Deep learning security verification and privacy computing method against malicious server

By employing commitment and accuracy verification and secure two-party computation in the deep learning as a service (MLaaS) scenario, and utilizing certified secret sharding and zero-knowledge proofs, the problems of malicious servers providing low-quality services and privacy leaks are solved, achieving an efficient and secure model inference process.

CN122179097APending Publication Date: 2026-06-09UNIV OF ELECTRONICS SCI & TECH OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
UNIV OF ELECTRONICS SCI & TECH OF CHINA
Filing Date
2026-03-18
Publication Date
2026-06-09

Smart Images

  • Figure QLYQS_161
    Figure QLYQS_161
  • Figure QLYQS_164
    Figure QLYQS_164
  • Figure QLYQS_166
    Figure QLYQS_166
Patent Text Reader

Abstract

The application provides a deep learning security verification and privacy calculation method against malicious servers, comprising: a commitment and accuracy verification step, in which a server commits to model parameters and proves to a client through zero-knowledge proof that the accuracy of the committed model on a specified test set meets a preset threshold; and a secure reasoning step, in which both parties perform reasoning on the committed model on the private input of the client based on authentication secret fragmentation and a malicious security two-party computation protocol for fixed malicious parties. In the method, the verification overhead is greatly reduced by converting the matrix multiplication verification of the linear layer into the vector inner product verification of the compressed dimension; and the alternating evaluation of the layers and nonlinear layers in the deep learning model is supported through the mixed design of the arithmetic circuit and the Boolean circuit, and the conversion between different circuit domains is realized through a multiplication sub-protocol based on labels. The practicability and efficiency of the secure reasoning under the malicious model are significantly improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to information security, privacy computing, and secure multi-party computation technologies, and particularly to deep learning-based security verification and privacy computing technologies for resisting malicious servers. Technical Background

[0002] In the paradigm of deep learning services, service providers (such as remote servers) typically deploy and provide inference services to customers on a pay-as-you-go pricing model. Server hosting usually has parameters. model It also provides an inference application programming interface (API) to the public. Clients can send queries to the server. And receive the corresponding results. Due to intellectual property and privacy concerns, protecting the privacy of client queries and server model parameters has become an urgent need. To address this, some works have proposed secure inference under a semi-honest setting based on secure two-party computation (2PC) technology. These schemes ensure that the server cannot obtain the privacy of client queries and server model parameters. And customers, besides Apart from its derivation, it is impossible to know anything about Any information.

[0003] However, existing solutions lack mechanisms to verify whether service providers are faithfully adhering to protocol specifications. On one hand, malicious attackers could compromise servers, causing them to provide services using low-quality models instead of the claimed high-quality models. Inaccurate or erroneous inference results could have serious consequences, such as misleading medical diagnoses. On the other hand, there are instances where servers deviate from the protocol with the aim of stealing customers' private input. Worse still, such deviations can occur undetectably, meaning the server can still provide seemingly correct inference services while stealing customer input. These vulnerabilities highlight the need for more stringent security safeguards in inference services. Summary of the Invention

[0004] The technical problem to be solved by the present invention is to provide a secure verification and privacy computing framework for Deep Learning as a Service (MLaaS) scenarios that ensures the correct service is provided on a claimed accurate deep learning model while protecting the privacy of both the client and the server.

[0005] The technical solution adopted by this invention to solve the above-mentioned technical problems is a deep learning security verification and privacy computation method for resisting malicious servers, comprising the following steps:

[0006] Commitment and accuracy verification steps: Server Make commitments to the model parameters and to the client. Prove that the promised model meets a preset threshold in accuracy on the specified test dataset, and both parties obtain a certified secret shard of the model parameters. , ;

[0007] Among them, the server With the client Invoke the input sub-protocol of the secure two-party computation protocol, and send the server... Model parameters Convert to authentication secret sharding format , Indicates the first The model parameter matrix for each linear layer This represents the authentication secret fragment; the authentication secret fragment The structure is Authentication secret shard Including clients Holding Fragments and MAC key and by server Holding Fragments and MAC tags ;in , , This is the global key;

[0008] Client With server The server invokes a zero-knowledge proof protocol based on vector unintentional linear evaluation. To the client Prove the authenticity of the promised model parameters using secret shards. The accuracy on the specified test set meets the preset threshold.

[0009] Secure reasoning steps: After accuracy verification passes, the client... With server Based on the authentication secret sharding, the matrix multiplication verification of the linear layer is transformed into a vector inner product verification of the compressed dimension, thereby enabling client-side verification on the commitment model. Private input data Perform inference and, during the inference process, interact with the server. The correctness of the calculation steps is verified to obtain the reasoning result. ;

[0010] The inference process protects the client. Input data With server Model parameters Privacy, and client It can verify the completeness of the reasoning process;

[0011] For linear layer computation, the first Intermediate results from the output of a linear layer Decompose it into and Calculate the two parts separately. For the first Input data for each linear layer Server sharding, For the first Input data for each linear layer Client-side sharding.

