Private Speech Characterization with Secure Multiparty Computation

Deep learning in audio signal processing, such as human voice audio signal classification, is a rich application area of machine learning. Legitimate use cases include voice authentication, gunfire detection, and emotion recognition. While there are clear advantages to automated human speech classification, application developers can gain knowledge beyond the professed scope from unprotected audio signal processing. In this paper we propose the first privacy-preserving solution for deep learning-based audio classification that is provably secure. Our approach, which is based on Secure Multiparty Computation, allows to classify a speech signal of one party (Alice) with a deep neural network of another party (Bob) without Bob ever seeing Alice's speech signal in an unencrypted manner. As threat models, we consider both passive security, i.e. with semi-honest parties who follow the instructions of the cryptographic protocols, as well as active security, i.e. with malicious parties who deviate from the protocols. We evaluate the efficiency-security-accuracy trade-off of the proposed solution in a use case for privacy-preserving emotion detection from speech with a convolutional neural network. In the semi-honest case we can classify a speech signal in under 0.3 sec; in the malicious case it takes ∼1.6 sec. In both cases there is no leakage of information, and we achieve classification accuracies that are the same as when computations are done on unencrypted data.



There are no comments yet.


page 1

page 2

page 3

page 4


Privacy-Preserving Video Classification with Convolutional Neural Networks

Many video classification applications require access to personal data, ...

MPC-enabled Privacy-Preserving Neural Network Training against Malicious Attack

In the past decades, the application of secure multiparty computation (M...

Outsourcing Private Machine Learning via Lightweight Secure Arithmetic Computation

In several settings of practical interest, two parties seek to collabora...

Fast Privacy-Preserving Text Classification based on Secure Multiparty Computation

We propose a privacy-preserving Naive Bayes classifier and apply it to t...

POSEIDON: Privacy-Preserving Federated Neural Network Learning

In this paper, we address the problem of privacy-preserving training and...

Introducing a Novel Data over Voice Technique for Secure Voice Communication

The current increasing need for privacy-preserving voice communications ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Speech technology is becoming increasingly prevalent and intrusive nautsch2019preserving . Speech data, i.e. recordings of human speech, are automatically classified for various purposes, extending from user authentication, to control of services and devices, surveillance, and marketing. The developing prevalence of speech audio processing technology stems from the ever-increasing demand of devices and programs that are “always-listening” – such as smartphones, televisions, and intelligent digital voice assistants – and the technological improvements in speech technology. Beyond applications that aim to automatically classify speakers or speech, e.g. for authentication or for emotion detection, respectively, there are countless interesting sound classification tasks222See e.g. the IEEE AASP Challenge on Detection and Classification of Acoustic Scenes and Events, that may include speech audio processing. These include gunfire detection in surveillance, cough sensing in healthcare, and noise mitigation enabled by smart acoustic sensor networks mydlarz2017implementation ; salamon2017deep .

While there are apparent benefits to automated speech audio signal recognition,333See the Interspeech Computational Paralinguistics Challenges for an overview of applications: application developers can gain knowledge beyond the professed scope from unprotected audio signals. A wealth of personal data can be extracted from speech audio signals, including age and gender, health and emotional state, racial or ethnic origin, geographical background, social identity, and socio-economic status tomashenkovoiceprivacy . As stated in the recent survey paper by Nautsch et al., the continued success of speech technologies hinges upon the development of reliable and efficient privacy-preservation capabilities, specifically designed for the automatic processing of speech signals nautsch2019preserving . Efforts to safeguard the privacy of users in data driven applications are underway along at least three dimensions: (1) by laws and regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA); (2) by anonymization techniques that aim to suppress personally identifiable information in data444A nice example is the VoicePrivacy Challenge:
; and (3) by protecting sensitive data through encryption.

In this paper, we focus on the latter, using techniques from Secure Multiparty Computation (MPC). MPC is an umbrella term for cryptographic approaches that allow two or more parties to jointly compute a specified output from their private information in a distributed fashion, without actually revealing the private information to each other CDN2015 . As illustrated in Figure 1, speech classification is inherently a two-party computation (2PC) problem, where one party – nicknamed Alice henceforth – has a speech signal or sound fragment that needs to be classified, and another party – nicknamed Bob – has a machine learning (ML) classifier that can be used to this end. Similar to how Alice does not want to disclose her speech data to Bob, Bob may not want to disclose his ML model to Alice for a variety of reasons. ML models can be expensive to train and usually constitute a competitive advantage. For example, as reported by Dalskov et al. dalskov2019secure , the network by Yang et al. yang2019xlnet costs between $61,000 and $250,000 to train peng2019 . Furthermore, deep learning models are powerful enough to memorize specific examples from the training data carlini2019secret , hence disclosing a trained model can leak very specific information about the training data, which might be sensitive in itself. Finally, disclosing the trained ML model increases the likelihood that adversaries can develop successful evasion attacks. In the context of speaker or speech characterization, such attacks could consist of altering speech signals to bypass speaker verification systems or to bypass classifiers that detect “fake speech”, i.e. that detect the use of speech synthesis tools for malicious purposes such as spreading misinformation, harassment and intimidation aaai2020fakespeech .

MPC allows oblivious speech classification through computations over encrypted data. In this way, Alice can classify her speech signal using Bob’s model, without Alice revealing her speech signal to anyone in plaintext, and without Bob disclosing his ML model to anyone in-the-clear, i.e. without encryption. To this end, Alice and Bob engage in computations, and they exchange intermediate encrypted results by communicating with each other. At the end of the oblivious speech classification protocol, Alice and Bob each have “shares” of the inferred class label (e.g. the emotion state of Alice). The true class label is revealed only when these shares are combined, e.g. when, depending on the application, (1) Bob sends his shares to Alice, or (2) Alice sends his shares to Bob, or (3) both Alice and Bob send their shares to a third party, like a health care provider who might need to be informed when Alice is not doing well.

Figure 1: Oblivious speech classification as a two-party computation (2PC) problem in the dishonest majority setting (Section 3.2.2)

MPC has already been used for speaker and speech recognition with hidden Markov models (HMMs) and Gaussian mixture models (GMMs)

smaragdis2007framework ; pathak2013privacy ; pathak2012privacy ; portelo2014privacy . While HMMs and GMMs were popular techniques for speech classification in the 1980s and 1990s, more recently deep learning has emerged as a state-of-the-art technique in this field. To the best of our knowledge, MPC-based secure classification of speech with deep neural networks has never been studied. It is this gap in the literature, which is also called out by Nautsch et al. nautsch2019preserving , that we fill in this paper.

Several kinds of neural network architectures can be used for speech classification. As cryptographic methods are known to result in significant increases to computational complexity and/or communication overheads tomashenkovoiceprivacy

, we choose convolutional neural networks (CNNs), which are computationally less intensive than for instance long short-term memory networks (LSTMs), even without encryption. To the best of our knowledge, all existing work on MPC-based classification with CNNs is developed for and focused on 2-dimensional CNNs, which are commonly used for classification of images. Speech on the other hand can, like text, be most naturally thought of as a 1-dimensional input. In addition to being the first work on provably secure speech classification using CNNs, this paper is also the first on MPC-based privacy-preserving classification with 1-dimensional CNNs.

