Hybrid HE–SMPC Protocols
- Hybrid HE–SMPC protocols are methods that integrate homomorphic encryption for linear operations with secure multiparty computation for non-linear functions in deep neural network inference.
- They ensure data privacy by processing encrypted inputs through a layered approach, switching between HE for matrix multiplications and MPC for operations like ReLU and max-pooling.
- The protocols face vulnerabilities such as the SEEK extraction attack, highlighting the need for enhanced security measures like malicious-secure MPC or fully homomorphic alternatives.
Hybrid HE–SMPC protocols form a foundational methodology for privacy-preserving machine learning inference, leveraging homomorphic encryption (HE) for efficient linear computations and secure multiparty computation (SMPC or simply MPC) for non-linear operations, notably in deep neural network (DNN) evaluation. These protocols enable servers and clients to compute over encrypted data without mutual data disclosure, addressing prediction-as-a-service security requirements where model, input, and output confidentiality are priorities. Notable instantiations include pipelines referenced by Gazelle (Juvekar et al.), Delphi (Mishra et al.), and CryptFlow2 (Rathee et al.), and the class is characterized and critiqued by the SEEK model extraction attack framework (Chen et al., 2022).
1. Architectural Overview
Hybrid HE–SMPC protocols adopt a layered approach. Linear operations—chiefly matrix multiplications and bias additions in DNN layers—are executed using leveled FHE schemes such as BFV, BGV, or CKKS. These schemes are selected for their ability to operate on encrypted vectors, supporting a bounded depth of multiplications without the need for bootstrapping. Non-linear functions, especially ReLU, max-pooling, and argmax layers, are delegated to two-party MPC protocols over arithmetic or Boolean shares on .
The principal data flow is as follows:
- Homomorphic encryption is used to process all linear components, including weight and bias application.
- At each non-linear layer, the protocol transitions to MPC via an encrypted, randomly masked handoff.
- Post-MPC, results are re-encoded in the HE domain, enabling the next sequence of homomorphic linear operations.
2. Homomorphic Encryption Pipeline
The HE component is instantiated as a leveled FHE scheme, supporting a limited multiplicative depth. Key operations include:
- Key Generation: Generation of , where is the secret key, the public key, and the set of evaluation keys for multiplication.
- Encryption: For vector input , ciphertext is produced. For example, in BFV-like schemes, (note SEEK does not explicitly provide this equation).
- Homomorphic Evaluation: Linear layers () are computed via Ct–Pt multiplies (applying or 0 as plaintext to a ciphertext) and additions. CKKS pipelines require a “rescale” operation after each inner product to control the scaling factor and noise.
- Noise Management: Each homomorphic multiplication increases the noise in the ciphertext; this is managed by modulus switching and rescale operations specific to the HE scheme, though quantitative noise formulas are not provided in Chen et al. (2022).
- Decryption: Only the client, in possession of 1, decrypts ciphertexts to enable further protocol steps.
3. Non-Linear Layer Computation via MPC
Upon reaching a non-linear layer, the protocol transitions to a semi-honest two-party arithmetic MPC framework over 2:
- Masking: The server samples a random mask 3 and homomorphically subtracts it from the encrypted pre-activation 4, producing ciphertext 5.
- Share Distribution: The client decrypts to obtain 6, holding an additive share, while the server retains 7.
- MPC Step: Both parties compute the non-linear operation (e.g., ReLU, max-pool, argmax) as an MPC task (commonly via OT-based or garbled circuits).
- Recombination: Resultant shares of 8 (post-nonlinearity) are re-encrypted by the client, with the server homomorphically adding its share, reconstructing 9.
Explicit share transformation equations are:
- Pre-nonlinearity: Client share 0; Server share 1
- Post-nonlinearity: Client share 2; Server share 3
- HE conversion: 4
4. Protocol Complexity
The protocol's round and resource complexity is dominated by the number of non-linearities and the size of the neural network:
- Rounds: Each non-linear layer incurs two transitions (HE→MPC and MPC→HE). The final argmax classification invokes one additional MPC sub-protocol, yielding 5 rounds.
- Communication: Every non-linear layer exchanges one encrypted mask and one encrypted share, each 6 bits for 7-dimensional activations. MPC communication (for ReLU) requires 8 OT-messages/secret shares.
- Computation: Per linear weight: one Ct–Pt or Ct–Ct multiplication/addition. Each non-linear step: two HE operations (masking and remasking), one decryption, one encryption, and one 9-size MPC circuit evaluation.
- Performance Metrics: Chen et al. (2022) report only model extraction costs, not honest inference throughput, latency, or bandwidth.
5. Security Model and Malleability
These protocols presuppose the semi-honest security model, in which parties follow the prescribed steps but may attempt passive inference from the protocol transcripts. Standard simulation-based security proofs for FHE, OT, and garbled circuits underwrite privacy for inputs, intermediate activations, and weights.
A critical vulnerability, as established by SEEK, is that the masking-and-sharing steps enable unchecked malleability: a client may substitute shares (e.g., 0) without detection, because HE's semantic security prevents the server from inspecting what it receives. This fault injection allows adversarial clients to perform controlled shifts at every non-linearity, observe the resulting predictions, and thereby extract model parameters and intermediate values more efficiently than under plaintext-only settings. The SEEK attack, leveraging such malleability, can reconstruct ResNet-18 parameters on ImageNet with an average of 45.8 queries per parameter and relative errors below 1 (Chen et al., 2022).
6. Limitations, Benchmarks, and Mitigations
These hybrid protocols, as sketched in Chen et al. (2022), omit explicit HE parameterizations (key sizes, modulus chains), specific noise-growth analysis, and detailed running-time or throughput measurements. The only reported benchmarks concern the extraction attack’s efficiency (see Section 5).
Key limitations and possible mitigations are as follows:
- Under the semi-honest model, malleability compromises model confidentiality.
- Mitigation requires malicious-secure MPC with authenticated shares, as explored by Lehmkuhl et al. (2021), Chandran et al. (2021), and Xu et al. (2022), or a transition to FHE-only or garbled-circuit-only (GC-only) pipelines, at a significant computational and communication cost.
- A plausible implication is that protocol security for practical deployments must factor in active adversarial threat models, or restrict client capabilities with extra safeguards on share manipulation.
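As an added illustration (not code from Chen et al. or from any of the cited systems), the following Python models one non-linear layer transition from Section 3 in the share domain: the masked HE→MPC handoff, an idealised ReLU on additive shares, and the MPC→HE recombination. It assumes a prime share ring Z_P (the page leaves the modulus unspecified) and lets plaintext arithmetic stand in for the additively homomorphic ciphertext operations. A client that shifts its post-ReLU share is accepted silently by the plain recombination (the malleability of Section 5), whereas a simplified information-theoretic MAC on the shares, a toy version of the authenticated-share idea behind the mitigations above and not the construction of any cited paper, rejects the substitution.

```python
import secrets

# Assumed parameters (the page leaves the share ring unspecified): a prime
# field Z_P, with elements above P//2 read as negative integers.
P = 2**61 - 1


def to_signed(v):
    """Map an element of Z_P to the signed integer it encodes."""
    v %= P
    return v - P if v > P // 2 else v


def he_to_mpc(x):
    """Masking handoff (Section 3): the server samples r and homomorphically
    forms Enc(x - r), which the client decrypts. Plaintext arithmetic stands
    in here for the additively homomorphic ciphertext operations."""
    r = secrets.randbelow(P)
    return (x - r) % P, r  # (client share, server share)


def mpc_relu(xc, xs, alpha=None):
    """Ideal two-party ReLU on additive shares, returning fresh output shares;
    with alpha set it also returns shares of the MAC alpha * y."""
    y = max(0, to_signed(xc + xs)) % P
    yc = secrets.randbelow(P)
    if alpha is None:
        return (yc, None), ((y - yc) % P, None)
    mc = secrets.randbelow(P)
    return (yc, mc), ((y - yc) % P, (alpha * y - mc) % P)


def mpc_to_he(client_msg, server_state, alpha=None):
    """Recombination: the server adds its share to the client's re-encrypted
    share. Unauthenticated, nothing binds that message to the MPC output, so a
    substituted share passes; with the toy MAC, mc + ms == alpha * y is checked."""
    yc, mc = client_msg
    ys, ms = server_state
    y = (yc + ys) % P
    if alpha is not None and (mc + ms) % P != alpha * y % P:
        return None  # server detects the tampered share
    return y


def run_layer(x, tamper=0, authenticated=False):
    """One non-linear layer end to end; `tamper` is the shift a malicious client
    adds to its post-ReLU share. Returns the server's signed value, or None."""
    alpha = 1 + secrets.randbelow(P - 1) if authenticated else None
    xc, xs = he_to_mpc(x % P)
    (yc, mc), (ys, ms) = mpc_relu(xc, xs, alpha)
    y = mpc_to_he(((yc + tamper) % P, mc), (ys, ms), alpha)
    return None if y is None else to_signed(y)
```

In the unauthenticated flow `run_layer(5, tamper=7)` hands the server 12 instead of ReLU(5) = 5 with no error, which is exactly the controlled shift SEEK exploits; the authenticated variant returns None for the same input.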
Hybrid HE–SMPC protocols offer a tractable compromise for privacy-preserving inference but suffer from a fundamental vulnerability when masking and HE semantic security are used for non-linear layer transitions, as demonstrated by the SEEK extraction attack. Their security is adequate only within non-malleable, semi-honest models unless augmented by dedicated malicious security techniques (Chen et al., 2022).