Pith. sign in

REVIEW 2 major objections 2 minor 173 references

An information-theoretic approach defends collaborative LLM inference from prompt inversion by minimizing mutual information between activations and prompts.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.3

2026-06-27 09:36 UTC pith:P24YTHCO

load-bearing objection The paper frames prompt inversion defense in collaborative LLM inference as an MI minimization problem with privacy adapters, which is a reasonable step but the claimed theoretical guarantees on reconstruction error do not appear to hold up under the low-dimensional approximations required. the 2 major comments →

arxiv 2606.11592 v1 pith:P24YTHCO submitted 2026-06-10 cs.CR

Defense Against Prompt Inversion Attacks: An Information-Theoretic Approach for LLM Collaborative Inference

classification cs.CR
keywords prompt inversion attackscollaborative LLM inferenceinformation-theoretic defensemutual information minimizationprivacy adaptersinformation bottleneckprivacy-utility tradeoffedge-cloud inference
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper develops a defense framework for prompt inversion attacks during collaborative edge-cloud inference with large language models. It learns privacy-preserving representations by explicitly minimizing the mutual information between intermediate activations and the original input prompt. This minimization occurs while preserving task utility and respecting computational constraints. The work derives theoretical guarantees on reconstruction error and characterizes privacy-utility tradeoffs. A practical method uses low-dimensional privacy adapters as information bottlenecks, with experiments showing improved tradeoffs over prior approaches.

Core claim

By minimizing the mutual information between intermediate activations and the input prompt via low-dimensional privacy adapters implemented as information bottlenecks, the framework produces representations that limit prompt reconstruction while maintaining downstream inference utility, yielding theoretical bounds on reconstruction error and token-level accuracy along with empirical reductions in attack success.

What carries the argument

Low-dimensional privacy adapters that function as information bottlenecks to minimize mutual information between activations and the input prompt.

Load-bearing premise

Mutual information between activations and prompts can be minimized in practice via low-dimensional privacy adapters without violating computational constraints or substantially degrading downstream task utility, and the derived theoretical guarantees hold under real model architectures.

What would settle it

An experiment in which the privacy adapters produce no reduction in attack success rate relative to heuristic defenses or in which observed prompt reconstruction error exceeds the paper's theoretical bound.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Theoretical guarantees on prompt reconstruction error follow directly from the mutual information minimization.
  • Fundamental privacy-utility tradeoffs are characterized for collaborative inference.
  • Token-level accuracy bounds are established for the downstream task.
  • The approach yields up to 35% reduction in attack success compared with existing defenses.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same mutual-information minimization could be applied to protect against other leakage risks in distributed inference pipelines.
  • The adapter construction might transfer to collaborative settings that use models other than LLMs.
  • Deployment would require checking whether the low-dimensional adapters preserve the stated tradeoffs under real network latency and hardware limits.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 2 minor

Summary. The paper proposes an information-theoretic defense framework against prompt inversion attacks in collaborative edge-cloud LLM inference. It learns privacy-preserving representations by minimizing mutual information between intermediate activations and input prompts via low-dimensional privacy adapters (while preserving task utility), derives theoretical guarantees on prompt reconstruction error and token-level accuracy bounds, characterizes privacy-utility-latency tradeoffs, and reports up to 35% reduction in attack success versus baselines across experiments.

Significance. If the central claims hold, the work supplies a principled alternative to heuristic defenses by linking explicit MI minimization to reconstruction-error bounds and empirical tradeoffs. This would be significant for secure collaborative inference deployments, as it moves beyond empirical tuning toward information-theoretic characterizations. The combination of derived bounds with adapter-based implementation is a potential strength if the approximations are rigorously controlled.

