Secure Transformer Inference Protocol
Mu Yuan, Lan Zhang, Xiang-Yang Li
TL;DR
STIP addresses the security-efficiency gap in Transformer inference by introducing a three-party threat model that separates model development from hosting. It relies on a feature-space permutation and a semi-symmetric protection scheme to achieve lossless inference while keeping model parameters and on-device data private, with theoretical guarantees and empirical validation. Experiments across language, multi-modal, and MoE variants show STIP attains throughput comparable to unprotected full-cloud inference and dramatically outperforms secure two-party protocols by large margins, while quantifying privacy leakage via distance-correlation metrics. The approach is designed to fit production workflows and frameworks, though its three-party assumptions may limit applicability in some cloud-provider scenarios and does not directly address training privacy.
Abstract
Security of model parameters and user data is critical for Transformer-based services, such as ChatGPT. While recent strides in secure two-party protocols have successfully addressed security concerns in serving Transformer models, their adoption is practically infeasible due to the prohibitive cryptographic overheads involved. Drawing insights from our hands-on experience in developing two real-world Transformer-based services, we identify the inherent efficiency bottleneck in the two-party assumption. To overcome this limitation, we propose a novel three-party threat model. Within this framework, we design a semi-symmetric permutation-based protection scheme and present STIP, the first secure Transformer inference protocol without any inference accuracy loss. Experiments on representative Transformer models in real systems show that STIP has practical security and outperforms state-of-the-art secure two-party protocols in efficiency by millions of times.