Deep learning-based medical diagnostic services: A secure,lightweight,and accurate realization 1

Abstract

In this paper, we propose CryptMed, a system framework that enables medical service providers to offer secure, lightweight, and accurate medical diagnostic service to their customers via an execution of neural network inference in the ciphertext domain. CryptMed ensures the privacy of both parties with cryptographic guarantees. Our technical contributions include: 1) presenting a secret sharing based inference protocol that can well cope with the commonly-used linear and non-linear NN layers; 2) devising optimized secure comparison function that can efficiently support comparison-based activation functions in NN architectures; 3) constructing a suite of secure smooth functions built on precise approximation approaches for accurate medical diagnoses. We evaluate CryptMed on 6 neural network architectures across a wide range of non-linear activation functions over two benchmark and four real-world medical datasets. We comprehensively compare our system with prior art in terms of end-to-end service workload and prediction accuracy. Our empirical results demonstrate that CryptMed achieves up to respectively $413 \times$ , $19 \times$ , and $43 \times$ bandwidth savings for MNIST, CIFAR-10, and medical applications compared with prior art. For the smooth activation based inference, the best choice of our proposed approximations preserve the precision of original functions, with less than 1.2% accuracy loss and could enhance the precision due to the newly introduced activation function family.

Keywords

Secure computation privacy-preserving medical service neural network inference secret sharing

1. Introduction

Recent thriving deep learning techniques have been fueling a wide spectrum of medical endeavors, ranging from radiotherapy [27], clinical trial and research [60], to medical imaging diagnostics [55]. Enterprises capitalize on neural networks (NNs) to offer medical diagnostic services, facilitating hospitals and researchers to produce faster and more accurate decisions over their medical data. With the growth in such offerings comes rapidly growing awareness of daunting privacy concerns. The medical data is of sensitive nature and must be always kept confidential [1,23,49,50]. Meanwhile, NN models used in these services are seen as lucrative intellectual properties and encode knowledge of private training data [24].

Addressing these privacy concerns in the above deep learning powered service scenario generally fits within paradigm of secure multi-party computation (MPC). A rich body of work [25,37,43,47,56] proposes hand-tuning MPC protocols for secure inference, whereby the service provider and the customer interact to produce an inference over encrypted/secret-shared NN model and individual data. We note that prior designs are still facing obstacles regarding inference efficiency and accuracy in the ciphertext domain, and do not appear to be able to fulfill practical requirements of real-world medical diagnostic scenarios.

Firstly, they all require customers to conduct heavy cryptographic computations like homomorphic encryption (HE) and garbled circuits (GC), imposing intensive computational and communication overheads during inference. These overheads are further exacerbated when, e.g., the service is deployed to a hospital with resource-constrained devices (like portable medical imaging scanners [34]).

Secondly, existing protocols are either not compatible with non-linear (activation) functions [25,37] or only focus on the simple ReLU function [43,56,65], causing limitations of applicability for medical diagnoses. There are limited works investigating other essential (smooth) activation functions, like sigmoid. Among them, most of existing designs use high-degree polynomials [4,40] or ad-hoc piecewise polynomials [47,57,58,61] to approximate those activation functions. However, the former approach incurs heavy costs when evaluating repeated multiplications. The latter one relies on intervention and expertise on models and training datasets for fine-tuning [47], or encounters the severe ‘vanishing gradient problem’ making the NNs imprecise [57,58,61].

To address the above challenges, we design, implement, and evaluate CryptMed, a lightweight and secure NN inference system tailored for medical diagnostic services. CryptMed proceeds by having the hospital and the medical service engage in a tailored secure inference protocol over their secret-shared inputs. Only the hospital learns the diagnostic result; and the privacy of the medical data and model is ensured against each other. In particular, we combine insights from cryptography, digital circuit design, and deep learning literature, fostering an efficient, low-interaction, and accurate deep learning service suitable for realistic medical scenarios. Our contributions are summarized as follows.

We propose a new secure NN inference system framework CryptMed relying only on the lightweight secret sharing techniques, which requires neither heavy cryptographic computation nor large-size ciphertext transmission.

We present a hybrid protocol design that consists of a preprocessing phase and an online phase where the preprocessing phase conducts as much computation as possible to ease the online phase. Moreover, the preprocessing only involves lightweight computation in the secret sharing domain.

We devise an efficient and communication-optimized secure comparison function harnessing the insights from cryptography and the field of digital circuit design. Our proposed secure comparison function can efficiently support the widely adopted comparison-based non-linear functions, including ReLU, ReLU6, Leaky ReLU, Binary activation, and MaxPool/MinPool. Compared to the commonly-used GC solutions, CryptMed’s secure ReLU is $36 \times$ faster and requires $398 \times$ less communication, and the secure MaxPool is $20 \times$ faster and uses $192 \times$ less communication.

We devise secure smooth activation functions (i.e., tanh, sigmoid, ELU) from newly proposed precise and cryptography-friendly approximations in the field of digital circuit design and deep learning literature. Our introduced approximations are non-linear and low-degree piecewise polynomial approximations with quantitative performance and demonstrate promising accuracy through comprehensive empirical. They are not only approximations but also new activation function family that are natural replacements of the smooth functions. With such approximations, CryptMed reformulates the challenging support for secure smooth activation functions into the comparison-based construction that can be efficiently and accurately evaluated in secure domain.

We conduct formal security analysis. We implement a prototype of CryptMed. We extensively train varying neural network models based on 6 architectures across a wide range of non-linear activation functions. We conduct comprehensive experiments over two benchmarking datasets and four real-world medical datasets. Our experiment results show that CryptMed requires the least network resources compared to prior works with up to $413 \times$ , $19 \times$ and $43 \times$ bandwidth savings for MNIST, CIFAR-10, and the medical applications, respectively.

The rest of this paper is organized as follows. Section 2 investigates the related work. Section 3 introduces the necessary preliminaries. After an overview of our system in Section 4, we present our proposed construction in Section 5. Section 6 presents our empirical evaluation on microbenchmarks and end-to-end secure inference service. Finally, Section 7 concludes this paper.

2. Related works

Secure neural network inference. Secure neural network inference has drawn much attention in the emerging field of privacy-preserving machine learning. Our design is closely related to a line of studies on secure NN inference. These studies [12,25,37,43,47,56,81,83] mostly propose an interactive protocol for secure inference running between the service provider and the customer. Among others, there are designs [48,58,65] that consider an outsourced scenario, where two non-colluding cloud servers collaboratively perform NN inference over the encrypted/secret-shared model and data. Apart from different system models, they commonly rely on heavy cryptographic techniques (like HE and GC) during the latency-sensitive online inference procedure. Very recently, Delphi [56] proposes a hybrid and interactive inference protocol, which preprocesses some cryptographic operations to accelerate the online inference execution. However, this work still demands intensive workloads on the customer to conduct heavy cryptographic computations during preprocessing, and relies on expensive GC based approach to evaluate the basic ReLU function. CryptMed adopts a similar hybrid setting yet only involves the lightweight secret sharing techniques during the entire secure inference procedure, which has an prominent advantage of rather simplified implementation for easy real-world deployment, compared to the SOTA which requires heavy optimization in GC and homomorphic encryption implementation.

We emphasize that most prior works only support the basic ReLU activation [43,56,65]. Other essential activation functions commonly-used in deep learning based medical diagnoses are unexplored, such as ReLU6, Leaky ReLU, and the exponential linear unit (ELU) [15]. Even worse, some works can not fully cope with the non-linearity [25,37]. Instead, they use the square function for approximation, resulting in an imprecise prediction [42,52] that could cause impactful consequences in the medical diagnostic applications.

In the literature, only limited works explore the smooth sigmoid activation function via polynomial approximations. These works either resort to high-degree polynomials [4,40] or ad-hoc piecewise polynomials [47,57,58,61]. The first approach suffers from substantial costs to evaluate a large amount of secure multiplications. The second approach heavily relies on intervention from developers to fine-tune the piecewise polynomials (coefficients and segments) [47], or runs into the severe vanishing gradient problem making the NNs imprecise [57,58,61]. All those solutions do not appear to be competent for practical deep learning based medical diagnoses deployment. A detailed comparison between our work and prior works is summarised in Table 1.

Secure machine learning MPC frameworks. A number of generic MPC frameworks are designed and implemented for complicated computation tasks like machine learning. Noteworthy examples include the two-party framework with a trusted party to generate correlated randomness proposed in Chameleon [65], the framework proposed by Reza Sadeghi et al. [68], TAPAS [70], FHE DiNN [11], the framework proposed by Dalskov et al. [19], MP2ML [9]; the three-party frameworks proposed in ABY3 [57], SecureNN [75], CryptTFlow [41]; the four-party frameworks in Trident [62], FLASH [13]; and multi-party frameworks in TFEncrypted [18], PySyft [67,89], FALCON [76]. Note that a handful of latest privacy-preserving machine learning systems opt for specialized and optimized designs rather than direct application of generic MPC frameworks [2,56,64,84] for performance consideration. Our design also follows such trend.

Table 1
Limitations of prior secure neural network inference systems and comparison with our systems

¹These systems requires NN model architecture modification, such as polynomial approximation of ReLU activation. This setting could downgrade the prediction accuracy.

²These systems are designed for quantized NNs. Quotient [2] uses Ternarized NN, and XONN [64] is designed for Binarized NN.

Privacy-preserving medical diagnosis. This work also relates to the designs of privacy-preserving medical diagnosis. There is a plethora of work proposed on privacy-preserving medical imaging based diagnostic applications. Some works strive to enhance the reliability of image-centric diagnoses via privacy-preserving image denoising [32,85,86,88]. These works resort to DNNs [86,88] or reference image patches [32,85] to devise image denoising protocols that can privately reduce the noises and deliver high-quality medical image content. Meanwhile, a line of work aims to explore privacy-preserving machine learning for various medical diagnostics, like medical image classification [3,38,39,48,51], tumor segmentation [44,45,54,71], and genomic data regression [10,21,59]. Some of them utilize cryptographic privacy-enhancing techniques (e.g., homomorphic encryption, secure multiparty computation) to protect the privacy of machine learning models and medical data [3,10,21,48,51,59]. Others resort to differential privacy techniques to train a private model that can be used to conduct private inference over medical images [38,39,44,45,54,71]. We emphasize that these works focus on different problems and their designs are highly different from ours. A few of them consider secure neural network inference based medical diagnosis, yet requiring to use heavy cryptography [3,48] or not focusing on supporting smooth activation functions [51]. Many others explore different problems, like the relatively simpler regression models [10,21,59], or federated learning [38,39,44,45,54,71]. Besides, those works relying on differential privacy techniques require to perturb the data with noise, and thus would downgrade the utility of models [38,39,44,45,54,71].

Apart from the machine learning based approaches, works adopt data mining techniques to securely analyze the medical data for diagnostics. Applications include similarity analysis of human genome sequences [6,69,78], genome-wide association studies [16,35,36,72], biometric identification [33], pharmacology and medicine [14,29], and medical time-series data analytics [7,49,50]. A common paradigm is to customize secure computation protocols to meet certain requirements for different medical diagnostic applications.

Differences from the conference version. Portions of this paper have been presented in [51]. We have revised the preliminary work [51] with substantial new contributions and improvements, as summarized below. Firstly, we have proposed a number of new efficient, lightweight, and accurate secure non-linear activation functions in Section 5, including the secure comparison-based activation functions ReLU6, Leaky ReLU, Binary activation, and the secure smooth activation functions tanh, sigmoid, and ELU with different approximation approaches. Secondly, we have made a full-fledged implementation of the new realizations of our security design and conducted comprehensive performance evaluation and comparisons. The overall experiment results have demonstrated the prominent performance advantage of our new design. Finally, we have refined the previous work significantly to reflect our new contributions and latest understanding on the topic, as well as improve the clarity.

Table 2

Table of notation

Notation	Description
X, x	Input/feature tensor and element.
W, w	Weight tensor and element.
μ, δ, γ, β	Batch normalization parameters: the running mean, running variance, scale, and shift.
L	Number of neural network layers
ℓ, n	Bit length ℓ and vector length n.
i	Identifier of a party i, where $i \in {0, 1}$ .
$b$ , $c$	Control bits
$x_{ℓ}$	The most significant bit of element x
$x_{k}$ , $x_{k}$	The k-th element of vector x; The k-th vector.
${⟨ x ⟩}_{i}^{A}$	Additive secret shares of value x in ring $Z_{2^{ℓ}}$ held by the party i
${⟦ x ⟧}_{i}$	Boolean shares of value x in ring $Z_{2}$ held by the party i
${⟨ x ⟩}_{i}^{A} \pm {⟨ y ⟩}_{i}^{A}$	Addition/subtraction over additive secret shares
${⟨ x ⟩}^{A} \cdot {⟨ y ⟩}^{A}$	Multiplication over additive secret shares
${{⟦ x ⟧}_{i} + ⟦ y ⟧}_{i}$	Bitwise XOR over Boolean shares
$⟦ x ⟧ \cdot ⟦ y ⟧$	Bitwise AND over Boolean shares

3. Preliminaries

In this section, we introduce the core primitives and background used in CryptMed. We summarize the key notations used in this paper in Table 2.

Secret sharing. We now present the key cryptographic primitive used in our design: additive secret sharing. Additive secret sharing [5] protects an ℓ-bit value $x \in Z_{2^{ℓ}}$ as two secret shares ${⟨ x ⟩}_{0} = r (mod 2^{ℓ})$ and ${⟨ x ⟩}_{1} = x - r (mod 2^{ℓ})$ such that ${⟨ x ⟩}_{0}^{A} + {⟨ x ⟩}_{1}^{A} \equiv x (mod 2^{ℓ})$ , where $Z_{2^{ℓ}}$ is a ring and r is a random value from $Z_{2^{ℓ}}$ ( $r \in_{R} Z_{2^{ℓ}}$ ). It perfectly hides x as each share is a random value and reveals no information of x. Given two parties $P_{0}$ and $P_{1}$ , each party holds corresponding shares of two secret values x and y. Additive secret sharing supports efficient local addition and subtraction over shares ${⟨ z ⟩}_{i} = {⟨ x ⟩}_{i} \pm {⟨ y ⟩}_{i}$ and scalar multiplication ${⟨ z ⟩}_{i} = η \cdot {⟨ x ⟩}_{i}$ (η is a public value). They are calculated by each party $P_{i}$ ( $i \in {0, 1}$ ) locally without interaction. Multiplication over two shares $⟨ z ⟩ = ⟨ x ⟩ \cdot ⟨ y ⟩$ is realized by the secret-shared Beaver’s triple [8], i.e., $P_{i}$ holds $({⟨ t_{1} ⟩}_{i}, {⟨ t_{2} ⟩}_{i}, {⟨ t_{3} ⟩}_{i})$ in a way that $t_{3} = t_{1} \cdot t_{2}$ . Such a multiplication operation with Beaver’s triple is a standard secure computation protocol, whereby $P_{i}$ obtains the shares ${⟨ z ⟩}_{i}$ of $x y$ at the end. Note that Beaver’s triples are data independent and can be efficiently generated via one-off computation by a third party [65,87]. In addition, additive secret shares can readily support boolean operations over binary values. Given the bit length $ℓ = 1$ and the ring $Z_{2}$ , a secret binary value x is shared as ${⟦ x ⟧}_{0} = r \in Z_{2}$ and ${{⟦ x ⟧}_{1} = r \oplus ⟦ x ⟧}_{0}$ . The bitwise XOR (⊕) and AND (∧) over shares are calculated in the same way as the above addition and multiplication, respectively.

