Securing Transformer-based AI Execution via Unified TEEs and Crypto-protected Accelerators

TL;DR

TwinShield is a novel framework that enhances the security and efficiency of Transformer model inference by leveraging heterogeneous TEEs and crypto-protected accelerators, significantly reducing inference time while safeguarding data and models.

Contribution

The paper introduces TwinShield, a new system that securely offloads most Transformer inference computations to GPUs with dual protection, overcoming limitations of previous schemes.

Findings

Achieves 4.0x - 6.1x speedup over prior methods.

Offloads approximately 87% of computation to GPUs.

Provides dual protection for data and model during inference.

Abstract

Recent advances in Transformer models, e.g., large language models (LLMs), have brought tremendous breakthroughs in various artificial intelligence (AI) tasks, leading to their wide applications in many security-critical domains. Due to their unprecedented scale and prohibitively high development cost, these models have become highly valuable intellectual property for AI stakeholders and are increasingly deployed via machine learning as a service (MLaaS). However, MLaaS often runs on untrusted cloud infrastructure, exposing data and models to potential breaches. Mainstream protection mechanisms leverage trusted execution environments (TEEs) where confidentiality and integrity for secretive data are shielded using hardware-based encryption and integrity checking. Unfortunately, running model inference entirely within TEEs is subject to non-trivial slowdown, which is further exacerbated in LLMs due to the substantial computation and memory footprint involved. Recent studies reveal that the hybrid TEE-based scheme offloading partial model inference operations to the untrusted accelerators (e.g., GPU) is a promising solution. However, prior offloading schemes fail to ensure dual protection of data and model in Transformer inference, as they cannot securely offload critical operations, i.e., Attention and SoftMax, forcing these computations to remain confined within TEEs. To address these challenges, we propose TwinShield, a framework enabling secure Transformer inference in heterogeneous TEE and accelerator systems with dual protection for both model and data. TwinShield offloads ~87% of computation to GPUs and delivers 4.0x - 6.1x speedups over previous approaches across various Transformer models.