1 Introduction
From Alexa and Google Assistant to selfdriving vehicles and Cyborg technologies, deep learning is rapidly advancing and transforming the way we work and live. It is becoming prevalent and pervasive, embedded in many systems, e.g., for pattern recognition
[26], medical diagnosis [8], speech recognition [5] and creditrisk assessment [10]. In particular, deep Convolutional Neural Network (CNN) has demonstrated superior performance in computer vision such as image classification
[24, 39][35], among many others.Since training a deep neural network model is resourceintensive, cloud providers begin to offer Machine Learning as a Service (MLaaS) [46], where a proprietary model is trained and hosted on clouds, and clients make queries (inference) and receive results through a web portal. While this emerging cloud service is embraced as important tools for efficiency and productivity, the interaction between clients and cloud servers creates new vulnerabilities for unauthorized access to private information. This work focuses on ensuring privacypreserved while efficient inference in MLaaS.
Although communication can be readily secured from end to end, privacy still remains a fundamental challenge. On the one hand, the clients must submit their data to the cloud for inference, but they want the data privacy well protected, preventing curious cloud provider from mining valuable information. In many domains such as health care [31] and finance [40], data are extremely sensitive. For example, when patients transmit their physiological data to the server for medical diagnosis, they do not want anyone (including the cloud provider) to see it. Regulations such as Health Insurance Portability and Accountability Act (HIPAA) [1] and the recent General Data Protection Regulation (GDPR) in Europe [11] have been in place to impose restrictions on sharing sensitive user information. On the other hand, cloud providers do not want users to be able to extract their proprietary, valuable model that has been trained with significant resource and efforts, as it may turn customers into onetime shoppers [43]. Furthermore, the trained model contains private information about the training data set and can be exploited by malicious users [38, 41, 45]. To this end, there is an urgent need to develop effective and efficient schemes to ensure that, in MLaaS, a cloud server does not have access to users’ data and a user cannot learn the server’s model.
Scheme for Linear Computation  Scheme for NonLinear Computation  Speedup over [14]  
CryptoNets [14]  HE  HE (square approx.)  – 
Faster CryptoNets [4]  HE  HE (polynomial approx.)  10 
GELUNet [48]  HE  Plaintext (no approx.)  14 
E2DM [22]  Packed HE & Matrix optimization  HE (square approx.)  30 
SecureML [30]  HE & Secret share  GC (piecewise linear approx.)  60 
Chameleon [33]  Secret share  GMW & GC (piecewise linear approx.)  150 
MiniONN [28]  Packed HE & Secret share  GC (piecewise linear approx.)  230 
DeepSecure [34]  GC  GC (polynomial approx.)  527 
SecureNN [44]  Secret share  GMW (piecewise linear approx.)  1000 
FALCON [27]  Packed HE with FFT  GC (piecewise linear approx.)  1000 
XONN [32]  GC  GC (piecewise linear approx.)  1000 
GAZELLE [23]  Packed HE & Matrix optimization  GC (piecewise linear approx.)  1000 
CHEETAH  Packed HE & Obscure matrix cal.  Obscure HE & SS (no approx.)  100,000 
1.1 Retrospection: Evolvement of PrivacyPreserved Neural Networks
The quest began in 2016 when CryptoNets [14] was proposed to embed Homomorphic Encryption (HE) [13] into CNN. It was the first work that successfully demonstrated the feasibility of calculating inference over Homomorphically encrypted data. While the idea is conceptually straightforward, its prohibitively high computation cost renders it impractical for most applications that rely on nontrivial deep neural networks with a practical size in order to characterize complex feature relations [39]. For instance, CryptoNets takes about
s for computing inference even on a simple threelayer CNN architecture. With the increase of depth, the computation time grows exponentially. Moreover, several key functions in neural networks (e.g., activation and pooling) are nonlinear. CryptoNets had to use Taylor approximation, e.g., replacing the original activation function with a square function. Such approximation leads to not only degraded accuracy compared with the original model, but also instability and failure in training.
