A Study of Privacy-Preserving Neural Network Prediction Based on Replicated Secret Sharing

Abstract

Neural networks have a wide range of promise for image prediction, but in the current setting of neural networks as a service, the data privacy of the parties involved in prediction raises concerns. In this paper, we design and implement a privacy-preserving neural network prediction model in the three-party secure computation framework over secret sharing of private data. Secret sharing allows the original data to be split, with each share held by a different party. The parties cannot know the shares owned by the remaining collaborators, and thus the original data can be kept secure. The three parties refer to the client, the service provider and the third server that assist in the computation, which is different from the previous work. Thus, under the definition of semi-honest and malicious security, we design new computation protocols for the building blocks of the neural network based on replicated secret sharing. Experimenting with MNIST dataset on different neural network architectures, our scheme improves 1.3×/1.5× and 7.4×/47.6× in terms of computation time as well as communication cost compared to the Falcon framework under the semi-honest/malicious security, respectively.

1. Introduction

Machine learning is now widely used in computer science research and practical industrial applications, generating huge social impact and economic benefits. In particular, convolutional neural networks have great potential in the field of image processing, such as face recognition [1,2,3] and speech recognition [4]. Due to their wide applicability, service providers are starting to rent neural networks as a commodity for their services. In this scenario, the model is pre-trained by the service provider and the client simply uploads their own private data to obtain the desired output.

With the advent of the digital age, massive data infrastructures are being built and sensitive data is being generated. The end-to-end communication between the client and the service provider can create security vulnerabilities, allowing the leakage of the private data owned by the client as well as model parameters trained by the service provider at great human and material cost [5]. Therefore, there is a need to protect the privacy of parties during the inference process, and neural networks that supports secure computation become a hot topic of current research.

Secure multi-party computation (SMC) offers a promising solution for privacy-preserving neural network, which originates from the Millionaire’s Problem proposed by Yao in 1982 [6]. In the SMC framework, collaborating parties do not reveal their private data to each other. Depending on the number of members involved in the protocol, current research is divided into (1) two-party secure computation (2PC) [7,8,9,10]; (2) three-party secure computation (3PC) [11,12,13,14,15]; and (3) four-party secure computation (4PC) [16,17].

SecureML [18] is based on a two-server model and relies on techniques such as oblivious transfer [19] and garbled circuits to support secure computation of shared decimal numbers, implementing protocols for various machine learning algorithms such as linear regression, logistic regression and neural networks. A hybrid protocol framework is proposed in [20] that effectively combines arithmetic sharing, boolean sharing and Yao’s garbled circuits to provide a solution for 2PC problem, which is known as ABY. Chandran et al. [21] build a compiler based on ABY to convert easy-to-write and high-level programs into efficient 2PC protocols using boolean or arithmetic circuits for better performance. Agrawal et al. [22] combine boolean sharing and arithmetic sharing to propose a ternary matrix-vector multiplication protocol with correlated oblivious transfer, and design a new fixed-point optimisation algorithm through a floating-point adaptive gradient optimisation procedure to improve prediction efficiency.

Homomorphic encryption is also an effective mean of protecting privacy, which is often used in 2PC. The first to use homomorphic encryption for secure inference is the CryptoNet [23] framework, where the user encrypts his private data and uploads it to the cloud server, which performs the corresponding computation directly on the ciphertext and returns the resulting ciphertext. The data exists in ciphertext form, which protects the user’s privacy. However, in this framework, the non-linear layer needs to be calculated by approximation, e.g., the activation function is replaced by a square function, and therefore the accuracy of the model may be reduced due to the difference between the approximation function and the original function. Researches [24,25,26,27,28] based on this are very computationally expensive and have high latency due to the limitations of homomorphic encryption itself, so further improvements are still needed, e.g., in combination with secret sharing or garbled circuits. Gazelle [29] combines garbled circuits with homomorphic encryption to achieve homomorphic linear algebraic kernel which maps neural network layers to optimized homomorphic matrix multiplication and convolution computation, improving the inference time of neural networks. Delphi [30] builds on Gazelle and proposes a new planner that automatically generates neural network architecture configurations to navigate the trade-off between performance and accuracy to further improve performance.

Araki et al. [31] propose a 3PC framework for boolean circuits with honest majorities, which is secure in the presence of semi-honest adversaries. Furukawa et al. [32] build on this by constructing beaver multiplication triples [33] to verify the correctness of the computation, making the protocol secure in the presence of malicious adversaries at most one party. Mohassel et al. propose a three-server model, namely the ABY3 [34], which generalises and optimises the conversion between arithmetic sharing, binary sharing and Yao’s garbled circuits on the basis of ABY, and propose new techniques for fixed-point multiplication with shared decimal values. Chameleon [35] is a hybrid protocol framework that utilises additive secret sharing, garbled circuits and the Goldreich-Micali-Wigderson (GMW) protocol [36] to improve performance, and introduces a semi-honest third party to design a more efficient oblivious transfer protocol for arithmetic triples. SecureNN [37] studies the computation of forward prediction and backpropagation training for deep learning models in a three-party computation environment, using only arithmetic addition and secret sharing, eliminating expensive cryptographic operations and guaranteeing semi-honest security. Malicious security is also presented in that paper, but the computation of its protocol is not accurate in this security setting. Falcon [38] proposes an end-to-end 3PC protocol for neural networks training and inference based on the ideas of SecureNN and ABY3, improving performance and ensuring semi-honest as well as malicious security, which is the main reference of this paper.

Trident [39] is a privacy-preserving machine learning framework that implements a four-server model. The fourth party in the protocol is inactive in the online phase except for input sharing and output reconstruction. Flash [40] guarantees output delivery security (all parties get the output regardless of the behaviour of the adversary), and optimises the dot product protocol to make its computation independent of vector size as well as truncation and highest significant bit extraction algorithms. QuantizedNN [41] proposes an efficient privacy-preserving machine learning framework using the quantization scheme of Jacob et al. [42], and provides protocols under the semi-honest or malicious security setting.

In the above studies, the 2PC [18,20,21,22] requires both parties involved in the protocol to be semi-honest. The 4PC [39,40,41] is not of practical importance due to the limitation of the number of computing servers. Instead, the 3PC [32,34,37,38] is considered to be one of the most promising framework available due to its security and efficiency. The main techniques include secret sharing, garbled circuits [43], homomorphic encryption, GMW protocol, etc. Each technique has its advantages and disadvantages, for example, homomorphic encryption has the highest computational complexity, while secret sharing requires the least bandwidth compared to garbled circuits or GMW protocol. Therefore, we mainly use secret sharing to build a 3PC framework for privacy-preserving neural network prediction. Our contributions are shown below.

• A neural network prediction model for three-party secure computation is constructed. Experiments are conducted on pre-trained different model architectures with the MNIST dataset, achieving an accuracy of 96.64%, 97.04%, 98.70% and 96.50%, respectively, with errors of no more than 1% from the results predicted directly on the plaintext.
• We define two security models. In the semi-honest environment, collaborators behave honestly, performing calculations according to the protocol and ensuring that they do not learn the shares held by the remaining parties. In the malicious environment, the protocol is terminated if malicious activity is detected, ensuring correct computation. Depending on the application scenario and performance requirements, the choice between the two security environments can be made.
• New sub-protocol algorithms for neural networks are designed using secret sharing, and they can be combined to construct secure prediction modelwith different combinations, it was possible to construct secure prediction model, improving the time required for prediction and the cost of communication compared to previous work.

