SIMC 2.0: Improved Secure ML Inference Against Malicious Clients

In this paper, we study the problem of secure ML inference against a malicious client and a semi-trusted server such that the client only learns the inference output while the server learns nothing. This problem is first formulated by Lehmkuhl \textit{et al.} with a solution (MUSE, Usenix Security'21), whose performance is then substantially improved by Chandran et al.'s work (SIMC, USENIX Security'22). However, there still exists a nontrivial gap in these efforts towards practicality, giving the challenges of overhead reduction and secure inference acceleration in an all-round way. We propose SIMC 2.0, which complies with the underlying structure of SIMC, but significantly optimizes both the linear and non-linear layers of the model. Specifically, (1) we design a new coding method for homomorphic parallel computation between matrices and vectors. It is custom-built through the insight into the complementarity between cryptographic primitives in SIMC. As a result, it can minimize the number of rotation operations incurred in the calculation process, which is very computationally expensive compared to other homomorphic operations e.g., addition, multiplication). (2) We reduce the size of the garbled circuit (GC) (used to calculate nonlinear activation functions, e.g., ReLU) in SIMC by about two thirds. Then, we design an alternative lightweight protocol to perform tasks that are originally allocated to the expensive GCs. Compared with SIMC, our experiments show that SIMC 2.0 achieves a significant speedup by up to $17.4\times$ for linear layer computation, and at least $1.3\times$ reduction of both the computation and communication overheads in the implementation of non-linear layers under different data dimensions. Meanwhile, SIMC 2.0 demonstrates an encouraging runtime boost by $2.3\sim 4.3\times$ over SIMC on different state-of-the-art ML models

Boosting Decision-Based Black-Box Adversarial Attack with Gradient Priors

Decision-based methods have shown to be effective in black-box adversarial attacks, as they can obtain satisfactory performance and only require to access the final model prediction. Gradient estimation is a critical step in black-box adversarial attacks, as it will directly affect the query efficiency. Recent works have attempted to utilize gradient priors to facilitate score-based methods to obtain better results. However, these gradient priors still suffer from the edge gradient discrepancy issue and the successive iteration gradient direction issue, thus are difficult to simply extend to decision-based methods. In this paper, we propose a novel Decision-based Black-box Attack framework with Gradient Priors (DBA-GP), which seamlessly integrates the data-dependent gradient prior and time-dependent prior into the gradient estimation procedure. First, by leveraging the joint bilateral filter to deal with each random perturbation, DBA-GP can guarantee that the generated perturbations in edge locations are hardly smoothed, i.e., alleviating the edge gradient discrepancy, thus remaining the characteristics of the original image as much as possible. Second, by utilizing a new gradient updating strategy to automatically adjust the successive iteration gradient direction, DBA-GP can accelerate the convergence speed, thus improving the query efficiency. Extensive experiments have demonstrated that the proposed method outperforms other strong baselines significantly.Comment: Accepted by IJCAI 202

Effectiveness and safety of auricular acupuncture on adjuvant analgesia in patients with total knee arthroplasty: a randomized sham-controlled trial

ObjectiveThis study aimed to evaluate the effectiveness and safety of auricular acupuncture (AA) on postoperative analgesia, the degree of postoperative nausea, and the effect of inflammation after total knee arthroplasty (TKA).MethodsThis was a single-center, placebo-controlled, randomized clinical trial. In total, 96 patients were randomly divided into an AA group with an indwelling intradermal needle (n = 48) and a sham auricular acupuncture (SAA) group with a non-penetrating placebo needle (n = 48). Intra-spinal anesthesia was adopted in both groups during surgery, and an epidural analgesic pump was implanted after surgery for 48 h. The primary outcome was the post-surgery visual analog score (VAS) of resting and movement states (at 6, 12 h and 1, 2, 3, 5, and 7 days). The secondary outcomes included additional doses of analgesic injection during the treatment, C-reactive protein (CRP) levels, erythrocyte sedimentation rate (ESR), and white blood cell (WBC) count on the 1st, 3rd, and 7th day after the operation, nausea on the 1st, 2nd, and 3rd day after the operation, the Hospital for Special Surgery Knee Score (HSS) on the 2nd and 12th week after the operation, and adverse events.ResultsThe VAS in the AA group at 6 h, 12 h, 2, 3, and 5 days after surgery were lower than those of the SAA group (p < 0.05). Among the secondary outcomes, the total dose of additional analgesic injection after surgery in the AA group was lower than that in the SAA group (p < 0.05). The serum CRP on the 1st day after operation in the AA group was lower than that in the SAA group (p < 0.05). The degree of nausea on 2nd day after surgery in the AA group was lower than that in the SAA group (p < 0.05). There was no significant difference in other outcomes (p > 0.05).ConclusionIn this study, AA was shown to be an effective and safe complementary and alternative therapy for pain relief after TKA, which was able to reduce the total postoperative dose of additional painkillers, decrease serum CRP 1 day after surgery, and improve the degree of postoperative nausea.Clinical trial registrationwww.chictr.org.cn, ChiCTR2100054403

Perturbation optimization of maximum power point tracking of photovoltaic power systems based on practical solar irradiance data

There is a dilemma for fixed step perturb-and-observe (P&O) maximum power point tracking (MPPT) method which is the tracking accuracy and speed. The idea of this paper is to propose an optimized solution which can be regard as a trade-off between performance and cost. The optimal selection of the perturb step size will be designed off-line for a specific location based on their local meteorological data. The step size also can be updated monthly for better system performance without increasing the control complexity. Simulation and experiments have been carried out to verify the effectiveness and superiority of the proposed method. The experimental results show an example with 5.8% of energy generation increase by selecting optimal step size based on the local irradiance data