major comments (2)
  1. [§3] §3 (theoretical guarantees): The reconstruction-error bounds and token-level accuracy claims rest on exact minimization of I(activations; prompt). The privacy adapters implement this via a low-dimensional bottleneck, but the derivation provides no error bounds or concentration results on the variational or estimator approximation to the true MI; without this, the stated guarantees do not necessarily transfer to the implemented method.
  2. [§5] §5 (experiments): The reported 35% attack-success reduction and privacy-utility curves are presented as validation of the framework, yet the attack models used for evaluation are not shown to match the threat model assumed in the theoretical bounds (e.g., whether the adversary has access to the same adapter parameters or only to the transmitted activations). This gap makes it impossible to assess whether the empirical gains confirm the derived bounds or merely reflect a different operating regime.
minor comments (2)
  1. Notation: The definition of the privacy adapter objective (likely Eq. (X)) should explicitly state whether the MI term is the true mutual information or a variational lower/upper bound, and how the Lagrange multiplier for the utility constraint is chosen.
  2. Related work: The manuscript should cite recent results on high-dimensional MI estimation error (e.g., variational bounds and their sample complexity) to contextualize the practical achievability of the claimed minimization.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the insightful comments, which highlight important aspects of the connection between our theoretical analysis and practical implementation. We address each major comment below.

read point-by-point responses
  1. Referee: [§3] §3 (theoretical guarantees): The reconstruction-error bounds and token-level accuracy claims rest on exact minimization of I(activations; prompt). The privacy adapters implement this via a low-dimensional bottleneck, but the derivation provides no error bounds or concentration results on the variational or estimator approximation to the true MI; without this, the stated guarantees do not necessarily transfer to the implemented method.

    Authors: We agree that the stated bounds assume exact mutual information minimization. The implemented privacy adapters rely on a variational lower bound and dimensionality reduction, introducing approximation error not quantified in the current derivation. In the revision we will add a dedicated paragraph in §3 that invokes standard concentration inequalities for MI estimators (under Lipschitz and bounded-support assumptions on the activation distributions) and derives an explicit additive error term between the variational estimate and the true MI. This will state the conditions under which the reconstruction-error and token-accuracy bounds continue to hold approximately. revision: yes

  2. Referee: [§5] §5 (experiments): The reported 35% attack-success reduction and privacy-utility curves are presented as validation of the framework, yet the attack models used for evaluation are not shown to match the threat model assumed in the theoretical bounds (e.g., whether the adversary has access to the same adapter parameters or only to the transmitted activations). This gap makes it impossible to assess whether the empirical gains confirm the derived bounds or merely reflect a different operating regime.

    Authors: The theoretical threat model in §3 assumes the adversary receives only the post-adapter activations and has no knowledge of the adapter weights. The experiments in §5 train inversion attacks on exactly those activations, which is consistent with the stated model. We will nevertheless revise the threat-model subsection and the experimental-setup paragraph to make this assumption explicit and to discuss the stronger adversary that also knows the adapter parameters. We will also add a short note on how the reported 35 % figure would be expected to change under that stronger model. revision: partial

Circularity Check

0 steps flagged

No circularity: theoretical claims presented as derived from MI minimization without reduction to fitted quantities or self-citations

full rationale

The provided abstract and description state that the framework minimizes mutual information to learn privacy-preserving representations and derives theoretical guarantees on reconstruction error and token-level bounds. No equations, self-citations, or derivation steps are exhibited that would reduce the guarantees to the training of the adapters by construction, nor is any uniqueness theorem or ansatz imported from prior author work. The experimental results on privacy-utility tradeoffs are presented separately from the theoretical derivation, leaving the claims self-contained against external information-theoretic principles.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only view provides no explicit free parameters, axioms, or invented entities; the low-dimensional bottleneck dimension and any weighting on the mutual information term are likely free parameters but are not quantified here.

pith-pipeline@v0.9.1-grok · 5727 in / 1230 out tokens · 28944 ms · 2026-06-27T09:36:32.255563+00:00 · methodology

