Covert Attacks on Machine Learning Training in Passively Secure MPC

TL;DR

This paper demonstrates that passive secure MPC protocols for machine learning training are vulnerable to simple, undetectable active attacks that compromise data privacy and model integrity, challenging current threat assumptions.

Contribution

It introduces explicit, effective attacks on passively secure MPC protocols, highlighting the need for actively secure protocols in privacy-preserving ML training.

Findings

Active attacks can reconstruct training data.

Passive protocols are vulnerable to undetectable malicious modifications.

Security assumptions ignoring malicious behavior are insufficient.

Abstract

Secure multiparty computation (MPC) allows data owners to train machine learning models on combined data while keeping the underlying training data private. The MPC threat model either considers an adversary who passively corrupts some parties without affecting their overall behavior, or an adversary who actively modifies the behavior of corrupt parties. It has been argued that in some settings, active security is not a major concern, partly because of the potential risk of reputation loss if a party is detected cheating. In this work we show explicit, simple, and effective attacks that an active adversary can run on existing passively secure MPC training protocols, while keeping essentially zero risk of the attack being detected. The attacks we show can compromise both the integrity and privacy of the model, including attacks reconstructing exact training data. Our results challenge the belief that a threat model that does not include malicious behavior by the involved parties may be reasonable in the context of PPML, motivating the use of actively secure protocols for training.