Silent Guardians: Independent and Secure Decision Tree Evaluation Without Chatter

JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 1 Silent Guardians: Independent and Secure Decision T ree Ev aluation W ithout Chatter Jinyuan Li and Liang Feng Zhang Abstract —As machine learning as a service (MLaaS) gains in- creasing popularity , it raises two critical challenges: privacy and veriﬁability . For privacy , clients are reluctant to disclose sensitive private inf ormation to access MLaaS, while model pr oviders must safeguard their proprietary models. For veriﬁability , clients lack reliable mechanisms to ensure that cloud servers execute model inference correctly . Decision trees are widely adopted in MLaaS due to their popularity , interpretability , and broad applicability in domains like medicine and ﬁnance. In this context, outsourcing decision tree evaluation (ODTE) enables both clients and model pro viders to ofﬂoad their sensitive data and decision tree models to the cloud securely . However , existing ODTE schemes often fail to address both privacy and veriﬁability simultaneously . T o bridge this gap, we propose PV ODTE , a nov el two-server private and veriﬁable ODTE protocol that lev erages homomorphic secret sharing and a MA C-based veriﬁcation mechanism. PV ODTE eliminates the need for server -to-server communication, enabling independent computation by each cloud server . This “non- interactive” setting addresses the latency and synchronization bottlenecks of prior arts, making it uniquely suitable f or wide- area network (W AN) deployments. T o our knowledge, PV ODTE is the ﬁrst two-server ODTE protocol that eliminates serv er-to- server communication. Furthermore, PVODTE achieves security against malicious servers, where servers cannot learn anything about the client’ s input or the pro viders’ decision tree models, and servers cannot alter the infer ence result without being detected. Index T erms —Cloud security , Decision tree, Cloud computing I . I N T R O D U C T I O N M A CHINE Learning as a Service (MLaaS) enables ac- cess to adv anced machine learning models without requiring extensi ve in-house resources or expertise. Dri ven by cloud computing, MLaaS has ev olved into a paradigm [1] where a model provider (e.g., a hospital) deploys a pre-trained model (e.g., a diagnostic decision tree) to the cloud, offering inference services to clients (e.g., patients) who submit sen- sitiv e input data (e.g., health records). Outsourcing MLaaS to the cloud deli vers well-documented beneﬁts for both parties: high scalability , ubiquitous access, and low economical cost. Howe ver , this paradigm raises two fundamental security challenges [2]: (i) Priv acy: Model providers (e.g., hospitals) hesitate to outsource proprietary diagnostic models to cloud service providers due to risks of intellectual property exposure; clients (e.g., patients) fear pri vac y violations when transmitting plaintext sensitive data (e.g., health records). (ii) V eriﬁability: Untrusted cloud servers may return incorrect inference results Jinyuan Li and Liang Feng Zhang are with the School of Information Science and T echnology , ShanghaiT ech Uni versity , Shanghai 201210, China. E-mail: lijy6, zhanglf@shanghaitech.edu.cn. (e.g., manipulated medical diagnoses), but clients lack mech- anisms to verify result correctness. T o address both priv acy and veriﬁability in MLaaS, priv acy- preserving and veriﬁable model inference (PVMI) has emerged as a key research direction. PVMI protocols guarantee two core properties: (i) cloud servers cannot access the provider’ s proprietary model or client’ s sensitive input in plaintext; (ii) malicious server behavior (e.g., result manipulation) is detectable. PVMI solutions are broadly categorized into single- server and multi-server paradigms based on the number of cloud servers in v olved. In the single-server setting, the provider’ s encrypted model and client’ s encrypted input are sent to one cloud server , which performs encrypted inference and returns an encrypted result. Prior works [2]–[5] use additiv ely homomorphic encryption (AHE) [6] or fully homomorphic encryption (FHE) [7] to outsource models like neural networks and decision trees. For veriﬁability , some works [2], [3] integrate zero-knowledge proofs (ZKPs) [8], while others [4], [5] lack such mechanisms, leaving clients unable to verify the correctness of inference results. Ho wever , single-server designs suf fer from pr ohibitive computational overhead due to AHE/FHE, limiting their real- world practicality [9]. T o mitigate these computational bottlenecks, multi-server architectures use secret sharing (SS) [10]–[12], where the model and input are split into shares, and then distributed across two or more non-colluding servers [1], [13]–[20]. SS- based protocols replace expensiv e homomorphic operations with lightweight arithmetic, improving efﬁcienc y . Howe ver , they introduce ne w challenges: high network latenc y and excessi ve bandwidth consumption due to frequent server -to- server (S2S) communication (e.g., data exchange between servers) during inference, especially in wide-area networks (W ANs). Moreover , existing SS-based PVMI protocols [1], [13]–[20] only satisfy pri v acy but lack veriﬁability , clients can- not detect malicious serv er beha vior like result manipulation. In this work, we focus on a speciﬁc type of machine learn- ing model: decision trees, which are popular, interpretable, and widely used in applications like medical diagnosis [21], [22], ﬁnancial distress prediction [23], and more [24], [25]. Speciﬁcally , we target the outsourced decision tr ee evaluation (ODTE) problem: securely outsourcing a decision tree model and the client input to the cloud, with inference performed on encrypted or secret-shared data such that the model and input remain priv ate, and the result is veriﬁable. Prior work on ODTE prioritizes privac y (i.e., hiding the model and the client input from servers). According to the number of required servers, existing ODTE protocols can JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 2 T ABLE I C O MPA R IS O N O F OD T E P RO TO C O LS . Protocol #Servers Malicious security #S2S Rounds T echniques [4] 1 ◦ 0 FHE [5] 1 ◦ 0 FHE [15] 3 ◦ 25 RSS [16] 3 ◦ 5 FSS, RSS [17] 3 ◦ 4 FSS [18] 2 ◦ h + 3 SS, HE [19] 2 ◦ 2 h SS, OT [26] 2 ◦ 2( h + 1) FHE [1] 2 ◦ 2( λ − 1) SS [20] 2 ◦ log( λ ) + 5 SS, OT Ours 2 • 0 HSS Remark: A protocol that possesses a particular property in a given column is marked with a • ; otherwise, it is marked with a ◦ . #Servers denotes the number of required servers. #S2S Rounds denotes the rounds of S2S communication. h denotes the height of the decision tree, λ denotes the security parameter . be classiﬁed into three categories: (i) single-server proto- cols [4], [5] that minimize server requirements but suffer from prohibitive computational overhead due to the reliance on FHE; (ii) two-server protocols [1], [18]–[20] that retain a relativ ely simple setup but require O ( h ) , O ( λ ) or O (log( λ )) S2S rounds, where h is the height of the decision tree and λ is the security parameter, leading to high network latency; (iii) thr ee-server protocols [15]–[17] that reduce S2S rounds to constant but increase deployment complexity (three cloud servers). Unfortunately , all existing ODTE protocols suffer from two critical limitations: (i) P erformance bottlenecks : They suffer from either signiﬁcant computational overhead (single-server designs) or high network latency (multi-server designs); (ii) W eak security guarantees : No protocol provides security against malicious servers. Malicious serv ers may compromise the priv acy of clients and model providers, or manipulate inference results. These gaps moti vate our core research question: Can we design an ODTE pr otocol that simultaneously achieves thr ee goals: (i) maintaining a practical two-server setup to avoid FHE; (ii) eliminating S2S rounds to minimize network latency; and (iii) achieving security against malicious servers to ensure privacy and veriﬁability? A. Our Contrib utions In this paper , we propose PVODTE . T o our knowledge, this is the ﬁrst two-server ODTE protocol that eliminates S2S r ounds while simultaneously achieving security against malicious servers. A detailed comparison with existing ODTE protocols is provided in T ABLE I. Furthermore, we demon- strate the practical applicability of PV ODTE on gradient boosted decision trees and features with categorical values. Our key tool to obtain PV ODTE is a new secure integer comparison algorithm designed for two non-communicating servers. This algorithm enables efﬁcient integer comparison without any S2S rounds, while guaranteeing that neither server learns the plaintexts of the inputs or the comparison result. T o T ABLE II C O MPA R IS O N O F T W O - SE RV ER S EC U R E I N T EG E R C O MPA R IS O N A L G OR I T H MS . Algorithms #S2S Rounds #Mult. #Comm. [1] 2 t − 2 3 t − 5 12 t 2 − 10 t [20] log t + 1 3 t − 5 12 t 2 − 10 t [27] 44 205 t + 188 log t 410 t 2 + 376 t 2 log t [28] 15 279 t + 5 558 t 2 + 10 t [29] 8 27 t + 36 t + 5 54 t 2 + 72 t log t + 10 t [30] 23 10 84 t Ours 0 4 t − 2 0 Remark: t denotes the number of bits of an integer compared. #S2S Rounds denotes the number of rounds of S2S communication. #Mult. denotes the number of multiplication gates. #Comm. denotes the number of bits of communication. our knowledge, this is the ﬁrst such algorithm tailored for two non-communicating servers. Compared with existing secure integer comparison algorithms, our algorithm retains the O ( t ) multiplication gate complexity (where t is the bit length of the inputs) while eliminating the need for S2S rounds. Detailed performance comparisons are provided in T ABLE II. W e further extend this algorithm to support secure ﬂoating-point number comparison. Notably , the secure integer comparison algorithm is not only critical for decision tree ev aluation but also useful in other applications [31], [32]. W e implement a proof-of-concept system for PVODTE to validate its practicality and efﬁciency . W e conduct empirical ev aluations using decision trees of practical sizes (consistent with real-world deployments) to benchmark our protocol’ s performance. Experimental results sho w that our protocol achiev es a 20 × improvement in total communication efﬁ- ciency over the state-of-the-art ODTE protocol [20]. Addition- ally , our protocol’ s overall computation speed is 2 . 7 × faster than that in [20]. The detailed comparison results are presented in T ABLE VI and T ABLE VIII. The source code is publicly av ailable at https://github .com/neuroney/PODT. PV ODTE targets priv acy-preserving MLaaS where model owners and clients are of ﬂine. The two non-colluding servers can be instantiated as organizationally independent cloud providers (e.g., A WS and Azure), making collusion unlikely in practice. By eliminating online S2S rounds, PV ODTE excels in high-throughput W AN environments with a large number of queries, effecti vely amortizing the O ( mn ) one-time download cost ( m non-leaf nodes; n features), though is less ef ﬁcient for sporadic queries or LAN settings. For deployments where the one-time do wnloading is unacceptable such as stateless clients, an alternativ e instantiation over RL WE-based HSS [33] can eliminate it entirely , at the cost of increased server -side com- putation; we discuss this variant in detail in the supplementary material. B. Our Designs Our PV ODTE relies on two core building blocks: homo- morphic secret sharing (HSS) [33]–[36] and message authen- tication codes (MA Cs). HSS is selected for enabling non- interactiv e priv ate decision tree ev aluation across two non- communicating servers, while MACs are adopted for generat- ing veriﬁable e valuation results. JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 3 Follo wing [37], the procedure for decision tree ev aluation in ODTE consists of three main algorithms: secure feature selection ( SFS ), secure integer comparison ( SIC ), and secure result generation ( SRG ). In PV ODTE , we use HSS to in- stantiate these three algorithms, enabling a non-interactiv e priv acy-preserving ev aluation process. T o achie ve veriﬁability , we augment the SRG algorithm with MA Cs, yielding the fourth algorithm: veriﬁable result generation ( VRG ). Secure feature selection. The goal of secure feature selection is to obliviously select, for each of the m decision nodes, a corresponding feature from the client’ s n -dimensional feature vector x . This selection follows the decision tree’ s feature map δ : [ m ] → [ n ] , where δ ( j ) index es the feature for the j -th decision node. T o represent δ in a form amenable to HSS ev aluation, the model provider encodes δ as a binary matrix M ∈ { 0 , 1 } m × n , where each row M j contains exactly one non-zero entry at column δ ( j ) , so that x δ ( j ) = M j · x . The model provider encrypts M under HSS to obtain C M , which is published as a public parameter accessible to all clients. Each client downloads C M once as a one-time setup cost; for deployments where this cost is unacceptable, we describe an alternativ e instantiation that eliminates the download entirely in the supplementary material. Gi ven a feature vector x , the client runs the SFS algorithm to locally compute an m × t matrix C M x , where each entry C ( M x ) j,i is an HSS ciphertext encrypting the i -th bit of x δ ( j ) . This bit-decomposed representation directly serves as input to the subsequent SIC step. The client then sends C M x to the two cloud servers. The semantic security of HSS guarantees that the client learns nothing about the feature map δ from C M , while the serv ers obtain no information about the feature indices or values from C M x . Secure integer comparison. The secure integer comparison step compares the selected feature value x δ ( j ) against the threshold y j (for the j -th decision node). T o enable non- interactiv e secure comparison, we adopt an iterative approach to construct the comparison result. Speciﬁcally , let α = P t i =1 2 i − 1 · α i and β = P t i =1 2 i − 1 · β i be two t -bit integers, where α i , β i ∈ { 0 , 1 } represent their i -th binary bits (with