Modern machine learning models are expensive intellectual property, and business competitiveness often depends on keeping this IP confidential. This in turn restricts how such models can be deployed: for example, it is unclear how to deploy a model on-device without inevitably leaking the underlying model. At the same time, confidential computing technologies such as multi-party computation and homomorphic encryption remain impractical for wide adoption. In this paper we take a different approach and investigate the feasibility of ML-specific mechanisms that deter unauthorized model use by restricting the model so that it is only usable on specific hardware, making adoption on unauthorized hardware inconvenient. That way, even if the IP is compromised, it cannot be trivially used without the specialised hardware or major model adjustment. In a sense, we seek to enable cheap locking of machine learning models to specific hardware. We demonstrate that locking mechanisms are feasible, either by targeting the efficiency of model representations, such as making models incompatible with quantisation, or by tying the model's operation to specific characteristics of the hardware, such as the number of cycles taken by arithmetic operations. We show that locking comes with negligible work and latency overheads, while significantly restricting the usability of the resultant model on unauthorized hardware.
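The abstract names "making models incompatible with quantisation" as one locking strategy. The following toy, added here as an illustration and not taken from the paper, shows the failure mode that strategy relies on: a tiny linear classifier is stored once in plain form and once in a "locked" form padded with a pair of cancelling outlier weights (the OUTLIER value, the duplicated-feature input convention and the 4-bit majority task are all assumptions made for the example). Both forms give identical floating-point outputs, but symmetric per-tensor int8 quantisation, which scales by max|w|/127, rounds every useful weight of the locked form to zero, so the int8 copy collapses to a constant predictor while the plain form quantises cleanly.

```python
"""Toy quantisation-locking illustration (added example, not the paper's code).

Symmetric per-tensor int8 quantisation chooses scale = max|w| / 127 and stores
q = round(w / scale). Planting two cancelling outliers of magnitude OUTLIER in
a weight vector inflates that scale until the real weights all round to zero,
while leaving the float computation unchanged because the outliers cancel.
"""
from itertools import product

OUTLIER = 1000.0  # assumed constant for the example; any value >> 127 * max|w| works


def quantize_int8(weights):
    """Symmetric per-tensor int8 quantisation; returns (int codes, scale)."""
    scale = max(abs(w) for w in weights) / 127.0
    codes = [max(-128, min(127, round(w / scale))) for w in weights]
    return codes, scale


def dequantize(codes, scale):
    """Map int8 codes back to floats, as an int8 inference path effectively does."""
    return [c * scale for c in codes]


def linear(weights, bias, x):
    return sum(w * xi for w, xi in zip(weights, x)) + bias


def predict(weights, bias, x):
    return 1 if linear(weights, bias, x) > 0 else 0


def lock_weights(weights):
    """Append +OUTLIER and -OUTLIER. With lock_input() they cancel exactly in float."""
    return list(weights) + [OUTLIER, -OUTLIER]


def lock_input(x):
    """Locked models expect x[0] duplicated twice at the end (assumed convention)."""
    return list(x) + [x[0], x[0]]


def majority_classifier():
    """4-input majority vote: at least 3 of 4 bits set -> class 1 (constructed task)."""
    return [0.25] * 4, -0.625


def accuracy(weights, bias, inputs, labels, locked=False):
    correct = 0
    for x, y in zip(inputs, labels):
        xx = lock_input(x) if locked else x
        correct += predict(weights, bias, xx) == y
    return correct / len(inputs)


def run_demo():
    """Compare plain vs. locked weights on the float and int8 paths."""
    w, b = majority_classifier()
    inputs = [list(bits) for bits in product([0, 1], repeat=4)]  # constructed: all 16 inputs
    labels = [1 if sum(x) >= 3 else 0 for x in inputs]

    results = {"plain_float": accuracy(w, b, inputs, labels)}
    q, s = quantize_int8(w)
    results["plain_int8"] = accuracy(dequantize(q, s), b, inputs, labels)

    wl = lock_weights(w)
    results["locked_float"] = accuracy(wl, b, inputs, labels, locked=True)
    ql, sl = quantize_int8(wl)
    results["locked_int8"] = accuracy(dequantize(ql, sl), b, inputs, labels, locked=True)
    # Only the two outlier codes survive quantisation; every real weight became 0.
    results["locked_int8_nonzero_weights"] = sum(1 for c in ql if c != 0)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The locked int8 model scores only the base rate (11/16 of the constructed inputs belong to class 0, and the collapsed model always predicts 0), which is what "unusable on hardware that requires quantisation" means in practice. The caveat a practitioner should note: this toy is trivially reversible, since an attacker who inspects the weights can delete the obvious ±1000 pair and re-quantise, so it illustrates the failure mode the abstract relies on, not a construction that resists an adversary who can edit the weights.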