
Towards Practical Secure Neural Network Inference: The Journey So Far and the Road Ahead

Published: 27 November 2023

Abstract

Neural networks (NNs) have become one of the most important tools for artificial intelligence. Well-designed and trained NNs can perform inference (e.g., make decisions or predictions) on unseen inputs with high accuracy. Using NNs often involves sensitive data: Depending on the specific use case, the input to the NN and/or the internals of the NN (e.g., the weights and biases) may be sensitive. Thus, there is a need for techniques for performing NN inference securely, ensuring that sensitive data remain secret.
In the past few years, several approaches have been proposed for secure neural network inference. These approaches achieve better and better results in terms of efficiency, security, accuracy, and applicability, thus making big progress toward practical secure neural network inference. The proposed approaches make use of many different techniques, such as homomorphic encryption and secure multi-party computation. The aim of this article is to give an overview of the main approaches proposed so far, their different properties, and the techniques used. In addition, remaining challenges toward large-scale deployments are identified.

Published In

ACM Computing Surveys  Volume 56, Issue 5
May 2024
1019 pages
EISSN:1557-7341
DOI:10.1145/3613598

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 November 2023
Online AM: 18 October 2023
Accepted: 26 September 2023
Revised: 02 September 2023
Received: 15 October 2022
Published in CSUR Volume 56, Issue 5

Author Tags

  1. Privacy-preserving machine learning
  2. secure inference
  3. neural networks
  4. deep learning
  5. secure computation
  6. homomorphic encryption
  7. multi-party computation

Qualifiers

  • Survey