[0012] The proposed secure verification and privacy computation framework consists of two components. The first is commitment and accuracy verification. The server first commits to the model parameters and proves, using zero-knowledge proofs, that the committed model achieves the claimed accuracy on a client-selected test dataset. The second is secure inference against malicious servers on the committed model. This part is built upon a secure two-party computation 2PC protocol with a fixed malicious participant, designed in this invention, for a malicious model. This invention carefully addresses the compatibility issues of these two components and leverages the advantage that the semi-honest party can inspect the behavior of the malicious participant, achieving high efficiency while supporting both arithmetic and Boolean circuit evaluation. This is crucial for secure inference because deep learning models typically consist of alternating linear and nonlinear layers, which need to be evaluated in arithmetic and Boolean circuits, respectively.

[0013] To meticulously integrate zero-knowledge proofs (ZK) using 2PC technology, the protocol of this invention is built upon authentication sharing. To evaluate authenticated multiplications in arithmetic circuits, this invention leverages the advantages of a static malicious model, splitting authenticated multiplications on secret shared values ​​into two sub-multiplications on non-shared values, thereby allowing the invocation of efficient ZK proofs to verify the correctness of the computation. For secure evaluation of arbitrary nonlinear functions, the Boolean circuit protocol of this invention employs a confused circuit paradigm, as confused circuits (GC) are inherently secure against malicious evaluators, allowing this invention to designate malicious service providers as evaluators. For improved performance, this invention proposes two constructs for an improved GC-based solution. Experimental results show that this invention achieves a one to two-order-of-magnitude improvement in communication and computational costs compared to traditional general-purpose secure computation protocols secure under malicious models.

[0014] The beneficial effects of this invention are:

[0015] (1) Comprehensive improvement in security:

[0016] Verifiable integrity: For the first time, a verifiable guarantee of the integrity of the deep learning model inference process is achieved under the static malicious model, ensuring that malicious service providers cannot deviate from the protocol without being detected.

[0017] Double privacy protection: Protects the privacy of customer query data and service provider model parameters in both directions, preventing information leakage even in malicious attack environments.

[0018] Accuracy auditable: Zero-knowledge proof technology enables customers to verify whether the model has reached the claimed accuracy threshold before inference.

[0019] (2) Breakthrough improvement in computational efficiency:

[0020] By organically integrating zero-knowledge proofs and secure two-party computation through authentication-sharing technology, a unified malicious secure computation framework is constructed, avoiding the performance loss caused by simply adding cryptographic tools.

[0021] The authentication multiplication is broken down into parallel verifiable subtasks, and malicious behavior detection is achieved using efficient zero-knowledge proofs.

[0022] Obfuscated circuits are used to handle nonlinear functions, leveraging their inherent malicious security to reduce overhead.

[0023] The complexity of matrix multiplication verification is reduced from O(m×n) to O(n) by using random vector compression techniques.

[0024] Optimize data transmission in numerical truncation operations, reducing traffic from O(ℓ) 2 ) decreased to O(ℓ(ℓ- )).

[0025] It supports full-layer batch consistency checks, avoiding redundant communication for layer-by-layer verification.

[0026] (3) Significantly enhanced practicality

[0027] Compatible with existing models: Supports standard deep learning model structures, uses fixed-point computation throughout, and remains compatible with mainstream secure inference schemes.

[0028] Reduced deployment costs: Accuracy verification only needs to be performed once, and its overhead can be spread across multiple inference services, making it suitable for real-world application scenarios.

[0029] Significant performance advantages: Experiments show that this solution has a 1-2 order of magnitude improvement in communication and computing costs compared to traditional general-purpose security computing protocols for malicious security, making security reasoning under malicious models practical for the first time. Detailed Implementation

[0030] I. The specific requirements that this invention needs to meet are as follows:

[0031] (1) Accuracy: Before requesting the inference service, the customer should be able to verify whether the accuracy of the server model meets the claimed threshold.

[0032] (2) Integrity: The customer should be able to detect with overwhelming probability any deviation of the server from the specified protocol on the claimed model.

[0033] (3) Privacy: The proposed solution should prevent malicious servers from stealing client input and output, while protecting the privacy of the server model.

[0034] II. To clearly describe this invention, the basic cryptographic primitives involved in this invention will first be introduced.