0 comments
read the original abstract

Collaborative edge-cloud inference enables resource-constrained devices to leverage large language models (LLMs) by offloading partial computation to cloud servers. However, transmitting intermediate activations exposes sensitive user prompts to prompt inversion attacks, where an adversary reconstructs the original input from shared representations. Existing defenses rely largely on heuristic perturbations or empirical tuning, offering limited theoretical understanding of privacy leakage and its interaction with utility and latency constraints. We propose an information-theoretic defense framework for prompt inversion in collaborative LLM inference. Our approach learns privacy-preserving representations by explicitly minimizing the mutual information between intermediate activations and the input prompt while maintaining task utility under computational constraints. We derive theoretical guarantees on prompt reconstruction error, characterize fundamental privacy-utility tradeoffs, and establish token-level accuracy bounds for downstream inference. We then propose a novel defense based on privacy adapters implemented via low-dimensional information bottlenecks. Extensive experiments across multiple settings demonstrate that our method achieves superior privacy-utility-latency tradeoffs compared to existing defenses (up to 35% reduction in attack success), providing a principled foundation for private and efficient collaborative LLM inference.

Figures

Figures reproduced from arXiv: 2606.11592 by Hossein Khalili, Nader Sehatbakhsh, Sayedeh Leila Noorbakhsh.

Figure 1
Figure 1. Figure 1: Privacy-adapter–based collaborative inference. Lightweight trainable adapters are inserted [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Cross-dataset privacy-utility tradeoff over [PITH_FULL_IMAGE:figures/full_fig_p008_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Skytrax dataset (LLaMA-2-7B, k=4, r=512). The privacy gap widens as λ increases. 0.2 0.4 0.6 0.8 Privacy Weight 0 20 40 60 80 100 Token Accuracy (%) (a) Token Accuracy Overall Acc. Sensitive Acc. Common Acc. Privacy Gap 0.2 0.4 0.6 0.8 Privacy Weight 0.0 0.2 0.4 0.6 0.8 1.0 BLEU Score 0.76 0.71 0.43 0.15 (b) BLEU Score 0.2 0.4 0.6 0.8 Privacy Weight 0 20 40 60 80 100 NERR (%) 53.5% 45.9% 17.6% 1.4% (c) Ent… view at source ↗
Figure 4
Figure 4. Figure 4: Medical dataset (LLaMA-2-7B, k=4, r=512). Sensitive token accuracy drops most aggressively, reflecting the high concentration of domain-specific terminology (medical conditions, drug names). attacker Luo et al. [2025] on LLaMA-2-7B at split k=4. Our privacy adapters at r=256, λ=0.5 achieve the lowest attack accuracy among all defenses with usable perplexity on every dataset [PITH_FULL_IMAGE:figures/full_f… view at source ↗
Figure 5
Figure 5. Figure 5: Legal dataset (LLaMA-2-7B, k=4, r=512). Token accuracy curves converge at intermedi￾ate λ, indicating more uniform entropy across token types in legal text. the additional computation introduced by the adapters is fixed by the bottleneck dimension r rather than by the underlying transformer width [PITH_FULL_IMAGE:figures/full_fig_p030_5.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

173 extracted references · 7 canonical work pages · 6 internal anchors

  1. [3]

    2020 International Conference on Data Mining Workshops (ICDMW) , pages=

    NoPeek: Information leakage reduction to share activations in distributed deep learning , author=. 2020 International Conference on Data Mining Workshops (ICDMW) , pages=. 2020 , organization=

  2. [4]

    ICML , year=

    Bounding training data reconstruction in private (deep) learning , author=. ICML , year=

  3. [5]

    International Conference on Machine Learning (ICML) , pages=

    Wasserstein Generative Adversarial Networks , author=. International Conference on Machine Learning (ICML) , pages=. 2017 , organization=

  4. [6]

    Advances in Neural Information Processing Systems (NeurIPS) , volume=

    Generative Adversarial Nets , author=. Advances in Neural Information Processing Systems (NeurIPS) , volume=

  5. [7]

