VerifyML: Obliviously Checking Model Fairness Resilient to Malicious Model Holder

We consider a secure ML inference scenario, where a model holder $P_{0}$ and a client $P_{1}$ interact with each other to evaluate the fairness of the target model. In such a model holder-malicious threat model, $P_{0}$ holds the model $\mathbf{M}$ while the client owns the private test set used to verify the fairness of the model. The client is generally considered to be semi-honest, that is, it follows the protocol’s specifications in the interaction process for evaluating the fairness of the model unbiased. However, it is possible to infer model parameters by passively analyzing data streams captured during interactions. The model holder is malicious. It may arbitrarily violate the specification of the protocol to trick clients into believing that they hold a high-fairness model. The network architecture is assumed to be known to both $P_{0}$ and $P_{1}$. VerifyML aims to construct such a secure inference framework that enables $P_{1}$ to correctly evaluate the fairness of model without knowing any details of the model parameters, meanwhile, $P_{0}$ knows nothing about the client’s input. We provide a formal definition of the threat model in Appendix A.

We use $\lambda$ and $\sigma$ to denote the computational security parameter and the statistical security parameter, respectively. $[k]$ represents the set $\{1,2,\cdots k\}$ for $k>0$. In our VerifyML, all the arithmetic operations are calculated in the field $\mathbb{F}_{p}$, where $p$ is a a prime and we define $\kappa=\lceil\log p\rceil$. This means that there is a natural mapping for elements in $\mathbb{F}_{p}$ to $\{0,1\}^{\kappa}$. For example, $a[i]$ indicates the $i$-th bit of $a$ on this mapping, i.e, $a=\sum_{i\in[\kappa]}a[i]\cdot 2^{i-1}$. Given two vectors $\mathbf{a}$ and $\mathbf{b}$, and an element $\alpha\in\mathbb{F}_{p}$, $\mathbf{a}+\mathbf{b}$ indicates the element-wise addition, $\alpha+\mathbf{a}$ and $\alpha\mathbf{a}$ mean that each component of $\mathbf{a}$ performs addition and multiplication with $\alpha$, respectively. $\mathbf{a}\ast\mathbf{b}$ represents the inner production between vectors $\mathbf{a}$ and $\mathbf{b}$. Similarly, given any function $f:\mathbb{F}_{p}\rightarrow\mathbb{F}_{p}$, $f(\mathbf{a})$ denotes evaluation of $f$ on each component on $\mathbf{a}$. $a||b$ represents the concatenation of $a$ and $b$. $U_{n}$ is used to represent the uniform distribution on the set $\{0,1\}^{n}$ for any $n>0$.

For ease of exposition, we consider an ML model, usually a neural network model $\mathbf{M}$, consisting of alternating linear and nonlinear layers. We assume that the specification of the linear layer is $\mathbf{L}_{1},\cdots\mathbf{L}_{m}$ and the non-linear layer is $f_{1},\cdots,f_{m-1}$. Given an initial input (i.e. query) $\mathbf{x}_{0}$, the model holder will sequentially execute $\mathbf{v}_{i}=\mathbf{L}_{i}\mathbf{x}_{i-1}$ and $\mathbf{x}_{i}=f_{i}(\mathbf{v}_{i})$. Finally, $\mathbf{M}$ outputs the inference result $\mathbf{v}_{m}=\mathbf{L}_{m}\mathbf{x}_{m-1}=\mathbf{M}(\mathbf{x}_{0})$.

Let $\mathcal{X}$ be the set of possible inputs and $\mathcal{Y}$ be the set of all possible labels. In addition, let $\mathcal{O}$ be a finite set related to fairness (e.g., ethnic group). We assume that $\mathcal{X}\times\mathcal{Y}\times\mathcal{O}$ is drawn from a probability space $\Omega$ with an unknown distribution $\mathcal{D}$, and use $\mathbf{M}(\mathbf{x})$ to denote the model inference result given an input $\mathbf{x}$. Based on these, we review the term of the empirical fairness gap (EFG) [38], which is widely used to measure the fairness of ML models against a specific group. To formalize the formulation of EFG, we first describe the definition of conditional risk as follows:

