Machine learning has revolutionized data analysis and pattern recognition, but its resource-intensive training has limited accessibility. Machine Learning as a Service (MLaaS) simplifies this by enabling users to delegate their data samples to an MLaaS provider and obtain the inference result using a pre-trained model. Despite its convenience, leveraging MLaaS poses significant privacy and reliability concerns for the client. Specifically, sensitive information in the client's query data can be leaked to an adversarial MLaaS provider. Meanwhile, the lack of a verifiability guarantee can potentially result in biased inference results or even unfair payment issues. While existing trustworthy machine learning techniques, such as those relying on verifiable computation or secure computation, offer solutions to privacy and reliability concerns, they fall short of simultaneously protecting the privacy of client data and providing provable inference verifiability. In this paper, we propose vPIN, a privacy-preserving and verifiable CNN inference scheme that preserves privacy for client data samples while ensuring verifiability for the inference. vPIN makes use of partial homomorphic encryption and commit-and-prove succinct non-interactive argument of knowledge techniques to achieve the desired security properties. In vPIN, we develop various optimization techniques to minimize the proving circuit for homomorphic inference evaluation, thereby improving the efficiency and performance of our technique. We fully implemented and evaluated our vPIN scheme on standard datasets (e.g., MNIST, CIFAR-10). Our experimental results show that vPIN achieves high efficiency in terms of proving time, verification time, and proof size, while providing client data privacy guarantees and provable verifiability.