Modern machine learning (ML) models are expensive intellectual property (IP), and business competitiveness often depends on keeping this IP confidential. This in turn restricts how these models are deployed; for example, it is unclear how to deploy a model on-device without inevitably leaking the underlying model. At the same time, confidential computing technologies such as multi-party computation or homomorphic encryption remain impractical for wide adoption. In this paper, we take a different approach and investigate the feasibility of ML-specific mechanisms that deter unauthorized model use by restricting the model to only be usable on specific hardware, making adoption on unauthorized hardware inconvenient. That way, even if the IP is compromised, it cannot be trivially used without specialised hardware or major model adjustment. In a sense, we seek to enable cheap \emph{locking of machine learning models into specific hardware}. We demonstrate that \emph{locking} mechanisms are feasible either by targeting the efficiency of model representations, making such models incompatible with quantization, or by tying the model's operation to specific characteristics of the hardware, such as the number of clock cycles taken by arithmetic operations. We demonstrate that locking comes with negligible overheads, while significantly restricting the usability of the resultant model on unauthorized hardware.
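The abstract names quantization incompatibility as one locking mechanism. The following is an added, self-contained illustration of that idea and is not the paper's construction: it shows a toy linear classifier whose decisions depend on the low-order digits of large weights, so that a standard symmetric per-tensor int8 quantization (the kind used by common inference toolkits) collapses all weights to the same value and destroys the decisions, while an ordinary weight vector survives quantization unchanged. The weight vectors, inputs and the `NORMAL_W`/`LOCKED_W` names are constructed for this example.

```python
from typing import List, Tuple


def quantize_int8(weights: List[float]) -> Tuple[List[int], float]:
    """Symmetric per-tensor int8 quantization: one scale for the whole tensor,
    weights mapped to integers in [-127, 127]."""
    scale = max(abs(w) for w in weights) / 127.0
    q = [max(-127, min(127, round(w / scale))) for w in weights]
    return q, scale


def dequantize(q: List[int], scale: float) -> List[float]:
    """Recover float weights from their int8 representation (lossy)."""
    return [v * scale for v in q]


def dense(x: List[float], w: List[float], bias: float = 0.0) -> float:
    """Single fully-connected unit: dot product plus bias."""
    return sum(xi * wi for xi, wi in zip(x, w)) + bias


def predict(x: List[float], w: List[float], bias: float = 0.0) -> int:
    """Binary decision on the sign of the unit's output."""
    return 1 if dense(x, w, bias) > 0 else 0


def decisions_preserved(w: List[float], inputs: List[List[float]]) -> int:
    """Count inputs whose decision is identical before and after int8
    quantization of the weights; a locked model scores low here."""
    q, scale = quantize_int8(w)
    w_q = dequantize(q, scale)
    return sum(predict(x, w) == predict(x, w_q) for x in inputs)


# Constructed example weights and inputs (not from the paper).
NORMAL_W = [0.8, -0.5, 0.3]
# "Locked": every weight shares a large common component; the decision
# lives entirely in the small per-weight offsets, which one int8 step
# (about 7.9 here) cannot represent.
LOCKED_W = [1000.0 + d for d in (0.003, 0.001, -0.004)]
# Inputs are differences of unit vectors, so the common component cancels
# in full precision and only the offsets decide the output.
INPUTS = [[1.0, -1.0, 0.0], [0.0, 1.0, -1.0], [-1.0, 0.0, 1.0]]


if __name__ == "__main__":
    for name, w in (("normal", NORMAL_W), ("locked", LOCKED_W)):
        q, scale = quantize_int8(w)
        print(f"{name}: int8={q} scale={scale:.4f} "
              f"decisions preserved={decisions_preserved(w, INPUTS)}/{len(INPUTS)}")
```

Running the script shows the normal weights keeping all three decisions and the locked weights keeping only the one input whose full-precision output was already negative; after quantization every locked weight dequantizes to the same value, so each difference-of-unit-vectors input yields exactly zero and the classifier can no longer separate anything. The practical point for a defender evaluating such a scheme is that the protection is only as strong as the attacker's inability to run the model in full precision: the check above is also the test one would run to confirm the lock has actually taken effect.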