    33rd USENIX Security Symposium (USENIX Security 24) , pages=

    Inf2Guard: An Information-Theoretic Framework for Learning Privacy-Preserving Representations against Inference Attacks , author=. 33rd USENIX Security Symposium (USENIX Security 24) , pages=. 2024 , organization=

  6. [8]

    International Conference on Machine Learning (ICML) , pages=

    CLUB: A Contrastive Log-ratio Upper Bound of Mutual Information , author=. International Conference on Machine Learning (ICML) , pages=. 2020 , organization=

  7. [9]

    2006 , publisher=

    Elements of Information Theory , author=. 2006 , publisher=

  8. [10]

    Proceedings of the AAAI Conference on Artificial Intelligence , volume=

    Task-Agnostic Privacy-Preserving Representation Learning for Federated Learning Against Attribute Inference Attacks , author=. Proceedings of the AAAI Conference on Artificial Intelligence , volume=

  9. [11]

    , author=

    Lora: Low-rank adaptation of large language models. , author=. ICLR , volume=

  10. [12]

    2025 IEEE Symposium on Security and Privacy (SP) , pages=

    Prompt inversion attack against collaborative inference of large language models , author=. 2025 IEEE Symposium on Security and Privacy (SP) , pages=. 2025 , organization=

  11. [13]

    Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security , pages=

    Deep Learning with Differential Privacy , author=. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security , pages=

  12. [14]

    International Conference on Learning Representations , year=

    Deep Variational Information Bottleneck , author=. International Conference on Learning Representations , year=

  13. [15]

    International Conference on Machine Learning , year=

    CLUB: A Contrastive Log-ratio Upper Bound of Mutual Information , author=. International Conference on Machine Learning , year=

  14. [16]

    John Wiley & Sons , year=

    Information Theory and Statistics , author=. John Wiley & Sons , year=

  15. [17]

    LLaMA: Open and Efficient Foundation Language Models

    LLaMA: Open and Efficient Foundation Language Models , author=. arXiv preprint arXiv:2302.13971 , year=

  16. [18]

    OPT: Open Pre-trained Transformer Language Models

    OPT: Open Pre-trained Transformer Language Models , author=. arXiv preprint arXiv:2205.01068 , year=

  17. [19]

    Split learning for health: Distributed deep learning without sharing raw patient data

    Split Learning for Health: Distributed Deep Learning without Sharing Raw Data , author=. arXiv preprint arXiv:1812.00564 , year=

  18. [20]

    2017 IEEE Symposium on Security and Privacy (SP) , pages=

    Membership Inference Attacks Against Machine Learning Models , author=. 2017 IEEE Symposium on Security and Privacy (SP) , pages=

  19. [21]

    Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security , pages=

    Model Inversion Attacks That Exploit Confidence Information and Basic Countermeasures , author=. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security , pages=

  20. [22]

    International Conference on Machine Learning , pages=

    Flexgen: High-throughput generative inference of large language models with a single gpu , author=. International Conference on Machine Learning , pages=. 2023 , organization=

  21. [23]

    Advances in neural information processing systems , volume=

    Distributed inference and fine-tuning of large language models over the internet , author=. Advances in neural information processing systems , volume=

  22. [24]

    ACM Computing Surveys , volume=

    Towards efficient generative large language model serving: A survey from algorithms to systems , author=. ACM Computing Surveys , volume=. 2025 , publisher=

  23. [25]

    IEEE Communications Surveys & Tutorials , year=

    Mobile edge intelligence for large language models: A contemporary survey , author=. IEEE Communications Surveys & Tutorials , year=

  24. [26]

    Forty-first International Conference on Machine Learning , year=

    Position: Exploring the robustness of pipeline-parallelism-based decentralized training , author=. Forty-first International Conference on Machine Learning , year=

  25. [27]

    Proceedings of the 29th Annual International Conference on Mobile Computing and Networking , pages=

    Enc2: Privacy-preserving inference for tiny IoTs via encoding and encryption , author=. Proceedings of the 29th Annual International Conference on Mobile Computing and Networking , pages=

