Secure Diffusion Model Unlocked: Efficient Inference via Score Distillation

We appreciate your insightful comments.

[W1] The techniques for polynomial approximation of nonlinear functions in Section 3.1 appear to have been proposed in previous studies.

We agree that each approximation trick is not novel in a general context. However, our intention is not to propose superior approximation methods for each operation in a general context. Instead, we aim to introduce straightforward approximation techniques specifically tailored for private inference within conditional diffusion models (~1.45B parameters), which entail extensive computations across a wide range of values. Given this challenge, we focus on proposing stable approximations that operate effectively over short value ranges with feasible outcomes.

[W2] I am also concerned about the validity of the experimental evaluation of the proposed method.

To further strengthen our paper, we will add the validation under other architectures with other datasets in the revision. Nevertheless, it is important to emphasize that our current experiments were conducted using MSCOCO-30K, a widely used benchmark dataset for zero-shot text-to-image generation, and Stable Diffusion, a large, standard model that is widely adopted in this field. This ensures that our initial validation was performed under a well-established and representative setting [1-5].

[1] Ramesh, Aditya, et al. "Zero-shot text-to-image generation." International conference on machine learning. ICML, 2021.

[2] Rombach, Robin, et al. "High-resolution image synthesis with latent diffusion models." CVPR, 2022.

[3] Saharia, Chitwan, et al. "Photorealistic text-to-image diffusion models with deep language understanding." NeurIPS, 2022.

[4] Kang, Minguk, et al. "Scaling up gans for text-to-image synthesis." CVPR, 2023.

[5] Chen, Junsong, et al. "PixArt-$\alpha$: Fast Training of Diffusion Transformer for Photorealistic Text-to-Image Synthesis." ICLR, 2024.

[Q1] What are the hyperparameters of the proposed method, and how are they configured to achieve the trade-off between latency and performance?

Hyperparameters of SDU are suggested in lines 320-323. The trade-off between latency and performance is only associated with the number of steps in conditional generation, while other hyperparameters have negligible impact on latency and affect only performance. The trade-off with respect to the number of conditional generation steps is illustrated in Figure 5, where performance is preserved up to 10 steps. However, reducing the number of steps further results in performance degradation.

Specifically, for $m$, our goal is to correct the scores of conditional generation to align with the distribution of the original model. To achieve this, we set $m$ to satisfy that the number of steps used in unconditional generation is equal to the number of steps used in the original model. For example, if the number of steps used for conditional generation is 10 and the original model uses 50 steps, we set $m=5$. Similarly, if the number of steps for conditional generation is 5, we set $m=10$. For the trade-off with respect to $m$, there is almost no trade-off between performance and latency according to $m$ since $m$ does not affect latency significantly. Specifically, the operations for unconditional generation are performed in plaintext space, making them nearly 60 times faster than conditional generation as shown in Table 1. Moreover, since these operations are independent of the user input, they can be precomputed offline. As a result, the impact of $m$ on latency is negligible. However, if $m$ is set to induce that the number of steps used in unconditional generation is smaller than the number of steps used in the original model, distortion in the score values can occur, potentially leading to slight performance degradation. Therefore, since the latency impact of $m$ is negligible compared to the latency of conditional generation, we recommend setting $m$ to achieve that the number of steps used in unconditional generation is equal to the number of steps used in the original model to maintain consistency and avoid performance loss.

[Q2] How robust is the proposed framework across different types of diffusion models?

While the scale of approximations may vary depending on the model, SDU adopts a noise correction approach during the sampling process, making it compatible with any diffusion model architecture. To further enhance our paper, we will add the validation under other architectures in the revision.

We appreciate your constructive feedback.

[W1] The presentation is also confusing and that isn't helping.

We apologize for the unclear definitions. $\epsilon_\theta$ refers to the noise vector predicted by the model based on the input. Specifically, when diffusion models were first proposed, they predicted the mean ($\mu_\theta$) of the latent variable at timestep $t-1$ using the latent variable at the next timestep $t$. However, this approach yielded inferior performance compared to GANs. In DDPM, it was shown that by utilizing the forward process, $\mu_\theta$ can be expressed in terms of $x_0$ and noise ($\epsilon$). Furthermore, minimizing the loss to match $\Vert \mu_\theta - \mu\Vert$ is equivalent—except for a constant scale—to predicting the noise $\Vert\epsilon_\theta - \epsilon\Vert$ directly. Training the model this way enables diffusion models to achieve performance comparable to GANs. In this context, $\epsilon_\theta$ is introduced as the noise prediction of the model. For $\hat \epsilon_\theta$, this indicates the noise predicted by the approximated models. To discriminate it from the prediction of the original model ($\epsilon_\theta$), we use $\hat{\epsilon}_\theta$. We will add definitions of them in the revision.

