Comparison of Fully Homomorphic Encryption and Garbled Circuit Techniques in Privacy-Preserving Machine Learning Inference

Kalyan Cheerla, Lotfi Ben Othmane, Kirill Morozov

TL;DR

This work conducts a system-level comparison of two PPML inference paradigms, Fully Homomorphic Encryption and Garbled Circuits, by implementing an identical two-layer neural network under both schemes. Using CKKS with SEAL for FHE and TinyGarble2.0 for GC, the study evaluates round-trip time, memory, communication, and output accuracy under a semi-honest model. Key findings show that GC delivers faster, more memory-efficient inference but leaks model structure and requires multiple interaction rounds, whereas FHE provides non-interactive inference with stronger privacy at the cost of substantial computation and memory overhead. The results offer practical guidance on selecting PPML backends based on latency, bandwidth, security, and scalability needs, and point toward hybrid approaches and deeper architectures for future work.

Abstract

Machine Learning (ML) is making its way into fields such as healthcare, finance, and Natural Language Processing (NLP), and concerns over data privacy and model confidentiality continue to grow. Privacy-preserving Machine Learning (PPML) addresses this challenge by enabling inference on private data without revealing sensitive inputs or proprietary models. Two widely studied approaches in this domain, both leveraging secure computation techniques from cryptography, are Fully Homomorphic Encryption (FHE) and Garbled Circuits (GC). This work presents a comparative evaluation of FHE and GC for secure neural network inference. A two-layer neural network (NN) is implemented using the CKKS scheme from the Microsoft SEAL library (FHE) and the TinyGarble2.0 framework (GC) by IntelLabs. Both implementations are evaluated under the semi-honest threat model, measuring inference output error, round-trip time, peak memory usage, communication overhead, and communication rounds. Results reveal a trade-off: modular GC offers faster execution and lower memory consumption, while FHE supports non-interactive inference.

Paper Structure

This paper contains 16 sections, 1 equation, 9 figures, 2 tables, 2 algorithms.

Figures (9)

  • Figure 1: FHE-based inference setup: The client encrypts input $x$ using a public key and sends the ciphertext $enc\_x$, the public key, and the other required keys (but not the secret key) to the server. The server homomorphically evaluates $f$ to get $enc\_y$, which the client decrypts using his secret key to recover $y$.
  • Figure 2: GC-based inference setup: The server garbles the circuit $C$ representing $f$, and both parties engage in an interactive protocol involving label generation, oblivious transfer (OT), transmission of the garbled circuit ($GC$) and garbled tables ($GT$) with metadata, and secure evaluation ($Eval$). Output labels are sent to the client for decoding to obtain the final output $y$.
  • Figure 3: Pipeline view of the GC-based secure inference protocol. This figure depicts the inference pipeline, highlighting party roles, message exchanges, and the sequential evaluation of precompiled circuit netlists.
  • Figure 4: Round-trip time comparison across plain, GC, and FHE modes. The bar chart displays the mean round-trip time for each case on a logarithmic scale. Exact values (in seconds) are shown inside each bar, while slowdown relative to the PLAIN baseline is indicated above the bars as a multiplier. The slowdown is computed as the ratio of each protocol's mean round-trip time to that of the PLAIN baseline, using fixed ordering for fair comparison.
  • Figure 5: Peak memory usage comparison across PLAIN, GC, and FHE protocols. Each bar indicates the mean of the maximum resident set size (MaxRSS) observed across multiple inference runs, where MaxRSS for each run is determined as the higher of the two party-specific memory usages (Alice or Bob). The chart uses a logarithmic scale to visualize large differences in memory footprint across protocols. Relative memory expansion compared to the PLAIN baseline is annotated near or within each bar, computed as the ratio of mean peak memory usage to the PLAIN baseline.
  • ...and 4 more figures