research-article

SecureTVM: A TVM-based Compiler Framework for Selective Privacy-preserving Neural Inference

Published: 17 May 2023

Abstract

Privacy-preserving neural inference helps protect both the user input data and the model weights from being leaked to others during the inference of a deep learning model. To achieve data protection, the inference is often performed within a secure domain, and the final result is revealed in plaintext. Nevertheless, performing the computations in the secure domain incurs about a thousandfold overhead compared with the insecure version, especially when all the operations of the model are mapped to the secure domain, which is the computation scheme adopted by existing works. This work is inspired by the transfer learning technique, where the weights of some of the model layers are transferred from a publicly available, pre-built deep learning model; this opens the door to further boosting execution efficiency by performing the secure computations selectively on parts of the transferred model. We have built a compiler framework, SecureTVM, to automatically translate a trained model into its secure version, where the model layers to be protected can be selectively configured by the model provider. As a result, SecureTVM outperforms the state of the art, CrypTFlow2, by a factor of 55 for the transfer learning model. We believe that this work takes a step forward toward the practical use of privacy-preserving neural inference in real-world applications.


Published in

ACM Transactions on Design Automation of Electronic Systems, Volume 28, Issue 4
July 2023
432 pages
ISSN: 1084-4309
EISSN: 1557-7309
DOI: 10.1145/3597460

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 17 May 2023
• Online AM: 3 January 2023
• Accepted: 18 December 2022
• Revised: 11 October 2022
• Received: 15 May 2022