[0035] Arithmetic Secret Sharing and IT-MACs: This invention utilizes finite fields It uses a 2-out-of-2 arithmetic secret sharing mechanism, combined with information theory message authentication codes (IT-MACs) to ensure security against malicious attacks. The samples (such as images and text) that customers want to query may contain personal privacy information (medical records, facial photos), which is private information that this invention needs to protect, and therefore cannot be known by the server. The specific content of this is called a secret. Given a secret... , For a containing A finite field of elements, client The arithmetic secret fragment held is represented as ,server The arithmetic secret fragment held is represented as This makes in middle Security is satisfied: given or , It's perfectly hidden. Furthermore, it uses IT-MACs for authentication. The value on. Let To randomly sample the global key shared by all MACs, by Value By giving A uniform key as a MAC key And give A MAC tag To perform authentication, so that Although secure protocols typically require [a certain level of security] under a (two-party) malicious model. Secret sharing occurs between the parties, but in this invention, the semi-honest party... Choose and hold Authentication secret shard The structure is a tuple ,in , That is, for authentication secret shards. Including clients Shards held and MAC key and by server Shards held and MAC tags .

[0036] In the following description, This indicates the authentication value based on IT-MACs. Indicates the authentication secret fragment, Indicates definition, For verification equations, Indicates the function output. This indicates assignment.

[0037] Additively Homomorphic Encryption (AHE): The additively homomorphic encryption scheme includes four algorithms: key generation (KeyGen), encryption (Enc), decryption (Dec), and homomorphic evaluation (Eval).

[0038] KeyGen( ) (pk, sk): Given security parameters It returns the public key pk and the private key sk.

[0039] Enc(pk, ) Given PK and message Return ciphertext .

[0040] Dec(sk, ) Given sk and ciphertext , return message .

[0041] Eval(pk, ) Given PK, two ciphertexts and (in , ), and linear functions Return ciphertext ,satisfy This corresponds to the additive homomorphism of AHE. and They are and The corresponding message.

[0042] Garbled Circuits (GC): Garbled circuits are a general scheme for securely evaluating arbitrary Boolean circuits. It consists of a pair of algorithms: Garble (the garbled circuit) and Garbled Circuit Evaluation (GCEval).

[0043] Given security parameters sum function ,gather The superscript indicates the length of the binary string, returns the obfuscated circuit GC, and a set of input labels. and a set of output labels . The input bit length of the Boolean circuit. is the output bit length of the Boolean circuit. Indicates the index number. This indicates a bit value of 0 or 1. Indicates the corresponding number The input wire is in Input labels for different states. The superscript "in" indicates input, and the superscript "out" indicates output.

[0044] Given GC and corresponding input tags Returns the output corresponding to tags .

[0045] This invention uses an obfuscation scheme instantiation with Point-and-Permute (PaP) optimization. For each AND gate in the obfuscated circuit GC, the obfuscator garbage collector generates a table containing four ciphertexts, where the tag of each input wire is used as a key to encrypt the corresponding output wire tag. Therefore, the evaluator typically needs to test all four ciphertexts to find the correct one. The core idea of ​​PaP is to interpret a portion of the tag as a pointer to a table, and the encrypted content is placed at the location pointed to by that pointer. Specifically, for each tag... wires PaP will Constructed as , Indicates the first A wire with a bit value The key part at that time, No. A wire with a bit value The pointer part at that time, and satisfying the constraints. , This indicates an XOR operation. Using this technique, the evaluator only needs to decrypt the ciphertext that is uniquely pointed to.

[0046] 1) Zero-knowledge proof for inner products: This invention uses the QuickSilver protocol, as the most advanced ZK protocol, to prove the inner product result. Formally, the prover and the verifier hold the first vector of the inner product. The second vector and its inner product Authentication and public value The prover aims to prove to the verifier... Equal to 0, To prove the function, the main idea is that the following equation holds:

[0047] ;

[0048] This is denoted as , representing the sub-item labeling split; observation As known to the verifier, The publicly available verification value held by the verifier. To the knowledge of the witness, The first intermediate coefficient calculated by the prover. The second intermediate coefficient was calculated for the prover. Therefore, the equation represents a linear relationship, which can be verified by the following method.

[0049] Batch Check. Note that by using a random linear combination, simultaneous checks are possible. Such a relationship. This indicates the number of items to be checked in the batch. Assume the prover possesses... The validator possesses and This makes batch inspection more general. .

[0050] a) Both parties first generate a random vector for unintentional linear evaluation (VOLE) of the relationship. Among them, the certifier holds Validator holds . This refers to the merged verification data in a batch verification scenario.

[0051] b) Then, the verifier samples a random number. And send it to the prover, who calculates... and And send it to the verifier. For batch verification aggregation value, For batch verification aggregation value. random numbers of Power of 1.

[0052] c) Finally, the validator calculates the aggregated values ​​in the batch validation. value Then check if If the underlying value (i.e. If the calculation is incorrect, the probability that the above relationship holds true is only [missing information]. , Representing a finite field The number of elements in the array.

[0053] 2) Black-box protocol: The following black-box protocol can safely and correctly obtain the corresponding output given the input. It will be used in subsequent algorithms. Make the call.