The rest of the paper is structured as follows: Section 2 focuses on the relevant theoretical knowledge; Section 3 introduces the prediction framework and the sub-protocol algorithms for the neural network; Section 4 presents the experimental results; and Section 5 provides the conclusion.

2. Preliminaries

In this section, we describe the concepts and notations needed in this paper.

2.1. Replicated Secret Sharing

The three parties are denoted by $P_0$, $P_1$, $P_2$, respectively, then $P_{i+1}$, $P_{i-1}$ denote the next and previous party of $P_i$, where the subscript is in modulo 3, i.e., the next party of $P_0$ is $P_1$ and the previous party is $P_2$. Let ${\left[\left[x\right]\right]}^L=\left(x_0,x_1,x_2\right)$ denotes the 2-out-of-3 replicated secret sharing [31,32,34] of x in the number field ${\mathbb{Z}}^L$, i.e., $x\equiv x_0+x_1+x_2\left(modL\right)$, where $L=2^{\ell }$ (L is a number of data type with bit size ℓ). Then $P_0$ holds the pair $\left(x_0,x_1\right)$, $P_1$ holds the pair $\left(x_1,x_2\right)$ and $P_2$ holds the pair $\left(x_2,x_0\right)$. Any two parties can combine to recover the original data x. Similarly, the 2-out-of-3 replicated secret sharing of y in the number field ${\mathbb{Z}}^2$ can be denoted by ${\left[\left[y\right]\right]}^2=(y_0,y_1,y_2)$, i.e., $y=y_0⨁y_1⨁y_2$.

Furthermore, Let ${\left[x\right]}^L=\left(x_0,x_1,x_2\right)$ and ${\left[y\right]}^2=(y_0,y_1,y_2)$ denote the 3-out-of-3 secret sharing in the ${\mathbb{Z}}^L$ and ${\mathbb{Z}}^2$, respectively, then $P_0$ holds the shares $x_0$ and $y_0$, $P_1$ holds the shares $x_1$ and $y_1$, and $P_2$ holds the shares $x_2$ and $y_2$. Only a joint three-party effort can recover the original data x and y.

2.2. Random Number

We need to add a certain amount of noise to the sharing values to avoid channel attacks in peer-to-peer transmission. When the party $P_i$ generates a random number seed $k_i$ and shares it with the previous party $P_{i-1}$, each of the three parties has the peer-to-peer communication channel $\left(P_i,P_{i-1}\right)$, $\left(P_i,P_{i+1}\right)$ and a sharing seed pair $\left(k_i,k_{i+1}\right)$. A pseudo-random generation function $F_{k_i}$ is used to generate public random numbers as follows, where $ct$ is a counter that automatically adds 1 after each call to the pseudo-random generation function.

• The party $P_i$ generates the random number ${\alpha }_i=F_{k_i}\left(ct\right)-F_{k_{i+1}}\left(ct\right)\left(i=0,1,2\right)$, then all parties can directly generate a 3-out-of-3 secret sharing of 0 without interaction, i.e., ${\alpha }_0+{\alpha }_1+{\alpha }_2\equiv 0\left(modL\right)$.
• The party $P_i$ generates the random number pair $\left(r_i,r_{i+1}\right)=\left(F_{k_i}\left(ct\right),F_{k_{i+1}}\left(ct\right)\right)$$\left(i=0,1,2\right)$, then $(r_0,r_1,r_2)$ can form a 2-out-of-3 replicated secret sharing of r without interaction, i.e., $r_0+r_1+r_2\equiv r\left(modL\right)$.

Optimization. In the main protocols of Section 3, we need parties to have the 2-out-of-3 replicated secret sharing of 0, which is proposed in Section 3.1 in [34]. Then the secret sharing of x is denoted by $\left(x_0,x_1,x_2\right)=({\alpha }_0,{\alpha }_1+x,{\alpha }_2)$, which can reduce the number of interactions between the parties. The random numbers can be pre-generated in the offline phase, so we focus mainly on the online phase of the computation.

3. Framework and Protocols

In this section, we describe the prediction model for 3PC, the basic operations and some sub-protocols for the fully connected, convolutional, activation and pooling layers over replicated secret sharing.

3.1. Overview of the Framework

In this paper, we focus on the prediction phase of neural networks, where users query inference results by leasing pre-trained models. Our proposed 3PC prediction model consists of three roles, as shown in Figure 1. One is the data owner $P_0$, which applies its own private data to the leased model; the second is the service provider $P_2$, which provides pre-trained network models for users to perform query services; and the last is the helper service $P_1$, which performs auxiliary computations.

First, $P_0$ shares private data ${\left[\left[x\right]\right]}^L=({\alpha }_0,x+{\alpha }_1,{\alpha }_2)$ and $P_2$ shares model parameters ${\left[\left[y\right]\right]}^L=({\beta }_0,{\beta }_1,y+{\beta }_2)$ in the form of 2-out-of-3 replicated secret sharing, where ${\left[\left[\alpha \right]\right]}^L$ and ${\left[\left[\beta \right]\right]}^L$ are both 2-out-of-3 replicated secret sharing of 0. Afterwards, the three parties jointly use their shared data for inference. The result is also in sharing form. Finally, the $P_0$ communicates with the $P_1$ and reconstructs to obtain the final inference result. In this way, the user’s input data, the specific parameters of the model, and the final inference output are all in secret sharing form, and no information about the original data can be leaked by any of the parties’ shares, thus allowing for complete privacy.

In most of the current studies [31,34,38], outsourced cloud computers are used to perform SMC. Therefore, the computation volume of each computer as well as its security assumptions are the same, while in proposed model, $P_0$, as the service renter, is semi-honest and does not modify the data in order to get the final expected value. Therefore, the proposed model has the following two definitions of security, based on the security assumptions of the party $P_1$ and $P_2$.

Definition 1.

The model is defined as a semi-honest security model if both $P_1$ and $P_2$ are semi-honest.

Definition 2.

The model is defined as a malicious security model if $P_1$ or $P_2$ is malicious.

In the semi-honest security model, the parties will obey the protocol but will attempt to learn the shares owned by the remaining parties from the results of the intermediate calculations received. In a malicious security model, the malicious party may corrupt the correctness of the protocol by tampering with the intermediate data so that the model does not achieve the desired result. Therefore, we need a method of validation to ensure that the protocol can proceed correctly.

3.2. Basic Operation

Linear calculations. Assuming that a, b, c are common constant and ${\left[\left[x\right]\right]}^L$, ${\left[\left[y\right]\right]}^L$ are secret sharing, then the sharing of the linear calculation ${\left[[ax+by+c]\right]}^L$ can be expressed as $(a{x}_0+b{y}_0+c$, $a{x}_1+b{y}_1$, $a{x}_2+b{y}_2)$. The addition between secret sharing can be added directly corresponding to shares, whereas constant addition only requires adding the constant to a certain share. Constant multiplication requires that each share be multiplied by the constant. These three operations only need to be calculated locally without interaction, so does not require a security algorithm.