Following CryptoNets, the past two years have seen a multitude of works aiming to improve the computation accuracy and efficiency (as summarized in Table I). A neural network essentially consists of two types of computations, i.e., linear and nonlinear computations. The former focuses on matrix calculation to compute dot product (for fullyconnected dense layers) and convolution (for convolutional layers). The latter includes nonlinear functions such as activation, pooling and softmax. A series of studies have been carried out to accelerate the linear computation, or nonlinear computation, or both. For example, faster CryptoNets [4] leveraged sparse polynomial multiplication to accelerate the linear computation. It achieved about 10 times speedup over CryptoNets. SecureML [30], Chameleon [33] and MiniONN [28] adopted a similar design concept. Among them, MiniONN achieved the highest performance gain. It applied Secret Share (SS) for linear computation, and packed HE [9]
to preshare a noise vector between the client and server offline, in order to cancel the noise during secure online computation. In
[28], nonlinear functions were approximated by piecewise linear segments, and computed by using Garbled Circuits (GC), which resulted in times speedup over CryptoNets. DeepSecure [34] took an allGC approach, i.e., implemented both linear and nonlinear computations using GC. It optimized the gates in the traditional GC module to achieve a speedup of 527 times over CryptoNets. Finally, GAZELLE [23] focused on the linear computation, to accelerate the matrixvector multiplication based on packed HE, such that Homomorphic computations can be efficiently parallelized on multiple packed ciphertexts. GAZELLE demonstrated impressive speedup of about times compared with MiniONN and three orders of magnitude faster than CryptoNets. So far, GAZELLE is considered the stateofart framework for secure inference computation.Two recent works unofficially published in arXiv reported new designs that achieved computation speed at the same order of magnitude as GAZELLE. FALCON [27]
leveraged fast Fourier Transform (FFT) to accelerate linear computation. Its computing speed is similar to GAZELLE, while the communication cost is higher. SecureNN
[44] adopted a design philosophy similar to Chameleon and MiniONN, but exploited a 3party setting to accelerate the secure computation, to obtain a 4 times speedup over GAZELLE, at the cost of using a semitrust third party. Additionally, XONN [32] worked in line with DeepSecure to explore the GC based design for Binary Neural Network (BNN), achieving up to 7 times speedup over GAZELLE, at the cost of accuracy drop due to the binary quantization in BNN.In addition, a few approaches were introduced to not just improve computation efficiency but also provide other desirable features. For example, GELUNet [48] aims to avoid approximation of nonlinear functions. It partitioned computation onto noncolluding parties: one party performs linear computations on encrypted data, and the other executes nonpolynomial computation in an unencrypted but secure manner. It showed over 14 times speedup than CryptoNets and does not have accuracy loss. E2DM [22] aimed to encrypt both data and neural network models, assuming the latter are uploaded by users to untrusted cloud. It focused on matrix optimization by combining Homomorphic operation and ciphertext permutation, demonstrating 30 times speedup over CryptoNets.
1.2 Contribution of This Work
Despite the fast and promising improvement in computation speed, there is still a significant performance gap to apply privacypreserved neural networks on practical applications. The time constraints in many realtime applications (such as speech recognition in Alexa and Google Assistant) are within seconds [2, 16]; selfdriving cars even demand an immediate response less than a second [6]. In contrast, our benchmark has showed that GAZELLE, which has achieved the best performance so far in terms of speed among existing schemes, takes 161s and 1731s to run the wellknown practical deep neural networks AlexNet [24] and VGG16 [39], which renders it impractical in realworld applications.
In this paper, we propose CHEETAH, an ultrafast, secure MLaaS framework that features a carefully crafted secret sharing scheme to enable efficient, joint linear and nonlinear computation, so that it can run significantly faster than the stateoftheart schemes. It eliminates the need to use approximation for nonlinear computations; hence, unlike the existing schemes, CHEETAH does not have accuracy loss. It, for the first time, reduces the computation delay to milliseconds and thus enables a wide range of practical applications to utilize privacypreserved deep neural networks. To the best of knowledge, this is also the first work that demonstrates privacypreserved inference based on the wellknown, practical deep architectures such as AlexNet and VGG.
The significant performance improvement of CHEETAH stems from a creative design, called joint obscure neural computing
. Computations in neural networks follow a series of operations alternating between linear and nonlinear transformations for feature extraction. Each operation takes the output from the previous layer as the input. For example, the nonlinear activation is computed on the weighted values of linear transformations (i.e., the dot product or convolution). All existing approaches discussed in Sec.
1.1 essentially follow the same framework, aiming to securely compute the results for each layer and then propagate to the next layer. This seemingly logic approach, however, becomes the fundamental performance hurdle as revealed by our analysis.First, although matrix computation has been deeply optimized based on packed HE for the linear transformation in the stateoftheart GAZELLE, it is still costly. The computation time of the linear transformation is dominated by the operation called ciphertext permutation (or Perm) [23], which generates the sum based on a packed vector. It is required in both convolution (for a convolutional layer) and dot product (for a dense layer). From our experiments, one Perm is 56 times slower than one Homomorphic addition and 34 times slower than one Homomorphic multiplication. We propose an approach to enable an incomplete (or obscure) linear transformation result to propagate to the next nonlinear transformation as the input to continue the neural computation, reducing the number of ciphertext permutations to zero in both convolution and linear dot product computation.
Second, most existing schemes (including GAZELLE) adopted GC to compute the nonlinear transformation (such as activation, pooling and softmax), because GC generally performs better than HE when the multiplicative depth is greater than 0 (i.e., nonlinear) [23]
. However, the GCbased approach is still costly. The overall network must be represented as circuits and involves interactive communications between two parties to jointly evaluate neural functions over their private inputs. The time cost is often significant for large and deep networks. Specifically, our benchmark shows that it takes about 263 seconds to compute a nonlinear ReLu function with 3.2M input values, which is part of the VGG16 framework
[39]. Moreover, all existing GCbased solutions rely on piecewise or polynomial approximation for nonlinear functions such as activation. This leads to degraded accuracy and the accuracy loss is often significant. The proposed scheme takes a secret sharing approach with 0multiplicativedepth packed HE to avoid the use of computationally expensive GC. A novel design is developed to allow the server and client to each obtain a share of Homomorphic encrypted nonlinear transformation result based on the obscure linear transformation as discussed above. This approach eliminates the need to use approximation for nonlinear functions and achieves enormous speedup. For example, it is 1793 times faster than GAZELLE in computing the most common nonlinear ReLu activation function, under the output dimension of 10K.Overall, the proposed CHEETAH is an ultrafast privacypreserved neural network inference framework without accuracy loss. It enables obscure neural computing that intrinsically merges the calculation of linear and nonlinear transformations and effectively reduces the computation time. We benchmark the performance of CHEETAH with wellknown deep networks for secure inference. Our results show that it is 218 and 334 times faster than GAZELLE, respectively, for a 3layer and a 4layer CNN used in previous works. It achieves a significant speedup of 130 and 140 times, respectively, over GAZELLE in the wellknown, practical deep networks AlexNet and VGG16. Compared with CryptoNets, CHEETAH achieves a speedup of five orders of magnitudes.