After describing the relationships between this paper and existing work in Section 2, in Section 3 we present details about the proposed methods. These include the pre-processing of the audio and the proposed MPC-friendly neural network architecture, a description of the security settings, and MPC-based protocols for secure classification with 1-dimensional CNNs. We implemented our approach on top of the MP-SPDZ framework MP-SPDZ . In Section 4, we present accuracy and runtime results on the RAVDESS benchmark data set livingstone2018ryerson for emotion detection from speech. In the active security setting, i.e. with malicious adversaries that may deviate from the protocol, a speech signal is classified in 1.6 sec. In the passive security setting, i.e. with semi-honest adversaries that adhere to the protocol instructions but try to learn additional information, we can classify a speech signal in 0.26 sec. The accuracy in both cases is 96.6%, which is the same as the accuracy of performing speech classification in-the-clear. In other words, there is no accuracy loss. Furthermore, our approach is provably secure: nobody other than Alice learns anything about her speech signal, and nobody other than Bob learns anything about his model parameters. As we highlight in Section 5, these results answer a question that has remained open in the literature thus far, namely to what extent MPC-based protocols can enable provably secure and highly accurate real-time speech recognition.

2 Related work

We refer to the work of Nautsch et al. nautsch2019preserving for an excellent and comprehensive survey of existing work on privacy-preserving speaker and speech characterization. Below we focus on what is most relevant for our work, namely (1) existing approaches to speech classification that are based on MPC, and (2) existing work on secure inference with a trained deep learning model based on MPC, for applications other than speech or speaker characterization. To the best of our knowledge, none of the existing work in category (1) is based on deep learning, while none of the existing work in (2) has been applied to 1-dimensional CNNs in general, or to speech classification in specific. This is the gap we close in our work.

(1) MPC-based speech classification. In the clear, i.e. without concern for user privacy, there are several successful ML approaches for speech classification. Well-known ML work horses that gained popularity in the 1980s and 1990s are hidden Markov models (HMMs) and Gaussian mixture models (GMMs). The earliest work on privacy-preserving speech classification based on MPC focused on the design of cryptographic protocols to make training and inference with HMMs and GMMs secure in the semi-honest setting smaragdis2007framework ; pathak2013privacy ; pathak2012privacy . These early approaches were based on homomorphic encryption (HE) and slow because of the large computation costs. Portêlo et al. substantially improved upon this computational cost by using Garbled Circuits (GC) instead of HE, in a GMM based protocol specifically for speaker verification, i.e. voice based authentication portelo2014privacy .

While up until a decade ago, HMM used to be popular for speech processing and audio classification, more recently deep learning has been acknowledged as a state-of-the-art ML approach in this field trigeorgis2016adieu ; milde2015using . The CNN approach that we follow in this paper adheres to the latter.

(2) MPC-based classification with CNNs. The problem of doing privacy-preserving inference with trained neural networks has received a lot of attention in the literature recently, and a variety of MPC-based approaches and frameworks have been proposed. Most of these, including MiniONN liu2017oblivious , SecureML mohassel2017secureml , DeepSecure rouhani2018deepsecure , Chameleon riazi2018chameleon , Gazelle juvekar2018gazelle , Quotient agrawal2019quotient , XONN riazi2019xonn , and Delphi mishra2020delphi , are limited to the semi-honest security setting, i.e. they guarantee that no information is leaked as long as the parties honestly execute the protocols. CrypTFlow kumar2020cryptflow , based in part on SecureNN wagh2019securenn , is an interesting recent addition to the growing body of MPC-based secure inference frameworks. In addition to the semi-honest case, CrypTFlow also guarantees security in the malicious case, where parties may deviate arbitrarily from the protocols. To this end, CrypTFlow uses a combination of cryptographic techniques and secure hardware (Intel SGX). To the best of our knowledge, SecureQ8 dalskov2019secure is the only work so far on MPC-based secure inference with trained CNNs in both the semi-honest and malicious case that does not require special secure hardware. In this paper, we adapt the work that was done in SecureQ8 for 2-dimensional CNNs (image classification) to 1-dimensional CNNs (speech classification).

For completeness, we mention the research by Dias et al. dias2018exploring and Teixeira et al. teixeira2019privacy who combine neural networks with (leveled) fully homomorphic encryption (FHE) for privacy-preserving detection of emotion and of voice-affecting diseases such as a cold, a depression, and Parkinson’s disease. The main difference between their work, which builds on Cryptonets gilad2016cryptonets , and ours, is that in dias2018exploring ; teixeira2019privacy

, Alice encrypts her input feature vector and sends it to Bob, who uses FHE to perform computations over the encrypted data, while in our MPC approach both Alice and Bob perform computations. FHE comes with lower communication costs than MPC, at the expense of substantially higher computation costs. Since FHE-based secure neural network inference relies on approximating operations by polynomials, there is a degradation in accuracy. In our MPC based approach for secure CNN inference, there is no accuracy loss. Dias et al. 


use a multi-layer perceptron (MLP) with two hidden layers (no convolutional layers) that achieves a

80% accuracy for a binary classification task of labeling recordings as neutral or angry when no encryption is used. Our MPC-based CNN approach has 96.6% accuracy for a multi-class classification with eight emotion labels. Based on runtime results reported in gilad2016cryptonets , in addition to being more accurate, the approach that we propose in this paper is faster than the approach of Dias et al. dias2018exploring

, even for active security (i.e. malicious parties), and an estimated two orders of magnitude faster for passive security (i.e. semi-honest parties).

3 Methods

Our approach for private speech characterization consists of two phases: first the ML model training is done by Bob in the clear, i.e. on training data that is not encrypted (see Section 3.1), then the inference with the trained model is performed securely using a MPC-based solution (see Section 3.2). In the secure inference steps, all computations are done over encrypted data and model parameters, meaning that Alice does not learn anything about Bob’s model weights or training examples, while Bob does not learn anything about Alice’s speech signal.

3.1 Data preprocessing and neural network architecture

3.1.1 Data preprocessing and feature extraction

Our assumption is that Bob has a set of audio files (speech signals) that are each annotated with a label, and he uses these to train an ML model that can assign a correct label to a previously unseen audio file (Alice’s input). It is common in speech processing for classifiers to work on features extracted from the speech signal as opposed to on the raw speech signal itself. These features and the software to extract them are widely known and publicly available. It is for example very common to convert a speech signal into a sequence of feature vectors of mel-frequency cepstral coefficients (MFCC)

davis1980comparison that are extracted from sliding windows of consecutive speech. We assume that Bob converts each audio file from his training data into a sequence of feature vectors, each of length , and subsequently averages them to obtain one feature vector of length per audio file. Similarly, Alice converts her speech signal into a sequence of vectors of MFCC coefficients, averages them, and uses the resulting feature vector of length as her input to the protocol for speech classification (see Figure 1). As we demonstrate in Section 4, we can train highly accurate ML models for speech classification based on these extracted feature vectors. That in itself is clear evidence that the feature vectors contain meaningful, private information that needs to be kept private during inference, as we do with the technique described in Section 3.2.

3.1.2 MPC-friendly CNN model architecture

We propose the use of a standard, MPC-friendly CNN model architecture. By “MPC-friendly” we mean that the operations to be performed when doing inference with the trained CNN are chosen purposefully among operations for which efficient MPC protocols exist. A standard CNN contains one or more blocks that each have a convolutional layer, followed by an activation layer, and an optional pooling layer.

