Jihyung Kook (국지형)

Jihyung Kook (국지형)

she/her

OMSCS alumnus @ Georgia Tech. Motivated by my experience working with sensitive data, I aim to design systems that enforce privacy by design while remaining scalable and deployable. My long-term goal is to make strong cryptographic privacy guarantees usable and accessible in practice.

TFMD: General and Fast Secure Neural Network Inference Framework with Threshold FHE

Published:

TFMD: General and Fast Secure Neural Network Inference Framework with Threshold FHE

This post is based on the paper TFMD: General and Fast Secure Neural Network Inference Framework with Threshold FHE.
이 글은 TFMD: General and Fast Secure Neural Network Inference Framework with Threshold FHE 논문을 기반으로 정리한 내용이다.

Overview

Summary:
A review of TFMD, which proposes a secure neural network inference framework combining Threshold FHE and Masked Data to safely compute nonlinear functions without revealing the model input.

🔑 Research Question:

  • Can we compute nonlinear functions (e.g., ReLU) over encrypted inputs without any party learning the plaintext?

⚙️ Key Mechanism:

  • Threshold FHE (n-out-of-n): The secret key $s$ is split into $n$ shares $s_i$, so decryption requires all $n$ parties — even $n-1$ colluders cannot reconstruct the key.

  • Masked Data: Before decryption, the ciphertext is masked by a random value $r$ (i.e., $\text{Enc}(r \cdot x)$), so the decrypted value reveals $r \cdot x$, not $x$ — no party learns the actual input.

  • Nonlinear protocols ($\Pi_\text{ReLU}$, $\Pi_\text{MP}$): Built on the above two conditions: mask → threshold decrypt → compute ReLU/MaxPool on $r \cdot x$ → remove mask → recover $\text{Enc}(\text{ReLU}(x))$.

  • Supporting protocols ($\Pi_\text{EC}$, $\Pi_\text{FHE-PC}$): Handle encoding conversion (Coefficient ↔ SIMD) and parameter switching (large params for offline, small params for online) using the same masked data trick.

📊 Main Results:

  • Supports dishonest-majority security: only 1 honest party needed (vs. $t < n/2$ for prior work).
  • Generalizes to arbitrary $n$ parties without redesigning protocols.
  • Achieves 4.9× speedup on ReLU, 6.7× on Max Pooling, 2.1× on full inference vs. CrypTFlow (WAN, 3-party).

⚠️ Limitations / Open Questions:

  • Security model is semi-honest only — assumes parties follow the protocol but may try to learn from transcripts.
  • Malicious adversary setting remains future work.
  • GPU acceleration not yet integrated.

💡 Insight:
TFMD shows that combining two conceptually simple ideas — distributing the decryption key (Threshold FHE) and masking the input before decryption (Masked Data) — is enough to enable safe nonlinear computation over ciphertexts. The preprocessing/online phase separation further makes it practical, since the expensive randomness generation can be done ahead of time.

💬 Personal Comment:
Most prior work on secure inference approximates ReLU with polynomials to keep everything inside the FHE domain — a trade-off that sacrifices both exactness and security. What struck me about TFMD is that it sidesteps approximation entirely: by masking the input with a random $r$ before decryption, no party ever sees $x$, yet ReLU can be computed exactly on $r \cdot x$ in plaintext. It’s a surprisingly clean idea — masking alone turns out to be powerful enough to make exact nonlinear computation safe.

Slides:
PDF (Korean) Download