2 System and Threat Models
In this section, we introduce the overall system architecture and threat model, as well as the background knowledge about cryptographic tools used in our design.
2.1 System Model
We consider a MLaaS system as shown in Fig. 1. The client is the party that generates or owns the private data. The server is the party that has a welltrained deep learning model and provides the inference service based on the client’s data. For example, a doctor performs a chest Xray for her patient and sends the Xray image to the server on the cloud, which runs the neural network model and returns the inference result to assist the doctor’s diagnosis.
While various deep learning techniques can be employed to enable MLaaS, we focus on the Convolutional Neural Network (CNN), which has achieved wide success and demonstrated superior performance in computer vision such as image classification [24, 39] and face recognition [35]. A CNN consists of a stack of layers to learn a complex relation among the input data, e.g., the relations between pixels of an input image. It operates on a sequence of linear and nonlinear transformations to infer a result, e.g., whether an input medical image indicates the patient has pneumonia. The linear transformations are in two typical forms: dot product and convolution. The nonlinear transformations leverage activations
such as the Rectified Linear Unit (
ReLu) to approximate complex functions [20] and pooling(e.g., max pooling and mean pooling) for dimensionality reduction. CNN repeats the linear and nonlinear transformations recursively to reduce the highdimensional input data to a lowdimensional feature vector for classification at the
fully connected layer. Without losing generality, we use image classification as an example in the following discussion, aiming to provide a lucid understanding of the CNN architecture as illustrated in Fig. 2.Convolutional Layer. As shown in Fig. 2(b), the input to a convolutional layer has the dimensions of , where and are the width and height of the input feature map and is the number of the feature maps (or channels). For the first layer, the feature maps are simply the input images. Hereafter, we use the subscript to denote input and output. The input is convolved with groups of kernels. The size of each group of kernel is , in which and are the width and height of the kernel. The number of channels of the kernel group must match with the input, i.e., . The convolution will produce the feature output, with a size of . More specifically, the th element in the th output feature is calculated as follows:
(1) 
where and are the kernel and input, respectively. For the ease of description, we omit the bias in Eq. (1). Nevertheless, it can be easily transformed into the convolution or weight matrix multiplication [18].
The last convolutional layer is typically connected with the fullyconnected layer, which computes the weighted sum, i.e., a dot product between the weight matrix of size and a flatten feature vector of size . The output is a vector with the size of . Each element of the output vector is calculated below:
(2) 
Activation. Nonlinear activation is applied to convolutional and weightedsum outputs in an elementwise manner. The commonly used activation functions include ReLu, ; sigmoid, ; and tanh, . The last layer uses the softmax function
to normalize the outputs into a probability vector.
Pooling. Pooling conducts downsampling to reduce dimensionality. In this work, we consider Mean pooling, which is implemented in CryptoNets and also commonly adopted in stateofart CNNs. It splits a feature map into regions and averages the regional elements. Compared to max pooling (another pooling function which selects the maximum value in each region), authors in [49] have claimed that while the max and mean pooling functions are rather similar, the use of mean pooling encourages the network to identify the complete extent of the object, which builds a generic localizable deep representation that exposes the implicit attention of CNNs on an image.
2.2 Threat Model
Similar to [28, 23, 30, 34], we adopt the semihonest model, in which both parties try to learn additional information from the message received (assuming they have bounded computational capability). That is, the client and server will follow the protocol, but wants to learn the model parameters and attempts to learn the data. Hence, the goal is to make the server oblivious of the private data from the clients, and prevent the client from learning the model parameters of the server. We would prove that the proposed framework is secure under semihonest corruption using ideal/real security [15]. Our framework targets to protect clients’ sensative data, and service providers’ models which have been trained by service providers with significant resources (e.g., private training data and computing power). Protecting models is usually sufficient through protecting the model parameters, which are the most critical information for a model. Moreover, many applications are even built on wellknown deep network structures such as AlexNet [24], VGG16/19 [39] and ResNet50 [19]. Hence it is typically not necessary to protect the structure (number of layers, kernel size, etc). In the case that the implemented structure is proprietary and has to be protected, service providers can introduce redundant layers and kernels to hide the real structure [28, 23].
There is also an array of emerging attacks to the security and privacy of the neural networks [45, 38, 43, 12, 29, 21]
. They can be further classified by the processes that they are targeting at: training, inference (model) and input.