Given a set of samples $(\mathbf{x},y,o^{\prime})$ satisfying distribution $\mathcal{D}$, $\digamma_{o}(\mathbf{M})$ is the expectation of the number of misclassified entries in the test set that belong to group $o$, where $\mathbb{I}\{\Phi\}$ represents the indicator function with a predicate $\Phi$. Given an independent sample set $\Psi=\{(\mathbf{x}^{(1)},y^{(1)},o^{(1)}),\cdots,(\mathbf{x}^{(t)},y^{(t)},o^{(t)})\}$$\sim$ $\mathcal{D}^{t}$, the empirical conditional risk is defined as follows:

where $t_{o}$ indicates the number of samples in $\Psi$ from group $o$. Then, we describe the term fairness gap (FG), which is used to measure the maximum margin of any two groups, specifically,

Likewise, the empirical fairness gap (EFG) is defined as

Lastly, we say a ML model $\mathbf{M}$ is $\epsilon$-fair on $(\mathcal{O},\mathcal{D})$, if its fairness gap is smaller than $\epsilon$ with confidence $1-\delta$. Formally, a $\epsilon$-fair $\mathbf{M}$ is defined as satisfying the following conditions:

In practice, we usually replace FG in Eqn.5 with EFG to facilitate the measurement of fairness. Note that once the client gets enough predictions in the target model, it can locally evaluate the fairness of the model according to Eqn.5.

Let the plaintext space be $\mathbb{F}_{p}$, informally, a Fully homomorphic encryption (FHE) under the public key encryption system usually contains the following algorithms:

• $\bullet$

  $\mathtt{KeyGen}(1^{\lambda})\rightarrow(pk,sk)$. Taking the security parameter $\lambda$ as input, $\mathtt{KeyGen}$ is a random algorithm used to output the public key $pk$ and the corresponding secret key $sk$ required for homomorphic encryption.

• $\bullet$

  $\mathtt{Enc}(pk,x)\rightarrow c$. Given $pk$ and a plaintext $x\in\mathbb{F}_{p}$, the algorithm $\mathtt{Enc}$ outputs a ciphertext $c$ encrypting $x$.

• $\bullet$

  $\mathtt{Dec}(sk,c)\rightarrow x$. Taking $sk$ and a ciphertext $c$ as input, $\mathtt{Dec}$ decrypts $c$ and outputs the corresponding plaintext $x$.

• $\bullet$

  $\mathtt{Eval}(pk,c_{1},c_{2},F)\rightarrow c^{\prime}$. Given $pk$, two ciphertexts $c_{1}$ and $c_{2}$, and a function $F$, the algorithm $\mathtt{Eval}$ outputs a ciphertext $c^{\prime}$ encrypting $F(c_{1},c_{2})$.

We require FHE to satisfy correctness, semantic security, and functional privacy¹¹1Functional privacy ensures that given a ciphertext $c$, which is an encrypted share of $F(x_{1},x_{2})$ obtained by homomorphically evaluating $L$, $c$ is indistinguishable from ciphertext $c^{\prime}$ encrypting a share of $F^{\prime}(x_{1},x_{2})$ for any $F^{\prime}$. . In VerifyML, we use the SEAL library [37] to implement the fully homomorphic encryption. In addition, we utilize ciphertext packing technology (CPT) [39] to encrypt multiple plaintexts into a single ciphertext, thus enabling homomorphic computation in a SIMD manner. Specifically, given two plaintext vectors $\mathbf{x}=(x_{1},\cdots,x_{n})$ and $\mathbf{x^{\prime}}=(x_{1}^{\prime},\cdots,x_{n}^{\prime})$, we can pack $\mathbf{x}$ and $\mathbf{x}^{\prime}$ into ciphertexts $c$ and $c^{\prime}$ each of them containing $n$ plaintext slots. Homomorphic operations between $c$ and $c^{\prime}$ including addition and multiplication are equivalent to performing the same element-wise operations on the corresponding plaintext slots.

