MOBIUS: Model-Oblivious Binarized Neural Networks

A privacy-preserving framework in which a computational resource provider receives encrypted data from a client and returns prediction results without decrypting the data, i.e., oblivious neural network or encrypted prediction, has been studied in machine learning. In this work, we introduce and explore a new problem called the model-oblivious problem, where a trainer can delegate a protected model to a resource provider without revealing the original model itself to the resource provider. The resource provider can then offer prediction on a client's input data, which is additionally kept private from the resource provider. To solve this problem, we present MOBIUS (Model-Oblivious BInary neUral networkS), a new system that combines Binarized Neural Networks (BNNs) and secure computation based on secret sharing as tools for scalable and fast privacy-preserving machine learning. BNNs improve computational performance by binarizing values in training to -1 and +1, while secure computation based on secret sharing provides fast and various computations under encrypted forms via modulo operations with a short bit length. However, combining these tools is not trivial because their operations have different algebraic structures. MOBIUS uses improved procedures of BNNs and secure computation that have compatible algebraic structures without downgrading prediction accuracy. We present an implementation of MOBIUS in C++ using the ABY library (NDSS 2015). Then, we conduct experiments using several datasets, including the MNIST, Cancer, and Diabetes datasets, and the results show that MOBIUS outperforms SecureML (IEEE S&P 2017), which is the only other work that can potentially tackle the model-oblivious problem, in terms of both accuracy and computational time. Compared with TAPAS (ICML 2018) as a state-of-the-art BNN-based system, MOBIUS is three orders of magnitude faster without downgrading the accuracy despite solving the model-oblivious problem.