[0054] a) Oblivious Transfer Protocol (OT): OT (Oblivious Transfer) protocol Implement a privacy-preserving message transmission function that allows users to choose between two options. The protocol input consists of two options held by the sender. Message and the selection bit held by the recipient The output is what the receiver receives. This protocol guarantees that the receiver can only receive the selected messages. Unable to obtain Furthermore, the sender cannot know the recipient's choice. This invention requires that OT be secure for both semi-honest senders and malicious receivers, and utilizes OT instantiation from existing technologies.

[0055] b) Vector Oblivious Linear Evaluation Protocol (VOLE): VOLE (Vector Oblivious Linear Evaluation) protocol Implement vector linear correlation generation based on a global key. The protocol operates in a finite field. The process is divided into two phases: initialization and expansion.

[0056] Initialization: The protocol sends a message to the client. Output a globally sampled key with uniform random sampling. .

[0057] Extend: Given the length of the output vector The protocol sends to the client Output vector Send to server Output vector .

[0058] Output relationship: VOLE output vector Satisfy linear relationship In a malicious model, if It is malicious, allowing it to specify. and The agreement is recalculated accordingly. To maintain a linear relationship.

[0059] II. Implementation Plan

[0060] This solution consists of two core layers: first, a malicious security 2PC protocol targeting fixed malicious participants at the bottom layer, and second, a secure and reliable inference framework built on top of this protocol.

[0061] Core 1: Malicious Security 2PC Protocol Targeting Fixed Malicious Participants

[0062] In this embodiment, the protocol runs on a semi-honest client. and malicious servers Between. System preset parameters include finite domain. The additive homomorphic encryption scheme AHE(KeyGen,Enc,Dec) uses a vector inadvertent linear evaluation function. Unintentional transmission function , and the obfuscated circuit scheme GC.

[0063] The secure computing protocol proposed in this invention The first part of the process is as follows:

[0064] 1. Initialization Phase

[0065] Client Generate AHE key pairs and the public key Send to server .

[0066] Client and server Call Function (send Init command) to the client Return a A globally selected key that is uniformly and randomly selected .

[0067] 2. Input Stage

[0068] For clients Each input : exist random sampling fragments and MAC tags . Calculate local fragments and keys . Will Send to server At this point, both parties hold input... Authentication fragments .

[0069] For from the server Each input : and Call Function (sends Extend command). This function sends... return , The random mask obtained by the server. Random mask held by the server MAC tag, to Returns a random mask held by the client. MAC key . Calculate the difference And send to Both parties calculate the input. Authentication fragments : hold and ; hold and .

[0070] 3. Arithmetic Circuit Evaluation Phase

[0071] 3.1 Without loss of generality, assume that the arithmetic circuit It contains only one multiplication gate. Both sides hold the input. And evaluate the multiplication according to the following steps. To obtain :

[0072] a) Local computation: Client Locally calculated product part , for Client-side sharding, for Client-side sharding.

[0073] b) Server computation and authentication: Client and server Call Function. This function provides... return ,Towards return .server Calculate the product part And send the difference Give . and Set separately Authentication parameters ,Right now set up The MAC label is and receive Then, calculate MAC key .

[0074] c) Calculate the first cross term : send Give . Sample random numbers , This means uniformly and randomly selecting B from a specified set A. For the first cross item shard held by the server, The MAC tag corresponding to the second cross item fragment held by the server is used to calculate the ciphertext using homomorphic properties. and and will Send to . Decryption and At this time, both parties hold Authentication fragments .

[0075] d) Calculate the second cross term : send Give . Sample random numbers ,calculate and and will Send to . Decryption and At this time, both parties hold Authentication fragments .

[0076] e) Result aggregation (client-side): calculate and .

[0077] f) Result aggregation (server): calculate and .

[0078] 3.2 To verify whether the malicious server's calculations are correct (i.e., to verify...) (And the correctness of the cross term calculation), both parties shall perform the following checks:

[0079] a) Prepare the verification items: Calculated MAC product and check difference . Computation key combination .

[0080] b) Challenge generation: Random sampling challenge value And send to .

[0081] c) Perform VOLE verification: and Call Function, return Give ,return Give . Calculate the aggregated MAC value in the final verification. and the aggregated values ​​in the final verification and will Send to .

[0082] d) Final verification: The aggregated key value is calculated in the final verification. And check the equation Is it true or false? If the check fails, then... Output an error and abort the protocol.

[0083] When verifying multiple multiplication gates, the above checks can be performed only once by linear combination to improve efficiency.

[0084] Following the above arithmetic circuit evaluation, the secure computing protocol proposed in this invention... The second part of the process is as follows:

[0085] 4. Boolean Circuit Evaluation Phase

[0086] Without loss of generality, assume a Boolean circuit. It contains only a single input and a single output (expandable to multiple inputs and multiple outputs). Both parties hold authenticated inputs. And evaluate the Boolean circuit according to the following steps to obtain ,in :

[0087] a) Generation circuit: Client Run the obfuscation algorithm Generate the GC (Confusion Circuit) and its corresponding input tags. and output tags Among them, the circuit The logic is: For input, in Reconstruction and output . express Corresponding to the The input wire is in Input label for the status. express Corresponding to the The input wire is in Output label when in a state.