FHE also provides algorithm $\mathtt{Rotation}$ to handle operations between data located in different plaintext slots. Informally, given a plaintext vector $\mathbf{x}=(x_{0},\cdots,x_{n})$ is encrypted into a single ciphertext $c$, $\mathtt{Rotation}(pk,c,j)$ transforms $c$ into another ciphertext $c^{\prime}$ whose encrypted plaintext vector is $x^{\prime}=(x_{j+1},x_{j+2},\cdots,x_{1},\cdots,x_{j})$. In this way, data on different plaintext slots can be moved to the same position to achieve element-wise operations under ciphertext. In FHE, rotation operations are computational expensive compared to homomorphic addition and multiplication operations. Therefore, the optimization criterion for homomorphic SIMD operations is to minimize the number of rotation operations.

We review the parallel homomorphic multiplication method between arbitrary matrices proposed by Jiang et al.[17], which will be used to accelerate the generation of authenticated triples for convolution in VerifyML. We take the homomorphic multiplication of two $d\times d$ dimensional matrices as an example. Specifically, given a $d\times d$ dimensional matrix $\mathbf{X}={(x_{i,j})}_{0\leq i,j<d}$, we first define four useful permutations, $\sigma$, $\tau$, $\phi$, and $\varphi$, over the field $\mathbb{F}_{p}^{d\times d}$. Let $\sigma(\mathbf{X})_{i,j}=\mathbf{X}_{i,i+j}$, $\tau(\mathbf{X})_{i,j}=\mathbf{X}_{i+j,j}$, $\phi(\mathbf{X})_{i,j}=\mathbf{X}_{i,j+1}$ and $\varphi(\mathbf{X})_{i,j}=\mathbf{X}_{i+1,j}$. Then for two square matrices $\mathbf{X}$ and $\mathbf{Y}$ of order $d$, we can calculate the matrix multiplication between the two by the following formula:

where $\odot$ denotes the element-wise multiplication. We provide a toy example of the multiplication of two $3\times 3$ matrices in Figure 1 for ease of understanding.

We can convert a $d\times d$-dimensional matrix to a vector of length $d^{2}$ by encoding map $\mathbb{F}_{p}^{d^{2}}\rightarrow\mathbb{F}_{p}^{d\times d}$: $\mathbf{x}=(x_{0},\cdots,x_{d^{2}-1})\mapsto\mathbf{X}={(x_{d\cdot i+j})}_{0\leq i,j<d}$. A ciphertext is said to encrypt a matrix $\mathbf{X}$ if it encrypts the corresponding plaintext vector $\mathbf{x}$. Therefore, given two square matrices $\mathbf{X}$ and $\mathbf{X}$, the multiplication of the two under the ciphertext is calculated as follows:

In the following sections, we will use $\mathbf{c}_{\mathbf{X}}\circledast\mathbf{c}_{\mathbf{Y}}$ to represents multiplication between any matrixes $\mathbf{X}$ and $\mathbf{Y}$ in ciphertext. $\boxtimes$ denotes the elewent-wise homomorphic multiplication between two ciphertexts. In Section 4.1.2, we describe how to utilize the parallel homomorphic multiplication described above to boost the generation of authenticated convolution triples.

• $\bullet$

  Additive Secret Sharing. Given any $x\in\mathbb{F}_{p}$, a 2-out-of-2 additive secret sharing of $x$ is a pair $(\left\langle x\right\rangle_{0},\left\langle x\right\rangle_{1})=(x-r,r)\in\mathbb{F}_{p}^{2}$, where $r$ is a random value uniformly selected from $\mathbb{F}_{p}$, and $x=\left\langle x\right\rangle_{0}+\left\langle x\right\rangle_{1}$. Additive secret sharing is perfectly hiding, that is, given a share $\left\langle x\right\rangle_{0}$ or $\left\langle x\right\rangle_{1}$, $x$ is perfectly hidden.