The difference between the more commonly used 2-dimensional CNNs on one hand, and the 1-dimensional CNNs that we use in this paper, is that in a 1-dimensional CNN, convolutional operations are performed across one dimension. In 2-dimensional CNNs, the shape of the input of a convolutional layer is defined in terms of its height H, width M, and number of channels D. In a 1-dimensional CNN, the height is always 1, hence the input is a D M matrix, as illustrated in Figure 2. A convolutional layer is defined by F filters (kernels), each of size D L, with L the width of the filters. In addition, for each filter , , the convolutional layer contains a bias term . The values of the weights in the filters and the bias are, as usual, learned during training. The output produced by a convolutional layer with F filters of width L, when applied to an input of size D M, is a matrix of size F M, which is computed as:

for  to F
xxxx for  to M

In this pseudocode, denotes the submatrix of that consists of column through column of ,555

We assume a stride of 1, and zero padding, which means that

columns with 0s are appended to to avoid the index from running out of bounds. while denotes the Frobenius inner product (a generalization to matrices of the dot product of vectors). The computation of the th row of is illustrated in Figure 2. In privacy-preserving speech classification, the input into the first convolutional layer is known to Alice, while the values of and are known to Bob. We address in Section 3.2 how in this case can be computed, and subsequent CNN operations can be performed, without the need for Alice to disclose and without the need for Bob to disclose and .

Figure 2: Illustration of 1-dimensional convolution

As the activation function in the convolutional blocks, we choose the RELU function

, which means that all negative values are mapped to

. For the pooling layer, we select average pooling instead of max pooling, because in an MPC setting additions and division by a publicly known constant (as is needed to compute an average) are computationally less expensive than performing comparisons (which would be needed to find a maximum). Applying RELU and average pooling with size 2 to the output in Figure

2 would yield .

The stacked convolutional blocks are followed by a dense layer, the application of which comes down to a product of two matrices. The activation function on the final layer is typically a logistic function (for binary classification problems) or a softmax operation (for multi-class classification problems). The output of the softmax operation is a probability for each of the possible class labels; the label with the highest probability is returned as the final result. While the use of a softmax function is important during training, we note that during inference it can be replaced by an argmax function. Indeed, the softmax operation does not change the ordering among the logits, i.e. the values that are passed into it from the previous layer. Argmax is computationally much less expensive to compute in a privacy-preserving manner. Finally, any dropout layers that are used to improve the training process, are omitted during inference, which means that we do not need to include MPC-based protocols for these layers when doing secure inference (see Section

3.2). We refer to Section 4 for more details about the exact CNN architecture that we used in our experiments.

3.2 Privacy-preserving inference with a 1-dimensional CNN

After giving a high level overview in Section 3.2.1 of the security settings that we consider, we recall the principles of MPC based on secret sharing in Sections 3.2.2 and 3.2.3, and the particular MPC schemes that we use in this paper. This includes an explanation of how Alice and Bob can perform additions and multiplications on integers even if they only have so-called shares of the integers instead of the actual values. Since in speech classification, Alice’s MFCC feature values and Bob’s model parameters are real numbers, in Section 3.2.4 we explain how Alice and Bob use techniques from quantization of neural networks to convert their floating-point data into integers before they execute the MPC protocols. Next we explain in Section 3.2.5 how Alice and Bob can use an MPC scheme to perform privacy-preserving speech classification.

3.2.1 Security settings

There exist a variety of MPC schemes, designed for different numbers of participants and offering various levels of security that correspond to different threat models. In the scenario of privacy-preserving speech classification that we consider in this work, there are two participants, Alice and Bob, and one of them may be corrupted. When Alice and Bob execute a secure MPC protocol between themselves to perform the privacy-preserving speech classification, as illustrated in Figure 1, one corrupted party means that we are in the so-called scenario of dishonest majority. In general, a dishonest majority setting is one where an adversary can corrupt a fraction of the protocol participants that is equal to or greater than 1/2. In our two-party computation (2PC) setting this means that each party can only trust itself and assumes that the other party may be corrupted. We describe the MPC protocols that we use for the dishonenst majority setting in Section 3.2.2.

Figure 3: Oblivious speech classification as a three-party computation (3PC) problem in the honest majority setting (Section 3.2.3). Alice and Bob outsource the computations to 3 servers.

MPC protocols in the dishonest majority setting such as the 2PC scenario from Figure 1 are much more computationally expensive than protocols in an honest majority setting, i.e. when more than half of the protocol participants are honest. Therefore, many works on privacy-preserving inference have considered the setting in which Alice and Bob outsource the secure computations to a set of 3 or more servers, of which a majority is assumed to honest (e.g., dalskov2019secure ; riazi2018chameleon ; kumar2020cryptflow ; wagh2019securenn ). In this work we also evaluate the performance of privacy-preserving speech classification in the scenario in which Alice and Bob outsource the secure classification to 3 servers (three-party computation, 3PC), one of which can be corrupted. The protocols that we use for this scenario, which is illustrated in Figure 3, are described in Section 3.2.3.

Furthermore, a party can be corrupted in different ways. In the passive security setting (also known as semi-honest or honest-but-curious adversaries), the corrupted parties follow the specified protocol instructions, but they may try to learn additional information (i.e., information other than what can be inferred from their specified inputs and outputs) from the messages exchanged during the protocol execution. Secure MPC protocols prevent such information leakage. In the active security setting (also known as malicious adversaries), the parties may deviate from the protocol instructions in arbitrary ways, for instance by providing incorrect values on purpose. In this case, secure MPC protocols should prevent information leakage and detect devious behavior. Protection against such a stronger threat model comes at a higher computational cost.

In this paper, we evaluate multiple MPC schemes and their efficiency-security-accuracy trade-off for privacy-preserving speech classification.

3.2.2 Secret sharing-based MPC for dishonest majority

In the MPC schemes that we use, all computations are done on integers, modulo an integer . The modulo

is a hyperparameter that defines the algebraic structure in which the computations are done, which in turn has a direct effect on the efficiency of the MPC protocols for different tasks. In Section

4, we evaluate MPC schemes where is a prime number as well as where is a power of 2.

Furthermore, all MPC schemes for the dishonest majority scenario that we use are based on additive sharing. A value in is secret shared between Alice and Bob by picking uniformly random values such that


Equation (2) expresses that and are additive shares of (which are delivered to Alice and Bob, respectively). Note that no information about the secret value is revealed by any of the individual shares or , but the secret shared value can be trivially revealed by combining both shares. As we explain below, the parties Alice and Bob can jointly perform computations on numbers by performing computations on their own shares, without the parties learning the values of the numbers themselves.666We often omit the modular notation for conciseness.

Passive security. For protocols in the passive security setting, we use as a shorthand for a secret sharing of , i.e. . Given secret shared values and , and a constant , Alice and Bob can jointly perform the following operations, each by doing only local computations on their own shares:

  • Addition of a constant (): Alice and Bob compute . Note that Alice adds to her share , while Bob keeps the same share . This operation will be denoted by .

  • Addition (): Alice and Bob compute by adding their local shares of and . This operation will be denoted by .

  • Multiplication by a constant (): Alice and Bob compute by multiplying their local shares of by . This operation will be denoted by .

The basic operation that is missing in the list above is the multiplication of secret shared values and . This is done using a so called multiplication triple Beavertriple , which is a triple of secret shared values , , , such that and are uniformly random values in and . We explain later on how Alice and Bob obtain such multiplication triples from an offline phase. Given that they have a multiplication triple, Alice and Bob can compute and , and, in a communication step, open and by disclosing their respective shares of and to each other. Next, they can compute , which is equal to . Each multiplication requires a fresh multiplication triple; generating sufficient multiplication triples contributes substantially to the computational cost of MPC protocols. This secure multiplication protocol can be generalized for the multiplication of element-wise secret shared matrices (for efficiency gains) using matrix multiplication triples, and keeps its security even when composed with other arbitrary building blocks IEEETDSC:CDHK+17 ; Dowsley16 .

