
Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography

Ilia Shumailov, Daniel Ramage, Sarah Meiklejohn, Peter Kairouz, Florian Hartmann, Borja Balle, Eugene Bagdasarian

TL;DR

The paper introduces Trusted Capable Model Environments (TCMEs) as a pragmatic alternative to purely cryptographic private inference, leveraging capable ML models to perform computations on private inputs under explicit input/output constraints. TCMEs rely on statelessness, explicit information flow control, and verifiability to function as trusted third parties, potentially enabling private inference for complex, unstructured tasks beyond current cryptographic scalability. The authors discuss instantiation via TEEs, practical deployment challenges, and key limitations, including heuristic privacy guarantees, model trustworthiness, and side-channel risks, and outline a path forward for robust TCME implementations. Through practical use cases (multi-agent non-competition, confidentiality audits, damage monitoring, and private code attestation), the paper illustrates TCME's potential and contrasts its capabilities with MPC and ZKPs to demarcate where each approach excels.

Abstract

We often interact with untrusted parties. Prioritization of privacy can limit the effectiveness of these interactions, as achieving certain goals necessitates sharing private data. Traditionally, addressing this challenge has involved either seeking trusted intermediaries or constructing cryptographic protocols that restrict how much data is revealed, such as multi-party computations or zero-knowledge proofs. While significant advances have been made in scaling cryptographic approaches, they remain limited in terms of the size and complexity of applications they can be used for. In this paper, we argue that capable machine learning models can fulfill the role of a trusted third party, thus enabling secure computations for applications that were previously infeasible. In particular, we describe Trusted Capable Model Environments (TCMEs) as an alternative approach for scaling secure computation, where capable machine learning model(s) interact under input/output constraints, with explicit information flow control and explicit statelessness. This approach aims to achieve a balance between privacy and computational efficiency, enabling private inference where classical cryptographic solutions are currently infeasible. We describe a number of use cases that are enabled by TCME, and show that even some simple classic cryptographic problems can already be solved with TCME. Finally, we outline current limitations and discuss the path forward in implementing them.

Paper Structure (13 sections, 3 figures, 2 tables)

This paper contains 13 sections, 3 figures, 2 tables.

Figures (3)

  • Figure 1: Practical Example of TCME in Damage Monitoring: TCME can be used to monitor potential damage to business space while preserving privacy. The system, utilizing a pre-agreed model and prompt, analyzes camera recordings. It is restricted to output only "YES" if significant damage is detected, ensuring minimal intrusion.
  • Figure 2: TCME can be used to perform auditing of private code and models that are deployed in the TEE and participate in the 'attestation' that includes private components.
  • Figure 3: Graph coloring verification performed by Gemini-1.5-Flash. The model generally has a high precision (83%) and low recall (14%).
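
The output restriction described for Figure 1 (a pre-agreed model and prompt, with only "YES" allowed to leave the environment) can be sketched as follows. This is an added example, not code from the paper; the function names, the digest scheme, the `model-v1` identifier and the stub models are assumptions constructed for illustration.

```python
import hashlib
import hmac

ALLOWED_OUTPUT = "YES"  # the only string allowed to leave the environment


def config_digest(model_id: str, prompt: str) -> str:
    """Digest of the pre-agreed model and prompt (fields are length-prefixed)."""
    h = hashlib.sha256()
    for part in (model_id, prompt):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def run_constrained(model, model_id, prompt, private_input, agreed_digests):
    """One stateless inference; returns "YES" or None, never the raw model text."""
    actual = config_digest(model_id, prompt)
    if not agreed_digests or not all(
        hmac.compare_digest(actual, d) for d in agreed_digests
    ):
        raise PermissionError("model or prompt differs from the agreed configuration")
    raw = model(prompt, private_input)  # nothing from earlier calls is passed in or kept
    # Release the constant, not the model's text, so extra words cannot ride along.
    return ALLOWED_OUTPUT if raw.strip() == ALLOWED_OUTPUT else None


# Constructed stand-ins for a model; a real deployment would call the attested model.
def honest_model(prompt, recording):
    return "YES" if "shattered window" in recording else "no significant damage"


def chatty_model(prompt, recording):
    return "YES, and the whiteboard in frame 12 lists next quarter's prices"


PROMPT = "Answer YES only if the recording shows significant damage."
AGREED = [config_digest("model-v1", PROMPT)] * 2  # one commitment per party (assumed)

if __name__ == "__main__":
    print(run_constrained(honest_model, "model-v1", PROMPT, "shattered window, 02:14", AGREED))
    print(run_constrained(honest_model, "model-v1", PROMPT, "empty office", AGREED))
    print(run_constrained(chatty_model, "model-v1", PROMPT, "empty office", AGREED))
```

Whether the gate returns "YES" or nothing is itself one bit of disclosure, so that bit is what the parties are agreeing to reveal.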