• $\bullet$

  Authenticated Shares. Given a random value $\alpha$ (known as the MAC key) uniformly chosen from $\mathbb{F}_{p}$, for any $x\in\mathbb{F}_{p}$, the authenticated shares of $x$ on $\alpha$ denote that each party $P_{b}$ holds $[\![x]\!]_{b}=\{\langle\alpha\rangle_{b},\langle x\rangle_{b},\langle\alpha x\rangle_{b}\}_{b\in\{0,1\}}$²²2Sometimes in $[\![x]\!]_{b}$ we omit $\langle\alpha\rangle_{b}$ for brevity., where we have $(\langle\alpha\rangle_{0}+\langle\alpha\rangle_{1})\times(\langle x\rangle_{0}+\langle x\rangle_{1})=(\langle\alpha x\rangle_{0}+\langle\alpha x\rangle_{1})$. While in the general malicious 2PC setting, $\alpha$ should be generated randomly through interactions between all parties, in our model holder-malicious model, $\alpha$ can be picked up by $P_{1}$ and secretly shared with $P_{0}$. Authenticated sharing provides $\lfloor\log p\rfloor$ bits of statistical security. Informally, if a malicious $P_{0}$ tries to forge the shared $x$ to be $x+\beta$, by tampering with its shares $(\langle x\rangle_{0},\langle\alpha x\rangle_{0})$ to $(\langle x\rangle_{0}+\beta,\langle\alpha x\rangle_{0}+\beta^{\prime})$, for non-zero $\{\beta,\beta^{\prime}\}$, the probability of parties being authenticated to hold the share of $x+\beta$ (i.e., $\alpha x+\beta^{\prime}=\alpha(x+\beta)$) is at most $2^{-\lfloor\log p\rfloor}$.

In VerifyML, we require the technique of authenticated Beaver’s triples to detect possible breaches of the protocol from the malicious model holder. In more detail, authenticated Beaver’s multiplication triple is denoted that each $P_{b}$ holds a tuple $\{[\![x]\!]_{b},[\![y]\!]_{b},[\![z]\!]_{b}\}_{b\in\{0,1\}}$, where $x$, $y$, $z\in\mathbb{F}_{p}$, and satisfy $xy=z$. Giving $P_{0}$ and $P_{1}$ holding authenticated shares of $c$ and $d$, i.e., ($[\![c]\!]_{0}$, $[\![d]\!]_{0}$), ($[\![c]\!]_{1}$, $[\![d]\!]_{1}$), respectively, to compute the authenticated share of the product of $c$ and $d$, the parties first reveal $c-x$ and $d-y$, and then each party $P_{b}$ locally computes the authenticated share of $[\![e=c\cdot d]\!]_{b}$ as follows:

Authenticated Beaver’s multiplication triple is independent of the user’s input in the actual execution of the secure computing protocol, thus can be generated offline (see Section 4) to speed up the performance of online secure multiplication computations. Inspired by existing work to construct custom triples for specific mathematical operations [30] for improving performance, we generalize traditional Beaver’s triples to matrix-vector multiplication and convolution domains. We provide the definitions of matrix-vector and convolution triples below and leave the description of generating them to Section 4.

• $\bullet$

  Authenticated Matrix-Vector triples: is denoted that each $P_{b}$ holds a tuple $\{[\![\mathbf{X}]\!]_{b},[\![\mathbf{y}]\!]_{b},[\![\mathbf{z}]\!]_{b}\}_{b\in\{0,1\}}$, where $\mathbf{X}$ is a matrix uniformly chosen from $\mathbb{F}_{p}^{d_{1}\times d_{2}}$, $\mathbf{y}$ represents a vector selected from $\mathbb{F}_{p}^{d_{2}}$, and $\mathbf{z}\in\mathbb{F}_{p}^{d_{1}}$ satisfying $\mathbf{X}\ast\mathbf{y}=\mathbf{z}$, where $d_{1}$ and $d_{2}$ are determined depending on the ML model architecture.