Multiplication. Let ${\left[\left[x\right]\right]}^L=(x_0,x_1,x_2)$ and ${\left[\left[y\right]\right]}^L=(y_0,y_1,y_2)$, then a total of two steps are required to obtain the secret sharing of $z=xy$. First, party $P_i$ computes $z_i=x_i{y}_i+x_{i+1}{y}_i+x_i{y}_{i+1}$ locally, which gets the 3-out-of-3 secret sharing of z, i.e., ${\left[z\right]}^L=(z_0,z_1,z_2)=(x_0{y}_0+x_1{y}_0+x_0{y}_1$, $x_1{y}_1+x_2{y}_1+x_2{y}_2$, $x_2{y}_2+x_0{y}_2+x_2{y}_0)$, which is defined as ${\left[z\right]}^L:={\left[\left[x\right]\right]}^L{\left[\left[y\right]\right]}^L$. Afterwards, the party $P_i$ sends share $z_i+{\alpha }_i$ to party $P_{i-1}$, which gets the 2-out-of-3 replicated secret sharing of z, i.e., ${\left[\left[z\right]\right]}^L=(z_0+{\alpha }_0,z_1+{\alpha }_1,z_2+{\alpha }_2)$, where a 3-out-of-3 secret sharing of 0 is added for blinding to ensure the security of the data.

In the malicious security model, the information sent by $P_1$ and $P_2$ could be changed, so validation means need to be added to ensure the correctness of the data, as shown in Algorithm 1. An additional uniformly distributed tuple $({\left[\left[a\right]\right]}^L,{\left[\left[b\right]\right]}^L,{\left[\left[c\right]\right]}^L)$ is needed, which $c\equiv ab\left(modL\right)$.

Algorithm 1 Multiplication protocol ${\prod }_{Mult}$

Input: shares of ${\left[\left[x\right]\right]}^L$ and ${\left[\left[y\right]\right]}^L$ held by $P_0$, $P_1$, and $P_2$.   Output: shares of ${\left[\left[z\right]\right]}^L$ held by $P_0$, $P_1$, and $P_2$.   Common Randomness: 3-out-of-3 secret sharing ${\left[\alpha \right]}^L$ of 0, 2-out-of-3 replicated secret sharing ${\left[\left[\beta \right]\right]}^L$ of 0, and uniformly distributed tuple $({\left[\left[a\right]\right]}^L,{\left[\left[b\right]\right]}^L,{\left[\left[c\right]\right]}^L)$, where $c\equiv ab\left(modL\right)$. 1: for $i=0,1,2$, $P_i$ computes locally ${\left[\left[u\right]\right]}^L:={\left[\left[x\right]\right]}^L-{\left[\left[a\right]\right]}^L,{\left[\left[v\right]\right]}^L:={\left[\left[y\right]\right]}^L-{\left[\left[b\right]\right]}^L$. 2: for $i=0,1,2$, $P_i$ computes ${\left[z\right]}^L:={\left[\left[x\right]\right]}^L{\left[\left[y\right]\right]}^L$, ${\left[p\right]}^L:={\left[\left[u\right]\right]}^L{\left[\left[b\right]\right]}^L$, ${\left[q\right]}^L:={\left[\left[a\right]\right]}^L{\left[\left[v\right]\right]}^L$, ${\left[o\right]}^L:={\left[\left[u\right]\right]}^L{\left[\left[v\right]\right]}^L$ and $s_i=p_i+q_i+o_i+c_i$. These calculations can be performed locally. 3: for $i=1,2$, $P_i$ sends $(z_i+{\alpha }_i,s_i)$ to $P_0$ in the malicious security model, while $P_i$ only needs to send $z_i+{\alpha }_i$ to $P_0$ in the semi-honest security model. 4: $P_0$ computes $s^{\prime }={\sum }_i(z_i+{\alpha }_i-s_i)$. Output ⊥ if $s^{\prime }\ne 0$, otherwise, continue the protocol. 5: $P_0$ computes locally $z\equiv z_0+{\alpha }_0+z_1+{\alpha }_1+z_2+{\alpha }_2\left(modL\right)$. 6: $P_0$ transmits $z+{\beta }_1$ to $P_1$. 7: return${\left[\left[z\right]\right]}^L=({\beta }_0,{\beta }_1+z,{\beta }_2)$.

Theorem 1.

The protocol ${\prod }_{Mult}$ described in Algorithm 1 allows for correct and secure operation of the multiplication functionality.

Proof of Theorem 1.

In step 1 and 2, there are $u=x-a$, $v=y-b$, $z=xy$, $p=ub$, $q=av$, $o=uv$, then

$$\begin{array}{cc}\hfill s& =p+q+o+c\hfill \\ & =(x-a)b+a(y-b)+(x-a)(y-b)+ab\hfill \\ & =xb-ab+ay-ab+xy-ay-xb+ab+ab\hfill \\ & =xy\hfill \end{array}$$

So in step 4, $s^{\prime }=z+\alpha -s=0$, which means the messages sent by $P_1$ and $P_2$ are correct, without being tempered, and can continue to be calculated. Otherwise, terminal the protocol. Thus, in step 5, $P_0$ can correctly calculate $z=xy$ and send the share to get ${\left[\left[z\right]\right]}^L$ after adding the random number. The introduction of common randomness during the transmission ensures the security of the data in Algorithm 1. □

Reconstruction. In the semi-honest security model, denoted by ${\left[\left[\alpha \right]\right]}^L$ for 2-out-of-3 replicated secret sharing of 0, $P_1$ sends $x_2+{\alpha }_2$ to $P_0$, then the party $P_0$ has shares $x_0+{\alpha }_0$, $x_1+{\alpha }_1$, and $x_2+{\alpha }_2$, which can be recovered by computing $x\equiv x_0+{\alpha }_0+x_1+{\alpha }_1+x_2+{\alpha }_2\left(modL\right)$ to recover the global value x, which only need 1 round communication and 1 message. In the malicious security model, because $P_1$ and $P_2$ may tamper with the data, in order to ensure the correctness of the final result, it is necessary for $P_1$ and $P_2$ to transmit both $x_2+{\alpha }_2$ to $P_0$. $P_0$ judges the received messages, and if the two messages are equal, it means that the correct value is transmitted in this round of communication without tampering, and the subsequent calculation can be continued. Otherwise, it is immediately terminated.

3.3. Fully Connected Layer

The computation of the fully connected layer is a matrix multiplication such that the input $X\left(n\times 1\right)$ and the weight $W\left(m\times n\right)$, then the output $Y=W\times X(y_i={\sum }_{j=1}^n{w}_{ij}{x}_j,$$i=1,...,m)$. Since the addition calculation can be performed directly locally, the main focus is on the multiplication between the shares and the matrix multiplication based on it. We use a fixed-point algorithm (as shown in Section 5.1 of [34]), so the matrix multiplication result needs to be truncated in the protocol ${\prod }_{MatMul}$, which is shown in Algorithm 2, to ensure that the accuracy of the input and output remains consistent.