α 1 and β 1 be the least signiﬁcant bits). The SIC algorithm iterativ ely constructs the comparison result by ev aluating the difference of substrings. Deﬁne c 0 = 0 , and let c i , 1 ≤ i ≤ t represent the result of comparing the i -bit substrings α i . . . α 1 and β i . . . β 1 (i.e., whether α i . . . α 1 > β i . . . β 1 ). The v alue of c i +1 is recursively deﬁned as: c i +1 := ( α i +1 > β i +1 ) ∨ [( α i +1 = β i +1 ) ∧ c i ] , 0 ≤ i < t, (1) where c t yields the ﬁnal comparison result ( α > β ) . In SIC algorithm, we transform Eq. (1) into a restricted multiplication straight-line (RMS) program [38], which can be efﬁciently ev aluated by HSS. SIC ensures that neither server learns any information about the compared integers ( α, β ) or the result. Thus, the priv acy of x δ ( j ) , y j , and their comparison result is guaranteed against the cloud servers. Secure Result Generation. After obtaining the compared result at each decision node, the inference result is generated using the “path costs” methodology from [39]. Brieﬂy speak- ing, each leaf node L j of the decision tree is assigned a path cost pc j , which is determined by the comparison results of the decision nodes along the path to L j . The correct inference result T ( x ) (where T denotes the decision tree model) is the classiﬁcation label v j of leaf node L j if and only if pc j = 0 . Since the path cost calculation contains only linear operations, we design a SRG algorithm to compute path costs via HSS. W e further employ a random masking technique [45] to hide classiﬁcation labels, ensuring the client only learns the correct inference result T ( x ) = v j (corresponding to pc j = 0 ) without gaining any information about other labels. V eriﬁable Result Generation. T o enable the client to verify the correctness of the inference result T ( x ) , we design a MA C-based veriﬁcation mechanism and extend the SRG algo- rithm to a VRG algorithm. The mechanism consists of three key steps: (i) MA C Ke y Distribution: The client generates a MA C key A , encrypts A using HSS to produce ciphertext C A , and distributes C A to the two servers. The security of HSS ensures that the servers cannot extract A from C A , keeping A secret to the client. (ii) Proof Generation: During server -side computation, we extend SRG with a veriﬁable label generation step. For each leaf node L j , the servers compute a proof w j such that w j = A · v j (where v j is L j ’ s classiﬁcation label) via HSS, using the encrypted MA C key C A and encrypted label C v j . (iii) Result V eriﬁcation: Upon receiving proofs from the servers, the client veriﬁes the correctness of T ( x ) = v j by checking if A · v j = w j . Such MA C-based veriﬁcation mechanism is secure against a single malicious server , and is widely used to construct maliciously secure MPC protocols [40]. For collusion-resistant security , combining HSS with ZKPs is a promising direction [41], and left for future work. I I . R E L AT E D W O R K Existing ODTE protocols primarily rely on FHE [4], [5], [26] and SS [1], [15]–[20]. The optimal choice depends on the network en vironments, as these primiti ves often hav e a trade- off reg arding the number of required cloud servers, security guarantees, computation cost and communication cost. Our focus is to construct a two-serv er ODTE protocol that is free of S2S rounds, and achie ves security against malicious serv ers, which is suitable in W AN settings. Sev eral studies [4], [5] ha ve sought to construct single- server ODTE protocols, where both the encrypted decision tree model and the encrypted client’ s input data are sent to a single server . While these protocols eliminate the need for S2S rounds by requiring only a single cloud server , they require the full power of FHE, which incurs signiﬁcant computa- tional overhead. Additionally , these protocols fail to protect the client’ s feature indices from the cloud servers, thereby allowing the server to identify the type of data ev aluated at each decision tree node. Such exposure enables the cloud servers to infer more about the decision tree model [37], compromising the intellectual property of the model provider . As opposed to the single-server approach, another line of research has proposed two-server ODTE p r otocols to reduce the computation ov erhead by distributing the computations among two servers [1], [18]–[20], [26]. Howe ver , these proto- cols typically require O ( h ) , O ( λ ) or O (log( λ )) S2S rounds, JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 4 where h is the height of the decision tree and λ is the security parameter . Liu et al. [18] leveraged secret sharing and additively homomorphic encryption to construct an ODTE protocol with h + 3 communication rounds by using Beaver’ s triplets for multiplication. Ma et al. [19] constructed an ODTE protocol by combining heavy techniques lik e key management, conditional Oblivious T ransfer (OT) and garbled circuits, which necessitates 2 h S2S rounds. Xu et al. [26] distributed single-server protocol [5] to two unbalanced serv ers by using multi-key FHE schemes. In their protocol, one of the serv ers holds the decryption k ey which can learn the comparison result at each lev el of the decision tree, resulting in 2( h + 1) S2S rounds but more information leakage compared with others. Zheng et al. [1] achiev ed more lightweight computation by replacing the additiv ely homomorphic encryption approach of T ai et al. [39] with additive-sharing counterparts (and Beaver’ s triplets) using kno wn secure computation tricks [42] in ideal network settings. Howe ver , they require 2( λ − 1) S2S rounds. After the optimizations in [20], they still require log( λ ) + 5 S2S rounds. Recently , several three-server ODTE protocols hav e been proposed to achie ve constant S2S rounds using replicated secret sharing (RSS) schemes [15], [16] and function secret sharing (FSS) schemes [17]. Tsuchida et al. [15] introduced the ﬁrst constant-round ODTE protocol, requiring 25 commu- nication rounds. Cheng et al. [16] reduced this to 5 rounds, and Ji et al. [17] further optimized it to 4 rounds. Howe ver , Cheng et al. [16] claimed that protocol [17] achie ves a weaker functionality than [15], [16]. Speciﬁcally , [17] only supports interval checks rather than general less-than comparisons and equality checks. While these multi-server ODTE protocols aim to reduce S2S rounds, they still require multiple S2S rounds and assume that servers are semi-honest . Moreover , the protocol of [18] does not protect the feature indices from servers, and the protocol of [26] does not protect the comparison results from one of the servers. T ABLE I summarizes these ODTE protocols. In contrast, the two-server ODTE protocol in this paper protects both the feature indices and the comparison results from all servers. Furthermore, our protocol eliminates the need for S2S rounds and achiev es security against malicious servers. T o achiev e security against malicious servers, a common approach is to le verage general-purpose maliciously secure multi-party computation (MPC) protocols [40] in place of the semi-honest SS schemes used in [1], [18]–[20], [26]. Howe ver , such generic transformations are not straightforward; they typically necessitate extensi ve additional rounds of S2S com- munication and incur heavy computational ov erhead, which is often unsuitable for latenc y-sensitiv e W AN settings. In the context of non-outsourced priv ate decision tree ev alu- ation (PDTE), several studies hav e explored malicious security with different cryptographic techniques. For instance, T ai et al. [39] and W u et al. [45] le verage conditional Oblivious T ransfer (O T) and Proofs of Kno wledge (PoK) to ensure the integrity of the ev aluation process. More recently , Bai et al. [44] achiev ed malicious security by utilizing Consistent RSS, which detects inconsistencies among serv ers. Despite these advances, many PDTE protocols [43], [46]–[49], remain focused on the semi-honest model to maintain efﬁcienc y . Note that, these protocols require both the client and the provider to hav e sufﬁcient computational resource and stay online during the ev aluation process. I I I . P R E L I M I N A R I E S For any integer n > 0 , we denote [ n ] = { 1 , . . . , n } . W e denote by Z the set of all integers and by N the set of all non-negati ve integers. Let λ ∈ N be a security parameter . W e say that a function ϵ ( λ ) is negligible in λ and denote ϵ = negl ( λ ) if ϵ ( λ ) = o ( λ − c ) for any constant c > 0 . For any ﬁnite set S , we denote by “ s ← S ” the process of choosing an element s uniformly from S . For any algorithm A , we denote by “ y ← A ( x ) ” the process of running A on an input x and assigning the output to y . W e denote that ( ⟨ x ⟩ 0 , ⟨ x ⟩ 1 ) ∈ N 2 is a subtractive sharing of x if ⟨ x ⟩ 1 − ⟨ x ⟩ 0 = x . For a relation R , ( R ) denotes 1 if R is true and 0 otherwise. For example, ( α > β ) denotes 1 if a > b and 0 otherwise. A. Homomorphic Secr et Sharing Homomorphic secret sharing (HSS) [34] allows two servers (denoted by S 0 , S 1 ) to non-interactiv ely ev aluate functions on secret-shared data obtaining secret-shared results. The set of supported functions is usually restricted to a class P . T o some extent, HSS can be vie wed as a distributed variant of homomorphic encryption but is roughly one order of magnitude faster . Follo wing [34], an HSS scheme HSS = ( Setup , Input , Eval ) for a class P of programs that have an input space I and output space R consists of three PPT algorithms with the follo wing syntax: • ( pk , ( ek 0 , ek 1 )) ← Setup (1 λ ) : Gi ven a security parameter λ , this algorithm generates a public ke y pk , which will be used by a client to encrypt its input, and a pair ( ek 0 , ek 1 ) of private evaluation keys , which will be giv en to the servers to perform local computations. • C x ← Input ( pk , x ) : Giv en pk and a priv ate input x ∈ I , this algorithm outputs a ciphertext C x . • ⟨ y ⟩ σ ← Eval ( b, ek σ , ( C x 1 , . . . , C x ρ ) , P ) : Giv en a pro- gram P ∈ P and ρ ciphertexts ( C x 1 , . . . , C x ρ ) , the σ th server ( σ ∈ { 0 , 1 } ) will use its e valuation ke y ek σ to compute a share ⟨ y ⟩ σ ∈ R of the program’ s output y = P ( x 1 , . . . , x ρ ) ∈ R such that ⟨ y ⟩ 1 − ⟨ y ⟩ 0 = y . An HSS scheme for a class P of programs should satisfy the properties of correctness and security . The property of corr ectness requires that if all algorithms of HSS are correctly ex ecuted, then ⟨ y ⟩ 1 − ⟨ y ⟩ 0 = y with probability 1 − negl ( λ ) . The property of security requires that any PPT adversary that controls a server (say the b th server S b ) cannot learn any information about an input x from C x . B. RMS Pr ogr ams Many existing HSS schemes [33]–[36] support the homo- morphic ev aluation of restricted multiplications straight-line (RMS) programs [38]. RMS programs can represent arithmetic circuits with a speciﬁc constraint: multiplication gates must operate on an input value and a memory value . Within the JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 5 Fig. 1. A decision tree of height 2 ( m = 3 , k = 4 ) HSS frame work, for a plaintext x , an input value of x refers to the HSS ciphertext C x , while a memory value of x refers to the intermediate value M x,σ , σ ∈ { 0 , 1 } . The HSS frame work encompasses ﬁ ve fundamental instructions for RMS program ev aluation, which are described as follows: • ConvertInput ( ek σ , C x ) : Given an e v aluation ke y ek σ , con vert any ciphertext C x into a memory v alue M x,σ . • Add ( M x,σ , M y ,σ ) : Giv en two memory values M x,σ and M y ,σ , output a memory value M z ,σ for z = x + y . • Add ( C x , C y ) : Giv en two ciphertexts C x and C y , output a ciphertext C z for z = x + y . • Mul ( C x , M y ,σ ) : Gi ven a ciphertext C x and a memory value M y ,σ , output a memory value M z ,σ for z = x · y . • Output ( M x,σ , n out ) : Gi ven a memory v alue M x,σ and an output modulus n out , output ⟨ x ⟩ σ mo d n out . Giv en that RMS inherently supports addition operations be- tween two memory values, we extend this instruction set with two additional instructions: subtraction ( HSS . Sub ) between two memory values and constant multiplication ( HSS . cMul ), which can be described as follo ws: • Sub ( M x,σ , M y ,σ ) : Giv en two memory values M x,σ and M y ,σ , output a memory value M z ,σ for z = x − y . • cMul ( c, M y ,σ ) : Gi ven an integer c and a memory value M y ,σ , output a memory value M z ,σ for z = c · y . These supplementary instructions play a crucial role in our ODTE protocol. I V . P RO B L E M S TA T E M E N T In this section, we provide the background on decision tree ev aluation and then describe the system framework, and the threat model for our ODTE protocol. A. Backgr ound on Decision T r ee Evaluation A decision tree (see Fig. 1 for an example) is a binary tree together with two vectors: a vector y = ( y 1 , . . . , y m ) ∈ Z m of thr eshold values and a vector v = ( v 1 , . . . , v k ) ∈ Z k of classiﬁcation labels . Each non-leaf node D j (1 ≤ j ≤ m ) of the tree is called a decision node and associated with a threshold v alue y j ; each leaf node L j (1 ≤ j ≤ k ) of the tree is associated with a classiﬁcation label v j . A decision tree takes a feature vector x = ( x 1 , . . . , x n ) ∈ Z n as input and outputs a classiﬁcation label. Giv en a feature vector x and a Fig. 2. Our ODTE System Framework mapping δ : [ m ] → [ n ] as input, the ev aluation of a decision tree is done by traversing a path from the tree’ s root to a leaf as follows: P erforming feature selection by assigning a feature x δ ( j ) to each decision node D j for all j ∈ [ m ] . T o evaluate the tr ee, starting fr om the r oot D 1 of the tr ee, evaluate the boolean testing function f ( x δ ( j ) , y j ) = ( x δ ( j ) > y j ) at every decision node D j to get a bit b j ∈ { 0 , 1 } ; traverse the left branc h if b j = 1 and traverse the right branch if b j = 0 , until a leaf node is r eached. B. System F ramework Our system framework for the ODTE protocol (see Fig. 2 ) consists of three types of entity: a model pro vider , a client , and two cloud servers . Model pro vider . In our system, the model provider