposes a framework for securely and efficiently outsourcing decision tree inference. Targeting both privacy and efficiency, we propose a customized protocol using only lightweight cryptography in the online execution of secure inference. We resort to additive secret sharing and tackle the problems in various components including secure input feature selection, decision node evaluation, and inference result generation. Our protocol requires no interaction from the provider and client during online secure inference, a distinct advantage over prior works for practical deployment as they all operate under the client-provider setting where synchronous and continuous interaction is required. Performance evaluation demonstrates our security design's efficiency, as well as substantial performance benefits for the client (up to four orders of magnitude in computation and 163 times in communication), as opposed to prior art in the non-outsourcing setting. To facilitate the practical usage for meeting more service demands, we also investigate the extensions for secure outsourced inference of random forests and categorical feature-based decision trees.

computer science, information systems, software engineering, hardware & architecture

Fatemeh Jafarian Dehkordi,Yasaman Keshtkarjahromi,Hulya Seferoglu

2024-09-16

Abstract:This paper focuses on designing a privacy-preserving Machine Learning (ML) inference protocol for a hierarchical setup, where clients own/generate data, model owners (cloud servers) have a pre-trained ML model, and edge servers perform ML inference on clients' data using the cloud server's ML model. Our goal is to speed up ML inference while providing privacy to both data and the ML model. Our approach (i) uses model-distributed inference (model parallelization) at the edge servers and (ii) reduces the amount of communication to/from the cloud server. Our privacy-preserving hierarchical model-distributed inference, privateMDI design uses additive secret sharing and linearly homomorphic encryption to handle linear calculations in the ML inference, and garbled circuit and a novel three-party oblivious transfer are used to handle non-linear functions. privateMDI consists of offline and online phases. We designed these phases in a way that most of the data exchange is done in the offline phase while the communication overhead of the online phase is reduced. In particular, there is no communication to/from the cloud server in the online phase, and the amount of communication between the client and edge servers is minimized. The experimental results demonstrate that privateMDI significantly reduces the ML inference time as compared to the baselines.

Cryptography and Security,Machine Learning

Hai Huang,Yongjian Wang

DOI: https://doi.org/10.1016/j.neunet.2024.106135

IF: 7.8

2024-01-19

Neural Networks

Abstract:Pre-trained models such as BERT have made great achievements in natural language processing tasks in recent years. In this paper, we investigate the privacy-preserving pre-training based neural network inference in a two-server framework based on additive secret sharing technique. Our protocol allows a resource-restrained client to request two powerful servers to cooperatively process the natural processing tasks without revealing any useful information about its data. We first design a series of secure sub-protocols for non-linear functions used in BERT model. These sub-protocols are expected to have broad applications and of independent interest. Based on the building sub-protocols, we propose SecBERT, a privacy-preserving pre-training based neural network inference protocol. SecBERT is the first cryptographically secure privacy-preserving pre-training based neural network inference protocol. We show security, efficiency and accuracy of SecBERT protocol through comprehensive theoretical analysis and experiments.

computer science, artificial intelligence,neurosciences

Yu-Chi Chen,Jhe-Kai Yang,Hsin-Chan Yen,Pei-Wen Lin

DOI: https://doi.org/10.1109/tifs.2024.3436662

IF: 7.231

2024-08-20

IEEE Transactions on Information Forensics and Security

Abstract:With the prevalence of artificial intelligence, people collect data through numerous sensors and use machine learning to create models for intelligent services. However, data privacy and massive data issues are raised with the proliferation of devices. Although secret sharing can be the solution to providing privacy and performing efficient computations (than homomorphic encryption-based) in the privacy domain, sharing large amounts of data may impose a considerable storage burden on resource-restricted devices. Therefore, we aim to reduce the shares that participants need to hold and construct secure computation protocols that form privacy-preserving data utilization with multi-secret sharing. In this paper, we study the mechanism of persistent computation with multi-secret sharing for privacy protection, which avoids the requirements for participants to store extra information during secure computation. We present the mask techniques to convert secrets into protected data and upload them separately to non-colluding dual-cloud servers through multi-secret sharing. Then, we can locally evaluate the operation result shares by revealing a part of the protected data, where the true secret consistently remains secure as the other part stays in a shared state. Eventually, we outsource a dataset to the cloud, build a privacy-preserving multi-party kNN classification based on our scheme, and provide some experiments to demonstrate the feasibility and usability of storage size.