Deep neural networks. A typical Deep Neural Network (DNN) comprises two types of layers in sequence: linear layers and non-linear layers. Linear layers include convolutional layers (CONV), fully-connected layers (FC), batch normalization (BN) layers, and average pooling layers (AvgPool). The functionalities of these layers in cleartext can be formulated as a bunch of additions, multiplications, and flattened operations over kernels (partial model weights for a certain function) and features (user inputs and intermediate results). Specifically, the underlying functionality of CONV and FC is the vector-wise dot product $VDP (x, w) = \sum_{i = 1}^{n} w (i) \cdot x (i)$ between a kernel vector $w \in R^{n}$ and a feature vector $x \in R^{n}$ within a sliding window $n \times n$ . Given a kernel $W \in R^{c_{in} \times c_{out} \times n \times n}$ , CONV transforms an input feature $X \in R^{c_{in} \times h_{in} \times w_{in}}$ into an output feature $Y \in R^{c_{out} \times h_{out} \times w_{out}}$ via $\begin{matrix} Y (t, m, n) = \sum_{k = 1}^{c_{in}} \sum_{i = 1}^{n} \sum_{j = 1}^{n} VDP (X (k, m + i - 1, n + j - 1), W (k, t, i, j)), \end{matrix}$ where $t \in [c_{out}]$ , $m \in [h_{out}], n \in [w_{out}]$ . That is, any data point in Y is produced by applying a sliding kernel tensor $W^{c_{in} \times n \times n}$ over the entire feature tensor X, and performing cross-channel $VDP$ operations repeatedly. Such a function indicates the FC layer when $n = 1$ . Batch normalization is used to regularize the model. It is applied after CONV/FC layers and performs $z = γ (x - μ) / δ + β$ over the feature x on each neuron, where μ, δ, γ, and β are BN parameters: the running mean, the running variance, the scale, and the shift. Note that the BN parameters are part of the model weights and should be protected properly.

Table 3
Typical non-linear layers in DNNs

Layer Description Function

Comparison-based activation function Binary activation function $f (x) = \{\begin{matrix} 1 & if x ⩾ 0 \\ 0 & if x < 0 \end{matrix}$

ReLU activation function $f (x) = max (0, x)$

ReLU6 activation function $f (x) = min (max (0, x), 6)$

Leaky ReLU activation function $f (x) = max (0.1 x, x)$

Smooth activation functions Sigmoid function $f (x) = \frac{1}{1 + e^{- x}}$

Hyperbolic tangent (tanh) function $f (x) = \frac{2^{x} - e^{- x}}{e^{x} + e^{- x}}$

Exponential linear units (ELU) activation function $f (x) = \{\begin{matrix} x & if x ⩾ 0 \\ α \cdot (e^{x} - 1) & if x < 0 \end{matrix}$

Pooling layers (window size n) max pooling $max (x_{1}, \dots, x_{n})$

min pooling $min (x_{1}, \dots, x_{n})$

Layer	Description	Function
Comparison-based activation function	Binary activation function	$f (x) = \{\begin{matrix} 1 & if x ⩾ 0 \\ 0 & if x < 0 \end{matrix}$
ReLU activation function	$f (x) = max (0, x)$
ReLU6 activation function	$f (x) = min (max (0, x), 6)$
Leaky ReLU activation function	$f (x) = max (0.1 x, x)$
Smooth activation functions	Sigmoid function	$f (x) = \frac{1}{1 + e^{- x}}$
Hyperbolic tangent (tanh) function	$f (x) = \frac{2^{x} - e^{- x}}{e^{x} + e^{- x}}$
Exponential linear units (ELU) activation function	$f (x) = \{\begin{matrix} x & if x ⩾ 0 \\ α \cdot (e^{x} - 1) & if x < 0 \end{matrix}$
Pooling layers (window size n)	max pooling	$max (x_{1}, \dots, x_{n})$
min pooling	$min (x_{1}, \dots, x_{n})$

As summarized in Table 3, non-linear functions in DNNs can broadly be classified into comparison-based activation functions, smooth activation functions, and pooling layers. Comparison-based activation functions (ReLU, ReLU6, LeakyReLU, and Binary activation) have been demonstrated with superior performance in deep learning applications for rapid learning and high prediction accuracy. They are essential building blocks in neural networks to introduce non-linearity, particularly in image classifications. These functions alleviate the well-known ‘vanishing gradient problem’ (neural networks could not converge) encountered when the sigmoid and tanh functions are leveraged for training. The ReLU function is the most widely adopted activation function in CNNs. The ReLU6 activation function is a variant of the ReLU that clips weights between 0 and 6. The Leaky ReLU function adopts a linear function for negative features. The Binary activation function is usually adopted in quantized NNs.

Smooth activation functions make non-trivial usage in deep learning. Similar to comparison-based activation functions, smooth activation functions introduce non-linearity to NNs. Additionally, these functions have properties of continuity, smoothness, and monotonicity to empower NNs with complex capabilities [20,79]. CryptMed focuses on three widely-adopted smooth activation functions, i.e., sigmoid, hyperbolic tangent (tanh), and ELU. They are vital building blocks in a variety of machine learning and deep learning paradigms for medical diagnoses, like medical time series predictions [79], tumor segmentation, and medical imaging denoising [86]. The tanh function and the sigmoid function are preferable over logistic regression, LSTM, and RNN for sequential and time series data prediction. The ELU function [17] is a noise-robust and precise activation function compared to the conventional ReLU activation and its variants (e.g., Leaky ReLU, Parametrized ReLU). Besides, ELU effectively diminishes the ‘vanishing gradient problem’ by setting the identity for positive features.

Secure computation over fixed-point ring. Deep learning inference operates over real-valued numbers, i.e., DNN weights and user inputs. In cleartext, they are represented in floating-point numbers. To allow CryptMed to operate in the secret sharing domain, we leverage the fixed-point representation to project values to the underlying ring $Z_{2^{ℓ}}$ . Such fixed-point representation is a common paradigm adapted in prior work [47,56,58,61]. Specifically, given a floating-point number x, we first convert it to a signed fixed-point integer $\bar{x} = ⌊ x \cdot 2^{s} ⌋$ with a scaling factor s embedding the fractional part. Afterwards, we project such an integer to the ring $Z_{2^{ℓ}}$ via $\bar{x} mod 2^{ℓ}$ . To represent the sign, we leverage the two’s complement representation, where the most significant bit (MSB) represents the sign. In this way, non-negative values are mapped to the lower-half ring $[0, 2^{ℓ - 1} - 1]$ , while negative values are mapped to the upper-half ring $[2^{ℓ - 1}, 2^{ℓ} - 1]$ . Then, the MSB will be ‘0’ for a non-negative value, and ‘1’ for a negative value. In fixed-point representation, repeated multiplications may lead to integer overflow due to the excess of fractional bits (from s to $2 s$ bits). A common treatment is to use a secure local truncation [56,58,61], where the least s bits are chopped off ahead of subsequent multiplications.

4. System overview

4.1. Architecture

Figure 1 illustrates the system architecture of CryptMed which enables secure deep learning based medical diagnostic service. CryptMed operates between two parties: the hospital and the medical service provider. On the one hand, we consider that the medical service as an enterprise which deploys an NN powered medical diagnoses service offering though a proprietary NN model. On the other hand, we consider that the hospital as a customer intends to take advantage of the deep learning service to facilitate an accurate medical conclusion, while protecting its own confidential medical records (e.g., CT image, physiological data). Note that the role of the hospital in the real world can be any healthcare institutes, such as clinics, biomedical research centers, or life-science institutes. To launch a secure medical diagnostic service, the above two parties execute CryptMed’s secure NN inference protocol over the secret-shared model and secret-shared medical record. At the end, only the hospital can obtain the secret shares prediction result, which is then recovered to get the cleartext diagnosis. CryptMed provides a cryptographic guarantee such that the hospital obtains the inference result only and nothing else, while the medical service learns no information about the hospital’s medical records.

Fig. 1.

System architecture.

4.2. Threat model

CryptMed designs two-party inference secure against semi-honest adversaries. In CryptMed, the hospital and the medical service will honestly follow the prescribed protocol, yet trying to deduce auxiliary information about each other’s private input beyond what revealed from the protocol result. It is noted that such an assumption is practical. Nowadays the behavior of hospital is widely enforced by ethics, law and privacy regulations [1,23]. In the meantime, the medical service is usually offered by well-established vendors (e.g., Microsoft Project InnerEye [55], Google DeepMind Health [27]), that do not have strong incentives to risk their business model and publicity for malicious behaviors [7]. Due to the above facts and observations, such a threat model is commonly adopted in prior secure NN inference work [47,56] as well. CryptMed strives to ensure the privacy of the hospital’s medical records and the NN model (values of trained weights). Consistent with prior art [47,48,56], CryptMed does not hide the data-independent model architecture, e.g., the model size and number of layers. Lastly, CryptMed deems thwarting adversarial machine learning attacks orthogonal, which attempt to exploit the inference procedure as a blackbox oracle to extract private information. Mitigation strategies can be differentially private learning [82].

5. Our proposed design

In this section, we introduce CryptMed’s secure NN inference protocol for medical diagnostic applications. At a high level, our design consists of two types of secure layer evaluations: secure linear layers and secure non-linear layers. CryptMed efficiently supports a suite of secure linear layers, including the secure convolutional layers, secure fully-connect layers, secure batch normalization, and secure average pooling layers. For secure non-linear layers, CryptMed efficiently realizes a series of comparison-based non-linear layers, i.e., ReLU, ReLU6, Leaky ReLU, Binary activation, MaxPool, and MinPool. Besides, CryptMed enables rich non-linear functionalities by supporting lightweight and accurate evaluations of secure smooth activation functions, including tanh, sigmoid, and ELU. All these layers are vital building blocks in deep learning based medical diagnostic services.

In CryptMed, each secure layer securely evaluates a certain cleartext functionality in the secret sharing domain, which proceeds by taking the secret-shared inputs (features and/or kernels) and producing the secret-shared outputs passed to the succeeding secure layer. Our overarching goal is to devise a lightweight protocol for secure neural network inference with optimized interactions, while empowering rich and accurate secure functionalities for deep learning based medical services. Atop such goal, we have three prominent design insights.

Supporting lightweight secure linear layers. We first split CryptMed’s protocol into a preprocessing phase and an online phase, so as to shift as much computation as possible to preprocessing phase. Inspired by [56], we preprocess the model as secret shares and deliver corresponding shares to the hospital before medical record becomes available. So, the online phase can directly work over secret shares without any heavy cryptographic techniques (like HE) or multi-round ciphertext transmissions. Yet we are aware that the protocol in [56] involves heavy HE during preprocessing to produce and send the model shares as ciphertexts, which may not be amiable for the resource-limited hospital, like COVID-19 pandemic screening centers with handheld medical imaging scanners [34]). Instead, our protocol delicately leverages the insight from Chameleon [65] and enables the preprocessing to be purely based on lightweight computation in the secret sharing domain. As a result, our entire protocol works only with small shares, which immediately gains $20 \times$ improvement on preprocessing and $10 \times$ on overall communication costs over [56].

Supporting lightweight non-linear layers. For secure evaluation of non-linear layers, prior works either resort to the heavy cryptographic techniques (i.e., garbled circuits) [47,56], or circumvent the non-linearities with the square function approximations [25,37]. Unfortunately, such methods may introduce high communication overheads or induce instabilities of NN when handling complex tasks [42,52]. In CryptMed, we make observations from the field of digital circuit design [28] and present a secure comparison function that can efficiently evaluate comparison-based non-linear layers, including ReLU, ReLU6, Leaky ReLU, and Binary activation functions. At the core, this function is fully based on lightweight secret sharing with optimized interactions between the hospital and the medical service. With these designs, our experiment demonstrates a $413 \times$ bandwidth reduction compared with prior works.

Supporting accurate activation functions over secret sharing domain. Most existing works [43,56,65] focus only on the simple ReLU function. Other essential activation functions remain under exploration, including Leaky ReLU, ReLU6, and ELU. These activation are fundamental building blocks in modern NN architectures for medical applications, such as medical image classification [15], image denoising [86], and medical times series (physiological data) prediction [63,79]. The most challenging task is to accurately and efficiently evaluate the smooth activation functions (e.g., sigmoid, tanh, and ELU) in secure domain. Such functions involve exponentiation and division operations that are knowingly expensive to be computed over secret-shared data.

Prior art tackling such challenges mainly falls into two categories. Works in the first category resort to function approximations based on polynomials. Some of them use the high-degree polynomials [4,40,47], which require heavy computational and communication costs to evaluate repeated multiplications. Others leverage the ad-hoc piecewise polynomial approximation [47,57,58,61]. These works either heavily rely on intervention and expertise on DNN model and training dataset to fine-tune the coefficients [47] or encounter severe ‘vanishing gradient problem’ making the NNs quite imprecise [57,58,61]. The work [66] in the other category uses GC to evaluate the smooth functions in a blackbox manner, suffering from prohibitively performance overheads.

Instead of the strawman approximations, CryptMed proposes secure smooth activation functions that are accurate while keeping the cryptographic costs in mind. The core idea is to make use of advancements from the field of digital circuit design [46,73,74,86] and the machine learning literature [79,80] so as to propose more precise and cryptography-friendly approximations. These approximations are non-linear and low-degree piecewise polynomials that have quantitative performance demonstrating promising accuracy over comprehensive empirical evaluations. With such approximations, CryptMed reformulates the smooth activation functions into comparison-based constructions, and thus circumvents the obstacles coming from exponentiation and division. As a result, CryptMed empowers accurate and efficient secure realizations of smooth activation functions over secret sharing domain.

5.1. Secure linear layers

Fig. 2.

CryptMed’s secure inference protocol.

The subsequent section presents CryptMed’s secure inference protocol, which is comprised of the preprocessing phase and the online inference phase as shown in Fig. 2.