owns a proprietary decision tree T (including the vector y of threshold values, the vector v of classiﬁcation labels and the mapping δ ) that can make classiﬁcation on a feature v ector x . The model provider aims to offer classiﬁcation services to clients by deploying the decision tree model on cloud servers, which provides beneﬁts such as faster response times and ease of management. In our framew ork, the model provider encrypts the threshold values y and classiﬁcation labels v before sending them to each cloud server . The encrypted feature mapping δ is made publicly a vailable, after which the model provider can go ofﬂine. Client. The client possesses a feature vector x , which contains priv ate and sensiti ve information. The client seeks to leverage the computational powers of the cloud servers to obtain the classiﬁcation result T ( x ) . Initially , the client downloads the encrypted mapping δ , a one-time cost since δ remains un- changed across multiple inferences. During the online phase, the client encodes the feature vector x and sends it to both cloud servers. In response, the client recei ves a single r esponse message from each cloud server . Using these two responses, the client efﬁciently extracts the classiﬁcation result T ( x ) . Cloud servers. In our system, the two cloud servers S 0 and S 1 are hosted by two independent cloud service providers. Upon recei ving the client’ s request, each server performs the required computations locally and generates a single r esponse message to the client. Notably , we require the cloud servers never communicate with each other . This key distinction from existing two-server models for ODTE [1], [18]–[20], [26] JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 6 signiﬁcantly reduces the risk of collusion between servers and eliminates the high latenc y associated with S2S rounds. C. Threat Model As in prior ODTE protocols, we ﬁrst consider semi-honest adversaries. These adversaries are assumed to follow protocol speciﬁcations but may attempt to extract additional informa- tion through local computations. W e assume a static corruption strategy , where the adversary corrupts one party (client or server) before protocol execution and gains access to its input. In addition, our ODTE protocol is designed to be secure against malicious servers. A corrupted server may attempt to access the proprietary decision tree T or the client’ s feature vector x and may tamper with the classiﬁcation result T ( x ) to mislead the client. Our system ensures the following security guarantees: (i) A single cloud serv er cannot infer information about either x or T ; (ii) the client can verify the integrity of the classiﬁcation result T ( x ) . Remark. T o hide the structure of the tree T , sev eral existing works [1], [18]–[20], [26], [39], [45] hav e suggested the non- complete decision trees should be made complete by adding dummy decision nodes. W ithout loss of generality , we will focus on complete binary decision tr ees in our protocol. D. Non-colluding Assumption T o achiev e priv acy in multi-serv er protocols, secret sharing serves as a foundational technique: a user splits its priv ate data x into n shares { x 1 , x 2 , ..., x n } and distributes them to n servers. An n -server secret-sharing based protocol typically guarantees t -priv acy (where t < n ): meaning that any subset of t servers cannot reconstruct x from their shares, while t + 1 servers can. For two-serv er protocols ( n = 2 ), the t -priv acy reduces to the non-colluding assumption ( t = 1 ): A single server cannot reconstruct x from its share, but two servers can. Therefore, the non-colluding assumption is inherent to preserving priv acy in two-server ODTE protocols. T o our knowledge, all existing two-server ODTE protocols [1], [15]– [20], [26] rely on the non-colluding assumption. T o ensure veriﬁability against colluding servers, a common approach requires all servers to jointly participate in a zero- knowledge proof system [8]. This ensures that even if all servers collude, they cannot manipulate the output without being detected. W e defer exploring this promising direction to future work. While the non-colluding assumption is inherent, sev eral practical measures can signiﬁcantly reduce the risk of col- lusion. First, our non-interactiv e protocol design relaxes the practical strictness of this assumption. Speciﬁcally , a model provider can deploy their models on two distinct cloud plat- forms (e.g., A WS and Azure), with no requirement for either cloud to be aware of the other’ s in volv ement [50]. Second, game-theoretic mechanisms can be employed to actively deter and detect collusion between servers. Gong et al. [51] pro- posed a game-theoretic frame work that incentivizes rational servers to beha ve honestly by making collusion economically irrational, providing an additional layer of practical assurance beyond infrastructure-lev el separation. V . S E C U R E I N T E G E R C O M P A R I S O N As described in Section IV -A, the e valuation of a decision tree hinges on a sequence of conditional checks at each internal node: for a given feature value x δ ( j ) (selected via the model’ s feature mapping δ ) and threshold y j , determine if x δ ( j ) > y j . This comparison operation is the core of decision tree inference—yet it is also the most pri vac y-sensitive step. A naiv e implementation would leak not only the feature v alue and threshold but also the structure of the decision tree (e.g., which paths are taken). For ODTE, ensuring the pri vac y of this comparison while av oiding S2S rounds is a critical challenge. Existing secure integer comparison solutions for multi- server settings [1], [20], [27]–[30] rely on interactiv e protocols (e.g., rounds of message exchange between servers) to achie ve priv acy . Howe ver , these protocols are ill-suited for our non- interactiv e ODTE framework: frequent S2S communication introduces heavy communication ov erhead and high network latency (especially in W ANs). A summary of the S2S rounds, communication cost in bits, and the number of multiplication gates required by these solutions is provided in T ABLE II. T o address this gap, we design the ﬁrst non-interacti ve se- cure inte ger comparison ( SIC ) algorithm for two serv ers, which enables priv acy-preserving comparison of integers encrypted by HSS without any S2S rounds. Our algorithm lev erages HSS to support distributed, local computation, and outputs an expressi ve result (a secret share of the comparison bit) that can be directly used in subsequent decision tree tra versal steps. A. Comparison of T wo Inte gers within HSS Giv en two integers α and β in the clear , computing ( α > β ) can be achiev ed through several established methods [52]– [54]. The con ventional approach in volv es calculating their difference α − β and determining its sign bit. Howe ver , this approach is insuf ﬁcient in our non-interactiv e setting, where each server only holds shares of α − β , making it impossible to directly compute the sign bit without S2S rounds. T o address this limitation, we adopt an arithmetic circuit- based formulation. Let: α = P t i =1 2 i − 1 · α i , β = P t i =1 2 i − 1 · β i , where α i , β i ∈ { 0 , 1 } . This representation enables bit-level comparison operations through tw o main approaches: the Most Signiﬁcant Bit (MSB) method and the Least Signiﬁcant Bit (LSB) method. The MSB approach identiﬁes the ﬁrst differing bit by examining bits from position i = t to i = 1 , while the LSB method b uilds the comparison result progressi vely from i = 1 to i = t . Each method offers distinct adv antages in terms of circuit depth and implementation efﬁciency within v arious secure computation framew orks. In the circuit-based approach, basic boolean operations and comparisons can be expressed as arithmetic equations. Specif- ically , for any two bits α i , β i ∈ { 0 , 1 } , the boolean operations ( ∧ , ∨ ) and comparison relations ( >, = ) are expressed in terms of arithmetic operations o ver integers Z as follo ws: ( α i ∧ β i ) := α i · β i , ( α i ∨ β i ) := α i + β i − α i · β i , ( α i > β i ) := α i · (1 − β i ) , ( α i = β i ) := 1 − α i − β i + 2 · α i · β i . (2) JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 7 Algorithm 1 M c t ,σ ← SIC ( σ, ek σ , { C α i } t i =1 , { C β i } t i =1 ) Input . (1) σ ∈ { 0 , 1 } : the index of a server S σ ; (2) ek σ : the priv ate ev aluation key of HSS; (3) C α i (resp. C β i ): a ciphertext of the bit α i (resp. β i ) under HSS , where 1 ≤ i ≤ t . Output . M c t ,σ : a memory v alue of the bit c t . Step 1 . S σ generates a trivial memory value M 1 ,σ ; Step 2 . M α 1 ,σ ← HSS . ConvertInput ( ek σ , C α 1 ) ; Step 3 . M c 1 ,σ ← HSS . Mul ( C β 1 , M α 1 ,σ ) ; Step 4 . M c 1 ,σ ← HSS . Sub ( M α 1 ,σ , M c 1 ,σ ) ; Step 5 . f or i ∈ { 1 , . . . , t − 1 } do M α i +1 ,σ ← HSS . ConvertInput ( ek σ , C α i +1 ) ; C temp ← HSS . Add ( C α i +1 , C β i +1 ) ; M c i +1 ,σ ← HSS . Mul ( C temp , M c i ,σ ) ; M c i +1 ,σ ← HSS . Sub ( M c i ,σ , M c i +1 ,σ ) ; M 2 c i ,σ ← HSS . Add ( M c i ,σ , M c i ,σ ) ; M 2 c i − 1 ,σ ← HSS . Sub ( M 2 c i ,σ , M 1 ,σ ) ; M temp,σ ← HSS . Mul ( C α i +1 , M 2 c i − 1 ,σ ) ; M temp,σ ← HSS . Mul ( C β i +1 , M temp,σ ) ; M c i +1 ,σ ← HSS . Add ( M c i +1 ,σ , M temp,σ ) ; M c i +1 ,σ ← HSS . Add ( M c i +1 ,σ , M α i +1 ,σ ) ; Step 6 . Output M c t ,σ . MSB approach . The MSB approach relies on identifying the leftmost differing bit position. Howe ver , this approach is incompatible with non-interactive settings where servers only hold shares of the bits. Instead, the comparison can be rephrased as identifying the existence of a bit position i where α i > β i while all more signiﬁcant bits remain equal. This can be expressed as: ( α > β ) := W t i =1 [( α i > β i ) V t j = i +1 ( α i = β i )] . Using the arithmetic expressions in Eq. (2), the MSB approach can also be formulated as: ( α > β ) := t X i =1 [ α i (1 − β i ) t Y j = i +1 (1 − α i − β i + 2 α i β i )] . This yields a 2 t -variate polynomial P ( α>β ) of degree 2 t , demanding t ( t + 1) / 2 homomorphic multiplications [55]. Each server S σ can ev aluate P ( α>β ) locally by ex ecuting HSS . Eval ( σ, ek σ , ( { C α i } t i =1 , { C β i } t i =1 ) , P ( α>β ) ) . LSB approach . The LSB approach iterativ ely b uilds the comparison result for two integers. Let c 0 = 0 , and for 1 ≤ i ≤ t , let c i denote the comparison result for the i -bit substring ( α i . . . α 1 > β i . . . β 1 ) . The value of c i +1 can be recursiv ely deﬁned as: c i +1 := ( α i +1 > β i +1 ) ∨ [( α i +1 = β i +1 ) ∧ c i ] , 0 ≤ i < t, (3) where c t indicates the ﬁnal comparison result ( α > β ) for α, β being t -bit integers. Using the arithmetic expressions deﬁned in Eq. (2), we can transform Eq. (3) into: c i +1 := α i +1 (1 − β i +1 )+ c i (1 − α i +1 − β i +1 + 2 α i +1 β i +1 ) , 0 ≤ i < t, (4) In this formulation, ( α > β ) := c t . This sequential formula- tion requires only 5 t − 4 multiplication gates. T o implement this LSB method in a non-interactiv e setting, Eq. (4) must be compatible with the ev aluation under HSS. Indeed, the multiplication operations in Eq. (4) naturally align with the RMS program requirements: c i serves as an inter- mediate v alue (a memory value), while α i , β i are provided as HSS ciphertexts (input values). The product α i β i is computed by con verting α i to memory v alues using HSS . ConvertInput . This HSS-based implementation requires a total of 6 t − 4 multiplication gates during ev aluation, accounting for the ad- ditional HSS . mul gate per iteration during HSS . ConvertInput (See Section III-B). T o further optimize the LSB method, we can minimize the number of multiplication gates by transforming Eq. (4) into a more efﬁcient form. Through ingenious algebraic manipu- lation, we reconﬁgure and rewrite Eq. (4), con verting some complex multiplication and addition gates into simpler ones: c i +1 := c i − c i ( α i +1 + β i +1 )+ (2 c i − 1) α i +1 β i +1 + α i +1 , 0 ≤ i < t. (5) The adv antage of this optimization (Eq. (5)) lies in the sub- stantial reduction of computational complexity . Speciﬁcally , the number of multiplication gates is decreased to 4 t − 2 . W ith these optimizations implemented, we proceed to present our complete SIC algorithm ( Algorithm 1 ). In Algorithm 1 , server S σ ﬁrst initializes the constant unit share M 1 ,σ in Step 1. and immediately computes the base term M c 1 ,σ by effecti vely ev aluating α 1 (1 − β 1 ) on memory values in Step 2-4. T ypically following the recursion in Eq. (5), S σ iterativ ely updates its state to obtain ﬁnal memory value M c t ,σ in Step 5. It should be noted that each server S σ can further extract a linear share of c t through the in- vocation of the algorithm ⟨ c t ⟩ σ ← HSS . Output ( M c t ,σ , n out ) , where n out denotes the output modulus, satisfying the relation c t = ( ⟨ c t ⟩ 1 − ⟨ c t ⟩ 0 ) . The security of our SIC algorithm originates from the underlying HSS scheme: each server S σ has access only to the encrypted bits of α and β , and obtains exclusi vely the shares of the comparison result c t . Due to the security properties of HSS, these encrypted bits and shares re veal no information re garding the actual values under comparison. Consequently , our SIC algorithm successfully implements secure inte ger comparison while maintaining priv acy of both the input values α, β and the comparison result ( α > β ) against each serv er S σ . B. Dealing with Floating P oint Numbers While the SIC algorithm is designed for integer arithmetic, decision tree models usually require ﬂoating point number comparisons [43]. Thus, we must adapt our algorithm. Since SIC operates at the bit level, ﬂoating-point compar- isons transform ef fortlessly into integer operations via constant scaling. By multiplying α and β by K (e.g., K = 2 52 for IEEE 754 doubles), the inequality α > β maps to an integer comparison of α ′ = K · α vs. β ′ = K · β . This strategy preserves ev aluation accuracy under the algorithm’ s integer arithmetic. The precision requirements for such comparisons are well- supported by the underlying HSS scheme, which is typi- cally implemented in cryptographic frame works such as RSA