(1) Training. The attack in [45]attempts to steal the hyperparameters during training. The membership inference attack
[38] wants to find out whether an input belongs to the training set based on the similarities between models that are privately trained or duplicated by the attacker. This paper focuses on the inference stage and does not consider such attacks in training, since the necessary variables for launching these attacks have been released in memory and the training API is not provided. (2) Model. The model extraction attack [43] exploits the linear transformation at the inference stage to extract the model parameters and the model inversion attack [12] attempts to deduce the training sets by finding the input that maximizes the classification probability. The success of these attacks requires full knowledge of the softmax probability vectors. To mitigate them, the server can return only the predicted label but not the probability vector or limits the number of queries from the attacker. The Generative Adversarial Networks (GAN) based attacks [29] can recover the training data by accessing the model. In this research, since the model parameters are successfully protected from the clients, this attack can be defended effectively. (3) Input. A plethora of attacks adopt adversarial examples by adding a small perturbation to the input in order to cause the neural network to misclassify [21]. Since rational clients pay for prediction services, it is not of their interest to obtain an erroneous output. Thus, this attack does not apply in our framework.2.3 Cryptographic Tools
The proposed privacypreserved deep neural network framework, i.e., CHEETAH, employs two fundamental cryptographic tools as outlined below.
(1) Packed Homomorphic Encryption. Homomorphic Encryption (HE) is a cryptographic primitive that supports meaningful computations on encrypted data without the decryption key. It has found increasing applications in data communication, storage and computation [42]. Traditional HE operates on individual ciphertext [48], while the packed homomorphic encryption (PHE) enables packing of multiple values into a single ciphertext and performs componentwise homomorphic computation in a Single Instruction Multiple Data (SIMD) manner [3] to take the advantages of parallelism. Among various PHE techniques, our work builds on the privatekey BrakerskiFanVercauteren (BFV) scheme [9], which involves four parameters^{1}^{1}1The readers are referred to [23] for more detail.: 1) ciphertext modulus , 2) plaintext modulus , 3) number of ciphertext slots
, and 4) a Gaussian noise with a standard deviation
. The secure computation involves two parties, i.e., the client and server .In PHE, the encryption algorithm encrypts a plaintext message vector from into a ciphertext with slots. We denote and as the ciphertexts encrypted by client and server , respectively. The decryption algorithm returns the plaintext vector from the ciphertext . Computation can be performed on the ciphertext. In a general sense, an evaluation algorithm inputs several ciphertexts and outputs a ciphertext . The function is constructed by homomorphic addition (Add), multiplication (Mult) and permutation (Perm). Add(,) outputs a ciphertext which encrypts the elementwise sum of and . Mult(,) outputs a ciphertext which encrypts the elementwise multiplication of and plaintext . It is worth pointing out that CHEETAH is designed to require multiplication between a ciphertext and a plaintext only, but not the much more expensive multiplication between two ciphertexts. Perm() permutes the elements in into another ciphertext , where and is a permutation of .
The runtime complexities of Add and Mult are significantly lower than Perm. From our experiments, one Perm is 56 times slower than one Add and 34 times slower than one Mult. This observation motivates the design of CHEETAH, which completely eliminates permutations in convolution and dot product transformations, thus substantially reducing the overall computation time.
It is worth pointing out that neural networks always deal with floating point numbers while the PHE is in the integer domain. Specifically, neural networks typically use real number arithmetic, not modular arithmetic. On the other hand, direct increasing plaintext modulus in PHE increases noise budget consumption, and also decreases the initial noise budget, which causes limited Homomorphic operations. our implementation adopts the highly efficient encoding for BFV in Microsoft SEAL library [36] to establish a mapping from real numbers in neural network to plaintext elements in PHE. This makes real number arithmetic workable in PHE without data overflow. Thereafter, our design is described in floating point domain with real number input.
(2) Secret Sharing. In the secret sharing protocol, a value is shared between two parties, such that combining the two secrets yields the true value [33]. In order to additively share a secret , a random number, , is selected and two shares are created as and . Here, can be either plaintext or ciphertext. A party that wants to share a secret sends one of the shares to the other party. To reconstruct the secret, one needs to only add two shares .
While the overall idea of secret share (SS) is straightforward, creative designs are often required to enable its effective application in practice, because in many applications the two parties need to perform complex nonlinear computation on their respective shares and thus it is nontrivial to reconstruct the final result based on the computed shares. Due to this fundamental hurdle, the existing approaches discussed in Sec. 1.1 predominately chose to use GC, instead of SS, to implement the nonlinear functions. However, GC is computationally costly for large input [34, 47, 23]. Specifically, our benchmark shows that GC takes about 263 seconds to compute a nonlinear ReLu function with 3.2M input values, which is part of the VGG16 framework [39]. In this work, we propose a creative PHEbased SS for CHEETAH to implement secret nonlinear computation, which requires only round communication for each nonlinear function, thus achieving multiple orders of magnitude reduction of the computation time. For example, CHEETAH achieves a speedup of 1793 times over GAZELLE in computing the nonlinear ReLu function.
