{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T15:16:48Z","timestamp":1773415008674,"version":"3.50.1"},"reference-count":60,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2023,5,17]],"date-time":"2023-05-17T00:00:00Z","timestamp":1684281600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science and Technology Council","award":["111-2221-E-006 -116 -MY3"],"award-info":[{"award-number":["111-2221-E-006 -116 -MY3"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Des. Autom. Electron. Syst."],"published-print":{"date-parts":[[2023,7,31]]},"abstract":"<jats:p>Privacy-preserving neural inference helps protect both the user input data and the model weights from being leaked to others during the inference of a deep learning model. To achieve data protection, the inference is often performed within a secure domain, and the final result is revealed in plaintext. Nevertheless, performing the computations in the secure domain incurs about a thousandfold overhead compared with the insecure version, especially when the involved operations of the entire model are mapped to the secure domain, which is the computation scheme adopted by the existing works. This work is inspired by the transfer learning technique, where the weights of some parts of the model layers are transferred from a publicly available, pre-built deep learning model, and it opens a door to further boost the execution efficiency by allowing us to do the secure computations selectively on parts of the transferred model. We have built a compiler framework, SecureTVM, to automatically translate a trained model into the secure version, where the model layers to be protected can be selectively configured by its model provider. As a result, SecureTVM outperforms the state of the art, CrypTFlow2, by a factor of 55 for the transfer learning model. We believe that this work takes a step forward toward the practical uses of privacy-preserving neural inference for real-world applications.<\/jats:p>","DOI":"10.1145\/3579049","type":"journal-article","created":{"date-parts":[[2023,1,3]],"date-time":"2023-01-03T11:43:11Z","timestamp":1672746191000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["SecureTVM: A TVM-based Compiler Framework for Selective Privacy-preserving Neural Inference"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7458-9634","authenticated-orcid":false,"given":"Po-Hsuan","family":"Huang","sequence":"first","affiliation":[{"name":"National Cheng Kung University, Tainan, Taiwan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8967-1385","authenticated-orcid":false,"given":"Chia-Heng","family":"Tu","sequence":"additional","affiliation":[{"name":"National Cheng Kung University, Tainan, Taiwan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8086-6661","authenticated-orcid":false,"given":"Shen-Ming","family":"Chung","sequence":"additional","affiliation":[{"name":"Delta Research Center, Delta Electronics, Inc., Taipei, Taiwan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7860-3678","authenticated-orcid":false,"given":"Pei-Yuan","family":"Wu","sequence":"additional","affiliation":[{"name":"National Taiwan University, Taipei, Taiwan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4987-799X","authenticated-orcid":false,"given":"Tung-Lin","family":"Tsai","sequence":"additional","affiliation":[{"name":"National Taiwan University, Taipei, Taiwan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4703-6348","authenticated-orcid":false,"given":"Yi-An","family":"Lin","sequence":"additional","affiliation":[{"name":"National Taiwan University, Taipei, Taiwan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8357-2415","authenticated-orcid":false,"given":"Chun-Yi","family":"Dai","sequence":"additional","affiliation":[{"name":"National Taiwan University, Taipei, Taiwan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9164-7605","authenticated-orcid":false,"given":"Tzu-Yi","family":"Liao","sequence":"additional","affiliation":[{"name":"National Taiwan University, Taipei, Taiwan"}]}],"member":"320","published-online":{"date-parts":[[2023,5,17]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"Mart\u00edn Abadi Ashish Agarwal Paul Barham Eugene Brevdo Zhifeng Chen Craig Citro Greg S. Corrado Andy Davis Jeffrey Dean Matthieu Devin Sanjay Ghemawat Ian Goodfellow Andrew Harp Geoffrey Irving Michael Isard Yangqing Jia Rafal Jozefowicz Lukasz Kaiser Manjunath Kudlur Josh Levenberg Dan Man\u00e9 Rajat Monga Sherry Moore Derek Murray Chris Olah Mike Schuster Jonathon Shlens Benoit Steiner Ilya Sutskever Kunal Talwar Paul Tucker Vincent Vanhoucke Vijay Vasudevan Fernanda Vi\u00e9gas Oriol Vinyals Pete Warden Martin Wattenberg Martin Wicke Yuan Yu and Xiaoqiang Zheng. 2015. TensorFlow: Large-Scale Machine Learning on Heterogeneous Systems. Retrieved from http:\/\/tensorflow.org\/."},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2013.39"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338469.3358944"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3310273.3323047"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-45239-0_4"},{"key":"e_1_3_2_7_2","first-page":"121","volume-title":"Proceedings of Symposium Informatica","author":"Bozinovski Stevo","year":"1976","unstructured":"Stevo Bozinovski and Ante Fulgosi. 