DarKnight: An Accelerated Framework for Privacy and Integrity Preserving Deep Learning Using Trusted Hardware

Privacy- and security-related concerns are growing as machine learning reaches diverse application domains. Data holders want to train or infer with private data while exploiting accelerators, such as GPUs, that are hosted in the cloud. Cloud systems are vulnerable to attackers who compromise data privacy and computation integrity. Tackling this challenge requires unifying theoretical privacy algorithms with hardware security capabilities. This paper presents DarKnight, a framework for training large DNNs while protecting input privacy and computation integrity. DarKnight relies on cooperative execution between trusted execution environments (TEEs) and accelerators: the TEE provides privacy and integrity verification, while the accelerators perform the bulk of the linear algebraic computation for performance. In particular, DarKnight uses a customized data encoding strategy based on matrix masking to obfuscate inputs within a TEE. The obfuscated data is then offloaded to GPUs for fast linear algebraic computation. DarKnight's data obfuscation strategy provides provable data privacy and computation integrity on cloud servers. While prior works tackle only inference privacy and cannot be used for training, DarKnight's encoding scheme is designed to support both training and inference.
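
To make the matrix-masking idea concrete, below is a minimal NumPy sketch of blinding for a single linear operation f(x) = Wx, run conceptually inside a TEE. This is an illustration under simplifying assumptions, not DarKnight's exact encoding: the function names, the Gaussian mixing matrix A, and the decode path are assumptions of this sketch, and the paper's integrity-verification step is omitted.

```python
import numpy as np

def encode(inputs, rng):
    """Blind K private inputs inside the TEE (illustrative sketch).

    Each blinded matrix is a random linear combination of the K inputs
    plus a shared random mask r, so no individual blinded matrix reveals
    any single input on its own.
    """
    K = len(inputs)
    r = rng.standard_normal(inputs[0].shape)     # random noise mask
    A = rng.standard_normal((K + 1, K + 1))      # mixing matrix, invertible w.p. 1
    blinded = [sum(A[i, j] * inputs[j] for j in range(K)) + A[i, K] * r
               for i in range(K + 1)]
    return blinded, A

def decode(outputs, A):
    """Unmix the GPU's results inside the TEE.

    Since f(x) = W @ x is linear, f applied to a linear combination of
    inputs equals the same combination of the f(x_j); inverting the
    mixing matrix A therefore recovers each W @ x_j exactly.
    """
    mixed = np.stack(outputs)                           # shape (K+1, m, n)
    unmixed = np.tensordot(np.linalg.inv(A), mixed, axes=1)
    return [unmixed[j] for j in range(len(outputs) - 1)]  # drop the W @ r row

# Usage: the untrusted GPU only ever sees the blinded matrices.
rng = np.random.default_rng(0)
W = rng.standard_normal((4, 8))                         # model weights (public)
xs = [rng.standard_normal((8, 3)) for _ in range(2)]    # K = 2 private inputs
blinded, A = encode(xs, rng)
gpu_outputs = [W @ b for b in blinded]                  # offloaded to the GPU
recovered = decode(gpu_outputs, A)
assert np.allclose(recovered[0], W @ xs[0])             # matches the private result
```

The sketch shows why only the linear part of a DNN layer can be offloaded this way: linearity is what lets the TEE unmix the accelerator's results, while nonlinear activations must still be computed on decoded values inside the TEE.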