Preprocessing phase. During preprocessing, the hospital and the medical service pre-generate custom secret shares of the NN model in an appropriate form which are to be used during online inference. This is a one-off computation and conducted independent of the hospital’s medical record. Let L be number of layers. The hospital takes as input the L sets of randomnesses (in tensor form) ${a_{i}^{0}, a_{i}^{2}}$ , where $i \in [1, L]$ . Similarly, the medical service takes as input the tensors of model weights for each layer $W_{1}, \dots, W_{L}$ and randomnesses tensors ${A_{i}, a_{i}^{1}}$ . Such randomness tensors ${a_{i}^{0}, a_{i}^{1}, a_{i}^{2}, A_{i}}$ are independent to any party’s input and can be pre-distributed to the parties. They satisfy the relationship: $a_{i}^{1} = A_{i} \cdot a_{i}^{0} - a_{i}^{2}$ . Note that the dimension of each randomness tensor is in line with the dimension of each layer’s filter. Given these inputs, the two parties perform the following steps.

For each $i \in [1, L]$ , the medical service computes $W_{i} - A_{i}$ over the weight tensors and sends to the hospital.

The hospital computes $(W_{i} - A_{i}) \cdot a_{i}^{0} + a_{i}^{2} = W_{i} a_{i}^{0} - A_{i} a_{i}^{0} + a_{i}^{2}$ for each layer.

Let $u_{i}$ denote $a_{i}^{0}$ , and $v_{i}$ denote $a_{i}^{1}$ . The medical service thus holds $v_{i}$ , and the hospital holds $W_{i} u_{i} - v_{i}$ , i.e., an additively secret-shared weight tensor $W_{i} u_{i}$ .

Online inference phase. During online inference, the hospital takes as input the tensor of a medical record

X_{1}

, the randomnesses

u_{i}

, and weight shares

W_{i} u_{i} - v_{i}

. The medical service takes as input the weight tensors

W_{1}, \dots, W_{L}

and the randomnesses

v_{i}

. They then perform the secure layer function in pipeline as follows.

The first linear layer $i = 1$ :

The hospital computes and sends $X_{1} - u_{1}$ to the medical service, and uses ${⟨ X_{2} ⟩}_{0}$ to denote $W_{1} u_{1} - v_{1}$ .

The medical service computes ${⟨ X_{2} ⟩}_{1} = W_{1} (X_{1} - u_{1}) + v_{1} = W_{1} X_{1} - W_{1} u_{1} + v_{1}$ .

At this point, the hospital and the medical service hold the additive secret shares (i.e., ${⟨ X_{2} ⟩}_{0}$ , ${⟨ X_{2} ⟩}_{1}$ ) of features2

Biases can be added to the medical service’s shares locally.

outputted from the first linear layer

W_{1} X_{1}

Remaining linear layers

i ⩾ 2

Similar to the first layer, the hospital computes ${⟨ {\bar{X}}_{i} ⟩}_{0} - u_{i}$ over its share ${⟨ {\bar{X}}_{i} ⟩}_{0}$ of activation produced from the secure ReLU evaluation (which we will detail later), and sends it to the medical service. Such a treatment can perfectly hide the hospital’s share, and protect the activation ${\bar{X}}_{i}$ against the medical service. It then sets ${⟨ X_{i + 1} ⟩}_{0} = W_{i} u_{i} - v_{i}$ .

The medical service computes $X_{i} - u_{i} = {⟨ {\bar{X}}_{i} ⟩}_{0} - u_{i} + {⟨ {\bar{X}}_{i} ⟩}_{1}$ . Then it gets ${⟨ X_{i + 1} ⟩}_{1} = W_{i} (X_{i} - u_{i}) + v_{i}$ , ensuring both parties hold additive secret shares (i.e., ${⟨ X_{i + 1} ⟩}_{0}$ , ${⟨ X_{i + 1} ⟩}_{1}$ ) of layer result $W_{i} X_{i}$ .

Non-linear layers: The shares form secure linear layer evaluation can be fed into the secure non-linear layer, which outputs shares

{⟨ {\bar{X}}_{i + 1} ⟩}_{0}

{⟨ {\bar{X}}_{i + 1} ⟩}_{1}

of activations to each party.

Output layer: The medical service sends ${⟨ X_{L} ⟩}_{1}$ to the hospital, who can then integrate ${⟨ X_{L} ⟩}_{0}$ for reconstruction of the final inference result $X_{L}$ .

5.2. Secure non-linear layers

CryptMed supports highly efficient evaluation of the secure non-linear layers in the secret sharing domain. We observed that most of the non-linear activation functions and pooling layers can be decomposed into a series of comparison operations along with some linear operations (i.e., addition and multiplication). Besides, as mentioned above, the smooth activation functions will be delicately reformulated to the comparison-based piecewise non-linear polynomials, and thus relying on the comparison as well. With such an observation in mind, we reformulate each comparison to the MSB extraction defined as follows. Suppose we have two features $x_{1}$ , $x_{2}$ . The MSB extraction is defined as $\begin{matrix} b \leftarrow MSB (x_{1} - x_{2}) = \{\begin{matrix} 0 & if x_{1} ⩾ x_{2} \\ 1 & if x_{1} < x_{2} . \end{matrix} \end{matrix}$ Then, finding the maximum $max (x_{1}, x_{2})$ (or the minimum $min (x_{1}, x_{2})$ ) is reformulated as $\begin{matrix} max (x_{1}, x_{2}) = b \cdot (x_{2} - x_{1}) + x_{1}; min (x_{1}, x_{2}) = b \cdot (x_{1} - x_{2}) + x_{2} . \end{matrix}$ The sign of a feature x is calculated via $\begin{matrix} sign (x) = 1 - 2 MSB (x) = \{\begin{matrix} 1 & if x ⩾ 0 \\ - 1 & if x < 0 . \end{matrix} \end{matrix}$

Note that similar philosophy has also been adopted in the preliminary version of our paper [51], yet prior solution requires two multiplications for each comparison (i.e., $max (x_{1}, x_{2}) = (1 - b) \cdot x_{1} + b \cdot x_{2}$ ), whereas our newly proposed reformulation involves only one multiplication. Such an improvement is non-trivial, since a typical neural network usually requires a million and even billion scale of the number of comparison operations. With the above reformulation, the most challenging computation is how to securely extract the MSB in the secret sharing domain. We resort to a communication-optimized construction of the secure $MSB$ extraction function. Details are presented in this subsequent section.

Communication-optimized secure MSB extraction. The secure $MSB (\cdot)$ extraction function is used to securely extract the MSB of an additive-shared data $⟨ x ⟩$ and generate a boolean-shared MSB $⟦ x_{ℓ} ⟧$ , where ℓ is the bit length. The key idea is to efficiently extract the MSB in the secret sharing domain. CryptMed’s proposed design is built upon an practical and communication-optimized construction [51], which realizes the MSB extraction via carry look-ahead adder logic. By taking advantage of the parallel prefix adder [28] (PPA), such a construction can securely produce the MSB in logarithm round complexity $O (log ℓ)$ in the secret sharing domain.

Fig. 3.

A concrete example of 8-bit parallel prefix adder and the corresponding binary operator.

The construction of the PPA-based MSB extraction is introduced as follows. The staring point is to view the two shares of an ℓ-bit value x as two inputs of the PPA. To do so, we decompose the secret shares ${⟨ x ⟩}_{0}$ , ${⟨ x ⟩}_{1}$ as two bit strings $e = {e_{ℓ}, \dots, e_{1}}$ and $f = {f_{ℓ}, \dots, f_{1}}$ , respectively. Afterwards, an ℓ-bit PPA is used to calculate $x = e + f (mod 2^{ℓ})$ via a series of binary additions ${e_{i}} + {f_{i}}$ and pop out the carry bits $c_{ℓ}, \dots, c_{1}$ . In this way, the MSB can be produced as $x_{ℓ} = c_{ℓ} \oplus e_{ℓ} \oplus f_{ℓ}$ . We provide a concrete example of 8-bit PPA in Fig. 3 and introduce the details of an ℓ-bit PPA realization as follows.

The first step is to calculate the initial signal tuple ( $p_{i}^{0}$ , $g_{i}^{0}$ ): the carry generate signal $g_{i}^{0}$ and the carry propagate signal $p_{i}^{0}$ in parallel via $g_{i}^{0} = e_{i} \cdot f_{i}$ and $p_{i}^{0} = e_{i} + f_{i}$ .

The second step is to produce the rest signal tuples $(p_{i}^{1}, g_{i}^{1}) \dots (p_{i}^{log ℓ}, g_{i}^{log ℓ})$ via a binary operator ⊙. Given $(g_{{in}_{1}}, p_{{in}_{1}})$ , $(g_{{in}_{2}}, p_{{in}_{2}})$ are the inputted two adjacent signal tuples, and $(g_{out}, p_{out})$ is the outputted single tuple. Each binary operator is defined as $(g_{out}, p_{out}) = (g_{{in}_{1}}, p_{{in}_{1}}) ⊙ (g_{{in}_{2}}, p_{{in}_{2}})$ , where $g_{out} = g_{{in}_{2}} + g_{{in}_{1}} \cdot p_{{in}_{2}}$ and $p_{out} = p_{{in}_{2}} \cdot p_{{in}_{1}}$ . Such a binary operation is recursively performed over the input tuples, and the outputted signal tuples is propagated to the next layer’s nodes as inputs, until reaching the $log ℓ$ layer.

The third step is to calculate the carry bits via $c_{i + 1} = (e_{i} \cdot f_{i}) + c_{i} \cdot (e_{i} + f_{i}) = c_{i + 1} = g_{i} + c_{i} \cdot p_{i}$ .

Finally, the most significant carry bit can be generated via $c_{ℓ} = g_{ℓ - 1} + (p_{ℓ - 1} \cdot g_{ℓ - 2}) + \dots + (p_{ℓ - 1} \dots p_{2} \cdot g_{1})$ . The MSB is calculated as $x_{ℓ} = c_{ℓ} \oplus e_{ℓ} \oplus f_{ℓ}$ .

With the above PPA-based MSB construction in mind, we present details of the secure $MSB$ extraction function in what follows. On each neuron, it takes as input the arithmetic shared integer feature $⟨ x ⟩ \in Z_{2^{ℓ}}$ , and produces the boolean shared MSB $⟦ x_{ℓ} ⟧ \in Z_{2}$ as output. The hospital (denoted as $P_{0}$ ) and the medical service (denoted as $P_{1}$ ) jointly compute the function $⟦ x_{ℓ} ⟧ \leftarrow MSB (⟨ x ⟩)$ as follows:

Decompose $⟨ x ⟩$ into bit strings:

$P_{0}$ sets e as ${⟨ x ⟩}_{0}$ , and decomposes it to bit string $e \to e_{ℓ}, \dots, e_{1}$ ;

$P_{1}$ sets f as ${⟨ x ⟩}_{1}$ , and decomposes it to bit string $f \to f_{ℓ}, \dots, f_{1}$ .

For each $k \in [1, ℓ]$ , $P_{0}$ sets ${⟦ e_{k} ⟧}_{0} = e_{k}$ and ${⟦ f_{k} ⟧}_{0} = 0$ ; $P_{1}$ sets ${⟦ e_{k} ⟧}_{1} = 0$ and ${⟦ f_{k} ⟧}_{1} = f_{k}$ .

Compute signal tuples $(g, p)$ : $⟦ g_{k}^{0} ⟧ = ⟦ e_{k} ⟧ \cdot ⟦ f_{k} ⟧$ , $⟦ p_{k}^{0} ⟧ = ⟦ e_{k} ⟧ + ⟦ f_{k} ⟧$ .

Compute PPA:

Round $R = 1$ :

$P_{0}$ and $P_{1}$ set $(⟦ g_{1}^{1} ⟧, ⟦ p_{1}^{1} ⟧) = (⟦ g_{1}^{0} ⟧, ⟦ p_{1}^{0} ⟧)$ as a dummy node.

For each $k \in [2, ℓ / 2]$ , let ${in}_{1} = 2 k - 2$ , ${in}_{2} = 2 k - 1$ . $P_{0}$ and $P_{1}$ compute $(⟦ g_{k}^{1} ⟧, ⟦ p_{k}^{1} ⟧) = (⟦ g_{{in}_{1}}^{0} ⟧, ⟦ p_{{in}_{1}}^{0} ⟧) ⊙ (⟦ g_{{in}_{2}}^{0} ⟧, ⟦ p_{{in}_{2}}^{0} ⟧)$ .

Round $R = 2, \dots, log ℓ$ :

For each $k \in [1, ℓ / 2^{R}]$ , let ${in}_{1} = 2 k - 1$ , ${in}_{2} = 2 k$ . $P_{0}$ and $P_{1}$ compute $(⟦ g_{k}^{R} ⟧, ⟦ p_{k}^{R} ⟧) = (⟦ g_{{in}_{1}}^{R - 1} ⟧, ⟦ p_{{in}_{1}}^{R - 1} ⟧) ⊙$ $(⟦ g_{{in}_{2}}^{R - 1} ⟧, ⟦ p_{{in}_{2}}^{R - 1} ⟧)$ .

Compute MSB: $P_{0}$ and $P_{1}$ set $⟦ c_{ℓ} ⟧ = ⟦ g_{1}^{log ℓ} ⟧$ , $⟦ x_{ℓ} ⟧ = ⟦ p_{ℓ}^{0} ⟧ + ⟦ c_{ℓ} ⟧$ .

Secure B2A function. Recall that in CryptMed, our proposed secure comparison function is formulated via the above proposed secure

MSB

extraction. For example, finding the minimum between two features

x_{1}

x_{2}

is formulated as

min (x_{1}, x_{2}) \to MSB (x) \cdot (x_{1} - x_{2}) + x_{2}

. The secure realization of such a formula requires secure share conversion when securely multiplying

MSB (x)

with

(x_{1} - x_{2})

. Namely, the boolean-shared

⟦ MSB (x) ⟧ \in Z_{2}

needs to be firstly converted into its corresponding additive shares

⟨ MSB (x) ⟩ \in Z_{2^{ℓ}}

. Afterwards, the additively-shared MSB can multiply with the additive shares

⟨ (x_{1} - x_{2}) ⟩ \in Z_{2^{ℓ}}

CryptMed resorts to the standard secure boolean-to-additive shares conversion construction (i.e., $B 2 A$ ) [48,87]. The aim is to convert any boolean shares $⟦ x ⟧ \in Z_{2}$ to its additive shares $⟨ x ⟩ \in Z_{2^{ℓ}}$ . Given two parties, the hospital (denoted as $P_{0}$ ) and the medical service (denoted as $P_{1}$ ), the secure $B 2 A$ function is computed as follow:

$P_{0}$ sets ${{⟨ e ⟩}_{0} = ⟦ x ⟧}_{0}$ , ${⟨ f ⟩}_{0} = 0$ , and $P_{1}$ sets ${⟨ e ⟩}_{1} = 0$ , ${{⟨ f ⟩}_{1} = ⟦ x ⟧}_{1}$ ;

$P_{0}$ and $P_{1}$ compute $⟨ x ⟩ = ⟨ e ⟩ + ⟨ f ⟩ - 2 \cdot ⟨ e ⟩ \cdot ⟨ f ⟩$ .

