Secure Transformer Inference Protocol
Mu Yuan, Lan Zhang, Xiang-Yang Li

TL;DR
This paper introduces STIP, a novel three-party secure Transformer inference protocol that significantly improves efficiency over existing two-party methods without sacrificing accuracy.
Contribution
It proposes a new three-party threat model and a permutation-based protection scheme, enabling secure Transformer inference with practical security and high efficiency.
Findings
STIP is millions of times more efficient than two-party protocols.
It achieves secure inference without any accuracy loss.
The protocol is practical for real-world Transformer services.
Abstract
Security of model parameters and user data is critical for Transformer-based services, such as ChatGPT. While recent strides in secure two-party protocols have successfully addressed security concerns in serving Transformer models, their adoption is practically infeasible due to the prohibitive cryptographic overheads involved. Drawing insights from our hands-on experience in developing two real-world Transformer-based services, we identify the inherent efficiency bottleneck in the two-party assumption. To overcome this limitation, we propose a novel three-party threat model. Within this framework, we design a semi-symmetric permutation-based protection scheme and present STIP, the first secure Transformer inference protocol without any inference accuracy loss. Experiments on representative Transformer models in real systems show that STIP has practical security and outperforms…
Taxonomy
Topics: Big Data and Digital Economy · Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning
Methods: Attention Is All You Need · Absolute Position Encodings · Dense Connections · Dropout · Byte Pair Encoding · Softmax · Layer Normalization · Position-Wise Feed-Forward Layer · Linear Layer · Label Smoothing
