Xiaoyu Fang (Beijing University of Posts and Telecommunications), Shihui Zheng (Beijing University of Posts and Telecommunications), Lize Gu (Beijing University of Posts and Telecommunications)
Machine learning inference protocols based on semi-honest security models are vulnerable to attacks from malicious clients in real-world applications. These attacks can lead to the leakage of machine learning model parameters. Previous works introduced additional MACs computations to ensure correct client behavior. However, this resulted in higher runtime and communication costs during online inference.
In this work, we present CRISP, an efficient two-party cryptographic framework designed to defend against malicious clients. Specifically:
1)We design protocols for non-linear layers based on a new cryptographic primitive (Function Secret Sharing). The core of our approach focuses on optimizing the reconstruction process of MACs.
2)We propose a complex domain verification mechanism for linear layers. This mechanism eliminates the additional MACs computations by making better use of the complex space in homomorphic encryption CKKS.
Furthermore, in previous work (SIMC, USENIX Security'22), we identified compatibility issues in practical applications. The MAC reconstruction process in the nonlinear layers may leak intermediate inputs and outputs of the model when certain garbled circuit optimizations are applied. In contrast, CRISP effectively avoids this problem.
In secure inference benchmarks considered in SIMC, CRISP reduces the total communication cost of ML inference by up to 94% and cuts inference latency by up to 43%.