[0088] b) Input tag for transmission server: for input length Each and every one of them Both parties invoked the unintentional transmission function. Client As the sender input A pair of labels ,server As the receiver, it inputs its fragmented bits. Obtain authentication input held by the server 2 fragments The bits Corresponding tags .

[0089] c) Transmit client input tag: Client Based on its fragmentation Select the corresponding tag And send these tags and obfuscated circuits to the server. .

[0090] d) Circuit evaluation: Server Run evaluation algorithm Using the received labels as input, calculate and obtain the output labels. .

[0091] To convert the output tags of the obfuscated circuit back to arithmetic authentication fragments, both parties invoke the tag-based multiplication protocol GCMul:

[0092] e) Obtain result fragments Both parties invoke the GCMul protocol. Input all possible output labels And 1 as a multiplier, Input the labels obtained from its evaluation The protocol returns a fragment of the Boolean circuit output obtained by the client. Give The Boolean circuit output result obtained from the server is fragmented. Give .

[0093] f) Obtain the MAC result: Both parties call the GCMul protocol again. Input all output labels and (Global key) as the multiplier, Input the evaluation label. The protocol returns the result to the client after a second call to GCMul. Client-side sharding Give The result returned by the server after the second call to GCMul Server sharding Give . Compute key . Set tags At this point, both parties hold the results. Authentication fragments . The MAC key used for the calculation result. MAC tags used for calculation results.

[0094] g) Input consistency auxiliary calculation: for subsequent verification Did the inputs used in the OT phase conform to its commitment? Both parties invoked the GCMul protocol again. Enter all input tags and with global key As a multiplier, Enter the input label it holds The protocol returns the fragment obtained from the client's third call to GCMul. Give The server returns the shard obtained from the third call to GCMul. Give . calculate . set up . and Used for input consistency verification.

[0095] Both parties shall perform the following steps to verify Consistency (i.e.) The inputs used in the Boolean circuit are the same as those used in the previous arithmetic circuit. Correctness:

[0096] a) Local computation: calculate . calculate .

[0097] b) Challenge generation: Random sampling challenge value And send to .

[0098] c) VOLE extended verification: Both parties call Extend function, to return ,Towards return . Calculate the combined value as well as and will Send to .

[0099] d) Final verification: calculate And check if it meets the requirements. If the check fails, then Output an error and abort the protocol.

[0100] 5. Label-based multiplication sub-protocol (GCMul)

[0101] This sub-protocol is used to convert or compute data in the Boolean field into shared fragments in the arithmetic field by using the labels of the obfuscated circuit as a mask.

[0102] GCMul is a general sub-protocol that is called three times during the Boolean circuit evaluation phase, each time with different input variables. Placeholders are used to specify the input variables of GCMul. This indicates that GCMul's input uses placeholders. express.

[0103] Preset parameters: Finite field Random Oracle ; and length parameter , This indicates rounding up to the nearest integer.

[0104] Input: Client Enter the labels for all wires. and a multiplication factor (This factor is determined by the client when calculating MAC-related shards) Enter the global key it holds directly. ).server Input the valid labels obtained from its evaluation ,in Corresponding to The actual bit value.

[0105] Output: Client and server Obtain result fragments respectively and , satisfying superior , For the client The input multiplication factor. In the secure inference process of this invention, when it is necessary to generate the MAC tag for the authentication fragment, this... The value is the global key. .

[0106] Specific steps

[0107] 1) For each and Client label Parsing into a combination of key and pointer , For input The A wire with a bit value The key part at that time, For input The A wire with a bit value The pointer value at that time.

[0108] 2) For each Client Calculate auxiliary value based on pointer value :if ,but The first calculation client locally computed hash value , Use a hash function and set the hash value sent by the client to the server. Auxiliary values . Used to convert obfuscated circuit tags into arithmetic fragments. If (Right now ),but set up and calculate .

[0109] 3) Client The calculated set Send to server and set its local output fragments. .

[0110] 4) For each ,server The label it holds Parsed as , Indicates the actual value. For input No. The pointer part of the wire, For input No. The key portion of the wire is calculated, and: if the server actually holds information about the input... No. Pointer value of a wire ,but Set the server-side recovery of the first Bitmask value Otherwise (i.e.) ), set up Finally, the server Calculate and obtain output fragments .

[0111] 6. Output Stage

[0112] When the protocol ends, reconstruct the results as needed:

[0113] Scenario 1 (Client) Get Results ):server Its fragmentation and MAC Send to the client . examine If the verification passes, Calculate and output Otherwise, the process will be suspended.

[0114] Scenario 2 (Server) Get Results ): Client Slice it Send to server . Calculate and output .