[W2] There is no novelty specifically in secure computation itself here.

We agree that each approximation trick is not novel in a general context. However, our intention is not to propose superior approximation methods for each operation in a general context. Instead, we aim to introduce straightforward approximation techniques specifically tailored for private inference within conditional diffusion models (~1.45B parameters), which entail extensive computations across a wide range of values. Given this challenge, we focus on proposing stable approximations that operate effectively over short value ranges with feasible outcomes.

[Q9] It is unclear why the encrypted model was not tuned to match the original model from the beginning.

Pre-tuning the encrypted model requires significant additional computational costs. Specifically, SDv1.5 is a large model with 1.45B parameters trained on the extensive LAION-400M dataset consisting of 400M text-image pairs [6]. Pre-tuning such a model on this dataset requires considerable computational resources. In contrast, our SDU does not require additional fine-tuning and requires negligible additional computations since precomputations can be performed offline as mentioned in [W5]. Moreover, our method enables models to reduce denoising steps while improving performance, offering a significant advantage.

[6] Schuhmann, Christoph, et al. "LAION-400M: Open Dataset of CLIP-Filtered 400 Million Image-Text Pairs." NeurIPS Workshop, 2021.

We appreciate your valuable comments.

[W1-3, Q3-8] Concerns about approximation tricks.

Thank you for your detailed and insightful feedback. We agree that an in-depth analysis incorporating recent approximation approaches would make our work solid and strengthen our contributions. However, our intention is not to propose superior approximation methods for each operation in a general context. Instead, we aim to introduce straightforward approximation techniques specifically tailored for private inference within conditional diffusion models (~1.45B parameters), which entail extensive computations across a wide range of values. Given this challenge, we focus on proposing stable approximations that operate effectively over short value ranges with feasible outcomes.

[W4, Q2] The experiments are very limited. There is no comparison with prior research.

To the best of our knowledge, our work is the first to propose private inference on Text-to-Image diffusion models while preserving input privacy through encryption, so there is no prior work for direct comparison. For HE-Diffusion, as mentioned in the main paper, the model provides intermediate vectors from the middle layers to the server without encryption. This setup removes the need for approximation, so the performance drop would be small. However, it has a critical limitation—a privacy vulnerability from inversion attacks. For this reason, we did not include HE-Diffusion as a baseline, since comparison would not be fair. Instead, to demonstrate the effectiveness of our main contribution, SDU, we included varying own baselines. As upper bounds, we used the original model (50 steps) and an approximated model (50 steps). We also presented the performance of the approximated model (10 steps) without SDU as a comparative baseline.

For evaluation datasets, to further strengthen our paper, we will add the validation under other architectures with other datasets in the revision. Nevertheless, it is important to emphasize that our current experiments were conducted using MSCOCO-30K, the most widely used benchmark dataset for zero-shot text-to-image generation, and Stable Diffusion, a large, standard model that is widely adopted in this field. This ensures that our initial validation was performed under a well-established and representative setting [1-5].

[1] Ramesh, Aditya, et al. "Zero-shot text-to-image generation." International conference on machine learning. ICML, 2021.

[2] Rombach, Robin, et al. "High-resolution image synthesis with latent diffusion models." CVPR, 2022.

[3] Saharia, Chitwan, et al. "Photorealistic text-to-image diffusion models with deep language understanding." NeurIPS, 2022.

[4] Kang, Minguk, et al. "Scaling up gans for text-to-image synthesis." CVPR, 2023.

[5] Chen, Junsong, et al. "PixArt-$\alpha$: Fast Training of Diffusion Transformer for Photorealistic Text-to-Image Synthesis." ICLR, 2024.

[W5] The paper does not show any experiments to illustrate the efficiency of SDU.

The efficiency of SDU is demonstrated in Table 1. Compared to the approximated model (50 steps), our approach achieves nearly 5x faster inference, yet it maintains a superior FID score even compared to the original model. This shows that SDU enhances the efficiency of the Stable Diffusion model by enabling effective performance with fewer denoising steps. Additionally, while our method requires an additional 10 seconds during inference due to unconditional generation compared to the approximated model (10 steps), this step is independent of the input conditions and can be precomputed offline. As a result, in actual online inference, this approach effectively reduces the number of denoising steps without incurring any significant additional cost.

[Q1] It is necessary to measure performance in an MPC environment rather than in a plaintext setting.

Since conducting evaluations on MSCOCO-30K in an MPC setting requires an extensive amount of computational resources, we performed quantitative evaluations on the approximated model without encryption and communication. To complement the gap, we conduct experiments in MPC settings for qualitative studies and latency measurements. The qualitative study results, shown in Figures 4 and 6, demonstrate that applying SDU produces higher-quality images compared to the approximated model (50 steps) in MPC settings.