3 Design of Privacy Preserved Inference
A neural network is organized into layers. For example, CNN consists of convolutional layers and fullyconnected dense layers. Each layer includes linear transformation (i.e., weighted sum for a fullyconnected dense layer or convolution for a convolutional layer), followed by nonlinear tranformation (such as activation and pooling). All existing schemes intend to securely compute the results for linear transformation first, and then perform the nonlinear computation. Although it appears logical, such design leads to a fundamental performance bottleneck as discussed in Sec. 1. The proposed approach, CHEETAH, is based on a creative design, named joint obscure neural computing, which only computes a partial linear transformation output and uses it to complete the nonlinear transformation. It achieves several orders of magnitude speedup compared with existing schemes.
We introduce the basic idea of CHEETAH via a simple example based on a twolayer CNN (with a convolutional layer and a dense layer), which can be formulated as follows:
(3) 
where is the activation function, is the input data, is a kernel for the convolutional layer, stands for convolution and is the weight matrix for the dense layer: 0pt
Note that while we use the simple twolayer CNN to lucidly describe the main idea, CHEETAH is actually applicable to any neural networks with any layer structure and input data size. In the rest of this section, we first present CHEETAH for a Single Input Single Output (SISO) convolution layer and then discuss the cases for Multiple Input Multiple Output (MIMO) convolution and fully connected dense layers.
3.1 SISO Convolutional Layer
The process of convolution can be visualized as placing the kernels at different locations of the input data. At each location, an elementwise sum of product is computed between the kernel and corresponding data values. If the convolution of the above example, i.e., , is computed in plaintext, the result, denoted as , should include four elements, :
In the problem setting of secure MLaaS (as introduced in Sec. 2), the client owns the data , while the server owns the CNN model (including and ). The goal is to ensure that the server does not have access to and the client cannot learn the server’s model parameters. To this end, in GAZELLE, encrypts into by using HE and sends it to . In the following discussion, both server and client use privatekey BFV encryption [9]. The subscript denotes ciphertext encrypted by the client’s private key, while denotes ciphertext encrypted by the private key of server.
performs HE computation to calculate the convolution . To accelerate the computation, packed HE is employed. For example, to compute the first element of the convolution (i.e., ), a single cipheretxt can be created to contain the vector . On the other hand, a packed plaintext vector is created for . The packed HE supports the computation of elementwise multiplication between the two vectors in a single operation, yielding a single ciphertext for the vector . However, we still need to add the vector’s elements together to compute . Since the vector is in a single ciphertext, direct addition is not possible. GAZELLE uses permutation (Perm) to compute the sum [23]. However, computing the sum using Perm is costly, with the complexity of for convolution and for weighted sum in the dense layer, where , and are the output dimension, input dimension, and kernel size, respectively). From our experiments, one Perm is 56 times slower than one Add and 34 times slower than one Mult.
In this paper, we propose a novel idea to enable an incomplete (or obscure) linear transformation result to propagate to the next nonlinear transformation to continue the neural computation, thus eliminating the need for ciphertext permutations. The overall design is motivated by the doublesecret scheme for solving linear system of equations [7]. Our scheme is illustrated in Fig. 3.
(1) Packed HE Encryption. and transform the data and kernel into and , respectively, as follows:
As illustrated in Fig. 4, four convolutional blocks are computed. For example, the first convolutional block computes . The elements in each convolutional block are sequentially extracted into a packed ciphertext . Meanwhile, also transforms the kernel into according to each convolutional block. Note that the transformation is completed offline. encrypts and sends to .
(2) Permfree Secure Linear Computation. Upon receiving , performs the linear computation based on the clientencrypted data. A distinguished feature of the proposed design is to eliminate the costly permutations.
Let denote the elementwise multiplication between and . As we can see, the sum of four elements for each block in corresponds to one element of the convolution result. For example, the four elements for first block, i.e., and , correspond to . The next block (i.e., and ) correspond to , and so on and so forth.
performs Mult to obtain . The result is the clientencrypted elementwise multiplication between and . But does not intend to calculate the sum of each block to obtain the final convolution result as GAZELLE does, because it would need the costly permutations. Instead, it intends to let decrypt to compute the sum in the plaintext.
However, naively sending to the client would allow the client to obtain the neural network model information, i.e., . To this end, disturbs each element of the convolution result with a randomly multiplicative blinding factor. Specifically, pregenerates a pair of random numbers that satisfy , for each th tobesummed block in , where in this example.
constructs the following vector by using :
which will be used to scramble by multiplying it with before it is sent to . Note that, as each individual in the th fourelement block is multiplied with the same factor (since are repeated four times in ), it would leak the relative magnitude among those four elements in each block. To this end, further constructs a zerosum vector as follows:
where are random numbers subject to . The zerosum strategy has been adopted in the classic privacypreserving data aggregation [37], where a secret key is distributed based on zero sum of random noise.
At the same time, uses to create the following vectors:
where is a pair of polar indicator,
(4) 
encrypts and by using packed HE. The encrypted values, i.e., and , will be sent to for the nonlinear computation as to be discussed later. Note that, and can be transmitted to offline, as and are pregenerated by .