  26. [28]

    Forty-first International Conference on Machine Learning , year=

    Mobilellm: Optimizing sub-billion parameter language models for on-device use cases , author=. Forty-first International Conference on Machine Learning , year=

  27. [29]

    Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition , pages=

    Cloud-device collaborative learning for multimodal large language models , author=. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition , pages=

  28. [30]

    ACM SIGARCH Computer Architecture News , volume=

    Neurosurgeon: Collaborative intelligence between the cloud and mobile edge , author=. ACM SIGARCH Computer Architecture News , volume=. 2017 , publisher=

  29. [31]

    Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security , pages=

    Prompt inference attack on distributed large language model inference frameworks , author=. Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security , pages=

  30. [32]

    IEEE Internet of Things Journal , year=

    Edgeshard: Efficient llm inference via collaborative edge computing , author=. IEEE Internet of Things Journal , year=

  31. [33]

    34th USENIX Security Symposium (USENIX Security 25) , pages=

    Depth Gives a False Sense of Privacy: \ LLM \ Internal States Inversion , author=. 34th USENIX Security Symposium (USENIX Security 25) , pages=

  32. [35]

    Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security , pages=

    Unveiling the vulnerability of private fine-tuning in split-based frameworks for large language models: A bidirectionally enhanced attack , author=. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security , pages=

  33. [36]

    Proceedings of the AAAI Conference on Artificial Intelligence , volume=

    Invariant representations through adversarial forgetting , author=. Proceedings of the AAAI Conference on Artificial Intelligence , volume=

  34. [37]

    IEEE Internet of Things Journal , volume=

    A hybrid deep learning architecture for privacy-preserving mobile analytics , author=. IEEE Internet of Things Journal , volume=. 2020 , publisher=

  35. [38]

    2019 IEEE symposium on security and privacy (SP) , pages=

    Exploiting unintended feature leakage in collaborative learning , author=. 2019 IEEE symposium on security and privacy (SP) , pages=. 2019 , organization=

  36. [39]

    Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition , pages=

    Disco: Dynamic and invariant sensitive channel obfuscation for deep neural networks , author=. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition , pages=

  37. [40]

    Advances in neural information processing systems , volume=

    GAN you see me? enhanced data reconstruction attacks against split inference , author=. Advances in neural information processing systems , volume=

  38. [41]

    Advances in Neural Information Processing Systems , volume=

    Posthoc privacy guarantees for collaborative inference with modified propose-test-release , author=. Advances in Neural Information Processing Systems , volume=

  39. [42]

    Advances in neural information processing systems , volume=

    Measuring data reconstruction defenses in collaborative inference systems , author=. Advances in neural information processing systems , volume=

  40. [43]

    Advances in Neural Information Processing Systems , volume=

    Trade-offs and guarantees of adversarial representation learning for information obfuscation , author=. Advances in Neural Information Processing Systems , volume=

  41. [44]

    Proceedings of the AAAI Conference on Artificial Intelligence , volume=

    Learning Robust and Privacy-Preserving Representations via Information Theory , author=. Proceedings of the AAAI Conference on Artificial Intelligence , volume=

  42. [45]

    International conference on machine learning , pages=

    Improving adversarial robustness via mutual information estimation , author=. International conference on machine learning , pages=. 2022 , organization=

  43. [46]

    31st USENIX Security Symposium (USENIX Security 22) , pages=

    Cheetah: Lean and fast secure \ Two-Party \ deep neural network inference , author=. 31st USENIX Security Symposium (USENIX Security 22) , pages=

  44. [47]

    2024 IEEE Symposium on Security and Privacy (SP) , pages=

    Bolt: Privacy-preserving, accurate and efficient inference for transformers , author=. 2024 IEEE Symposium on Security and Privacy (SP) , pages=. 2024 , organization=

  45. [48]

    Advances in neural information processing systems , volume=

    Iron: Private inference on transformers , author=. Advances in neural information processing systems , volume=