5.3. Secure comparison based activation functions

CryptMed targets on four popular comparison-based activation functions, i.e., ReLU and its variants ReLU6 and Leaky ReLU, and the conventional Binary activation function, as summarized in Table 3. CryptMed manages to convert their cleartext functionalities into the MSB extraction based constructions. Through careful customizing, we propose efficient and lightweight realizations of secure $ReLU$ function, secure $ReLU 6$ function, secure $LeakyReLU$ function, and secure $Binary$ function that are purely based on secret sharing techniques. In what follows, we present the details of their secure constructions.

5.3.1. Secure ReLU activation function

In CryptMed, we reformulate the ReLU activation to a simpler MSB extraction problem that can be efficiently evaluated in the secret sharing domain. Given the feature x on each neuron outputted from the preceding linear layer, it is reformulated into an MSB extraction based construction via $\begin{matrix} ReLU (x) = max (x, 0) \overset{tranform}{\to} \neg MSB (x) \cdot x = \{\begin{matrix} 1 \cdot x & if x ⩾ 0 \\ 0 \cdot x & if x < 0 . \end{matrix} \end{matrix}$ Such a reformulated construction comprises of four atomic steps: the secure $MSB (x)$ extraction, the secure NOT (i.e., ¬ operation), the secure $B 2 A$ to convert the boolean-shared MSB into additive shares, and the secure multiplication. All these steps can be efficiently realized by CryptMed’s secure linear and non-linear functions. Without loss of generality, we demonstrate the secure $ReLU$ function over single feature element x on each neuron. Given the shares of a single input feature $⟨ x ⟩$ , the hospital (denoted as $P_{0}$ ) and the medical service (denoted as $P_{1}$ ) jointly compute the secure $ReLU$ function as follows:

$P_{0}$ and $P_{1}$ run to get $⟦ b ⟧ \leftarrow MSB (⟨ x ⟩)$ .

$P_{i}$ computes the NOT operation $⟦ c ⟧ = ⟦ b ⟧ + i$ .

$P_{0}$ and $P_{1}$ run to get the additively shared NOT MSB $⟨ c ⟩ \leftarrow B 2 A (⟦ c ⟧)$ .

$P_{0}$ and $P_{1}$ produce the $ReLU$ activation $⟨ z ⟩ = ⟨ c ⟩ \cdot ⟨ x ⟩$ .

5.3.2. Secure ReLU6 activation function

The ReLU6 activation function is a variant of the ReLU that clips the weights between 0 and 6. Given the feature x on each neuron, the MSB extraction based ReLU6 is converted via $\begin{array}{l} ReLU 6 (x) & = min (max (0, x), 6) = \{\begin{matrix} x & if 6 ⩾ x > 0 \\ 0 & if x ⩽ 0 \\ 6 & if x > 6 \end{matrix} \\ \to transform (\underset{c_{1}}{\underset{︸}{\neg MSB (x - 6)}} \cdot 6) + (\underset{c_{2}}{\underset{︸}{MSB (x - 6) \cdot \neg MSB (x)}} \cdot x) . \end{array}$ Similar to ReLU, such a construction can be efficiently realized in the secret sharing domain via CryptMed’s secure linear and non-linear functions. Given the additive shares of each neuron’s feature $⟨ x ⟩$ , the hospital $P_{0}$ and the medical service $P_{1}$ jointly compute the secure $ReLU 6$ function as follows:

$P_{0}$ and $P_{1}$ run to get the MSB $⟦ b_{1} ⟧ \leftarrow MSB (⟨ x ⟩)$ and $⟦ b_{2} ⟧ \leftarrow MSB (⟨ x ⟩ - 6)$ .

$P_{0}$ and $P_{1}$ compute the control bits $⟦ c_{1} ⟧ = ⟦ b_{2} ⟧ + i$ and $⟦ c_{2} ⟧ = (⟦ b_{1} ⟧ + i) \cdot ⟦ b_{2} ⟧$ .

$P_{0}$ and $P_{1}$ run to get the additively shared control bits $⟨ c_{1} ⟩ \leftarrow B 2 A (⟦ c_{1} ⟧)$ and $⟨ c_{2} ⟩ \leftarrow B 2 A (⟦ c_{2} ⟧)$ .

$P_{0}$ and $P_{1}$ produce the $ReLU 6$ activation $⟨ z ⟩ = 6 \cdot ⟨ c_{1} ⟩ + ⟨ c_{2} ⟩ \cdot ⟨ x ⟩$ .

5.3.3. Secure leaky ReLU function

Given the feature x on each neuron, CryptMed reformulates the Leaky ReLU into the MSB extraction based construction via $\begin{array}{l} LeakyReLU (x) & = max (0.01 x, x) = \{\begin{matrix} x & if x > 0 \\ 0.01 x & if x ⩽ 0 \end{matrix} \\ \overset{transform}{\to} (MSB (x) \cdot (x - 100 x) + 100 x) \cdot 1 / 100. \end{array}$ Similar to other comparison-based activation functions, the reformulated Leaky ReLU can be realized via CryptMed’s secure functions. Specifically, given the additive shares of each neuron’s feature $⟨ x ⟩$ , the hospital $P_{0}$ and the medical service $P_{1}$ jointly compute the secure $LeakyReLU$ function as follows:

$P_{0}$ and $P_{1}$ run to get the MSB $⟦ b ⟧ \leftarrow MSB (⟨ x ⟩)$ .

$P_{0}$ and $P_{1}$ run to get the additively shared MSB $⟨ b ⟩ \leftarrow B 2 A (⟦ b ⟧)$ .

$P_{0}$ and $P_{1}$ produce the $LeakyReLU$ activation $⟨ z ⟩ = ⌊ (⟨ b ⟩ \cdot ⟨ x ⟩ \cdot (- 99) + ⟨ x ⟩ \cdot 100) / 100 ⌋$ .

5.3.4. Secure binary activation function

Given the feature x on each neuron, CryptMed converts the Binary activation function into an MSB extraction based construction as follows $\begin{matrix} Binary (x) = \{\begin{matrix} 1 & if x ⩾ 0 \\ 0 & if x < 0 \end{matrix} \overset{transform}{\to} \neg MSB (x) . \end{matrix}$ Such a construction can be efficiently realized via CryptMed’s secure linear and non-linear functions. Given the additive shares of each neuron’s feature $⟨ x ⟩$ , the hospital $P_{0}$ and the medical service $P_{1}$ jointly compute the secure $Binary$ function as follows:

$P_{0}$ and $P_{1}$ run to get $⟦ \neg b ⟧ \leftarrow MSB (⟨ x ⟩) + i$ .

$P_{0}$ and $P_{1}$ run to get the additively shared NOT MSB as the $Binary$ activation $⟨ z ⟩ \leftarrow B 2 A (⟦ \neg b ⟧)$ .

5.4. Secure smooth activation functions

The smooth activation functions make non-trivial usages in deep learning. As shown in Table 3, CryptMed focuses on three widely-adopted smooth activation functions, i.e., sigmoid, tanh, and ELU. They are vital building blocks in a variety of machine learning and deep learning paradigms for medical diagnoses, like medical time series predictions [79] and medical imaging denoising [86].

CryptMed’s secure smooth activation functions are tailored from two precise and cryptography-friendly approximations: the polynomial piecewise approximations (PLAs) and the SQNL activation function family. We provide a high-level overview of our insights below.

Piecewise linear approximations. Our first insight is to make use of the PLAs from the field of digital circuit design [46,73,74,86]. They are non-linear and low-degree polynomials with quantitative performance. With these approximations, we propose the secure ${tanh}_{PLA}$ function and secure ${sigmoid}_{PLAN 2}$ function. They are efficient and accurate realizations of the tanh and the sigmoid functions in the secret sharing domain. We note that prior work [57,58,61] also makes use of the PLA approximation. However, during our experiments, we observed that their proposed approximation could induce the severe ‘vanishing gradient problem’, which makes the NNs quite imprecise. More details are given later.

Replacements with SQNL-family. Our second insight is to leverage the SQNL-family [79,80] from deep learning literature. Instead of a vanilla approximation, the SQNL-family is a suite of new activation functions demonstrating promising accuracy over comprehensive empirical evaluations. It utilizes the universal approximation theorem [30,31] and introduces a quadratic non-linearity. With such an observation, CryptMed devises the secure ${tanh}_{SQNL}$ function, secure ${sigmoid}_{LogSQNL}$ function, and the secure ${ELU}_{SQLU}$ function for the tanh, sigmoid, and ELU activation functions. In this subsequent sections, we provide the details of their constructions.

5.4.1. Secure tanh function

As defined in Table 3, the tanh function involves exponentiation and division operations that are prohibitively expensive to be evaluated in secure domain. In CryptMed, we propose the secure ${tanh}_{PLA}$ function and the secure ${tanh}_{SQNL}$ function that demonstrate promising precision as plotted in Fig. 4.

Secure ${tanh}_{PLA}$ function. The ${tanh}_{PLA}$ function is a piecewise polynomial approximation resorting to the non-linear and low-degree approximation [46,86]. Such a PLA has quantitative performance, where the average error and the maximum error are $E_{ave} = 0.41 %$ and $E_{max} = 2.2 %$ , respectively. Given the feature on each neuron x, the cleartext functionality can be reformulated to an MSB extraction based construction via $\begin{array}{l} {tanh}_{PLA} (x) \\ = \{\begin{matrix} sign (x) \cdot (- 0.2716 x^{2} + | x | + 0.016) & if | x | ⩽ 0.016 \\ sign (x) \cdot (- 0.0848 x^{2} + 0.42654 | x | + 0.4519) & if 0.016 ⩽ | x | < 2.57 \\ sign (x) & if | x | ⩾ 2.57 \end{matrix} \\ (1) & \overset{transform}{\to} \underset{c_{1}}{\underset{︸}{\overset{b_{1}}{\overset{︷}{MSB (100 x - 257)}} \cdot \neg \overset{b_{3}}{\overset{︷}{MSB (125 x - 2)}}}} \cdot \underset{c}{\underset{︸}{sign (x)}} \cdot (- 10 x^{2} + 51 x + 54) / 120 \\ (2) & + \underset{c_{2}}{\underset{︸}{\neg \overset{b_{2}}{\overset{︷}{MSB (100 x + 257)}} \cdot \overset{b_{4}}{\overset{︷}{MSB (125 x + 2)}}}} \cdot sign (x) \cdot (- 10 x^{2} - 51 x + 54) / 120 \\ (3) & + \underset{c_{3}}{\underset{︸}{\neg MSB (125 x + 2) \cdot MSB (125 x - 2)}} \cdot sign (x) \cdot (- 27 x^{2} + 125 sign (x) \cdot x + 2) / 125 \\ (4) & + \underset{c_{4}}{\underset{︸}{\neg MSB (100 x - 257)}} \cdot sign (x) + MSB (100 x + 257) \cdot sign (x) . \end{array}$ Such a reformulated construction can be viewed as five polynomials, and each of them is triggered by a control bit. Each control bit indicates the certain threshold x located in and is derived from the MSBs of the comparison results. For example, the first polynomial in Eq. (1) is defined as $sign (x) \cdot (- 10 x^{2} + 51 x + 54) / 120$ and is triggered by the control bit $c_{1}$ . That is to say, when $0.016 ⩽ x < 2.57$ , then $c_{1} = 1$ , and the other control bits are ‘0’s, and thus the tanh activation of x is produced based on above polynomial. In addition, the control bit $c_{1}$ stems from the MSBs of two comparison results: the MSB $b_{1} = 1$ indicates $x < 2.57$ and the MSB $b_{3} = 0$ indicates $x ⩾ 0.016$ . Note that the control bit of the last polynomial in Eq. (4) is the MSB $b_{2}$ .

Fig. 4.

The tanh function and its approximation.

To this end, we present the secure realization of the secure ${tanh}_{PLA}$ function based on above reformulation. Given the additive shares of each neuron’s feature $⟨ x ⟩$ , the hospital $P_{0}$ and the medical service $P_{1}$ jointly compute the secure ${tanh}_{PLA}$ function as follows:

$P_{0}$ and $P_{1}$ run to get the MSB $⟦ b ⟧ \leftarrow MSB (⟨ x ⟩)$ , $⟦ b_{1} ⟧ \leftarrow MSB (100 ⟨ x ⟩ - 257)$ , $⟦ b_{2} ⟧ \leftarrow MSB (100 ⟨ x ⟩ + 257)$ , $⟦ b_{3} ⟧ \leftarrow MSB (125 ⟨ x ⟩ - 2)$ , $⟦ b_{4} ⟧ \leftarrow MSB (125 ⟨ x ⟩ + 2)$ .

$P_{0}$ and $P_{1}$ compute the control bits $⟦ c_{1} ⟧ = ⟦ b_{1} ⟧ \cdot (⟦ b_{3} ⟧ + i)$ , $⟦ c_{2} ⟧ = ⟦ b_{4} ⟧ \cdot (⟦ b_{2} ⟧ + i)$ , $⟦ c_{3} ⟧ = ⟦ b_{3} ⟧ \cdot (⟦ b_{4} ⟧ + i)$ , and $⟦ c_{4} ⟧ = ⟦ b_{1} ⟧ + i$ .

$P_{0}$ and $P_{1}$ run to get the additively shared bits $⟨ b ⟩ \leftarrow B 2 A (⟦ b ⟧)$ , $⟨ c_{1} ⟩ \leftarrow B 2 A (⟦ c_{1} ⟧)$ , $⟨ c_{2} ⟩ \leftarrow B 2 A (⟦ c_{2} ⟧)$ , $⟨ c_{3} ⟩ \leftarrow B 2 A (⟦ c_{3} ⟧)$ , $⟨ c_{4} ⟩ \leftarrow B 2 A (⟦ c_{4} ⟧)$ , and $⟨ b_{2} ⟩ \leftarrow B 2 A (⟦ b_{2} ⟧)$ .

$P_{0}$ and $P_{1}$ compute the sign bit $⟨ c ⟩ = 1 - 2 \cdot ⟨ b ⟩$ .

$P_{0}$ and $P_{1}$ compute the Eq. (1) via $⟨ z_{1} ⟩ = ⟨ c_{1} ⟩ \cdot ⟨ c ⟩ \cdot ⌊ (- 10 ⟨ x ⟩ \cdot ⟨ x ⟩ + 51 ⟨ x ⟩ + 54) / 120 ⌋$ .

$P_{0}$ and $P_{1}$ compute the Eq. (2) via $⟨ z_{2} ⟩ = ⟨ c_{2} ⟩ \cdot ⟨ c ⟩ \cdot ⌊ (- 10 ⟨ x ⟩ \cdot ⟨ x ⟩ - 51 ⟨ x ⟩ + 54) / 120 ⌋$ .