The two secret sharing of input are ${\left[\left[W\right]\right]}^L=(W_0,W_1,W_2),{\left[\left[X\right]\right]}^L=(X_0,X_1,X_2)$, and the sharing of output is ${\left[[Y=WX]\right]}^L$. The protocol needs to generate a pair of shared random numbers $({\left[\left[R\right]\right]}^L,{\left[\left[R^{\prime }\right]\right]}^L)$, where $R=R^{\prime }/2^d$ (Each element of the matrix is divided by $2^d$, d indicates the precision bit of the input). First, the parties compute locally ${\left[Y^{\prime }\right]}^L={\left[\left[W\right]\right]}^L{\left[\left[X\right]\right]}^L$, where $Y=Y^{\prime }/2^d$. After that, $P_1$ transmits the blinded ${Y^{\prime }}_1$ with ${R^{\prime }}_1$ to $P_0$, and $P_2$ transmits the blinded ${Y^{\prime }}_2$ with ${R^{\prime }}_2$ to $P_0$, ensuring the privacy of the shared values in transmission. $P_0$ receives the messages from $P_1$ and $P_2$ and performs an addition operation for reconstruction, as shown in Line 5, to obtain the blinded $Y^{\prime }$, so that the parameter of the party $P_2$ cannot be calculated by $W=(Y^{\prime }-R^{\prime })X^{-1}$. Because multiplication leads to a larger precision of the result, the truncation algorithm $Z=(Y^{\prime }-R^{\prime })/2^d$ is needed to reduce the precision. In order to get the output sharing, $P_0$ needs to blind Z and send it to $P_1$, then the final 2-out-of-3 replicated secret sharing ${\left[\left[Y\right]\right]}^L=(R_0,Z+R_1,R_2)$ is obtained.

In the malicious security model, similarly, an additional uniformly distributed tuple $({\left[\left[A\right]\right]}^L,{\left[\left[B\right]\right]}^L,{\left[\left[C\right]\right]}^L)$ is needed, which $C\equiv AB\left(modL\right)$, to ensure the correctness of the data.

Algorithm 2 Matrix Multiplication protocol ${\prod }_{MatMul}$

Input: shares of ${\left[\left[W\right]\right]}^L$ and ${\left[\left[X\right]\right]}^L$ held by $P_0$, $P_1$, and $P_2$.   Output: shares of ${\left[\left[Y\right]\right]}^L$ held by $P_0$, $P_1$, and $P_2$.   Common Randomness:truncation pair of shared random number $({\left[\left[R\right]\right]}^L,{\left[\left[R^{\prime }\right]\right]}^L)$, where $R=R^{\prime }/2^d$, and uniformly distributed tuple $({\left[\left[A\right]\right]}^L,{\left[\left[B\right]\right]}^L,{\left[\left[C\right]\right]}^L)$, where $C\equiv AB\left(modL\right)$. 1: for $i=0,1,2$, $P_i$ computes locally ${\left[\left[U\right]\right]}^L={\left[\left[W\right]\right]}^L-{\left[\left[A\right]\right]}^L$, ${\left[\left[V\right]\right]}^L={\left[\left[X\right]\right]}^L-{\left[\left[B\right]\right]}^L$. 2: for $i=0,1,2$, $P_i$ computes ${\left[Y^{\prime }\right]}^L={\left[\left[W\right]\right]}^L{\left[\left[X\right]\right]}^L$, ${\left[P^{\prime }\right]}^L={\left[\left[U\right]\right]}^L{\left[\left[B\right]\right]}^L$, ${\left[Q^{\prime }\right]}^L={\left[\left[A\right]\right]}^L{\left[\left[V\right]\right]}^L$, ${\left[O^{\prime }\right]}^L={\left[\left[U\right]\right]}^L{\left[\left[V\right]\right]}^L$ and $S_i={Y^{\prime }}_i-{P^{\prime }}_i-{Q^{\prime }}_i-{O^{\prime }}_i-C_i$. These calculations can be performed locally. 3: for $i=1,2$, $P_i$ transmits $({Y^{\prime }}_i-{R^{\prime }}_i,S_i)$ to $P_0$ in the malicious security model, while $P_i$ only needs to send ${Y^{\prime }}_i-{R^{\prime }}_i$ to $P_0$ in the semi-honest security model. 4: $P_0$ computes $S^{\prime }={\sum }_i{S}_i$. Output ⊥ if $S^{\prime }\ne 0$, otherwise, continue the protocol. 5: $P_0$ computes $Y^{\prime }-R^{\prime }={\sum }_i({Y^{\prime }}_i-{R^{\prime }}_i)$ and truncates $Z=(Y^{\prime }-R^{\prime })/2^d$. 6: $P_0$ transmits $Z+R_1$ to $P_1$. 7: return${\left[\left[Y\right]\right]}^L=(R_0,Z+R_1,R_2)$.

Theorem 2.

The protocol ${\prod }_{MatMul}$ described in Algorithm 2 allows for correct and secure operation of the matrix multiplication functionality.

Proof of Theorem 2.

The proof of the theorem proceeds similarly to Theorem 1. □

3.4. Convolutional Layer

The convolution computation can be viewed as the merging of multiple matrix multiplications, so the convolution can be expanded into a matrix of larger dimensionality. Suppose the convolution calculation between an input image of $3\times 3$ and a kernel of size $2\times 2$ (with the step of 1) can be converted into a matrix multiplication between $W\left(1\times 4\right)$ and $X\left(4\times 4\right)$, which as follows.

$$Conv\left(\left[\begin{array}{cc}{k}_1& k_2\\ k_3& k_4\end{array}\right],\left[\begin{array}{ccc}{x}_1& x_2& x_3\\ x_4& x_5& x_6\\ x_7& x_8& x_9\end{array}\right]\right)=\left[\begin{array}{cccc}{k}_1& k_2& k_3& k_4\end{array}\right]\times \left[\begin{array}{cccc}{x}_1& x_2& x_4& x_5\\ x_2& x_3& x_5& x_6\\ x_4& x_5& x_7& x_8\\ x_5& x_6& x_8& x_9\end{array}\right]$$

Then we can call the protocol ${\prod }_{MatMul}$ directly to calculate it.

3.5. Wrap Function

The definition of the $wrap$ functions $wra{p}_{2e}$, $wra{p}_{3e}$ and $wra{p}_3$ is given below, which can compute the carry efficiently when the shared values are summed as integers.

$$wra{p}_{2e}(a_0,a_1,L)=\left\{\begin{array}{c}0\mathrm{if}0⩽a_0+a_1<L\hfill \\ 1\mathrm{Otherwise}\hfill \end{array}\right.$$

(1)

$$wra{p}_{3e}(a_0,a_1,a_2,L)=\left\{\begin{array}{c}0\mathrm{if}0⩽\sum _{i=0}^2{a}_i<L\hfill \\ 1\mathrm{if}L⩽\sum _{i=0}^2{a}_i<2L\hfill \\ 2\mathrm{if}2L⩽\sum _{i=0}^2{a}_i<3L\hfill \end{array}\right.$$

(2)

$$wra{p}_3(a_0,a_1,a_2,L)=wra{p}_{3e}(a_0,a_1,a_2,L)\left(mod2\right)$$

(3)

Next, we describe the relationship between the most significant bit of a and $wra{p}_3$ function on the secret sharing $(a_0,a_1,a_2)$. Note that $a\equiv a_0+a_1+a_2\left(modL\right)$ and $a_i$ is a share within modulo L, and we can see the most significant bit $MSB\left(a\right)=MSB\left(a_0\right)+MSB\left(a_1\right)+MSB\left(a_2\right)+c\left(mod2\right)$, where c is the carry of the previous index. The key insight here is that ignoring the most significant bit of $a_i$, the carry c of the previous index is obtained by performing the $wra{p}_3$ function on $a_i$ with modulo $L/2$. Furthermore, this operation is equivalent to performing $wra{p}_3$ function on $2a_i$ with modulo L. That is, $c=wra{p}_3\left(a_0,a_1,a_2,L/2\right)=wra{p}_3\left(2a_0,2a_1,2a_2,L\right)$.

