Abstract
Privacy-preserving neural inference helps protect both the user input data and the model weights from being leaked to others during the inference of a deep learning model. To achieve data protection, the inference is often performed within a secure domain, and the final result is revealed in plaintext. Nevertheless, performing the computations in the secure domain incurs about a thousandfold overhead compared with the insecure version, especially when the involved operations of the entire model are mapped to the secure domain, which is the computation scheme adopted by the existing works. This work is inspired by the transfer learning technique, where the weights of some parts of the model layers are transferred from a publicly available, pre-built deep learning model, and it opens a door to further boost the execution efficiency by allowing us to do the secure computations selectively on parts of the transferred model. We have built a compiler framework, SecureTVM, to automatically translate a trained model into the secure version, where the model layers to be protected can be selectively configured by its model provider. As a result, SecureTVM outperforms the state of the art, CrypTFlow2, by a factor of 55 for the transfer learning model. We believe that this work takes a step forward toward the practical uses of privacy-preserving neural inference for real-world applications.
Index Terms
- SecureTVM: A TVM-based Compiler Framework for Selective Privacy-preserving Neural Inference