groups [35], [36] (e.g., P aillier). These HSS schemes provide JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 8 Algorithm 2 C M x ← SFS ( C M , x ) Input . (1) C M : an m × n matrix, C M j,s is the ciphertext of M j,s under HSS ; (2) x : the client’ s feature vector of length n , each feature is t -bit long. Output . C M x : an m × t matrix, C ( M x ) j,i is the ciphertext of the i th bit of feature x δ ( j ) under HSS . Step 1 . Represent the feature vector x in binary format, where x s = P t i =1 2 i − 1 x s,i . Step 2 . f or j ∈ { 1 , . . . , m } do for i ∈ { 1 , . . . , t } do C ( M x ) j,i ← P n s =1 C M j,s · x s,i ▷ C M j,s · x s,i := C M j,s if x s,i = 1 else C M j,s · x s,i := C 0 ; Step 3 . Output C M x . an exponentially large plaintext space of approximately 2 1024 , allowing for the use of a sufﬁciently large K without sacri- ﬁcing numerical precision. Consequently , our SIC algorithm ( Algorithm 1 ) securely extends to ﬂoating-point comparisons. V I . O U R S E M I - H O N E S T O D T E P R OT O C O L In this section, we ﬁrst propose a new semi-honest ODTE protocol based on the HSS scheme HSS in Section III-A. The maliciously secure ODTE protocol is presented in Section VII. A. Pr otocol Overview At a high level, our protocol consists of four phases: setup , input prepar ation , server-side computation , and r esult r econstruction. W e introduce each phase as follows. (i) Setup phase. This phase initializes the protocol with HSS key pairs and a random permutation. (ii) Input preparation phase. This phase allows the provider to encrypt the decision tree, and the client to encrypt the feature vector . (iii) Server - side computation phase. In this phase, each cloud server locally ev aluates the encrypted decision tree on the encrypted feature vector to generate a partial classiﬁcation result for the client. (i v) Result reconstruction phase. This phase enables the client to recov er the classiﬁcation result corresponding to her feature vector . W e giv e the details of each phase in the subsequent sections. B. Setup Phase Our ODTE protocol begins with a trusted party ex ecuting the algorithm HSS . Setup ( 1 λ ) (Section III-A), which generates a public key pk , and two pri vate ev aluation keys ek 0 , ek 1 , as discussed in Section III-A. The public key pk is av ailable to all parties, including the client, the model provider and the two servers. Each pri vate ev aluation key ek σ ( σ = 0 , 1) is only av ailable to the server S σ respectiv ely . Additionally , the trusted party selects a pseudo-random permutation (PRP) π : [ k ] → [ k ] and distributes π to both servers. Importantly , the requirement for a trusted setup can be eliminated by con- structing the HSS scheme from Paillier-ElGamal encryption [35] and generating PRP by established PRP generators [56]. C. Input Pr eparation Phase In this phase, the model provider and the client prepare their respectiv e inputs, T and x , for the cloud servers. Model provider . The model provider ﬁrst encrypts the thresh- old v alue y j at each decision node of the decision tree T and the classiﬁcation label v i at each leaf node of T : • For j ∈ [ m ] , encrypt the threshold v alue y j = P t i =1 2 i − 1 · y j,i at each decision node D j by bit using HSS : C y j,i ← HSS . Input ( pk , y j,i ) . (6) • For i ∈ [ k ] , encrypt the classiﬁcation label v i at each leaf node L i by bit using HSS : C v i ← HSS . Input ( pk , v i ) . (7) In Eq. (6), we encrypt the threshold values by bit because our SIC algorithm ( Algorithm 1 ) takes the HSS ciphertexts of bits as input. Besides to the encryption of these data values, the provider must also appropriately encrypt the mapping δ : [ m ] → [ n ] for use in feature selection while maintaining priv acy . T o solve this problem, our main idea is to ﬁnd an appropriate representation for σ , and we resort to representing σ as an m × n matrix M where each row M j is a binary vector with n elements and the only nonzero element of M j is located at the position δ ( j ) . Under such a representation, it is easy to see that x δ ( j ) = M j x . The model provider may encrypt the matrix M as C M via HSS . Input : C M j,s ← HSS . Input ( pk , M j,s ) , j ∈ [ m ] , s ∈ [ n ] , (8) thus ensuring the mapping’ s priv acy through the security of HSS . Client. A straightforward way for the client to prepare her encrypted feature vector is to encrypt it bit-by-bit, similar to the model provider’ s approach. Howe ver , this approach may be impractical due to the limitations of most HSS, which only supports ev aluations on RMS programs. For instance, consider a client encrypting a feature vector x bit by bit into HSS ciphertexts { C x s,i } , where s ∈ [ n ] , i ∈ [ t ] , and sending these ciphertexts to the two servers. Upon receiving the ciphertexts, server S σ would need to compute x δ ( j ) = M j x via the product C M j,s · C x s,i . Howe ver , the group- based HSS schemes [34]–[36] does not support ciphertext- ciphertext multiplication, as its underlying encryption scheme is only linearly homomorphic over a group (e.g., Paillier). Consequently , ev aluating M j,s · x s,i requires one operand to remain in plaintext. Therefore, we propose a client-side secur e featur e selection ( SFS ) algorithm that encrypts the feature vector and performs feature selection simultaneously . This algorithm le verages the additive homomorphism inherent in the HSS scheme, ensuring compatibility with subsequent computations while maintaining the efﬁcienc y and security of the protocol. In our algorithm, the encrypted mapping matrix C M is made publicly av ailable by the model provider . Since C M remains constant for a giv en decision tree, the client can download it once and reuse it for multiple inferences. The algorithm SFS takes two inputs: the encrypted mapping matrix C M of dimen- sion m × n , and the client’ s feature vector x = ( x 1 , . . . , x n ) . JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 9 The feature vector is represented as an n × t matrix through bit decomposition of each feature. The algorithm outputs an m × t matrix C M x , where each entry C ( M x ) j,i is an HSS ciphertext of the i th bit of x δ ( j ) = M j x . This approach ensures that the client’ s feature vector is both feature-selected and encrypted bit by bit, satisfying the requirements for subsequent secure computation. The SFS algorithm le verages the additiv e homomorphism of HSS ciphertexts, utilizing the C x + y ← Add ( C x , C y ) in- struction (described in Section III-B). Observing that: M j x = ( n X s =1 M j,s · x s, 1 , . . . , n X s =1 M j,s · x s,t ) , (9) where x s,i , i ∈ [ t ] is the i th bit of the feature x s , it follows that: M j,s · x s,i == M j,s if x s,i = 1 and 0 otherwise. W ith M j,s encrypted as C M j,s , Eq. (9) can be e xpressed as: C M j x = ( n X s =1 C M j,s · x s, 1 , . . . , n X s =1 C M j,s · x s,t ) . (10) Here, C M j,s · x s,i equals C M j,s if x s,i = 1 and C 0 (the HSS ciphertext of integer 0 ) otherwise. The summation P n k =1 represents the aggregation of n HSS ciphertexts. In practice, C 0 need not be explicitly computed, as it can be omitted from addition operations. The complete implementation of the SFS algorithm is detailed in Algorithm 2 . A quantitati ve analysis of the computational and communication costs of the SFS algorithm is provided in Section IX-E. Although downloading C M may initially appear burden- some for the client, it is a one-time cost, as the matrix can be reused for all subsequent inferences with the same decision tree. A detailed quantitativ e analysis of the one-time ofﬂine costs is provided in Section IX-E. For deployments where ev en this one-time cost is unacceptable, the supplementary material discusses an alternativ e instantiation based on RL WE- based HSS , which eliminates the ofﬂine download entirely by delegating the computation of C M x to the servers, at the expense of increased server-side computational overhead. D. Server-side Computation Phase In this phase, each server S σ ( σ = 0 , 1) locally ev aluates the encrypted decision tree ( C y , C v ) on the encrypted selected feature vector C M x to generate a partial classiﬁcation result output σ for the client. In particular , each server’ s computation requires two algorithms: Secur e inte ger comparison ( SIC ); and Secur e r esult generation ( SRG ). At each decision node D j , j ∈ [ m ] , each server takes both an encrypted threshold value { C y j,i } , i ∈ [ t ] and an encrypted feature value { C ( M x ) j,i } , i ∈ [ t ] as input, in vokes the algorithm SIC to compute a memory value of the Boolean value b j = ( x δ ( j ) > y j ) . Once all decision nodes are ev aluated, the server in vok es the algorithm SRG . At each decision node D j , SRG assigns a function of D j ’ s share to e very outgoing edge of D j . Finally , with the values on all edges, SRG computes a share for each leaf node. The shares generated by the two servers, one from each server for e very leaf node, collectively determine a value that indicates whether the corresponding leaf node contains the classiﬁcation result T ( x ) . Algorithm 3 ( {⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ } k i =1 ) ← SRG ( σ, ek σ , π , { M b j ,σ } m j =1 , { C v i } k i =1 ) Input . (1) σ ∈ { 0 , 1 } : the index of a server S σ ; (2) ek σ : the priv ate ev aluation key of HSS, which includes the secret key k prf for the PRF; (3) π : a random permutation of the integers 1 , . . . , k ; (4) { M b j ,σ ⟩} m j =1 : the memory value of the m comparison results at m decision nodes; (5) { C v i ⟩} k i =1 : the ciphertexts of the k classiﬁcation labels at k leaf nodes. Output . (1) {⟨ pc ∗ π ( i ) ⟩ σ } k i =1 : the subtractiv e shares of k randomized path costs; (2) {⟨ v ∗ π ( i ) ⟩ σ } k i =1 : the subtractiv e shares of k randomized classiﬁcation labels. Step 1 . S σ generates a trivial memory value M 1 ,σ ; Step 2 . For each decision node D j , j ∈ [ m ] , assign the memory value of ec j, 0 and ec j, 1 respectiv ely to the outgoing edges E j, 0 and E j, 1 : M ec j, 0 ,σ ← HSS . Sub ( M 1 ,σ , M b j ,σ ) , M ec j, 1 ,σ ← M b j ,σ . Step 3 . For each leaf node L i , i ∈ [ k ] , set the path cost M pc i ,σ = P E j,ℓ ∈ P i M ec j,ℓ ,σ . Step 4 . For each leaf node L i , i ∈ [ k ] , con vert the HSS ciphertexts of classiﬁcation labels into memory v alues: M v i ,σ ← HSS . ConvertInput ( ek σ , C v i ) . Step 5 . For e very i ∈ [ k ] , generate two random integers r i, 0 = F k prf ( i ∥ 0) and r i, 1 = F k prf ( i ∥ 1) using the PRF F . Compute the randomized path cost and the randomized classiﬁcation label as M pc ∗ i ,σ ← HSS . cMul ( r i, 0 , M pc i ,σ ) , M v ∗ i ,σ ← HSS . Add ( M v i ,σ , HSS . cMul ( r i, 1 , M pc i ,σ )) . Step 6 . Conv ert the memory values in Step 5 into linear shares: ⟨ pc ∗ i ⟩ σ ← HSS . Output ( M pc ∗ i ,σ , n out ) , ⟨ v ∗ i ⟩ σ ← HSS . Output ( M v ∗ i ,σ , n out ) . Step 7 . Apply the permutation π to the values in Step 6 : {⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ } k i =1 . Output  {⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ } k i =1  . (11) Secure integer comparison. After the input preparation phase, each server S σ holds the HSS ciphertexts of the bits of the threshold values ( { C y j,i } j ∈ [ m ] i ∈ [ t ] ) and the HSS ciphertexts of the bits of the feature-selected features ( { C ( M x ) j,i } j ∈ [ m ] i ∈ [ t ] ). The memory v alue M b j ,σ of the comparison result at the j th decision node is computed using the SIC algorithm as follows: M b j ,σ ← SIC ( σ, ek σ , { C ( M x ) j,i } t i =1 } , { C y j,i } t i =1 } ) . Secure result generation. Giv en the memory values { M b j ,σ } m j =1 at decision nodes { D j } m j =1 and the HSS cipher- texts { C v i } k i =1 at leaf nodes { L j } k i =1 , we design an SRG algorithm that allows the servers to securely determine the ﬁnal classiﬁcation result T ( x ) . T o this end, we adopt the path cost methodology from [39], as also used in the secret-sharing based ODTE protocol [1], and tailor it for our HSS-based ODTE protocol. JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 10 The main idea of the path cost methodology is to assign an edge cost to ev ery outgoing edge of ev ery decision node, compute the total edge cost (i.e., path cost) of a path for each leaf node, and use the path cost to assess the likelihood of ev ery leaf node containing T ( x ) . In particular , we assign the edge cost ec j, 0 = 1 − b j for edge E j, 0 , ec j, 1 = b j for edge E j, 1 at each decision node D j , where j ∈ [ m ] . Here, E j, 0 and E j, 1 are the left and right outgoing edge of the decision node D j , respectiv ely . For e very leaf node L i , i ∈ [ k ] , the path cost pc i = P E j,ℓ ∈ P i ec j,ℓ is deﬁned as the sum of the costs of all edges on P i , the path from the root of T to the leaf L i . The edge costs are chosen such that a leaf node L i contains the classiﬁcation result T ( x ) if and only if pc i = 0 . Algorithm 3 giv es the details of our proposed SRG algorithm. Similar to Algorithm 1 , Algorithm 3 starts its computation by generating a trivial memory value representing constant 1 . The subsequent operations are distributed between two non-communicating servers S σ , σ ∈ { 0 , 1 } , which compute both edge costs and path costs. Lev eraging the additiv e homomorphism of HSS, each server computes: M ec j, 0 ,σ ← HSS . Sub ( M 1 ,σ , M b j ,σ ) , and M ec j, 1 ,σ ← M b j ,σ . This com- putation is valid since: ec j, 0 = 1 − b j = 1 − ( ⟨ b j ⟩ 1 − ⟨ b j ⟩ 0 ) = (1 − ⟨ b j ⟩ 1 ) − (0 − ⟨ b j ⟩ 0 ) . The servers then conv ert the HSS ciphertexts C v i of each classiﬁcation label v i into corresponding memory values M v i ,σ . Note that direct return of path costs and classiﬁcation labels is prohibited, as this would enable the client to recover all path costs pc 1 , . . . , pc k , not only identifying the inde x i ∈ [ k ] where pc i = 0 to determine T ( x ) , but also gaining additional information such as the nonzero path costs and the position i of the leaf node that contains T ( x ) . T o hide the nonzero path costs, Step 5 of Algorithm 3 chooses two random v alues r i, 0 and r i, 1 for e very leaf node L i , and masks the path cost shares and the leaf label shares, such that ev