The $wra{p}_{2e}$ function can be computed directly locally and therefore does not require a security algorithm. In addition, the $wra{p}_{2e}$ function allows us to write the following exact integer equation: if $a\equiv a_0+a_1\left(modL\right)$, then $a=a_0+a_1-wra{p}_{2e}\left(a_0,a_1,L\right)·L$. Where the former is a congruence relation and the latter is an integer relation which is exactly equal. Finally, Algorithm 3 gives the $wra{p}_3$ protocol on the 2-out-of-3 replicated secret sharing of a. It is necessary to blind the transmitted data in the communication to ensure data security, so two 2-out-of-3 replicated secret sharing of 0, denoted by ${\left[\left[r\right]\right]}^L$ and ${\left[\left[\eta \right]\right]}^2$, are introduced.

Algorithm 3 Wrap protocol ${\prod }_{Wrap}$

Input: shares of ${\left[\left[a\right]\right]}^L$ held by $P_0$, $P_1$, and $P_2$.   Output: shares of a bit ${\left[\left[\theta \right]\right]}^2$ held by $P_0$, $P_1$, and $P_2$, where $\theta =wra{p}_3(a_0,a_1,a_2,L)$.   Common Randomness:${\left[\left[r\right]\right]}^L$ (random shares of 0), ${\left[\left[\alpha \right]\right]}^2$ where $\alpha =wra{p}_3(r_0,r_1,r_2,L)$, and ${\left[\left[\eta \right]\right]}^2$ (a bit random shares of 0). 1: for $i=0,1,2$, $P_i$ computes locally $x_i\equiv a_i+r_i\left(modL\right)$ and ${\beta }_i=wra{p}_{2e}(a_i,r_i,L)$. 2: In the semi-honest security setting, $P_1$ sends $x_2$ to $P_0$. While in the malicious security setting, $P_1$ sends $x_2$ to $P_0$ and $P_2$ sends $H\left(x_2\right)$ to $P_0$. 3: In the malicious security setting, $P_0$ first needs to judge whether the hash value of $x_2$ from $P_1$ is equal to $H\left(x_2\right)$ from $P_2$. Output ⊥ if it is not equal, otherwise, continue the protocol. 4: $P_0$ computes $\delta =wra{p}_3(x_0,x_1,x_2,L)$ and sends $\delta +{\eta }_1$ to $P_1$. 5: return${\left[\left[\theta \right]\right]}^2=({\beta }_0\oplus {\alpha }_0\oplus {\eta }_0,{\beta }_1\oplus {\alpha }_1\oplus \delta \oplus {\eta }_1,{\beta }_2\oplus {\alpha }_2\oplus {\eta }_2)$.

Theorem 3.

The protocol ${\prod }_{Wrap}$ described in Algorithm 3 allows for correct and secure operation of the $wra{p}_3$ functionality.

Proof of Theorem 3.

The following equations exist in Algorithm 3:

$$a=a_1+a_2+a_3-{\theta }_e·L$$

(4)

$$r=r_0+r_1+r_2-{\alpha }_e·L$$

(5)

$$x_i=a_i+r_i-{\beta }_i·L,\forall i\in \left\{0,1,2\right\}$$

(6)

$$x=x_0+x_1+x_2-{\delta }_e·L$$

(7)

where ${\theta }_e$, ${\alpha }_e$ and ${\delta }_e$ represent the exact $wra{p}_{3e}$ function, Equations (4), (5) and (7) follow the definition of the exact $wra{p}_{3e}$ function, while Equation (6) follows the definition of the $wra{p}_{2e}$ function. because $x\equiv a+r\left(modL\right)$ and $r=0$, so $x\equiv a\left(modL\right)$. From the Eqs.4-7 we can get

$${\theta }_e={\beta }_0+{\beta }_1+{\beta }_2-{\delta }_e-{\alpha }_e$$

(8)

Equation (8) modulo 2 is operated to get $\theta ={\beta }_0+{\beta }_1+{\beta }_2-\delta -\alpha$, which is used to calculate the $wra{p}_3$ in Algorithm 3. Similarly, in the malicious security model, the verification method in step 3 ensures that the data is correct, so the protocol ${\prod }_{Wrap}$ is correct. In addition, the introduction of random numbers ensures the security of Algorithm 3. □

3.6. ReLU Activation Layer

In the decimal real number field, the activation function $ReLU\left(x\right)$ is defined as $ReLU\left(x\right)=x$ if $x>0$, otherwise, $ReLU\left(x\right)=0$. Under the C++ data type representation on the ring ${\mathbb{Z}}^L$, $x⩾L/2$ indicates a negative number whose most significant bit $MSB\left(x\right)=1$, and $0⩽x<L/2$ indicates a positive number whose most significant bit $MSB\left(x\right)=0$. Therefore, when using fixed-point encoding, the definition of $ReLU\left(x\right)$ can be converted as follows: if $MSB\left(x\right)=1$, $ReLU\left(x\right)=0$, otherwise, $ReLU\left(x\right)=x$, i.e., $ReLU\left(x\right)=x·\left(1-MSB\left(x\right)\right)$.

When the secret shared values of x are known, the most significant bit $MSB\left(x\right)$ is given as follows.

$$MSB\left(x\right)=MSB\left(x_0\right)\oplus MSB\left(x_1\right)\oplus MSB\left(x_2\right)\oplus wra{p}_3(2x_0,2x_1,2x_2,L)$$

(9)

The secret sharing of $MSB\left(x\right)$ is obtained by first calling the ${\prod }_{Wrap}$ protocol to calculate the sharing of the carry bits, and then locally dissociating directly with the most significant bit of the shares of x, as shown in Line 2 of Algorithm 4. If the secret sharing of x and $MSB\left(x\right)$ are held in different number fields, i.e., ${\left[\left[x\right]\right]}^L=(x_0,x_1,x_2)$ and ${\left[\left[MSB\left(x\right)\right]\right]}^2={\left[\left[0\right]\right]}^2=(1,1,0)$, then calling the multiplication protocol on two sharing can obtain ${\left[\left[2x\right]\right]}^L=(2x_0+x_1,x_1+x_2,x_2)$, which is not the expected value. So we cannot call the multiplication protocol directly, but need to convert the secret sharing of $MSB\left(X\right)$ in ${\mathbb{Z}}^2$ to the secret sharing of $1-MSB\left(x\right)$ in ${\mathbb{Z}}^L$ and then call the protocol ${\prod }_{Mult}$ to get the 2-out-of-3 replicated secret sharing of $ReLU\left(x\right)$.

Algorithm 4 ReLU protocol ${\prod }_{RU}$

Input: shares of ${\left[\left[x\right]\right]}^L$ held by $P_0$, $P_1$, and $P_2$.   Output: shares of ${\left[\left[y\right]\right]}^L$ held by $P_0$, $P_1$, and $P_2$, where $y=ReLU\left(x\right)$.   Common Randomness:random numbers ${\left[\left[r\right]\right]}^L$ and ${\left[\left[r\right]\right]}^2$. 1: Run ${\prod }_{Wrap}$ to get ${\left[\left[\theta \right]\right]}^2$ where $\theta =wra{p}_3(2x_0,2x_1,2x_2,L)$. 2: for $i=0,1,2$, $P_i$ computes locally $({\theta }_i\oplus MSB\left(x_i\right),{\theta }_{i+1}\oplus MSB\left(x_{i+1}\right)$ to obtain ${\left[\left[MSB\left(x\right)\right]\right]}^2=({\theta }_0\oplus MSB\left(x_0\right),{\theta }_1\oplus MSB\left(x_1\right),{\theta }_2\oplus MSB\left(x_2\right))$. 3: Run ${\prod }_{Reconst}$ to get c where $c=(r\oplus MSB(x\left)\right)$ and $P_0$ broadcasts c to $P_1$ and $P_2$. 4: If $c=0$, set ${\left[[1-MSB\left(x\right)]\right]}^L=1-{\left[\left[r\right]\right]}^L$, otherwise, ${\left[[1-MSB\left(x\right)]\right]}^L={\left[\left[r\right]\right]}^L$. 5: Run ${\prod }_{Mult}$ over ${\left[\left[x\right]\right]}^L$ and ${\left[[1-MSB\left(x\right)]\right]}^L$ to get ${\left[\left[y\right]\right]}^L$. 6: return${\left[\left[y\right]\right]}^L$.