• $\bullet$

  Authenticated Convolution triples (aka matrix multiplication triples³³3We can reduce the convolution operation to matrix multiplication by transforming the inputs of convolution appropriately. We provide a detailed description in Section 4.): is denoted that each $P_{b}$ holds a tuple $\{[\![\mathbf{X}]\!]_{b},[\![\mathbf{Y}]\!]_{b},[\![\mathbf{Z}]\!]_{b}\}_{b\in\{0,1\}}$, where $\mathbf{X}$ and $\mathbf{Y}$ are tensors uniformly chosen from $\mathbb{F}_{p}^{u_{w}\times u_{h}\times c_{i}}$ and $\mathbb{F}_{p}^{(2l+1)\times(2l+1)\times c_{i}\times c_{o}}$, respectively. $\mathbf{Z}\in\mathbb{F}_{p}^{u_{w}^{\prime}\times u_{h}^{\prime}\times c_{o}}$ satisfying convolution $\mathtt{Conv}(\mathbf{X},\mathbf{Y})=\mathbf{Z}$, where $u_{w}$, $u_{w}$, $u_{w}^{\prime}$, $u_{h}^{\prime}$, $l$, $c_{i}$ and $c_{o}$ are determined depending on the model architecture.

We take OT_n to denote the 1-out-of-2 Oblivious Transfer (OT) [13, 10]. In OT_n, the inputs of the sender (assuming $P_{0}$ for convenience) are two strings $s_{0},s_{1}\in\{0,1\}^{n}$, and the input of the receiver ($P_{1}$) is a bit $b\in\{0,1\}$ for selection. At the end of the OT-execution, $P_{1}$ learns $s_{b}$ while $P_{0}$ learns nothing. In this paper, we require that the instance of OT_n is secure against a semi-honest sender and a malicious receiver. We use OT${}_{n}^{\kappa}$ to represent $\kappa$ instances of OT_n. We exploit [21] to implement OT${}_{n}^{\kappa}$ with the communication complexity of $\kappa{\lambda+2n}$ bits.

The garbling scheme [35, 8] for boolean circuits parsing arbitrary functions consists of a pair of algorithms ($\mathtt{Garble}$, $\mathtt{GCEval}$) defined as follows:

• $\bullet$

  $\mathtt{Garble}(1^{\lambda},C)\rightarrow(\mathtt{GC},\{\{\mathtt{lab}_{i,j}^{in}\}_{i\in[n]},\{\mathtt{lab}_{j}^{out}\}\}_{j\in\{0,1\}})$. Giving the security parameter $\lambda$ and an arbitrary Boolean circuit $C:\{0,1\}^{n}\rightarrow\{0,1\}$, the algorithm $\mathtt{Garble}$ outputs a garbled circuit $\mathtt{GC}$, a set of input labels $\{\mathtt{lab}_{i,j}^{in}\}_{i\in[n],j\in\{0,1\}}$ of this $\mathtt{GC}$, and a set of output labels $\{\mathtt{lab}_{j}^{out}\}_{j\in\{0,1\}}$, where the size of each label is $\lambda$ bits. For any $x\in\{0,1\}^{n}$, we refer to $\{\mathtt{lab}_{i,x[i]}^{in}\}_{i\in[n]}$ as the garbled input of $x$, and $\mathtt{lab}_{C(x)}^{out}$ as the garbled output of $C(x)$.

• $\bullet$

  $\mathtt{GCEval}(\mathtt{GC},\{\mathtt{lab}_{i}\}_{i\in[n]})\rightarrow\mathtt{lab^{\prime}}$. Giving the garbled circuit $\mathtt{GC}$ and a set of input labels $\{\mathtt{lab}_{i}\}_{i\in[n]}$, the algorithm $\mathtt{GCEval}$ outputs a label $\mathtt{lab^{\prime}}$.

Let $\mathtt{Garble}(1^{\lambda},C)\rightarrow(\mathtt{GC},\{\{\mathtt{lab}_{i,j}^{in}\}_{i\in[n]},\{\mathtt{lab}_{j}^{out}\}\}_{j\in\{0,1\}})$, the above garbled scheme ($\mathtt{Garble}$, $\mathtt{GCEval}$) is required to satisfy the following properties:

• $\bullet$

  Correctness. $\mathtt{GCEval}$ is faithfully performed on the $\mathtt{GC}$ and correctly outputs garbled results when given the garbled input of $x$. Formally, for any Boolean circuit $C$ and input $x\in\{0,1\}^{n}$, $\mathtt{GCEval}$ holds that

  $$\mathtt{GCEval}(\mathtt{GC},\{\mathtt{lab}_{i,x[i]}^{in}\}_{i\in[n]})\rightarrow\mathtt{lab}_{C(x)}^{out}$$

