Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

PRISM: Privacy-preserving Inference System with Homomorphic Encryption and Modular Activation

Zeinab Elkhatib, Ali Sekmen, Kamrul Hasan

TL;DR

This work tackles privacy-preserving inference by enabling CNNs to run on encrypted data using CKKS homomorphic encryption. It introduces an HE-friendly CNN architecture and a low-degree polynomial activation (Softplus) obtained via a weighted minimax optimization, with BN folded into weights and a two-stage training/inference framework to minimize encrypted-depth. The method achieves 94.4% accuracy on CIFAR-10 with 2.42 seconds per encrypted sample and demonstrates competitive performance while maintaining data confidentiality, and it scales to CIFAR-100 with adjusted CKKS parameters. These results provide practical guidance for balancing cryptographic efficiency and predictive accuracy in secure deep learning deployments for critical infrastructure and sensitive domains.

Abstract

With the rapid advancements in machine learning, models have become increasingly capable of learning and making predictions in various industries. However, deploying these models in critical infrastructures presents a major challenge, as concerns about data privacy prevent unrestricted data sharing. Homomorphic encryption (HE) offers a solution by enabling computations on encrypted data, but it remains incompatible with machine learning models like convolutional neural networks (CNNs), due to their reliance on non-linear activation functions. To bridge this gap, this work proposes an optimized framework that replaces standard non-linear functions with homomorphically compatible approximations, ensuring secure computations while minimizing computational overhead. The proposed approach restructures the CNN architecture and introduces an efficient activation function approximation method to mitigate the performance trade-offs introduced by encryption. Experiments on CIFAR-10 achieve 94.4% accuracy with 2.42 s per single encrypted sample and 24,000 s per 10,000 encrypted samples, using a degree-4 polynomial and Softplus activation under CKKS, balancing accuracy and privacy.

PRISM: Privacy-preserving Inference System with Homomorphic Encryption and Modular Activation

TL;DR

This work tackles privacy-preserving inference by enabling CNNs to run on encrypted data using CKKS homomorphic encryption. It introduces an HE-friendly CNN architecture and a low-degree polynomial activation (Softplus) obtained via a weighted minimax optimization, with BN folded into weights and a two-stage training/inference framework to minimize encrypted-depth. The method achieves 94.4% accuracy on CIFAR-10 with 2.42 seconds per encrypted sample and demonstrates competitive performance while maintaining data confidentiality, and it scales to CIFAR-100 with adjusted CKKS parameters. These results provide practical guidance for balancing cryptographic efficiency and predictive accuracy in secure deep learning deployments for critical infrastructure and sensitive domains.

Abstract

With the rapid advancements in machine learning, models have become increasingly capable of learning and making predictions in various industries. However, deploying these models in critical infrastructures presents a major challenge, as concerns about data privacy prevent unrestricted data sharing. Homomorphic encryption (HE) offers a solution by enabling computations on encrypted data, but it remains incompatible with machine learning models like convolutional neural networks (CNNs), due to their reliance on non-linear activation functions. To bridge this gap, this work proposes an optimized framework that replaces standard non-linear functions with homomorphically compatible approximations, ensuring secure computations while minimizing computational overhead. The proposed approach restructures the CNN architecture and introduces an efficient activation function approximation method to mitigate the performance trade-offs introduced by encryption. Experiments on CIFAR-10 achieve 94.4% accuracy with 2.42 s per single encrypted sample and 24,000 s per 10,000 encrypted samples, using a degree-4 polynomial and Softplus activation under CKKS, balancing accuracy and privacy.

Paper Structure

This paper contains 10 sections, 17 equations, 2 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Methodology
  4. Selection of Activation Function
  5. Network Architecture Used in the Training Phase
  6. Two-Stage Framework for Training and Encrypted Inference
  7. Plaintext Training Phase
  8. Encrypted Inference Phase
  9. Experimental Setup and Results
  10. Acknowledgement

Figures (2)

  • Figure 1: Complete Model Described
  • Figure 2: Swish, ReLU, and Softplus Activation Function Approximations