Efficient FHE-based private machine learning
Efficient ciphertext denoising and data packing techniques, combined with optimized encryption parameters and low-rank adaptation, address the slowness and cost issues of existing homomorphic encryption, enhancing the speed and efficiency of private computations in cloud-based machine learning.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- VISA INTERNATIONAL SERVICE ASSOCIATION
- Filing Date
- 2026-01-05
- Publication Date
- 2026-07-09
AI Technical Summary
Existing homomorphic encryption methods for private computations, particularly in cloud computing, are significantly slower and more computationally expensive, making computationally demanding tasks like private machine learning impractical due to the need for costly bootstrapping operations and complex ciphertext rotations.
Implement efficient ciphertext denoising methods, such as partial decryption and masking, and data packing techniques to reduce the number of operations required, along with optimized encryption parameters and low-rank adaptation models, to enhance the speed and efficiency of private computations.
These methods significantly improve the speed of private computations, achieving performance improvements of up to 11446% in certain tasks, making private machine learning on the cloud more feasible and efficient.
Smart Images

Figure US2026010182_09072026_PF_FP_ABST
Abstract
Description
EFFICIENT FHE-BASED PRIVATE MACHINE LEARNING CROSS-REFERENCES TO RELATED APPLICATIONS
[0001] This is a PCT application that claims priority to U. S. Provisional Application No. 63 / 742,354, filed on January 6, 2025, which is herein incorporated by reference.BACKGROUND
[0002] “Encryption” is a process in cryptography by which “plaintext” data (often referred to as “messages”) can be transformed into “ciphertext” data, data which hides the meaning of the original plaintext data. For example, a message “Hello!” can be encrypted to produce a ciphertext “dj9[xz”. “Decryption” is a process by which ciphertexts can be transformed back into their corresponding plaintext. Ideally, only authorized entities can decrypt ciphertexts to recover the original messages. Encryption and decryption are often performed using “cryptographic keys”, which can comprise data that enables the encryption of plaintext and the decryption of corresponding ciphertexts. A “cryptosystem” can refer to system or set of operations that are used to implement encryption, decryption, the generation of cryptographic keys, etc.
[0003] A “homomorphism” is a map between algebraic structures that preserves operations of those structures. As an example, if is “additively homomorphic,” then / (4) + / (5) = / (4 + 5) = / (9). “Homomorphic encryption” relates to cryptosystems for which the encryption and decryption functions can be considered homomorphisms between the “plaintext space” and “ciphertext space”. For example, if Enc(4) and Enc(5) are ciphertexts encrypting the numbers 4 and 5 respectively and were produced using an additively homomorphic cryptosystem, then Enc(4) + Enc(5) = Enc 4 + 5) = Enc(9). “Fully Homomorphic Encryption” (FHE) generally relates to cryptosystems that permits arbitrary (e.g., any) operations or computations performed on ciphertext.
[0004] The benefit of homomorphic encryption is that it enables various useful operations to be performed privately. As an example, a computer system could perform operations on encrypted data without the computer system or its operators ever “knowing” the plaintext of the data it is processing. For example, a server1KILPATRICK TOWNSEND 80329055 1computer operating a hypothetical private navigation application based on FHE could calculate the estimated time of arrival for a driver of a car (a “client”), without ever knowing the driver’s current location, destination, route, or velocity, thereby preserving the driver’s privacy. Instead, the driver could provide that information to the server computer in encrypted form (e.g., via a smartphone application), which could then privately determine the driver’s estimated time of arrival (in encrypted form) and transmit it back to the smartphone. The smartphone could then decrypt the estimated time of arrival and display it to the driver. In this way, the driver’s privacy is maintained, as only the driver is aware of their destination, estimated time of arrival, etc.