$P_{0}$ and $P_{1}$ compute the Eq. (3) via $⟨ z_{3} ⟩ = ⟨ c_{3} ⟩ \cdot ⟨ c ⟩ \cdot ⌊ (- 27 ⟨ x ⟩ \cdot ⟨ x ⟩ + 125 \cdot ⟨ c ⟩ ⟨ x ⟩ + 2) / 125 ⌋$ .

$P_{0}$ and $P_{1}$ compute the Eq. (4) via $⟨ z_{4} ⟩ = ⟨ c_{4} ⟩ \cdot ⟨ c ⟩ + ⟨ b_{2} ⟩ \cdot ⟨ c ⟩$ .

$P_{0}$ and $P_{1}$ produce the ${tanh}_{PLA}$ activation $⟨ z ⟩ = ⟨ z_{1} ⟩ + ⟨ z_{2} ⟩ + ⟨ z_{3} ⟩ + ⟨ z_{4} ⟩$ .

Secure

{tanh}_{SQNL}

function. The

{tanh}_{SQNL}

function uses the SQNL-family [79] demonstrating promising accuracy over comprehensive empirical evaluations. Given the feature on each neuron x, the cleartext functionality can be reformulated to an MSB extraction based construction via

\begin{array}{l} {tanh}_{SQNL} (x) & = \{\begin{matrix} 1 & if x > 2 \\ x - 0.25 \cdot sign (x) \cdot x^{2} & if - 2 ⩽ x < 2 \\ - 1 & if x < - 2 \end{matrix} \\ \overset{transform}{\to} \underset{c_{1}}{\underset{︸}{MSB (x - 2) \cdot \neg MSB (x + 2)}} \cdot ⌊ (4 x - \underset{c}{\underset{︸}{sign (x)}} \cdot x^{2}) / 4 ⌋ \\ (5) & + \underset{c_{2}}{\underset{︸}{\neg MSB (x - 2)}} - MSB (x + 2) . \end{array}

Such a construction consists of three polynomials that are triggered by the control bits

c_{1}

c_{2}

, and the

MSB (x + 2)

indicating the thresholds

- 2 ⩽ x < 2

x > 2

, and

x < - 2

, respectively. Each control bit is derived from the MSBs of comparing x with the threshold boundaries.

With the above reformulation and the additive shares of each neuron’s feature $⟨ x ⟩$ , the hospital $P_{0}$ and the medical service $P_{1}$ jointly compute the secure ${tanh}_{SQNL}$ function as follows:

$P_{0}$ and $P_{1}$ run to get the MSB $⟦ b ⟧ \leftarrow MSB (⟨ x ⟩)$ , $⟦ b_{1} ⟧ \leftarrow MSB (⟨ x ⟩ - 2)$ , and $⟦ b_{2} ⟧ \leftarrow MSB (⟨ x ⟩ + 2)$ .

$P_{0}$ and $P_{1}$ compute the control bits $⟦ c_{1} ⟧ = ⟦ b_{1} ⟧ \cdot (⟦ b_{2} ⟧ + i)$ and $⟦ c_{2} ⟧ = ⟦ b_{1} ⟧ + i$ .

$P_{0}$ and $P_{1}$ run to get the additively shared bits $⟨ b ⟩ \leftarrow B 2 A (⟦ b ⟧)$ , $⟨ c_{1} ⟩ \leftarrow B 2 A (⟦ c_{1} ⟧)$ , $⟨ c_{2} ⟩ \leftarrow B 2 A (⟦ c_{2} ⟧)$ , and $⟨ b_{2} ⟩ \leftarrow B 2 A (⟦ b_{2} ⟧)$ .

$P_{0}$ and $P_{1}$ compute the sign bit $⟨ c ⟩ = 1 - 2 \cdot ⟨ b ⟩$ .

$P_{0}$ and $P_{1}$ produce the ${tanh}_{SQNL}$ activation $⟨ z ⟩ = ⟨ c_{1} ⟩ \cdot ⌊ (4 ⟨ x ⟩ - ⟨ c ⟩ \cdot ⟨ x ⟩ \cdot ⟨ x ⟩) / 4 ⌋ + ⟨ c_{2} ⟩ - ⟨ b_{2} ⟩$ .

5.4.2. Secure sigmoid function

The sigmoid function, as defined in Table 3, comprises the exponentiation and division operations which are knowingly computational extensive by a secure two-party computation protocol [22,47,63].

Table 4
Vanishing gradient problem of the ${sigmoid}_{CRI}$ approximation

sigmoid ${sigmoid}_{CRI}$ ${sigmoid}_{PLAN 2}$ ${sigmoid}_{LogSQNL}$

Thyroid 81.47% 5.16 ∼ 9.88% 86.55% 85.85%

MNIST 96.44% 11.35% 91.41% 96.75%

CIFAR-10 47.87% 10.03% 47.87% 59.08%

	sigmoid	${sigmoid}_{CRI}$	${sigmoid}_{PLAN 2}$	${sigmoid}_{LogSQNL}$
Thyroid	81.47%	5.16 ∼ 9.88%	86.55%	85.85%
MNIST	96.44%	11.35%	91.41%	96.75%
CIFAR-10	47.87%	10.03%	47.87%	59.08%

Fig. 5.

The sigmoid function and its approximations.

Prior work [57,58,61] leverages the first-order PLA to approximate the sigmoid function denoted as $\begin{matrix} {sigmoid}_{CRI} (x) = \{\begin{matrix} 0 & if x < - 1 / 2 \\ x + 1 / 2 & if - 1 / 2 ⩽ x < 1 / 2 \\ 1 & if 1 / 2 ⩽ x . \end{matrix} \end{matrix}$ Such an approximation seems plausible. However, in our experiments, we observed that the ${sigmoid}_{CRI} (x)$ approximation could introduce severe ‘vanishing gradient problem’ making the NNs hardly converge during training. As a consequence, the prediction accuracy of the trained NNs is quit undesired, particularly when dealing with complex datasets. Table 4 showcases the vanishing gradient problem of the ${sigmoid}_{CRI} (x)$ approximation in our experiments.

Instead, CryptMed takes advantage of the insights from the field of digital circuit design [73,74] and the machine learning literature [79,80] to propose more precise approximations, i.e., the second-order PLA ( ${sigmoid}_{PLAN 2}$ ) and the SQNL-family replacement ( ${sigmoid}_{LogSQNL}$ ). Figure 5 illustrates the approximations of sigmoid used in CryptMed and the ${sigmoid}_{CRI}$ used in prior art. Note that, all these approximations can be converted to the MSB extraction based functions and can be efficiently evaluated in the secret sharing domain. In this subsequent section, we expatiate on the secure ${sigmoid}_{PLAN 2}$ function and secure ${sigmoid}_{LogSQNL}$ function.

Secure ${sigmoid}_{PLAN 2}$ function. The ${sigmoid}_{PLAN 2}$ function is a non-linear and second-order approximation [73,74] of the sigmoid function, where the average error and the maximum error are quantified as $E_{ave} = 0.41 %$ and $E_{max} = 2.2 %$ , respectively. Given the feature on each neuron x, the cleartext functionality can be converted to an MSB extraction based construction via $\begin{array}{l} {sigmoid}_{PLAN 2} (x) & = \{\begin{matrix} \neg MSB (x) & if | x | ⩾ 4 \\ - sign (x) \cdot 0.03125 x^{2} + 0.25 x + 0.5 & if 0 ⩽ | x | < 4 \end{matrix} \\ \overset{transform}{\to} \underset{c_{1}}{\underset{︸}{MSB (x - 4) \cdot \neg MSB (x + 4)}} \cdot ⌊ (- \underset{c}{\underset{︸}{sign (x)}} \cdot x^{2} + 8 x + 16) / 32 ⌋ \\ (6) & + \underset{c_{2}}{\underset{︸}{\neg MSB (x - 4)}} . \end{array}$ It comprises two polynomials that are triggered by the control bits $c_{1}$ and $c_{2}$ indicating the thresholds $- 4 < x < 4$ , and $x ⩾ 4$ , respectively. Note that here we prune off the threshold $x ⩽ - 4$ , since the polynomial keeps zero ( $\neg MSB (x) \cdot c_{2} = 0$ ) in such a threshold.

Given above reformulation and the additive shares of each neuron’s feature $⟨ x ⟩$ , the hospital $P_{0}$ and the medical service $P_{1}$ jointly compute the secure ${sigmoid}_{PLAN 2}$ function as follows:

$P_{0}$ and $P_{1}$ run to get the MSB $⟦ b ⟧ \leftarrow MSB (⟨ x ⟩)$ , $⟦ b_{1} ⟧ \leftarrow MSB (⟨ x ⟩ - 4)$ , and $⟦ b_{2} ⟧ \leftarrow MSB (⟨ x ⟩ + 4)$ .

$P_{0}$ and $P_{1}$ compute the control bits $⟦ c_{1} ⟧ = ⟦ b_{1} ⟧ \cdot (⟦ b_{2} ⟧ + i)$ and $⟦ c_{2} ⟧ = ⟦ b_{1} ⟧ + i$ .

$P_{0}$ and $P_{1}$ run to get $⟨ b ⟩ \leftarrow B 2 A (⟦ b ⟧)$ , $⟨ c_{1} ⟩ \leftarrow B 2 A (⟦ c_{1} ⟧)$ , and $⟨ c_{2} ⟩ \leftarrow B 2 A (⟦ c_{2} ⟧)$ .

$P_{0}$ and $P_{1}$ compute the sign bit $⟨ c ⟩ = 1 - 2 \cdot ⟨ b ⟩$ .

$P_{0}$ and $P_{1}$ produce the ${sigmoid}_{PLAN 2}$ activation $⟨ z ⟩ = ⟨ c_{1} ⟩ \cdot ⌊ (8 ⟨ x ⟩ - ⟨ c ⟩ \cdot ⟨ x ⟩ \cdot ⟨ x ⟩ + 16) / 32 ⌋ + ⟨ c_{2} ⟩$ .

Secure

{sigmoid}_{LogSQNL}

function. The

{sigmoid}_{LogSQNL}

function resorts to a new activation function LogSQNL from the SQNL-family [79,80], which is a precise replacement of the sigmoid function. Given the feature on each neuron x, the cleartext functionality and corresponding MSB extraction based construction are defined as follows

\begin{array}{l} {sigmoid}_{LogSQNL} (x) & = \{\begin{matrix} 1 & if x > 2 \\ 0.5 x - 0.125 \cdot sign (x) \cdot x^{2} + 0.5 & if - 2 ⩽ x < 2 \\ 0 & if x < - 2 \end{matrix} \\ \overset{transform}{\to} \underset{c_{1}}{\underset{︸}{MSB (x - 2) \cdot \neg MSB (x + 2)}} \cdot ⌊ (4 x - \underset{c}{\underset{︸}{sign (x)}} \cdot x^{2} + 4) / 8 ⌋ \\ (7) & + \underset{c_{2}}{\underset{︸}{\neg MSB (x - 2)}} . \end{array}

The MSB extraction based construction consists of two polynomials. They are activated by the control bits

c_{1}

and

c_{2}

when x in the thresholds

- 2 ⩽ x < 2

, and

x ⩾ 2

, respectively. Similar to the

{sigmoid}_{PLAN 2}

function, the polynomial in threshold

x < - 2

is trimmed due to its zero value. Given the additive shares of each neuron’s feature

⟨ x ⟩

, the hospital

P_{0}

and the medical service

P_{1}

jointly compute the secure

{sigmoid}_{LogSQNL}

function as follows:

$P_{0}$ and $P_{1}$ run to get the MSB $⟦ b ⟧ \leftarrow MSB (⟨ x ⟩)$ , $⟦ b_{1} ⟧ \leftarrow MSB (⟨ x ⟩ - 2)$ , and $⟦ b_{2} ⟧ \leftarrow MSB (⟨ x ⟩ + 2)$ .

$P_{0}$ and $P_{1}$ compute the control bits $⟦ c_{1} ⟧ = ⟦ b_{1} ⟧ \cdot (⟦ b_{2} ⟧ + i)$ and $⟦ c_{2} ⟧ = ⟦ b_{1} ⟧ + i$ .

$P_{0}$ and $P_{1}$ run to get $⟨ b ⟩ \leftarrow B 2 A (⟦ b ⟧)$ , $⟨ c_{1} ⟩ \leftarrow B 2 A (⟦ c_{1} ⟧)$ , and $⟨ c_{2} ⟩ \leftarrow B 2 A (⟦ c_{2} ⟧)$ .

$P_{0}$ and $P_{1}$ compute the sign bit $⟨ c ⟩ = 1 - 2 \cdot ⟨ b ⟩$ .

$P_{0}$ and $P_{1}$ produce the ${sigmoid}_{LogSQNL}$ activation $⟨ z ⟩ = ⟨ c_{1} ⟩ \cdot ⌊ (4 ⟨ x ⟩ - ⟨ c ⟩ \cdot ⟨ x ⟩ \cdot ⟨ x ⟩ + 4) / 8 ⌋ + ⟨ c_{2} ⟩$ .

5.4.3. Secure exponential linear units function

As Fig. 6 illustrates, CryptMed proposes the ${ELU}_{SQLU}$ function taking advantages of the SQLU function from the SQNL-family [79,80]. It is defined as follows $\begin{array}{l} {ELU}_{SQLU} (x) & = \{\begin{matrix} x & if x ⩾ 0 \\ x + 0.25 x^{2} & if - 2 ⩽ x ⩽ 0 \\ - 1 & if x < - 2 \end{matrix} \\ \overset{transform}{\to} \underset{c_{1}}{\underset{︸}{MSB (x) \cdot \neg MSB (x + 2)}} \cdot ⌊ (4 x + x^{2}) / 4 ⌋ \\ (8) & + \underset{c_{2}}{\underset{︸}{\neg MSB (x)}} \cdot x - MSB (x + 2) . \end{array}$ Given the additive shares of each neuron’s feature $⟨ x ⟩$ , the hospital $P_{0}$ and the medical service $P_{1}$ jointly compute the secure ${ELU}_{SQLU}$ activation function as follows:

$P_{0}$ and $P_{1}$ run to get the MSB $⟦ b_{1} ⟧ \leftarrow MSB (⟨ x ⟩)$ , $⟦ b_{2} ⟧ \leftarrow MSB (⟨ x ⟩ + 2)$ .

$P_{0}$ and $P_{1}$ compute the control bits $⟦ c_{1} ⟧ = ⟦ b_{1} ⟧ \cdot (⟦ b_{2} ⟧ + i)$ and $⟦ c_{2} ⟧ = ⟦ b_{1} ⟧ + i$ .

$P_{0}$ and $P_{1}$ run to get the additively shared bits $⟨ b_{2} ⟩ \leftarrow B 2 A (⟦ b_{2} ⟧)$ , $⟨ c_{1} ⟩ \leftarrow B 2 A (⟦ c_{1} ⟧)$ , and $⟨ c_{2} ⟩ \leftarrow B 2 A (⟦ c_{2} ⟧)$ .

