Garbled Neural Networks are Practical
We show that garbled circuits are a practical choice for secure evaluation of neural network classifiers. At the protocol level, we start with the garbling scheme of Ball, Malkin & Rosulek (ACM CCS 2016) for arithmetic circuits and introduce new optimizations for modern neural network activation functions. We develop fancy-garbling, the first implementation of the BMR16 garbling scheme together with our new optimizations, as part of a heavily optimized garbled-circuits tool driven by a TensorFlow classifier description.
We evaluate our constructions on a wide range of neural networks. We find that our approach is up to 100x more efficient than straightforward boolean garbling (depending on the neural network). Our approach is also roughly 40% more efficient than DeepSecure (Rouhani et al., DAC 2018), the only previous garbled-circuit-based approach for secure neural network evaluation, which incorporates significant optimization techniques for boolean circuits. Furthermore, our approach is competitive with other non-garbled-circuit approaches for secure neural network evaluation.
On Achieving Privacy-Preserving State-of-the-Art Edge Intelligence
Deep Neural Network (DNN) Inference in Edge Computing, often called Edge Intelligence, requires solutions to ensure that the confidentiality of sensitive data and intellectual property is not compromised in the process. Privacy-preserving Edge Intelligence is only emerging, despite the growing prevalence of Edge Computing as a context of Machine-Learning-as-a-Service. Solutions are yet to be applied, and possibly adapted, to state-of-the-art DNNs. This position paper provides an original assessment of the compatibility of existing techniques for privacy-preserving DNN Inference with the characteristics of an Edge Computing setup, highlighting the appropriateness of secret sharing in this context. We then address the future role of model compression methods in the research towards secret sharing on DNNs with state-of-the-art performance.
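The secret sharing that the abstract above highlights can be illustrated with its simplest instance. The following is a minimal sketch (not from the paper) of 2-party additive secret sharing over a prime field; the modulus and function names are illustrative choices:

```python
# Toy 2-party additive secret sharing over Z_P (illustrative, not the
# paper's construction). Linear DNN layers can be evaluated share-wise.
import secrets

P = 2**61 - 1  # illustrative prime modulus

def share(x: int) -> tuple[int, int]:
    """Split x into two random shares that sum to x mod P."""
    s0 = secrets.randbelow(P)
    s1 = (x - s0) % P
    return s0, s1

def reconstruct(s0: int, s1: int) -> int:
    return (s0 + s1) % P

# Addition is "free" on shares: each party adds its shares locally,
# and reconstructing the local sums yields the true sum.
a0, a1 = share(12)
b0, b1 = share(30)
assert reconstruct((a0 + b0) % P, (a1 + b1) % P) == 42
```

Neither share alone reveals anything about the secret, which is what makes this primitive attractive when an edge node and a server jointly evaluate a model.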
Characterizing and Optimizing End-to-End Systems for Private Inference
Increasing privacy concerns have given rise to Private Inference (PI). In PI,
both the client's personal data and the service provider's trained model are
kept confidential. State-of-the-art PI protocols combine several cryptographic
primitives: Homomorphic Encryption (HE), Secret Sharing (SS), Garbled Circuits
(GC), and Oblivious Transfer (OT). Today, PI remains largely arcane and too
slow for practical use, despite the need and recent performance improvements.
This paper addresses PI's shortcomings with a detailed characterization of a
standard high-performance protocol to build foundational knowledge and
intuition in the systems community. The characterization pinpoints all sources
of inefficiency -- compute, communication, and storage. A notable aspect of
this work is the use of inference request arrival rates rather than studying
individual inferences in isolation. Prior to this work, and without considering
arrival rate, it has been assumed that PI pre-computations can be handled
offline and their overheads ignored. We show this is not the case. The offline
costs in PI are so high that they are often incurred online, as there is
insufficient downtime to hide pre-compute latency. We further propose three
optimizations to address the computation (layer-parallel HE), communication
(wireless slot allocation), and storage (Client-Garbler) overheads leveraging
insights from our characterization. Compared to the state-of-the-art PI
protocol, the optimizations provide a total PI speedup of 1.8x, with the
ability to sustain inference requests at up to a 2.24x greater rate.
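The abstract's central observation, that pre-compute costs spill online when request arrivals leave too little idle time, can be sketched with a back-of-envelope model. All names and numbers below are illustrative, not taken from the paper:

```python
# Hypothetical model: per-inference offline pre-compute can only be
# hidden in the idle time between one request finishing and the next
# arriving; anything beyond that idle window is incurred online.

def online_precompute_fraction(arrival_interval_s: float,
                               online_s: float,
                               precompute_s: float) -> float:
    """Fraction of pre-compute work that cannot be hidden offline."""
    idle = max(arrival_interval_s - online_s, 0.0)
    spilled = max(precompute_s - idle, 0.0)
    return spilled / precompute_s

# Sparse arrivals: ample idle time, pre-compute is fully hidden.
assert online_precompute_fraction(60.0, 2.0, 10.0) == 0.0
# Dense arrivals: most of the pre-compute is paid online.
print(online_precompute_fraction(4.0, 2.0, 10.0))  # 0.8
```

Even this toy model shows why studying isolated inferences (effectively assuming an infinite arrival interval) makes the offline-cost assumption look free when it is not.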
DeepReShape: Redesigning Neural Networks for Efficient Private Inference
Prior work on Private Inference (PI)--inferences performed directly on
encrypted input--has focused on minimizing a network's ReLUs, which have been
assumed to dominate PI latency rather than FLOPs. Recent work has shown that
FLOPs for PI can no longer be ignored and have high latency penalties. In this
paper, we develop DeepReShape, a network redesign technique that tailors
architectures to PI constraints, optimizing for both ReLUs and FLOPs for the
first time. The key insight is that a strategic allocation of channels
such that the network's ReLUs are aligned in their criticality order
simultaneously optimizes ReLU and FLOPs efficiency. DeepReShape automates
network development with an efficient process, and we call generated networks
HybReNets. We evaluate DeepReShape using standard PI benchmarks and demonstrate
a 2.1% accuracy gain with a 5.2x runtime improvement at iso-ReLU on
CIFAR-100 and an 8.7x runtime improvement at iso-accuracy on
TinyImageNet. Furthermore, we demystify the input network selection in prior
ReLU optimizations and shed light on the key network attributes enabling PI
efficiency.
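The ReLU-versus-FLOPs trade-off that DeepReShape balances can be made concrete with standard per-layer accounting. The formulas below are the usual convolution cost counts, not DeepReShape's algorithm; layer shapes are illustrative:

```python
# Standard cost accounting for a conv + ReLU layer: the ReLU count
# depends only on the output activation volume, while FLOPs also scale
# with input channels and kernel size. Reallocating channels therefore
# moves the two costs independently.

def relu_count(h: int, w: int, c_out: int) -> int:
    return h * w * c_out  # one ReLU per output activation

def conv_flops(h: int, w: int, c_in: int, c_out: int, k: int = 3) -> int:
    return 2 * h * w * c_out * c_in * k * k  # multiply-adds, 3x3 kernel

# Two layers with the *same* ReLU budget but 4x different FLOPs:
assert relu_count(32, 32, 64) == relu_count(32, 32, 64)
assert conv_flops(32, 32, 64, 64) == 4 * conv_flops(32, 32, 16, 64)
```

This is why a network optimized purely for ReLU count can still carry a large FLOP penalty, the gap the abstract says DeepReShape closes.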
Full-Threshold Actively-Secure Multiparty Arithmetic Circuit Garbling
In this work, we show how to garble arithmetic circuits with full active security in the general multiparty, full-threshold setting (that is, when only one party is assumed honest). Our solution allows interfacing Boolean garbled circuits with arithmetic garbled circuits. Previous works in the arithmetic circuit domain focused on the 2-party setting, or on semi-honest security assuming an honest majority -- notably, the work of Ben-Efraim (Asiacrypt 2018) in the semi-honest, honest-majority security model, which we adapt and extend. As an additional contribution, we improve on Ben-Efraim's selector gate. A selector gate is a gate that, given two arithmetic inputs and one binary input, outputs one of the arithmetic inputs based on the value of the selection bit. Our new construction for the selector gate reduces the communication cost to almost half that of Ben-Efraim's gate. This result applies both to the semi-honest and to the active security model.
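The cleartext functionality of the selector gate described above is simple to state; the paper's contribution is a cheaper *garbled* realization of it, which the sketch below does not attempt. The modulus is an illustrative choice:

```python
# Cleartext functionality of a selector gate: given arithmetic inputs
# a, b and a selection bit s, output a if s == 0 else b, written
# arithmetically so it composes inside an arithmetic circuit.

P = 2**16 + 1  # illustrative prime modulus

def selector(a: int, b: int, s: int) -> int:
    assert s in (0, 1), "selection input must be a bit"
    # (1 - s)*a + s*b reduces to a when s = 0 and to b when s = 1.
    return ((1 - s) * a + (s * b)) % P

assert selector(7, 99, 0) == 7
assert selector(7, 99, 1) == 99
```

Expressing the selection as a linear combination is what lets the bit input steer between two field elements without any comparison gate.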
FUSE – Flexible File Format and Intermediate Representation for Secure Multi-Party Computation
Secure Multi-Party Computation (MPC) is continuously becoming more practical. Many optimizations have been introduced, making MPC protocols more suitable for solving real-world problems. However, MPC protocols and optimizations are usually implemented as standalone proofs of concept or inside a single MPC framework, tightly coupled with special-purpose circuit formats such as Bristol Format. This makes it very hard and time-consuming to reuse algorithmic advances and implemented applications in a different context. Developing generic algorithmic optimizations is exceptionally hard because the available MPC tools and formats are not generic and do not provide the necessary infrastructure.
In this paper, we present FUSE: A Framework for Unifying and Optimizing Secure Multi-Party Computation Implementations with Efficient Circuit Storage. FUSE provides a flexible intermediate representation (FUSE IR) that can be used across different platforms and in different programming languages, including C/C++, Java, Rust, and Python. We aim to make MPC tools more interoperable, removing the tight coupling between high-level compilers for MPC and specific MPC protocol engines, thus driving knowledge transfer. Our framework is inspired by the widely known LLVM compiler framework. FUSE is portable, extensible, and provides implementation-agnostic optimizations.
As frontends, we implement HyCC (CCS'18), the Bristol circuit format, and MOTION (TOPS'22), meaning that these can be automatically converted to FUSE IR. We implement several generic optimization passes, such as automatic subgraph replacement and vectorization, to showcase the utility and efficiency of our framework. Finally, we implement MOTION and MP-SPDZ (CCS'20) as backends, so that FUSE IR can be run by these frameworks in an MPC protocol, as well as other useful backends for JSON output and the DOT language for graph visualization. With FUSE, it is possible to use any implemented frontend with any implemented backend and vice versa. FUSE IR is not only efficient to work on and much more generic than any other format so far -- supporting, e.g., function calls, hybrid MPC protocols, user-defined building blocks, and annotations, while maintaining backwards compatibility -- but also compact, with a smaller storage size than even minimalistic formats such as Bristol once circuits reach a few hundred operations.
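The frontend/IR/backend split described above can be sketched with a minimal circuit IR. The node and operation names below are hypothetical illustrations, not FUSE IR's actual format:

```python
# Minimal sketch of a protocol-agnostic circuit IR (illustrative only).
# A frontend builds the node list; a backend walks it in topological
# order and maps each op onto its MPC protocol's native operations.
from dataclasses import dataclass, field

@dataclass
class Node:
    op: str                              # e.g. "input", "add", "mul", "output"
    inputs: list[int] = field(default_factory=list)  # indices of operand nodes

@dataclass
class Circuit:
    nodes: list[Node] = field(default_factory=list)

    def add(self, op: str, *inputs: int) -> int:
        """Append a node and return its index (its 'wire' id)."""
        self.nodes.append(Node(op, list(inputs)))
        return len(self.nodes) - 1

# Building (x + y) * y -- the same structure any frontend could emit
# and any backend could consume.
c = Circuit()
x = c.add("input")
y = c.add("input")
out = c.add("output", c.add("mul", c.add("add", x, y), y))
assert c.nodes[out].op == "output"
```

Because the IR records only operations and wiring, generic passes such as subgraph replacement can rewrite `nodes` without knowing which MPC protocol will eventually execute the circuit, which is the decoupling the paper argues for.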