Ginseng, the Learning TEE: Fast, Confidential Machine Learning in FPGA Enclaves



SLIDE 1

Nick Hynes | Oasis Labs

Ginseng, the Learning TEE

Fast, Confidential Machine Learning in FPGA Enclaves

SLIDE 2

Ideal: data providers pool data to train a large, complex model

SLIDE 3

Ideal: data providers pool data to train a large, complex model

Credit scoring model: Experian, Equifax, TransUnion

SLIDE 4

Health diagnosis model: UCSF Medical, Mass. General Hospital, Kaiser Permanente

Ideal: data providers pool data to train a large, complex model

SLIDE 5

Truly personal, personal assistant: me, you, your neighbor

Ideal: data providers pool data to train a large, complex model

SLIDE 6

Reality: data providers are mutually distrusting!

  • re-identification
  • inappropriate use (ads, military)
  • data theft

SLIDE 7

Solution: cooperation via a trusted third party (i.e. enclave)

SLIDE 8

What about CPU Enclaves?

Performance of VGG-9 on CIFAR (32x32 RGB images)

                          img/s (training)   img/s (inference)
Myelin [1]                21 img/s           496 img/s
Chiron (4 enclaves) [2]   25 img/s           –
non-private CPU           42 img/s           1119 img/s

[1] Efficient Deep Learning on Multi-Source Private Data. N. Hynes, R. Cheng, D. Song. Arxiv 2018
[2] Chiron: Privacy-preserving machine learning as a service. T. Hunt, C. Song, R. Shokri, V. Shmatikov, and E. Witchel. Arxiv 2018
[3] Graviton: Trusted Execution Environments on GPUs. S. Volos, K. Vaswani. OSDI 2018

SLIDE 9

What about CPU Enclaves?

Performance of VGG-9 on CIFAR (32x32 RGB images)


                              img/s (training)   img/s (inference)
Myelin [1]                    21 img/s           496 img/s
Chiron (4 enclaves) [2]       25 img/s           –
non-private CPU               42 img/s           1119 img/s
private GPU: Graviton [3]     >1500 img/s        >10,000 img/s

SLIDE 10

Ginseng, the Learning TEE

FPGA-based ML accelerator

1. Start with a tensor accelerator framework (e.g., VTA [4])
2. Bolt on a Tensor Encryption Core (TEC)
3. Add remote attestation hardware (PUF, RNG)
4. Distribute with a lightweight, secure unikernel

End result: a speedy end-to-end private ML pipeline

[4] A Hardware-Software Blueprint for Flexible Deep Learning Specialization. T. Moreau, et al. Arxiv 2019

SLIDE 11

Ginseng, the Learning TEE

Ginseng, the Learning TEE on an FPGA+CPU SoC

[Diagram of the FPGA+CPU SoC. Labels: CPU, FPGA, Tensor Accelerator, tensor tile buffers, RNG, PUF, TEC, TEC data, attestation engine, secure µkernel, Ginseng runtime, tensor accel. runtime, off-chip memory]

SLIDE 12

Ginseng, the Learning TEE

SLIDE 13

Sterling: A Privacy-Preserving Data Marketplace

A Demonstration of Sterling: A Privacy-Preserving Data Marketplace. N. Hynes, D. Yan, R. Cheng, and D. Song. VLDB 2018.