Verifiable deep learning training service

US11816575B2 · US · B2

Patent metadata
Publication number: US-11816575-B2
Application number: US-201816124657-A
Country: US
Kind code: B2
Filing date: Sep 7, 2018
Priority date: Sep 7, 2018
Publication date: Nov 14, 2023
Grant date: Nov 14, 2023

Abstract

Official abstract text for this publication.

Deep learning training service framework mechanisms are provided. The mechanisms receive encrypted training datasets for training a deep learning model, execute a FrontNet subnet model of the deep learning model in a trusted execution environment, and execute a BackNet subnet model of the deep learning model external to the trusted execution environment. The mechanisms decrypt, within the trusted execution environment, the encrypted training datasets and train the FrontNet subnet model and BackNet subnet model of the deep learning model based on the decrypted training datasets. The FrontNet subnet model is trained within the trusted execution environment and provides intermediate representations to the BackNet subnet model which is trained external to the trusted execution environment using the intermediate representations. The mechanisms release a trained deep learning model comprising a trained FrontNet subnet model and a trained BackNet subnet model, to the one or more client computing devices.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, in a data processing system, comprising: executing, by a deep learning training service framework, a FrontNet subnet model of a deep learning model in a trusted execution environment of the deep learning training service framework; executing, by the deep learning training service framework, a BackNet subnet model of the deep learning model in the deep learning training service framework external to the trusted execution environment, wherein the FrontNet subnet model comprises a first predetermined number of consecutive layers of the deep learning model from an input layer of the deep learning model to an intermediate layer, and wherein the BackNet subnet model comprises a second predetermined number of consecutive layers of the deep learning model from a layer, subsequent to the intermediate layer, to an output layer of the deep learning model; decrypting, by a security module executing within the trusted execution environment, one or more encrypted training datasets; training, by training logic of the deep learning training service framework, the FrontNet subnet model and BackNet subnet model of the deep learning model based on the decrypted training datasets, wherein the FrontNet subnet model is trained within the trusted execution environment and provides intermediate representations to the BackNet subnet model which is trained external to the trusted execution environment using the intermediate representations; releasing, by the deep learning training service framework, a trained deep learning model comprising a trained FrontNet subnet model and a trained BackNet subnet model, to one or more client computing devices; and generating, by a fingerprint generation module executing within the trusted execution environment, one or more first fingerprint data structures for the one or more training datasets, wherein each first fingerprint data structure comprises a fingerprint that is a normalized feature embedding of a penultimate layer of the BackNet subnet model.

2. The method of claim 1, wherein: the one or more client computing devices comprises a plurality of computing devices associated with a plurality of different training dataset providers, and wherein the security module executing within the trusted execution environment prevents training dataset providers from accessing training datasets provided by other training dataset providers, and each of the training datasets provided by the different training dataset providers are used during the training of the FrontNet subnet model and the BackNet subnet model of the deep learning model to generate the trained deep learning model, and wherein the same trained deep learning model is released to each of the different training dataset providers with the FrontNet subnet model encrypted with an encryption key specific to the training dataset provider.

3. The method of claim 1, further comprising: receiving, by the deep learning training service framework, the one or more encrypted training datasets from the one or more client computers; and in response to receiving the one or more encrypted training datasets: prior to decrypting the one or more encrypted training datasets, authenticating, by the security module, training dataset providers of the one or more training dataset providers; and discarding, by the security module, any training datasets from training dataset providers that do not pass the authentication from further use during training of the FrontNet subnet model and BackNet subnet model of the deep learning model.

4. The method of claim 3, further comprising, in response to receiving the one or more encrypted training datasets: verifying, by the security module, the integrity of the one or more training datasets; and discarding, by the security module, any training datasets that do not pass the verification from further use during training of the FrontNet subnet model and BackNet subnet model of the deep learning model.

5. The method of claim 1, further comprising: generating, by a fingerprint generation module executing within the trusted execution environment, one or more first fingerprint data structures for the one or more training datasets, wherein each first fingerprint data structure comprises a fingerprint that is a feature embedding of a selected layer of the deep learning model; and storing, by the fingerprint generation module, the generated one or more first fingerprint data structures in an evidence storage.

6. The method of claim 5, further comprising: processing, by the trained deep learning model, new input data to generate an output result and a second fingerprint data structure corresponding to the new input data; receiving, from a client device of the one or more client devices, a query comprising the second fingerprint data structure; searching, by a query module executing in the deep learning training service framework, the evidence storage for a first fingerprint data structure similar to the second fingerprint data structure based on a distance function that measures a similarity between embeddings of the fingerprint data structures in the evidence storage and the second fingerprint data structure, and identifying the first fingerprint data structure as a fingerprint data structure in the evidence storage having a smallest distance; and identifying, by the query module, a training dataset, of the one or more training datasets, and a corresponding training dataset provider based on an entry in the evidence storage corresponding to the first fingerprint data structure.

7. The method of claim 6, further comprising: performing at least one of a debugging operation or a root cause analysis on the trained deep learning model based on the identified training dataset and identified corresponding training dataset provider.

8. The method of claim 1, further comprising: negotiating, with a plurality of the training dataset providers, a customized partitioning point hyperparameter for the training dataset provider prior to training a corresponding instance of the deep learning model, wherein the customized partitioning point defines one of a last intermediate layer of the FrontNet subnet model or a first layer of the BackNet subnet model, and wherein the partitioning point hyperparameter is different for at least two of the training dataset providers; and configuring, for each instance of the deep learning model corresponding to each of the one or more training dataset providers, the first predetermined number of consecutive layers of the FrontNet subnet model and the second predetermined number of consecutive layers of the BackNet subnet model based on the customized partitioning point hyperparameter for the training dataset provider.

9. The method of claim 5, wherein generating one or more first fingerprint data structures for the one or more training datasets comprises generating, for each training data instance in the one or more training datasets, a first fingerprint data structure comprising a tuple data structure that specifies a fingerprint, a class label of the training data instance used to train the deep learning model, a data source identifier, and a hash digest of the training data instance.

10. The method of claim 9, wherein the fingerprint in the tuple data structure is a normalized feature embedding of a penultimate layer of the BackNet subnet model.

11. The method of claim 1, further comprising: processing a query comprising a second fingerprint data structure based on the one or more first fingerprint data structures to identify a training dataset corresponding to a first fingerprint data structure based on a similarity evaluation of the fingerpr
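
The fingerprint tuple of claims 9 and 10 and the smallest-distance lookup of claim 6, sketched as an added example (not code from the patent or its assignee). L2 normalization, Euclidean distance, SHA-256, the digest re-check and every name and sample value below are assumptions; the claims say only "normalized", "a distance function" and "a hash digest".

```python
import hashlib
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class FingerprintRecord:
    fingerprint: tuple   # normalized penultimate-layer embedding (claim 10)
    class_label: str     # label used during training (claim 9)
    source_id: str       # data source / provider identifier (claim 9)
    digest: str          # hash digest of the training instance (claim 9)

def l2_normalize(vec):
    # Assumed normalization: scale the embedding to unit Euclidean length.
    norm = math.sqrt(sum(x * x for x in vec))
    if norm == 0:
        raise ValueError("zero embedding cannot be normalized")
    return tuple(x / norm for x in vec)

def make_record(embedding, class_label, source_id, raw_bytes):
    # Built inside the TEE in the claimed design, where plaintext is visible.
    return FingerprintRecord(l2_normalize(embedding), class_label, source_id,
                             hashlib.sha256(raw_bytes).hexdigest())

def l2_distance(a, b):
    if len(a) != len(b):
        raise ValueError("embedding dimensions differ")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def query(evidence, embedding):
    # Claim 6: return the stored record with the smallest distance to the query.
    if not evidence:
        return None
    q = l2_normalize(embedding)
    best = min(evidence, key=lambda r: l2_distance(r.fingerprint, q))
    return best, l2_distance(best.fingerprint, q)

def verify_instance(record, raw_bytes):
    # Assumed use of the digest field: confirm that a training instance
    # produced later is the one the record was generated from.
    return record.digest == hashlib.sha256(raw_bytes).hexdigest()

# Constructed evidence storage: three instances from two hypothetical providers.
EVIDENCE = [
    make_record([0.9, 0.1, 0.0], "cat", "provider-A", b"constructed-image-001"),
    make_record([0.1, 0.9, 0.1], "dog", "provider-B", b"constructed-image-002"),
    make_record([0.8, 0.2, 0.6], "cat", "provider-B", b"constructed-image-003"),
]

if __name__ == "__main__":
    # Constructed embedding of a new input, e.g. a suspected mislabelled sample.
    match, dist = query(EVIDENCE, [0.7, 0.2, 0.5])
    print(match.source_id, match.class_label, round(dist, 4))
```

Because the lookup resolves to a provider identifier and a digest rather than to plaintext, the store can support the debugging or root-cause step of claim 7 without holding the training data itself.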

Classifications

  • Supervised learning
  • Distributed learning, e.g. federated learning
  • Feedforward networks
  • G06N3/084 (Primary): Backpropagation, e.g. using gradient descent
  • Providing cryptographic facilities or services

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification G06N3/084. Mapped technology areas include Physics.
When was this patent published?
Publication date Nov 14, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).