Investigating Privacy Attacks in the Gray-Box Setting to Enhance Collaborative Learning Schemes
Federico Mazzone, Ahmad Al Badawi, Yuriy Polyakov, Maarten Everts, Florian Hahn, Andreas Peter

TL;DR
This paper investigates privacy attacks in a limited access setting for collaborative learning, proposing a tailored homomorphic encryption framework that balances privacy and efficiency, with promising results on neural network training speed and privacy leakage reduction.
Contribution
It introduces SmartCryptNN, a homomorphic encryption framework optimized for privacy in gray-box models, and demonstrates its effectiveness in neural network training.
Findings
Achieves ~4x faster training compared to fully encrypted methods.
Reduces membership inference leakage by 17.8x.
Identifies a privacy-utility trade-off by protecting only a single network layer.
Abstract
The notion that collaborative machine learning can ensure privacy by just withholding the raw data is widely acknowledged to be flawed. Over the past seven years, the literature has revealed several privacy attacks that enable adversaries to extract information about a model's training dataset by exploiting access to model parameters during or after training. In this work, we study privacy attacks in the gray-box setting, where the attacker has only limited access - in terms of view and actions - to the model. The findings of our investigation provide new insights for the development of privacy-preserving collaborative learning solutions. We deploy SmartCryptNN, a framework that tailors homomorphic encryption to protect the portions of the model posing higher privacy risks. Our solution offers a trade-off between privacy and efficiency, which varies based on the extent and selection of…
Taxonomy
Topics: Education and Learning Interventions