ery non-zero path cost pc i ′ ( i ′  = i ) becomes a random value pc ∗ i ′ (after reconstruction) and pc i becomes pc ∗ i = 0 . T o conceal the position of the i with pc i = 0 , Step 7 of Algorithm 3 requires each server to generated permuted values {⟨ pc ∗ π ( i ) ⟩ σ } k i =1 and {⟨ v ∗ π ( i ) ⟩ σ } k i =1 to hide the indices of the path costs. E. Result Reconstruction Phase Upon receiving the subtractiv e shares of randomized path costs and classiﬁcation labels {{⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ } k i =1 } 1 σ =0 from S 0 and S 1 , the client ﬁnds a π ( i ) ∈ [ k ] such that ⟨ pc ∗ π ( i ) ⟩ 1 − ⟨ pc ∗ π ( i ) ⟩ 0 = 0 and then obtains the classiﬁcation result as T ( x ) = ⟨ v ∗ π ( i ) ⟩ 1 − ⟨ v ∗ π ( i ) ⟩ 0 . Note that for any i ′  = i , we have ⟨ pc ∗ π ( i ′ ) ⟩ 1 − ⟨ pc ∗ π ( i ′ ) ⟩ 0  = 0 , and in this case, both ⟨ pc ∗ π ( i ′ ) ⟩ 1 − ⟨ pc ∗ π ( i ′ ) ⟩ 0 and ⟨ v ∗ π ( i ′ ) ⟩ 1 − ⟨ v ∗ π ( i ′ ) ⟩ 0 are random values due to the techniques of using random masks and random permutations in Algorithm 3 . F . Security Analysis W e treat the proposed protocol as an MPC protocol among the client, the model provider and two servers, and follow the ideal/r eal world paradigm of [1], [20] to prove its security against a semi-honest client and semi-honest servers. W e begin with the following notations: Ideal Functionality . Let f ODTE be a PPT functionality deﬁned in the ideal world that captures the desired security properties of our ODTE protocol. The functionality f ODTE takes as input a decision tree T from the model provider and a feature vector x from the client. It outputs the classiﬁcation result T ( x ) to the client. Real W orld Protocol. Let Π ODTE denote our proposed protocol that realizes the functionality f ODTE in the real world . During an execution of protocol Π ODTE , the out- put of serv er S σ (where σ ∈ { 0 , 1 } ) consists of ad- ditiv e shares as speciﬁed in Eq. (11): output Π ODTE σ = ( {⟨ pc ∗ π ( i ) ⟩ σ } k i =1 , {⟨ v ∗ π ( i ) ⟩ σ } k i =1 ) . The output of the client is the classiﬁcation result T ( x ) . The vie w of the client U during an execution of protocol Π ODTE is deﬁned as: View Π ODTE U = ( pk , x , C M , output Π ODTE 0 , output Π ODTE 1 ) , where pk is the public key of HSS , x represents the client’ s feature vector and C M denotes the encrypted attribute mapping matrix received from the model provider . The view of server S σ during an ex ecution of protocol Π ODTE comprises: View Π ODTE S σ = ( pk , ek σ , { C y j,i } j ∈ [ m ] i ∈ [ t ] ∪ { C v i } k i =1 ∪ { C M x j,i } j ∈ [ n ] i ∈ [ t ] ) , where pk is the public key of HSS , ek σ is the σ th evaluation key of HSS , C y j,i denotes the ciphertext of the i -th bit of the j -th element in vector y , C v i represents the ciphertext of the i -th element in vector v , C M x j,i corresponds to the ciphertext of the ( j, i ) -th element in matrix M x . Deﬁnition 1 (Semi-Honest Security) . The pr otocol Π ODTE secur ely realizes the ideal functionality f ODTE in the pr es- ence of semi-honest adversaries if there e xist PPT sim- ulators Sim U , Sim S 0 , Sim S 1 , such that View Π ODTE U ≈ c Sim U ( x , T ( x )) , and View Π ODTE S σ ≈ c Sim S σ , σ ∈ { 0 , 1 } . Theorem 1. Our pr otocol secur ely computes the ideal func- tionality f ODTE in the pr esence of semi-honest adversaries. Pr oof. According to our security deﬁnition, we need to con- struct the simulators Sim U , Sim S 0 and Sim S 1 . Simulator f or the client - Sim U . Given the feature vector x ∈ Z n and the classiﬁcation result T ( x ) , Sim U ﬁrstly generates HSS ke ys: ( pk , ek 0 , ek 1 ) ← HSS . Gen (1 λ ) . The distribution of C M can be simulated by simply choosing an m × n binary matrix M ′ , and encrypt each entry M ′ j,i using HSS . Input ( pk , M ′ j,i ) to obtain C M ′ . It is clearly that C M ′ is computationally indistinguishable with C M . Note that the messages output Π ODTE 0 and output Π ODTE 1 receiv ed by the client includes the secret shares of the permuted and randomized path costs and classiﬁcation v alues. The simulator can simulate these distributions as follows. • Choose an index η ← [ k ] uniformly at random and set pc η = 0 . Choose pc i ← Z ∗ N uniformly at random for all i ∈ [ k ] \ { η } . • Set v η = T ( x ) . Choose v i ← Z ∗ N uniformly at random for all i ∈ [ k ] \ { η } . • For ev ery i ∈ [ k ] , choose the subtractiv e shares ⟨ pc i ⟩ ′ 0 ← Z N , ⟨ v i ⟩ ′ 0 ← Z N uniformly at random. Set ⟨ pc i ⟩ ′ 1 = ⟨ pc i ⟩ ′ 0 + pc i (mo d N ) , ⟨ v i ⟩ ′ 1 = ⟨ v i ⟩ ′ 0 + v i (mo d N ) . • Set output ′ Π ODTE σ = ( {⟨ pc i ⟩ ′ σ } k i =1 , {⟨ v i ⟩ ′ σ } k i =1 ) . Due to the se curity of the HSS during computation and our randomization technique applied over the path costs and classi- JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 11 ﬁcation values respectiv ely in our real protocol, the position of the zero path cost and classiﬁcation result is uniformly random in { 1 , . . . , k } , and other non-zero path costs and corresponding classiﬁcation labels are just random values. So, output Π ODTE σ is computationally indistinguishable with output ′ Π ODTE σ . As such, View Π ODTE U ≈ c Sim U ( x , T ( x )) . Simulator f or a ser ver - Sim S σ . Sim S σ ﬁrstly generates HSS keys: ( pk , ek 0 , ek 1 ) ← HSS . Gen (1 λ ) , and then encrypt mt + k + nt dummy values to simulate { C y j,i } j ∈ [ m ] i ∈ [ t ] ∪ { C v i } k i =1 ∪ { C M x j,i } j ∈ [ n ] i ∈ [ t ] ) . Due to the security of HSS, View Π ODTE S σ ≈ c Sim S σ . V I I . O U R M A L I C I O U S LY S E C U R E O D T E P R OT O C O L As discussed in Section IV -C, the objectiv e of ensuring security against malicious adversaries is to prev ent two types of adversaries: 1) A malicious server (priv acy attack) who attempts to deduce information about both the proprietary decision tree T and the sensitiv e feature vector x ; and 2) A malicious server (veriﬁability attack) who attempts to manipulate the classiﬁcation result T ( x ) and deceive the client. T o our knowledge, current two-server ODTE protocols [1], [18]–[20], [26], do not ensure security against two malicious adversaries. Only the PDTE protocol of [19], which does not support outsourcability achieves security against malicious adversaries by replacing the underlying garbled circuit method with its maliciously secure version. The challenge in designing a maliciously secure ODTE protocol lies in the necessity for multiple rounds of S2S communication. During the process of interactions, controlling malicious behaviors becomes extremely complex. Fortunately , the servers in our ODTE protocol do not need to communicate with each other , thereby limiting malicious activities to local computations. A. Maliciously Secur e HSS A straightforward solution to achiev e malicious security in our ODTE protocol is to replace the underlying HSS scheme with its maliciously secure version [36]. The core idea is to in- corporate veriﬁable information within the memory values in a semi-honest HSS scheme. At the be ginning of the protocol, the trusted party generates a Message Authentication Code (MA C) key A , and sends it to the client while distributing its linear share of ⟨ A ⟩ 0 , ⟨ A ⟩ 1 to the servers, where ⟨ A ⟩ 1 −⟨ A ⟩ 0 = A . F or any plaintext x , the corresponding memory value M x,σ now comprises not only a linear share of x b ut also a linear share of A · x . And the algorithm HSS . Output ( M x ,σ ) is modiﬁed to yield ⟨ x ⟩ σ along with ⟨ A · x ⟩ σ . Upon receiving these linear shares ⟨ x ⟩ 0 , ⟨ x ⟩ 1 , ⟨ A · x ⟩ 0 , ⟨ A · x ⟩ 1 , the client can verify the correctness of the linear shares ⟨ x ⟩ 0 , ⟨ x ⟩ 1 , by checking the equation: ⟨ A · x ⟩ 1 − ⟨ A · x ⟩ 0 = A · x . Howe ver , this approach has its drawbacks. First, for the veriﬁcation process to be effecti ve, the client must know the MA C key A . If the system serves multiple clients, the MA C key A must be held among all participants, posing a Algorithm 4 ( {⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ , ⟨ w ∗ π ( i ) ⟩ σ } k i =1 ) ← VRG ( σ , ek σ , π , { M b j ,σ } m j =1 , { C v i } k i =1 , C A ) Remark. W e use “ . . . ” to omit the unchanged inputs, outputs and computation steps in Algorithm 3 . Input . (1) . . . ; (6) C A : the HSS ciphertexts of the MA C key A . Output . (1) . . . ; (3) {⟨ w ∗ π ( i ) ⟩ σ } k i =1 : the subtractiv e shares of k proofs of randomized classiﬁcation labels. Step 1-5 . . . . Step 6 . Compute the proofs of the randomized classiﬁcation label as: M w ∗ i ,σ ← HSS . Mul ( C A , M v ∗ i ,σ ) . Step 7 . Con vert the memory v alues in Step 5 and Step 6 into linear shares: ⟨ pc ∗ i ⟩ σ ← HSS . Output ( M pc ∗ i ,σ , n out ) , ⟨ v ∗ i ⟩ σ ← HSS . Output ( M v ∗ i ,σ , n out ) , ⟨ w ∗ i ⟩ σ ← HSS . Output ( M w ∗ i ,σ , n out ) . Step 8 . Apply the permutation π to the v alues in Step 7 , output  {⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ , ⟨ w ∗ π ( i ) ⟩ σ } k i =1  . (12) risk to its conﬁdentiality . There is no security if the server learns A . Second, the computational overhead associated with a maliciously secure HSS is signiﬁcantly higher . The memory value in a maliciously secure HSS is typically twice as extensi ve as that in a semi-honest HSS, at least doubling the computational complexity for each instruction in HSS. B. Our Maliciously Secure Method T o address these issues, we propose a similar yet ef fectiv e method to achiev e malicious security in our ODTE protocol. MA C key preparation. Instead of having a MA C ke y A generated by a trusted party , we ask the client to generate a MAC key A and encrypt it using HSS . Input to obtain C A in the input prepar ation phase . C A is then distrib uted to two servers. As A is only known to the client, and it is a one time key , the security of the MAC key is guaranteed. V eriﬁable result generation. In the sever -side computation phase , we extend the SRG algorithm to VRG algorithm in Algorithm 4 . Instead of doubling the length of the memory values, we perform a multiplication between the MA C key A and the memory values of the classiﬁcation labels to generate the veriﬁable classiﬁcation labels in Step 6 in VRG algorithm. Note that there is no need to perform multiplication between the MAC ke y A and the memory values of the path costs as the server does not know which path cost is zero. The probability of a malicious server manipulating the path costs is negligible. Finally , the linear shares in Step 7 satisfy the equation: A · ( ⟨ v ∗ i ⟩ 1 − ⟨ v ∗ i ⟩ 0 ) = ⟨ w ∗ i ⟩ 1 − ⟨ w ∗ i ⟩ 0 . Similar to the SRG algorithm, in Step 8, we perform a permutation π on the linear shares. V eriﬁable r esult reconstruction. Upon receiving the sub- tractiv e shares of randomized path costs, classiﬁcation labels and proofs: {{⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ , ⟨ w ∗ π ( i ) ⟩ σ } k i =1 } 1 σ =0 from S 0 JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 12 and S 1 , the client ﬁnds a π ( i ) ∈ [ k ] such that ⟨ pc ∗ π ( i ) ⟩ 1 − ⟨ pc ∗ π ( i ) ⟩ 0 = 0 and then obtains the classiﬁcation result as T ( x ) = ⟨ v ∗ π ( i ) ⟩ 1 − ⟨ v ∗ π ( i ) ⟩ 0 . T o verify its correctness, the client can check the equation: A · T ( x ) = ⟨ w ∗ π ( i ) ⟩ 1 − ⟨ w ∗ π ( i ) ⟩ 0 . C. Security Analysis W e follo w the standard ideal/real world paradigm to prov e the security of our protocol against malicious servers. As dis- cussed in Section IV -C, we assume the servers may arbitrarily deviate from the protocol speciﬁcation (e.g., by modifying the ﬁnal shares), while the model provider and the client remain semi-honest (though the client veriﬁes the result). W e deﬁne an ideal functionality that captures the property of veriﬁability . Ideal Functionality . Let f PV ODTE be the functionality in the ideal world secure against malicious servers. f PV ODTE receiv es input T from the model provider and x from the client. It computes the result y = T ( x ) . Before deliv ering y to the client, f PV ODTE allows the adversary (controlling the servers) to send a command. If the adversary sends ab o rt , f PV ODTE sends ⊥ to the client. Otherwise, it sends y to the client. Crucially , f PV ODTE does not allow the adversary to modify y into a valid y ′  = y . The views in protocol Π PV ODTE extend those in protocol Π ODTE with MA C-related messages: The view of the client U during an execution of protocol Π PV ODTE is deﬁned as: View Π PVODTE U = ( A, pk , x , C M , output Π PVODTE 0 , output Π PVODTE 1 ) , where A is the secret MA C key generated by the client, and output Π PVODTE σ = ( {⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ , ⟨ w ∗ π ( i ) ⟩ σ } k i =1 ) . The view of server S σ during an ex ecution of protocol Π PV ODTE comprises: View Π PVODTE S σ = { View Π ODTE S σ , C A } , where C A is the ciphertext of the MA C key A . Deﬁnition 2 (Malicious Security against Servers) . The pr oto- col Π PV ODTE secur ely realizes the ideal functionality f PV ODTE in the pr esence of malicious servers if: • Privacy: Ther e exist PPT simulators Sim U , Sim S 0 , Sim S 1 , such that View Π PVODTE U ≈ c Sim U ( x , T ( x )) , and View Π PVODTE S σ ≈ c Sim S σ , σ ∈ { 0 , 1 } . • V eriﬁability: F or any malicious adversary A contr olling the servers, the pr obability that the client outputs an incorr ect r esult y ′  = T ( x ) and y ′  = ⊥ is ne gligible. Theorem 2. The pr otocol Π PV ODTE secur ely computes the ideal functionality f PV ODTE in the pr esence of malicious ad- versaries. Pr oof. The priv acy proof mirrors Section VI-F with added MA C handling, so we focus on veriﬁability . Giv en the sym- metry between servers in Π PV ODTE , it sufﬁces to assume A corrupted S 0 . Let the true result be v η = T ( x ) at index η with pc ∗ η = 0 . T o force an incorrect output T ′ ( x )  = T ( x ) , A must attempt the follo wing attacks: Attack 1: For ge a zero path cost at index j  = η . The adver - sary modiﬁes ⟨ pc ∗ j ⟩ 0 to ⟨ pc ∗ j ⟩ ′ 0 aiming for ⟨ pc ∗ j ⟩ 1 − ⟨ pc ∗ j ⟩ ′ 0 = 0 . Howe ver , for j  = η , the v alue pc j ∈ Z ∗ N is uniformly random. Supported by the semantic security of HSS and the security of PRFs, the remote share ⟨ pc j ⟩ 1 remains indistinguishable from a uniform random value over Z N to A . Therefore, A must guess ⟨ pc j ⟩ ′ 0 = ⟨ pc j ⟩ 1 with