SONNI: Secure Oblivious Neural Network Inference
Luke Sperling, Sandeep S. Kulkarni
TL;DR
SONNI identifies a novel Silver Platter model‑stealing attack in outsourced oblivious neural network inference under multi‑key FHE and introduces a secure results‑checking protocol. By dedicating a subset of ciphertext slots to verify a randomly generated function g(y) and performing a privacy‑preserving result check, SONNI ensures correct computation without revealing the client’s input or the provider’s model parameters, even with majority dishonest participants. The authors prove a near‑zero attack probability for practical parameter choices (e.g., a 32k parameter model yields a failure probability of $1.51 \times 10^{-28}$) and report only a small batching overhead of $0.2\%$, making the approach viable for MLaaS deployments. Overall, SONNI advances privacy in MLaaS by coupling obfuscated computation with verifiable results, addressing both client data privacy and provider model confidentiality.
Abstract
In the standard privacy-preserving Machine learning as-a-service (MLaaS) model, the client encrypts data using homomorphic encryption and uploads it to a server for computation. The result is then sent back to the client for decryption. It has become more and more common for the computation to be outsourced to third-party servers. In this paper we identify a weakness in this protocol that enables a completely undetectable novel model-stealing attack that we call the Silver Platter attack. This attack works even under multikey encryption that prevents a simple collusion attack to steal model parameters. We also propose a mitigation that protects privacy even in the presence of a malicious server and malicious client or model provider (majority dishonest). When compared to a state-of-the-art but small encrypted model with 32k parameters, we preserve privacy with a failure chance of 1.51 x 10^-28 while batching capability is reduced by 0.2%. Our approach uses a novel results-checking protocol that ensures the computation was performed correctly without violating honest clients' data privacy. Even with collusion between the client and the server, they are unable to steal model parameters. Additionally, the model provider cannot learn any client data if maliciously working with the server.
