An Efficient 3-Party Framework for Privacy-Preserving Neural Network Inference

Abstract

In the era of big data, users pay more attention to data privacy issues in many application fields, such as healthcare, finance, and so on. However, in the current application scenarios of machine learning as a service, service providers require users’ private inputs to complete neural network inference tasks. Previous works have shown that some cryptographic tools can be used to achieve the secure neural network inference, but the performance gap is still existed to make those techniques practical.

In this paper, we focus on the efficiency problem of privacy-preserving neural network inference and propose novel 3-party secure protocols to implement amounts of nonlinear activation functions such as ReLU and Sigmod, etc. Experiments on five popular neural network models demonstrate that our protocols achieve about \(1.2\times \)–\(11.8\times \) and \(1.08\times \)–\(4.8\times \) performance improvement than the state-of-the-art 3-party protocols (SecureNN [28]) in terms of computation and communication overhead. Furthermore, we are the first to implement the privacy-preserving inference of graph convolutional networks.

Appendices

A Graph Convolutional Network

For spectral-based GCN, the goal of these models is to learn a function of signals/features on a graph \(\mathcal {G=(V,E},\textit{\textbf{A}})\), where \(\mathcal {V}\) is a finite set of \(|\mathcal {V}|\) = n vertices, \(\mathcal {E}\) is a set of edges and \(\textit{\textbf{A}}\in \mathbb {R}^{n\times n}\) is a representative description of the graph structure typically in the form of an adjacency matrix. It will be computed based on the training data by the server and the graph structure is identical for all signals [16]. \(\textit{\textbf{x}}\in \mathbb {R}^{n}\) is a signal, each row \(x_v\) is a scalar for node v. An essential operator in spectral graph analysis is the graph Laplacian \(\textit{\textbf{L}}\), and the normalized definition is \(\textit{\textbf{L}}=\textit{\textbf{I}}_n-\textit{\textbf{D}}^{-1/2}\textit{\textbf{A}}\textit{\textbf{D}}^{-1/2}\), where \(\textit{\textbf{I}}_n\) is the identity matrix and \(\textit{\textbf{D}}\) is the diagonal node degree matrix of \(\textit{\textbf{A}}\).

Defferrard et al. [12] proposed to approximate the graph filters by a truncated expansion in terms of Chebyshev polynomials. The Chebyshev polynomials are recursively defined as \(T_k(x)=2xT_{k-1}(x)-T_{k-2}(x)\), with \(T_0(x)=1\) and \(T_1(x)=x\). And filtering of a signal \(\textit{\textbf{x}}\) with a K-localized filter \(g_{\varvec{\theta }}\) can be performed using: \(g_{\varvec{\theta }}*\textit{\textbf{x}}=\sum _{k=0}^{K-1}\varvec{\theta }_k T_k(\tilde{\textit{\textbf{L}}})\textit{\textbf{x}}\), with \(\tilde{\textit{\textbf{L}}}=\frac{2}{\lambda _{max}}\textit{\textbf{L}}-\textit{\textbf{I}}_n\). \(\lambda _{max}\) is the largest eigenvalue of \(\textit{\textbf{L}}\). \(\varvec{\theta }\in \mathbb {R}^K\) is a vector of Chebyshev coefficients.

The definition generalized to a signal matrix \(\textit{\textbf{X}}\in \mathbb {R}^{n\times c}\) with c dimensional feature vector for each node and f feature maps is as follows: \(\textit{\textbf{Y}}=\sum _{k=0}^{K-1}T_k(\tilde{\textit{\textbf{L}}})\varvec{X\Theta }_k\) where \(\textit{\textbf{Y}}\in \mathbb {R}^{n\times f}\), \(\varvec{\Theta }_k\in \mathbb {R}^{c\times f}\) and the total number of trainable parameters per layer is \(c\times f\times K\) (\(\varvec{\Theta }\in \mathbb {R}^{K\times c\times f}\)). Through graph convolution layer, GCN can capture feature vector information of all neighboring nodes. It preserves both network topology structure and node feature information.

However, the privacy-preserving inference of GCN is not suitable for node classification tasks, in which test nodes (without labels) are included in GCN training. It could not quickly generate embeddings and make predictions for unseen nodes [19].

B Maxpool Protocol

C Neural Network Structure

Fig. 3.

The neural network A presented in SecureML [24]

Fig. 4.

The neural network B presented in Chameleon [27]

Fig. 5.

The neural network C/D presented in MiniONN [22] and [21] resp.

Fig. 6.

Graph convolutional neural network trained from the MNIST dataset