[0115] Core 2: Secure Reasoning Framework

[0116] This section proposes a secure and reliable inference protocol for malicious servers. The protocol consists of two phases: 1) commitment and accuracy verification; 2) secure inference against malicious servers based on the commitment model.

[0117] 1) Commitment and Accuracy Verification

[0118] During this phase, the server The claimed model is preprocessed to ensure it can be verified in a secure manner, and then the client... Its accuracy is verified. Specifically, both parties first invoke the secure two-party computation protocol (...). The input phase in the server will... Model parameters This is converted into an authentication format. This authentication format can be seamlessly integrated into accuracy proof schemes based on zero-knowledge proofs. Then, the client... The model is verified to meet a predetermined accuracy threshold using a test dataset. This embodiment uses the state-of-the-art QuickSilver zero-knowledge proof protocol based on Vector Inadvertent Linear Evaluation (VOLE) to instantiate this step, and employs the Mystique protocol for converting between authentication arithmetic values ​​and authentication Boolean values. Notably, this verification process only needs to be executed once, so its computational and communication overhead can be amortized across subsequent inference services.

[0119] To improve efficiency, this invention introduces optimizations specifically for secure inference scenarios. Throughout the process, fixed-point evaluation is used, thus avoiding the expensive overhead of converting between fixed-point (for linear layers) and floating-point (for nonlinear layers). This design follows most existing secure inference protocols, which have shown that fixed-point arithmetic has a negligible impact on model accuracy, and even a positive impact in some cases.

[0120] 2) Security reasoning based on the commitment model for malicious servers

[0121] Once the model accuracy verification is passed, the client You can request its private input. An inference service is performed. This inference service allows for multiple executions on different private samples. The process is instantiated using the aforementioned "malicious security 2PC protocol against a fixed malicious actor," where alternating linear and nonlinear layers are sequentially evaluated based on an arithmetic circuit protocol and a Boolean circuit protocol, respectively. It is worth noting that... The correctness verification step in the arithmetic process ensures that the model parameters used in each linear layer are consistent with the parameters promised in the accuracy verification phase described above, thereby preventing malicious servers from replacing the model without authorization after passing the verification.

[0122] Compared to the general 2PC protocol, this invention makes the following customized optimizations for model inference scenarios. Without loss of generality, assume the model parameter matrix... (in The dimension of ) is The input of each linear layer The dimension is .

[0123] 1. Linear layer parameter verification and computational optimization

[0124] In the linear layer, model parameters By server It can be owned without the need for secret sharing between the two parties.

[0125] Parameter authentication: Specifically, for each In order to authenticate during the input process , For the first The model parameter matrix for each linear layer Will Send to ,in It is a random VOLE matrix. Then both parties calculate the authentication value. for .

[0126] Multiplication evaluation simplification: given , For the first Layer input vector Client-side sharding vectors, For the first Layer input vector Server sharding vector, protocol The multiplication evaluation in the arithmetic process can be simplified to: calculating using only the method in step 3b of the arithmetic protocol. The authentication value, and the calculation using the method in step 3c. The authentication secret fragment.

[0127] 2. Matrix multiplication verification optimization

[0128] As mentioned above, in a linear layer, both parties need the first... Intermediate results from the output of a linear layer This includes Element-by-element multiplication. It is obvious that... Sub-correctness verification is very expensive because of the dimensionality of the parameters. Typically, the size is large. This invention can perform the above checks without sacrificing reliability. The multiplication is converted to a check-only operation. Multiplication. The specific method is to prove... ,in, It is by Uniform sampling and sending random vectors, For transpose, express The m-dimensional vector space is given. Based on additive homomorphism, both sides can easily compute the aggregate vector term optimized by matrix multiplication verification. and The authentication value. Therefore, only the dimension needs to be proven. The output weighted vector It can be established immediately.

[0129] This optimization strategy reduces the validation cost to the number of rows in the model parameter matrix. Decoupling. In typical deep learning models (such as after fully connected layers or convolutional layers are flattened). The values ​​are often as high as several thousand or even tens of thousands, while the input dimensions The value is relatively small. Therefore, this optimization reduces the verification cost by approximately [amount missing]. This represents a performance improvement of several times (typically 1-3 orders of magnitude). This improvement is one of the key efficiency advantages of this invention, enabling efficient and verifiable secure inference on large-scale deep learning models even under malicious scenarios.

[0130] 3. Nonlinear layer communication optimization

[0131] In nonlinear layers, this invention optimizes communication costs when numerical truncation is required. Assume the truncated bit length is... In each GCMul instance of a Boolean process, the two parties only need to communicate at the end. This data, and by both parties in Top settings (That is, only the high-order part is processed) Multiplication factor for The Each component. Through this optimization, the communication cost of a GCMul instance is [value missing]. Bits, rather than those in a general solution Bit.

