{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T16:03:38Z","timestamp":1775837018157,"version":"3.50.1"},"reference-count":65,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"3","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"Science and Technology Innovation 2030","award":["2018AAA0100905"],"award-info":[{"award-number":["2018AAA0100905"]}]},{"name":"China NSF","award":["62025204"],"award-info":[{"award-number":["62025204"]}]},{"name":"China NSF","award":["61972252"],"award-info":[{"award-number":["61972252"]}]},{"name":"China NSF","award":["61972254"],"award-info":[{"award-number":["61972254"]}]},{"name":"China NSF","award":["61672348"],"award-info":[{"award-number":["61672348"]}]},{"name":"China NSF","award":["61672353"],"award-info":[{"award-number":["61672353"]}]},{"name":"Joint Scientific Research Foundation of the State Education Ministry","award":["6141A02033702"],"award-info":[{"award-number":["6141A02033702"]}]},{"name":"Open Project Program of the State Key Laboratory of Mathematical Engineering and Advanced Computing","award":["2018A09"],"award-info":[{"award-number":["2018A09"]}]},{"name":"Alibaba Group through Alibaba Innovation Research Program"},{"name":"Tencent Rhino Bird Key Research Project"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2022,5,1]]},"DOI":"10.1109\/tdsc.2020.3035591","type":"journal-article","created":{"date-parts":[[2020,11,3]],"date-time":"2020-11-03T20:44:43Z","timestamp":1604436283000},"page":"1703-1721","source":"Crossref","is-referenced-by-count":32,"title":["Toward Verifiable and Privacy Preserving Machine Learning Prediction"],"prefix":"10.1109","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1650-4233","authenticated-orcid":false,"given":"Chaoyue","family":"Niu","sequence":"first","affiliation":[{"name":"Department of Computer Science and Engineering, Shanghai Key Laboratory of Scalable Computing and Systems, Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0965-9058","authenticated-orcid":false,"given":"Fan","family":"Wu","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Shanghai Key Laboratory of Scalable Computing and Systems, Shanghai Jiao Tong University, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9261-5210","authenticated-orcid":false,"given":"Shaojie","family":"Tang","sequence":"additional","affiliation":[{"name":"Naveen Jindal School of Management, University of Texas at Dallas, Richardson, TX, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4050-0443","authenticated-orcid":false,"given":"Shuai","family":"Ma","sequence":"additional","affiliation":[{"name":"Beijing Advanced Innovation Center for Big Data and Brain Computing, Beihang University, Beijing, China"}]},{"given":"Guihai","family":"Chen","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Shanghai Key Laboratory of Scalable Computing and Systems, Shanghai Jiao Tong University, Shanghai, China"}]}],"member":"263","reference":[{"key":"ref2","first-page":"4672","article-title":"SafetyNets: Verifiable execution of deep neural networks on an untrusted cloud","volume-title":"Proc. 31st Int. Conf. Neural Inf. Process. Syst.","author":"Ghodsi"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"ref4","article-title":"Slalom: Fast, verifiable and private execution of neural networks in trusted hardware","volume-title":"Proc. Int. Conf. Learn. Representations","author":"Tram\u00e8r"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1016\/j.qref.2007.04.001"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1038\/nature21056"},{"key":"ref7","first-page":"2505","article-title":"Delphi: A cryptographic inference service for neural networks","volume-title":"Proc. USENIX Secur. Symp.","author":"Mishra"},{"key":"ref8","first-page":"601","article-title":"Stealing machine learning models via prediction APIs","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Tram\u00e8r"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134056"},{"key":"ref10","first-page":"1651","article-title":"GAZELLE: A low latency framework for secure neural network inference","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Juvekar"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14623-7_25"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978368"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23241"},{"key":"ref15","first-page":"201","article-title":"CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Gilad-Bachrach"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363207"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.29012\/jpc.v4i1.612"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"ref19","article-title":"Learning differentially private recurrent language models","volume-title":"Proc. Int. Conf. Learn. Representations","author":"McMahan"},{"key":"ref20","first-page":"1895","article-title":"Evaluating differentially private machine learning in practice","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Jayaraman"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00019"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2939713"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1023\/A:1022627411411"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/103418.103434"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-13190-5_3"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1007\/s00145-007-9005-7"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30576-7_18"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-69053-0_9"},{"key":"ref29","first-page":"335","article-title":"Helios: Web-based open-audit voting","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Adida"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.32"},{"key":"ref31","article-title":"Going from bad to worse: From internet voting to blockchain voting","volume-title":"MIT","author":"Park","year":"2020"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/2619239.2626306"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.24"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-57048-8_6"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-36594-2_13"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.30"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.12"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-46416-6_47"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-72540-4_14"},{"key":"ref43","first-page":"855","article-title":"On the computational efficiency of training neural networks","volume-title":"Proc. 27th Int. Conf. Neural Inf. Process. Syst.","author":"Livni"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-17373-8_11"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-44371-2_21"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660366"},{"key":"ref52","first-page":"1501","article-title":"XONN: XNOR-based oblivious deep neural network inference","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Riazi"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00092"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3348760"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/TPDS.2021.3068195"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2929409"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133982"},{"key":"ref58","first-page":"1345","article-title":"High accuracy and high fidelity extraction of neural networks","volume-title":"Proc. USENIX Secur. Symp.","author":"Jagielski"},{"key":"ref59","first-page":"1309","article-title":"Exploring connections between active learning and model extraction","volume-title":"Proc. USENIX Secur. Symp.","author":"Chandrasekaran"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/1081870.1081950"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.20"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3345660"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274740"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"ref66","first-page":"7728","article-title":"Attacks meet interpretability: Attribute-steered detection of adversarial samples","volume-title":"Proc. 32nd Conf. Neural Inf. Process. Syst.","author":"Tao"},{"key":"ref67","first-page":"17","article-title":"Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Fredrikson"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1504\/IJSN.2015.071829"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00065"},{"key":"ref70","first-page":"1467","article-title":"Poisoning attacks against support vector machines","volume-title":"Proc. 29th Int. Conf. Mach. Learn.","author":"Biggio"},{"key":"ref71","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"Chen","year":"2017"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00057"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363216"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.011.1900577"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/8858\/9773152\/09247447.pdf?arnumber=9247447","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,10]],"date-time":"2024-01-10T00:24:35Z","timestamp":1704846275000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9247447\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5,1]]},"references-count":65,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2020.3035591","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,5,1]]}}}