[0005] In “cloud computing”, a client can perform computing tasks using external computer resources provided “on the cloud” (e.g., the Internet), rather than (or in addition to) their own computing resources. Cloud computing is particularly useful when clients have limited immediate access to computing resources or have highly demanding computational tasks. For example, three-dimensional (3D) artists may have sufficient computing power to compose scenes using 3D modeling software but may not have sufficient computing power to render such scenes. Such 3D artists could use cloud-based rendering services to render their scenes instead of using their own computer systems. As another example, while artificial intelligence (Al) applications such as generative Al have become popular, only a small percentage of users possess the computing resources needed to actually produce high-quality Al-generated images, video, audio, etc., on their own computer systems. Such users can instead request Al generated content from cloud-based “machine learning as a service” (MLaaS) systems, which can perform computationally intensive operations associated with generative Al and return the results to those users.
[0006] Private computation via homomorphic encryption is desirable in cloud computing environments due to the inherent privacy and intellectual property concerns associated with cloud services, as well as privacy rules and regulations such as HIPAA
[0077] and GDPR
[0078] , As an example, a 3D artist using a cloud-based rendering service must transmit their work to the rendering service so that it can be rendered, and there is always the possibility that a dishonest operator of the rendering service sells or uses an artist’s work without their permission. However, if 2KILPATRICK TOWNSEND 80329055 1a cloud-based rendering server computer performed private rendering using homomorphic encryption, the server computer and its operators never have access to artists work products or any generated renderings in unencrypted form.Consequently, 3D artists can feel secure that their work is protected from unauthorized use.
[0007] Unfortunately, performing private computations using homomorphic encryption is much slower (approximately 10,000 times slower
[0070] ) and more computationally expensive than performing comparable computations on unencrypted (plaintext) data. It is especially unfortunate for the outlook of computationally demanding cloud-based services (e.g., cloud-based rendering, cloud-based machine learning, etc.), which suffer significantly from the many orders of magnitude slowdown associated with homomorphic encryption. Consequently, many private computing applications using homomorphic encryption, including private machine learning, are practically infeasible using existing methods.
[0008] Embodiments address these and other problems, individually and collectively.SUMMARY
[0009] This Summary is provided to introduce a selection of concepts in a simplified form that are further described herein in the Detailed Description. This Summary is not intended to identify key factors or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
[0010] Embodiments of the present disclosure are directed to various methods and systems related to privately performing computationally intensive tasks using homomorphic encryption (HE) and fully homomorphic encryption (FHE). Such tasks can include (but are not limited to) private training, inference, and fine-tuning (e.g., using novel low-rank adaptation models according to embodiments) of machine learning models in a cloud computing environment. Embodiments include efficient “bootstrapping” methods based on two party threshold decryption, efficient data packing methods, and efficient homomorphic encryption parameter optimization methods. These methods outperform current approaches to HE-based machine learning in both speed and scalability. As described in more detail further below,3KILPATRICK TOWNSEND 80329055 1embodiments are between 12 and 174 times faster than current state of the art FHE systems on a variety of machine learning tasks.
[0011] As described in the Background, privately performing a computing task using homomorphic encryption is several orders of magnitudes slower than performing analogous plaintext operations. Among other reasons, this is because (A) homomorphic encryption involves performing computationally expensive operations that are not needed in plaintext computation, and (B) the security requirements of private computation complicate operations that are frequently performed in computing tasks (e.g., matrix multiplications performed during machine learning), causing those operations to take longer and require greater computing resources to perform.
[0012] With regards to (A) private computation using homomorphic encryption often involves performing computationally expensive “bootstrapping” operations that are not needed in plaintext computation, which are used to periodically reset cryptographic noise that accumulates during repeated private computations using FHE. If this noise is allowed to accumulate without bootstrapping, decryption eventually becomes impossible, as any resulting plaintexts will comprise random values rather than meaningful data. In very general terms, existing bootstrapping methods generally involve a computer system homomorphically decrypting ciphertexts and re-encrypting them using a new secret key, such that the plaintext data is not revealed to the computer system. Unfortunately, these bootstrapping methods involve performing large numbers of homomorphic encryption operations, and can take seconds or minutes to perform, greatly slowing down private computation processes.
