CrypTFlow2: Practical 2-Party Secure Inference

Rathee, Deevashwer; Rathee, Mayank; Kumar, Nishant; Chandran, Nishanth; Gupta, Divya; Rastogi, Aseem; Sharma, Rahul

doi:10.1145/3372297.3417274

Cited by 181 publications

(136 citation statements)

References 23 publications

Supporting

Mentioning

124

Contrasting

Unclassified

Order By: Relevance

“…Note that, while the client can use the server's prediction service as a blackbox oracle to extract the model [66], [69], or even infer the training set [26], [50], [61], GALA does not aim to protect against the black-box attack. Instead, it focuses on protecting the input data and the model parameters during the inference process, which stays in line with the threat model of GAZELLE [38], SecureML [48], DELPHI [46], CrytoFlow2 [54], etc., the output of neural network model is returned to the client which decrypts the result and gets the plaintext prediction.…”

Section: B Threat Modelmentioning

confidence: 99%

“…In addition, Differential Privacy (DP) [60], [7], [53] and Secure Enclave (SE) [45], [51], [10], [75] are also explored to protect data security and privacy in neural networks. In order to deal with different properties of linearity (weighted sum and convolution functions) and nonlinearity (activation and pooling functions) in neural network computations, several efforts have been made to orchestrate multiple cryptographic techniques to achieve better performance [74], [43], [38], [48], [56], [44], [76], [18], [73], [47], [71], [16], [12], [41], [54], [46]. Among them, the schemes with HE-based linear computations and GC-based nonlinear computations (called the HE-GC neural network framework hereafter) demonstrate superior performance [43], [38], [44], [46].…”

Section: Introductionmentioning

confidence: 99%

“…We refer readers to[11],[21],[48],[54] for more details.…”

mentioning

confidence: 99%

See 2 more Smart Citations

GALA: Greedy ComputAtion for Linear Algebra in Privacy-Preserved Neural Networks

Zhang

Xin

2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Machine Learning as a Service (MLaaS) is enabling a wide range of smart applications on end devices. However, privacy still remains a fundamental challenge. The schemes that exploit Homomorphic Encryption (HE)-based linear computations and Garbled Circuit (GC)-based nonlinear computations have demonstrated superior performance to enable privacypreserved MLaaS. Nevertheless, there is still a significant gap in the computation speed. Our investigation has found that the HE-based linear computation dominates the total computation time for state-of-the-art deep neural networks. Furthermore, the most time-consuming component of the HE-based linear computation is a series of Permutation (Perm) operations that are imperative for dot product and convolution in privacy-preserved MLaaS. This work focuses on a deep optimization of the HEbased linear computations to minimize the Perm operations, thus substantially reducing the overall computation time. To this end, we propose GALA: Greedy computAtion for Linear Algebra in privacy-preserved neural networks, which views the HE-based linear computation as a series of Homomorphic Add, Mult and Perm operations and chooses the least expensive operation in each linear computation step to reduce the overall cost. GALA makes the following contributions: (1) It introduces a row-wise weight matrix encoding and combines the share generation that is needed for the GC-based nonlinear computation, to reduce the Perm operations for the dot product; (2) It designs a first-Add-second-Perm approach (named kernel grouping) to reduce Perm operations for convolution. As such, GALA efficiently reduces the cost for the HE-based linear computation, which is a critical building block in almost all of the recent frameworks for privacy-preserved neural networks, including GAZELLE (Usenix Security'18), DELPHI (Usenix Security'20), and CrypTFlow2 (CCS'20). With its deep optimization of the HE-based linear computation, GALA can be a plug-and-play module integrated into these systems to further boost their efficiency. Our experiments show that it achieves a significant speedup up to 700× for the dot product and 14× for the convolution computation under different data dimensions. Meanwhile, GALA demonstrates an encouraging runtime boost by 2.5×,

show abstract

Section: B Threat Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

GALA: Greedy ComputAtion for Linear Algebra in Privacy-Preserved Neural Networks

Zhang

Xin

2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…For division over the secret-shared data, we invoke a state-ofthe-art cryptographic protocol [43], denoted as SecDiv(). On input x and y , SecDiv outputs secret shares of x/y with the required accuracy.…”

