Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Covert Attacks on Machine Learning Training in Passively Secure MPC

Matthew Jagielski, Daniel Escudero, Rahul Rachuri, Peter Scholl

TL;DR

The paper shows that active adversaries can stealthily compromise ML models trained with passively secure MPC, challenging the assumption that passive security suffices. It develops low-level MPC attacks targeting activations and comparisons, and combines them with high-level gradient-based manipulation strategies (gradient zeroing, shifting, and scaling) to realize data poisoning and privacy breaches. Through plaintext simulations on standard datasets, the authors demonstrate dramatic effects including backdoors, targeted misclassification, and dramatic increases in membership inference success, often with minimal degradation to overall model accuracy. The work highlights the need for actively secure MPC in PPML and discusses practical mitigations and future research directions at the intersection of MPC and adversarial ML.

Abstract

Secure multiparty computation (MPC) allows data owners to train machine learning models on combined data while keeping the underlying training data private. The MPC threat model either considers an adversary who passively corrupts some parties without affecting their overall behavior, or an adversary who actively modifies the behavior of corrupt parties. It has been argued that in some settings, active security is not a major concern, partly because of the potential risk of reputation loss if a party is detected cheating. In this work we show explicit, simple, and effective attacks that an active adversary can run on existing passively secure MPC training protocols, while keeping essentially zero risk of the attack being detected. The attacks we show can compromise both the integrity and privacy of the model, including attacks reconstructing exact training data. Our results challenge the belief that a threat model that does not include malicious behavior by the involved parties may be reasonable in the context of PPML, motivating the use of actively secure protocols for training.

Covert Attacks on Machine Learning Training in Passively Secure MPC

TL;DR

The paper shows that active adversaries can stealthily compromise ML models trained with passively secure MPC, challenging the assumption that passive security suffices. It develops low-level MPC attacks targeting activations and comparisons, and combines them with high-level gradient-based manipulation strategies (gradient zeroing, shifting, and scaling) to realize data poisoning and privacy breaches. Through plaintext simulations on standard datasets, the authors demonstrate dramatic effects including backdoors, targeted misclassification, and dramatic increases in membership inference success, often with minimal degradation to overall model accuracy. The work highlights the need for actively secure MPC in PPML and discusses practical mitigations and future research directions at the intersection of MPC and adversarial ML.

Abstract

Secure multiparty computation (MPC) allows data owners to train machine learning models on combined data while keeping the underlying training data private. The MPC threat model either considers an adversary who passively corrupts some parties without affecting their overall behavior, or an adversary who actively modifies the behavior of corrupt parties. It has been argued that in some settings, active security is not a major concern, partly because of the potential risk of reputation loss if a party is detected cheating. In this work we show explicit, simple, and effective attacks that an active adversary can run on existing passively secure MPC training protocols, while keeping essentially zero risk of the attack being detected. The attacks we show can compromise both the integrity and privacy of the model, including attacks reconstructing exact training data. Our results challenge the belief that a threat model that does not include malicious behavior by the involved parties may be reasonable in the context of PPML, motivating the use of actively secure protocols for training.

Paper Structure

This paper contains 30 sections, 5 equations, 7 figures, 8 tables.

Table of Contents

  1. Introduction
  2. Our Contribution
  3. Background and Related Work
  4. MPC Background
  5. MPC Computation
  6. Machine Learning Training in MPC
  7. Adversarial Machine Learning
  8. Related Work
  9. Attacking Activation Functions
  10. High Level Manipulation Strategies
  11. Gradient Zeroing
  12. Gradient Shifting
  13. Gradient Scaling
  14. Attacks on Machine Learning Training
  15. Parameter Transfer: Poisoning Linear Models with Gradient Shifting
  16. ...and 15 more sections

Figures (7)

  • Figure 1: MPC logistic regression gradient
  • Figure 2: Gradient scaling leads to successful reconstruction attacks on logistic regression. The top row is the original image, and the bottom is its reconstruction.
  • Figure 3: Gradient scaling attacks permit successful reconstruction attacks on neural networks. The top row is the original image, and the bottom row is the reconstructed image.
  • Figure 4: MPC arithmetic black box for fixed-point arithmetic modulo $M$
  • Figure 5: Parameter Transfer Attack from Section \ref{['sec:paramtransfer']}
  • ...and 2 more figures