Theorem 4.

The protocol ${\prod }_{RU}$ described in Algorithm 4 allows for correct and secure operation of the $ReLU$ functionality.

Proof of Theorem 4.

The protocol ${\prod }_{Wrap}$ called in step 1 is correct and secure. Step 2 is computed locally without the security algorithm. Step 3 invokes the protocol ${\prod }_{Reconst}$ and then exposes c as the blinded $MSB\left(x\right)$, so ensuring that the true value of $MSB\left(x\right)$ is not known to the parties. Step 4 is computed locally and if $c=0$, indicating that r is the same as $MSB\left(x\right)$, then $1-MSB\left(x\right)=1-r$, otherwise $c\ne 0$ when r is complementary to $MSB\left(x\right)$, then $1-MSB\left(x\right)=r$. The protocol ${\prod }_{Mult}$ called in step 5 is correct and secure. Therefore, it follows from Theorem 1.2 in [44] that combined protocol ${\prod }_{RU}$ is also correct and secure. □

3.7. Max-Pooling Layer

In the max-pooling layer, we treat the elements in the local field as a row vector as follows:

$$\left[\begin{array}{ccc}{x}_1& x_2& x_3\\ x_4& x_5& x_6\\ x_7& x_8& x_9\end{array}\right]->\left[\begin{array}{cccc}{x}_1& x_2& x_4& x_5\\ x_2& x_3& x_5& x_6\\ x_4& x_5& x_7& x_8\\ x_5& x_6& x_8& x_9\end{array}\right].$$

Then the computation at this layer is to find the maximum element in each row vector. The functionality of the protocol ${\prod }_{MP}$ is simply expressed as the input of a vector in the form of secret sharing and the output of secret sharing of its maximum value. At the intermediate layer, we only need to focus on the maximum value of each vector, so it is sufficient to carry out the calculations in steps 3, 4 and 5 of Algorithm 5. Iterating through the input via a for loop, the difference between the two numbers is first calculated and the protocol ${\prod }_{RU}$ is called to determine if the difference is zero, which in turn gives the maximum value of the current traversal. In the final predictive classification, the index of the maximum value in the vector, i.e., the label, needs to be obtained. So we pre-generate a number of one-hot vectors $\overrightarrow{e_k}$ with $k=\{1,2,\dots ,n\}$ and select the output in step 6 to get the index of the maximum value of the output vector.

Algorithm 5 Maxpool function ${\prod }_{MP}$

Input: shares of $x_1,x_2,\dots ,x_n$ in ${\mathbb{Z}}^L$ held by $P_0$, $P_1$, and $P_2$.   Output: shares of $x_k$ and $\overrightarrow{e_k}$ held by $P_0$, $P_1$, and $P_2$, where $k=argmax\{x_1,x_2,\dots ,x_n\}$ and $\overrightarrow{e_k}=\{e_1,e_2,\dots ,e_n\}$ with $e_k=1$ and $e_i=0\forall i\ne k$.   Common Randomness:No additional common randomness required. 1: Set $max\leftarrow a_1$ and $\overrightarrow{ind}\leftarrow \overrightarrow{e_1}=\{1,0,\dots ,0\}$. 2: for$i=\{2,3,\dots ,n\}$do 3: Set $d\leftarrow (max-a_i)$. 4: $b\leftarrow MSB\left(d\right)$, $c\leftarrow ReLU\left(d\right)$. 5: $max\leftarrow c+a_i$. 6: $\overrightarrow{ind}\leftarrow (\overrightarrow{ind}\oplus \overrightarrow{e_i})b\oplus \overrightarrow{ind}$. 7: end for 8: return$max,\overrightarrow{ind}$.

Theorem 5.

The protocol ${\prod }_{MP}$ described in Algorithm 5 allows for correct and secure operation of the $Maxpool$ functionality.

Proof of Theorem 5.

Algorithm 5 calls the protocol ${\prod }_{RU}$ in step 4 (the computation of b is in steps 1 and 2 of Algorithm 4), and the protocol ${\prod }_{Mult}$ in step 6. Similarly, because sub-protocols are secure, the combined protocol is also secure. In step 6, if $b=0$, $(\overrightarrow{ind}\oplus \overrightarrow{e_i})b\oplus \overrightarrow{ind}=\overrightarrow{ind}$, so the current $max>a_i$ and output $\overrightarrow{ind}$. If $b=1$, $(\overrightarrow{ind}\oplus \overrightarrow{e_i})b\oplus \overrightarrow{ind}=\overrightarrow{ind}\oplus \overrightarrow{e_i}\oplus \overrightarrow{ind}=\overrightarrow{e_i}$, so $max<a_i$ and the one-hot vector $e_i$ corresponding to $a_i$ is outputted. In summary, Algorithm 5 is correct and secure. □

3.8. Performance Analysis

We summarise the overhead of the protocol theoretically, with the number of rounds and the communication complexity shown in

Table 1. Theoretical overheads of protocols.

Protocol	Dependence	Semi-Honest		Malicious
		Rounds	Comm.	Rounds	Comm.
${\prod }_{Reconst}$	n	1	$1kn$	1	$2kn$
${\prod }_{Mult}$	n	2	$3n$	2	$5n$
${\prod }_{MatMul}$	$(x\times y)(y\times z)$	2	$3kxz$	2	$5kxz$
${\prod }_{Wrap}$	n	2	$2kn$	2	$3kn$
${\prod }_{RU}$	n	6	$8kn$	6	$12kn$
${\prod }_{MP}$	$x\times y$	$8(y-1)$	$11kn(y-1)$	$8(y-1)$	$17kn(y-1)$

. The protocol ${\prod }_{Reconst}$ requires the transmission of 1 message in the semi-honest security model and 2 messages in the malicious security model. the protocol ${\prod }_{MatMul}$ represents matrix multiplication of dimensions $x\times y$ and $y\times x$ and requires 2 communications in the semi-honest security model (e.g., steps 3 and 6), whereas in the malicious security model, although the same 2 communications are performed, the first communication complexity is 2×. If the number of elements transmitted is the same, the communication complexity of ${\prod }_{Wrap}$ under the malicious security model can be the same as that of the protocol ${\prod }_{Mult}$ under the semi-honest security model. The focus of protocol ${\prod }_{RU}$ is on the combined computation of ${\prod }_{Wrap}$, ${\prod }_{Reconst}$ and ${\prod }_{Mult}$. The protocol ${\prod }_{MP}$ only needs to compute the maximum value in the pooling layer of the neural network, i.e., only steps 3–5 in the for loop need to be performed. Let matrix dimension after local feature transformation be $x\times y$, then the protocol ${\prod }_{RU}$ needs to be called $y-1$ times. The full protocol ${\prod }_{MP}$ is only called when the final label classification is performed and the one-hot encoding of each label needs to be calculated.

