Speech Processing

Image Analysis

Natural Language Processing

Physical Sciences

• $x$: images, audio, video, text

• $f$: parameters, functional form

• Protect user privacy.
• Prevent unauthorized access.

• Gain user's trust.
• Comply with regulations like GDPR.

• Protect intellectual property.
• Prevent attacks against model.

• Prevent leakage of training data.
• Comply with industry security standards.

• Multiplication
• Addition
• Rotation

Only replace non-linear activations with polynomials.

Limited scope for large computational efficiencies from minor modifications of existing architectures (about 2x-3x).

• MPCNN: Low-Complexity Convolutional Neural Networks on Fully Homomorphic Encryption Using Multiplexed Parallel Convolutions, ICML 2022
• AESPA: Accuracy Preserving Low-degree Polynomial Activation for Fast Private Inference, arXiv 2022
• REDsec: Running Encrypted Discretized Neural Networks in Seconds, NDSS 2023
• Wei Ao and Vishnu Boddeti, AutoFHE: Automated Adaption of CNNs for Efficient Evaluation over FHE, USENIX Security 2024

• Want to process larger images.
  • 112x112 for face recognition
  • 256x256 for image classification


• Encryption slot size is typically $16,384$.
  • Prior work processes 32x32 images.
  • Cannot encode and process high-resolution images.


• Increases computational costs.

• Preventing function leakage


• Obfuscate the noise term.
  • noise flooding
  • bootstrapping


• Randomize the input.
  • add noise

• Amina Bassit and Vishnu Boddeti, PrivaCT: Circuit Privacy in Constant Time for FHE Evaluation of Functions, (Under Review)

• Kernel-based function approximation: $$\hat{f}(x) = \sum_{i=1}^{n} \alpha_{i} K(x, x_i) + \bar{b}$$
  • We adopt RBF kernels $K(x,x_i) = \exp(-\gamma \|x-x_i\|^2)$
• Decompose RBF kernel into scalar functions:
  • $K(x,x_i) = \underbrace{\exp\big(-\gamma \|x\|^2\big)}_{\text{scalar function}} \times \underbrace{\exp\big(-\gamma \|x_i\|^2\big)}_{\text{constant}} \times \underbrace{\prod_{j=1}^{d} \exp(2\gamma x_{i,j} \cdot x_j)}_{\text{product of scalar functions}}$

  $$ K(x,x_i) = \tilde{g_i}(\|x\|^2) \times \prod_{j=1}^{d} g_{i,j}(x_j) $$

• Key Ideas:
• segment the domain
• piecewise low-degree polynomial approximation $$P(X) = \nu_0 + \nu_1 X + \cdots + \nu_n X^n$$
• polynomial evaluation using inner product $$P(X) = \langle \vec{\nu}, \vec{X} \rangle \text{ where } \vec{\nu} = (\nu_0,\nu_1, \cdots,\nu_n) \text{ and } \vec{X} = (1, X, \cdots,X^n)$$

Benefits:
• Low-complexity function supporting FHE evaluation using SIMD property.
• Operands can be independently encrypted.
• Constant-time function evaluation in FHE.
• prevents timing attacks

• Amina Bassit and Vishnu Boddeti, PrivaCT: Circuit Privacy in Constant Time for FHE Evaluation of Functions, (Under Review)

• Existing approaches: high-degree/composite polynomials
• Chebyshev approximation (green curves) $(deg=495)$ [BF24]
• Minmax composite Chebyshev approximation (orange curves) $(degrees = [5,5,5,7,7,7,7,7,27])$ [LL+21]
• PrivaCT's approximation improves with number of segments $(n_{seg})$ for a fixed degree $deg=3$.
  • Achieves lowest Hausdorff distance $(HD = 0.645)$ at $n_{seg}=16$.

PrivaCT adapts with the function's subtle curvatures.