Security of model parameters and user data is critical for Transformer-based services, such as ChatGPT. While recent strides in secure two-party protocols have successfully addressed security concerns in serving Transformer models, their adoption is practically infeasible due to the prohibitive cryptographic overheads involved. Drawing insights from our hands-on experience in developing two real-world Transformer-based services, we identify the inherent efficiency bottleneck in the two-party assumption. To overcome this limitation, we propose a novel three-party threat model. Within this framework, we design a semi-symmetric permutation-based protection scheme and present STIP, the first secure Transformer inference protocol without any inference accuracy loss. Experiments on representative Transformer models in real systems show that STIP has practical security and outperforms state-of-the-art secure two-party protocols in efficiency by millions of times.