Active security. In the case of active security, the main idea to prevent the players from cheating is to use a Message Authentication Code (MAC). We focus first on the case of a prime field , with a prime number. To verify the correctness of the computations, Alice and Bob each have a share of a fixed MAC key , i.e. Alice has and Bob has such that . When a value is secret shared between Alice and Bob, they also get shares and , respectively, of a MAC such that


Equation (3) is the so-called MAC relation. If at any point Alice and Bob need to open a secret shared number, i.e. make its value known, then Alice first reveals to Bob, while Bob reveals to Alice, so that they both can compute . Next, to verify that the MAC relation holds, Alice commits the value of while Bob commits the value of , and they subsequently reveal these values to each other so that they can both verify that they add up to 0. The purpose of the commit phase before the reveal phase is to prevent the parties from changing their value based on what the other party reveals.777In practice the verification of all MAC relations are performed in an aggregated, much more efficient way right before the end of the protocol.

We also use as a shorthand for a secret sharing of in the case of active security, but in this case . Given secret shared values and , and a constant , Alice and Bob can jointly perform with only local computations the same operations as before:

  • Addition of a constant (): Alice and Bob compute . Note that the MAC relation remains satisfied, since .

  • Addition (): Alice and Bob compute by adding their local shares of and . The MAC relation remains trivially satisfied.

  • Multiplication by a constant (): Alice and Bob compute by multiplying their local shares of by . The MAC relation remains trivially satisfied.

The notations we use for the operations are the same as in the passive security case. In the case of the protocol with active security using binary fields , with a power of 2, there are a few additional technical details regarding the MAC, but the MPC protocol provides the same set of basic local operations that are described above. We refer interested readers to cramer2018spd for further details.

In the case of active security, the multiplication of secret shared values can also be performed as described above using multiplication triples, but the multiplication triples must be generated together with the respective MACs.

Additionally, since in the case of active security all secret shared values that are used in the computations must contain a corresponding MAC (defined by and as in Equation 3), a procedure for the parties to obtain a MAC for their inputs must be used. This is done as follows. During the offline phase a secret sharing (with a MAC) of a random value is generated and distributed to Alice and Bob. If Alice has an input , the secret sharing is opened towards her and she sends to Bob. They then compute the secret sharing , which contains a MAC. Note that the value is uniformly random and independent from , and therefore does not reveal any information to Bob.

Generation of Multiplication Triples and Random Values During the Offline Phase. For performance reasons, modern MPC schemes are normally divided in two phases: the offline and online phases. The offline phase only performs computations that are independent from the specific inputs of the parties to the protocol (Alice’s speech signal and Bob’s trained model parameters), and therefore can be executed far before the inputs are fixed. Modern MPC protocols try to perform as much of the computation as possible in the offline phase, so that the online phase can be faster, improving the responsiveness of the MPC solution.

In the case of the secret-shared based schemes that we consider, the computationally heavy operations are the generation of the multiplication triples and of the random values, and both of them are independent of the specific inputs of parties and can be delegated to the offline phase, whose main purpose is to generate these values. The parties can jointly generate them using techniques such as homomorphic encryption or oblivious transfer. During the online phase the parties only need to perform basic arithmetic operations, whose computational costs are quite small.

MPC Schemes. Table 1 contains an overview of the MPC schemes that we use in this paper. The MPC schemes for passive security provide protection against semi-honest adversaries, while the MPC schemes for active security provide protection against malicious adversaries. The distinction between the underlying algebraic structures and is meaningful because of its potential impact on the efficiency of the protocols. We briefly describe each MPC scheme for the dishonest majority scenario here (the ones for the honest majority scenario are described in Section 3.2.3):

dishonest majority
passive security SEMI SEMI2K
active security MASCOT SPDZ2K
honest majority
passive security REPP REP2K
active security MAL-REPP BRAIN
Table 1: Overview of MPC schemes according to threat model and algebraic structure
  • In the case of active security using a prime field, we use MASCOT keller2016mascot . It is a protocol that introduced an improved offline phase based on oblivious transfer techniques to generate the necessary values for the online phase of the SPDZ protocol damgaard2012multiparty (which is the online phase described above). Note that the offline phase is also performed between Alice and Bob, and one of them may act maliciously. Therefore it is necessary to use a series of mechanisms (such as consistency checking, privacy amplification techniques, and oblivious transfer checks) in order to guarantee that correct multiplication triples and random values are generated and that nothing about them leaks to Alice or Bob. We point interested readers to keller2016mascot for further details about how these values are generated in the offline phase.

  • In the case of active security using a binary field, we use SPDZ2K cramer2018spd . It adapts the offline phase of MASCOT to generate multiplication triples and random values for a binary field, which are then consumed by its online phase (which is an adaptation of SPDZ to the setting of binary fields). See cramer2018spd for further details.

  • For passive security we use SEMI for the case of prime fields, and SEMI2K for binary fields. Both schemes generate multiplication triples using techniques based on oblivious transfer. SEMI is a cut-down version of MASCOT, which eliminates all the additional machinery of MASCOT that is only necessary for the case of active security (such as consistency checking, privacy amplification techniques, the generation and use of message authentication codes, and oblivious transfer checks). Similarly, SEMI2K is a cut-down version of SPDZ2K to focus on passive security.

Many previous works on privacy-preserving machine learning have assumed the existence of a trusted initializer (e.g., david2015efficient ; AISec:CDNN15 ; fritchman2018 ; IEEENSRE:ADMW+19 ; NeurIPS2019 ; guo2020secure ; idash ), who pre-distributes correlated randomness to the protocol participants at a setup phase and does not participate in any other part of the protocol execution. Note that such a trusted initializer would completely eliminate the need of executing the offline phase of the above protocols, as the trusted initializer can pre-distribute all necessary multiplication triples and random values to Alice and Bob. However, we are interested in evaluating the performance of secure classification in the setting in which no such trusted initializer is available to the model and data owners and they have to execute the complete two-party computation solution between themselves.

3.2.3 Secret sharing-based MPC for honest majority

In the setting with 3 computing servers and at most 1 corruption (i.e., honest majority setting), we use MPC schemes based on replicated secret sharing, which allow much faster solutions than in the two-party setting.

In a replicated secret sharing scheme, a value in is secret shared among servers and by picking uniformly random values such that


and distributing to , to and to . Note that no single server can obtain any information about given its share. We also use as a shorthand for a secret sharing of in this case.

Passive security. As in the case of additive secret sharings, the 3 parties can easily perform the following operations through carrying out local computations: addition of a constant, addition of secret shared values, and multiplication by a constant. The biggest advantage of this replicated secret sharing scheme is that it enables a more efficient procedure for multiplying secret shared values. When multiplying , the servers can locally perform the following computations: computes , computes and computes . After performing these local computations, the servers obtain an additive secret sharing of without needing any interactions. Next, they just need to convert from the additive secret sharing representation back to a replicated secret sharing representation, so that it is possible to perform more multiplications in the same way. In order to securely do this conversion, the servers obtain an additive secret sharing of by picking uniformly random such that , which can be locally done with computational security by using pseudorandom functions, and locally computes . Finally, sends to , sends to , and sends to , enabling the servers and to get the replicated secret shares , , and , respectively, of the value . Note that for performing the multiplication of secret shared values, each server only needs to send a single ring element to one other server, and no expensive public-key encryption operations (such as homomorphic encryption or oblivious transfer) are required. This MPC scheme was introduced by Araki et al. araki2016high ; we refer to the original paper for further details. Referring back to the second part of Table 1, we denote the version working on a prime field by REPP, and the version working on a binary field by REP2K.

