🤖 AI Summary
To address dual privacy leakage risks (of both user inputs and model parameters) in sparse, high-depth decision tree inference under cloud environments, this paper proposes a privacy-preserving inference framework tailored for incomplete trees. Methodologically, it introduces a novel "level-site" distributed model partitioning architecture that splits the decision tree layer by layer along its depth and deploys the partitions across mutually distrusting domains. It further designs a timing-attack-resistant secure comparison protocol, integrated with lightweight secure multi-party computation (MPC) primitives. The framework eliminates cache- and timing-based side-channel vulnerabilities while provably preserving bidirectional privacy. Evaluation shows that the approach reduces average inference latency by 32.7% compared to state-of-the-art baselines, supports secure outsourced deployment, and achieves a strong balance between rigorous security guarantees and practical efficiency.
📝 Abstract
A decision tree is an easy-to-understand tool that has been widely used for classification tasks. On the one hand, due to privacy concerns, there has been an urgent need to create privacy-preserving classifiers that conceal the user's input from the classifier. On the other hand, with the rise of cloud computing, data owners are keen to reduce risk by outsourcing their model, but want security guarantees that third parties cannot steal their decision tree model. To address these issues, Joye and Salehi introduced a theoretical protocol that efficiently evaluates decision trees while maintaining privacy by leveraging their comparison protocol that is resistant to timing attacks. However, their approach was not only inefficient but also prone to side-channel attacks. Therefore, in this paper, we propose a new decision tree inference protocol in which the model is shared and evaluated among multiple entities. We partition our decision tree model by level, and each level is stored in a new entity we refer to as a "level-site." Using this approach, we obtained an improved average run time for classifier evaluation on a non-complete tree, while also having strong mitigations against side-channel attacks.