As can be seen from Table 1, the number of rounds under the malicious security model is essentially the same as that under the semi-honest security model, but the communication complexity is approximately $2\times$, making it a much less efficient implementation.

We compared the theoretical complexity of the Astra [45], Blaze [46], Falcon [38], Flash [40] and Trident [39] frameworks with the proposed scheme. We compares the end-to-end overhead of the protocol ${\prod }_{RU}$ due to the different methods used in this framework to calculate the non-linear functions.

Table 2. Comparison of theoretical complexity of sub-protocols in each franework.

Framework	Multiplication		ReLU
	Rounds	Comm.	Rounds	Comm.
Astra [45]	1	$4\ell$	$3+log\ell$	$45\ell$
Blaze [46]	1	$3\ell$	4	$(\kappa +7)\ell$
Falcon [38]	1	$4\ell$	$5+log\ell$	$32\ell$
Proposed	2	$3\ell$	5	$8\ell$
Flash [40]	1	$3\ell$	$10+log\ell$	$46\ell$
Trident [39]	1	$3\ell$	4	$8\ell +2$

Note: ℓ is the bit size of the data type, κ is the security parameter, and log denotes the logarithm with base 2.

shows the comparison of the theoretical complexity. Astra is a third-party secure computation framework with semi-honest security. Blaze builds on Astra to achieve malicious security and fairness in a 3PC honest majority corruption model and uses an adder circuit approach for non-linear function computation. The framework which is most similar to the proposed scheme is Falcon and introduces a non-zero random number r in step 1 of the protocol ${\prod }_{Wrap}$, so the PC protocol needs to be called in step 4 to compare the x and r, which is in Section 3.3 of the [38]. In contrast, we introduce a secret sharing of 0, so there is no need to call the PC protocol, resulting in a $log\ell$ reduction in the number of rounds and a $4\times$ reduction in communication complexity for the protocol ${\prod }_{RU}$.

4. Results

Our experiments are written in C++ program on the virtual machine Ubuntu 22.04.1 LTS amd64 and focus on evaluating the performance overhead of the proposed scheme for private prediction on multiple neural networks.

The training is first performed on plaintext data using the torch library, with the accuracy of 98.06% on Network-A, 99.00% on Network-B, 99.56% on Network-C and 99.77% on Network-D (networks are described in Section 4.1). Afterwards, the performance of various sub-protocols under semi-honest and malicious security is benchmarked as shown in Section 4.2. Section 4.3 evaluates the prediction time and communication cost of the proposed scheme in this paper based on the model parameters obtained from training with the test dataset. Finally, the feasibility of this scheme is verified by comparing the accuracy under the secret sharing and plaintext in Section 4.4.

The inputs to the neural network as well as the parameters are generally floating point numbers, so they must be encoded in fixed point form, setting their precision bit to 13. Experiments in this paper are conducted using a smaller ring $\ell =32$, allowing the entire framework to run on smaller data types with half the communication complexity compared to the generic framework with $\ell =64$. The Eigen library is used to speed up the matrix multiplication calculation.

4.1. Dataset and Networks

The dataset is MNIST [47], where each image is a $28\times 28$ pixel handwritten digital image with labels between 0 and 9, consisting of 60,000 images in the training set and 10,000 images in the test set.

For comparisons with different neural network architectures, four standard network architectures are chosen for the experiments, which are shown in Figure 2.

• Network-A: This is a neural network evaluated in the SecureML [18] framework. It consists of 3 fully connected layers, with an activation layer added after each layer. The number of nodes in each layer is $128\times 784$, $128\times 128$, $10\times 128$. This is the smallest network with 118,282 parameters.
• Network-B: This is a neural network evaluated in the Chameleon [35] framework. The network structure has 6 layers in total. The first layer is a convolutional layer with a kernel of $2\times 2\times 1\times 5$. The third and fifth layers are fully connected layers with nodes of $100\times 980$, $10\times 100$, respectively. The second, fourth and sixth layers are the activation layers. Its total number of parameters is about 99,135.
• Network-C: This is a neural network evaluated in the MiniONN [48] framework. The network has a total of 10 layers. The first and fourth layers are convolutional layers with kernels of $5\times 5\times 1\times 16$, $5\times 5\times 16\times 16$, respectively. The second and fifth layers are pooling layers with kernels of $2\times 2$. Layers 7 and 9 are fully connected layers with nodes of $100\times 256$, 10, respectively, and the rest of the layers are activation layers. Its total number of parameters is 33,542.
• Network-D: The network was first proposed in [47] for automatic detection of postal codes and digit recognition, which has 10 layers. The first and fourth layers are convolutional layers with kernels of $5\times 5\times 1\times 20$, $5\times 5\times 20\times 50$, respectively. the second and fifth layers both are pooling layers with kernels of $2\times 2$. Layers 7 and 9 are fully connected layers with nodes of $500\times 800$, $10\times 500$, respectively, and the rest of the layers are activation layers. It has a total of 431,080 parameters.

4.2. Microbenchmarks

In this section, we benchmark the computations of the fully connected, convolutional, activation and pooling layers. Three different parameter sets are used for the experiments, and the average of 100 experiments is taken as the result. A comparison of the sub-layers performance in a semi-honestly security model is shown in

Table 3. Microbenchmarks in semi-honest security.

Layers	Dimension	FALCON		Proposed
		Time (ms)	Comm (KB)	Time (ms)	Comm (KB)
Fully-connect1	$784,128,10$	$1.55$	$122.50$	$1.41$	$91.88$
Fully-connect2	$1,500,100$	$0.44$	$1.56$	$0.36$	$1.17$
Fully-connect3	$1,100,1$	$0.18$	$0.02$	$0.17$	$0.01$
Conv1	$28,5,1,20$	$0.63$	$180.00$	$0.53$	$135.00$
Conv2	$28,3,1,20$	$0.50$	$211.25$	$0.42$	$158.44$
Conv3	$8,5,16,50$	$0.67$	$12.50$	$0.61$	$9.38$
ReLU1	$128,128$	$5.38$	$3504.00$	$0.60$	$320.00$
ReLU2	$576,20$	$1.44$	$2463.75$	$0.50$	$225.00$
ReLU3	$64,16$	$1.19$	$219.00$	$0.43$	$20.00$
Maxpool1	$24\times 24\times 20,2\times 2$	$7.12$	$1949.06$	$1.39$	$168.75$
Maxpool2	$24\times 24\times 16,2\times 2$	$6.64$	$1559.25$	$1.19$	$135.00$
Maxpool3	$8\times 8\times 50,4\times 4$	$3.43$	$782.23$	$0.41$	$58.59$

. The fully connected and convolutional layers mainly invoke the protocol ${\prod }_{MatMul}$ which reduces the computational complexity from $4\ell$ to $3\ell$ compared to Falcon, resulting in an improvement in communication cost of about 1/4 under the same parameters. In the activation layer, compared to Falcon, there are fewer calls to the comparison protocol, resulting in performance improvement of about $2.7\times$–$9.0\times$ in computation time and about $10.95\times$ in communication cost for the same parameters. In the pooling layer, we mainly calculate the maximum value in the local field without focusing on its index, and the protocol ${\prod }_{MP}$ is based on the protocol ${\prod }_{RU}$, so the performance is also improved compared to Falcon, with the $5.1\times$–$8.4\times$ improvement in computation time and about $11.6\times$–$13.4\times$ in communication cost.