Now, let us put all pieces together for the secure computation of convolution: encrypts and sends to . precomputes in plaintext and then multiplies the result with to obtain . As we can see, the th convolution element (which corresponds to the sum of th fourelement block in ) is actually multiplied with a random number . Finally, adds the zerosum vector by Add. In this way, disturbs each element of convolution result (the sum of four elements in each block) while disturbs each individual element in the convolutional block.
Next, we will show that, although the convolution result is not explicitly calculated, the partial (obscure) result, i.e., , is sufficient to compute the nonlinear transformation (e.g., activation and pooling).
(3) PHEbased Secret Share for NonLinear Transformation. sends , and to (note that and are transmitted to offline).
decrypts and sums up each fourelement block in plaintext, yielding . It is not difficult to show that is times of the true convolution, i.e., .
If had the true convolution outcome, i.e., , it would compute the ReLu function as follows:
(5) 
However, only has . Since is a random number that could be positive or negative, it is infeasible to obtain correct activation directly. Instead, computes
(6) 
We can show that the above calculation essentially recovers the serverencrypted true ReLu function outcome, i.e., . Since , may yield four possible outputs, depending on the signs of and .
(7) 
For example, when and , we have according to Eq. (4) and thus . On the other hand, . Since , we have . Note that we have chosen . Therefore, Eq. (6) should yield . This is clearly the serverencrypted ReLu output. Similarly, we can examine other cases of and in Eq. (7) and show that Eq. (6) always produce the serverencrypted ReLu outcome.
Eqs. (6) and (7) are created for ReLu function only. Similar design can be developed for other activation functions as shown in the Appendix A.
Subsequently, creates a ReLu share and computes the server’s share as Add. sends it along with (i.e., the clientencrypted share , which can be pregenerated by ) to .
decrypts to obtain a share of the plaintext activation result, i.e., . It then computes Add to obtain , i.e., the clientencrypted true nonlinear transformation result. Note that, the random share has been canceled in this HE addition.
Till now, the computation of the current layer (including linear convolution and nonlinear activation) is completed. The output of this layer (i.e., ) will serve as the input for the next layer. If the next layer is still convolution, the server simply repeats the above process. Otherwise, if the next is a fullyconnected dense layer, a similar approach can be taken as to be discussed in Sec. 3.3.
Note that some CNN models employ pooling after activation to reduce its dimensionality. For example, mean pooling takes the activations as the input, which is divided into a number of regions. The averaged value of each region is used to represent that region. Both and can respectively average their activation shares (i.e., and ) to obtain the share of mean pooling. Meanwhile, a similar scheme can be applied if the bias is included.
3.2 MIMO Convolutional Layer
The above SISO method can be readily extended to MIMO convolutional layer in order to process multiple inputs simultaneously. Assume there are input data (i.e., ). Let be the number of input data that can be packed into one ciphertext. Recall that each must be transformed to as discussed in Sec. 3.1. Let denote the number of kernels and the size of each kernel. After transformation, the size of is times of the original . Therefore, each ciphertext can hold such transformed input data. Accordingly, the input data are transformed and encrypted into ciphertexts.
The remaining process for linear and nonlinear computation is similar to SISO, except that the computation on a ciphertext actually calculates multiple input data simultaneously and that the convolution of all input ciphertexts based on one kernel are combined into one output ciphertext, yielding a total of output ciphertexts. MIMO is obviously more efficient in processing batches of input data.
3.3 Fullyconnected Dense Layer
In a fullyconnected dense layer, uses the output of the previous layer (i.e., ) to compute the weighted sum. Take the simple twolayer CNN as an example, the weighted sum computes
The computation of and is intrinsically the same as the computation of each convolution element (i.e., ) as discussed above.
3.4 Complexity Analysis
In this subsection, we analyze the computation and communication cost of CHEETAH and compare it with other schemes.
(1) Computation Complexity. The analysis of the computation complexity focuses on the number of ciphertext permutations (Perm), multiplications (Mult), and additions (Add). The notations to be used in the analysis are summarized as follows:

is the number of slots in a ciphertext.

is the ciphertext space.

is the number of bits of a ciphertext.

is the input dimension of a fully connected layer.

is the output dimension of a fully connected layer.

is the kernel size.

is the number of input data (channels) in MIMO.

is the number of kernels or the number of output feature maps in MIMO.

is the number of input data that can be packed into one ciphertext.
In SISO, recall that a ciphertext is firstly sent to . conducts one ciphertext multiplication and addition to get . Then receives , performs the decryption, and gets the summed convolution in plaintext, which is followed by 2 multiplications and 1 addition to get the encrypted ReLu, according to Eq. 6. Finally, does another addition namely Add to generate ’s ReLu share. finaly recovers the encrypted nonlinear result with another addition. Therefore, total 3 multiplications and 4 additions are required in SISO. The complexity is .
In MIMO, sends ciphertexts. Then performs Mult and Add to get an incomplete ciphertext for each of kernels. After that, each of incomplete ciphertext is added with zerosum vector by one addition. Then sends those cipheretxts to , which decrypts them and obtain output features, creating plaintext. Based on Eq. (6), gets the encrypted ReLu with multiplications and additions, because each of plaintext associates with multiplications and 1 addition. Finally, performs another addition on each of ReLu ciphertexts to generate the ReLu share for . then gets its ReLu share by decryption and recovers the nonlinear result by Add. Therefore, MIMO needs multiplications and additions, both with the complexity of .
