In secure machine learning inference, most current schemes assume that the server is semi-honest: it follows the protocol honestly but tries to infer additional information. In real-world deployments, however, the server may behave maliciously, e.g., by feeding low-quality model parameters into the protocol or by deviating from the protocol itself. Although a few studies address security against a malicious server, they do not consider verifying the model's accuracy while preserving the privacy of both the server's model and the client's inputs. Furthermore, an honest-but-curious client may perform model extraction attacks to steal the server's model. To address these issues, we propose Fusion, an efficient and privacy-preserving inference scheme that is secure against a malicious server and against a curious client who may attempt model extraction. Without relying on expensive cryptographic techniques, Fusion can be used as a general compiler for converting any semi-honest inference scheme into a maliciously secure one. Experimental results show that Fusion is 48.06× faster and uses 30.90× less communication than the existing maliciously secure inference protocol, which does not verify model accuracy. In addition, to demonstrate scalability, we run ImageNet-scale inference on the practical ResNet50 model; it costs 8.678 minutes and 10.117 GiB of communication in a WAN setting, which is 1.18× faster and uses 2.64× less communication than semi-honest CrypTFlow2 (ACM CCS 2020), an efficient and widely used scheme for secure inference over ImageNet-scale DNNs.