[0132] In a typical fixed-point inference scenario, the total number of bits... Typically 64 or 128 bits, while the effective bit length Typically, it ranges from 16 to 32 bits. Therefore, this optimization reduces the communication volume of the GCMul sub-protocol by approximately [missing information]. (i.e., 50% to 75%), which significantly reduces the overall communication overhead of the nonlinear layer.

[0133] 4. Full-layer batch consistency check

[0134] To achieve better communication performance, this invention no longer performs layer-by-layer checks, but instead uses random linear combinations to batch check the consistency and correctness of all layers. Note that... All inspections can be categorized as inspections. Whether it is valid, among which Depend on Own or It should be 0. This represents the number of relationships to be checked in batches. (For checking...) Such a relationship (where) and Each has and ), First, sample uniformly random elements. Send it to Then check if the following equation is true: . Let be the i-th random challenge value used for batch checks.

[0135] Finally, the secure and reliable inference service process in this invention is as follows:

[0136] Preset parameters: include Linear layers (denoted as) ,in )and A nonlinear layer (denoted as) ,in ) model ; and the aforementioned VOLE-ZK protocol and secure two-party computation protocol ( ).

[0137] Input: Server Holding model parameters Client Holding input .

[0138] Output: Client Obtain the reasoning result ,in .

[0139] The specific steps are as follows:

[0140] Step 1: Verification of Commitment and Accuracy

[0141] 1.1 Model Input and Commitment: For each linear layer Client and server The input sub-protocols of the secure two-party computation protocol (corresponding to the aforementioned input phase) are executed separately. Server Input model parameters After the agreement is executed, both parties obtain and locally store the certified fragments of the model parameters. The authentication fragment It will serve as the sole valid parameter input for the subsequent secure inference phase, used to verify the consistency of the server's inference behavior.

[0142] 1.2 Proof of Accuracy: and Invoke a VOLE-based zero-knowledge proof protocol (such as QuickSilver). Towards Authentication fragments of model parameters that prove commitment The accuracy on the specified test set meets the preset threshold. If validation fails, The agreement shall be terminated; otherwise, it shall continue to be executed.

[0143] Step 2: Execution of Secure Reasoning

[0144] Once the accuracy verification is successful, both parties begin performing inference on the private input:

[0145] 2.1 First Linear Layer Evaluation: Both parties execute the input sub-protocol. Client Input private data The protocol returns the authentication fragment of the input data. Provided to both parties. Both parties execute the arithmetic circuit sub-protocol (corresponding to the aforementioned arithmetic circuit evaluation phase). Both parties input the function definitions of the first layer. In step 1.1, store the model parameter fragments of the first layer. and data authentication sharding The protocol returns the authentication fragment of the first-layer output. .

[0146] 2.2 Alternating evaluation of intermediate layers: For each subsequent layer The two sides alternately execute the non-linear layer and the linear layer protocol:

[0147] Nonlinear Layer: Both parties execute the Boolean circuit sub-protocol (corresponding to the aforementioned Boolean circuit evaluation phase). Input nonlinear function. and fragmentation The protocol returns the authenticated fragment after non-linear activation. .

[0148] Linear layer: Both parties execute the arithmetic circuit sub-protocol. Input linear function. The corresponding model parameter fragments that were pre-authenticated and stored in step 1.1 and the data shards after activation The protocol returns the output fragment of the current linear layer. .

[0149] Step 3: Output the results

[0150] After inference, both parties execute the output sub-protocol (corresponding to the aforementioned output phase). Both parties input the output fragment of the last layer. The recipient is specified as the client. The protocol reconstructs the plaintext result. Send to . Output the final reasoning result .

[0151] As can be seen, in the presence of malicious service providers (malicious servers), this invention achieves verification of model accuracy, validation of the integrity of the inference process, and two-way privacy protection for client queries and server model parameters. While ensuring service quality (accuracy and integrity) and data privacy security, by combining zero-knowledge proofs with a specifically designed malicious security two-party computation technique, computational and communication overhead in malicious environments is significantly reduced.

Claims

1. A deep learning-based security verification and privacy computation method for resisting malicious servers, characterized in that, Includes the following steps: Commitment and accuracy verification steps: Server Make commitments to the model parameters and to the client. Prove that the promised model meets a preset threshold in accuracy on the specified test dataset, and both parties obtain a certified secret shard of the model parameters. , ; Among them, the server With the client Invoke the input sub-protocol of the secure two-party computation protocol, and send the server... Model parameters Convert to authentication secret sharding format , Indicates the first The model parameter matrix for each linear layer This represents the authentication secret fragment; the authentication secret fragment The structure is Authentication secret shard Including clients Holding Fragments and MAC key and by server Holding Fragments and MAC tags ;in , , For the client The global key held; Client With server The server invokes a zero-knowledge proof protocol based on vector unintentional linear evaluation. To the client Prove the authenticity of the promised model parameters using secret shards. The accuracy on the specified test set meets the preset threshold. Secure reasoning steps: After accuracy verification passes, the client... With server Based on the authentication secret sharding, the matrix multiplication verification of the linear layer is transformed into a vector inner product verification of the compressed dimension, thereby enabling client-side verification on the commitment model. Private input data Perform inference to obtain the input authentication fragments for each linear layer. and output authentication fragments - ,in For initial input ; And during the reasoning process, the server The correctness of the calculation steps is verified to obtain the reasoning result. ; The inference process protects the client. Input data With server Model parameters Privacy, and client It can verify the completeness of the reasoning process; For linear layer computation, the first Intermediate results from the output of a linear layer Decompose it into and Calculate the two parts separately. For the first Input data for each linear layer Server sharding, For the first Input data for each linear layer Client-side sharding.

