Overview
This chapter introduces Nesa's hybrid approach to security and privacy (SP) enhancement. The essence of this hybrid design is the deliberate integration of hardware-based and software/algorithm-based solutions to achieve co-optimization, with each component selected and tuned for the scenarios within our ecosystem where it fits best. SP concerns take different forms for different parties. For instance, users may wish to protect their input data and the inference results, while node owners may in some cases seek to protect the confidentiality of their model parameters. At the same time, users want assurance that the models executed by the nodes are verifiable: the designated ML models generate the inference results without unexpected changes.
SP Requirements: In summary, there are two core SP aspects we identify in decentralized inference: (i) model verification to prove the nodes execute the designated models for a user and (ii) data encryption to protect the user's data from being revealed during the inference. Based on these requirements, we develop a suite of solutions to ensure SP in Nesa's system.
Our Hardware-Software Co-Optimization Solution: To address both model verification and data encryption jointly, we design an integrated approach to achieve leading SP performance in our system. Specifically, through the combination of the robust, hardware-centric protections of Trusted Execution Environments (TEEs) and the advanced algorithmic approaches, including Zero-knowledge Machine Learning (ZKML), Consensus-based Distribution Verification (CDV), and Split-Learning (SL), we ensure that security and privacy are foundational pillars of the system.
In a nutshell, TEEs provide a secure area within a processor that ensures the confidentiality and integrity of the code and data loaded within it, providing protection at the hardware level. By contrast, ZKML and CDV are novel algorithms that ensure the inference nodes execute the correct model, either by verifying proofs (ZKML) or by measuring the consensus of the nodes' output distributions (CDV), while SL protects user data by transferring only intermediate computational embeddings rather than the raw data. Collectively, this hardware-software integrated solution provides a high level of SP in Nesa's system.
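To make the distribution-consensus idea behind CDV concrete, here is an added illustration that is not Nesa's code and does not reproduce Nesa's actual CDV algorithm: it assumes several nodes return a probability distribution over the same output classes for the same input, builds a robust (median-based) reference distribution, and rejects any node whose total variation distance from that reference exceeds a threshold. The node names, outputs and the 0.2 threshold are constructed sample values.

```python
import math

# Constructed sample: softmax-style output distributions returned by four
# hypothetical inference nodes for the same input. Three agree closely; one
# (node_d) deviates, which is the situation a distribution-consensus check is
# meant to surface. All values are made up for this illustration.
NODE_OUTPUTS = {
    "node_a": [0.70, 0.20, 0.10],
    "node_b": [0.68, 0.22, 0.10],
    "node_c": [0.71, 0.19, 0.10],
    "node_d": [0.10, 0.15, 0.75],
}


def total_variation(p, q):
    """Total variation distance between two discrete distributions.

    0.0 means identical, 1.0 means disjoint support.
    """
    if len(p) != len(q):
        raise ValueError("distributions must share the same support")
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def consensus_reference(outputs):
    """Element-wise median across nodes, renormalised to sum to 1.

    A median is used rather than a mean so that a single deviating node
    cannot drag the reference towards itself.
    """
    names = list(outputs)
    k = len(outputs[names[0]])
    ref = []
    for i in range(k):
        col = sorted(outputs[n][i] for n in names)
        mid = len(col) // 2
        if len(col) % 2:
            ref.append(col[mid])
        else:
            ref.append(0.5 * (col[mid - 1] + col[mid]))
    total = sum(ref)
    return [x / total for x in ref]


def check_consensus(outputs, threshold=0.2):
    """Split nodes into (accepted, rejected) lists.

    A node is rejected if its output is not a valid distribution, or if its
    total variation distance from the consensus reference exceeds threshold.
    """
    ref = consensus_reference(outputs)
    accepted, rejected = [], []
    for name, dist in outputs.items():
        valid = all(x >= 0 for x in dist) and math.isclose(sum(dist), 1.0, abs_tol=1e-6)
        if not valid:
            rejected.append(name)
            continue
        if total_variation(dist, ref) <= threshold:
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_consensus(NODE_OUTPUTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The threshold trades false rejections of honest nodes (which differ slightly due to numerical nondeterminism or hardware) against tolerance of a substituted model; in practice it would be calibrated against the expected variance of the designated model, which this example does not attempt.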