1976. The influence of pattern similarity and transfer of learning upon training of a base perceptron b2. In Proceedings of Symposium Informatica. 121\u2013126."},{"key":"e_1_3_2_8_2","article-title":"MOTION\u2014A Framework for Mixed-Protocol Multi-Party Computation","author":"Braun Lennart","year":"2020","unstructured":"Lennart Braun, Daniel Demmler, Thomas Schneider, and Oleksandr Tkachenko. 2020. MOTION\u2014A Framework for Mixed-Protocol Multi-Party Computation. Cryptology ePrint Archive, Paper 2020\/1137. Retrieved from https:\/\/eprint.iacr.org\/2020\/1137.","journal-title":"Cryptology ePrint Archive, Paper 2020\/1137"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243786"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00043"},{"key":"e_1_3_2_11_2","volume-title":"NIPS Workshop on Machine Learning Systems (LearningSys\u201915)","author":"Chen Tianqi","year":"2015","unstructured":"Tianqi Chen, Mu Li, Yutian Li, Min Lin, Naiyan Wang, Minjie Wang, Tianjun Xiao, Bing Xu, Chiyuan Zhang, and Zheng Zhang. 2015. MXNet: A flexible and efficient machine learning library for heterogeneous distributed systems. In NIPS Workshop on Machine Learning Systems (LearningSys\u201915). 1\u20136."},{"key":"e_1_3_2_12_2","first-page":"578","volume-title":"Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201918)","author":"Chen Tianqi","year":"2018","unstructured":"Tianqi Chen, Thierry Moreau, Ziheng Jiang, Lianmin Zheng, Eddie Q. Yan, Haichen Shen, Meghan Cowan, Leyuan Wang, Yuwei Hu, Luis Ceze, Carlos Guestrin, and Arvind Krishnamurthy. 2018. TVM: An automated end-to-end optimizing compiler for deep learning. In Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI\u201918). 578\u2013594."},{"key":"e_1_3_2_13_2","unstructured":"Scott Cyphers Arjun K. Bansal Anahita Bhiwandiwalla Jayaram Bobba Matthew Brookhart Avijit Chakraborty Will Constable Christian Convey Leona Cook Omar Kanawi Robert Kimball Jason Knight Nikolay Korovaiko Varun Kumar Yixing Lao Christopher R. Lishka Jaikrishnan Menon Jennifer Myers Sandeep Aswath Narayana Adam Procter and Tristan J. Webb. 2018. Intel nGraph: An intermediate representation compiler and executor for deep learning. arXiv preprint arXiv:1801.08058 (2018)."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3314221.3314628"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23113"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2009.5206848"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1207\/s15516709cog1402_1"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1561\/9781680835090"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1155\/2020\/8889412"},{"key":"e_1_3_2_20_2","volume-title":"A Fully Homomorphic Encryption Scheme","author":"Gentry Craig","year":"2009","unstructured":"Craig Gentry. 2009. A Fully Homomorphic Encryption Scheme. Ph.D. Dissertation. Stanford University."},{"key":"e_1_3_2_21_2","first-page":"201","volume-title":"Proceedings of the International Conference on Machine Learning (ICML\u201916)","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin E. Lauter, Michael Naehrig, and John Wernsing. 2016. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In Proceedings of the International Conference on Machine Learning (ICML\u201916). 201\u2013210."},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.5555\/975541"},{"key":"e_1_3_2_23_2","first-page":"218","volume-title":"Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC\u201987)","author":"Goldreich Oded","year":"1987","unstructured":"Oded Goldreich, Silvio Micali, and Avi Wigderson. 1987. How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC\u201987). 218\u2013229."},{"key":"e_1_3_2_24_2","unstructured":"Karan Grover Shruti Tople Shweta Shinde Ranjita Bhagwan and Ramachandran Ramjee. 2018. Privado: Practical and secure DNN inference with enclaves. DOI:https:\/\/doi.org\/10.48550\/arxiv.1810.00602"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.90"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1162\/neco.1997.9.8.1735"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.243"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/3412841.3441929"},{"key":"e_1_3_2_29_2","doi-asserted-by":"crossref","unstructured":"Po-Hsuan Huang Chia-Heng Tu Shen-Ming Chung Pei-Yuan Wu Tung-Lin Tsai Yi-An Lin Chun-Yi Dai and Tzu-Yi Liao. 2022. Addendum to \u201cSecureTVM: A TVM-Based Compiler Framework for Selective Privacy-Preserving Neural Inference.\u201d Retrieved from https:\/\/github.com\/asrlabncku\/SecureTVM\/blob\/main\/paper_addendum.pdf.","DOI":"10.1145\/3579049"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v33i01.3301590"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-45146-4_9"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3445970.3451156"},{"key":"e_1_3_2_33_2","first-page":"1651","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918)","author":"Juvekar Chiraag","year":"2018","unstructured":"Chiraag Juvekar, Vinod Vaikuntanathan, and Anantha Chandrakasan. 2018. GAZELLE: A low latency framework for secure neural network inference. In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918). 