[0013] Embodiments address this problem by providing a novel and efficient ciphertext denoising method, sometimes referred to as “PP-BOOT”. While this method is not technically “bootstrapping” (as discussed in the Detailed Description), it largely serves the same purpose as bootstrapping. Thus, for ease of explanation, such methods may be referred to as efficient bootstrapping methods according to embodiments or using other similar terms.
[0014] In summary, computer systems according to embodiments can use partial decryption (via two-party threshold encryption
[0061] ) and masking to refresh4KILPATRICK TOWNSEND 80329055 1ciphertexts, a novel method that is faster and more efficient than other bootstrapping methods, with only millisecond-level communication costs between computer systems performing bootstrapping methods according to embodiments. As a general summary, in embodiments, once bootstrapping becomes necessary, a first computer system can homomorphically mask a ciphertext, partially decrypt that ciphertext, then send the partially decrypted masked ciphertext to a second computer system. The second computer system can then decrypt the partially decrypted masked ciphertext to produce a masked plaintext, thereby resetting the noise level. Due to the masking, the second computer system cannot determine plaintext data from the masked plaintext, maintaining privacy. The masked plaintext can then be re-encrypted and homomorphically unmasked to reproduce the ciphertext. Private computation can then continue on the ciphertext until bootstrapping again becomes necessary, at which point the process can be repeated.
[0015] With regards to (B), HE-based private computation often complicates operations that are frequently and repeatedly performed during computing tasks, causing those operations to take much longer to perform. As a more specific example, it is generally not possible to perform private matrix multiplication on ciphertext using standard techniques (e.g., dot products), as it is generally not possible to access arbitrary rows or columns of encrypted vectors and matrices. To overcome this, computationally expensive “ciphertext rotations” are performed on ciphertext vectors, which enable matrix multiplication to be performed using element-wise ciphertext multiplication (itself a slow and computationally demanding task) and element-wise ciphertext addition. Unfortunately, ciphertext rotations are slow and computationally costly, and must be performed frequently due to the ubiquity of matrix multiplication in computational tasks such as machine learning.
[0016] Some embodiments address this problem by providing novel data packing methods (sometimes referred to as “r-slice data packing”) that reduce the number of operations (particularly ciphertext rotation and ciphertext multiplication operations) that need to be performed during matrix multiplication of encrypted data. As a consequence, embodiments of the present disclosure can greatly improve the speed of private computations that involve large numbers of matrix multiplications, including private machine learning tasks. For example, as discussed in the Detailed 5KILPATRICK TOWNSEND 80329055 1Description below, using data packing methods according to embodiments resulted in a 262% speed improvement on a private variable autoencoder (VAE) inference task, a 465% speed improvement on a private logistic regression task, and a11,446% speed improvement on a private graph convolutional network (GCN) inference task, i.e., the private GCN inference task was completed 114.46 times faster when using data packing methods according to embodiments than when not using data packing methods according to embodiments.
[0017] Various other methods and aspects of embodiments are described in the Detailed Description below. These include, for example, an automated encryption parameter selection method (or “Auto- / V method”) that can be used to further improve speed and efficiency in private computations. In general terms, some homomorphic cryptosystems map vectors to cyclotomic polynomials in order to perform encryption, and the degree N of such a cyclotomic polynomial can be set by the individual implementing those cryptosystems. In existing private computation systems, it is often preferable for a polynomial to have a high degree (e.g., N = 216), as increasing the degree increases the number of private computations that can be performed before bootstrapping needs to be performed, decreasing the frequency of costly bootstrapping operations. However, because bootstrapping methods according to embodiments are much more efficient than conventional bootstrapping methods, the choice of the degree N does not have to be set to limit bootstrapping operations. As such, in some embodiments, a computer system can use methods according to embodiments in order to set encryption parameters instead minimize the number of ciphertext rotation operations and communication rounds that need to be performed during private computation, further improving the speed and efficiency of private computations.