Active security. In the case of malicious adversaries, the MPC scheme MAL-REPP that we consider for prime fields uses the approach introduced by Lindell and Nof lindell2017framework of generating multiplication triples optimistically in the offline phase (i.e., running the multiplication protocol that is secure against semi-honest adversaries), performing the triple verification via sacrificing, and then using Beaver’s protocol for multiplication of secret shared values. For more details, we refer to lindell2017framework . In the case of binary fields, the MPC scheme BRAIN that we use was recently proposed by Eerikson et al. eerikson2020use ; we evaluate the option with preprocessing for generation of the multiplication triples that is available in MP-SPDZ. Note that in the three-party computation setting, the generation of the multiplication triples does not require any expensive public-key encryption operations.

3.2.4 Quantization

MPC based on secret sharing, as explained in Section 3.2.2 and 3.2.3, provides a mechanism to perform secure computations on integers modulo . The parameter values of a trained neural network, i.e. the values in the filters in the convolutional layers, the weights on the dense layers etc., are natively real numbers and need to be converted to integers. For this conversion process, we leverage existing research on quantization of neural networks. In deep learning, the conversion of floating-point (FP) data in the network to integers (INT) is studied as an effective way to shrink the model size and to accelerate computation, e.g. on edge devices with limited memory and computational power yang2020training . The use of quantization is growing in popularity in research on privacy-preserving deep learning as well, for instance in XONN riazi2019xonn , where neural network parameters are restricted to take binary values , in Quotient agrawal2019quotient with ternarized network weights in , and in SecureQ8 dalskov2019secure where network weights are reduced to 8-bit integers. We adhere to the latter.

Quantization allows the ability to represent a set of real numbers as a set of integers

. In this work we use the 8-bit quantization method implemented in TensorFlow Lite,

888 which was designed in the work of Jacob et al. Jacob2018 and used previously in Secure8Q dalskov2019secure . Let us define the dequantization function

where is a scale and is a zero-point. The quantization function with domain is then defined for an input by picking the number in the image of that is the closest999Breaking distance ties in favor of the smallest number. to and setting such that .

The quantization hyperparameters and are not the same across the entire neural network. The range of real values in the neural network may differ from one layer to the next. To ensure that all relevant real values are in , a pair ,

is chosen “per tensor” in the neural network (in our case of 1-dimensional CNNs, this means “per matrix”, see Section

3.1.2). Suitable values for and are determined automatically with a post-training integer quantization algorithm on the trained CNN and artificially generated input data.

Dot product is an important operation in CNNs, both for the convolutional layers and the dense layers. We use the same method as SecureQ8 dalskov2019secure to compute dot products by using only integer arithmetic to sum the products of the vector elements (in for ) and a single fixed-point multiplication to adjust to the proper scale for the output. Adding bias is handled by setting the scale of the bias representation to be the same as the scale of the output, and its zero-point to 0. Layers that only involve comparisons, such as RELU, can be directly implemented on the quantized values if they share the same scale and zero-point.

When a fixed-point multiplication is performed, it is necessary to truncate the result by a number of bits equal to the number of bits that is used to represent the fractional part, so that the output does not use twice as many bits to represent the fractional part as the inputs. In the case of prime fields this is done using either the deterministic truncation protocol of Catrina and De Hoogh catrina2010improved or the probabilistic truncation protocol of Catrina and Saxena catrina2010secure . In the probabilistic protocol, the probabilities that a number is rounded up or down are proportional to its distance to those bounds. The probabilistic truncation protocol eliminates a lot of invocations of the underlying secure comparison protocol, and therefore improves the efficiency. On the other hand, the probabilistic truncation affects negatively the accuracy of the secure classification as we will show in Section 4. In the case of binary fields, the truncation is done using the adaptations of the above deterministic and probabilistic truncation protocols that were introduced by Dalskov et al. dalskov2019secure . In the procedures in which the amount of bits to be truncated needs to be kept secret, we use the protocol of Dalskov et al. dalskov2019secure to perform deterministic truncation by a secret value.

We refer interested readers to dalskov2019secure ; Jacob2018 for further details.

3.2.5 Using an MPC scheme to securely classify

Classification of Alice’s speech signal vector with Bob’s model can, at a high level of abstraction, be thought of as the evaluation of a function that depends both on Alice’s input and on proprietary model parameters that were learned during training and that are only known to Bob. In the following description, we focus on the case of two-party computation for concreteness, but the case of outsourced three-party computation can be handled similarly. Designing a secure solution based on MPC for the classification comes down to representing the function that needs to be privately computed using the basic operations that are provided by the underlying MPC scheme (i.e., the addition and multiplication gates). Once this representation is found, the parties evaluate it gate by gate using existing procedures for private addition and private multiplication as explained in Section 3.2.2. This classification is performed during the online phase of protocol, consuming the necessary values that were generated during the offline phase, i.e. the multiplication triples that are needed for multiplication of secret shared values, as well as the random values that are needed for Alice to secret share her speech signal vector , and for Bob to secret share his model parameters . During the secure classification process, Alice and Bob jointly go through the following steps:

  1. Input. Alice secret shares her speech signal vector , and Bob secret shares his model parameters using the technique for secret sharing described in Section 3.2.2.

  2. Convolutional layer. In this step, Alice and Bob need to compute a secret sharing of the output of first convolutional layer, starting from the secret shared input and the secret shared model parameters . As indicated in the pseudocode in (1), to this end they need to perform Frobenius inner products (a generalization of dot product to matrices) and add bias terms. This boils down to performing multiplications and additions of values that are secret shared among Alice and Bob, namely Alice’s speech signal vector and Bob’s model parameters and (which are part of ). We refer to Section 3.2.2 and 3.2.4 for a description of how these operations are performed over secret shares.

  3. RELU activation layer. In this step, Alice and Bob replace all negative values in by zeros. This is done directly in the quantized values using a secure comparison protocol derived from Catrina and De Hoogh catrina2010improved , followed by a secure multiplication to either keep the original value or replace it by zero in an oblivious way.

  4. Average pooling layer. Average pooling with a window size of P means that in every row in , each (non-overlapping) block of P adjacent elements is replaced by one cell, with the average value of the original block. The resulting matrix is smaller than the original matrix . The values in are secret shared between Alice and Bob. To do average pooling, Alice and Bob first add the values in a block of by adding their own shares of these values. Next Alice and Bob need to divide the resulting sum by P, to yield the average. The window size P is a hyperparameter of the model that is known by Bob. Bob secret shares the value of hyperparameter P with Alice, similarly to how he shares the regular parameter values in step 1. For secure division of by , Alice and Bob use an iterative algorithm that is well known in the MPC literature catrina2010secure . This is the protocol for secure division used for the experimental results in Section 4. There is room for optimization in the runtime if Bob is willing to leak the window size P to Alice. P is part of the neural network architecture, just like the size L of the filters in the convolutional layers. If both Alice and Bob know the value of hyperparameter P, then there is no need for them to execute a protocol for secure division, as they can simply multiply by the constant 1/P without the need to communicate with each other.

  5. More convolutional blocks. Alice and Bob repeat steps 2-3-4 as many times as needed, depending on the neural network architecture.

  6. Dense layer. In a CNN, the output of the last convolutional block is flattened into a vector x of length . Alice and Bob can each flatten their own shares of the values to construct . Next, needs to be multiplied with a matrix that contains the weights of the dense layer, and a bias term needs to be added. and have already been provided by Bob as inputs in Step 1. The output of the dense layer is a vector y of length . Alice and Bob jointly compute by performing dot products and adding the bias term as explained in Section 3.2.2-3.2.4.

  7. Output layer. The class label inferred by the CNN is the index corresponding to the largest value in y. In the final step, Alice and Bob obtain a secret sharing of the class label by running a secure argmax protocol, which can be straightforwardly constructed using the above mentioned secure comparison protocol.