In a fullyconnected (FC) dense layer, conducts multiplications to get intermediate ciphertext, where is usually much larger than and . After that, the zerosum vector is added on each of intermediate ciphertext to form ^{2}^{2}2The structure of is similar with . which is sent to . does the decryption and gets the summed result in plaintext. Then calculates the encrypted ReLu with 2 multiplications and 1 addition by Eq. (6). Finally, one addition is performed to generate the ReLu share for , and needs another Add to recover the encrypted nonlinear result. So the FC layer needs multiplications and additions, resulting in the complexity of .
Table II compares the computation complexity between CHEETAH and other schemes. Specifically, In the SISO case, CHEETAH has a constant complexity without permutation while GAZELLE has the complexity . In the MIMO case, GAZELLE has two traditional options for permutation, i.e., Input Rotation (IR) and Output Rotation (OR) [23]. CHEETAH eliminates the expensive permutation without incurring more multiplications and additions, thus yielding a considerable gain. In the FC layer, we compare CHEETAH with a naive method in [23] (the baseline of GAZELLE), HaleviShoup (HS) [17] and GAZELLE. Through the obscure matrix calculation, obscure HE and secret share, CHEETAH further reduces the complexity of addition by compared to GAZELLE. In particular, is usually much larger than , which makes this reduction significant. It is worth pointing out that CHEETAH completes both the linear and nonlinear operations with the above complexity while the existing schemes such as GAZELLE only finish the linear operation.
Layer Type  Methodology  Perm  Mult  Add  Communication (bits) 

SISO  GAZELLE  
CHEETAH  
MIMO  IR[23]    
OR[23]  
CHEETAH  
FC  Naive method[23]    
HS[17]    
GAZELLE  
CHEETAH  0 
(2) Communication Complexity. In the SISO case, CHEETAH has two transmissions: 1) sends the encrypted data to ; 2) sends to . Thus the communication cost is bits. Note that the third transmission in Fig. 4 where sends the encrypted ReLu share to is the beginning of the next layer.
Similarly, in MIMO, the two transmissions are 1) sends ciphertexts for input images; 2) sends cipheretexts for kernels. Note that, in the first transmission, ciphertexts are transmitted at the first convolutional layer while only ciphertexts are needed in other layers. This is because the size of encrypted ReLu will not be changed. In the second transmission, since can simultaneously send each of cipheretexts after each calculation, the actual communication cost is on transmiting the last one of ciphertexts. Thus, the communication cost is bits.
In the FC layer, the two transmissions are 1) sends an input ciphertext; 2) sends cipheretexts. As each of cipheretexts can be simultaneously transmitted after each calculation, the actual communication cost is the last one of ciphertexts. The total cost is thus bits.
Table II also compares the communication costs between CHEETAH and GAZELLE. We can see that through the obscure matrix calculation, obscure HE and secret share, CHEETAH completes the convolution and FC layers with a smaller communication cost while GAZELLE needs expensive GC for nonlinear functions, resulting in a much higher communication cost.
4 Security Analysis
We prove the security of CHEETAH using the simulation approach [15]. As discussed in Sec. 2, the semihonest adversary can compromise any one of the client or server, but not both (i.e., the client and server do not collude). Here, security means that the adversary only learns the inputs from the party that it has compromised, but nothing else beyond that. It is modeled by two interactions: first, an interaction in the real world where parties follow the protocol in the presence of an adversary , and the environment machine which chooses the inputs to the parties; second, an ideal interaction that parties forward their inputs to a trusted functionality machine . To prove security, the goal is to demonstrate that no environment can distinguish the real and ideal interactions. In other words, we want to show that the realworld simulator achieves the same effect in the ideal interaction. The proofs are sketched in the following^{3}^{3}3Since SISO and MIMO only differ in the number of transmitted ciphertext, it is sufficient to demonstrate the security of SISO. The proof is for convolutional kernels and the same follows for dot products. .
(1) Security against a semihonest client. We define a simulator that simulates an admissible adversary which has compromised the client in the real world. conducts the following: 1) receives the transformed input data from the environment , transmits it to and obtains the convolution result , an encrypted ReLu and ReLu (pooling) share ; 2) constructs a ciphertext and sends to ; 3) receives the ciphertext from , decrypts it, performs summation; 4) receives encrypted polar indicator pair, and , from and calculates encrypted ReLu by Eq. (6); 5) randomly generates ReLu (pooling) share and sends to , where is the true convolution of .
Here the view of that simulates in the ideal world is the convolution result , an encrypted ReLu and ReLu (or pooling) share from , while ’s view in the real execution is the convolution result of , another encrypted ReLu for and the ReLu (pooling) share . The above is secure against the semihonest client: 1) the randomness of and in and makes the two convolution results from ideal and real worlds indistinguishable; 2) the privatekey HE is semantically secure [9] so the two encrypted ReLu in ideal and real worlds are also indistinguishable from ; 3) the ReLu (pooling) shares, and , are uniformly random, thus they are not distinguishable. In summary, the output distribution of in the ideal world is indistinguishable from that in the real world.