  46. [49]

    2025 IEEE Symposium on Security and Privacy (SP) , pages=

    Dataseal: Ensuring the verifiability of private computation on encrypted data , author=. 2025 IEEE Symposium on Security and Privacy (SP) , pages=. 2025 , organization=

  47. [50]

    34th USENIX Security Symposium (USENIX Security 25) , pages=

    Breaking the layer barrier: Remodeling private transformer inference with hybrid \ CKKS \ and \ MPC \ , author=. 34th USENIX Security Symposium (USENIX Security 25) , pages=

  48. [51]

    Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security , pages=

    Tensorshield: safeguarding on-device inference by shielding critical dnn tensors with tee , author=. Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security , pages=

  49. [52]

    2024 IEEE Symposium on Security and Privacy (SP) , pages=

    No privacy left outside: On the (in-) security of tee-shielded dnn partition for on-device ml , author=. 2024 IEEE Symposium on Security and Privacy (SP) , pages=. 2024 , organization=

  50. [53]

    Advances in neural information processing systems , volume=

    How transferable are features in deep neural networks? , author=. Advances in neural information processing systems , volume=

  51. [54]

    8th International Conference on Learning Representations, ICLR 2020 , year=

    Overlearning Reveals Sensitive Attributes , author=. 8th International Conference on Learning Representations, ICLR 2020 , year=

  52. [55]

    Advances in Neural Information Processing Systems , volume=

    Partially encrypted deep learning using functional encryption , author=. Advances in Neural Information Processing Systems , volume=

  53. [56]

    MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture , pages=

    DarKnight: An accelerated framework for privacy and integrity preserving deep learning using trusted hardware , author=. MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture , pages=

  54. [57]

    2021 IEEE Symposium on Security and Privacy (SP) , pages=

    CryptGPU: Fast privacy-preserving machine learning on the GPU , author=. 2021 IEEE Symposium on Security and Privacy (SP) , pages=. 2021 , organization=

  55. [58]

    29th USENIX Security Symposium (USENIX Security 20) , pages=

    Delphi: A cryptographic inference service for neural networks , author=. 29th USENIX Security Symposium (USENIX Security 20) , pages=

  56. [59]

    Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services , pages=

    DarkneTZ: towards model privacy at the edge using trusted execution environments , author=. Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services , pages=

  57. [60]

    17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20) , pages=

    Telekine: Secure Computing with Cloud \ GPUs \ , author=. 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20) , pages=

  58. [61]

    2021 IEEE International Symposium on High-Performance Computer Architecture (HPCA) , pages=

    Cheetah: Optimizing and accelerating homomorphic encryption for private inference , author=. 2021 IEEE International Symposium on High-Performance Computer Architecture (HPCA) , pages=. 2021 , organization=

  59. [62]

    30th USENIX Security Symposium (USENIX Security 21) , pages=

    \ GForce \ : \ GPU-Friendly \ Oblivious and Rapid Neural Network Inference , author=. 30th USENIX Security Symposium (USENIX Security 21) , pages=

  60. [64]

    2022 IEEE International Symposium on High-Performance Computer Architecture (HPCA) , pages=

    SecNDP: Secure Near-Data Processing with Untrusted Memory , author=. 2022 IEEE International Symposium on High-Performance Computer Architecture (HPCA) , pages=. 2022 , organization=

  61. [65]

    Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems , pages=

    Client-optimized algorithms and acceleration for encrypted compute offloading , author=. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems , pages=

  62. [66]

    , author=

    CraterLake: a hardware accelerator for efficient unbounded computation on encrypted data. , author=. ISCA , pages=

  63. [67]

    MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture , pages=

    F1: A fast and programmable accelerator for fully homomorphic encryption , author=. MICRO-54: 54th Annual IEEE/ACM International Symposium on Microarchitecture , pages=

  64. [68]

    Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems , pages=

    Shredder: Learning noise distributions to protect inference privacy , author=. Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems , pages=