computer science, theory & methods,engineering, electrical & electronic

Minghui Li,Yuejing Yan,Qian Wang,Minxin Du,Zhan Qin,Cong Wang

DOI: https://doi.org/10.1109/mnet.011.2000293

IF: 10.294

2021-01-01

IEEE Network

Abstract:Neural networks have attracted much attention due to their excellent performance in providing insightful predictions. The trained neural network models usually have millions of parameters requiring massive storage resources, which motivates the model owner to deploy their models to cloud servers for relieving the storage burden. The client can also directly enjoy the prediction service provided by the cloud server. Albeit convenient, untrusted cloud servers may violate the privacy of the model owners and the clients, which hinders the wide applications of such a prediction service. This survey reviews various privacy-preserving neural network prediction services, which protect the privacy of the model and the query. Many protocols are in the basic secure two-party computation (S2C) setting, which protects the secret of the querier and the model owner against the counterparty. Secure outsourcing further protects the privacy of the model against the cloud hosting it for the prediction service. We compare the existing approaches in terms of security, accuracy, and efficiency. We then propose an optimized neural network prediction scheme in the outsourcing setting, which simultaneously achieves high accuracy, model privacy, and low overheads, and conduct an experimental evaluation for computation time and communication costs. Finally, we highlight several future research directions and provide new insights into open problems in strengthening security and improving efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Chaochao Chen,Liang Li,Bingzhe Wu,Cheng Hong,Li Wang,Jun Zhou

DOI: https://doi.org/10.3233/faia200132

2020-01-01

Abstract:Nowadays, privacy preserving machine learning has been drawing much attention in both industry and academy. Meanwhile, recommender systems have been extensively adopted by many commercial platforms (e.g. Amazon) and they are mainly built based on user-item interactions. Besides, social platforms (e.g. Facebook) have rich resources of user social information. It is well known that social information, which is rich on social platforms such as Facebook, are useful to recommender systems. It is anticipated to combine the social information with the user-item ratings to improve the overall recommendation performance. Most existing recommendation models are built based on the assumptions that the social information are available. However, different platforms are usually reluctant to (or cannot) share their data due to certain concerns. In this paper, we first propose a SEcure SOcial RECommendation (SeSoRec) framework which can (1) collaboratively mine knowledge from social platform to improve the recommendation performance of the rating platform, and (2) securely keep the raw data of both platforms. We then propose a Secret Sharing based Matrix Multiplication (SSMM) protocol to optimize SeSoRec and prove its correctness and security theoretically. By applying minibatch gradient descent, SeSoRec has linear time complexities in terms of both computation and communication. The comprehensive experimental results on three real-world datasets demonstrate the effectiveness of our proposed SeSoRec and SSMM.

Yunhao Yao,Jiahui Hou,Guangyu Wu,Yihang Cheng,Mu Yuan,Puhan Luo,Zhiqiang Wang,Xiang-Yang Li

DOI: https://doi.org/10.1145/3694972

2024-01-01

ACM Transactions on Sensor Networks

Abstract:End-edge collaborative inference enhances computational efficiency by segmenting a deep neural network (DNN) model into two parts, executed across the end device and the edge node. However, existing collaborative inference strategies often involve transmitting original inputs from the end device to the edge node, resulting in significant risks of user detail leakage without requiring input reconstruction. Therefore, in this work, we present SecoInfer, a secure layer-level DNN end-edge collaborative inference framework. SecoInfer achieves joint optimization of data privacy and inference latency for DNN partition solutions that meet latency constraints, supported by three key designs. First, the privacy-aware DNN layer projection measurement quantifies the difficulty adversaries encounter in reconstructing the original input from the intermediate output of each layer. Then, the latency-privacy integrated structure modelling enables the direct calculation of the privacy measurement and inference latency for each partition solution from a list element or a directed acyclic graph (DAG) cut. Finally, the two-stage latency constraint adjustment scheme narrows down the search space of feasible partition solutions at the block level and fine-tunes the final one to meet the latency constraint based on layer depth. We prototype SecoInfer, utilizing a Raspberry Pi 4B as the end device and a server with an NVIDIA GeForce RTX 3060 GPU as the edge node. Experimental results demonstrate that under latency constraints of 20 ms, 33 ms, and 40 ms, SecoInfer reduces adversarial data reconstruction by \(9.84\%\) , \(19.26\%\) , and \(25.18\%\) respectively, without any loss of task model accuracy. SecoInfer also enhances efficiency, reducing the time needed to determine optimal end-edge partition solutions on a Raspberry Pi 4B by \(18.04\%\) .

