Paper 2018/442

SecureNN: Efficient and Private Neural Network Training

Sameer Wagh, Divya Gupta, and Nishanth Chandran


Neural Networks (NN) provide a powerful method for machine learning training and inference. To effectively train, it is desirable for multiple parties to combine their data -- however, doing so conflicts with data privacy. In this work, we provide novel three-party secure computation protocols for various NN building blocks such as matrix multiplication, convolutions, Rectified Linear Units, Maxpool, normalization and so on. This enables us to construct three-party secure protocols for training and inference of several NN architectures such that no single party learns any information about the data. Experimentally, we implement our system over Amazon EC2 servers in different settings. \\ Our work advances the state-of-the-art of secure computation for neural networks in three ways: \begin{enumerate} \item Scalability: We are the first work to provide neural network training on Convolutional Neural Networks (CNNs) that have an accuracy of $>99\%$ on the MNIST dataset; \item Performance: For secure inference, our system outperforms prior 2 and 3-server works (SecureML, MiniONN, Chameleon, Gazelle) by $6\times$-$113\times$ (with larger gains obtained in more complex networks). Our total execution times are $2-4\times$ faster than even just the online times of these works. For secure training, compared to the only prior work (SecureML) that considered a much smaller fully connected network, our protocols are $79\times$ and $7\times$ faster than their 2 and 3-server protocols. In the WAN setting, these improvements are more dramatic and we obtain an improvement of $553\times$! \item Security: Our protocols provide two kinds of security: full security (privacy and correctness) against one semi-honest corruption and the notion of privacy against one malicious corruption [Araki~\etal~CCS'16]. All prior works only provide semi-honest security and ours is the first system to provide any security against malicious adversaries for the secure computation of complex algorithms such as neural network inference and training. \end{enumerate} Our gains come from a significant improvement in communication through the elimination of expensive garbled circuits and oblivious transfer protocols.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. 19th Privacy Enhancing Technologies Symposium (PETS 2019)
secure computationneural network traininginformation-theoretic security
Contact author(s)
nichandr @ microsoft com
t-digu @ microsoft com
snwagh @ gmail com
2019-03-08: revised
2018-05-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Sameer Wagh and Divya Gupta and Nishanth Chandran},
      title = {SecureNN: Efficient and Private Neural Network Training},
      howpublished = {Cryptology ePrint Archive, Paper 2018/442},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.