• $\bullet$

  Security. Given $C$, the garbled circuit $\mathtt{GC}$ of $C$ and garbled inputs of any $x\in\{0,1\}^{n}$ can be simulated by a polynomial probability-time simulator $\mathtt{Sim}$. Formally, for any circuit $C$ and input $x\in\{0,1\}^{n}$, we have $(\mathtt{GC},\{\mathtt{lab}_{i,x[i]}^{in}\}_{i\in[n]})\approx\mathtt{Sim}(1^{\lambda},C)$, where $\approx$ indicates computational indistinguishability.

• $\bullet$

  Authenticity. This implies that given the garbled input of $x$ and $\mathtt{GC}$, it is infeasible to guess the output label of $1-C(x)$. Formally, for any circuit $C$ and $x\in\{0,1\}^{n}$, we have $\left(\mathtt{lab}_{1-C(x)}^{out}|\mathtt{GC},\{\mathtt{lab}_{i,x[i]}^{in}\}_{i\in[n]}\right)\approx U_{\lambda}$.

Without loss of generality, the garbled scheme described above can be naturally extended to securely implement Boolean circuits with multi-bit outputs. In VerifyML, we utilize state-of-the-art optimization strategies, including point-and-permute [12], free-XOR [23] and half-gates [42] to construct the garbling scheme.

Consistent with state-of-the-art work on the setting of semi-honest models [29], VerifyML is deconstructed into an offline stage and an online stage, where the preprocessing process of the offline stage is independent of the input of model holders and clients. In this way, the majority ($>95\%$) of the computation can be performed offline to minimize the overhead of the online process. Figure 2 provides an overview of VerifyML, where we describe the computational parts required for the offline and online phase, respectively.

As described in Figure 2, we move almost all linear operations into the offline phase, where we construct customized triples for matrix-vector multiplication and convolution to accelerate linear execution. Specifically, 1) we design an efficient construction of matrix-multiplication triples instead of generating Beaver’s multiplication triples for individual multiplications (see Section 4.1.1). Our core insight is a new packed homomorphic multiplication method for matrices and vectors. We explore the inherent connection between secret sharing and homomorphic encryption to remove all the rotation operation in parallel homomorphic computation. 2) We extend the idea of generating matrix multiplicative triples over semi-honest models [30] into convolution domain over the model holder-malicious threat model (see Section 4). The core of our construction is derived from E2DM [17], which proposes a state-of-the-art method for parallel homomorphic multiplication between arbitrary matrices. We further optimize E2DM to achieve at least $2\times$ computational speedup compared to naive use.

Our optimization technique for linear layer computation exhibits superior advantages compared to state-of-the-art existing methods [22, 20]⁴⁴4Note that several efficient parallel homomorphic computation methods [19, 43] with packed ciphertext have been proposed and run on semi-honest or client-malicious models [29, 26, 5] for secure inference. It may be possible to transfer these techniques to our method to speed up triple’s generation, but this is certainly non-trivial and we leave it for future work.. In more detail, we reduce the communication overhead from cubic to quadratic (both for offline and online phases) compared to Overdrive [22], which is the mainstream tool for generating authenticated multiplicative triples on malicious adversary models(see Section 4 for detailed analysis).

We use the garbled circuit to achieve secure computation of nonlinear functions (mainly ReLU) in ML models. Specifically, assumed that $P_{0}$ and $P_{1}$ learn the authenticated sharing about $\mathbf{v}_{i}=\mathbf{L}_{i}\mathbf{x}_{i-1}$ after executing the $i$-th linear layer, that is, each party $P_{b}$ holds $[\![\mathbf{v}_{i}]\!]_{b}=\{\langle\alpha\rangle_{b},\langle\mathbf{v}_{i}\rangle_{b},\langle\alpha\mathbf{v}_{i}\rangle_{b}\}_{b\in\{0,1\}}$. Then, $\{\langle\mathbf{v}_{i}\rangle_{b}\}_{b\in\{0,1\}}$ will be used as the input of ReLU (dented as $f_{i}$ for brevity) in the $i$-th nonlinear layer for both parties learning the authentication sharing about $\mathbf{x}_{i}=f_{i}(\mathbf{v}_{i})$, i.e., $[\![\mathbf{x}_{i}]\!]_{b}$. However, constructing such a satisfactory garbling scheme has the following intractable problems.

