Privacy Leakage in Privacy-Preserving Neural Network Inference

Mengqi Wei; Wenxing Zhu; Liangkun Cui; Xiangxue Li; Qiang Li

doi:10.1007/978-3-031-17140-6_7

Privacy Leakage in Privacy-Preserving Neural Network Inference

Mengqi Wei
, Wenxing Zhu
, Liangkun Cui
, Xiangxue Li^*
, Qiang Li

^*Corresponding author for this work

Software Engineering Institute

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

The community has seen many attempts to secure machine learning algorithms from multi-party computation or other cryptographic primitives. An interesting 3-party framework (SCSDF hereafter) for privacy-preserving neural network inference was presented at ESORICS 2020. SCSDF defines several protocols for non-linear activation functions including ReLU, Sigmoid, etc. In particular, these protocols reckon on a protocol DReLU (derivative computation for ReLU function) they proposed as a building block. All protocols are claimed secure (against one single semi-honest corruption and against one malicious corruption). Unfortunately, the paper shows that there exists grievous privacy leakage of private inputs during SCSDF executions. This would completely destroy the framework security. We first give detailed cryptanalysis on SCSDF from the perspective of the real-ideal simulation paradigm and indicate that these claimed-secure protocols do not meet the underlying security model. We then go into particular steps in SCSDF and demonstrate that the signs of input data would be inevitably revealed to the (either semi-honest or malicious) third party responsible for assisting protocol executions. To show such leakage more explicitly, we perform plenteous experiment evaluations on the MNIST dataset, the CIFAR-10 dataset, and CFD (Chicago Face Database) for both ReLU and Sigmoid non-linear activation functions. All experiments succeed in disclosing original private data of the data owner in the inference process. Potential countermeasures are recommended and demonstrated as well.

Original language	English
Title of host publication	Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
Editors	Vijayalakshmi Atluri, Roberto Di Pietro, Christian D. Jensen, Weizhi Meng
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	133-152
Number of pages	20
ISBN (Print)	9783031171390
DOIs	https://doi.org/10.1007/978-3-031-17140-6_7
State	Published - 2022
Event	27th European Symposium on Research in Computer Security, ESORICS 2022 - Hybrid, Copenhagen, Denmark Duration: 26 Sep 2022 → 30 Sep 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13554 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	27th European Symposium on Research in Computer Security, ESORICS 2022
Country/Territory	Denmark
City	Hybrid, Copenhagen
Period	26/09/22 → 30/09/22

Keywords

Multi-party computation
Neural network inference
Privacy leakage
Privacy-preserving machine learning

Access to Document

10.1007/978-3-031-17140-6_7

Cite this

Wei, M., Zhu, W., Cui, L., Li, X., & Li, Q. (2022). Privacy Leakage in Privacy-Preserving Neural Network Inference. In V. Atluri, R. Di Pietro, C. D. Jensen, & W. Meng (Eds.), Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings (pp. 133-152). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13554 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-17140-6_7

Wei, Mengqi ; Zhu, Wenxing ; Cui, Liangkun et al. / Privacy Leakage in Privacy-Preserving Neural Network Inference. Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. editor / Vijayalakshmi Atluri ; Roberto Di Pietro ; Christian D. Jensen ; Weizhi Meng. Springer Science and Business Media Deutschland GmbH, 2022. pp. 133-152 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{ac095524e2924561a66dd979f9f76158,

title = "Privacy Leakage in Privacy-Preserving Neural Network Inference",

abstract = "The community has seen many attempts to secure machine learning algorithms from multi-party computation or other cryptographic primitives. An interesting 3-party framework (SCSDF hereafter) for privacy-preserving neural network inference was presented at ESORICS 2020. SCSDF defines several protocols for non-linear activation functions including ReLU, Sigmoid, etc. In particular, these protocols reckon on a protocol DReLU (derivative computation for ReLU function) they proposed as a building block. All protocols are claimed secure (against one single semi-honest corruption and against one malicious corruption). Unfortunately, the paper shows that there exists grievous privacy leakage of private inputs during SCSDF executions. This would completely destroy the framework security. We first give detailed cryptanalysis on SCSDF from the perspective of the real-ideal simulation paradigm and indicate that these claimed-secure protocols do not meet the underlying security model. We then go into particular steps in SCSDF and demonstrate that the signs of input data would be inevitably revealed to the (either semi-honest or malicious) third party responsible for assisting protocol executions. To show such leakage more explicitly, we perform plenteous experiment evaluations on the MNIST dataset, the CIFAR-10 dataset, and CFD (Chicago Face Database) for both ReLU and Sigmoid non-linear activation functions. All experiments succeed in disclosing original private data of the data owner in the inference process. Potential countermeasures are recommended and demonstrated as well.",

keywords = "Multi-party computation, Neural network inference, Privacy leakage, Privacy-preserving machine learning",

author = "Mengqi Wei and Wenxing Zhu and Liangkun Cui and Xiangxue Li and Qiang Li",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 27th European Symposium on Research in Computer Security, ESORICS 2022 ; Conference date: 26-09-2022 Through 30-09-2022",