1651\u20131669."},{"key":"e_1_3_2_34_2","first-page":"1097","article-title":"Imagenet classification with deep convolutional neural networks","volume":"25","author":"Krizhevsky Alex","year":"2012","unstructured":"Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. 2012. Imagenet classification with deep convolutional neural networks. Adv. Neural Inf. Process. Syst. 25 (2012), 1097\u20131105.","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00092"},{"key":"e_1_3_2_36_2","unstructured":"Yann LeCun and Corinna Cortes. 2010. MNIST Handwritten Digit Database. Retrieved from http:\/\/yann.lecun.com\/exdb\/mnist\/."},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.29"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134056"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.media.2020.101794"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.12"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-48910-X_16"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/INCET49848.2020.9154014"},{"key":"e_1_3_2_43_2","unstructured":"Sachin Patel. 2018. A-Z Handwritten Alphabets in .csv Format. Retrieved from https:\/\/www.kaggle.com\/sachinpatel21\/az-handwritten-alphabets-in-csv-format."},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1186\/s13636-018-0141-9"},{"key":"e_1_3_2_45_2","article-title":"Transfusion: Understanding transfer learning for medical imaging","author":"Raghu Maithra","year":"2019","unstructured":"Maithra Raghu, Chiyuan Zhang, Jon Kleinberg, and Samy Bengio. 2019. Transfusion: Understanding transfer learning for medical imaging. Adv Neural Inf Process Syst 32 (2019).","journal-title":"Adv Neural Inf Process Syst"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417274"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCSP.2019.8697909"},{"key":"e_1_3_2_48_2","first-page":"1501","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919)","author":"Riazi M. Sadegh","year":"2019","unstructured":"M. Sadegh Riazi, Mohammad Samragh, Hao Chen, Kim Laine, Kristin E. Lauter, and Farinaz Koushanfar. 2019. XONN: XNOR-based oblivious deep neural network inference. In Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919). 1501\u20131518."},{"key":"e_1_3_2_49_2","unstructured":"Kurt Rohloff and Yuriy Polyakov. 2017. The PALISADE Lattice Cryptography Library. Retrieved from https:\/\/git.njit.edu\/palisade\/PALISADE. 1.0 edition."},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1145\/3195970.3196023"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00474"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNN.2008.2005605"},{"key":"e_1_3_2_53_2","unstructured":"SEAL 2019. Microsoft SEAL (Release 3.4). https:\/\/github.com\/Microsoft\/SEAL. Microsoft Research Redmond WA."},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.physd.2019.132306"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1109\/IVCNZ.2018.8634803"},{"key":"e_1_3_2_56_2","volume-title":"Proceedings of the 7th International Conference on Learning Representations (ICLR\u201919)","author":"Tram\u00e8r Florian","year":"2019","unstructured":"Florian Tram\u00e8r and Dan Boneh. 2019. Slalom: Fast, verifiable and private execution of neural networks in trusted hardware. In Proceedings of the 7th International Conference on Learning Representations (ICLR\u201919)."},{"key":"e_1_3_2_57_2","unstructured":"Xiao Wang Alex J. Malozemoff and Jonathan Katz. 2016. EMP-toolkit: Efficient MultiParty Computation Toolkit. Retrieved from https:\/\/github.com\/emp-toolkit."},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIP.2003.819861"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1186\/s40537-016-0043-6"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.5555\/1382436.1382751"},{"key":"e_1_3_2_61_2","article-title":"Obliv-C: A Language for Extensible Data-Oblivious Computation","author":"Zahur Samee","year":"2015","unstructured":"Samee Zahur and David Evans. 2015. Obliv-C: A Language for Extensible Data-Oblivious Computation. Cryptology ePrint Archive, Paper 2015\/1153. Retrieved from https:\/\/eprint.iacr.org\/2015\/1153.","journal-title":"Cryptology ePrint Archive, Paper 2015\/1153"}],"container-title":["ACM Transactions on Design Automation of Electronic Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579049","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3579049","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:38:05Z","timestamp":1750178285000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579049"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,17]]},"references-count":60,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2023,7,31]]}},"alternative-id":["10.1145\/3579049"],"URL":"https:\/\/doi.org\/10.1145\/3579049","relation":{},"ISSN":["1084-4309","1557-7309"],"issn-type":[{"value":"1084-4309","type":"print"},{"value":"1557-7309","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,5,17]]},"assertion":[{"value":"2022-05-15","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-12-18","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-05-17","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}