In the context of prediction-as-a-service, concerns about the privacy of the data and the model have been raised and addressed through secure inference protocols. These protocols are built from one or more cryptographic tools designed under a variety of security assumptions. In this paper, we introduce SECO, a secure inference protocol that enables a user holding an input data vector and multiple server nodes deployed with a split neural network model to collaboratively compute the prediction without compromising either party's data privacy. We extend prior work on secure inference, which requires the entire neural network model to be located on a single server node, to a multi-server hierarchy in which the user communicates with a gateway server node, which in turn communicates with remote server nodes. The inference task is split across the server nodes and must be performed over an encrypted copy of the data vector. We adopt multiparty homomorphic encryption and multiparty garbled circuit schemes, making the system secure against a dishonest majority of semi-honest servers while also protecting the partial model structure from the user. We evaluate SECO on multiple models, achieving a reduction in computation and communication cost for the user, which makes the protocol applicable to user devices with limited resources.