Trident: A Secure Framework for Flexible Artificial Intelligence Model Lifecycle Management in Public Clouds

  • Mingyang Zhao
  • Zekai Yu
  • Qiyuan Li
  • Chuan Zhang*
  • Song Guo
  • Bin Xiao

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

The growing demand for computing power drives more artificial intelligence (AI) model owners to outsource their models to public clouds, relying on cloud servers to manage which users can use, train, or upgrade AI models. Unfortunately, existing work cannot manage the entire model lifecycle in public clouds while also considering model stealing attacks, in which cloud servers covertly replicate AI models and deliver AI services to unauthorized users for profit. As a result, model owners are forced to conduct training and upgrades in private environments before deploying models to clouds for service delivery, which poses significant challenges for collaboration and maintenance, particularly for models requiring frequent upgrades. In this paper, we introduce Trident, the first secure cloud-based framework for flexible AI model lifecycle management, covering availability, trainability, and upgradability. By leveraging multiple cryptographic techniques, such as access control trees, Trident binds AI models tightly to their management policies, so that cloud servers can execute only the specified model operations without violating those policies, thereby resisting model stealing attacks. Rather than applying these primitives directly, we address a series of technical challenges, including shifting the focus of access control trees from data management to model management and maintaining downward-compatible model management rights. We propose two detailed constructions, Semi-Trident and Full-Trident, tailored to semi-delegation and full-delegation scenarios respectively, i.e., whether or not model owners need to interact with cloud servers while delivering AI services. Theoretical complexity analysis and security analysis establish the competitive efficiency and security of both constructions. Experimental results show that, compared to assembling existing partial-function schemes, Semi-Trident and Full-Trident achieve around a 3.6× improvement in time cost and a 5× improvement in communication overhead.
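The abstract describes binding a model to per-operation management policies expressed as access control trees, so that only a party whose attributes satisfy the tree for "use", "train", or "upgrade" can obtain that operation. The block below is an added illustration of the generic access-tree idea (threshold gates over attribute leaves, as in attribute-based encryption), not Trident's construction or the authors' code. The operation names, the attribute strings, and the three example policies are assumptions chosen for the illustration; in a real ABE-based scheme the tree would be evaluated implicitly by decryption succeeding or failing, not by a checker the cloud is trusted to run.

```python
"""Generic access-tree policy evaluation for model lifecycle operations.

Added example: illustrates access control trees as used in
attribute-based encryption; it is NOT the Trident construction.
Policies, attribute names and operation names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    """A leaf is satisfied when the requester holds this attribute."""
    attr: str


@dataclass(frozen=True)
class Gate:
    """A k-of-n threshold gate over child nodes (AND: k=n, OR: k=1)."""
    k: int
    children: Tuple["Node", ...]


Node = Union[Leaf, Gate]


def AND(*children: Node) -> Gate:
    return Gate(len(children), tuple(children))


def OR(*children: Node) -> Gate:
    return Gate(1, tuple(children))


def satisfies(node: Node, attrs: FrozenSet[str]) -> bool:
    """Recursively evaluate the access tree against an attribute set."""
    if isinstance(node, Leaf):
        return node.attr in attrs
    if not 1 <= node.k <= len(node.children):
        raise ValueError(f"malformed threshold gate: {node.k}-of-{len(node.children)}")
    satisfied_children = sum(satisfies(child, attrs) for child in node.children)
    return satisfied_children >= node.k


# Hypothetical per-operation policies a model owner might attach to a model.
# Rights are deliberately nested: training needs the owner's org plus an
# engineering role; upgrading additionally needs two of three sign-offs.
POLICIES: Dict[str, Node] = {
    "use": OR(Leaf("role:subscriber"), Leaf("role:developer"), Leaf("org:owner")),
    "train": AND(
        Leaf("org:owner"),
        OR(Leaf("role:developer"), Leaf("role:ml-engineer")),
    ),
    "upgrade": AND(
        Leaf("org:owner"),
        Leaf("role:developer"),
        Gate(2, (Leaf("review:security"), Leaf("review:legal"), Leaf("review:qa"))),
    ),
}


def authorize(operation: str, attrs: Iterable[str], policies: Dict[str, Node] = POLICIES) -> bool:
    """Default-deny: unknown operations and unsatisfied trees both return False."""
    tree = policies.get(operation)
    if tree is None:
        return False
    return satisfies(tree, frozenset(attrs))


def permitted_operations(attrs: Iterable[str], policies: Dict[str, Node] = POLICIES) -> FrozenSet[str]:
    """All lifecycle operations whose policy tree the attribute set satisfies."""
    attr_set = frozenset(attrs)
    return frozenset(op for op, tree in policies.items() if satisfies(tree, attr_set))


if __name__ == "__main__":
    # Constructed sample requesters, including a cloud server holding no attributes.
    for name, attrs in {
        "subscriber": {"role:subscriber"},
        "owner developer": {"org:owner", "role:developer"},
        "owner developer with reviews": {"org:owner", "role:developer", "review:security", "review:qa"},
        "cloud server": set(),
    }.items():
        print(f"{name:30s} -> {sorted(permitted_operations(attrs))}")
```

The point the evaluator makes concrete is that the cloud server, holding no attributes of its own, satisfies none of the trees; a scheme that enforces the tree cryptographically therefore leaves it unable to run the model for unauthorized customers even though it stores the ciphertext. The honest-checker version above is only for understanding the policy structure.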

Original language: English
Journal: IEEE Transactions on Dependable and Secure Computing
Publication status: Accepted/In press - 2025
Externally published: Yes

Keywords

  • Artificial Intelligence
  • Model Lifecycle Management
  • Model Stealing Attacks
  • Policy Enforcement
  • Public Clouds
