Shuffling Defense Vulnerable in Transformer Secure Inference
A recent arXiv paper on cryptographic secure inference for Transformers shows that the shuffling defense, introduced to make the nonlinear layers affordable, can be broken. In secure inference the client learns only the model's final output and the server learns nothing about the client's input, but evaluating the nonlinear layers (for example the softmax in attention and the GELU in the feed-forward block) under cryptography is the efficiency bottleneck because of the communication rounds and data volume they require. Earlier work avoided this cost by revealing the intermediate activations to the client, which then evaluates the nonlinearity in plaintext; an adversarial client can use those activations to extract the model weights. The shuffling defense instead reveals the activations under a fresh random permutation for every query, so that activations from different queries cannot be related directly. The new paper presents an attack that aligns the differently shuffled activations to one common permutation, after which the aligned activations can be used to extract the weights much as in the unshuffled setting. This undermines the security argument behind the shuffling defense and raises questions about the robustness of current secure inference techniques for Transformers.
Key facts
- Cryptographic secure inference for Transformers ensures that the client learns only the final output.
- The server learns nothing about the client's input.
- Nonlinear layers are the efficiency bottleneck because of the communication rounds and data volume they require under cryptography.
- Prior works reveal intermediate activations to the client so that it can compute the nonlinear layers in plaintext.
- Exposing those activations lets an adversarial client extract the model weights.
- The shuffling defense reveals only randomly permuted activations to the client, with a different permutation for each query.
- The new attack aligns the differently shuffled activations to a single common permutation, removing the protection the per-query shuffles were meant to provide.
- The attack then exploits the aligned activations to extract the model weights.
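To make the failure mode concrete, here is an added toy model (not code from the paper or from this page) of the shuffling defense and of a malicious client that aligns the shuffled activations and then extracts the linear layer feeding a nonlinearity. Everything in it is an assumption for illustration: the layer sizes, the randomly drawn weights, the server that returns W x + b under a fresh permutation per query, and above all the alignment heuristic (query inputs that differ only slightly, match activations by nearest value, and halve the step when the match looks unsafe). The paper's alignment method is not described on this page and is presumably more general; this block only shows why an alignment step, once available, makes the shuffled setting as exploitable as the unshuffled one described in the earlier-work bullet, where the same extraction runs with alignment reduced to the identity.

```python
"""Toy model of the shuffling defense for secure Transformer inference and
of a client that aligns the shuffled activations to recover the linear layer
feeding a nonlinearity. Illustrative only: the sizes, weights and the
alignment heuristic are constructed assumptions, not the paper's protocol."""
import random

D_IN, D_OUT = 4, 6  # assumed toy sizes: input width and hidden width


class ShufflingServer:
    """Secret linear layer (W, b). Each query reveals the pre-activation
    W x + b, as the shuffling defense does so the client can apply the
    nonlinearity in plaintext, but under a fresh random permutation."""

    def __init__(self, seed=0, shuffle=True):
        rng = random.Random(seed)  # constructed demo weights
        self.W = [[rng.gauss(0.0, 1.0) for _ in range(D_IN)] for _ in range(D_OUT)]
        self.b = [rng.gauss(0.0, 1.0) for _ in range(D_OUT)]
        self.shuffle = shuffle
        self._perm_rng = random.Random(seed + 1)
        self.queries = 0

    def query(self, x):
        self.queries += 1
        h = [sum(w * xi for w, xi in zip(row, x)) + bj for row, bj in zip(self.W, self.b)]
        if self.shuffle:
            self._perm_rng.shuffle(h)  # fresh permutation per query
        return h


def align(reference, shuffled, tolerance_fraction=0.25):
    """Map `shuffled` onto the ordering of `reference` by sort-based
    nearest-value matching. Assumption (ours, not the paper's): the two
    queries were close enough that no two activation values crossed. Returns
    None when the match looks unsafe (some entry moved at least a quarter of
    the smallest gap between reference values) so the caller can shrink its step."""
    order = sorted(range(len(reference)), key=reference.__getitem__)
    sorted_ref = [reference[i] for i in order]
    min_gap = min(b - a for a, b in zip(sorted_ref, sorted_ref[1:]))
    aligned = [0.0] * len(shuffled)
    for pos, value in zip(order, sorted(shuffled)):
        aligned[pos] = value
    if max(abs(a - r) for a, r in zip(aligned, reference)) >= tolerance_fraction * min_gap:
        return None
    return aligned


def extract_linear_layer(server, eps=1e-3):
    """Recover (W, b) up to one common row permutation. The all-zero input
    exposes b in the reference order; eps * e_k exposes b + eps * W[:, k],
    which `align` maps back to that order. Halve eps and retry when the
    alignment check fails."""
    b_ref = server.query([0.0] * D_IN)
    W_rec = [[0.0] * D_IN for _ in range(D_OUT)]
    for k in range(D_IN):
        step = eps
        while True:
            x = [0.0] * D_IN
            x[k] = step
            aligned = align(b_ref, server.query(x))
            if aligned is not None:
                break
            step /= 2.0  # perturbation too large for a safe match; retry smaller
        for j in range(D_OUT):
            W_rec[j][k] = (aligned[j] - b_ref[j]) / step
    return W_rec, b_ref


def rows_match_up_to_permutation(rows_a, rows_b, atol=1e-6):
    """True if rows_a are exactly the rows of rows_b in some order."""
    unused = list(range(len(rows_b)))
    for row in rows_a:
        hit = next((j for j in unused
                    if all(abs(u - v) <= atol for u, v in zip(row, rows_b[j]))), None)
        if hit is None:
            return False
        unused.remove(hit)
    return not unused


def demo(shuffle=True, seed=0):
    """Run the extraction and report whether [W | b] was recovered up to a
    row permutation, plus the number of queries spent."""
    server = ShufflingServer(seed=seed, shuffle=shuffle)
    W_rec, b_rec = extract_linear_layer(server)
    recovered = [row + [bj] for row, bj in zip(W_rec, b_rec)]
    truth = [row + [bj] for row, bj in zip(server.W, server.b)]
    return rows_match_up_to_permutation(recovered, truth), server.queries


if __name__ == "__main__":
    for shuffle in (False, True):
        ok, n = demo(shuffle=shuffle)
        print(f"shuffle={shuffle}: [W|b] recovered up to a row permutation: {ok} ({n} queries)")
```

What the client ends up with is W and b in the order fixed by the first query's permutation, that is, a consistent relabelling of the hidden units, which is all a model thief needs for that layer. The point of the check in `align` is the caveat a practitioner should keep in mind: nearest-value matching is only sound when no two activations cross between the two queries, so the toy attacker keeps its probes close to a reference input; the paper's attack aligns activations across arbitrary inputs, which is a stronger result than this illustration.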
Entities
Institutions
- arXiv