Secure Transformer Inference Protocol
This work addresses security and efficiency challenges for Transformer-based services like ChatGPT, offering a practical solution for real-world deployment.
The paper tackles the prohibitive cryptographic overheads of secure two-party protocols for Transformer inference by proposing a novel three-party threat model and STIP, a protocol that maintains full accuracy while improving efficiency by millions of times over state-of-the-art methods.
Security of model parameters and user data is critical for Transformer-based services, such as ChatGPT. While recent strides in secure two-party protocols have successfully addressed security concerns in serving Transformer models, their adoption is practically infeasible due to the prohibitive cryptographic overheads involved. Drawing insights from our hands-on experience in developing two real-world Transformer-based services, we identify the inherent efficiency bottleneck in the two-party assumption. To overcome this limitation, we propose a novel three-party threat model. Within this framework, we design a semi-symmetric permutation-based protection scheme and present STIP, the first secure Transformer inference protocol without any inference accuracy loss. Experiments on representative Transformer models in real systems show that STIP has practical security and outperforms state-of-the-art secure two-party protocols in efficiency by millions of times.