year = "2022",

doi = "10.1007/978-3-031-17140-6\_7",

language = "英语",

isbn = "9783031171390",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "133--152",

editor = "Vijayalakshmi Atluri and \{Di Pietro\}, Roberto and Jensen, \{Christian D.\} and Weizhi Meng",

booktitle = "Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings",

address = "德国",

}

Wei, M, Zhu, W, Cui, L, Li, X & Li, Q 2022, Privacy Leakage in Privacy-Preserving Neural Network Inference. in V Atluri, R Di Pietro, CD Jensen & W Meng (eds), Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13554 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 133-152, 27th European Symposium on Research in Computer Security, ESORICS 2022, Hybrid, Copenhagen, Denmark, 26/09/22. https://doi.org/10.1007/978-3-031-17140-6_7

Privacy Leakage in Privacy-Preserving Neural Network Inference. / Wei, Mengqi; Zhu, Wenxing; Cui, Liangkun et al.
Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. ed. / Vijayalakshmi Atluri; Roberto Di Pietro; Christian D. Jensen; Weizhi Meng. Springer Science and Business Media Deutschland GmbH, 2022. p. 133-152 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13554 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Privacy Leakage in Privacy-Preserving Neural Network Inference

AU - Wei, Mengqi

AU - Zhu, Wenxing

AU - Cui, Liangkun

AU - Li, Xiangxue

AU - Li, Qiang

PY - 2022

Y1 - 2022

N2 - The community has seen many attempts to secure machine learning algorithms from multi-party computation or other cryptographic primitives. An interesting 3-party framework (SCSDF hereafter) for privacy-preserving neural network inference was presented at ESORICS 2020. SCSDF defines several protocols for non-linear activation functions including ReLU, Sigmoid, etc. In particular, these protocols reckon on a protocol DReLU (derivative computation for ReLU function) they proposed as a building block. All protocols are claimed secure (against one single semi-honest corruption and against one malicious corruption). Unfortunately, the paper shows that there exists grievous privacy leakage of private inputs during SCSDF executions. This would completely destroy the framework security. We first give detailed cryptanalysis on SCSDF from the perspective of the real-ideal simulation paradigm and indicate that these claimed-secure protocols do not meet the underlying security model. We then go into particular steps in SCSDF and demonstrate that the signs of input data would be inevitably revealed to the (either semi-honest or malicious) third party responsible for assisting protocol executions. To show such leakage more explicitly, we perform plenteous experiment evaluations on the MNIST dataset, the CIFAR-10 dataset, and CFD (Chicago Face Database) for both ReLU and Sigmoid non-linear activation functions. All experiments succeed in disclosing original private data of the data owner in the inference process. Potential countermeasures are recommended and demonstrated as well.

AB - The community has seen many attempts to secure machine learning algorithms from multi-party computation or other cryptographic primitives. An interesting 3-party framework (SCSDF hereafter) for privacy-preserving neural network inference was presented at ESORICS 2020. SCSDF defines several protocols for non-linear activation functions including ReLU, Sigmoid, etc. In particular, these protocols reckon on a protocol DReLU (derivative computation for ReLU function) they proposed as a building block. All protocols are claimed secure (against one single semi-honest corruption and against one malicious corruption). Unfortunately, the paper shows that there exists grievous privacy leakage of private inputs during SCSDF executions. This would completely destroy the framework security. We first give detailed cryptanalysis on SCSDF from the perspective of the real-ideal simulation paradigm and indicate that these claimed-secure protocols do not meet the underlying security model. We then go into particular steps in SCSDF and demonstrate that the signs of input data would be inevitably revealed to the (either semi-honest or malicious) third party responsible for assisting protocol executions. To show such leakage more explicitly, we perform plenteous experiment evaluations on the MNIST dataset, the CIFAR-10 dataset, and CFD (Chicago Face Database) for both ReLU and Sigmoid non-linear activation functions. All experiments succeed in disclosing original private data of the data owner in the inference process. Potential countermeasures are recommended and demonstrated as well.

KW - Multi-party computation

KW - Neural network inference

KW - Privacy leakage

KW - Privacy-preserving machine learning

UR - https://www.scopus.com/pages/publications/85140443183

U2 - 10.1007/978-3-031-17140-6_7

DO - 10.1007/978-3-031-17140-6_7

M3 - 会议稿件

AN - SCOPUS:85140443183

SN - 9783031171390

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 133

EP - 152

BT - Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings

A2 - Atluri, Vijayalakshmi

A2 - Di Pietro, Roberto

A2 - Jensen, Christian D.

A2 - Meng, Weizhi

PB - Springer Science and Business Media Deutschland GmbH

T2 - 27th European Symposium on Research in Computer Security, ESORICS 2022

Y2 - 26 September 2022 through 30 September 2022

ER -

Wei M, Zhu W, Cui L, Li X, Li Q. Privacy Leakage in Privacy-Preserving Neural Network Inference. In Atluri V, Di Pietro R, Jensen CD, Meng W, editors, Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 133-152. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-17140-6_7