In the malicious security model, the computational performance of the sub-layers is shown in

Table 4. Microbenchmarks in malicious security.

Layers	Dimension	FALCON		Proposed
		Time (ms)	Comm (KB)	Time (ms)	Comm (KB)
Fully-connect1	$784,128,10$	$7.10$	$809.88$	$4.72$	$153.13$
Fully-connect2	$1,500,100$	$1.03$	$198.63$	$0.59$	$1.95$
Fully-connect3	$1,100,1$	$0.30$	$1.20$	$0.27$	$0.02$
Conv1	$28,5,1,20$	$2.93$	$402.31$	$1.67$	$225.00$
Conv2	$28,3,1,20$	$2.06$	$406.39$	$0.95$	$264.06$
Conv3	$8,5,16,50$	$2.90$	$176.56$	$1.78$	$15.63$
ReLU1	$128,128$	$5.89$	11,896.00	$2.10$	$448.13$
ReLU2	$576,20$	$3.65$	16,098.80	$1.62$	$315.13$
ReLU3	$64,16$	$3.70$	$1431.00$	$0.53$	$28.13$
Maxpool1	$24\times 24\times 20,2\times 2$	$10.56$	12,681.60	$4.23$	$236.63$
Maxpool2	$24\times 24\times 16,2\times 2$	$9.15$	10,145.20	$1.53$	$189.38$
Maxpool3	$8\times 8\times 50,4\times 4$	$5.77$	$5036.13$	$1.29$	$83.91$

. The performance is lower than in the semi-honest security model due to the need to verify the correctness of the data in the communication in each protocol. In our scheme, the introduction of the hash function leads to a significant reduction in communication cost. Compared to Falcon, the improvement is much higher than in in the semi-honest model. For example, with the same parameter setting of the fully connected and convolutional layers, the communication cost is improved by about $1.3\times$ with the semi-honest security setting, while it can be improved by about $1.8\times$–$101.9\times$ with the malicious security setting. With the same parameter setting in the activation layer, the communication cost is increased by about $11.0\times$ with the semi-honest security setting, while it can be increased by $51.1\times$ with the malicious security setting. In the pooling layer with the same parameter setting, the communication cost is increased by approximately $12\times$ with the semi-honest security setting, while it is increased by approximately $54\times$ with the malicious security setting.

After theoretical and experimental analysis, verify that the proposed scheme has better performance in terms of computation time as well as communication complexity. Experiments under both security definitions are also compared and show that the performance of the malicious model is lower than that of the semi-honest model, but the performance improvement of the malicious model is higher than that of the semi-honest model compared to other works.

4.3. Security Prediction

Table 5. Comparison of security predictions under different architectures.

Networks		FALCON		Proposed
		Semi-Honest	Malicious	Semi-Honest	Malicious
Network-A	Time (ms)	$54.01$	$78.81$	$45.71$	$61.20$
	Comm (KB)	$63.38$	$1090.87$	$8.90$	$13.34$
Network-B	Time (ms)	$45.02$	$75.56$	$39.54$	$47.60$
	Comm (KB)	$250.34$	$2144.46$	$34.65$	$52.42$
Network-C	Time (ms)	$47.56$	$77.21$	$32.36$	$42.98$
	Comm (KB)	$2467.58$	15,733.20	$324.02$	$486.19$
Network-D	Time (ms)	$214.83$	$266.90$	$155.28$	$194.38$
	Comm (KB)	$3626.88$	25,292.3	$476.52$	$714.94$

shows the number of communication bytes (KB) and the end-to-end latency (ms) for the proposed scheme to perform a single inference query with the Falcon framework. We execute the queries in different network architectures as well as in semi-honest and malicious settings. In the semi-honest setting, predicting a single sample takes about 45.71 ms with an improvement of $1.18\times$, and its communication cost is about 8.90 KB with an improvement of $7.12\times$ on Network-A. On Network-B, it takes about 39.54 ms with an improvement of $1.14\times$, and its communication cost is about 34.65 KB with an improvement of $7.23\times$. On Network-C, it takes about 32.36 ms ($1.47\times$), and its communication cost is about 324.02 KB ($7.62\times$). Network-D takes about 155.28 ms ($1.38\times$), and its communication cost is about 476.52 KB ($7.61\times$). In a malicious security setting, our work is $1.29\times$–$1.80\times$ faster, with a communication efficiency improvement of about $32.36\times$–$81.77\times$ compared to Falcon.

These experiments show that the proposed method has lower latency and fewer communication cost in single-sample prediction. Depending on the trust assumptions, malicious model requires more communication as well as higher runtimes compared to the semi-honest model. Figure 3 shows that the time performing batch prediction on different networks is roughly linear in the number of samples. Similarly, compared to the Falcon framework, our scheme performs better when predicting the same number of samples.

4.4. Comparison vs. Plaintext Computation

We perform experiments comparing secure prediction using secret sharing with traditional plaintext prediction using PyTorch. Results with the 64-bit floating-point data type on PyTorch (plaintext) and the 32-bit data type (secret sharing) are shown in

Table 6. Comparison of accuracy under secure prediction and plaintext.

Networks	Training Accuracy	Plaintext Inference	Security Inference	Relative Error
Network-A	$98.06\%$	$97.12\%$	$96.64\%$	$0.48\%$
Network-B	$99.00\%$	$97.90\%$	$97.04\%$	$0.86\%$
Network-C	$99.56\%$	$99.02\%$	$98.70\%$	$0.32\%$
Network-D	$97.77\%$	$97.22\%$	$96.50\%$	$0.72\%$

. The second and third columns show the accuracy with the training set and test set obtained by setting the learning rate to 0.1 and iterating 15 times using traditional prediction methods. The fourth column is the accuracy of the test set under three-party secure computation. The fifth column is the error values for prediction accuracy, with differences all less than 1% between secure computation and plaintext computation. The results show that most networks have no/low loss in accuracy when the computation is performed as a fixed-point integer with the 13-bit precision in our work, confirming the effectiveness of the proposed scheme.

5. Conclusions

This paper proposes a neural network model for privacy prediction based on a 3PChree-party secure computing framework. While traditional 3PChree-party secure computing outsources all computations to three non-colluding servers, our three-party refers to the client, the service provider and the third-party server that assists in the computation. Because of the inclusion of the client in the computation, the definition of security in the model is slightly different than before. Therefore, depending on the different trust assumptions, this paper proposes wo definitions of security to choose from, namely semi-honest and malicious security.

The introduction of the secret sharing technique ensures that the model parties do not have access to the original data of the client as well as the model parameters of the service provider, thus ensuring data security. Therefore, we give sub-protocols such as ${\prod }_{Reconst}$, ${\prod }_{Mult}$, ${\prod }_{MatMul}$, ${\prod }_{Wrap}$, ${\prod }_{RU}$ and ${\prod }_{MP}$ through the secret sharing technique. Compared to existing works, our scheme offers an improvement in both prediction time and communication cost.

The times reported in our experiments are all online times, and the performance of the framework would be further improved if the multiplicative triples computation is divided into the offline phase. As the entire codebase is parallelizable, improvements may be made later by parallelization or using GPUs in future work.