Section: B Additive Secret Sharingmentioning

confidence: 99%

“…On input x and y , SecDiv outputs secret shares of x/y with the required accuracy. We only introduce the function of this protocol; readers may refer to the original study [43] for details.…”

Section: B Additive Secret Sharingmentioning

confidence: 99%

A Secure and Fair Double Auction Framework for Cloud Virtual Machines

et al. 2021

View full text Add to dashboard Cite

Double auction is one of the most promising solutions to allocate virtual machine (VM) resources in two-sided cloud markets, which can increase the utilization rate of VM resources. However, most cloud auction mechanisms simply assume that the auctioneer is fully trusted while ignoring bidprivacy preservation and trade fairness in the process of auction. Previous studies have indicated that some cryptographic tools can be used to resolve the above issues, but the poor performance makes those techniques difficult to practice. In this paper, we propose a Secure and Fair Double AuCtion framework (named SF-DAC) for cloud virtual machines, which performs cloud auction efficiently while guaranteeing both bid privacy and trade fairness. We design secure 3-party computation protocols that support secure comparison and secure sorting, which enable us to construct a secure double auction scheme that outperforms all prior comparable solutions. Furthermore, we propose a fair trading mechanism based on smart contracts to prevent the bidders from halting the auction without financial penalties. The extensive experiments demonstrate that SF-DAC achieves an order of magnitude reduction in computation and communication costs than prior arts.INDEX TERMS Privacy preservation, secure double cloud auction, secure three-party protocol, trade fairness.

show abstract

Privacy‐enhancing machine learning framework with private aggregation of teacher ensembles

Zhao

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

Private aggregation of teacher ensembles (PATE), a general machine learning framework based on knowledge distillation, can provide a privacy guarantee for training data sets. However, this framework poses a number of security risks. First, PATE mainly focuses | INTRODUCTIONMachine learning (ML) has been widely used in computer vision, natural language processing, genomics, and other fields. In recent years, however, the emergence of privacy leakage issues has adversely affected the practical application of ML, where highly sensitive data, such as medical record data, 1 is used for training models. Some recent studies have shown that ML algorithms are extremely vulnerable to malicious attacks. Considering that an ML model implies some pieces of information of the training data, an attacker can use this property to analyze the model parameters or output, and eventually derive partially or fully private information about the training data. For example, Tramer et al. 2 deployed a model extraction attack on the online machine learning as a service (MLaaS) of Google and Amazon, and they successfully obtained a model similar to the original one. Fredrikson et al. 3 identified the original training data by analyzing the probability information output through the model classifier. The member inference attack designed by Shorki et al. 4 can determine whether a specific data sample is present in the model training data set on the basis of the prediction result.To solve privacy risks brought by the aforementioned attacks, Papernot et al. 5,6 proposed a privacy-preserving model called private aggregation of teacher ensembles (PATE) on the basis of multiteacher knowledge transfer. The core idea of PATE is as follows: if independent classifiers that are trained on disjoint data sets show a high degree of consistency for the same input, then the output will not leak any information about the training data. Therefore, PATE first divides a private data set into multiple disjoint subsets and trains a set of teacher models on these subsets. Then, the knowledge of the teacher models is transferred to a student model through an aggregation mechanism that satisfies differential privacy; that is, all teacher models predict the label for the public data set submitted by a student. In the end, only the student model gets published after training on public data with privacy-preserving labels obtained from teachers. An adversary can only have access to the student model, and thus, the privacy of the training data of the teacher models gets protected.Although PATE provides a flexible approach to the training model with privacy guarantees, it still suffers from several limitations and shortcomings. 7 First, PATE assumes that the data submitted by a student is always public without anything sensitive. That is to say, PATE cannot provide a privacy guarantee at all when the data provided by the student model is private. When teacher models prepare to make predictions on a student's private inputs, information of the data may be leaked directly t...

show abstract

CrypTFlow2: Practical 2-Party Secure Inference

Cited by 181 publications

References 23 publications

GALA: Greedy ComputAtion for Linear Algebra in Privacy-Preserved Neural Networks

GALA: Greedy ComputAtion for Linear Algebra in Privacy-Preserved Neural Networks

A Secure and Fair Double Auction Framework for Cloud Virtual Machines

Privacy‐enhancing machine learning framework with private aggregation of teacher ensembles

Contact Info

Product

Resources

About