  65. [69]

    2021 IEEE 14th International Conference on Cloud Computing (CLOUD) , pages=

    Origami inference: Private inference using hardware enclaves , author=. 2021 IEEE 14th International Conference on Cloud Computing (CLOUD) , pages=. 2021 , organization=

  66. [70]

    2021 IEEE/ACM 21st International Symposium on Cluster, Cloud and Internet Computing (CCGrid) , pages=

    Pripro: towards effective privacy protection on edge-cloud system running dnn inference , author=. 2021 IEEE/ACM 21st International Symposium on Cluster, Cloud and Internet Computing (CCGrid) , pages=. 2021 , organization=

  67. [71]

    International Conference on Machine Learning , pages=

    Low latency privacy preserving inference , author=. International Conference on Machine Learning , pages=. 2019 , organization=

  68. [72]

    2020 IEEE Symposium on Security and Privacy (SP) , pages=

    Cryptflow: Secure tensorflow inference , author=. 2020 IEEE Symposium on Security and Privacy (SP) , pages=. 2020 , organization=

  69. [73]

    Advances in Neural Information Processing Systems , volume=

    Glyph: Fast and accurately training deep neural networks on encrypted data , author=. Advances in Neural Information Processing Systems , volume=

  70. [74]

    Advances in Neural Information Processing Systems , volume=

    She: A fast and accurate deep neural network for encrypted data , author=. Advances in Neural Information Processing Systems , volume=

  71. [75]

    Advances in Neural Information Processing Systems , volume=

    FALCON: fast spectral inference on encrypted data , author=. Advances in Neural Information Processing Systems , volume=

  72. [76]

    Proceedings of the 19th Annual International Conference on Mobile Systems, Applications, and Services , pages=

    PPFL: privacy-preserving federated learning with trusted execution environments , author=. Proceedings of the 19th Annual International Conference on Mobile Systems, Applications, and Services , pages=

  73. [77]

    Proceedings of the Web Conference 2021 , pages=

    Not all features are equal: Discovering essential features for preserving prediction privacy , author=. Proceedings of the Web Conference 2021 , pages=

  74. [78]

    Proceedings of the International Conference on Internet-of-Things Design and Implementation , pages=

    SecDeep: Secure and Performant On-device Deep Learning Inference Framework for Mobile and IoT Devices , author=. Proceedings of the International Conference on Internet-of-Things Design and Implementation , pages=

  75. [79]

    Proceedings of the International Conference on Internet-of-Things Design and Implementation , pages=

    DeepObfuscator: Obfuscating intermediate representations with privacy-preserving adversarial learning on smartphones , author=. Proceedings of the International Conference on Internet-of-Things Design and Implementation , pages=

  76. [80]

    2021 16th IEEE International Conference on Automatic Face and Gesture Recognition (FG 2021) , pages=

    Adversarial Mask Generation for Preserving Visual Privacy , author=. 2021 16th IEEE International Conference on Automatic Face and Gesture Recognition (FG 2021) , pages=. 2021 , organization=

  77. [81]

    2020 IEEE Security and Privacy Workshops (SPW) , pages=

    Sentinet: Detecting localized universal attacks against deep learning systems , author=. 2020 IEEE Security and Privacy Workshops (SPW) , pages=. 2020 , organization=

  78. [82]

    Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition , pages=

    DISCO: Dynamic and Invariant Sensitive Channel Obfuscation for deep neural networks , author=. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition , pages=

  79. [83]

    Proceedings of the AAAI Conference on Artificial Intelligence , volume=

    Controllable guarantees for fair outcomes via contrastive information estimation , author=. Proceedings of the AAAI Conference on Artificial Intelligence , volume=

  80. [84]

    Proceedings of the AAAI Conference on Artificial Intelligence , volume=

    Fair representations by compression , author=. Proceedings of the AAAI Conference on Artificial Intelligence , volume=

Showing first 80 references.