Han Zhang,Zifan Wang,Mihir Dhamankar,Matt Fredrikson,Yuvraj Agarwal

2024-06-02

Abstract:Many Internet-of-Things (IoT) devices rely on cloud computation resources to perform machine learning inferences. This is expensive and may raise privacy concerns for users. Consumers of these devices often have hardware such as gaming consoles and PCs with graphics accelerators that are capable of performing these computations, which may be left idle for significant periods of time. While this presents a compelling potential alternative to cloud offloading, concerns about the integrity of inferences, the confidentiality of model parameters, and the privacy of users' data mean that device vendors may be hesitant to offload their inferences to a platform managed by another manufacturer. We propose VeriSplit, a framework for offloading machine learning inferences to locally-available devices that address these concerns. We introduce masking techniques to protect data privacy and model confidentiality, and a commitment-based verification protocol to address integrity. Unlike much prior work aimed at addressing these issues, our approach does not rely on computation over finite field elements, which may interfere with floating-point computation supports on hardware accelerators and require modification to existing models. We implemented a prototype of VeriSplit and our evaluation results show that, compared to performing computation locally, our secure and private offloading solution can reduce inference latency by 28%--83%.

Cryptography and Security,Artificial Intelligence

Hongyang Zhang,Yue Zhao,Claudio Angione,Harry Yang,James Buban,Ahmad Farhan,Fielding Johnston,Patrick Colangelo

2024-07-28

Abstract:The need for data security and model integrity has been accentuated by the rapid adoption of AI and ML in data-driven domains including healthcare, finance, and security. Large models are crucial for tasks like diagnosing diseases and forecasting finances but tend to be delicate and not very scalable. Decentralized systems solve this issue by distributing the workload and reducing central points of failure. Yet, data and processes spread across different nodes can be at risk of unauthorized access, especially when they involve sensitive information. Nesa solves these challenges with a comprehensive framework using multiple techniques to protect data and model outputs. This includes zero-knowledge proofs for secure model verification. The framework also introduces consensus-based verification checks for consistent outputs across nodes and confirms model integrity. Split Learning divides models into segments processed by different nodes for data privacy by preventing full data access at any single point. For hardware-based security, trusted execution environments are used to protect data and computations within secure zones. Nesa's state-of-the-art proofs and principles demonstrate the framework's effectiveness, making it a promising approach for securely democratizing artificial intelligence.

Cryptography and Security,Artificial Intelligence

Payman Mohassel,Yupeng Zhang

DOI: https://doi.org/10.1109/sp.2017.12

2017-05-01

Abstract:Machine learning is widely used in practice to produce predictive models for applications such as image processing, speech and text recognition. These models are more accurate when trained on large amount of data collected from different sources. However, the massive data collection raises privacy concerns. In this paper, we present new and efficient protocols for privacy preserving machine learning for linear regression, logistic regression and neural network training using the stochastic gradient descent method. Our protocols fall in the two-server model where data owners distribute their private data among two non-colluding servers who train various models on the joint data using secure two-party computation (2PC). We develop new techniques to support secure arithmetic operations on shared decimal numbers, and propose MPC-friendly alternatives to nonlinear functions such as sigmoid and softmax that are superior to prior work. We implement our system in C++. Our experiments validate that our protocols are several orders of magnitude faster than the state of the art implementations for privacy preserving linear and logistic regressions, and scale to millions of data samples with thousands of features. We also implement the first privacy preserving system for training neural networks.

Shijin Duan,Chenghong Wang,Hongwu Peng,Yukui Luo,Wujie Wen,Caiwen Ding,Xiaolin Xu