[0018] These and other methods according to embodiments can be applied to a variety of private computationally intensive tasks, including private machine learning inference on the cloud and private machine learning model fine-tuning on the cloud. Private machine learning model fine-tuning on the cloud can be achieved by using methods according to embodiments along with novel low-rank adaptation (LoRA) models according to embodiments (sometimes referred to as “FHE-LoRA”). FHE-LoRA models and methods according to embodiments can be used to privately fine-tune “backbone” machine learning models in an efficient manner, improving 6KILPATRICK TOWNSEND 80329055 1model accuracy. Such FHE-LoRA use a different architecture than conventional LoRA models, addressing various computational challenges associated with private evaluation of conventional LoRA models using homomorphic encryption (e.g., due to their integration with the backbone machine learning models that they fine-tune).
[0019] In more detail, one embodiment is directed to a method performed by a first computer system. The first computer system can receive a first secret key share, which can correspond to a second secret key share, a secret key, and a public key. The first computer system can also receive a ciphertext input encrypted using the public key from a client computer. The first computer system can perform a set of homomorphic operations corresponding to a private computing task on the ciphertext until a ciphertext level corresponding to a ciphertext partial result corresponding to the ciphertext input is reduced to a threshold ciphertext level. In this way, the first computer system can produce the ciphertext partial result. The first computer system can mask the ciphertext partial result, thereby producing a masked ciphertext partial result. The first computer system can partially decrypt the mask ciphertext partial result using the first secret key share, thereby producing a partially decrypted masked ciphertext partial result. The first computer system can transmit the partially decrypted masked ciphertext partial result to a second computer system. The second computer system can decrypt the partially decrypted masked ciphertext partial result using the second secret key share to produce a masked plaintext partial result. The second computer system can encrypt the masked plaintext partial result using the public key, thereby reproducing the masked ciphertext partial results with the ciphertext level restored to a maximum ciphertext level. The second computer system can cause the private computing task to be completed using the masked ciphertext partial result by (A) causing the masked ciphertext partial result to be homomorphically unmasked, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level, and (B) causing one or more additional sets of homomorphic operations corresponding to the private computing task to be performed using (i) the ciphertext partial result or (ii) the ciphertext partial result and one or more additional ciphertext partial results produced by the one or more additional sets of homomorphic operations. In this way, the second computer system can cause a ciphertext result to be produced and transmitted to a client computer. The client computer can decrypt the ciphertext7KILPATRICK TOWNSEND 80329055 1result using the secret key to produce a plaintext result. The client computer can perform further processing on the plaintext result.
[0020] Another embodiment is directed to a method performed by a second computer system. The second computer system can receive a second secret key share, which can correspond to a first secret key share, a secret key, and a public key. The second computer system can also receive a partially decrypted masked ciphertext partial result from a first computer system. The first computer system could have produced the partially decrypted masked ciphertext partial result during a private computing task in which one or more sets of homomorphic operations were performed. A ciphertext level of the partially decrypted masked ciphertext partial result can be equal to a threshold ciphertext level. The second computer system can decrypt the partially decrypted masked ciphertext partial result using the second secret key share, thereby producing a masked plaintext partial result. The second computer system can encrypt the masked plaintext partial result using the public key, thereby producing a masked ciphertext partial result with the ciphertext level restored to a maximum ciphertext level. The second computer system can cause the private computing task to be completed using the masked ciphertext partial result by (A) causing the masked ciphertext partial result to be homomorphically unmasked, thereby producing a ciphertext partial result with the ciphertext level restored to the maximum ciphertext level, and (B) causing one or more additional sets of homomorphic operations to be performed using (i) the ciphertext partial result or (ii) the ciphertext partial result and one or more additional ciphertext partial results produced by the one or more additional sets of homomorphic operations, thereby causing a ciphertext result to be produced and transmitted to a client computer. The client computer can decrypt the ciphertext partial result using the secret key to produce a plaintext result. The client computer can perform further processing on the plaintext result.
