Volley Revolver: A Novel Matrix-Encoding Method for Privacy-Preserving Deep Learning (Inference++)

John Chiang

TL;DR

This work tackles the scalability bottleneck of privacy-preserving CNN inference under fully homomorphic encryption by removing the requirement that a single ciphertext contains an entire input image. It introduces Volley Revolver, a multi-ciphertext encoding and computation framework that partitions high-resolution inputs across multiple ciphertexts and employs a novel multi-ciphertext matrix multiplication with specialized encodings and virtual ciphertexts to simulate three-dimensional data structures. The approach preserves the algebraic structure needed for efficient homomorphic convolution and matrix multiplication, enables parallelism across ciphertexts and hardware threads, and extends practical encrypted inference to larger inputs and deeper networks. The authors provide a concrete MNIST demonstration with a practical implementation, detailing architecture, training-in-the-clear, parameter choices, and performance, and they publicize their code, highlighting the method’s potential for real-world privacy-preserving inference.

Abstract

Privacy-preserving inference of convolutional neural networks (CNNs) using homomorphic encryption has emerged as a promising approach for enabling secure machine learning in untrusted environments. In our previous work, we introduced a matrix-encoding strategy that allows convolution and matrix multiplication to be efficiently evaluated over encrypted data, enabling practical CNN inference without revealing either the input data or the model parameters. The core idea behind this strategy is to construct a three-dimensional representation within ciphertexts that preserves the intrinsic spatial structure of both input image data and model weights, rather than flattening them into conventional two-dimensional encodings. However, this approach can operate efficiently only when the number of available plaintext slots within a ciphertext is sufficient to accommodate an entire input image, which becomes a critical bottleneck when processing high-resolution images. In this paper, we address this fundamental limitation by proposing an improved encoding and computation framework that removes the requirement that a single encrypted ciphertext must fully contain one input image. Our method reformulates the data layout and homomorphic operations to partition high-resolution inputs across multiple ciphertexts while preserving the algebraic structure required for efficient convolution and matrix multiplication. As a result, our approach enables privacy-preserving CNN inference to scale naturally beyond the slot-capacity constraints of prior methods, making homomorphic evaluation of CNNs practical for higher-resolution and more complex datasets.

Paper Structure

This paper contains 25 sections, 17 equations, 2 figures, 3 tables, 5 algorithms.

Figures (2)

  • Figure 1: Our matrix multiplication algorithm with $m = 2$, $n = 4$ and $p = 2$
  • Figure 2: Our convolution operation algorithm with $h = 3$, $w = 4$ and $k = 3$