4 Results

Experimental setup: all benchmark and accuracy tests were completed on co-located c5d.4xlarge (VM1) and c5d.24xlarge (VM2) AWS virtual machines. We benchmarked our tests on two separate performance level machines to have a comparison of realistic runtimes today and into the future. A c5d.4xlarge virtual machine contains 16 cores, 32 GiB of memory, and up to a 10 Gbps link between each virtual machine. The c5d.24xlarge virtual machine represents computing power that could potentially be used more widespread in the future. This virtual machine contains 96 cores, 192 GiB of memory, and a 25 Gbps connection speed between virtual machines.

4.1 Data preprocessing and model training

We evaluated the proposed approach in a use case for emotion recognition from audio, using audio files from the RAVDESS data set livingstone2018ryerson . The data set contains 4,948 audio files with a length of 3.5 sec each. Each audio file is annotated with one of eight emotion labels: neutral (398), calm (777), sad (744), happy (756), fearful (767), disgust (391), angry (726), and surprise (389). We extracted vectors of MFCC features from each audio file with the librosa library mcfee2015librosa , with the default settings for all other parameters, and averaged them to obtain one 40-dimensional feature vector for each audio file.

Line (4), (11), and (12) in the code are only relevant for training, not for inference (1) model = Sequential() (2) model.add(Conv1D(128,5,padding=’same’, input_shape=(40,1))) (3) model.add(Activation(’relu’)) (4) model.add(Dropout(0.1)) (5) model.add(AveragePooling1D(pool_size=(4))) (6) model.add(Conv1D(128, 5,padding=’same’,)) (7) model.add(Activation(’relu’)) (8) model.add(Dropout(0.1)) (9) model.add(Flatten()) (10) model.add(Dense(8)) (11) model.add(Activation(’softmax’)) (12)

opt = keras.optimizers.rmsprop(lr=0.00005,

rho=0.9, epsilon=None, decay=0.0)
Figure 4: CNN architecture and Keras code snippet used to train the model.

We used a CNN architecture with two convolutional blocks. Both convolutional blocks have RELU activation, and the first one has an average pooling layer for downsampling. The convolutional blocks are followed by a dense layer with softmax activation. A Keras101010 code snippet with more details is included in Figure 4. Figure 5 shows accuracy curves when holding out 33% of the data as test data and training on the rest; the quantized trained model achieves 96.6% accuracy on the test data. We used TensorFlow Lite’s post-training integer quantization111111 to convert all CNN model parameters to 8-bit integers.

Figure 5: Train and test accuracy curves of CNN for emotion detection on RAVDESS data. The trained model obtains 96.6% accuracy on the test data.

4.2 Secure inference

To evaluate the accuracy and efficiency of the MPC schemes from Table 1 for privacy-preserving emotion detection, we ran experiments with the quantized trained model from Section 4.1 on the same held-out test set that was used for Figure 5. For the binary field , a value was used, while for the prime field a prime number with bit length 64 was used.

Table 2 contains accuracy and runtime results obtained on two different kinds of VMs in the case of two-party computation, while Table 3 contains similar data for the case of three-party computation. As mentioned above, the accuracy results were obtained by holding 33% of the data out as test data. The classification runtimes are computed as an average over 10 inferences, and they include the time needed for both the offline and the online phases. As expected, the accuracy results are consistent across the VMs and the 2PC/3PC settings, while the runtime differs.

First we observe that the accuracy results obtained with the deterministic truncation protocol are the same as the accuracy results in-the-clear (96.6%, see Section 4.1), while the probabilistic truncation protocol causes a significant drop in accuracy to 91.0%. These numbers are interesting by themselves: while Dalskov et al. dalskov2019secure write that the use of a probabilistic truncation protocol may hurt classification accuracy, to the best of our knowledge, we are the first to evaluate and measure this drop in accuracy experimentally on a real-life data set.

Active Security Passive Security
VM Truncation Accuracy SPDZ2K MASCOT SEMI2K SEMI
VM1 Probabilistic 91.0% 250.9 sec 274.6 sec 27.6 sec 92.5 sec
Deterministic 96.6% 370.0 sec 316.4 sec 40.5 sec 112.3 sec
VM2 Probabilistic 91.0% 26.01 sec 28.36 sec 2.77 sec 9.56 sec
Deterministic 96.6% 33.30 sec 32.28 sec 4.17 sec 11.55 sec
Table 2: Accuracy and runtime results for privacy-preserving emotion detection in the dishonest majority, 2PC setting in which Alice and Bob perform the privacy-preserving classification themselves. The accuracy results were obtained by holding 33% of the data out as test data. The classification runtimes are computed as an average over 10 inferences.

The absolute runtimes that we obtain are, even on the more modest VM, an order of magnitude smaller (better) than the runtimes reported for image classification in dalskov2019secure . This is because our overall neural network architecture is far more compact; the fact that we choose to use a 1-dimensional CNN instead of a 2-dimensional CNN contributes to this gain in speed. Beyond that, our runtime results are in line with what is reported in dalskov2019secure . For the 2PC setting (Table 2) we observe the following:

  • The probabilistic truncation protocol allows faster secure inferences than the deterministic truncation protocol. The price paid for this gain in speed, is a loss in accuracy (in our data set, a loss of 5.6%).

  • Among the MPC schemes for passive security, SEMI is 2-4x slower than SEMI2K. Among the MPC schemes for active security, the difference in runtime between SPDZ2K and MASCOT is minor (one slightly better with the deterministic truncation, the other slightly better with the probabilistic truncation).

  • SEMI2K (passive security) is around 7-10x faster than SPDZ2K/MASCOT (active security). The price paid for this gain in speed is a weaker security setting, in which it is assumed that the adversary tries to gain additional information, but nevertheless follows the protocol specifications.

Active Security Passive Security
VM Truncation Accuracy BRAIN MAL-REPP REP2K REPP
VM1 Probabilistic 91.0% 10.16 sec 9.97 sec 1.24 sec 4.18 sec
Deterministic 96.6% 12.72 sec 12.44 sec 2.06 sec 4.86 sec
VM2 Probabilistic 91.0% 1.35 sec 1.32 sec 0.15 sec 0.52 sec
Deterministic 96.6% 1.61 sec 1.58 sec 0.26 sec 0.60 sec
Table 3: Accuracy and runtime results for privacy-preserving emotion detection in the honest majority, 3PC setting in which Alice and Bob outsource the privacy-preserving classification to be performed by 3 servers. The accuracy results were obtained by holding 33% of the data out as test data. The classification runtimes are computed as an average over 10 inferences.

The protocols in the three-party outsourced computation setting with honest majority execute between 16x and 29x faster than their counterparts in the two-party computation setting. This is expected given the performance differences between state-of-art MPC protocols in the 2PC with dishonest majority and 3PC with honest majority settings. Beyond that, we have that

  • Among the MPC schemes for active security, MAL-REPP (which uses a prime field) performs slightly better than BRAIN (which uses a binary field) in all tests.

  • On the other hand, among the MPC schemes for passive security, REP2K outperforms REPP in all tests, running around 2-3x faster.

  • REP2K executes around 6-9x faster than MAL-REPP.

Considering passive security in both the 2PC and 3PC settings, performing the secure classification using computations on a binary field is far more efficient than using a prime field. On the other hand, in the active security setting, the secure classification achieves a comparable running time on both binary and prime fields, the winner depending on the number of parties running the MPC scheme and the type of truncation. Note that, in the passive security setting the overall procedures required for performing a multiplication of secret shared values are far less complicated than in the active security setting, and in the active security setting those procedures are more complicated in the case of binary fields.