probability at most 1 / N per index. By a union bound over all k − 1 indices: Pr[ Attack 1 succeeds ] = k − 1 N (1 − 1 N ) k − 1 < k − 1 N = negl ( λ ) considering N ≫ k . Attack 2: F orge the classiﬁcation value at the corr ect index. W e prove by contradiction. Suppose A successfully forges a classiﬁcation result T ′ ( x )  = T ( x ) that passes the veriﬁcation. For the correct classiﬁcation result at index η , the MA C veriﬁcation equation is: A · v η = w η , where v η = ⟨ v η ⟩ 1 − ⟨ v η ⟩ 0 = T ( x ) and w η = ⟨ w η ⟩ 1 − ⟨ w η ⟩ 0 . If A successfully forges a result by modifying its shares to ⟨ v η ⟩ ′ 0 and ⟨ w η ⟩ ′ 0 , the forged values must satisfy: A · v ′ η = w ′ η , where v ′ η = ⟨ v η ⟩ 1 − ⟨ v η ⟩ ′ 0 = T ′ ( x )  = T ( x ) and w ′ η = ⟨ w η ⟩ 1 − ⟨ w η ⟩ ′ 0 . From these two equations, we hav e: A · ( v ′ η − v η ) = w ′ η − w η . Since v ′ η = T ′ ( x )  = T ( x ) = v η , we have v ′ η − v η  = 0 . Therefore, A can compute the MAC key as: A = w ′ η − w η v ′ η − v η = ⟨ w η ⟩ 0 −⟨ w η ⟩ ′ 0 ⟨ v η ⟩ 0 −⟨ v η ⟩ ′ 0 . Note that all terms in the right-hand side are known to A . Howe ver , this contradicts the security of HSS . By the security of HSS , the ciphertext C A should not rev eal any information about A to A . Speciﬁcally , A should remain computationally indistinguishable from a uniformly random v alue in Z N from A ’ s view . If A could compute A as shown abov e with non-negligible probabil- ity , this would contradict the security of HSS . Therefore: Pr[ Attack 2 succeeds ] = negl ( λ ) . V I I I . F U RT H E R I N V E S T I G AT I O N S In this section, we extend PVODTE to support two practical inference scenarios [45]: Gradient Boosted Decision Trees and decision trees using cate gorical features. A. Extension to Gradient Boosted Decision T rees A gradient boosted decision tree (GBDT) [57] is an ensem- ble learning model comprising sequentially trained decision trees, where the ﬁnal prediction is a weighted sum of outputs from all constituent trees (each scaled by a small learning rate η ). Formally , gi ven a GBDT model T GBDT with s trees {T 1 , . . . , T s } , the prediction for an input x is: T GBDT ( x ) = T 0 + η P s j =1 T j ( x ) , where T 0 is the initial constant bias (estimated from training data). For simplicity , we treat T 0 as the output of a dummy tree T 0 . T o extend PVODTE to GBDTs, we employ an additive masking technique to preserve the priv acy of individual tree predictions while ensuring the ﬁnal prediction remains unbiased. The core idea is to inject random masks into each tree’ s output such that: (1) individual tree predictions are hidden from the client, and (2) the sum of masks cancels out (i.e., P s j =0 r j = P s j =0 r ′ j = 0 , where r j , r ′ j are the masks for tree T j ). The extended protocol for GBDTs modiﬁes the original PV ODTE workﬂo w as follows: Input preparation phase. The model provider encrypts the initial bias T 0 and learning rate η using the HSS . Input algo- rithm, generating ciphertexts C T 0 and C η . These, along with the encrypted GBDT model, are sent to servers S 0 and S 1 . Server -side computation phase. Instead of executing the single-tree VRG algorithm, each server S σ runs a mod- iﬁed VRG GBDT algorithm (detailed in Algorithm 5) with JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 13 Algorithm 5 ( {⟨ pc ∗ π ( i ) ⟩ σ , ⟨ v ∗ π ( i ) ⟩ σ , ⟨ w ∗ π ( i ) ⟩ σ } k i =1 ) ← VRG GBDT ( σ, ek σ , π , { M b j ,σ } m j =1 , { C v i } k i =1 , C A , C η , r j , r ′ j ) Remark. W e use “ . . . ” to omit the unchanged inputs, outputs and computation steps in Algorithm 4 . Input . (1) . . . ; (7) C η : the HSS ciphertexts of the learning rate η . (8) r j : A random mask for classiﬁcation labels in the tree T j . (9) r ′ j : A random mask for proofs in the decision tree T j . Output . (1) . . . ; (2) {⟨ µ ∗ π ( i ) ⟩ σ } k i =1 : the weighted-outputs of the randomized classiﬁcation labels. (3) {⟨ τ ∗ π ( i ) ⟩ σ } k i =1 : the weighted-proofs of the randomized classiﬁcation labels. Step 1-6 . . . . Step 7 . Compute the weighted-output of the randomized classiﬁcation label as: M µ ∗ i ,σ ← HSS . Mul ( C η , M v ∗ i ,σ ) . Step 8 . Compute the weight-proofs of the randomized classiﬁcation label as: M τ ∗ i ,σ ← HSS . Mul ( C η , M w ∗ i ,σ ) . Step 9 . Con vert the memory v alues in Step 7 and Step 8 into linear shares: ⟨ pc ∗ i ⟩ σ ← HSS . Output ( M pc ∗ i ,σ , n out ) , ⟨ µ ∗ i ⟩ σ ← HSS . Output ( M µ ∗ i ,σ , n out ) , ⟨ τ ∗ i ⟩ σ ← HSS . Output ( M τ ∗ i ,σ , n out ) . Step 10 . Add random masks r j , r ′ j to the linear shares of the weighted outputs and weighted proofs: ⟨ µ ∗ i ⟩ σ ← ⟨ µ ∗ i ⟩ σ + r j , ⟨ τ ∗ i ⟩ σ ← ⟨ τ ∗ i ⟩ σ + r ′ j . Step 11 . Apply the permutation π to the values in Step 10 , output  {⟨ pc ∗ π ( i ) ⟩ σ , ⟨ µ ∗ π ( i ) ⟩ σ , ⟨ τ ∗ π ( i ) ⟩ σ , } k i =1  . (13) inputs C T 0 , C η , and two random masks r j , r ′ j (satisfying P s j =0 r j = P s j =0 r ′ j = 0 ). After ex ecuting VRG GBDT for each tree T j , each serv er S σ additionally masks and sends the secret share of T 0 to the client. The share is deriv ed as: M T 0 ,σ ← HSS . ConvertInput ( ek σ , C T 0 ) , ⟨ T 0 ⟩ σ ← HSS . Output ( M T 0 ,σ , n out ) , and then masked as ⟨ T 0 ⟩ σ ← ⟨ T 0 ⟩ σ + r 0 . For correctness veriﬁcation of T 0 , the servers compute: M T ′ 0 ,σ ← HSS . Mul ( C A , M T 0 ,σ ) , ⟨ T ′ 0 ⟩ σ ← HSS . Output ( M T ′ 0 ,σ , n out ) , and ⟨ T ′ 0 ⟩ σ ← ⟨ T ′ 0 ⟩ σ + r ′ 0 . Result reconstruction phase. The client recei ves subtracti ve secret shares of randomized path costs, weighted classiﬁcation labels, and weighted proofs from both servers for each tree T j : {{⟨ pc ∗ π ( i ) ⟩ σ , ⟨ µ ∗ π ( i ) ⟩ σ , ⟨ τ ∗ π ( i ) ⟩ σ } k i =1 } 1 σ =0 from S 0 and S 1 . T o identify the correct output for each decision tree T j , the client ﬁnds a π ( i ) ∈ [ k ] such that ⟨ pc ∗ π ( i ) ⟩ 1 − ⟨ pc ∗ π ( i ) ⟩ 0 = 0 , and then obtains the weighted-output η · T j ( x ) , and its proof A · η · T j ( x ) as: η · T j ( x ) = ⟨ µ ∗ π ( i ) ⟩ 1 − ⟨ µ ∗ π ( i ) ⟩ 0 and A · η · T j ( x ) = ⟨ τ ∗ π ( i ) ⟩ 1 − ⟨ τ ∗ π ( i ) ⟩ 0 . The ﬁnal GBDT prediction is then computed by aggregating the reconstructed tree outputs and the initial bias: T GBDT ( x ) = ⟨ T 0 ⟩ 1 − ⟨ T 0 ⟩ 0 + · P s j =1 η · T j ( x ) . T o verify correctness, the client checks that the aggregated proof matches the product of A and the ﬁnal prediction: A · T GBDT ( x ) = ⟨ T ′ 0 ⟩ 1 − ⟨ T ′ 0 ⟩ 0 + · P s j =1 A · η · T j ( x ) . The correctness of the extended protocol follo ws directly from the correctness of the PV ODTE and the linearity of the Algorithm 6 M c t ,σ ← SEQ ( σ, ek σ , { C α i } t i =1 , { C β i } t i =1 ) Input . (1) σ ∈ { 0 , 1 } : the index of a server S σ ; (2) ek σ : the priv ate ev aluation key of HSS; (3) C α i (resp. C β i ): a ciphertext of the bit α i (resp. β i ) under HSS , where 1 ≤ i ≤ t . Output . M c t ,σ : a memory v alue of the bit c t . Step 1 . S σ generates a trivial memory value M 1 ,σ ; Step 2 . M α 1 ,σ ← HSS . ConvertInput ( ek σ , C α 1 ) ; Step 3 . M β 1 ,σ ← HSS . ConvertInput ( ek σ , C β 1 ) ; Step 4 . M c 1 ,σ ← HSS . Mul ( C β 1 , M α 1 ,σ ) ; Step 5 . M c 1 ,σ ← HSS . Add ( M c 1 ,σ , M c 1 ,σ ) ; Step 6 . M c 1 ,σ ← HSS . Sub ( M c 1 ,σ , M α 1 ,σ ) ; Step 7 . M c 1 ,σ ← HSS . Sub ( M c 1 ,σ , M β 1 ,σ ) ; Step 8 . M c 1 ,σ ← HSS . Add ( M c 1 ,σ , M 1 ,σ ) ; Step 9 . f or i ∈ { 1 , . . . , t − 1 } do C temp ← HSS . Add ( C α i +1 , C β i +1 ) ; M c i +1 ,σ ← HSS . Mul ( C temp , M c i ,σ ) ; M c i +1 ,σ ← HSS . Sub ( M c i ,σ , M c i +1 ,σ ) ; M 2 c i ,σ ← HSS . Add ( M c i ,σ , M c i ,σ ) ; M temp,σ ← HSS . Mul ( C α i +1 , M 2 c i ,σ ) ; M temp,σ ← HSS . Mul ( C β i +1 , M temp,σ ) ; M c i +1 ,σ ← HSS . Add ( M c i +1 ,σ , M temp,σ ) ; Step 10 . Output M c t ,σ . HSS operations used for aggregation. The priv acy of T 0 and η is preserved by the security of the HSS scheme, ensuring they remain pri vate from the servers. F or the client, only the ﬁnal GBDT prediction and its proof are rev ealed—aligning with PV ODTE ’ s security requirements. Individual tree predictions are obscured by random masks r j , r ′ j , which cancel out in the aggregated sum, prev enting the client from recovering intermediate tree outputs. B. Extension to Categorical F eatur es In practice, feature vectors x often include categorical vari- ables (e.g., “gender” or “product type”) instead of numerical ones. F or such v ariables, the natural branching operation at a decision node (i.e., the Boolean test function) is set membership testing (e.g., “is x in the set S ?”) [45]. Consider a categorical variable x in x corresponding to a non-leaf node D j , where x takes values from a ﬁnite set S = { s 1 , . . . , s ℓ } . The Boolean test function at D j checks whether x ∈ S holds. Translating this into our PV ODTE requires a construction that: (i) T akes as input the HSS cipherte xt C x of x and the HSS ciphertexts { C s 1 , . . . , C s ℓ } of elements in S . (ii) Outputs a memory value of 1 if x = s j for any s j ∈ S , and 0 otherwise. Note that we have already designed a “greater than” test- ing algorithm (Algorithm 1) for bitwise integer comparison (Section V). This bit-level approach extends naturally to set membership testing: we compare x sequentially with each element in S , and the ﬁnal result is the sum of these pairwise equality tests. Secure equality test algorithm. T o implement set member- ship testing, we ﬁrst design a secur e equality test algorithm ( SEQ ) to compare two t -bit variables α = ( α 1 , . . . , α t ) and JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 14 T ABLE III T R EE P A R AM E T E RS I N O U R E X P E RI M E N TS . Decision Tree #Features T ree height #Nodes hear t-disease 13 3 15 breast-cancer 9 8 511 housing 13 13 16383 spambase 57 17 262143 MNIST 784 20 2.1E+06 T ABLE IV C O MPA R IS O N O F R U NN I N G T I ME O F PVODTE MH A N D PVODTE MS Decision tree SIC (s) VRG (s) PVODTE MH PVODTE MS PVODTE MH PVODTE MS hear t-disease 4.53 2.18 0.14 0.07 breast-cancer 4.41 2.23 2.82 1.30 housing 4.10 2.25 87.16 42.53 spambase 4.34 2.12 1352.13 670.26 MNIST 4.21 2.29 11139.41 5373.95 β = ( β 1 , . . . , β t ) (where α 1 , β 1 are least signiﬁcant bits (LSBs)). Recall that for any two bits α i , β i ∈ { 0 , 1 } , the equality test can be expressed via arithmetic over Z as: ( α i = β i ) := 1 − α i − β i + 2 α i β i , (14) where ( α i = β i ) := 1 if α i = β i and 0 otherwise. Using an LSB appr oac h , we iterati vely construct the equality result for the full t -bit variables. Let c 0 = 1 , and let c i , 1 ≤ i ≤ t denote the equality result for the ﬁrst i bits ( α i . . . α 1 = β i . . . β 1 ). The recursiv e relation for c i +1 is: c i +1 := ( α i +1 = β i +1 ) ∧ c i , 0 ≤ i < t, (15) where c t = 1 if and only if α = β . By substituting Eq. (2) and Eq. (14) into Eq. (15), we obtain: c i +1 := c i − c i ( α i +1 + β i +1 ) + 2 c i α i +1 β i +1 , 1 ≤ i < t. Similar to the SIC algorithm (Algorithm 1), we design SEQ (Algorithm 6) to implement this equation. The SEQ algorithm also keeps the priv acy of the input x , the set S and the equality test result from the servers. Set membership testing via SEQ . For a categorical variable x and set S = { s 1 , . . . , s ℓ } , each server S σ : (1) Run SEQ for each s j ∈ S to compute a memory value M c j ,σ ( c j = 1 if x = s j , 0 otherwise). (2) Sum the memory values of c j to obtain the set membership result: M c S ,σ = P ℓ j =1 M c j ,σ , where c S = 1 if x ∈ S and 0 otherwise. I X . E X P E R I M E N T S In this section, we provide detailed ev aluation results for PV ODTE . Dataset and model. These datasets hav e been used in prior work [1], [20], [44], [45] to ev aluate ODTE protocols. For each dataset, we train a decision tree using the scikit-learn toolkit [59], which allows setting the maximum depth of the resulting tree. Following standard practice [1], [20], [37], [45], we pad the tree with dummy nodes to reach the target depth. W e train six decision-tree models, as shown in T ABLE III. Among them, hear t-disease and breast-cancer represent small trees, while housing and spambase are medium-sized trees with a moderate number of features and classes. MNIST heart-disease breast-cancer housing spambase MNIST 10 3 10 5 10 7 10 9 Overall Online Cost (KB) ODTE SS ODTE OS PV ODTE MS Fig. 3. Comparison of overall online communication overhead of ODTE SS [1], ODTE OS [20] and our PV ODTE MS . The y-axis is in logarithmic scale. is a deep tree with a high-dimensional feature vector; we include it primarily as a benchmark, though decision trees are not commonly used for classiﬁcation tasks in practice. Implementation setup. W e implement our semi-honestly se- cure ODTE protocol and maliciously secure ODTE protocol, denoted as ODTE SH and PV ODTE MS , respecti vely . Both protocols use a semi-honest ElGamal-based HSS scheme from [36], which satisﬁes the deﬁnitions of the HSS scheme in Section III-A. T o ev aluate its performance, we compare our PV ODTE MS with three alternativ e protocols: 1) A maliciously secure ODTE protocol, denoted as PV ODTE MH , constructed by combining our semi-honest ODTE protocol with the maliciously secure HSS scheme from [36]. 2) The state-of-the-art two-server semi-honest ODTE pro- tocol, denoted as ODTE SS , proposed by Zheng et al. [1], which is based on a secret sharing scheme. 