$P_{0}$ and $P_{1}$ produce the ${ELU}_{SQLU}$ activation $⟨ z ⟩ = ⟨ c_{1} ⟩ \cdot ⌊ (4 ⟨ x ⟩ + ⟨ x ⟩ \cdot ⟨ x ⟩) / 4 ⌋ + ⟨ c_{2} ⟩ \cdot ⟨ x ⟩ - ⟨ b_{2} ⟩$ .

Fig. 6.

The ELU activation function and its approximation.

5.5. Secure pooling layers

The MaxPool layer $max (x_{1}, \dots, x_{n})$ (or MinPool $min (x_{1}, \dots, x_{n})$ ) can be views as the pairwise maximum (or minimum) over features within the n-width pooling window. They can be realized based on the secure $MSB (\cdot)$ extraction as follows: $\begin{array}{l} b \leftarrow MSB (x_{1} - x_{2}); / / b = 0, x_{1} ⩾ x_{2}; b = 1, x_{1} < x_{2} \\ z = max (x_{1}, x_{2}) = b \cdot (x_{2} - x_{1}) + x_{1}; z = min (x_{1}, x_{2}) = b \cdot (x_{1} - x_{2}) + x_{2} . \end{array}$ Based on above equations, given the secret shares of features $⟨ x_{1} ⟩, \dots, ⟨ x_{n} ⟩$ , the hospital $P_{0}$ and the medical service $P_{1}$ perform the secure MaxPool (or MinPool) function as follows:

For $k \in [1, n - 1]$ :

$P_{0}$ and $P_{1}$ run to get $⟦ b ⟧ \leftarrow MSB (⟨ x_{k} ⟩ - ⟨ x_{k + 1} ⟩)$ .

$P_{0}$ and $P_{1}$ run to get additively shared MSB $⟨ b ⟩ \leftarrow B 2 A (⟦ b ⟧)$ .

$P_{0}$ and $P_{1}$ compute the maximum value $⟨ z_{k} ⟩ = ⟨ b ⟩ \cdot (⟨ x_{k + 1} ⟩ - ⟨ x_{k} ⟩) + ⟨ x_{k} ⟩$ ; or the minimum value $⟨ z_{k} ⟩ = ⟨ b ⟩ \cdot (⟨ x_{k} ⟩ - ⟨ x_{k + 1} ⟩) + ⟨ x_{k + 1} ⟩$ . $P_{i}$ sets $⟨ x_{k + 1} ⟩ : = ⟨ z_{k} ⟩$ .

Finally, $P_{i}$ outputs the shares ${⟨ z_{n} ⟩}_{i}$ as MaxPool (or MinPool) result.

The average pooling layer

⌊ (x_{1} + \dots + x_{n}) / n ⌋

can be directly computed over additive secret shares via secure addition, where n is a cleartext hyper-parameter.

5.6. Security analysis

In this section, we present a comprehensive security analysis of CryptMed’s secure inference protocol in the semi-honest adversary model. CryptMed’s core secure inference protocol is devised based on standard additive secret sharing techniques [5,26], where all the input data (i.e., medical data, neural network model) are perfectly protected as additive secret shares that are uniformly distributed in ring $Z_{2^{ℓ}}$ . Besides, during CryptMed’s protocol execution, any message transcriptions are supported by standard Beaver’s multiplication/AND procedure [8] as uniformly distributed secret shares. CryptMed provides stringent cryptographic guarantees throughout the service procedure, where only the prescribed inference result can be learned by the hospital. Nothing else about each party’s private input can be deduced from the counterparty beyond what is revealed from the inference result. In what follows, we formally define the ideal functionality $F^{CryptMed}$ , security definition, and the security proof of CryptMed’s secure NN inference protocol under the ideal/real world paradigm.

Definition 1.
The ideal functionality $F^{CryptMed}$ of CryptMed’s secure deep neural network inference consists of the following parts:
Input. The medical service submits the DNN model $W$ and the hospital submits the medical record X to $F^{CryptMed}$ .

Computation. Upon receiving $W$ and X, $F^{CryptMed}$ conducts DNN inference and produces the inference result $W (X)$ .

Output. $F^{CryptMed}$ outputs $W (X)$ only to the hospital, and returns no information to the medical service.

Given the ideal functionality, we formally define the security definition. Definition 2.
A protocol Π securely realizes the $F^{CryptMed}$ if it provides the following guarantees in the presence of a probabilistic polynomial time (PPT) semi-honest adversary with static corruption:
Corrupted hospital. A corrupted semi-honest hospital $H$ should learn no information about the medical service’s DNN model weights except the hyper-parameters of model architecture. Formally, there should exit a PPT simulator $Si m_{H}$ that can simulate the view ${View}_{H}^{Π}$ of the corrupted hospital in real-world protocol execution: ${View}_{H}^{Π} \overset{c}{\approx} Si m_{H} (X, W (X))$ .

Corrupted medical service. A corrupted semi-honest medical service $S$ should learn no information about the medical record X submitted by the hospital. Formally, there should exist a PPT simulator $Si m_{S}$ that can simulate the view ${View}_{S}^{Π}$ of the corrupted medical service in real-world protocol execution: ${View}_{S}^{Π} \overset{c}{\approx} Si m_{S} (W)$ .

Theorem 1.
CryptMed’s secure deep neural network inference protocol securely emulates the ideal functionality $F^{CryptMed}$ under the Security Definition 2 .
Proof.
We present a simulator for the corrupted medical service or the corrupted hospital, in a way that the distribution of real-world protocol execution is computationally indistinguishable to the simulated distribution under our security definition.
Simulator for the corrupted hospital: Define the simulator of Beaver’s multiplication procedure is $Si m_{BM}$ . The emulated view is indistinguishable from the real-world view of the corrupted hospital $H$ in the multiplication procedure.

In the preprocessing phase of Π, the simulator of the corrupted hospital $Si m_{H}$ generates the randomness $r \overset{$}{\leftarrow} Z_{2^{ℓ}}$ to emulate the message $W - a^{1}$ in real-world protocol execution. Both messages are uniformly distributed in ring $Z_{2^{ℓ}}$ . Given the security of additive secret sharing, $H$ cannot distinguish the simulated message with the message received from real-world protocol execution. $H$ computes ${⟨ {\tilde{X}}_{2} ⟩}_{0} = a^{0} \cdot r + a^{2}$ and $u = a^{0}$ .

In the online phase of Π, $H$ inputs the secret shares of medical record $X - u$ or the activation ${⟨ {\bar{X}}_{i} ⟩}_{0} - u$ for secure linear layers and receives no messages for the linear layers. $Si m_{H}$ works in a dummy way by directly outputting inputs of $H$ . Thus, the output of $Si m_{H}$ is identically distributed to the view ${View}_{H}^{Π}$ . For the non-linear layers, $Si m_{H}$ generates ${⟨ {\tilde{X}}_{i + 1} ⟩}_{1} \overset{$}{\leftarrow} Z_{2^{ℓ}}$ and runs $Si m_{BM}$ to compute secure multiplication over ${⟨ {\tilde{X}}_{i + 1} ⟩}_{1}$ and ${⟨ X_{i + 1} ⟩}_{0}$ whenever interactions are required. $Si m_{H}$ outputs the simulated shares of activation returned from the secure non-linear layer. $Si m_{H}$ conducts the above computations for every layer. At the end, $Si m_{H}$ outputs the simulated shares of the last layer’s result ${⟨ {\tilde{X}}_{L} ⟩}_{0}$ , ${⟨ {\tilde{X}}_{L} ⟩}_{1}$ . The reconstructed value of these two shares is uniformly distributed in ring $Z_{2^{ℓ}}$ , same as the result from the real-world protocol execution. Therefore, the output of $Si m_{H} (X, W (X))$ is computationally indistinguishable to ${View}_{H}^{Π}$ the view of the corrupted hospital.

Simulator for the corrupted medical service:

In the preprocessing phase of Π, the corrupted medical service $S$ only inputs the secret shares of model $W - A^{1}$ and receives no message. $Si m_{S}$ works in a dummy way by directly outputting the inputs of $S$ $v = a^{1}$ . In this way, the output of $Si m_{S}$ is identically distributed to the view ${View}_{S}^{Π}$ .

In the online phase of Π, $Si m_{S}$ generates and outputs the randomness $r \overset{$}{\leftarrow} Z_{2^{ℓ}}$ to emulate the message $X - u$ (or $\bar{X} - u$ ) in the real-world protocol execution. Given the security of additive secret sharing, $S$ cannot distinguish the emulated message with the one received from real protocol. For the non-linear layers, $Si m_{S}$ generates ${⟨ {\tilde{X}}_{i + 1} ⟩}_{0} \overset{$}{\leftarrow} Z_{2^{ℓ}}$ . Whenever interactions happen in the secure activation function, $Si m_{S}$ runs $Si m_{BM}$ to perform the Beaver’s secure multiplication procedure over ${⟨ {\tilde{X}}_{i + 1} ⟩}_{0}$ and ${⟨ X_{i + 1} ⟩}_{1}$ received from the corrupted medical service $S$ . $Si m_{S}$ outputs the simulated shares of activation outputted from the secure activation function. $Si m_{S}$ conducts the above computations for every layer. Because all simulated intermediate messages are uniformly distributed in $Z_{2^{ℓ}}$ , and given the security of additive secret sharing and Beaver’s secure multiplication procedure, the output of $Si m_{S} (W)$ is computationally indistinguishable to ${View}_{S}^{Π}$ the view of the corrupted medical service.
□

6. Performance evaluation

We implement a proof-of-concept prototype of CryptMed in Java. We deploy our prototype to Australian MASSIVE M3 using m3i computation nodes. Each computation node has 2.7 GHz Intel Xeon Gold 6150 CPU and 384 GB RAM, running CentOS Linux 7 system. In our experiment, we choose to protect the data as additive secret shares in 32-bit ring $Z_{2^{ℓ}}$ . In line with prior secure inference systems [25,47,64], we deploy the computation nodes representing the medical service and the hospital in a dedicated network. For cleartext neural networks implementation and training, we use the Pytorch backend and train our models on a NVIDIA Tesla V100 GPU.

We evaluate CryptMed’s performance in terms of performance and accuracy. To evaluate the performance, we train 78 neural network models based on six architectures (see the Appendix) across 13 different activation functions. These activation functions include the secure comparison-based activations (ReLU, ReLU6, Leaky ReLU, Binary activation), the original smooth activations (tanh, sigmoid, ELU) and the secure smooth activations based on different approximation approaches ( ${tanh}_{PLA}$ , ${tanh}_{SQNL}$ , ${sigmoid}_{CRI}$ , ${sigmoid}_{PLAN 2}$ , ${sigmoid}_{LogSQNL}$ , and ${ELU}_{SQLU}$ ). They are trained over MNIST, CIFAR-10, Breast Cancer, Diabetes, Liver Disease, and Thyroid. The goal of our evaluation is to answer two questions:

Whether CryptMed’s secure inference protocol lightweight?

Is CryptMed practical and accurate for secure medical diagnostic service?

To answer above questions, we evaluate microbenchmarks of CryptMed’s secure layer functions and a series of end-to-end system-level inference performance.

6.1. Microbenchmarks

Secure layer functions. Table 5 summarizes the performance of commonly-used secure layer functions, including a series of secure linear layers (CONV, FC, BN, AvgPool) and the secure non-linear layers ReLU and MaxPool. For demonstration purpose, we set the parameters of the sliding windows as $3 \times 3$ and $5 \times 5$ for the CONV kernels, the pooling window as $2 \times 2$ for the AvgPool and MaxPool, and the $16 \times 16$ vectors for FC. As reported, all secure layers in CryptMed are lightweight and can be efficiently evaluated within 35 ms consuming at most 1 KB bandwidth.

Table 5
Performance of secure layer functions

Secure layer Conv. FC BN ReLU MaxPool AvgPool

$3 \times 3$ $5 \times 5$ $16 \times 16$ $2 \times 2$ $2 \times 2$

Time (ms) 1.25 2.16 8.44 1.74 22.7 31.2 0.05

Comm. (Bytes) 36 100 943 4 78 234 0

Secure layer	Conv.	FC	BN	ReLU	MaxPool	AvgPool
Time (ms)	1.25	2.16	8.44	1.74	22.7	31.2	0.05
Comm. (Bytes)	36	100	943	4	78	234	0

Fig. 7.

Computational overhead of the secure activation functions.

For secure non-linear activation functions, we first investigate their performance in terms of execution time and network consumption, including secure comparison-based activations $ReLU$ , $ReLU 6$ , $LeakyReLU$ , $Binary$ , and secure smooth activations ${tanh}_{PLA}$ , ${tanh}_{SQNL}$ , ${sigmoid}_{PLAN 2}$ , ${sigmoid}_{LogSQNL}$ , ${ELU}_{SQLU}$ . Figures 7 and 8 illustrate the computational and communication overheads of secure comparison-based activations (in respective left figures) and secure smooth activations (in respective right figures). As shown, all secure smooth activations require around $10 \times$ more resources than secure comparison-based activations. Nevertheless, CryptMed’s secure non-linear activation functions can be accomplished within 10 ms for a single execution, as plotted in Fig. 9 by grabbing $10^{4}$ unit executions. In particular, for the secure smooth functions, the SQNL-family based approximations ( ${tanh}_{SQNL}$ , ${sigmoid}_{LogSQNL}$ , ${ELU}_{SQLU}$ ) are relatively lightweight than the PLA based approximations ( ${tanh}_{PLA}$ and ${sigmoid}_{PLAN 2}$ ). In combination with their superior prediction accuracy, as shown later, the SQNL-family based secure smooth activations would be more desirable in practical medical diagnostic applications.

Fig. 8.

Communication overhead of the secure activation functions.

Secure non-linear layers comparison with GC. We compare CryptMed’s secure realizations of the secure ReLU and MaxPool with the common GC-based solutions, since prior works target only on these two non-linear layers. The GC baseline is implemented with FlexSC [77], a Java based two-party GC framework in the semi-honest setting. In our implementation, we adopt the free-XOR and half-AND optimizations for GC. All GC-based realizations are implemented with equivalent functionalities to ours. As Fig. 10 depicts, CryptMed’s realizations are $36 \times$ , $20 \times$ faster then the GC baseline for secure ReLU and MaxPool, respectively. For bandwidth consumption, CryptMed’s secure ReLU and MaxPool achieve respective $394 \times$ , $192 \times$ bandwidth savings compared with the GC baseline. Such improvements demonstrate that CryptMed’s secret sharing based design is indeed lightweight and much more efficient than the prior works relying on GC [47,56,64,65].

Fig. 9.

Unit time of the secure activation functions.

Fig. 10.