Towards deployment in a real-time privacy-preserving speech classification application, the 3PC setting with 3 semi-honest computational servers is a very viable option (Tabke 3). The gain in speed compared to the 2PC setting stems from the use of cryptographic protocols that leverage the availability of 3 instead of only 2 players to secret share the values with, and the removal of the need for expensive public key encryption, rather than the availability of more hardware in the form of a 3rd server. It is important to stress that, since the 3 servers only receive shares of Alice’s and Bob’s information, the servers do not learn anything about the speech signal nor the trained model parameters. This holds true as long as not more than 1 of the 3 servers is corrupted. The 3PC setting is a good fit for applications where the user (Alice) and the application developer (Bob) have access to 3 reliable computational servers in the cloud, and the application developer wants to offer a speech classification service without becoming liable for invading the user’s privacy.

In settings where there is no configuration available of 3 computational servers with an honest majority, and where each party can only trust itself, one can resort to the MPC schemes from the 2PC setting at a higher runtime cost 2. These may be suitable for sensitive applications where real-time speech classification is not a requirement, such as healthcare applications or empathy based AI systems where one can afford several seconds of even half a minute to detect a disease or the user’s general mood in a privacy-preserving manner.

5 Conclusion

In this paper, we have presented the first privacy-preserving approach to deep learning based speech classification that is provably secure. To this end, we have proposed the first application of privacy-preserving classification with 1-dimensional CNNs based on Secure Multiparty Computation (MPC). In terms of privacy, MPC is very reliable: other than the result of the classification (which can be selectively revealed to the model owner, data owner, or a third party depending on the application), no information about the speech signal or the trained model parameters is leaked to any participant of the protocol. When performing oblivious speech classification, the price paid for keeping the data and the model private, is an increase in computational cost and runtime. Our results answer a question that has remained open in the literature thus far, namely whether MPC based protocols are efficient enough to enable highly accurate real-time speech recognition as would be needed for instance for digital voice assistants such as Apple’s Siri, Amazon’s Alexa, Google Home, and Microsoft’s Cortana. Our results show that this is clearly within reach.

In our experiments for a passive security setting, i.e. with semi-honest parties who follow the instructions of the cryptographic protocols, an audio file of 3.5 sec is classified with high accuracy in 0.26 sec, and in 0.15 sec with lower accuracy. These results were obtained with a CNN that we optimized for high accuracy as well as high efficiency in the MPC setting, through deliberate design choices in the CNN architecture, and the use of quantization. We ran the protocols in MP-SPDZ, an existing framework for MPC that is not optimized in any specific way for speech classification. That means that, in addition to the optimization efforts we made in this paper on the machine learning side, there is room to bring the secure inference runtimes down even further by optimizations on the MPC side, for instance by replacing the division algorithm in the average pooling layer by multiplication with a constant.

The fastest results mentioned above are obtained when Alice and Bob outsource the computations to 3 semi-honest servers (3PC). As long as these servers do not collude with each other, they do not learn anything about Alice’s speech signal or about Bob’s trained model parameters. We have also included scenarios with stronger security assumptions in our study, namely, in increasing order of runtime: malicious adversaries with an honest majority (3PC), semi-honest adversaries with a dishonest majority (2PC), and malicious adversaries with a dishonest majority (2PC). Actively secure protocols remain secure even if one of the parties is a malicious adversary who deviates from the protocol specification. This makes these protocols most suitable for sensitive applications, even if they come at a notably higher computational cost.


The authors would like to thank Marcel Keller for making the MP-SPDZ framework available, and for his assistance in the use of the framework.

This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors.


  • (1) A. Nautsch, A. Jiménez, A. Treiber, J. Kolberg, C. Jasserand, E. Kindt, H. Delgado, M. Todisco, M. A. Hmani, A. Mtibaa, et al., Preserving privacy in speaker and speech characterisation, Computer Speech & Language 58 (2019) 441–480.
  • (2) C. Mydlarz, J. Salamon, J. P. Bello, The implementation of low-cost urban acoustic monitoring devices, Applied Acoustics 117 (2017) 207–218.
  • (3) J. Salamon, J. P. Bello, Deep convolutional neural networks and data augmentation for environmental sound classification, IEEE Signal Processing Letters 24 (3) (2017) 279–283.
  • (4) N. Tomashenko, B. M. L. Srivastava, X. Wang, E. Vincent, A. Nautsch, J. Yamagishi, N. Evans, J.-F. Bonastre, P.-G. Noé, M. Todisco, J. Patino, The VoicePrivacy 2020 challenge evaluation plan, (2020).
  • (5) R. Cramer, I. Damgård, J. B. Nielsen, Secure Multiparty Computation and Secret Sharing, Cambridge University Press, 2015.
  • (6) A. Dalskov, D. Escudero, M. Keller, Secure evaluation of quantized neural networks, arXiv preprint arXiv:1910.12435 (2019).
  • (7) Z. Yang, Z. Dai, Y. Yang, J. Carbonell, R. R. Salakhutdinov, Q. V. Le, Xlnet: Generalized autoregressive pretraining for language understanding, in: Advances in Neural Information Processing Systems (NeurIPS), 2019, pp. 5754–5764.
  • (8) T. Peng, The staggering cost of training SOTA AI models, SyncedReview, (2019).
  • (9) N. Carlini, C. Liu, Ú. Erlingsson, J. Kos, D. Song, The secret sharer: Evaluating and testing unintended memorization in neural networks, in: 28th USENIX Security Symposium, 2019, pp. 267–284.
  • (10)

    N. Subramani, D. Rao, Learning efficient representations for fake speech detection, in: 34th AAAI Conference on Artificial Intelligence, 2020, pp. 5859–5866.

  • (11) P. Smaragdis, M. Shashanka, A framework for secure speech recognition, IEEE Transactions on Audio, Speech, and Language Processing 15 (4) (2007) 1404–1413.
  • (12) M. A. Pathak, B. Raj, S. D. Rane, P. Smaragdis, Privacy-preserving speech processing: cryptographic and string-matching frameworks show promise, IEEE Signal Processing Magazine 30 (2) (2013) 62–74.
  • (13) M. A. Pathak, B. Raj, Privacy-preserving speaker verification and identification using Gaussian mixture models, IEEE Transactions on Audio, Speech, and Language Processing 21 (2) (2013) 397–406.
  • (14) J. Portêlo, B. Raj, A. Abad, I. Trancoso, Privacy-preserving speaker verification using garbled GMMs, in: 22nd European Signal Processing Conference (EUSIPCO), IEEE, 2014, pp. 2070–2074.
  • (15) M. Keller, MP-SPDZ: A versatile framework for multi-party computation, Cryptology ePrint Archive, Report 2020/521, (2020).
  • (16) S. R. Livingstone, F. A. Russo, The Ryerson audio-visual database of emotional speech and song (RAVDESS): A dynamic, multimodal set of facial and vocal expressions in North American English, PloS one 13 (5).
  • (17) G. Trigeorgis, F. Ringeval, R. Brueckner, E. Marchi, M. A. Nicolaou, B. Schuller, S. Zafeiriou, Adieu features? End-to-end speech emotion recognition using a deep convolutional recurrent network, in: IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2016, pp. 5200–5204.
  • (18) B. Milde, C. Biemann, Using representation learning and out-of-domain data for a paralinguistic speech task, in: 16th Annual Conference of the International Speech Communication Association (INTERSPEECH), 2015, pp. 904–908.
  • (19) J. Liu, M. Juuti, Y. Lu, N. Asokan, Oblivious neural network predictions via MiniONN transformations, in: ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 619–631.
  • (20) P. Mohassel, Y. Zhang, SecureML: A system for scalable privacy-preserving machine learning, in: IEEE Symposium on Security and Privacy (SP), 2017, pp. 19–38.
  • (21) B. D. Rouhani, M. S. Riazi, F. Koushanfar, DeepSecure: Scalable provably-secure deep learning, in: 55th Annual Design Automation Conference (DAC), 2018.
  • (22) M. S. Riazi, C. Weinert, O. Tkachenko, E. M. Songhori, T. Schneider, F. Koushanfar, Chameleon: A hybrid secure computation framework for machine learning applications, in: Asia Conference on Computer and Communications Security, ACM, 2018, pp. 707–721.
  • (23) C. Juvekar, V. Vaikuntanathan, A. Chandrakasan, GAZELLE: A low latency framework for secure neural network inference, in: 27th USENIX Security Symposium, 2018, pp. 1651–1669.
  • (24) N. Agrawal, A. Shahin Shamsabadi, M. J. Kusner, A. Gascón, QUOTIENT: two-party secure neural network training and prediction, in: ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 1231–1247.
  • (25)

