In secure machine learning inference, most schemes assume that the server is semi-honest (honestly following the protocol but attempting to infer additional information). In the real world, however, the server may be malicious (e.g., using a low-quality model or deviating from the protocol). Although a few studies have considered a malicious server that deviates from the protocol, they ignore the verification of model accuracy (where the malicious server uses a low-quality model) while preserving the privacy of both the server's model and the client's inputs. To address these issues, we propose \textit{Fusion}, where the client mixes public samples (whose query results are known) with its own samples to be queried, and uses the mixed set as the input of a multi-party computation that jointly performs the secure inference. Since a server that uses a low-quality model or deviates from the protocol can only produce results that the client can easily identify as wrong on the public samples, \textit{Fusion} forces the server to behave honestly, thereby addressing all of the issues above without leveraging expensive cryptographic techniques. Our evaluation indicates that \textit{Fusion} is 48.06$\times$ faster and uses 30.90$\times$ less communication than the existing maliciously secure inference protocol (which currently does not support the verification of model accuracy). In addition, to show scalability, we conduct ImageNet-scale inference on the practical ResNet50 model; it costs 8.678 minutes and 10.117 GiB of communication in a WAN setting, which is 1.18$\times$ faster and has 2.64$\times$ less communication than the semi-honest protocol.
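The client-side mixing and checking idea described above, as an added illustration that is not the paper's code: plain Python function calls stand in for the multi-party computation, the "model" is a constructed toy that predicts the parity of an integer, and the evasion-probability formula is a standard combinatorial bound assumed here (t tampered results in a batch of n hit none of k randomly placed public samples), not a figure from the paper.

```python
import random
from math import comb

def build_query_batch(public, private, rng):
    """Mix public samples (known answers) with the client's private inputs.
    Returns the shuffled batch, the hidden positions of the public samples
    with their expected results, and the batch position of each private input."""
    items = [(x, y, None) for x, y in public] + [(x, None, j) for j, x in enumerate(private)]
    rng.shuffle(items)
    batch = [x for x, _, _ in items]
    checks = {i: y for i, (_, y, j) in enumerate(items) if j is None}
    where = {j: i for i, (_, _, j) in enumerate(items) if j is not None}
    return batch, checks, where

def verify_results(results, checks):
    """Accept the batch only if every public sample came back with its known result."""
    return all(results[i] == y for i, y in checks.items())

def evasion_probability(n, k, t):
    """Probability that t tampered results in a batch of n hit none of the
    k randomly placed public samples (the client detects with 1 minus this).
    Assumed analysis for this example, not a bound taken from the paper."""
    return comb(n - k, t) / comb(n, t) if t <= n - k else 0.0

def run_round(server, public, private, seed=0):
    """One query round: build the mixed batch, query the server, verify the
    public samples, and return (accepted, private results in original order)."""
    batch, checks, where = build_query_batch(public, private, random.Random(seed))
    results = server(batch)
    if not verify_results(results, checks):
        return False, None
    return True, [results[where[j]] for j in range(len(private))]

# Constructed toy task: the "model" predicts the parity of an integer.
def honest_server(batch):
    return [x % 2 for x in batch]

def degraded_server(batch):
    # Low-quality model: wrong on every multiple of 3.
    return [(x % 2) if x % 3 else 1 - (x % 2) for x in batch]

if __name__ == "__main__":
    public = [(0, 0), (2, 0), (3, 1), (7, 1)]   # constructed; answers known to the client
    private = [1, 4, 6]                        # constructed client inputs
    print(run_round(honest_server, public, private))    # (True, [1, 0, 0])
    print(run_round(degraded_server, public, private))  # (False, None)
    print(evasion_probability(10, 4, 3))                # 0.1666...
```

The degraded server is caught because its errors land on public samples whose answers the client already knows; `evasion_probability` shows how the detection chance grows with the share of public samples in the batch.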