• $\bullet$

  How to validate input from the malicious model holder. Since the model holder is malicious, it must be ensured that the input from the model holder in the $\mathtt{GC}$ (i.e. $\langle\mathbf{v}_{i}\rangle_{0}$) is consistent with the share obtained by the previous linear layer. In the traditional malicious adversary model [22, 20, 6], a standard approach is to verify the correctness of the authenticated sharing of all inputs from malicious entities in the $\mathtt{GC}$. However, this is very expensive and takes tens of seconds or even minutes to process a ReLU function. It obviously does not meet the practicality of ML model inference because a modern ML model usually contains thousands of ReLU functions.

• $\bullet$

  How to minimize the number of multiplication encapsulated into $\mathtt{GC}$. For the $i$-th nonlinear layer, we need to compute the authenticated shares of the ReLU output, i.e. $[\![\mathbf{x}_{i}]\!]_{b}=\{\langle\alpha\rangle_{b},\langle\mathbf{x}_{i}\rangle_{b},\langle\alpha\mathbf{x}_{i}\rangle_{b}\}_{b\in\{0,1\}}$. This requires at least two multiplications on the field, if all computations are encapsulated into the $\mathtt{GC}$. Note that performing arithmetic multiplication operations in the $\mathtt{GC}$ is expensive and requires at least $O(\kappa^{2}\lambda)$ communication overhead.

We design novel protocols to remedy the above problems through the following insights: (1) garbled circuits already achieve malicious security against garbled circuit evaluators (i.e., the model holder in our setting) [26]. This means that we only need to construct a lightweight method to check the consistency between the input of the malicious adversary in the nonlinear layer and the results obtained by the previous linear layer. Then, this method can be integrated with $\mathtt{GC}$ to achieve end-to-end nonlinear secure computing (see Section 4). (2) It is enough to calculate the output label for each bit of $f_{i}(\mathbf{v}_{i})$’s share (i.e., $f_{i}(\mathbf{v}_{i})[j]$, for $1\leq j\leq\kappa$) in the GC, rather than obtaining the exact arithmetic share of $f_{i}(\mathbf{v}_{i})$ [5]. Moreover, we can parse ReLU function as $ReLU(\mathbf{v}_{i})=\mathbf{v}_{i}\cdot sign(\mathbf{v}_{i})$, where the sign function $sign(\mathbf{v}_{i})$ equals 1 if $t\geq 0$ and 0 otherwise. Hence, we only encapsulate the non-linear part of $ReLU(\mathbf{v}_{i})$ (i.e., $sign(\mathbf{v}_{i})$) into the $\mathtt{GC}$, thereby substantially minimizing the number of multiplication operations.

Compared with works [22, 20, 6] with malicious adversary, VerifyML reduces the communication overhead of each ReLU function from $2c\lambda+190\kappa\lambda+232\kappa^{2}$ to $2d\lambda+4\kappa\lambda+6\kappa^{2}$, where $d\ll c$. Our experiments show that VerifyML achieves $4\times$-$42\times$ computation speedup and gains $48\times$ less communication overhead for nonlinear layer computation.

Remark 3.1 . Beyond the above optimization strategies, we also do a series of strategies to reduce the overhead in the implementation process, including removing the reliance on distributed decryption primitives in previous works [22, 20, 6] and minimizing the number of calls to zero-knowledge proofs of ciphertexts. In the following section, we provide a comprehensive technical description of the proposed method.

In this section, we describe the technical details of VerifyML. As described above, VerifyML is divided intooffline and online phases. We first describe the operations that need to be precomputed in the offline phase, including generating matrix-vector multiplications and triples for convolution, and garbled circuits for constructing the objective function. Then, we introduce the technical details of the online phase.