HOLMES: A Platform for Detecting Malicious Inputs in Secure Collaborative Computation

Weikeng Chen, Katerina Sotiraki, Ian Chang, Murat Kantarcioglu, Raluca Ada Popa

IACR Cryptology ePrint Archive (2021)

Abstract
Though maliciously secure multiparty computation (SMPC) ensures confidentiality and integrity of the computation from malicious parties, malicious parties can still provide malformed inputs. As a result, when using SMPC for collaborative computation, input can be manipulated to perform biasing and poisoning attacks. Parties may defend against many of these attacks by performing statistical tests over one another’s input, before the actual computation. We present HOLMES, a platform for expressing and performing statistical tests securely and efficiently. Using HOLMES, parties can perform well-known statistical tests or define new tests. For efficiency, instead of performing such tests naively in SMPC, HOLMES blends together zero-knowledge proofs (ZK) and SMPC protocols, based on the insight that most computation for statistical tests is local to the party who provides the data. High-dimensional tests are critical for detecting malicious inputs but are prohibitively expensive in secure computation. To reduce this cost, HOLMES provides a new secure dimensionality reduction procedure tailored for high-dimensional statistical tests. This new procedure leverages recent development of algebraic pseudorandom functions. Our evaluation shows that, for a variety of statistical tests, HOLMES is 18× to 40× more efficient than naively implementing the statistical tests in a generic SMPC framework.

I. INTRODUCTION

To meet the increasing demands of big data, many services today try to gain access to diverse and wide-ranging datasets. For this reason, a recent trend between competing business organizations is to perform collaborative computation over their joint datasets, so they can make decisions based on more than just their own data [1–3]. This approach, however, comes with data privacy issues, as organizations are often unwilling, sometimes prohibited by regulators, to share data [4, 5].
A solution to this problem is secure multiparty computation (SMPC), which enables such collaboration without compromising privacy. SMPC has been used in various settings, such as data analytics and machine learning [6–22], and in a wide range of applications, such as medical [23] and financial [24].

Though SMPC ensures the privacy and correctness of the computation, it does not ensure that parties provide well-formed datasets as input. As a result, state-of-the-art works offering malicious security, such as Senate [6], Helen [11], and Private Deep Learning [19], have assumed that all parties provide well-formed data, though the security of these systems ensures that parties cannot deviate from the protocol in many other ways. However, if we consider real-world use cases, such as training models for anti-money laundering or for medical studies, manipulated input can lead to grave consequences. For instance, a malicious organization can gain an unfair advantage in market competition by contributing grossly biased data to make the result of collaborative computation unusable.

This raises the following question: Can we practically detect malicious input in secure collaborative computation?

Though identifying every possible malicious input is infeasible, in many scenarios we know properties that the honest input must satisfy. For instance, we know that age data must lie in a specific range (e.g., 0–100), and that in a typical city, only a small fraction of the population has age over 90. In fact, range checks [25–27] are frequently used to limit the effect of misreported values in secure computation. However, range checks are not always enough. For example, assume that two banks with the same number of clients use the age of clients to predict the success of a bank marketing campaign. A malicious bank can decrease the combined mean age from, for example, 20 to 10 by contributing manipulated data where all the ages are 1.
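The two-bank example above, worked through as an added example (not code from the paper or from HOLMES): every poisoned value passes the range check, while a dataset-level test on the mean rejects the input. The statistics are computed in the clear here; the one-sample z-test, the agreed mean and standard deviation, the threshold, and both sample datasets are assumptions constructed for illustration.

```python
import math

AGE_RANGE = (0, 100)      # public range bound, from the page's age example
EXPECTED_MEAN = 20.0      # assumed publicly agreed mean (the page's "20")
EXPECTED_STD = 3.2        # assumed publicly agreed standard deviation
Z_CRIT = 3.0              # assumed acceptance threshold for |z|


def range_check(ages):
    """Per-value check: every age lies inside the public range."""
    lo, hi = AGE_RANGE
    return all(lo <= a <= hi for a in ages)


def mean_z_score(ages):
    """One-sample z statistic of the sample mean against the agreed mean."""
    n = len(ages)
    sample_mean = sum(ages) / n
    return (sample_mean - EXPECTED_MEAN) / (EXPECTED_STD / math.sqrt(n))


def mean_test(ages):
    """Dataset-level check: accept only if |z| is within the threshold."""
    return abs(mean_z_score(ages)) <= Z_CRIT


def combined_mean(*datasets):
    """Mean over the union of all parties' datasets."""
    total = sum(sum(d) for d in datasets)
    count = sum(len(d) for d in datasets)
    return total / count


# Constructed sample inputs: 1000 clients per bank.
honest = [15 + (i % 11) for i in range(1000)]   # ages 15..25, mean ~20
poisoned = [1] * 1000                           # every age reported as 1

if __name__ == "__main__":
    for name, data in (("honest", honest), ("poisoned", poisoned)):
        print(name, "range:", range_check(data),
              "mean test:", mean_test(data),
              "z = %.1f" % mean_z_score(data))
    print("combined mean with poisoned input: %.1f"
          % combined_mean(honest, poisoned))
```
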
Therefore, if some statistical characteristics of the data must be enforced, statistical hypothesis testing [28, 29] can be used as a general tool to check the quality of the input. Indeed, statistical testing has been a major tool in quality control [30–32], which checks the quality of all factors involved in manufacturing.

Building defenses against ill-formed or biased input is an active research area in machine learning [33–46]. In biasing attacks, the attacker provides biased data to reduce the accuracy of the model. In poisoning attacks, the attacker injects malicious input to the training dataset and influences a model. These attacks can not only affect the correctness, but also reveal information about the training data [47–49]. Various defenses against poisoning attacks are also based on computing statistical characteristics of the input [50, 51]. Thus, statistical tests are building blocks of many known and future defenses against biased or poisoned data in various settings.

We present HOLMES, a platform for expressing a rich class of statistical tests and performing them efficiently and securely. HOLMES does not aim to prescribe which specific tests each application should run because they depend on the use case, and new research may open up new defenses. Nonetheless, HOLMES enables parties in secure collaborative computation to express checks of statistical properties over the input by offering a rich set of statistical tests and building blocks, and performs these tests securely and efficiently. The efficiency gain is indeed important, as it allows parties to run more statistical tests with the same cost. In sum, we envision that users of secure collaborative computation can use HOLMES to perform input checks before the actual computation, to detect malformed input.

[Figure labels: Statistical tests; Secure collaborative computation; Planning phase; Execution phase]
Keywords
secure collaborative computation, malicious inputs, platform