SelectFormer in Data Markets: Privacy-Preserving and Efficient Data Selection for Transformers with Multi-Party Computation

Main weaknesses:

• I don't know the literature extensively, but I wonder if MPCFormer is really the strongest baseline against which we should evaluate SelectFormer (the other baselines, Oracle and Random, are useful to set the delay/accuracy range but are not real alternatives to SelectFormer). Indeed, as the authors note, "MPCFORMER’s model distillation approach is ill-suited to data selection", and I wonder if this is the reason behind MPCFormer's particularly poor accuracy (Table 3). The paper mentions THE-X (Chen et al, 2022), which could be a stronger baseline. Another potentially relevant paper is Bolt, published at S&P 24: https://eprint.iacr.org/2023/1893. I don't know these works in detail, but they might be more amenable to data selection than MPCFormer if they do not rely on data distillation or data-dependent approximations. In short, I am worried that MPCFormer might be a strawman against which SelectFormer shines too easily.
• Another concern is that the techniques proposed in this paper seem to only apply to a quite specific application, namely MPC data selection. Hence, depending on how widespread MPC data selection is, SelectFormer could have a pretty limited impact. Indeed, the authors note that their "MLP approximation is specifically suitable for data selection while impractical for model inference directly", which might limit the applicability of SelectFormer to other problems.
• Finally, I am not an expert in MPC systems, but I am a bit skeptical of the blanket claim that "No prior MPC systems exploit such parallelism". I remember a similar idea being mentioned by Meta in a research whitepaper (https://research.facebook.com/publications/private-computation-framework-2-0/), and a cursory web search returned a preprint showing how "it is possible to carefully orchestrate the computation and communication steps to overlap" in ML MPC training and inference (https://arxiv.org/pdf/2209.13643). The paper might still be making valuable contributions in MPC parallelism, but highlighting such contributions might benefit from a more detailed comparison to prior work.

Minor comments:

• typo: "Note that we cannot directly compare to PUMA Dong et al. (2023), which is designed under 3 compute parties. and three computing parties."
• I can't find the data showing that MPS reduces total delay by 33% to 61%. Is this from the difference between PM and PMT in Figure 6? Maybe this would be easier to break down if there was a delay column in Table 4?

1. The pipeline of the algorithm is not clear. In multi phase selection, why do you need to query the candidate data? Whether or not to select this subset of data depends on the test data performance. It seems that when you train the MLP, except for the selected data, you also generate an Gaussian distribution for the layer, but how to use this distribution to supervise fine-tuning is not clear. In sum, I hope there will be an algorithm pipeline to clearly show each steps and which parameters are hyper-parameters.
2. The results in Table 2 is surprising. Does it mean that MLP is enough and we can drop all non-linear layer since some of your results show that all emulations with MLP outperform no emulations.
3. The gap between MLP and non-linear module is simply shown by the final accuracy of your task, which may contain much randomness. Could you explain the gap in embedding layer? Like how much embedding difference for different layer emulation.
4. The experimental results are not clear. E.g., in Table 3, did you test the model under the same communication and computation budget? In Figure 5, what does 1 phase mean? How many phased do you use in the "ours"? Why not compare your delay with the baseline MPCFormer?
5. Lack of analysis. As your work focus on improving the efficiency and keeping performance, it is important to specifically analyze the computation and communication costs.

The MLP dimensions, proxy layers, and selectivity per round are chosen via grid search, which might limit the practicality of the method. It would be nice to have either "standard" guidance for choosing these parameters or a justification for grid search being practical. See Questions below.

The paper also needs some editing, there are some major typography errors, though I expect this is easy to handle in a revision. For example:

• Line 82, citation to ??
• Line 398 - "under 3 compute parties" appears twice
• Line 498, $d_i$ is not formatted properly

• The paper is not polished or easy to read/understand
• It’s not clear if the paper compares against relevant baselines
• Imprecise threat model and privacy guarantees. The threat model does not clearly specify who should not learn what data
• How does the MPC handle nonlinearities in the MLP?
• The level of formalism in the paper is very low

In your privacy guarantees, please specify who learns or does not learn what information. For instance, if the data holder knows the architecture of the model(s) and they know the ranked entropy of their samples, why can’t they train the model locally on the most informative samples to approximate the private model? This leakage was not explored in the paper, to my knowledge.

The paper’s evaluation considers time-accuracy tradeoffs. However, these are mostly provided implicitly in tables that do not clearly show the tradeoff. It may be helpful to show a plot with selection time on one axis and accuracy on the other, and then see different baselines, including variants of your method. Specifically, based on the results in the Appendix, I think the 1-phase variant with a dimension 2 MLP may do well enough relative to the other hyperparameter settings, especially if you consider its lower delay. But it’s hard to judge from the tables provided. Can you produce this plot and compare it to the suggested hyperparameter settings?

A lot of notation seemed to be undefined or imprecisely defined. This made the paper difficult to read. For instance, in Sec. 4.1, “with a selectivity αi = Si/Si−1” if S_i is a dataset, do you mean the ratio of the cardinalities of S_i and S_{i-1}? In Sec 2.1 and 2.2 -- What is the difference between M_t and M_target? Why do you want to query all the samples in D on M_t instead of M_target? I thought M_t was the finetuned model, which is unknown until you finetune with the selected data? The notation $\hat M_i$ was not defined, and the proxy model was previously defined as $M_p$. And what is $M_g$ in Figure 2? It is not defined until later in the paper, in Section 4.2. But the definition doesn’t match Figure 2 (is it the bottom K or L layers?) What is the difference between $W_i$ and $w_i$?

In the same vein, the paper does not seem to formally write out the MPC algorithm or prove any guarantees.

The paper is missing several relevant references, including one potentially important baseline for comparison:

• Pang et al, “Bolt: Privacy-Preserving, accurate, and efficient inference for transformers” (S&P 2024)

Table 1 is hard to read. Please enlarge. Also what metric is it providing? Please make the table and caption self-contained. This is true also of the tables in the appendix, many of which don't specify what metric they are listing.

Minor comments:

• Intro: “As shown in ??,”
• The section “Workflow” is very difficult to follow—it’s not clear what you mean by ranking samples by entropy, for instance
• The model owner has a private, small validation set, on which she wants to maximize the test accuracy.  Do you mean validation accuracy?
• “offline generate a random triple called Beaver triple Beaver (1992)” wrong type of citation typo

• I am not an expert in MPC and may be missing relevant literature and requirements.