    M. S. Riazi, M. Samragh, H. Chen, K. Laine, K. Lauter, F. Koushanfar, XONN: XNOR-based oblivious deep neural network inference, in: 28th USENIX Security Symposium, 2019, pp. 1501–1518.

  • (26) P. Mishra, R. Lehmkuhl, A. Srinivasan, W. Zheng, R. A. Popa, Delphi: A cryptographic inference service for neural networks, in: 29th USENIX Security Symposium, 2020.
  • (27) N. Kumar, M. Rathee, N. Chandran, D. Gupta, A. Rastogi, R. Sharma, CrypTFlow: Secure TensorFlow inference, in: 41st IEEE Symposium on Security and Privacy, 2020.
  • (28) S. Wagh, D. Gupta, N. Chandran, SecureNN: 3-party secure computation for neural network training, Proceedings on Privacy Enhancing Technologies 2019 (3) (2019) 26–49.
  • (29) M. Dias, A. Abad, I. Trancoso, Exploring hashing and cryptonet based approaches for privacy-preserving speech emotion recognition, in: IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2018, pp. 2057–2061.
  • (30) F. Teixeira, A. Abad, I. Trancoso, Privacy-preserving paralinguistic tasks, in: IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2019, pp. 6575–6579.
  • (31) R. Gilad-Bachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, J. Wernsing, Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy, in: International Conference on Machine Learning, 2016, pp. 201–210.
  • (32) S. Davis, P. Mermelstein, Comparison of parametric representations for monosyllabic word recognition in continuously spoken sentences, IEEE Transactions on Acoustics, Speech, and Signal processing 28 (4) (1980) 357–366.
  • (33) D. Beaver, Efficient multiparty protocols using circuit randomization, in: J. Feigenbaum (Ed.), Advances in Cryptology — CRYPTO ’91, Springer Berlin Heidelberg, 1992, pp. 420–432.
  • (34)

    M. De Cock, R. Dowsley, C. Horst, R. Katti, A. Nascimento, W.-S. Poon, S. Truex, Efficient and private scoring of decision trees, support vector machines and logistic regression models based on pre-computation, IEEE Transactions on Dependable and Secure Computing 16 (2) (2019) 217–230.

  • (35) R. Dowsley, Cryptography based on correlated data: Foundations and practice, Ph.D. thesis, Karlsruhe Institute of Technology, Germany (2016).
  • (36) R. Cramer, I. Damgård, D. Escudero, P. Scholl, C. Xing, SPD: Efficient MPC mod for dishonest majority, in: Annual International Cryptology Conference, 2018, pp. 769–798.
  • (37) M. Keller, E. Orsini, P. Scholl, MASCOT: faster malicious arithmetic secure computation with oblivious transfer, in: ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 830–842.
  • (38) I. Damgård, V. Pastro, N. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in: Annual Cryptology Conference, 2012, pp. 643–662.
  • (39) B. David, R. Dowsley, R. Katti, A. C. Nascimento, Efficient unconditionally secure comparison and privacy preserving machine learning classification protocols, in: International Conference on Provable Security, Springer, 2015, pp. 354–367.
  • (40)

    M. De Cock, R. Dowsley, A. C. A. Nascimento, S. C. Newman, Fast, privacy preserving linear regression over distributed datasets based on pre-distributed data, in: 8th ACM Workshop on Artificial Intelligence and Security (AISec), 2015, pp. 3–14.

  • (41) K. Fritchman, K. Saminathan, R. Dowsley, T. Hughes, M. De Cock, A. Nascimento, A. Teredesai, Privacy-preserving scoring of tree ensembles: A novel framework for AI in healthcare, in: IEEE International Conference on Big Data, 2018, pp. 2412–2421.
  • (42) A. Agarwal, R. Dowsley, N. D. McKinney, D. Wu, C.-T. Lin, M. D. Cock, A. C. A. Nascimento, Protecting privacy of users in brain-computer interface applications, IEEE Transactions on Neural Systems and Rehabilitation Engineering 27 (8) (2019) 1546–1555.
  • (43) D. Reich, A. Todoki, R. Dowsley, M. De Cock, A. Nascimento, Privacy-preserving classification of personal text messages with secure multi-party computation, in: Advances in Neural Information Processing Systems (NeurIPS), 2019, pp. 3752–3764.
  • (44) C. Guo, A. Hannun, B. Knott, L. van der Maaten, M. Tygert, R. Zhu, Secure multiparty computations in floating-point arithmetic, arXiv preprint arXiv:2001.03192.
  • (45) M. De Cock, R. Dowsley, A. C. A. Nascimento, D. Railsback, J. Shen, A. Todoki, High performance logistic regression for privacy-preserving genome analysis, (2020).
  • (46) T. Araki, J. Furukawa, Y. Lindell, A. Nof, K. Ohara, High-throughput semi-honest secure three-party computation with an honest majority, in: ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 805–817.
  • (47) Y. Lindell, A. Nof, A framework for constructing fast MPC over arithmetic circuits with malicious adversaries and an honest-majority, in: ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 259–276.
  • (48) H. Eerikson, M. Keller, C. Orlandi, P. Pullonen, J. Puura, M. Simkin, Use your brain! Arithmetic 3PC for any modulus with active security, in: 1st Conference on Information-Theoretic Cryptography (ITC 2020), Schloss Dagstuhl-Leibniz-Zentrum für Informatik, 2020.
  • (49) Y. Yang, L. Deng, S. Wu, T. Yan, Y. Xie, G. Li, Training high-performance and large-scale deep neural networks with full 8-bit integers, Neural Networks 125 (2020) 70–82.
  • (50)

    B. Jacob, S. Kligys, B. Chen, M. Zhu, M. Tang, A. Howard, H. Adam, D. Kalenichenko, Quantization and training of neural networks for efficient integer-arithmetic-only inference, in: 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2018, pp. 2704–2713.

  • (51) O. Catrina, S. De Hoogh, Improved primitives for secure multiparty integer computation, in: International Conference on Security and Cryptography for Networks, 2010, pp. 182–199.
  • (52) O. Catrina, A. Saxena, Secure computation with fixed-point numbers, in: International Conference on Financial Cryptography and Data Security, 2010, pp. 35–50.
  • (53) B. McFee, C. Raffel, D. Liang, D. P. Ellis, M. McVicar, E. Battenberg, O. Nieto, librosa: Audio and music signal analysis in Python, in: Proceedings of the 14th Python in Science Conference, Vol. 8, 2015, pp. 18–25.