3) The optimized version of the protocol of [1], denoted as ODTE OS , proposed by Zheng et al. [20], which is designed to reduce the S2S rounds in [1]. All protocols are implemented in C++ using the NTL library [60]. W e set a feature or a threshold value to be a random t = 10 bit integer , which is a common choice in existing experiments [5], [26]. Our protocol’ s output modulus and the message spaces of ODTE SS and ODTE OS are all set to 128 bits, while the RSA modulus in our protocol is set to 3072 bits. W e implement the OT protocol employed in [20] as a classic O T based on RSA encryption (the RSA modulus is same as ours), since the authors do not provide the details of the OT protocol the y employ . T o test the performance of our protocols in a genuine heterogeneous network setting, we conduct benchmarks on a workstation equipped with Intel(R) Xeon(R) Gold 6250 CPU @ 3.90GHz running Ubuntu 22.04 L TS with 64GB memory . W e employ the Linux tc tool to simulate local- area network (LAN, R TT : 0.1 ms, 1 Gbps), and wide-area network (W AN, R TT : 160 ms, 135 Mbps). This process allows us to learn the real-world performance of our protocol during model inference, such as actual online communication ov erhead and running time. Our source code is av ailable at https://github .com/neuroney/PODT. JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 15 T ABLE V C L IE N T - S I DE L A T EN C Y B R E A KD OW N OF ODTE SS , ODTE OS , ODTE SH A N D PVODTE MS OV E R D I FFE R E N T D AT A S ET S Protocols hear t-disease breast-cancer housing spambase MINIST C ⇀ S C ↽ S C ⇀ S C ↽ S C ⇀ S C ↽ S C ⇀ S C ↽ S C ⇀ S C ↽ S ODTE SS [1] 5.47E–05 3.49E–05 3.79E–05 1.12E–03 5.47E–05 3.57E–02 2.40E–04 5.71E–01 3.30E–03 4.57E+00 ODTE OS [20] 5.47E–05 2.18E–06 3.79E–05 2.18E–06 5.47E–05 2.18E–06 2.40E–04 2.18E–06 3.30E–03 2.18E–06 ODTE SH 5.66E–02 3.49E–05 2.06E+00 1.12E–03 6.62E+01 3.57E–02 1.06E+03 5.71E–01 8.47E+03 4.57E+00 PVODTE MS 5.66E–02 5.23E–05 2.06E+00 1.67E–03 6.62E+01 5.36E–02 1.06E+03 8.57E–01 8.47E+03 6.86E+00 Remark. All latency values are reported in seconds (s). W e measure “C ⇀ S” and “C ↽ S” using the global median upload/download speeds (58 Mbps for upload, 112 Mbps for download) as reported by Ookla [61]. T ABLE VI O N LI N E R UN N I N G T I M E O F ODTE SS , ODTE OS , ODTE SH A N D PVODTE MS OV E R D I FFE R E N T D AT A S ET S AN D N E T W OR K S Protocols hear t-disease breast-cancer housing spambase MINIST LAN.T W AN.T LAN.T W AN.T LAN.T W AN.T LAN.T W AN.T LAN.T W AN.T ODTE SS [1] 2.61E–02 4.08E+01 4.17E–01 6.50E+02 1.34E+01 2.08E+04 2.16E+02 3.33E+05 2.0E+03 2.66E+06 ODTE OS [20] 8.30E–02 3.44E+00 1.02E–01 6.66E+01 1.80E+00 2.54E+03 3.12E+01 4.59E+04 2.71E+02 3.98E+05 ODTE SH 2.25E+00 2.25E+00 3.63E+01 3.63E+01 1.16E+03 1.16E+03 1.86E+04 1.86E+04 1.48E+05 1.48E+05 PVODTE MS 2.33E+00 2.33E+00 3.76E+01 3.76E+01 1.20E+03 1.20E+03 1.92E+04 1.92E+04 1.54E+05 1.54E+05 IF 1 / 17.51 / 17.29 / 17.33 / 17.34 / 17.27 IF 2 / 1.48 / 1.77 / 2.12 / 2.39 / 2.58 Remark. LAN.T and W AN.T represent online running time under LAN (R TT : 0.1ms), and online running time under W AN (R TT : 160ms), respecti vely . All running times are reported in seconds (s). The minimum value in each column is bolded. IF 1 represents the improvement factor of PV ODTE MS over ODTE SS (i.e. ODTE SS / PVODTE MS ) and IF 2 represents the improvement factor of PVODTE MS over ODTE OS , (i.e. ODTE OS / PVODTE MS ). A. Lightweight MAC for Malicious Security: Comparison with PV ODTE MH T o demonstrate the lightweight efﬁcienc y of our ap- proach, we compare PVODTE MS against a baseline protocol PV ODTE MH built directly on maliciously secure HSS. As detailed in Section VII-A, major distinctions in MA C key preparation, memory value size, and server -side computation translate precisely into the performance differences observed below . Communication o verhead. The primary diver gence stems from MA C key scaling constraints. While PV ODTE MH relies on a trusted setup issuing lightweight linear shares (256 bytes) [36], PVODTE MS acts over a client-provided HSS ciphertext causing a speciﬁc overhead difference (3072 bytes per ciphertext versus 256 for shares). Crucially , aside from this initialization step, all other communication burdens—inputs and outputs—remain nearly identical between the two frame- works. Running time. The memory value size in PVODTE MH is twice that of PVODTE MS , leading to reduced efﬁcienc y when the cloud server ex ecutes HSS instructions. Server- side computation comprises two ke y steps: executing the SIC algorithm for m = 2 h − 1 non-leaf (decision) nodes and the VRG algorithm for k = 2 h leaf nodes. Comparison results are summarized in T ABLE IV. Compared with PVODTE MH , PV ODTE MS achiev es a roughly 50% reduction in running time for both the SIC and VRG algorithms. B. Comparison with ODTE SS and ODTE OS Our protocol is designed to enhance real-time ef ﬁciency during the critical online phase of decision tree ev aluation. By T ABLE VII O V E RA L L L ATE N C Y O F ODTE SS , ODTE OS , ODTE SH A N D PVODTE MS OV E R D I FFE R E N T D AT A S ET S IN W A N S Protocols hear t-disease breast-cancer housing spambase MINIST ODTE SS [1] 4.08E+01 6.50E+02 2.08E+04 3.33E+05 2.66E+06 ODTE OS [2] 3.44E+00 6.66E+01 2.54E+03 4.59E+04 3.98E+05 ODTE SH 2.31E+00 3.84E+01 1.23E+03 1.97E+04 1.56E+05 PVODTE MS 2.39E+00 3.97E+01 1.27E+03 2.03E+04 1.62E+05 IF 1 17.07 16.37 16.38 16.40 16.42 IF 2 1.44 1.68 2.00 2.26 2.47 Remark. The overall latency is computed as the sum of client-server communication latency (“C ⇀ S” and “C ↼ S” in T ABLE V) and the server -side online computation time (“W AN.T” in T ABLE VI) in W AN settings. All running times are reported in seconds (s). The minimum value in each column is bolded. IF 1 represents the improvement factor of PVODTE MS over ODTE SS (i.e. ODTE SS / PVODTE MS ) and IF 2 represents the impro vement factor of PVODTE MS over ODTE OS , (i.e. ODTE OS / PVODTE MS ). optimizing this phase, we address the most ur gent performance bottlenecks in practical applications. The key metrics are the ov erall time taken for one inference, which includes both client-server communication latency and server -side compu- tation time, and the online communication overhead, which includes both client-side and server -side communication. In this section, we present experimental results focusing on these key metrics. Client-side communication latency . W e ev aluate client-side communication latency for ODTE protocols by estimating the time for data upload (sending priv ate inputs to the servers) and data download (receiving the inference result). As shown in T ABLE V, PVODTE MS does not have an adv antage in upload time compared with ODTE SS and ODTE OS . Both PV ODTE MS and ODTE SH require the client to upload larger ciphertexts than ODTE SS and ODTE OS . For do wnload time, ODTE SS , ODTE SH , and PVODTE MS hav e similar latency since they all return all path costs and leaf-node values to the client, whereas ODTE OS returns only the class label and therefore achiev es the lowest latency . Although PVODTE MS JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 16 T ABLE VIII O N LI N E C O M M UN I C A T IO N OV ER H E A D O F ODTE SS , ODTE OS , ODTE SH A N D PVODTE MS OV E R D I FFE R E N T D AT A S ET S Protocols hear t-disease breast-cancer housing spambase MINIST #Client. #Server . #Client. #Serv er . #Client. #Server . #Client. #Server . #Client. #Server . ODTE SS [1] 9.06E–01 3.40E+02 1.63E+01 1.23E+04 5.12E+02 3.96E+05 8.19E+03 6.71E+06 6.56E+04 1.01E+08 ODTE OS [20] 2.19E–01 2.45E+02 1.55E–01 8.24E+03 2.19E–01 2.92E+05 9.06E–01 9.03E+06 1.23E+01 6.44E+08 ODTE SH 2.10E+02 0 7.66E+03 0 2.46E+05 0 3.94E+06 0 3.15E+07 0 PVODTE MS 2.13E+02 0 7.67E+03 0 2.46E+05 0 3.94E+06 0 3.15E+07 0 Remark. #Client. and #Server . represent the number of bits required for online computation respectiv ely . All communications are reported in KB. The minimum value in each column is bolded. incurs higher client-side communication latency than ODTE SS and ODTE OS , this cost is small relative to server-side compu- tation, as shown in T ABLE VI and T ABLE VII. Server -side running time. The server side dominates the end- to-end latency in ODTE protocols. T ABLE VI reports the on- line running time and contrasts our protocol PVODTE MS with ODTE SS [1] and ODTE OS [20]. While ODTE SS and ODTE OS achiev e lower running time in LAN settings, PVODTE MS substantially outperforms both in W AN en vironments. The primary reason is that ODTE SS and ODTE OS rely on frequent joint computations at each decision and leaf node, which ampliﬁes synchronization and network latency . In contrast, PV ODTE MS employs ef ﬁcient local e valuation, which is ro- bust to network latency . Concretely , in W AN settings our pro- tocol is approximately 17 × faster than ODTE SS and 1 . 5 - 2 . 6 × faster than ODTE OS . Overall latency . As summarized in T ABLE VII, PVODTE MS achiev es signiﬁcant ov erall latency reductions ov er ODTE SS and ODTE OS in W AN settings. On average, it is about 16 . 4 × faster than ODTE SS and 1 . 5 - 2 . 5 × faster than ODTE OS . These gains primarily stem from the server-side design choices that mitigate synchronization in high-latency networks. Online communication overhead. W e estimate the total on- line communication for our maliciously secure ODTE protocol by accounting for client-server trafﬁc and server-to-serv er traf- ﬁc. Client-side communication includes ciphertexts uploaded by the client and results returned. Server -side communica- tion captures messages exchanged between servers during computation. T ABLE VIII compares our protocol with the two-server ODTE baselines ODTE SS and ODTE OS . ODTE SS and ODTE OS incur lower client-side online communication than ours because secret-sharing ciphertexts are smaller than the HSS ciphertexts used by PVODTE MS . Howe ver , our protocol requires zero server -to-server communication due to the absence of S2S rounds, while ODTE OS requires up to 6.4E+08 KB. Consequently , as shown in Fig. 3, the total online communication of PVODTE MS is 1 . 6 - 3 . 1 × lower than ODTE SS and 1 . 1 - 20 × lower than ODTE OS . As the decision-tree depth e xceeds h = 13 , the overall communication adv antage of PVODTE MS becomes more pro- nounced relativ e to ODTE SS and ODTE OS . The improvement arises because our protocol eliminates S2S rounds, which gro w exponentially with depth in ODTE SS and ODTE OS . Therefore, for deeper trees, our protocol scales more fav orably and offers superior communication efﬁciency in large-scale deployments. C. Overhead Analysis of Malicious Security in PVODTE T o quantify the overhead introduced by malicious secu- rity , we ﬁrst compare the performance of our semi-honest ( ODTE SH ) and maliciously secure ( PVODTE MS ) protocols. Communication overhead. The client sends an HSS cipher - text of a MA C key A , which is around 3 KB to both servers. Compared with the encrypted feature vector (around 210 KB) sent to the servers, the cost for v eriﬁcation is small. Each server sends 3 k linear shares ( 48 k bytes) to the client for veriﬁcation, while 2 k linear shares ( 32 k bytes) in ODTE SH . The additional cost for veriﬁcation is 16 k bytes. As shown in T ABLE VIII, the ov erhead taken by malicious security in PV ODTE MS is negligible compared with the overall commu- nication overhead of ODTE SH . Computation overhead. In our experiments, the HSS . Input and HSS . Mul each take around 81 ms. The client requires an additional 81 ms to encrypt the MA C ke y A via HSS . Input , plus an extremely lightweight veriﬁcation step (0.001 ms) that multiplies two plaintext values to verify MAC tags. Each server performs k instances of HSS . Mul (81 ms per instance) to compute MA C tags at leaf nodes, totaling 81 k ms of extra computation. As shown in T ABLE VI, the server- side running time of PV ODTE MS remains roughly on par with ODTE SH . This is because the dominant overhead of our protocol, comparing feature values at non-leaf nodes is identical across both security models. D. W AN sensitivity T o further analyze the performance improvements, we con- ducted experiments across W AN settings (R TT 40 to 200 ms). Figure 4 conﬁrms that PVODTE MS surpasses ODTE SS and ODTE OS once R TT > 80ms, distinguishing it as superior for latency-critical applications. It’ s worth mentioning that by implementing our protocol with high-performance programming techniques and deploy- ing it on more advanced servers will surely further reduce the ev aluation time for deeper decision trees signiﬁcantly . This is because the servers in our protocol ex ecute all computations locally , thereby circumventing the adverse impacts of online communication. In contrast, the protocols in [1], [20] face exe- cution time bottlenecks due to bandwidth constraints, network delays, and the need to handle extensi ve S2S messages. E. Ofﬂine Cost Analysis In addition to the online phase, our protocol includes an ofﬂine phase in which the client performs a one-time download JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 17 ODTE SS [1] ODTE OS [2] PV ODTE MS 40 80 120 160 200 10 0 10 1 10 2 W AN R TT (ms) Running time (s) (a) hear t-disease 40 80 120 160 200 10 1 10 2 10 3 W AN R TT (ms) (b) breast-cancer 40 80 120 160 200 10 3 10 4 10 5 W AN R TT (ms) (c) housing 40 80 120 160 200 10 4 10 5 10 6 W AN R TT (ms) (d) spambase 40 80 120 160 200 10 5 10 6 10 7 W AN R TT (ms) (e) MNIST Fig. 4. Online running time in different W AN settings for different databases. y -axis is in the logarithm scale. T ABLE IX O N E - T I M E O FFL I N E D O WN L OA D CO S T F O R E N C RYP T E D M A T R IX C M . Decision T ree # C M (KB) Construction time (s) Do wnload time (s) hear t-disease 2.73E+02 4.55E+00 1.90E–02 breast-cancer 6.89E+03 1.15E+02 4.80E–01 housing 3.19E+05 5.32E+03 2.23E+01 spambase 2.24E+07 3.74E+05 1.56E+03 MNIST * 2.47E+09 4.11E+07 1.72E+05 ∗ MNIST is included primarily for benchmarking and is not a typical decision-tree dataset in practice. Download time is estimated using the global median do wnload speed (112 Mbps) reported by Ookla [61]. of the encrypted matrix C M (Algorithm 2). Although this cost is reusable and amortizable across multiple inferences, we report it to provide a complete ev aluation. The size of C M is 3 mn KB, where m is the number of non-leaf nodes and n is the number of features. As shown in T ABLE IX, the ofﬂine communication cost is practical for all datasets except MNIST at depth 20, which we include solely as a stress-test benchmark rather than a representativ e real-world use case. An important observation is that C M encodes only the tree topology (i.e., which feature is tested at each decision node), not the actual threshold values or classiﬁcation labels. Consequently , if the model is updated by adjusting thresholds or labels while maintaining the tree structure, C M requires no redistribution. Even when the tree structure itself is modiﬁed, only the af fected ro ws of C M (one per modiﬁed non-leaf node) need to be recomputed and transmitted, signiﬁcantly reducing the update cost compared to full redistribution. X . C O N C L U S I O N In this paper , we propose a novel two-serv er ODTE protocol PV ODTE , that eliminates the requirement for S2S rounds and achiev es security against malicious servers simultaneously . T o our kno wledge, this is the ﬁrst ODTE protocol that achie ve all these properties. By enabling each server to independently process secret-shared data, our protocol avoids communication and computation ov erhead typically associated with bandwidth constraints and network delays in W AN en vironments. More- ov er , despite its enhanced security and efﬁciency beneﬁts, our proof-of-concept implementation shows performance that remains comparable to e xisting protocols. R E F E R E N C E S [1] Y . Zheng, H. Duan, C. W ang, R. W ang, and S. Nepal, “Securely and efﬁciently outsourcing decision tree inference, ” IEEE Tr ans. Depend. Secur e Comput. , vol. 19, no. 3, pp. 1841–1855, 2022. DOI: 10.1109/TDSC.2020.3040012 [2] A. Riasi, J. Guajardo and T . Hoang, “Priv acy-preserving veriﬁable neural network inference service, ” Pr oc. of IEEE ACSA C , pp. 683–698, 2024. DOI: 10.1109/ACSA C63791.2024.00063 [3] J. W eng, J. W eng, G. T ang, A. Y ang, M. Li and J. -N. Liu, “pvCNN: Priv acy-preserving and veriﬁable con volutional neural netw ork testing, ” IEEE Tr ans. Info. F or . Sec. , vol. 18, pp. 2218-2233, 2023. DOI: 10.1109/TIFS.2023.3262932. [4] A. Alouﬁ, P . Hu, H. W . H. W ong and S. S. M. Chow , “Blindfolded ev aluation of random forests with multi-key homomorphic encryption, ” IEEE T rans. Depend. Secure Comput. , vol. 18, no. 4, pp. 1821–1835, 2021. DOI: 10.1109/TDSC.2019.2940020 [5] W . J. Lu, J. J. Zhou, and J. Sakuma, “Non-interactive and output expressi ve pri vate comparison from homomorphic encryption, ” Proc. of AsiaCCS , 2018. [6] R. Cramer , R. Gennaro, and B. Schoenmakers, “ A secure and optimally efﬁcient multi-authority election scheme, ” Proc. of EUROCRYPT , 2001. [7] C. Gentry , “Fully homomorphic encryption using ideal lattices, ” Proc. of ACM STOC , 2009. [8] J. Groth, “Short pairing-based non-interactiv e zero-knowledge arguments, ” Proc. of ASIACR YPT , pp. 321–340, 2010. [9] C. Dong, J. W eng, J. Liu, Y . Zhang, Y . T ong, A. Y ang, Y . Cheng, and S. Hu, “Fusion: Efﬁcient and secure inference resilient to malicious servers. ” Pr oc. of NDSS , 2023. [10] D. Beaver , “Ef ﬁcient multiparty protocols using circuit randomization, ” in Pr oc. of CRYPTO , 1991. [11] R. Cramer , I. Damg ˚ ard, and Y . Ishai, “Share con version, pseudorandom secret-sharing and applications to secure computation, ” In Proc. of TCC , 2005. [12] A. Shamir, “How to share a secret, ” Commun. ACM , vol. 22, no. 11, pp. 612–613, Nov . 1979. [13] X. Liu, Y . Zheng, X. Y uan and X. Y i, “Securely outsourcing neural network inference to the cloud With lightweight techniques, ” IEEE T rans. Depend. Secure Comput. , vol. 20, no. 1, pp. 620–636, 2023. DOI: 10.1109/TDSC.2022.3141391 [14] G. He, Y . Ren, G. He, G. Feng and X. Zhang, “PPNNI: Privac y- preserving neural network inference against adversarial example attack, ” IEEE T rans. Serv . Comput. , vol. 17, no. 6, pp. 4083–4096, 2024. DOI: 10.1109/TSC.2024.3399648 [15] H. Tsuchida, T . Nishide, and Y Maeda,“Pri vate decision tree ev aluation with constant rounds via (only) SS-3PC over ring, ” Pr oc. of Pr ovSec , 2020. [16] N. Cheng, N. Gupta, A. Mitrokotsa, H. Morita, and K. T ozawa, “ Constant-round private decision tree evaluation for secret shared data, ” Pr oc. of P oPETs , 2024. [17] K. Ji, B. Zhang, T . Lu, L. Li and K. Ren, “UC secure pri vate branching program and decision tree ev aluation, ” IEEE T rans. Depend. Secur e Comput. , vol. 20, no. 4, pp.2836–2848, 2023. DOI: 10.1109/TDSC.2022.3202916 [18] L. Liu, J. Su, R. Chen, J. Chen, G. Sun, and J. Li, “Secure and fast decision tree ev aluation on outsourced cloud data, ” Proc. of ML4CS , 2019. [19] J. P . Ma, R. K. T ai, Y . Zhao, and S. S. Chow , “Let’s stride blindfolded in a forest: Sublinear multi-client decision trees evaluation. ” Pr oc. of NDSS , 2020. [20] Y . Zheng, C. W ang, R. W ang, H. Duan, and S. Nepal, “Optimizing secure decision tree inference outsourcing, ” IEEE T rans. Depend. Secur e Comput. , v ol. 20, no. 4, pp. 3079–3092, 2023. DOI: 10.1109/TDSC.2022.3194048 [21] J. Liang, Z. Qin, S. Xiao, L. Ou and X. Lin, “Efﬁcient and secure decision tree classiﬁcation for cloud-assisted online diagnosis services, ” IEEE T rans. Depend. Secure Comput. , vol. 18, no. 4, pp. 1632–1644, 2021. DOI: 10.1109/TDSC.2019.2922958 [22] M. Zhang, Y . Chen and W . Susilo, “Decision tree e valuation on sensitiv e datasets for secure e-healthcare systems, ” IEEE T rans. Depend. Secur e Comput. , vol. 20, no. 5, pp. 3988–4001, 2023. DOI: 10.1109/TDSC.2022.3219849 JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 18 [23] H. Qian, B. W ang, M. Y uan, S. Gao, and Y . Song, “Financial distress prediction using a corrected feature selection measure and gradient boosted decision tree, ” Expert Syst. Appl. , vol. 190, p. 116202, 2022. [24] Y . Zheng, R. Lu, Y . Guan, J. Shao and H. Zhu, “Efﬁcient privac y- preserving similarity range query with quadsector tree in eHealthcare, ” IEEE T rans. Serv . Comput. , vol. 15, no. 5, pp. 2742–2754, 2022. DOI: 10.1109/TSC.2021.3081350 [25] C. D. Francescomarino, M. Dumas, F . M. Maggi and I. T einemaa, “Clustering-based predicti ve process monitoring, ” IEEE T rans. Serv . Comput. , vol. 12, no. 6, pp. 896–909, 2019. DOI: 10.1109/TSC.2016.2645153 [26] K. Xu, B. H. M. T an, L. P . W ang, K. M. M. Aung, and H. W ang, “Priv acy-preserving outsourcing decision tree ev aluation from homo- morphic encryption, ” J. Inf. Secur . Appl. , vol. 77, p. 103582, 2023. [27] I. Dam ˚ agrd, M. Fitzi, E. Kiltz, J. B. Nielsen, and T . T oft, “Unconditionally secure constant-rounds multi-party computation for equality , comparison, bits and exponentiation, ” Pr oc. of TCC , 2006. [28] T . Nishide and K. Ohta, “Multiparty computation for interval, equality , and comparison without bit-decomposition protocol, ” Pr oc. of PKC , 2007. [29] T . I. Reistad and T . T oft, “Secret sharing comparison by transformation and rotation, ” Pr oc, of ICITS , 2007. [30] K. Sutradhar and H. Om, “ A privac y-preserving comparison protocol, ” IEEE T rans. Comput. , vol. 72, no. 6, pp. 1815–1821, 2023. DOI: 10.1109/TC.2022.3215640 [31] I. Damg ˚ ard, M. Geisler , and M. Krøigaard, “Ef ﬁcient and secure comparison for on-line auctions, ” Pr oc. of A CISP , 2007. [32] C. Gentry , S. Halevi, and C. S. Jutla, and M. Raykova, “Priv ate database access with HE-over -ORAM architecture, ” Proc. of ACNS , 2015. [33] E. Boyle, L. Kohl, and P . Scholl, “Homomorphic Secret Sharing from Lattices Without FHE. ” Pr oc. of EUR OCRYPT , 2019. [34] E. Boyle, N. Gilboa, and Y . Ishai, “Breaking the circuit size barrier for secure computation under DDH. ” Pr oc. of CRYPT O , 2016. [35] C. Orlandi, P . Scholl, and S. Y akoubov , “The rise of Paillier: homomorphic secret sharing and public-key silent O T, ” Pr oc. of EUR OCRYPT , 2021. [36] D. Abram, I. Damg ˚ ard, C. Orlandi, and P . Scholl. “ An algebraic framew ork for silent preprocessing with trustless setup and activ e security , ” Pr oc. of CRYPT O 2022. [37] ´ A. Kiss, M. Naderpour , J. Liu, N. Asokan, and T . Schneider, “SoK: modular and ef ﬁcient private decision tree ev aluation, ” Proc. of P oPETs , 2019. [38] R. Cleve, “T owards optimal simulations of formulas by bounded-width programs, ” in Pr oc. of STOC , 1990. [39] R. K. H. T ai, J. P . K. Ma, Y . Zhao, and S. S. M. Chow , “Priv acy-preserving decision trees ev aluation via linear functions, ” in Pr oc. of ESORICS , 2017. [40] I. Dam ˚ agrd, V . P astro, N. Smart, and S. Zakarias, “Multiparty computation from somewhat homomorphic encryption, ” Pr oc. of CRYPT O , 2012. [41] A. R. Choudhuri, A. Goel, A. Hegde, and A. Jain, “Homomorphic secret sharing with veriﬁable ev aluation, ” Proc. of TCC , pp. 614–650, 2025. [42] M. D. Cock, R. Dowsley , C. Horst, R. Katti, A. C. Nascimento, W .-S. Poon, and S. T ruex, “Efﬁcient and priv ate scoring of decision trees, support vector machines and logistic regression models based on pre-computation, ” IEEE T rans. Depend. Secure Comput. , vol. 16, no. 2, pp. 217–230, 2017. DOI: 10.1109/TDSC.2017.2679189 [43] R. Bost, R. A. Popa, S. T u, and S. Goldwasser , “Machine learning classiﬁcation over encrypted data, ” Pr oc. of NDSS , 2015, pp. 1–14. [44] J. Bai, X. Song, X. Zhang, Q. W ang, S. Cui, E. Chang and G. Russello, “Mostree: malicious secure priv ate decision tree ev aluation with sublinear communication, ” Proc. of ACM A CSAC , 2023. [45] D. J. W u, T . Feng, M. Naehrig, and K. Lauter , “Priv ately ev aluating decision trees and random forests, ” Pr oc. of P oPETs , 2016. [46] S. Y uan, H. Li, X. Qian, M. Hao, Y . Zhai and G. Xu, “Efﬁcient and pri vacy-preserving outsourcing of gradient boosting decision tree inference, ” IEEE T rans. Serv . Comput. , vol. 17, no. 5, pp. 2334–2348, 2024. DOI: 10.1109/TSC.2024.3395928 [47] K. Cong, D. Das, J. Park, and H. V . L. Pereira, “SortingHat: Efﬁcient Priv ate Decision Tree Evaluation via Homomorphic Encryption and T ransciphering, ” Pr oc. of ACM CCS , 2022. [48] R. Akhav an Mahdavi, H. Ni, D. Linkov , and F . Kerschbaum, “Level Up: Priv ate Non-Interactiv e Decision Tree Ev aluation using Lev elled Homomorphic Encryption, ” Pr oc. of ACM CCS , 2023. [49] K. Cong, J. Kang, G. Nicolas, and J. Park, “Faster Priv ate Decision T ree Evaluation for Batched Input from Homomorphic Encryption, ” Pr oc. of SCN , 2024. [50] L. F . Zhang and H. W ang, “Multi-server v eriﬁable computation of lo w- degree polynomials, ” Pr oc. of IEEE S&P , pp. 596–613, 2022. [51] T . Gong, R. Henry , A. Psomas and A. Kate, “More is Merrier: Relax the Non-Collusion Assumption in Multi-Server PIR, ” Pr oc. of IEEE S&P , pp. 4348-4366, 2024. [52] M. Fischlin, “ A cost-ef fective pay-per-multiplication comparison method for millionaires, ” Pr oc. of CT -RSA , 2001. [53] F . Kerschbaum and O. T erzidis, “Filtering for private collaborative benchmarking, ” Pr oc. of ETRICS , 2006. [54] B. Schoenmakers and P . Tuyls, “Practical two-party computation based on the conditional gate, ” Pr oc. of ASIACRYPT , 2004. [55] X. Chen and L. F . Zhang, “Publicly veriﬁable homomorphic secret sharing for polynomial ev aluation. ” IEEE T rans. Info. F or . Sec. , vol. 18, pp. 4609–4624, 2023. DOI: 10.1109/TIFS.2023.3298258 [56] S. G. Akl and H. Meijer , “ A fast pseudo random permutation generator with applications to cryptology , ” Pr oc. of CRYPT O , 1984. [57] J. H. Friedman, “Stochastic gradient boosting, ” COMPUT . STA T . D A TA. AN. , vol. 38, no. 4, pp. 367-378, 2002. [58] M. Kelly , R. Longjohn, and K. Nottingham. (2017) The UCI machine learning repository. [Online]. A v ailable: https://archive.ics.uci.edu [59] F . Pedregosa et al., “Scikit-learn: machine learning in Python, ” in J. Mach. Learn. Res. , vol. 12, pp. 2825–2830, 2011. [60] V . Shoup. (2021) NTL: A library for doing number theory. [Online]. A vailable: https://libntl.org/ [61] Ookla. (2025) “Speedtest Global Index, ” [Online]. A vailable: https: //www .speedtest.net/global- index/ S U P P L E M E N T A RY M A T E R I A L Recall that in the SFS algorithm, the client downloads the encrypted mapping matrix C M once and reuses it to locally compute C M x via the additive homomorphism of HSS . The key reason the client must hold C M locally is that the computation exploits the client’ s priv ate input x : since x s,i is a known plaintext bit, multiplying C M j,s by x s,i reduces to a conditional selection—either including or excluding C M j,s from the summation without requiring any ciphertext-cipherte xt multiplication. If, howe ver , we wish to delegate this computation entirely to the servers so that the client need only upload her encrypted feature vector without downloading C M , the servers must ev aluate the product of two ciphertexts, namely C M j,s and C x s,i . This operation is not supported by the group-based HSS schemes [34]–[36], whose underlying encryption scheme is linearly homomorphic over a group and therefore admits no ciphertext-cipherte xt multiplication. In contrast, an HSS instantiation based on the RL WE assumption [33] employs a somewhat homomorphic encryption (SHE) scheme as its underlying primitiv e, which supports one le vel of ciphertext- ciphertext multiplication. Under such an instantiation, the client encrypts her feature vector x bit by bit as { C x s,i } via HSS.Input for s ∈ [ n ] , i ∈ [ t ] and uploads the result to the servers; the model provider sends C M directly to the servers rather than making it publicly downloadable. Each server then computes: C ( M x ) j,i ← n X s =1 CMult ( C M j,s , C x s,i ) , for every j ∈ [ m ] , i ∈ [ t ] , where CMult denotes the ciphertext- ciphertext multiplication supported by the underlying SHE scheme, and the summation denotes repeated application of JOURNAL OF L A T E X CLASS FILES, VOL. 14, NO. 8, A UGUST 2021 19 Add . The servers thereby obtain C M x and proceed with the remainder of the protocol as before. The trade-of f, howe ver , is non-trivial. In RL WE-based SHE , each ciphertext-ciphertext multiplication increases the multi- plicativ e depth by one, which causes the ciphertext size to at least double. Consequently , the server -side storage and com- putation costs at least double compared with the group-based instantiation. Furthermore, unlike the original scheme—where the client performs only lightweight local operations using plaintext x and the downloaded C M —the client must now encrypt x under the more expensi ve RL WE-based HSS for ev ery inference. Consequently , this variant is particularly well- suited for deployments characterized by: (i) a large and di verse client population where each client issues only a small number of queries, making amortization of the one-time do wnloading cost ineffecti ve; (ii) resource-constrained or stateless clients (e.g., IoT devices, browser -based applications) that cannot maintain persistent local storage.

Silent Guardians: Independent and Secure Decision Tree Evaluation Without Chatter

Original Paper

Comments & Academic Discussion

Leave a Comment

Original Paper

Related Papers

Comments & Academic Discussion

Leave a Comment