Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Efficient Privacy-Preserving Machine Learning with Lightweight Trusted Hardware

Pengzhi Huang, Thang Hoang, Yueying Li, Elaine Shi, G. Edward Suh

TL;DR

This work represents the first to show that even tiny secure hardware with very limited performance can be leveraged to significantly speed-up distributed PPML protocols if the protocol can be carefully designed for lightweight trusted hardware.

Abstract

In this paper, we propose a new secure machine learning inference platform assisted by a small dedicated security processor, which will be easier to protect and deploy compared to today's TEEs integrated into high-performance processors. Our platform provides three main advantages over the state-of-the-art: (i) We achieve significant performance improvements compared to state-of-the-art distributed Privacy-Preserving Machine Learning (PPML) protocols, with only a small security processor that is comparable to a discrete security chip such as the Trusted Platform Module (TPM) or on-chip security subsystems in SoCs similar to the Apple enclave processor. In the semi-honest setting with WAN/GPU, our scheme is 4X-63X faster than Falcon (PoPETs'21) and AriaNN (PoPETs'22) and 3.8X-12X more communication efficient. We achieve even higher performance improvements in the malicious setting. (ii) Our platform guarantees security with abort against malicious adversaries under honest majority assumption. (iii) Our technique is not limited by the size of secure memory in a TEE and can support high-capacity modern neural networks like ResNet18 and Transformer. While previous work investigated the use of high-performance TEEs in PPML, this work represents the first to show that even tiny secure hardware with really limited performance can be leveraged to significantly speed-up distributed PPML protocols if the protocol can be carefully designed for lightweight trusted hardware.

Efficient Privacy-Preserving Machine Learning with Lightweight Trusted Hardware

TL;DR

This work represents the first to show that even tiny secure hardware with very limited performance can be leveraged to significantly speed-up distributed PPML protocols if the protocol can be carefully designed for lightweight trusted hardware.

Abstract

In this paper, we propose a new secure machine learning inference platform assisted by a small dedicated security processor, which will be easier to protect and deploy compared to today's TEEs integrated into high-performance processors. Our platform provides three main advantages over the state-of-the-art: (i) We achieve significant performance improvements compared to state-of-the-art distributed Privacy-Preserving Machine Learning (PPML) protocols, with only a small security processor that is comparable to a discrete security chip such as the Trusted Platform Module (TPM) or on-chip security subsystems in SoCs similar to the Apple enclave processor. In the semi-honest setting with WAN/GPU, our scheme is 4X-63X faster than Falcon (PoPETs'21) and AriaNN (PoPETs'22) and 3.8X-12X more communication efficient. We achieve even higher performance improvements in the malicious setting. (ii) Our platform guarantees security with abort against malicious adversaries under honest majority assumption. (iii) Our technique is not limited by the size of secure memory in a TEE and can support high-capacity modern neural networks like ResNet18 and Transformer. While previous work investigated the use of high-performance TEEs in PPML, this work represents the first to show that even tiny secure hardware with really limited performance can be leveraged to significantly speed-up distributed PPML protocols if the protocol can be carefully designed for lightweight trusted hardware.
Paper Structure (27 sections, 3 theorems, 2 equations, 11 figures, 7 tables, 3 algorithms)

This paper contains 27 sections, 3 theorems, 2 equations, 11 figures, 7 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Model
  3. Background
  4. Notation
  5. Multiparty Computation
  6. Trusted/Secure Hardware
  7. LTH Benefits
  8. LTH Limitations
  9. The Stamp Protocol
  10. Initialization phase
  11. Optimized ReLU with Matrix Multiplication
  12. Extensions to Other Operations
  13. Softmax
  14. Integrating Stamp into Real Systems
  15. Evaluation
  16. ...and 12 more sections

Key Result

Theorem 1

Under the assumption of secure PRF and LTH, $\Pi_{\textsf{ReLU}}$ (in p:reluapp) securely realizes the ideal functionality $\mathcal{F}_{\textsf{ReLU}}$ (in f:relu) against any non-uniform PPT malicious adversary that can corrupt up to 1 out of 3 parties with static corruption.

Figures (11)

  • Figure 1: Stamp system and threat model. The black local machines owned by three parties, green local buses, and black inter-party communication channels are untrusted. The blue LTHs are trusted and contain secret keys shared among LTHs.
  • Figure 2: The Stamp execution flow on one of the parties. Inter-party communication (wave symbol) and the local communication with the LTH (green arrows) happen during initialization and execution, with (1) or without (2) the optimization in \ref{['sec:Merge']}. An adversary has complete control over the data and operations in the red zone.
  • Figure 3: Two types of LTHs that Stamp considers.
  • Figure 4: The breakdown of local machine execution time: linear layers, non-linear layers, and LTH-Chip bus communication & computation time. Stamp (left) and Falcon+ (right) on semi-honest inference over AlexNet under WAN/GPU.
  • Figure 5: The speedup with different bus bandwidth in the semi-honest setting under LAN/GPU.
  • ...and 6 more figures

Theorems & Definitions (4)

  • Definition 1: Simulation-based security: privacy and verifiability
  • Theorem 1
  • Theorem 2
  • Theorem 3