Performance comparison of the secure ReLU and MaxPool layers with GC baseline.

Table 6

Prediction workload of NNs over different secure comparison-based activation functions

Dataset	Overhead	Binary	ReLU	ReLU6	LeakyReLU
Breast cancer	time (s)	0.28	0.22	0.35	0.28
Breast cancer	comm. (KB)	8.14	8.64	10.56	8.64
Diabetes	time (s)	0.24	0.39	0.33	0.24
Diabetes	comm. (KB)	40.34	40.97	43.37	40.97
Liver disease	time (s)	0.19	0.19	0.34	0.19
Liver disease	comm. (KB)	8.22	9.22	13.07	9.22
Thyroid	time (s)	0.88	0.94	1.34	0.89
Thyroid	comm. (KB)	110.46	113.59	125.60	113.59
MNIST	time (s)	0.82	0.64	1.41	0.84
MNIST	comm. (MB)	0.91	0.91	0.93	0.91
CIFAR-10	time (s)	423.58	146.9	820.07	436.05
CIFAR-10	comm. (MB)	496.18	498.83	508.98	498.83

Table 7

Prediction workload of NNs over different secure smooth activation functions

Dataset	Overhead	${sigmoid}_{PLAN 2}$	${sigmoid}_{LogSQNL}$	${tanh}_{PLA}$	${tanh}_{SQNL}$	${ELU}_{SQLU}$
Breast cancer	time (s)	0.45	0.45	0.63	0.38	0.45
Breast cancer	comm. (KB)	13.48	13.48	19.83	12.06	13.48
Diabetes	time (s)	0.45	0.45	0.67	0.37	0.45
Diabetes	comm. (KB)	47.02	47.02	54.95	45.24	47.02
Liver disease	time (s)	0.53	0.53	0.89	0.40	0.53
Liver disease	comm. (KB)	18.91	18.91	31.60	16.07	18.91
Thyroid	time (s)	19.37	19.54	30.56	15.39	19.54
Thyroid	comm. (KB)	143.86	143.86	183.51	134.97	143.86
MNIST	time (s)	2.17	2.20	3.61	1.66	2.19
MNIST	comm. (MB)	0.95	0.95	1.00	0.94	0.95
CIFAR-10	time (s)	1336.20	1350.77	2304.31	991.88	1350.39
CIFAR-10	comm. (MB)	524.41	524.41	557.91	516.90	524.41

Table 8

Preprocessing overhead of secure NNs

Overhead	Breast cancer	Diabetes	Liver disease	Thyroid	MNIST	CIFAR-10
Time (s)	0.1	0.03	0.06	0.28	0.07	243
Comm. (MB)	0.003	0.0022	0.018	0.048	0.45	246.4

Table 9

Prediction accuracy of different comparison-based activation functions

Dataset	Binary	ReLU	ReLU6	LeakyReLU
Breast cancer	88.81%	93.0%	93.7%	91.61%
Diabetes	68.75%	71.87%	73.43%	73.43%
Liver disease	71.72%	72.0%	66.89%	71.03%
Thyroid	48.77%	86.31%	86.20%	86.11%
MNIST	75.78%	97%	96.97%	97.57%
CIFAR-10	13.2%	81%	80%	82.68%

Table 10

Prediction accuracy of different approximated smooth activation functions

Dataset	sigmoid family				tanh family			ELU family

	sigmoid	${sigmoid}_{CRI}$	${sigmoid}_{PLAN 2}$	${sigmoid}_{LogSQNL}$	tanh	${tanh}_{PLA}$	${tanh}_{SQNL}$	ELU	${ELU}_{SQLU}$
Breast cancer	92.3%	86.01%	93.01%	95.8%	92.3%	72.02%	93.01%	95.1%	95.8%
Diabetes	68.75%	67.7%	74.47%	72.39%	70.31%	69.79%	70.31%	72.91%	71.87%
Liver disease	71.72%	65.51%	71.72%	71.03%	69.65%	71.03%	69.65%	70.34%	69.65%
Thyroid	81.47%	5.16 ∼ 9.88%	86.55%	85.85%	85.56%	64.2%	85.88%	85.5%	85.88%
MNIST	96.44%	11.35%	91.41%	96.75%	96.03%	38.62%	96.93%	97.58%	97.67%
CIFAR-10	47.87%	10.03%	47.87%	59.08%	76.0%	19.71%	74.19%	81.27%	83.87%

6.2. CryptMed’s protocol performance

Prediction workload. Tables 6 and 7 summarize the end-to-end prediction workload of CryptMed’s system with 9 different activation functions over real-world medical applications and the commonly-used machine learning benchmarks. In summary, CryptMed’s secure NN inference system is lightweight and low-latency over all medical datasets. By using the secure comparison-based activations, CryptMed can produce deep learning based medical conclusions within 1 s consuming less than 130 KB bandwidth for all evaluated medical datasets. For more complex secure smooth activations, CryptMed requires less than 31 s and 200 KB to produce a deep learning based medical conclusion. For the ML benchmarks, CryptMed evaluates MNIST within 4 s and 1 MB network resources. For the CIFAR-10 dataset on a complicated 10 layers NN, CryptMed produces an inference within 14 min, 509 MB using secure comparison-based activations, and 38 min, 558 MB using secure smooth activations. Furthermore, we report the performance of secure preprocessing overhead in Table 8. Note that, the costs of preprocecessing are only related to the NN sizes, i.e., the amount of weights in linear layers (non-linear layers do not produce any weights).

Prediction Accuracy. Tables 9 and 10 demonstrate the prediction accuracy of our system over different activation functions. We note that, for the original smooth activation functions sigmoid, tanh, ELU, and the ${sigmoid}_{CRI}$ used in prior work [58,61], we evaluate their accuracy in cleartext domain. For each family of the smooth functions, we highlight the most precise functions and underline the one facing with gradient vanishing problem. As shown, our proposed approximations do not introduce many losses to prediction accuracy. In particular, some of them from the SQNL-family can even enhance the accuracy. Consider both the evaluation costs and the accuracy, the secure smooth functions based on the SQNL-family would be better suitable for deep learning based medical diagnostic services.

Comparison with prior art. Table 11 compares CryptMed’s end-to-end inference performance with notable prior secure NN inference works. As shown, CryptMed requires the least network resources among all other prior works with up to $413 \times$ bandwidth saving for MNIST and up to $19 \times$ bandwidth saving for CIFAR-10. For the medical applications, CryptMed improves up to $43 \times$ communication over XONN, the notable work investigating medical scenario with smaller quantized NNs and network trimming optimization.

Table 11
Bandwidth (MB) comparison of CryptMed with prior art

MNIST CIFAR-10 Breast cancer Diabetes Liver disease

MiniONN 15.8 MiniONN 9272 XONN 0.35 XONN 0.16 XONN 0.3

CryptoNets 372.2 FALCON 1278

XONN 4.29 XONN 2599

Chameleon 10.5 Chameleon 2650

Gazelle (ReLU) ∼5000

Delphi (ReLU) ∼5100

CryptMed 0.9 CryptMed 498 CryptMed 0.008 CryptMed 0.04 CryptMed 0.009

For the state-of-the-art work Delphi [56], their all ReLU version consumes total 5100 MB, whereas CryptMed only requires 498 MB, with a $10 \times$ enhancement.3

Preprocessing: 243 MB in CryptMed and 4915 MB in Delphi.

Such significant improvement stems from the fact that CryptMed only involves lightweight secret sharing based secure computation through out the whole service procedure. In comparison, Delphi relies on the usages of heavy cryptography, i.e., homomorphic encryption for secure preprocessing and garbled circuits for secure non-linear layers. Regarding the overall runtime, we emphasize that it is not a fair comparison to directly compare the experiment results reported in [56]. The reason is that Delphi is implemented in a different programming language (Rust) with significant optimizations and acceleration from GPU computing. Our evaluation results are not based on such optimizations.

We note that secure evaluation of non-linear layers is the performance bottleneck in secure neural network inference [56]. To support the non-linearity introduced by the original ReLU, Delphi adopts a GC-based realization. For a fair comparison, we have reported in above Fig. 10 the performance of our design and the GC-based realization. The results have validated a significant performance boost of our design over the GC-based realization ( $36 \times$ in runtime and $398 \times$ in communication). Even with a direct (unfair) comparison, CryptMed’s overall inference time, with much simplified implementations, is still comparable to Delphi’s reported runtime ( $147 s$ in CryptMed against $140 s$ in Delphi) which is driven by aforementioned significantly optimized and sophisticated implementations.

7. Conclusion

In this paper, we present CryptMed, a new secure and lightweight NN inference system towards secure intelligent medical diagnostic services. Our protocol fully resorts to the lightweight additive secret sharing techniques, free of heavy cryptographic operations as seen in prior art. The commonly-used non-linear comparison-based and smooth activation functions are well supported in a secure, efficient, and accurate manner. With CryptMed, the privacy of the medical record of the hospital and the NN model of the medical service is provably ensured with practical performance.

Footnotes

Acknowledgments

This work was supported in part by the Australian Research Council (ARC) Discovery Projects (No. DP200103308, No. DP180103251, and No. DP190102835), by the ARC Linkage Project (No. LP160101766), by the HITSZ Start-up Research Grant (No. BA45001023), by the Guangdong Basic and Applied Basic Research Foundation under Grant No. 2021A1515110027, and by the Shenzhen Science and Technology Program under Grant No. RCBS20210609103056041.

More details of model architecture

In this section, we present the detailed model architectures used in our paper (see Tables 12–17).

References

104th United States Congress, Health Insurance Portability and Accountability Act of 1996 (HIPPA), 1996.

Agrawal,

Shahin Shamsabadi,

M.J.

Kusner and

Gascón, QUOTIENT: Two-party secure neural network training and prediction, in: Proc. of ACM CCS, 2019.

Alvarez-Valle,

Bhatu,

Chandran,

Gupta,

Nori,

Rastogi,

Rathee,

Sharma and

Ugare, Secure medical image analysis with cryptflow, arXiv preprint, 2020. arXiv:2012.05064.

Aly and

N.P.

Smart, Benchmarking privacy preserving scientific operations, in: International Conference on Applied Cryptography and Network Security, Springer, 2019, pp. 509–529. doi:10.1007/978-3-030-21568-2_25.

Atallah,

Bykova,

Li,

Frikken and

Topkara, Private collaborative forecasting and benchmarking, in: Proc. of WPES, 2004.

Baldi,

Baronio,

De Cristofaro,

Gasti and

Tsudik, Countering gattaca: Efficient and secure testing of fully-sequenced human genomes, in: Proc. of ACM CCS, 2011.

Barni,

Failla,

Lazzeretti,

A.-R.

Sadeghi and

Schneider, Privacy-preserving ECG classification with branching programs and neural networks, IEEE Trans. on Information Forensics and Security (2011).

Beaver, Efficient multiparty protocols using circuit randomization, in: Proc. of Crypto, 1991.

Boemer,

Cammarota,

Demmler,

Schneider and

Yalame, MP2ML: A mixed-protocol machine learning framework for private inference, in: Proceedings of the 15th International Conference on Availability, Reliability and Security, 2020, pp. 1–10.

10.

Bost,

R.A.

Popa,

Tu and

Goldwasser, Machine learning classification over encrypted data, Cryptology ePrint Archive (2014).

11.

Bourse,

Minelli,

Minihold and

Paillier, Fast homomorphic evaluation of deep discretized neural networks, in: Annual International Cryptology Conference, Springer, 2018, pp. 483–512.

12.

Brutzkus,

Gilad-Bachrach and

Elisha, Low latency privacy preserving inference, in: International Conference on Machine Learning, PMLR, 2019, pp. 812–821.

13.

Byali,

Chaudhari,

Patra and

Suresh, FLASH: Fast and robust framework for privacy-preserving machine learning, Proc. Priv. Enhancing Technol.2020(2) (2020), 459–480. doi:10.2478/popets-2020-0036.

14.

Check Hayden, Extreme cryptography paves way to personalized medicine, Nature News519(7544) (2015), 400. doi:10.1038/519400a.

15.

Chen,

Zhang,

He,

Qiao,

Chen,

Shi,

E.X.

Wu and

Tang, Prostate segmentation using 2D bridged U-net, in: 2019 International Joint Conference on Neural Networks (IJCNN), IEEE, 2019, pp. 1–7.

16.

Cho,

D.J.

Wu and

Berger, Secure genome-wide association analysis using multiparty computation, Nature Biotechnology36(6) (2018), 547–551. doi:10.1038/nbt.4108.

17.

Clevert,

Unterthiner and

Hochreiter, Fast and accurate deep network learning by exponential linear units (ELUs), in: 4th International Conference on Learning Representations, ICLR 2016, San Juan, Puerto Rico, May 2–4, 2016, Conference Track Proceedings, 2016.

18.

Dahl,

Mancuso,

Dupis,

Decoste,

Giraud,

Livingstone,

Patriquin and

Uhma, Private machine learning in tensorflow using secure computation, arXiv preprint, 2018. arXiv:1810.08130.

19.

A.P.

Dalskov,

Escudero and

Keller, Secure evaluation of quantized neural networks, Proc. Priv. Enhancing Technol.2020(4) (2020), 355–375. doi:10.2478/popets-2020-0077.

20.

DasGupta and

Schnitger, The power of approximation: A comparison of activation functions, in: NIPS, Denver, CO, 1992, pp. 615–622.

21.

De Cock,

Dowsley,

A.C.

Nascimento,

Railsback,

Shen and

Todoki, High performance logistic regression for privacy-preserving genome analysis, BMC Medical Genomics14(1) (2021), 1–18. doi:10.1186/1755-8794-3-1.

22.

Demmler,

Schneider and

Zohner, ABY – A framework for efficient mixed-protocol secure two-party computation, in: Proc. of NDSS, 2015.

23.

European Parliament and the Council, The General Data Protection Regulation (GDPR), 2016.

24.

Fredrikson,

Jha and

Ristenpart, Model inversion attacks that exploit confidence information and basic countermeasures, in: Proc. of ACM CCS, 2015.

25.

Gilad-Bachrach,

Dowlin,

Laine,

Lauter,

Naehrig and

Wernsing, Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy, in: Proc. of ICML, 2016.

26.

Goldreich,

Micali and

Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in: Proc. of STOC, 1987.

27.

Google DeepMind Health, 2020, https://deepmind.com/blog/announcements/deepmind-health-joins-google-health.

28.

Harris, A taxonomy of parallel prefix networks, in: The Thrity-Seventh Asilomar Conference on Signals, Systems & Computers, 2003, Vol. 2, IEEE, 2003, pp. 2213–2217.

29.

Hie,

Cho and

Berger, Realizing private and practical pharmacological collaboration, Science362(6412) (2018), 347–350. doi:10.1126/science.aat4807.

30.

Hornik, Approximation capabilities of multilayer feedforward networks, Neural networks4(2) (1991), 251–257. doi:10.1016/0893-6080(91)90009-T.