2024-06-04

Abstract:As privacy-preserving becomes a pivotal aspect of deep learning (DL) development, multi-party computation (MPC) has gained prominence for its efficiency and strong security. However, the practice of current MPC frameworks is limited, especially when dealing with large neural networks, exemplified by the prolonged execution time of 25.8 seconds for secure inference on ResNet-152. The primary challenge lies in the reliance of current MPC approaches on additive secret sharing, which incurs significant communication overhead with non-linear operations such as comparisons. Furthermore, additive sharing suffers from poor scalability on party size. In contrast, the evolving landscape of MPC necessitates accommodating a larger number of compute parties and ensuring robust performance against malicious activities or computational failures. In light of these challenges, we propose SSNet, which for the first time, employs Shamir's secret sharing (SSS) as the backbone of MPC-based ML framework. We meticulously develop all framework primitives and operations for secure DL models tailored to seamlessly integrate with the SSS scheme. SSNet demonstrates the ability to scale up party numbers straightforwardly and embeds strategies to authenticate the computation correctness without incurring significant performance overhead. Additionally, SSNet introduces masking strategies designed to reduce communication overhead associated with non-linear operations. We conduct comprehensive experimental evaluations on commercial cloud computing infrastructure from Amazon AWS, as well as across diverse prevalent DNN models and datasets. SSNet demonstrates a substantial performance boost, achieving speed-ups ranging from 3x to 14x compared to SOTA MPC frameworks. Moreover, SSNet also represents the first framework that is evaluated on a five-party computation setup, in the context of secure DL inference.

Cryptography and Security,Machine Learning

Jiahui Hou,Huiqi Liu,Yunxin Liu,Yu Wang,Peng-Jun Wan,Xiang-Yang Li

DOI: https://doi.org/10.1109/tdsc.2021.3126315

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Major cloud service providers with well-equipped infrastructure, experienced machine learning (ML) expertise, and enriched training datasets are building ML-as-a-Service (MLaaS) systems, in which clients can query ML-based prediction services with their data. Instead of moving private data to the cloud, in this work, we design, implement, and evaluate a novel secure ML system to enable MLaaS on edge devices. To protect the proprietary ML models on edge devices from revealing to the clients while maintaining a real-time inference is challenging. Existing privacy-preserving ML techniques can hardly satisfy real-time requirements. In our solution, we employ a secure enclave (e.g., SGX) to offer security and provide better efficiency than cryptographic techniques. However, the enclave alone cannot achieve real-time capability due to its limited capacity. We observe that the ML model imposes a severe accuracy degradation when adding noise to a few model weights. Based on this, we design a suite of novel solutions to optimize the performance of secure enclave-based inference service at the edge by enclosing only $1\%$ computation within secure enclaves. Our work can achieve up to a $7.8\times$ increase in efficiency and a $27\times$ reduction in memory usage compared to the state-of-the-art.

Youliang Tian,Jianting Ning,Ximeng Liu,Renwan Bi,Jinbo Xiong,Changqing Luo,Yan Zhang

DOI: https://doi.org/10.1109/TIFS.2024.3420216

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Well-trained neural network models are deployed on edge servers to provide valuable inference services for clients. To protect data privacy, a promising way is to exploit various types of secret sharing to implement privacy-preserving neural network inference. However, existing schemes suffer high communication rounds and overhead, making them hardly practical. In this paper, we propose Cenia, a new communication-efficient privacy-preserving neural network inference model. Specifically, we exploit arithmetic secret sharing to develop low-interaction secure comparison protocols, that can be used to realize secure activation layers (e.g., ReLU) and secure pooling layers (e.g., max pooling) without expensive garbled circuit and oblivious transfer primitives. Besides, we also design secure exponent and division protocols to realize secure normalization layers (e.g., Sigmoid). Theoretical analysis demonstrates the security and low complexity of Cenia. Extensive experiments have also been conducted on benchmark datasets and classical models, and experimental results show that Cenia achieves privacy-preserving, accurate, and efficient neural network inference. Particularly, Cenia can achieve 37.5% and 60.76% of Sonic’s communication rounds and overhead, respectively, compared to Sonic (i.e., the state-of-the-art scheme).

Computer Science

Zirui Deng,Vinayak Ramkumar,Rawad Bitar,Netanel Raviv

2023-11-23

Abstract:A typical setup in many machine learning scenarios involves a server that holds a model and a user that possesses data, and the challenge is to perform inference while safeguarding the privacy of both parties. Private Inference has been extensively explored in recent years, mainly from a cryptographic standpoint via techniques like homomorphic encryption and multiparty computation. These approaches often come with high computational overhead and may degrade the accuracy of the model. In our work, we take a different approach inspired by the Private Information Retrieval literature. We view private inference as the task of retrieving inner products of parameter vectors with the data, a fundamental operation in many machine learning models. We introduce schemes that enable such retrieval of inner products for models with quantized (i.e., restricted to a finite set) weights; such models are extensively used in practice due to a wide range of benefits. In addition, our schemes uncover a fundamental tradeoff between user and server privacy. Our information-theoretic approach is applicable to a wide range of problems and robust in privacy guarantees for both the user and the server.

Information Theory