(2) Security against a semihonest server. Similarly, we construct a simulator, , to emulate an admissible adversary which has compromised the server in the real world. acts as follows: 1) receives the transformed kernel and zerosum vector from , sends it to and obtains the encrypted partial convolution and the ReLu (pooling) share; 2) constructs a transformed kernel, zerosum vector and blinding vector as , and (corresponding to in section 3.1); 3) receives the encrypted input data from , calculates the encrypted partial convolution and sends it to ; 4) constructs the polar indicator pair and , and sends them to ; 5) receives the ReLu (pooling) share and decrypts it to get .
Here the view of that simulates in the ideal world is the encrypted partial convolution and the ReLu (pooling) share from , while the ’s view in the real world is another encrypted partial convolution and the ReLu (pooling) share . First, because the privatekey HE [9] is semantically secure, the encrypted partial convolution from and are indistinguishable from ; Second, the uniformly random at makes the ReLu (pooling) share from and not distinguishable. So the output distribution of in the ideal world is indistinguishable from that in the real world.
5 Performance Evaluation
We implement CHEETAH with C++ based on Microsoft SEAL Library [36], and compare it with the best existing scheme, GAZELLE^{4}^{4}4Available at: https://github.com/chiraag/gazelle_mpc. We use two workstations as the client and server. Both machines run Ubuntu with Intel i78700 3.2GHz CPU with 12 cores and 16 GB RAM. The network link between them is a Gigabit Ethernet. Recall that the four parameters in BFV scheme are: 1) ciphertext modulus ; 2) plaintext modulus ; 3) number of ciphertext slots and 4) a Gaussian noise with a standard deviation . A larger tolerates more noise. We set to be a 20bit number and to be a 60bit psuedoMersenne prime. The number of slots for the packed encryption is set to 10,000.
5.1 Componentwise Benchmark
We first examine the performance of each functional component including Conv, FC and ReLu.
Convolution Benchmark. We define the time of the convolution operation as the duration between receives the encrypted data or secret share from the previous layer (e.g., ReLu) till completes the convolution computation, just before sending the (partial) convolution results to . It does not contain the communication time between and , such as transmitting the (partial) convolution results to , or secret share to , or in the case of GAZELLE, the time for the HE to GC transformation between and for fair comparison. All such communication time is accounted in ReLu and pooling discussed later.
Table III benchmarks the convolution with different input and kernel sizes. The ‘In_rot’ and ‘Out_rot’ indicate two GAZELLE variants with the input or output rotation, from which, one of them has to be used for convolution (see [23] for details). From Table III, CHEETAH significantly outperforms GAZELLE. E.g., with the kernel size , both the GAZELLE In_rot and Out_rot variants need more than 25 Mult, 24 Add and 24 Perm operations to yield the result of convolution. In contrast, CHEETAH needs only 5 Mult and 5 Add operations, one for each kernel, to obtain the (partial) convolution results. Those results are then sent to for computing ReLu (to be discussed). Overall, CHEETAH accomplishes a speedup of and times compared with the GAZELLE In_rot and Out_rot variants, respectively, for the case with the kernel size and input data size .


Algorithm 

Speedup  

2828@1  55@5  In_rot  7.4  247  
Out_rot  6.2  207  
CHEETAH  0.03  
1616@128  11@2  In_rot  21.4  306  
Out_rot  4.65  66  
CHEETAH  0.07  
3232@2  33@1  In_rot  2.3  115  
Out_rot  1.94  97  
CHEETAH  0.02 
Fig. 5 illustrates the speedup and communication cost vs. the kernel size . Large kernel sizes have large receptive fields, thus capable of learning more information.^{5}^{5}5Classic structures such as VGG16 cascade multiple small kernels to realize the same functionality of a large one. CHEETAH offers more boost for large kernels, and achieves an average of (see Fig. 5(c)) to (as shown in Fig. 5(a)) speedup, with a slight exception when . This is because with a larger kernel, GAZELLE conducts more expensive Permutations for the final convolutional results. When the kernel is sufficiently large, this speedup is offset by other computations hence the curve turns flat. This is reasonable since large kernels (e.g. ) are not desired in practice due to their heavy computations even in plaintext. Fig. 5(d) compares the communication cost (the size of the data sent to ). For clarity, we sequentially denote the three rows of system configurations in Table III as R1, R2 and R3. As can be seen, CHEETAH reduces the communication cost by , and times for R1, R2 and R3, respectively.
FC Benchmark. Table IV compares the time for the weighted sum function in an FC layer (matrixvector multiplication and nonlinear ReLu) for various input and output dimensions. The speedup of CHEETAH over GAZELLE is rather impressive, from about to over times, thanks to the cost savings from elimination of permutation. For example, when is , the input is a column vector with a size of 2048 which can be packed into one ciphertext. GAZELLE first conducts the Mult between the input and the weight matrix. As there are 2048 chunks with , it then performs Perm and Add to compute the weighted sum. On the other hand, CHEETAH needs only one Mult and one Add, without the Perm. The results are packed into one ciphertext, sent to
Comments
There are no comments yet.