Cryptology ePrint Archive: Report 2021/1040

MUSE: Secure Inference Resilient to Malicious Clients

Ryan Lehmkuhl and Pratyush Mishra and Akshayaram Srinivasan and Raluca Ada Popa

Abstract: The increasing adoption of machine learning inference in applications has led to a corresponding increase in concerns surrounding the privacy guarantees offered by existing mechanisms for inference. Such concerns have motivated the construction of efficient secure inference protocols that allow parties to perform inference without revealing their sensitive information. Recently, there has been a proliferation of such proposals, rapidly improving efficiency. However, most of these protocols assume that the client is semi-honest, that is, the client does not deviate from the protocol; yet in practice, clients are many, have varying incentives, and can behave arbitrarily. To demonstrate that a malicious client can completely break the security of semi-honest protocols, we first develop a new model-extraction attack against many state-of-the-art secure inference protocols. Our attack enables a malicious client to learn model weights with 22x-312x fewer queries than the best black-box model-extraction attack and scales to much deeper networks.

Motivated by the severity of our attack, we design and implement MUSE, an efficient two-party secure inference protocol resilient to malicious clients. MUSE introduces a novel cryptographic protocol for conditional disclosure of secrets to switch between authenticated additive secret shares and garbled circuit labels, and an improved Beaver's triple generation procedure which is 8x-12.5x faster than existing techniques.

These protocols allow MUSE to push a majority of its cryptographic overhead into a preprocessing phase: compared to the equivalent semi-honest protocol (which is close to state-of-the-art), MUSE's online phase is only 1.7x-2.2x slower and uses 1.4x more communication. Overall, MUSE is 13.4x-21x faster and uses 2x-3.6x less communication than existing secure inference protocols which defend against malicious clients.

Category / Keywords: cryptographic protocols / privacy-preserving machine learning, secure inference, model extraction

Original Publication (with minor differences): USENIX Security 2021

Date: received 11 Aug 2021, last revised 21 Aug 2021

Contact author: ryanleh at berkeley edu, pratyush at berkeley edu, raluca popa at berkeley edu


Version: 20210821:221044

Short URL: ia.cr/2021/1040
