Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Towards Anonymous Neural Network Inference

Liao Peiyuan

TL;DR

funion addresses the privacy challenge of cloud-based neural-network inference by architecting a store–compute–store workflow atop Echomix, combining Pigeonhole storage and BACAP to achieve sender–receiver unlinkability and input–output unlinkability. The approach decouples anonymity from computation, routing input tensors through a mixnet to compute nodes that store and process data, while timing is quantized via public latency buckets to mitigate timing side channels. The paper provides formal reductions to Echomix and BACAP, derives a bound on adversarial advantage (bounded by $4\varepsilon_E + \delta$), and estimates end-to-end latency and bandwidth overhead using Llama-3-70B benchmarks. It also discusses limitations (notably hidden-state privacy) and outlines concrete avenues for verifiable computation, private-model techniques, and real-world evaluation, highlighting the practicality and potential of anonymous neural inference for cloud services.

Abstract

We introduce funion, a system providing end-to-end sender-receiver unlinkability for neural network inference. By leveraging the Pigeonhole storage protocol and BACAP (blinding-and-capability) scheme from the Echomix anonymity system, funion inherits the provable security guarantees of modern mixnets. Users can anonymously store input tensors in pseudorandom storage locations, commission compute services to process them via the neural network, and retrieve results with no traceable connection between input and output parties. This store-compute-store paradigm masks both network traffic patterns and computational workload characteristics, while quantizing execution timing into public latency buckets. Our security analysis demonstrates that funion inherits the strong metadata privacy guarantees of Echomix under largely the same trust assumptions, while introducing acceptable overhead for production-scale workloads. Our work paves the way towards an accessible platform where users can submit fully anonymized inference queries to cloud services.

Towards Anonymous Neural Network Inference

TL;DR

funion addresses the privacy challenge of cloud-based neural-network inference by architecting a store–compute–store workflow atop Echomix, combining Pigeonhole storage and BACAP to achieve sender–receiver unlinkability and input–output unlinkability. The approach decouples anonymity from computation, routing input tensors through a mixnet to compute nodes that store and process data, while timing is quantized via public latency buckets to mitigate timing side channels. The paper provides formal reductions to Echomix and BACAP, derives a bound on adversarial advantage (bounded by ), and estimates end-to-end latency and bandwidth overhead using Llama-3-70B benchmarks. It also discusses limitations (notably hidden-state privacy) and outlines concrete avenues for verifiable computation, private-model techniques, and real-world evaluation, highlighting the practicality and potential of anonymous neural inference for cloud services.

Abstract

We introduce funion, a system providing end-to-end sender-receiver unlinkability for neural network inference. By leveraging the Pigeonhole storage protocol and BACAP (blinding-and-capability) scheme from the Echomix anonymity system, funion inherits the provable security guarantees of modern mixnets. Users can anonymously store input tensors in pseudorandom storage locations, commission compute services to process them via the neural network, and retrieve results with no traceable connection between input and output parties. This store-compute-store paradigm masks both network traffic patterns and computational workload characteristics, while quantizing execution timing into public latency buckets. Our security analysis demonstrates that funion inherits the strong metadata privacy guarantees of Echomix under largely the same trust assumptions, while introducing acceptable overhead for production-scale workloads. Our work paves the way towards an accessible platform where users can submit fully anonymized inference queries to cloud services.

Paper Structure

This paper contains 70 sections, 4 theorems, 27 equations, 1 figure, 4 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Threat Model
  3. Client's Perspective
  4. What Metadata Might We Leak
  5. Adversary Classes
  6. Attack Vectors
  7. Security Objectives
  8. Security Non-Objectives
  9. Pigeonhole Storage, BACAP, and SURB
  10. Sphinx & SURBs (routing layer).
  11. Pigeonhole storage (service layer).
  12. BACAP vanilla (cryptographic core).
  13. System Definition
  14. System Architecture and Components
  15. BACAP for Neural Inference
  16. ...and 55 more sections

Key Result

Lemma 4.1

Let $o \in \{0,1\}$ be the overflow flag returned by the service ("1" iff $t_{\mathrm{finish}} \geq t_j$). The adversary's observable tuple is $(o, t_{\mathrm{release}})$. Given the public bucket index $j$ and grid ${t_0,\ldots,t_n}$, $(o, t_{\mathrm{release}})$ is a deterministic function of $(j, o

Figures (1)

  • Figure 1: funion store $\rightarrow$ compute $\rightarrow$ store workflow. Bob and Ben are storage couriers inside the mixnet; Charlie is a compute courier whose fetch/store requests are themselves anonymized by first entering the mixnet. B/E mark the BACAP boxes handled along each chain.

Theorems & Definitions (7)

  • Lemma 4.1: Bucket-edge timing leaks $\leq$ 1 extra bit
  • proof
  • Lemma 4.2: Buckets + overflow leak $\le \log_2(n+1)$ bits
  • Lemma 4.3: Self-receiver IO-U $\Rightarrow$ SRTU
  • proof
  • Definition 4.1: Input-Output Unlinkability, restated
  • Theorem 4.4: funion inherits Echomix + BACAP anonymity