Goten: GPU-outsourcing trusted execution of neural network training
Deep learning unlocks applications with societal impacts, e.g., detecting child exploitation imagery and genomic analy sis of rare diseases. Deployment, however, needs compliance with stringent privacy regulations. Training algorithms that preserve the privacy of training data are in pressing nee...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Other Authors: | |
| Format: | Conference or Workshop Item |
| Language: | English |
| Published: |
2022
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/157152 https://ojs.aaai.org/index.php/AAAI/issue/archive |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| Summary: | Deep learning unlocks applications with societal impacts,
e.g., detecting child exploitation imagery and genomic analy sis of rare diseases. Deployment, however, needs compliance
with stringent privacy regulations. Training algorithms that
preserve the privacy of training data are in pressing need.
Purely cryptographic approaches can protect privacy, but they
are still costly, even when they rely on two or more non colluding servers. Seemingly-“trivial” operations in plain text quickly become prohibitively inefficient when a series
of them are “crypto-processed,” e.g., (dynamic) quantization
for ensuring the intermediate values would not overflow.
Slalom, recently proposed by Tramer and Boneh, is the first `
solution that leverages both GPU (for efficient batch compu tation) and a trusted execution environment (TEE) (for min imizing the use of cryptography). Roughly, it works by a lot
of pre-computation over known and fixed weights, and hence
it only supports private inference. Five related problems for
private training are left unaddressed.
Goten, our privacy-preserving training and prediction frame work, tackles all five problems simultaneously via our care ful design over the “mismatched” cryptographic and GPU
data types (due to the tension between precision and ef ficiency) and our round-optimal GPU-outsourcing protocol
(hence minimizing the communication cost between servers).
It 1) stochastically trains a low-bitwidth yet accurate model,
2) supports dynamic quantization (a challenge left by
Slalom), 3) minimizes the memory-swapping overhead of the
memory-limited TEE and its communication with GPU, 4)
crypto-protects the (dynamic) model weight from untrusted
GPU, and 5) outperforms a pure-TEE system, even without
pre-computation (needed by Slalom). As a baseline, we build
CaffeScone that secures Caffe using TEE but not GPU; Goten
shows a 6.84× speed-up of the whole VGG-11. Goten also
outperforms Falcon proposed by Wagh et al., the latest se cure multi-server cryptographic solution, by 132.64× using
VGG-11. Lastly, we demonstrate Goten’s efficacy in training
models for breast cancer diagnosis over sensitive images. |
|---|