31.

Hornik,

Stinchcombe and

White, Multilayer feedforward networks are universal approximators, Neural networks2(5) (1989), 359–366. doi:10.1016/0893-6080(89)90020-8.

32.

Hu,

Zhang,

Li,

Hu and

Yu, Secure nonlocal denoising in outsourced images, ACM Transactions on Multimedia Computing, Communications, and Applications (TOMM)12(3) (2016), 1–23.

33.

Huang,

Malka,

Evans and

Katz, Efficient privacy-preserving biometric identification, in: Proc. of NDSS, 2011.

34.

Jacobi,

Chung,

Bernheim and

Eber, Portable chest X-ray in coronavirus disease-19 (COVID-19): A pictorial review, Clinical Imaging (2020).

35.

K.A.

Jagadeesh,

D.J.

Wu,

J.A.

Birgmeier,

Boneh and

Bejerano, Deriving genomic diagnoses without revealing patient genomes, Science357(6352) (2017), 692–695. doi:10.1126/science.aam9710.

36.

Jha,

Kruger and

Shmatikov, Towards practical privacy for genomic computation, in: 2008 IEEE Symposium on Security and Privacy (SP 2008), IEEE, 2008, pp. 216–230. doi:10.1109/SP.2008.34.

37.

Juvekar,

Vaikuntanathan and

Chandrakasan, GAZELLE: A low latency framework for secure neural network inference, in: Proc. of 27th USENIX Security, 2018.

38.

Kaissis,

Ziller,

Passerat-Palmbach,

Ryffel,

Usynin,

Trask,

Lima,

Mancuso,

Jungmann,

M.-M.

Steinbornet al., End-to-end privacy preserving deep learning on multi-institutional medical imaging, Nature Machine Intelligence3(6) (2021), 473–484. doi:10.1038/s42256-021-00337-8.

39.

G.A.

Kaissis,

M.R.

Makowski,

Rückert and

R.F.

Braren, Secure, privacy-preserving and federated machine learning in medical imaging, Nature Machine Intelligence2(6) (2020), 305–311. doi:10.1038/s42256-020-0186-1.

40.

Keller, MP-SPDZ: A versatile framework for multi-party computation, in: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020, pp. 1575–1590. doi:10.1145/3372297.3417872.

41.

Kumar,

Rathee,

Chandran,

Gupta,

Rastogi and

Sharma, Cryptflow: Secure tensorflow inference, in: 2020 IEEE Symposium on Security and Privacy (SP), IEEE, 2020, pp. 336–353. doi:10.1109/SP40000.2020.00092.

42.

Leshno,

V.Y.

Lin,

Pinkus and

Schocken, Multilayer feedforward networks with a nonpolynomial activation function can approximate any function, Neural networks6(6) (1993), 861–867. doi:10.1016/S0893-6080(05)80131-5.

43.

Li,

Xue,

Zhu,

Ding,

Gao,

Wei and

Wan, FALCON: A Fourier transform based approach for fast and secure convolutional neural network predictions, in: Proc. of IEEE/CVF CVPR, 2020.

44.

Li,

Milletarì,

Xu,

Rieke,

Hancox,

Zhu,

Baust,

Cheng,

Ourselin,

M.J.

Cardosoet al., Privacy-preserving federated brain tumour segmentation, in: International Workshop on Machine Learning in Medical Imaging, Springer, 2019, pp. 133–141. doi:10.1007/978-3-030-32692-0_16.

45.

Li,

Gu,

Dvornek,

L.H.

Staib,

Ventola and

J.S.

Duncan, Multi-site fMRI analysis using privacy-preserving federated learning and domain adaptation: ABIDE results, Medical Image Analysis65 (2020), 101765. doi:10.1016/j.media.2020.101765.

46.

C.-W.

Lin and

J.-S.

Wang, A digital circuit design of hyperbolic tangent sigmoid function for neural networks, in: 2008 IEEE International Symposium on Circuits and Systems, IEEE, 2008, pp. 856–859.

47.

Liu,

Juuti,

Lu and

Asokan, Oblivious neural network predictions via minionn transformations, in: Proc. of ACM CCS, 2017.

48.

Liu,

Wu,

Yuan and

Yi, Leia: A lightweight cryptographic neural network inference system at the edge, IEEE Transactions on Information Forensics and Security17 (2022), 237–252. doi:10.1109/TIFS.2021.3138611.

49.

Liu and

Yi, Privacy-preserving collaborative medical time series analysis based on dynamic time warping, in: European Symposium on Research in Computer Security, Springer, 2019, pp. 439–460.

50.

Liu,

Zheng,

Yi and

Nepal, Privacy-preserving collaborative analytics on medical time series data, IEEE Transactions on Dependable and Secure Computing19(3) (2022), 1687–1702. doi:10.1109/TDSC.2020.3035592.

51.

Liu,

Zheng,

Yuan and

Yi, MediSC: Towards secure and lightweight deep learning as a medical diagnostic service, in: European Symposium on Research in Computer Security, Springer, 2021, pp. 519–541.

52.

Lou and

Jiang, SHE: A fast and accurate deep neural network for encrypted data, in: Proc. of NeurIPS, 2019, pp. 10035–10043.

53.

Lou,

W.-J.

Lu,

Hong and

Jiang, Falcon: Fast spectral inference on encrypted data, Proc. of NeurIPS33 (2020).

54.

M.Y.

Lu,

R.J.

Chen,

Kong,

Lipkova,

Singh,

D.F.

Williamson,

T.Y.

Chen and

Mahmood, Federated learning for computational pathology on gigapixel whole slide images, Medical image analysis76 (2022), 102298. doi:10.1016/j.media.2021.102298.

55.

Microsoft Project InnerEye, 2020, https://www.microsoft.com/en-us/research/project/medical-image-analysis/.

56.

Mishra,

Lehmkuhl,

Srinivasan,

Zheng and

R.A.

Popa, DELPHI: A cryptographic inference service for neural networks, in: USENIX Security Symposium, 2020.

57.

Mohassel and

Rindal, ABY3: A mixed protocol framework for machine learning, in: Proc. of ACM CCS, 2018.

58.

Mohassel and

Zhang, SecureML: A system for scalable privacy-preserving machine learning, in: Proc. of IEEE S&P, 2017.

59.

Nikolaenko,

Weinsberg,

Ioannidis,

Joye,

Boneh and

Taft, Privacy-preserving ridge regression on hundreds of millions of records, in: Proc. of IEEE S&P, 2013.

60.

PathAI, 2020, https://www.pathai.com/.

61.

Patra,

Schneider,

Suresh and

Yalame, ABY2.0: Improved mixed-protocol secure two-party computation, in: 30th {USENIX} Security Symposium ({USENIX} Security 21), 2021.

62.

Rachuri and

Suresh, Trident: Efficient 4PC framework for privacy preserving machine learning, 2020.

63.

Rathee,

R.K.K.

Goli,

Gupta,

Sharma,

Chandran and

Rastogi, SiRnn: A math library for secure RNN inference, in: IEEE Symposium on Security and Privacy, IEEE, 2021, pp. 1003–1020.

64.

M.S.

Riazi,

Samragh,

Chen,

Laine,

Lauter and

Koushanfar, XONN: XNOR-based oblivious deep neural network inference, in: Proc. of 28th USENIX Security, 2019.

65.

M.S.

Riazi,

Weinert,

Tkachenko,

E.M.

Songhori,

Schneider and

Koushanfar, Chameleon: A hybrid secure computation framework for machine learning applications, in: Proc. of AsiaCCS, 2018.

66.

B.D.

Rouhani,

M.S.

Riazi and

Koushanfar, Deepsecure: Scalable provably-secure deep learning, in: Proceedings of the 55th Annual Design Automation Conference, 2018, pp. 1–6.

67.

Ryffel,

Trask,

Dahl,

Wagner,

Mancuso,

Rueckert and

Passerat-Palmbach, A generic framework for privacy preserving deep learning, arXiv preprint, 2018. arXiv:1811.04017.

68.

A.-R.

Sadeghi and

Schneider, Generalized universal circuits for secure evaluation of private functions with application to data classification, in: International Conference on Information Security and Cryptology, Springer, 2008, pp. 336–353.

69.

Salem,

Berrang,

Humbert and

Backes, Privacy-preserving similar patient queries for combined biomedical data, Proc. of PETS (2019).

70.

Sanyal,

Kusner,

Gascon and

Kanade, TAPAS: Tricks to accelerate (encrypted) prediction as a service, in: International Conference on Machine Learning, PMLR, 2018, pp. 4490–4499.

71.

M.J.

Sheller,

G.A.

Reina,

Edwards,

Martin and

Bakas, Multi-institutional deep learning modeling without sharing patient data: A feasibility study on brain tumor segmentation, in: International MICCAI Brainlesion Workshop, Springer, 2018, pp. 92–104.

72.

Tkachenko,

Weinert,

Schneider and

Hamacher, Large-scale privacy-preserving statistical computations for distributed genome-wide association studies, in: Proc. of ACM AsiaCCS, 2018.

73.

Tommiska, Efficient digital implementation of the sigmoid function for reprogrammable logic, IEE Proceedings-Computers and Digital Techniques150(6) (2003), 403–411. doi:10.1049/ip-cdt:20030965.

74.

Tsmots,

Skorokhoda and

Rabyk, Hardware implementation of sigmoid activation functions using FPGA, in: 2019 IEEE 15th International Conference on the Experience of Designing and Application of CAD Systems (CADSM), IEEE, 2019, pp. 34–38. doi:10.1109/CADSM.2019.8779253.

75.

Wagh,

Gupta and

Chandran, Securenn: 3-party secure computation for neural network training, Proc. of PETS (2019).

76.

Wagh,

Tople,

Benhamouda,

Kushilevitz,

Mittal and

Rabin, Falcon: Honest-majority maliciously secure framework for private deep learning, arXiv preprint, 2020. arXiv:2004.02229.

77.

Wang, FlexSC, 2018, https://github.com/wangxiao1254/FlexSC.

78.

X.S.

Wang,

Huang,

Zhao,

Tang,

Wang and

Bu, Efficient genome-wide, privacy-preserving similar patient query based on private edit distance, in: Proc. of ACM CCS, 2015.

79.

Wuraola and

Patel, SQNL: A new computationally efficient activation function, in: 2018 International Joint Conference on Neural Networks (IJCNN), IEEE, 2018, pp. 1–7.

80.

Wuraola,

Patel and

S.K.

Nguang, Efficient activation functions for embedded inference engines, Neurocomputing442 (2021), 73–88. doi:10.1016/j.neucom.2021.02.030.

81.

Xie,

Wu and

Sun, BAYHENN: Combining Bayesian deep learning and homomorphic encryption for secure DNN inference, in: Proc. of IJCAI, 2019, pp. 4831–4837.

82.

Yu,

Liu,

Pu,

M.E.

Gursoy and

Truex, Differentially private model publishing for deep learning, in: Proc. of S&P, IEEE, 2019.

83.

Zhang,

Wang,

Wu,

Xin and

T.V.

Phuong, GELU-net: A globally encrypted, locally unencrypted deep neural network for privacy-preserved learning, in: Proc. of IJCAI, 2018, pp. 3933–3939.

84.

Zheng,

Popa,

J.E.

Gonzalez and

Stoica, Helen: Maliciously secure coopetitive learning for linear models, in: Proc. of IEEE S&P, 2019.

85.

Zheng,

Cui,

Wang and

Zhou, Privacy-preserving image denoising from external cloud databases, IEEE Transactions on Information Forensics and Security12(6) (2017), 1285–1298. doi:10.1109/TIFS.2017.2656824.

86.

Zheng,

Duan,

Tang,

Wang and

Zhou, Denoising in the dark: Privacy-preserving deep neural network-based image denoising, IEEE Transactions on Dependable and Secure Computing18(3) (2019), 1261–1275. doi:10.1109/TDSC.2019.2907081.

87.

Zheng,

Duan and

Wang, Towards secure and efficient outsourcing of machine learning classification, in: Proc. of ESORICS, Springer, 2019.

88.

Zheng,

Wang and

Zhou, Toward secure image denoising: A machine learning based realization, in: 2018 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), IEEE, 2018, pp. 6936–6940. doi:10.1109/ICASSP.2018.8462073.

89.

Ziller,

Trask,

Lopardo,

Szymkow,

Wagner,

Bluemke,

J.-M.

Nounahon,

Passerat-Palmbach,

Prakash,

Roseet al., PySyft: A library for easy federated learning, in: Federated Learning Systems, Springer, 2021, pp. 111–139. doi:10.1007/978-3-030-70604-3_5.

Deep learning-based medical diagnostic services: A secure,lightweight,and accurate realization 1

Abstract

Keywords

1. Introduction

2. Related works

Table 1 Limitations of prior secure neural network inference systems and comparison with our systems

4.1. Architecture

5. Our proposed design

5.1. Secure linear layers

5.3.1. Secure ReLU activation function

5.3.2. Secure ReLU6 activation function

5.3.3. Secure leaky ReLU function

5.3.4. Secure binary activation function

5.4. Secure smooth activation functions

5.4.1. Secure tanh function

Table 4 Vanishing gradient problem of the sigmoid CRI approximation sigmoid sigmoid CRI sigmoid PLAN 2 sigmoid LogSQNL Thyroid 81.47% 5.16 ∼ 9.88% 86.55% 85.85% MNIST 96.44% 11.35% 91.41% 96.75% CIFAR-10 47.87% 10.03% 47.87% 59.08%

5.6. Security analysis

6.1. Microbenchmarks

Table 5 Performance of secure layer functions Secure layer Conv. FC BN ReLU MaxPool AvgPool 3 × 3 5 × 5 16 × 16 2 × 2 2 × 2 Time (ms) 1.25 2.16 8.44 1.74 22.7 31.2 0.05 Comm. (Bytes) 36 100 943 4 78 234 0

Footnotes

Acknowledgments

More details of model architecture

References

Table 1
Limitations of prior secure neural network inference systems and comparison with our systems

Table 4
Vanishing gradient problem of the ${sigmoid}_{CRI}$ approximation

sigmoid ${sigmoid}_{CRI}$ ${sigmoid}_{PLAN 2}$ ${sigmoid}_{LogSQNL}$

Thyroid 81.47% 5.16 ∼ 9.88% 86.55% 85.85%

MNIST 96.44% 11.35% 91.41% 96.75%

CIFAR-10 47.87% 10.03% 47.87% 59.08%

Table 5
Performance of secure layer functions

Secure layer Conv. FC BN ReLU MaxPool AvgPool

$3 \times 3$ $5 \times 5$ $16 \times 16$ $2 \times 2$ $2 \times 2$

Time (ms) 1.25 2.16 8.44 1.74 22.7 31.2 0.05

Comm. (Bytes) 36 100 943 4 78 234 0