2. The method as described in claim 1, characterized in that, for Correctness verification, client Generate random vectors Both parties calculate the aggregate vector term based on additive homomorphism. and output weighted vector The authentication value, and through proof Established to replace Element-by-element verification reduces the verification complexity from O(m×n) to O(n), where m and n are respectively The number of rows and columns, This is a transpose.

3. The method as described in claim 1, characterized in that, The secure reasoning steps include an arithmetic circuit evaluation phase and a Boolean circuit evaluation phase, which are used to evaluate the linear and nonlinear layers of the deep learning model, respectively.

4. The method as described in claim 3, characterized in that, The arithmetic circuit evaluation phase includes the evaluation of multiplication gates. The assessment , These are the two inputs to the multiplication gate. The output of the multiplication gate specifically includes: Client Locally calculated product part ,in, For the client Holding Client-side sharding, for Client-side sharding; server Calculate the product part ,in, For server Holding Server sharding, And for Server sharding, through calling the vector inadvertent linear evaluation function. Get random mask , MAC tag and MAC key Calculate the difference Send to the client , set up The MAC label is , receive Then, calculate MAC key ; The first cross term is calculated using the additive homomorphic encryption AHE protocol. Second cross term Authentication secret fragment and ; Including clients Holding Fragments and MAC key and by server Holding Client-side sharding and MAC tags , By client Holding Fragments and MAC key and by server Holding Server Sharding and MAC tags ; Client The computing client holds Client-side sharding and MAC key ,server calculate and MAC tags Authentication secret fragment ; Perform the correctness verification step by using random challenge values ​​and vector unintentional linear evaluation functions. Check the server The product part of the calculation And the correctness of the cross terms.

5. The method as described in claim 3, characterized in that, The Boolean circuit evaluation phase includes input... Authentication secret fragment via Boolean circuits Calculate the output Authentication secret fragment ,in Specifically, it includes: Client Generate an obfuscated circuit, the logic of which is client-side fragmentation. Server sharding Reconstructing the input And calculate ; Through unintentional transmission function ,server Obtain its corresponding fragment No. bits Input tags Client Slice it The corresponding input tags and obfuscation circuits are sent to the server. ; server Evaluate the obfuscated circuit to obtain the output label ; First call to the label-based multiplication subprotocol GCMul: Client Input / Output All possible tags and As a multiplier, express Corresponding to the The input wire is in Output labels during status; server Input the labels obtained from its evaluation GCMul returns the Boolean circuit output results obtained from the client in fragments. Give The Boolean circuit output result obtained from the server is fragmented. Give ; Second call to GCMul: Client Input / Output All possible tags and As a multiplier, The client-side sharding is , The server is sharded as ;server Input the output label obtained from its evaluation GCMul returns the fragment. To the client Return to fragment To the server ; calculate MAC key set up MAC tag , obtain output Authentication fragments ; Third call to GCMul: Client enter All possible tags and As a multiplier, The client-side sharding is , The server is sharded as ;server Input the input labels obtained from its evaluation GCMul returns the fragment to the client. Give Return to fragment To the server ; Calculate MAC key , set up MAC tag ; Verification steps: Both parties perform the operation to verify. Consistency and The correctness of the statement.

6. The method as described in claim 5, characterized in that, The tag-based multiplication sub-protocol GCMul is used to convert the output tags of the obfuscated circuit into authenticated fragments on the arithmetic domain, satisfying... ,in, The multiplication factor input by the client, when used to generate the MAC tag for the authentication fragment, The value is the global key. Use placeholders for GCMul's input variables. This indicates that GCMul's output uses placeholders. This indicates, specifically, that includes: Client Label each wire Parsing into the key part and pointer part ; For input The A wire with a bit value The label of the time, For input The A wire with a bit value The key part at that time, For input The A wire with a bit value The pointer value at that time; Client According to the pointer section Calculate the first Auxiliary values And this hash value And set local result sharding ; Client auxiliary value set Send to server ; server The valid labels it holds Parsed as and , For input No. The pointer part of the wire, For input No. The key portion of the wire, and according to calculate This allows us to obtain server result shards. .