CECELIA: Secure Machine Learning Framework

• CECELIA is a three-party secure computation framework that performs exact, privacy-preserving evaluations of machine learning models using advanced secret sharing techniques.
• It implements modular protocols such as modulus conversion, most-significant bit extraction, and secure multiplexing to facilitate complex operations like exact exponentiation and inverse square roots.
• The framework demonstrates practical scalability and near-plaintext accuracy in privacy-preserving inference, notably in recurrent kernel networks for protein classification.

CECELIA (Comprehensive Secure Machine Learning Framework) is a three-party secure computation framework developed to perform privacy-preserving evaluation of machine learning algorithms, especially those requiring complex arithmetic and matrix operations. Building upon secret sharing and advanced multiparty computation primitives, CECELIA enables the exact private computation of functions that were previously intractable, such as the exact exponential and the inverse square root of a secret Gram matrix, with applications demonstrated in privacy-preserving inference on recurrent kernel networks (RKNs) for structural protein classification.

1. Architecture and Secure Computation Model

CECELIA employs a three-party computation model based on 2-out-of-2 additive secret sharing over integer rings $\mathbb{Z}_L$ and $\mathbb{Z}_K$ (with $L = 2^n$, $K = 2^{n-1}$). The three parties are:

• Two proxies ($P_0$, $P_1$), each holding additive shares of the private inputs (e.g., data samples and model parameters).
• A helper ($P_2$) providing random masks and facilitating specific masked computations.

The core design of CECELIA is modular: basic secure arithmetic operations (addition, multiplication using Beaver triples), and a suite of novel protocols for modulus conversion, most significant bit extraction, and secure multiplexing form the basis for implementing higher-level machine learning primitives.

2. Novel Protocols and Primitive Building Blocks

Modulus Conversion (MOC)

MOC allows conversion of a secret shared value from $\mathbb{Z}_K$ to $\mathbb{Z}_L$:

• $P_0$ and $P_1$ mask their shares with a random value $r$ from $P_2$.
• Both reconstruct $(x + r) \bmod K$ and use a private-compare subroutine to detect overflow (wrap-around).
• Depending on the overflow, one party adds $K$ to their share, then $r$ is subtracted, re-adjusting to $\mathbb{Z}_L$.
• This process supports seamless transitions needed for higher-precision and signed operations.

Most Significant Bit (MSB) Extraction

• Utilizes MOC to isolate the high-order bit, then a secure multiplexer (MUX) to output a secret share of the sign (MSB).
• The process achieves this with minimal communication rounds.

Secure Multiplexer (MUX)

• Selects between two secret-shared values based on a secret bit $b$ (i.e., $z = x - b\cdot(x-y)$).
• Proxies locally randomize their shares and employ helper-facilitated randomized encoding (RE) for cross-party multiplication, ensuring composability and privacy.
• This is the first use of randomized encoding inside a secure multiplexer within multiparty computation.

These primitives can be composed for the secure, efficient evaluation of complex functions in privacy-preserving machine learning.

3. Secure Implementation of Complex Operations

CECELIA introduces secure, exact protocols for two computationally demanding functions:

Exact Exponential Protocol

• For a public base $b$ and a secret exponent $a$, it computes $b^a$ without approximation.
• Relies on a generalized square-and-multiply approach: the exponent $a$ is represented in binary, and for each bit $a_i$, appropriate contributions ($b^{2^i}$ or $(1/b)^{2^i}$ for negative exponents) are conditionally multiplied using the MUX primitive.
• Binary tree-style secure multiplications aggregate these contributions.
• Enables privacy-preserving kernel methods with precise exponentials, overcoming the limitations of prior approximate solutions.

Inverse Square Root of a Secret Gram Matrix

• Essential for RKNs, the protocol privately computes $G^{-1/2}$ (where $G$ is the Gram matrix of secret anchor points).
• Proxies mask $G$ as $G' = M(G+sI)M^\top$, with $M$ a random orthogonal matrix and $s$ a scalar offset; helper $P_2$ performs eigenvalue decomposition on $G'$.
• Using additional random masks ($\Delta$, $\alpha$) and secure modulus conversion, the original eigenvalues are privately recovered.
• The inverse square roots of the eigenvalues, together with the secret-shared eigenvectors, allow reconstruction of $G^{-1/2}$.
• This protocol supports exact, private matrix function evaluations required in advanced models.

4. Case Study: Private Inference on Recurrent Kernel Networks

CECELIA was demonstrated in the privacy-preserving inference of pre-trained RKNs for structural protein classification:

• Model parameters (e.g., anchor points, classifier weights, Gram matrix) and input protein sequences are maintained confidential throughout computation.
• Secure dot products, exponentials, recursive updates, and final matrix multiplications are realized using CECELIA's primitives.
• On the SCOP protein database, the privacy-preserving RKN achieves predictions matching the plaintext solution to within $2 \times 10^{-5}$.
• This constitutes the first privacy-preserving inference on RKNs, highlighting the framework's capability for complex model evaluation under full confidentiality.

5. Scalability Analysis and Performance Metrics

CECELIA's performance is characterized by both cryptographic protocol round complexity and empirical execution time:

• Primitive round complexity (selected examples): MUL/MUX (2 rounds), MSB/CMP (4 rounds), EXP (24 rounds), INVSQRT (15 rounds).
• Experiments on both synthetic and real datasets (using Amazon EC2) indicate near-linear scaling of execution time with respect to:
  • Number of anchor points (dimension of Gram matrix),
  • $k$-mer length (motif length),
  • Input sequence length.
• Both LAN and WAN deployments were tested, confirming practical scalability of the protocols.

Operation	Communication Rounds
MUL, MUX	2
MSB, CMP	4
EXP	24
INVSQRT	15

Practical feasibility was confirmed for the considered use cases, with secure protocols remaining tractable even for WAN-distributed setting.

6. Broader Implications and Extensibility

CECELIA's generic, composable primitives lay the groundwork for privacy-preserving computation beyond RKNs:

• MOC, MSB, and MUX support a wide range of secure arithmetic and logic needed by modern machine learning architectures.
• The framework's ability to exactly and privately compute exponentials and eigenfunction-based matrix operations (e.g., inversions, square roots) makes it applicable to kernel methods, advanced DNN layers, and algorithms requiring non-linear transformations.
• Prospects include extending primitives to privacy-preserving training (not just inference), as well as to architectures necessitating secure evaluation of more complex machine learning subroutines.
• By supporting provable privacy with negligible accuracy loss, CECELIA is suitable for sensitive domains such as biomedical or financial cloud-based machine learning workflows.

7. Technical Summary and Formulas

Key procedural highlights:

• Exponential Protocol:

$b^a = \prod_{i=0}^{n-1} b^{a_i \cdot 2^i}$

with $a = (a_{n-1},...,a_0)$ in binary, and secure selection/multiplication via MUX.

• Inverse Square Root of $G$:

$$G' = M (G + sI) M^\top, \qquad G^{-1/2} = Q \cdot \mathrm{diag}(\lambda^{-1/2}) Q^\top$$

where recovery of $\lambda$ is enabled by random masking and MOC.

The framework systematically combines randomness-masked protocols (minimizing information leakage) and round-efficient communication patterns, raising the practical bar for private computation in moderately distributed and latency-bound environments.

---

CECELIA constitutes a significant advance in secure machine learning by introducing exact, composable protocols for computations beyond basic arithmetic, markedly extending the class of models and tasks that can be executed privately and practically in distributed environments (Ünal et al., 2022).