NDSS2026
CRISP: An Efficient Cryptographic Framework for ML Inference Against Malicious Clients
Xiaoyu Fang, Shihui Zheng, Lize Gu
Abstract
Machine learning inference protocols based on semi-honest security models are vulnerable to attacks from malicious clients in real-world applications. These attacks can lead to the leakage of machine learning model parameters. Previous works introduced additional MAC computations to ensure correct client behavior; however, this resulted in higher runtime and communication costs during online inference. In this work, we present CRISP, an efficient two-party cryptographic framework designed to defend against malicious clients. Specifically: 1) We design protocols for non-linear layers based on a new cryptographic primitive (Function Secret Sharing). The core of our approach is optimizing the reconstruction process of MACs. 2) We propose a complex-domain verification mechanism for linear layers. This mechanism eliminates the additional MAC computations by making better use of the complex space in the CKKS homomorphic encryption scheme. Furthermore, we identified compatibility issues in practical applications of previous work (SIMC, USENIX Security'22): the MAC reconstruction process in the non-linear layers may leak intermediate inputs and outputs of the model when certain garbled circuit optimizations are applied. In contrast, CRISP avoids this problem. In the secure inference benchmarks considered in SIMC, CRISP reduces the total communication cost of ML inference by up to 94% and cuts inference latency by up to 43%.

I. Introduction
y = ๐ (W, x) without revealing the private information x, while gaining no additional information. Over the past few years, numerous studies have proposed methods based on secure two-party computation cryptographic primitives (i.e., homomorphic encryption [5], Yao's garbled circuits [6], function secret sharing [7], etc.) to achieve this goal.
Due to the computational complexity of secure two-party computation, the vast majority of these works have been founded on weaker security assumptions (i.e., both parties are semi-honest [8], [9]), focusing primarily on addressing efficiency issues. However, Lehmkuhl et al. show in MUSE [10] that in practical deployments it is reasonable to assume that servers hosting ML models are semi-honest due to reputational constraints. Conversely, client entities come from diverse sources, and malicious attackers among them may violate protocol specifications. MUSE shows that secure inference protocols based on the semi-honest model can be easily broken in practice: an attacker can fully recover the model parameters using far fewer queries than state-of-the-art black-box model extraction attacks. This finding highlights a critical issue: it is essential to enforce correct behavior from the client side during secure inference.

A. Related Work
MUSE represents the first work designed for secure inference in a client-malicious setting. Its mechanism is built upon Delphi [11], incorporating additional verification to ensure the correctness of client non-linear layer inputs (equivalent to linear layer outputs) and outputs (serving as linear layer inputs). Although MUSE's performance stands out among traditional protocols that counter malicious adversaries, its computational and communication costs remain approximately 15 times higher than Delphi's due to the complexity of the non-linear components. To address efficiency concerns, Chandran et al. proposed a more efficient 2-PC protocol, SIMC [12], specifically targeting malicious clients. SIMC analyzes the primary overhead in MUSE and identifies it within the complex non-linear layer computations: while using garbled circuits (GC) to complete non-linear function (primarily ReLU) calculations, participants must also learn the corresponding message authentication codes (MACs) through specific multiplication protocols.
This approach requires communication of at least 2๐๐ + 190๐ ๐ + 232๐ 2 under security parameter ๐, AND gates
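The MAC mechanism that MUSE and SIMC rely on, and whose reconstruction cost CRISP targets, is easiest to see in isolation. The following is an added example written for this page; it is not code from the CRISP, SIMC or MUSE papers. It models the values that cross between a linear and a non-linear layer as additive shares over a prime field, held together with shares of alpha * value, where the MAC key alpha is known only to the server. Local linear operations (adding a public constant, adding two shared values) need no interaction because the MAC is linear, and a client that opens a value inconsistent with its MAC is caught except with probability 1/p. The field size, the key and the sample values are all constructed for the example.

```python
"""Authenticated additive secret sharing with a linear (SPDZ-style) MAC.

Added illustration of the MAC-on-shares idea discussed above; not the
protocol of CRISP, SIMC or MUSE. The server holds the MAC key alpha; every
shared value v is accompanied by a sharing of alpha * v.
"""
import secrets

# Assumed field: the Mersenne prime 2^61 - 1 (constructed choice for the example).
P = (1 << 61) - 1


def keygen():
    """Server-side MAC key, never revealed to the client."""
    return secrets.randbelow(P)


def share(value, alpha):
    """Split value and its MAC alpha*value into (client, server) share pairs.

    Each party holds a pair (value_share, mac_share).
    """
    v = value % P
    c_v = secrets.randbelow(P)
    s_v = (v - c_v) % P
    mac = (alpha * v) % P
    c_m = secrets.randbelow(P)
    s_m = (mac - c_m) % P
    return (c_v, c_m), (s_v, s_m)


def add_shared(a, b):
    """Local addition of two authenticated shares (same party); no interaction."""
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)


def add_public(share_pair, k, alpha, is_server):
    """Add a public constant k to a shared value. Only the server adjusts its
    shares (by k and alpha*k); the client's shares are unchanged."""
    if not is_server:
        return share_pair
    return ((share_pair[0] + k) % P, (share_pair[1] + alpha * k) % P)


def open_and_check(client_share, server_share, alpha):
    """The client sends its pair; the server reconstructs the value and checks
    alpha * value == mac. Returns (ok, value). A failed check means the opened
    value must not be used (e.g. as the next layer's input)."""
    c_v, c_m = client_share
    s_v, s_m = server_share
    value = (c_v + s_v) % P
    mac = (c_m + s_m) % P
    return (alpha * value - mac) % P == 0, value


def demo(alpha=None):
    """Run an honest open, a linear operation, and a tampered open.

    Returns a dict of check results so the behaviour can be asserted on.
    """
    if alpha is None:
        alpha = keygen()
    c1, s1 = share(42, alpha)     # e.g. a linear-layer output
    c2, s2 = share(100, alpha)    # another shared value

    ok_honest, v_honest = open_and_check(c1, s1, alpha)

    # Linear ops on shares: (42 + 100) + 5, done locally, still authenticated.
    c_sum = add_public(add_shared(c1, c2), 5, alpha, is_server=False)
    s_sum = add_public(add_shared(s1, s2), 5, alpha, is_server=True)
    ok_linear, v_linear = open_and_check(c_sum, s_sum, alpha)

    # A deviating client shifts its value share by 7 but cannot produce the
    # matching MAC shift alpha*7 without alpha; the server detects it.
    tampered = ((c1[0] + 7) % P, c1[1])
    ok_tampered, _ = open_and_check(tampered, s1, alpha)

    return {
        "honest_ok": ok_honest, "honest_value": v_honest,
        "linear_ok": ok_linear, "linear_value": v_linear,
        "tampered_ok": ok_tampered,
    }


if __name__ == "__main__":
    print(demo())
```

The cost that SIMC and CRISP optimise is precisely the reconstruction step in open_and_check: inside a garbled circuit, both the value and its MAC share must be exchanged and re-checked at every non-linear layer, which is where the extra communication comes from.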