attack 2025

Functional Encryption in Secure Neural Network Training: Data Leakage and Practical Mitigations

Alexandru Ioniţă , Andreea Ioniţă

0 citations · 39 references · RAID

Published on arXiv: 2509.21497

Model Inversion Attack

OWASP ML Top 10 — ML03

Key Finding

Linear programming can reconstruct original private training inputs from a single sample's intermediate FE computation values, breaking the security guarantees of existing FE-based MLaaS training schemes like CryptoNN and FeNet.

LP Reconstruction Attack

Novel technique introduced


With the increased interest in artificial intelligence, Machine Learning as a Service provides the infrastructure in the Cloud for easy training, testing, and deploying models. However, these systems have a major privacy issue: uploading sensitive data to the Cloud, especially during training. Therefore, achieving secure Neural Network training has been on many researchers' minds lately. More and more solutions for this problem are built around a main pillar: Functional Encryption (FE). Although these approaches are very interesting and offer a new perspective on ML training over encrypted data, some vulnerabilities do not seem to be taken into consideration. In our paper, we present an attack on neural networks that uses FE for secure training over encrypted data. Our approach uses linear programming to reconstruct the original input, unveiling the previous security promises. To address the attack, we propose two solutions for secure training and inference that involve the client during the computation phase. One approach ensures security without relying on encryption, while the other uses function-hiding inner-product techniques.


Key Contributions

  • Demonstrates that FE-based secure neural network training schemes leak the plaintext input immediately before the first hidden layer's activation function, enabling reconstruction from a single sample
  • Proposes a linear programming attack that recovers original training inputs from intermediate inner-product computation values visible to the cloud server
  • Proposes two practical mitigations: MITIG1 using function-hiding inner-product encryption (FHIPE) and MITIG2 using client participation in computation without cryptography

🛡️ Threat Analysis

Model Inversion Attack

The attack features a concrete adversary (the cloud server) who reconstructs the client's private training data (original input features) from intermediate values exposed during FE-based neural network training. The reconstruction uses linear programming on the pre-activation inner product outputs Z1 = WX. This is a direct training-data reconstruction attack — the canonical ML03 threat. The proposed mitigations (FHIPE and client-in-the-loop computation) are evaluated specifically to defend against this data reconstruction threat.


Details

Domains: vision
Model Types: cnn
Threat Tags: white_box, training_time
Datasets: CIFAR-10, MNIST
Applications: secure neural network training, machine learning as a service (mlaas)