Could you specify how much does Concrete ML protect the model?
Currently, Concrete-ML (v1.0.0) is focused toward protecting users’ privacy at inference time. The model (even once compiled) is transparent and one can see both its parameters (e.g. neural network weights) and it’s computational graph (e.g. neural network architecture).
That being said, it is totally possible to encrypt model’s parameters which grants a protection at the model level.
Note that open problems such as black box attacks remain valid even if parameters are encrypted since a user would know both inputs and outputs to a given query on the encrypted model.
So for the Client to encrypt their data for a particular model, they need the
client.zip file, right? Does it reveal anything about the model to the Client?
The client.zip will reveal the quantization parameters that are needed to transform floating point inputs to integers and FHE model integer outputs to floating point. Furthermore, the client.zip reveals whether any post-processing (like argmax or majority vote) needs to be applied to the FHE circuit outputs.