摘要
近年来,诸如ChatGPT、DeepSeek等神经网络推理服务的发展,使得小微企业及个人等不具备海量数据或充足算力的用户也能受益于神经网络强大的表征能力。然而,随着人们对隐私泄露问题的关注,神经网络推理服务中的两个关键问题亟待解决:(1)如何在推理过程中保护用户的数据和推理结果不被泄露;(2)如何在保证模型隐私不被泄露的前提下,实现用户对模型和推理结果的可验证性。虽然目前已有部分研究分别基于同态加密、安全多方计算等密码学技术实现对用户数据和推理结果的隐私保护,基于零知识证明实现在保护模型隐私的前提下的推理可验证性,但这些研究均未能同时解决上述两个问题。因此,本文结合同态加密和零知识证明,提出了一种可验证同态加密神经网络推理方案-VHENN。为了解决同态加密与零知识证明结合过程中存在的各种挑战,本方案首先基于Rinocchio,一种用于环上电路的零知识简洁非交互知识论证,以适应基于环多项式构造的同态加密方案,实现同态加密计算的可验证性。随后,将可验证同态加密方案与神经网络推理相结合,实现满足模型、推理数据、推理结果隐私保护以及模型真实性和推理正确性可验证的神经网络推理方案。实验结果表明,得益于同态加密可以采用单指令多数据操作的特性,本方案在零知识证明的构造过程中显著减少了约束数量,降低幅度达到1至3个数量级。相比于对比方案,本方案在可信设置、证明生成和验证等环节的计算时间缩短了超过4个数量级。
In recent years,neural network inference services such as ChatGPT and DeepSeek have provided small and medium-sized enterprises and individuals with access to advanced AI capabilities without requiring massive datasets or extensive computational power.These services have made it possible to harness the representation power of neural networks across a wide range of applications,from natural language processing to image recognition,enabling users to achieve sophisticated results with minimal technical expertise.However,the widespread adoption of these services has raised significant privacy concerns,particularly in scenarios where sensitive user data is involved.Two critical issues arise in neural network inference services that must be addressed:(1)ensuring that users'data and inference results are protected from potential leaks during the inference process,and(2)providing a mechanism for verifying the authenticity of models and correctness of inference results while preserving the privacy of the model itself.To address these challenges,cryptographic techniques such as Homomorphic Encryption(HE)and Secure Multiparty Computation(MPC)have been explored to safeguard user data and inference results,enabling computations on encrypted or shared data without exposing sensitive information.However,despite these advances,neither HE nor MPC alone can address the dual requirements of privacy preservation and verifiability in neural network inference.Zero-Knowledge Proofs(ZKPs)have been introduced to ensure the verifiability of models and inference results without revealing sensitive model details,but integrating these cryptographic tools into a single,cohesive framework that addresses both privacy and verifiability remains an open challenge.In this paper,we propose VHENN(Verifiable Homomorphic Encrypted Neural Network Inference Scheme),a novel scheme that combines homomorphic encryption and zero-knowledge proofs to provide a solution for both privacy and verifiability in neural network inference.Our approach is built on Rinocchio,a Zero-Knowledge Succinct Non-Interactive Argument of Knowledge(zk-SNARK)protocol,which is tailored for ring circuits.Rinocchio is particularly well-suited for verifiable with homomorphic encryption schemes due to its compatibility with schemes based on ring polynomials.By leveraging Rinocchio,we achieve verifiability of homomorphically encrypted computations,allowing us to confirm the verifiability of encrypted computations without revealing the underlying computed data.The core innovation of VHENN lies in its ability to integrate verifiable homomorphic encryption with neural network inference.This integration ensures that user data,models and inference results are fully protected during the inference process,while also providing verifiable guarantees of model authenticity and result correctness.Furthermore,the scheme addresses the efficiency challenges associated with combining homomorphic encryption and zero-knowledge proofs.Specifically,our approach takes advantage of the Single Instruction,Multiple Data(SIMD)feature of homomorphic encryption,which allows multiple operations to be performed simultaneously on encrypted data.This significantly reduces the number of constraints in the construction of zero-knowledge proofs,cutting them by 1 to 3 orders of magnitude compared to non-SIMD solutions.Experimental results demonstrate the effectiveness of VHENN in reducing computational overhead.Compared to other privacy-preserving inference schemes,VHENN achieves substantial improvements in the computation time required for trusted setup,proof generation,and verification—by more than 4 orders of magnitude.
作者
杨文梯
何朝阳
李萌
张子剑
关志涛
祝烈煌
YANG Wen-Ti;HE Zhao-Yang;LI Meng;ZHANG Zi-Jian;GUAN Zhi-Tao;ZHU Lie-Huang(School of Control and Computer Engineering,North China Electric Power University,Beijing 102206;School of Computer Science and Information Engineering,Hefei University of Technology,Hefei 230601;School of Cyberspace Science and Technology,Beijing Institute of Technology,Beijing 100081)
出处
《计算机学报》
北大核心
2025年第6期1458-1477,共20页
Chinese Journal of Computers
基金
国家自然科学基金面上项目(62372173,62372149)
国家自然科学基金重点项目(U23A20303)资助。
关键词
神经网络推理
隐私保护
可验证
同态加密
零知识证明
neural network inference
privacy-preservation
verification
homomorphic encryption
zero-knowledge proofs
