Intelligent data privacy protection encryption inference method

By employing dual privacy masking and encryption on the user end, combined with a hybrid encrypted inference model and dynamic memory isolation technology, the problems of data privacy leakage and real-time performance in cloud-based inference mode are solved, achieving end-to-end encrypted processing and efficient and secure computation.

CN122247698A · Pending · Publication Date: 2026-06-19 · 陈世恩

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
陈世恩
Filing Date
2026-03-30
Publication Date
2026-06-19


Abstract

This invention provides an intelligent data privacy protection encrypted inference method, relating to the interdisciplinary fields of artificial intelligence and information security. Its key features include: the user terminal generating a random mask and session key for the current session; and using the random mask to perform a first layer of privacy masking on the original sensitive data to generate masked data. The advantages of this invention are: through a dual protection mechanism of "random masking + lightweight homomorphic encryption," encrypted processing of data is achieved throughout transmission, storage, and computation, completely eliminating the risk of plaintext leakage in the cloud. Simultaneously, by utilizing operator fusion, polynomial approximation, and heterogeneous parallel acceleration technologies, the computational overhead and latency of fully homomorphic encryption are significantly reduced. While ensuring privacy compliance for highly sensitive data in fields such as medical and financial sectors, it successfully balances security and real-time performance, solving the end-to-end privacy security bottleneck of cloud-based inference.

Description

Technical Field

[0001] This invention relates to the interdisciplinary field of artificial intelligence and information security, and in particular to an intelligent data privacy protection encrypted inference method.

Background Technology

[0002] In recent years, artificial intelligence technology has developed rapidly, and cloud-based inference and data outsourcing have become mainstream application models, widely used in fields such as healthcare, finance, government affairs, and personal services. Due to limited local computing power and high model deployment costs, many demanding users, such as medical institutions and financial institutions, as well as ordinary individual users, have had to upload highly sensitive data such as medical images, financial data, and facial images to the cloud, relying on powerful computing capabilities to complete complex inference tasks such as image recognition, risk prediction, and intelligent diagnosis, in order to overcome hardware and performance bottlenecks.

[0003] Currently, mainstream "cloud-based inference" and "data outsourcing" models are facing severe privacy and security challenges. Under these models, users are forced to upload sensitive plaintext data to cloud servers, leading to multiple leakage risks throughout the entire process: First, during transmission, data is highly susceptible to man-in-the-middle (MitM) attacks, allowing for eavesdropping or tampering; second, during storage, cloud data typically resides in plaintext, meaning that if the database is compromised or internal personnel misuse it, massive amounts of privacy will be directly exposed; more critically, during computation, the CPU / GPU must read the plaintext data to perform inference, leaving the data instantly "naked" during cloud processing, theoretically giving cloud service providers the ability to view users' raw data.

[0004] While existing technologies attempt to introduce fully homomorphic encryption for ciphertext inference, their enormous computational overhead and high latency make them unsuitable for real-time requirements. Secure multi-party computation schemes, on the other hand, are limited by communication complexity and node coordination bottlenecks, hindering large-scale deployment. Furthermore, some existing schemes offer insufficient protection for intermediate feature maps during the inference process, allowing attackers to still reverse engineer user input by analyzing memory data. Simultaneously, models deployed in the cloud are themselves vulnerable to reverse engineering or theft. Therefore, addressing the leakage of transmission, storage, and computation processes caused by plaintext uploads while ensuring data privacy compliance (such as GDPR) in high-risk sectors like healthcare and finance, and balancing security and real-time performance, has become a critical technological bottleneck that urgently needs to be overcome.

Summary of the Invention

[0005] The purpose of this invention is to provide an intelligent data privacy protection encrypted inference method, which solves the full-link privacy and security risks in the cloud inference mode caused by the requirement for users to upload plaintext data, such as transmission eavesdropping, cloud storage leakage, "naked" calculation process, and reverse inference of intermediate features. At the same time, it overcomes the problems of high computational overhead of homomorphic encryption and high complexity of multi-party communication, which makes it difficult to meet real-time requirements.

[0006] To achieve the above-mentioned objectives, the technical solution adopted by this invention is as follows:

[0007] The intelligent data privacy protection encrypted inference method is characterized by comprising: generating a random mask and a session key for the current session on the user terminal; performing a first layer of privacy masking processing on the original sensitive data using the random mask to generate masked data; performing a second layer of encryption processing on the masked data using the session key to generate final ciphertext data; and uploading the final ciphertext data to a cloud inference server.

[0008] The cloud-based inference server loads a pre-built hybrid cryptographic inference model within a Trusted Execution Environment (TEE), which includes linear operators and nonlinear approximation operators adapted for cryptographic operations.

[0009] The cloud-based inference server directly performs forward propagation calculations on the data using the hybrid encryption inference model without decrypting the final ciphertext data. The linear layer calculations are performed directly in the ciphertext domain or mask domain based on the algebraic properties of the masked data, while the nonlinear layer calculations are performed using polynomial approximation or garbled circuit techniques. The entire process generates intermediate feature maps in the ciphertext or mask state and the final ciphertext inference result.

[0010] During the computation process, an independent, dynamically encrypted memory page is allocated to store the intermediate feature map for the current inference task, and the stored content is subjected to real-time secondary random perturbation to prevent memory dump attacks.

[0011] The cloud-based inference server employs a constant-time execution strategy and a random noise-filling mechanism to perform ciphertext computation and returns the final encrypted inference result to the user.

[0012] The user terminal uses the session key and random mask to decrypt and reverse the masking of the received results in sequence to obtain the plaintext inference result.

[0013] As an improvement, the first layer of privacy masking process adopts an additive secret sharing or XOR secret sharing mechanism to split the original sensitive data into at least two shares, wherein the first share is used as masking data to participate in subsequent encryption, and the second share is retained locally by the user.

[0014] The second layer of encryption uses a lightweight homomorphic encryption algorithm or a lattice-based encryption scheme to support direct addition and restricted multiplication operations on the masked data in the cloud.

[0015] As an improvement, secure model deployment steps are also included:

[0016] The model owner performs an equivalent transformation on the weight parameters of the original deep learning model, absorbing the mathematical effects of the random mask into the bias terms or weight matrix of the linear layer to generate the transformed encrypted weights.

[0017] The encrypted weights are encapsulated and embedded into the Trusted Execution Environment (TEE) of the cloud inference server to ensure that the model parameters are not exposed in plaintext form in the regular memory space outside the TEE during instantiation and operation.

[0018] As an improvement, the hybrid cryptographic inference model implements an operator fusion strategy:

[0019] Combining consecutive linear encryption operators into a single composite operator reduces the number of ciphertext expansions and communication rounds.

[0020] For nonlinear activation functions that do not support direct ciphertext-state operations, the scheme with the best polynomial approximation fit is dynamically selected, or the garbled circuit module of the secure multi-party computation protocol is enabled for alternative computation, and a unified data format conversion is implemented at the computation switching point.
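The algebra behind paragraphs [0009], [0016] and [0019], as an added example that is not taken from the patent: additive masking over a ring, showing that linear layers (fused or not) commute with the mask while ReLU does not, which is why [0020] needs a separate treatment for nonlinear layers. The modulus, the fixed-point scale, all function names and the sample values are assumptions made for illustration, and the second-layer homomorphic encryption is left out.

```python
import secrets

Q = 2**64      # assumed ring modulus; the patent does not fix one
SCALE = 2**10  # assumed fixed-point scale per multiplication level


def encode(v, level=1):
    """Fixed-point encode a real number at SCALE**level into Z_Q."""
    return round(v * SCALE**level) % Q


def decode(u, level):
    """Decode a Z_Q element as a signed fixed-point number."""
    return (u - Q if u >= Q // 2 else u) / SCALE**level


def mask(x):
    """First-layer masking: x' = x + r (mod Q) with a fresh uniform r."""
    r = [secrets.randbelow(Q) for _ in x]
    return [(xi + ri) % Q for xi, ri in zip(x, r)], r


def linear(W, b, x):
    """Evaluate y = W x + b over Z_Q."""
    return [(sum(w * xi for w, xi in zip(row, x)) + bi) % Q
            for row, bi in zip(W, b)]


def fuse(W2, b2, W1, b1):
    """Merge two linear layers into one: (W2 W1) x + (W2 b1 + b2)."""
    cols = list(zip(*W1))
    W = [[sum(a * c for a, c in zip(row, col)) % Q for col in cols]
         for row in W2]
    return W, linear(W2, b2, b1)


def unmask(y_masked, W, r):
    """Client-side demasking: subtract the mask's image W r."""
    Wr = linear(W, [0] * len(W), r)
    return [(y - c) % Q for y, c in zip(y_masked, Wr)]


def absorb_mask(W, b, r):
    """Bias transform b' = b - W r, so that W x' + b' = W x + b.
    The output is then no longer masked; it is protected only by
    whatever encryption or enclave wraps the computation."""
    Wr = linear(W, [0] * len(W), r)
    return [(bi - c) % Q for bi, c in zip(b, Wr)]


def relu(x):
    """ReLU on signed Z_Q elements (upper half of the ring is negative)."""
    return [xi if xi < Q // 2 else 0 for xi in x]


def demo():
    # Constructed sample model and input (not from the patent).
    W1 = [[encode(0.5), encode(-1.25)], [encode(2.0), encode(0.75)]]
    b1 = [encode(0.25, 2), encode(-1.0, 2)]
    W2 = [[encode(1.5), encode(-0.5)]]
    b2 = [encode(3.0, 3)]
    x = [encode(1.5), encode(-2.0)]

    plain = linear(W2, b2, linear(W1, b1, x))
    W, b = fuse(W2, b2, W1, b1)
    x_masked, r = mask(x)
    server_out = linear(W, b, x_masked)  # the server never sees x
    recovered = unmask(server_out, W, r)
    absorbed = linear(W, absorb_mask(W, b, r), x_masked)

    # ReLU does not commute with the mask (fixed r for a repeatable case).
    r_fixed = [5000, 5000]
    xm = [(xi + ri) % Q for xi, ri in zip(x, r_fixed)]
    relu_wrong = [(v - ri) % Q for v, ri in zip(relu(xm), r_fixed)]
    return {
        "plain": [decode(v, 3) for v in plain],
        "recovered": [decode(v, 3) for v in recovered],
        "absorbed": [decode(v, 3) for v in absorbed],
        "relu_plain": [decode(v, 1) for v in relu(x)],
        "relu_masked_then_unmasked": [decode(v, 1) for v in relu_wrong],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both `unmask` and `absorb_mask` need W and r in the same place; the patent text does not say which party computes W·r, so any deployment has to decide that explicitly.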

[0021] As an improvement, the aforementioned dynamic encrypted memory protection specifically includes:

[0022] Allocate a separate memory page with a non-contiguous physical address for each concurrent inference thread. Access to this memory page is only open to the inference process within the current TEE.

[0023] After each layer of network computation is completed, a secondary random mask related to the current computation context is immediately applied to the generated intermediate feature map, so that even if an attacker obtains the physical image in memory, they will not be able to restore the effective feature information through differential analysis.

[0024] Immediately after the current inference task is completed, destroy the independent memory page and all associated random mask generation seeds.

[0025] As an improvement, the aforementioned anti-side-channel attack mechanism specifically includes:

[0026] Monitor the execution time of ciphertext operations. If the actual calculation time is less than the preset standard time window, insert a no-operation instruction to fill it in, ensuring that the total execution time for all input data is constant.

[0027] Introducing random voltage fluctuations or dummy computational loads into power-sensitive regions masks the differences in energy consumption characteristics caused by different input data, preventing the inference of original inputs or model weights through power analysis.
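The time-window padding of paragraph [0026], as an added example that is not the patent's implementation: a wrapper that pads every call up to a window boundary, including calls that raise, and counts overruns. The class and function names, the injectable clock and the rounding of overruns up to the next whole window are assumptions that go beyond the text; the wrapper equalizes only wall-clock latency and does nothing for the power channel of [0027].

```python
import math
import time


class FixedWindow:
    """Pad every call to a whole number of `window` seconds.

    clock and sleep are injectable so the behaviour can be checked
    deterministically; the defaults use the monotonic clock.
    """

    def __init__(self, window, clock=time.monotonic, sleep=time.sleep):
        if window <= 0:
            raise ValueError("window must be positive")
        self.window = window
        self.clock = clock
        self.sleep = sleep
        self.overruns = 0  # calls whose work did not fit in one window

    def run(self, fn, *args):
        start = self.clock()
        try:
            return fn(*args)
        finally:
            # Runs on success and on exception, so the error path
            # is not distinguishable by latency either.
            elapsed = self.clock() - start
            # An overrun is rounded up to the next boundary: it then
            # leaks "how many windows", not the exact duration.
            slots = max(1, math.ceil(elapsed / self.window))
            if slots > 1:
                self.overruns += 1  # signal that the window is too small
            pad = slots * self.window - elapsed
            if pad > 0:
                self.sleep(pad)


class FakeClock:
    """Constructed test clock: time advances only when told to."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, dt):
        self.now += dt


def observed_durations(costs, window=1.0):
    """Return what an outside observer would time for each call."""
    clk = FakeClock()
    fw = FixedWindow(window, clock=clk, sleep=clk.advance)
    seen = []
    for cost in costs:
        t0 = clk()
        fw.run(clk.advance, cost)  # the "work" just consumes `cost` seconds
        seen.append(clk() - t0)
    return seen, fw.overruns


if __name__ == "__main__":
    # Constructed costs: two inputs that fit the window, one that overruns.
    print(observed_durations([0.25, 0.75, 1.5]))
```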

[0028] As an improvement, a two-way enhanced identity authentication process is also included:

[0029] The client and the cloud inference server negotiate and generate a temporary session key based on elliptic curve cryptography.

[0030] Both parties exchange digital certificates containing hardware fingerprint information to verify identity legitimacy and establish a secure transmission channel bound to a specific session ID to ensure that only authorized users can initiate requests and only legitimate cloud nodes can receive data.

[0031] As an improvement, to meet real-time requirements, the computation process adopts a heterogeneous parallel acceleration strategy:

[0032] Utilize the parallel computing units of GPUs or dedicated encryption accelerator cards (ASICs) to perform block-based parallel inference on batch-processed ciphertext data;

[0033] The encryption strength is dynamically adjusted based on the data sensitivity. A fully homomorphic encryption path is used for highly sensitive feature areas, while a lightweight masking path is used for low-sensitivity or non-critical areas. The encrypted results are then fused and output at the cloud security gateway.

[0034] An intelligent data privacy protection encrypted inference system is characterized by comprising: a user terminal module configured to generate a random mask and session key, perform dual privacy masking and encryption of data, and decrypt and demask the results;

[0035] The secure transmission module is configured to establish a two-way authenticated encrypted communication channel between the user terminal module and the cloud inference server to prevent man-in-the-middle attacks and replay attacks.

[0036] The cloud-based inference service module is equipped with a Trusted Execution Environment (TEE) and a hybrid encrypted inference model. It is configured to receive ciphertext data within the TEE, perform encrypted / masked state calculations without any plaintext throughout the process, and implement dynamic memory isolation protection.

[0037] The model security management module is configured to perform weight equivalence transformation, encrypted storage, integrity verification, and anti-reverse engineering protection on cloud-based models.

[0038] A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the steps of the intelligent data privacy-preserving inference method based on hybrid ciphertext-state computation and dynamic memory isolation as described in any one of claims 1 to 8.

[0039] The beneficial effects of this invention are as follows: through the dual protection mechanism of "random masking + lightweight homomorphic encryption", the encrypted processing of data is achieved throughout the transmission, storage and computing process, completely eliminating the risk of plaintext leakage in the cloud.

[0040] By combining a TEE trusted environment, dynamic encrypted memory isolation, and anti-side-channel attack strategies, it effectively defends against advanced attacks such as memory dumping, differential analysis, and power consumption analysis.

[0041] Meanwhile, by utilizing operator fusion, polynomial approximation, and heterogeneous parallel acceleration technologies, the computational overhead and latency of fully homomorphic encryption are significantly reduced. While ensuring the privacy and compliance of highly sensitive data in medical, financial, and other fields, a balance between security and real-time performance is successfully achieved, solving the end-to-end privacy and security bottleneck of cloud inference.

Attached Figure Description

[0042] Figure 1 is an overall flowchart of the intelligent data privacy protection encrypted inference method of the present invention.

[0043] Figure 2 is an overall architecture diagram of the intelligent data privacy protection encrypted inference system of the present invention.

Detailed Implementation

[0044] To make the content of this invention easier to understand, the technical solutions of the embodiments of this invention will be clearly and completely described below with reference to the accompanying drawings. Identical components are represented by the same reference numerals. It should be noted that the terms "front," "rear," "left," "right," "up," and "down" used in the following description refer to directions in the accompanying drawings, while the terms "inner" and "outer" refer to directions toward or away from the geometric center of a specific component, respectively.

[0045] As shown in Figure 1, the intelligent data privacy protection encrypted inference method is characterized by the following steps: The user terminal generates a random mask and session key for the current session; the random mask is used to perform a first layer of privacy masking on the original sensitive data to generate masked data; the session key is used to perform a second layer of encryption on the masked data to generate final ciphertext data; the final ciphertext data is uploaded to a cloud inference server; the cloud inference server loads a pre-built hybrid encrypted inference model within a Trusted Execution Environment (TEE), the model including linear operators and nonlinear approximation operators adapted for encrypted operations; the cloud inference server directly uses the hybrid encrypted inference model to perform forward propagation calculations on the data without decrypting the final ciphertext data; wherein, the linear layer calculation is performed directly in the encrypted or masked domain based on the algebraic properties of the masked data, and the nonlinear layer calculation is performed using polynomial approximation or garbled circuit techniques, generating intermediate feature maps of the encrypted or masked states and the final encrypted inference result throughout the process;

[0046] During the computation process, an independent dynamic encrypted memory page is allocated to store the intermediate feature map for the current inference task, and the stored content is subjected to real-time secondary random perturbation to prevent memory dump attacks. The cloud inference server introduces a constant-time execution strategy and a random noise filling mechanism to perform ciphertext operations and returns the final encrypted inference result to the user. The user uses the session key and random mask to decrypt and reverse demask the received result in turn to obtain the plaintext inference result.

[0047] Secondly, the first layer of privacy masking uses an additive secret sharing or XOR secret sharing mechanism to split the original sensitive data into at least two shares. The first share is used as masking data for subsequent encryption, while the second share is retained locally by the user. The second layer of encryption uses a lightweight homomorphic encryption algorithm or a lattice-based encryption scheme to support direct addition and restricted multiplication operations on the masking data in the cloud.

[0048] In addition, it includes the following steps for secure model deployment: The model owner performs an equivalent transformation on the weight parameters of the original deep learning model, absorbs the mathematical effect of the random mask into the bias term or weight matrix of the linear layer, and generates the transformed encrypted weights; the encrypted weights are encapsulated and embedded into the Trusted Execution Environment (TEE) of the cloud inference server to ensure that the model parameters are not exposed in plaintext form in the regular memory space outside the TEE during instantiation and operation.

[0049] In other words, the hybrid cryptographic inference model implements an operator fusion strategy: it merges consecutive linear cryptographic operators into a composite operator to reduce the number of ciphertext expansions and communication rounds; for nonlinear activation functions that do not support direct cryptographic operations, it dynamically selects the scheme with the highest polynomial approximation fit or enables the garbled circuit module of the secure multi-party computation protocol for alternative computation, and implements a unified data format conversion at the computation switching point.

[0050] Secondly, the dynamic encrypted memory protection specifically includes: allocating independent memory pages with non-contiguous physical addresses to each concurrent inference thread, with access permissions for these memory pages only open to the inference process within the current TEE; immediately applying a secondary random mask related to the current computation context to the generated intermediate feature map after each layer of network computation is completed, so that even if an attacker obtains the physical image of the memory, they cannot reconstruct the effective feature information through differential analysis; and immediately destroying the independent memory pages and all related random mask generation seeds after the current inference task ends.

[0051] As shown in Figure 1, the anti-side-channel attack mechanism specifically includes: monitoring the execution time of ciphertext operations; if the actual computation time is less than a preset standard time window, inserting no-operation instructions to fill the gap, ensuring that the total execution time corresponding to all input data is constant; introducing random voltage fluctuations or dummy computational loads in power-sensitive areas to mask the differences in energy consumption characteristics caused by different input data, preventing the inference of original inputs or model weights through power analysis. It also includes a two-way enhanced authentication process: the user terminal and the cloud inference server negotiate and generate a temporary session key based on elliptic curve cryptography; both parties exchange digital certificates containing hardware fingerprint information to verify identity legitimacy and establish a secure transmission channel bound to a specific session ID, ensuring that only authorized users can initiate requests and only legitimate cloud nodes can receive data.

[0052] As shown in Figure 1, to meet real-time requirements, the computation process adopts a heterogeneous parallel acceleration strategy: the parallel computing units of GPUs or dedicated encryption accelerator cards (ASICs) are used to perform block-based parallel inference on the batch-processed ciphertext data; the encryption strength is dynamically adjusted according to the data sensitivity, a fully homomorphic encryption path is used for highly sensitive feature regions, and a lightweight mask path is used for low-sensitivity or non-critical regions, and the fusion output of the encrypted results is completed at the cloud security gateway.

[0053] As shown in Figure 2, the intelligent data privacy protection encrypted inference system is characterized by comprising: a user terminal module configured to generate random masks and session keys, perform dual privacy masking and encryption of execution data, and decrypt and demask the results; a secure transmission module configured to establish a two-way authenticated encrypted communication channel between the user terminal module and the cloud inference server to prevent man-in-the-middle attacks and replay attacks; a cloud inference service module, which deploys a Trusted Execution Environment (TEE) and a hybrid encrypted inference model, configured to receive ciphertext data within the TEE, perform encrypted / masked state calculations without plaintext throughout the process, and implement dynamic memory isolation protection; and a model security management module configured to perform weight equivalence transformation, encrypted storage, integrity verification, and anti-reverse engineering protection on the cloud model.

[0054] A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the steps of the intelligent data privacy-preserving inference method based on hybrid ciphertext-state computation and dynamic memory isolation as described in any one of claims 1 to 8.

[0055] In the implementation process, firstly, the client generates a unique random mask and session key for each session. An additive or XOR secret sharing mechanism is used to perform the first layer of privacy masking on the original sensitive data, generating masked data. Then, a lightweight encryption scheme based on lattice cryptography is used for the second layer of encryption on this masked data, forming the final ciphertext data, which is then uploaded to the cloud inference server through a secure two-way authentication channel. The cloud server loads a hybrid encrypted inference model with equivalent transformations within a Trusted Execution Environment (TEE). This model incorporates the mathematical effects of the random mask into the linear layer parameters, enabling the server to directly perform forward propagation calculations on the ciphertext data without decryption. The computation process involves several layers. The linear layer utilizes the algebraic properties of the masked data to execute directly in the ciphertext or masked domain, while the nonlinear layer employs polynomial approximation or garbled circuit techniques. During computation, each inference task is allocated an independent dynamically encrypted memory page. Immediately after each layer's computation, a second random perturbation is applied to the intermediate feature map. A constant-time execution strategy and a random noise filling mechanism are used to defend against side-channel attacks. After computation, the cloud returns the ciphertext inference result to the user. The user then uses the locally stored session key and random mask to decrypt and demask the data sequentially, ultimately obtaining the plaintext inference result. Throughout the process, it is ensured that the original data, intermediate features, and model parameters are never exposed in plaintext form in the cloud's regular memory or transmission links.

[0056] The above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. An intelligent data privacy-preserving encrypted inference method, characterized in that it includes: The user client generates a random mask and a session key for this session. The random mask is used to perform a first layer of privacy masking on the original sensitive data to generate masked data. The session key is used to perform a second layer of encryption on the masked data to generate final ciphertext data. The final ciphertext data is then uploaded to the cloud inference server. The cloud-based inference server loads a pre-built hybrid cryptographic inference model within a Trusted Execution Environment (TEE), which includes linear operators and nonlinear approximation operators adapted for cryptographic operations. The cloud-based inference server directly performs forward propagation calculations on the data using the hybrid encryption inference model without decrypting the final ciphertext data. The linear layer calculations are performed directly in the ciphertext domain or mask domain based on the algebraic properties of the masked data, while the nonlinear layer calculations are performed using polynomial approximation or garbled circuit techniques. The entire process generates intermediate feature maps in the ciphertext or mask state and the final ciphertext inference result. During the computation process, an independent, dynamically encrypted memory page is allocated to store the intermediate feature map for the current inference task, and the stored content is subjected to real-time secondary random perturbation to prevent memory dump attacks. The cloud-based inference server employs a constant-time execution strategy and a random noise-filling mechanism to perform ciphertext computation and returns the final encrypted inference result to the user. The user terminal uses the session key and random mask to decrypt and reverse the masking of the received results in sequence to obtain the plaintext inference result.

2. The intelligent data privacy protection encrypted inference method according to claim 1, characterized in that the first layer of privacy masking process uses an additive secret sharing or XOR secret sharing mechanism to split the original sensitive data into at least two shares, where the first share is used as masking data to participate in subsequent encryption, and the second share is retained locally by the user. The second layer of encryption uses a lightweight homomorphic encryption algorithm or a lattice-based encryption scheme to support direct addition and restricted multiplication operations on the masked data in the cloud.

3. The intelligent data privacy protection encrypted inference method according to claim 2, characterized in that it also includes steps for secure model deployment: The model owner performs an equivalent transformation on the weight parameters of the original deep learning model, absorbing the mathematical effects of the random mask into the bias terms or weight matrix of the linear layer to generate the transformed encrypted weights. The encrypted weights are encapsulated and embedded into the Trusted Execution Environment (TEE) of the cloud inference server to ensure that the model parameters are not exposed in plaintext form in the regular memory space outside the TEE during instantiation and operation.

4. The intelligent data privacy protection encrypted inference method according to claim 3, characterized in that the hybrid cryptographic inference model executes an operator fusion strategy: Combining consecutive linear encryption operators into a single composite operator reduces the number of ciphertext expansions and communication rounds. For nonlinear activation functions that do not support direct ciphertext-state operations, the scheme with the best polynomial approximation fit is dynamically selected, or the garbled circuit module of the secure multi-party computation protocol is enabled for alternative computation, and a unified data format conversion is implemented at the computation switching point.

5. The intelligent data privacy protection encrypted inference method according to claim 1, characterized in that the aforementioned dynamic encrypted memory protection specifically includes: Allocate a separate memory page with a non-contiguous physical address for each concurrent inference thread. Access to this memory page is only open to the inference process within the current TEE. After each layer of network computation is completed, a secondary random mask related to the current computation context is immediately applied to the generated intermediate feature map, so that even if an attacker obtains the physical image in memory, they will not be able to restore the effective feature information through differential analysis. Immediately after the current inference task is completed, destroy the independent memory page and all associated random mask generation seeds.

6. The intelligent data privacy protection encrypted inference method according to claim 1, characterized in that the aforementioned anti-side-channel attack mechanism specifically includes: Monitor the execution time of ciphertext operations. If the actual calculation time is less than the preset standard time window, insert a no-operation instruction to fill it in, ensuring that the total execution time for all input data is constant. Introducing random voltage fluctuations or dummy computational loads into power-sensitive regions masks the differences in energy consumption characteristics caused by different input data, preventing the inference of original inputs or model weights through power analysis.

7. The intelligent data privacy protection encrypted inference method according to claim 2, characterized in that it also includes a two-way enhanced identity authentication process: The client and the cloud inference server negotiate and generate a temporary session key based on elliptic curve cryptography. Both parties exchange digital certificates containing hardware fingerprint information to verify identity legitimacy and establish a secure transmission channel bound to a specific session ID to ensure that only authorized users can initiate requests and only legitimate cloud nodes can receive data.

8. The intelligent data privacy protection encrypted inference method according to claim 4, characterized in that, to meet real-time requirements, the computation process employs a heterogeneous parallel acceleration strategy: Utilize the parallel computing units of GPUs or dedicated encryption accelerator cards (ASICs) to perform block-based parallel inference on batch-processed ciphertext data; The encryption strength is dynamically adjusted based on the data sensitivity. A fully homomorphic encryption path is used for highly sensitive feature areas, while a lightweight masking path is used for low-sensitivity or non-critical areas. The encrypted results are then fused and output at the cloud security gateway.

9. An intelligent data privacy-protecting encrypted inference system, characterized in that it includes: The user terminal module is configured to generate random masks and session keys, perform dual privacy masking and encryption of data, and decrypt and demask the results. The secure transmission module is configured to establish a two-way authenticated encrypted communication channel between the user terminal module and the cloud inference server to prevent man-in-the-middle attacks and replay attacks. The cloud-based inference service module is equipped with a Trusted Execution Environment (TEE) and a hybrid encrypted inference model. It is configured to receive ciphertext data within the TEE, perform encrypted / masked state calculations without any plaintext throughout the process, and implement dynamic memory isolation protection. The model security management module is configured to perform weight equivalence transformation, encrypted storage, integrity verification, and anti-reverse engineering protection on cloud-based models.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by the processor, it implements the steps of the intelligent data privacy protection inference method based on hybrid ciphertext-state computation and dynamic memory isolation as described in any one of claims 1 to 8.