[0021] In addition to the methods described above (and other methods), some embodiments are directed to computer systems or other devices that can be configured to perform the methods described above or other methods. For example, one embodiment is directed to a computer system comprising a processor and a non-transitory computer readable medium coupled to the processor. The non-transitory computer readable medium can comprise instructions executable by the 8KILPATRICK TOWNSEND 80329055 1processor for performing the methods described above (or other methods described in the detailed description below).
[0022] A better understanding of the nature and advantages of embodiments of the present disclosure may be gained with reference to the following detailed description and the accompanying drawings. Reference to the remaining portions of the specification, including the drawings and claims, will realize other features and advantages of the present disclosure. Further features and advantages of the present disclosure, as well as the structure and operation of various embodiments of the present disclosure, are described in detail below with respect to the accompanying drawings. In the drawings, like reference numbers can indicate identical or functionally similar elements.TERMS
[0023] A “server computer” may refer to a computer or cluster of computers. A server computer can include a powerful computing system, such as a large mainframe. Server computers can also include minicomputer clusters or a group of servers functioning as a unit. In one example, a server computer can include a database server coupled to a web server. A server computer may comprise one or more computational apparatuses and may use any of a variety of computing structures, arrangements, and compilations for servicing requests from one or more client computers.
[0024] A “client computer” may refer to a computer or cluster of computers that receives some service from a server computer (or another computing system). The client computer may access this service via a communication network such as the Internet or any other appropriate communication network. A client computer may make requests to server computers including requests for data. As an example, a client computer can request a video stream from a server computer associated with a movie streaming service. As another example, a client computer may request data from a database server. A client computer may comprise one or more computational apparatuses and may use a variety of computing structures, arrangements, and compilations for performing its functions, including requesting and receiving data or services from server computers.9KILPATRICK TOWNSEND 80329055 1
[0025] A “memory” may refer to any suitable device or devices that may store electronic data. A suitable memory can comprise a non-transitory computer readable medium that stores instructions that can be executed by a processor to implement a desired method. Examples of memories including one or more memory chips, disk drives, etc. Such memories can operate using any suitable electrical, optical, and / or magnetic mode of operation.
[0026] A “processor” may refer to any suitable data computation device or devices. A processor can comprise one or more microprocessors working together to achieve a desired function. A processor can include a CPU that comprises at least one high-speed data processor adequate to execute program components for executing user and / or system generated requests. A CPU can be a microprocessor such as AMD’s Athlon, Duron and / or Opteron; IBM and / or Motorola’s PowerPC; IBM’s and Sony’s Cell processor; Intel’s Celeron, Itanium, Pentium, Xenon, and / or Xscale; and / or the like processor(s).
[0027] A “feature” may refer to an individual measurable property or characteristic of a phenomenon. One or more features can be described using a “feature vector,” e.g., a structured list of data (such as numerical data) representing those features. A feature can be input into a model to determine an output. As an example, in pattern recognition and machine learning, a feature vector can comprise an n-dimensional vector of numerical features that represent some object. In some machine learning contexts, a numerical representation of objects can facilitate processing and statistical analysis. For image processing, for example, feature values might correspond to the pixels of an image. As another example, when feature vectors represent text, the features may comprise occurrence frequency of textual terms. Feature vectors can be equivalent to the vectors of explanatory variables used in statistical procedures such as linear regression.
[0028] A “dataset” may include any set of one or more “observations” or “data values.” A “data value” can include any data element. A “data element” can refer to a set of data that can be grouped into a single unit, enabling comparison between that data element and other data elements. For example, a data element can comprise a single numerical value (e.g., the speed of a vehicle in miles per hour) or could comprise multiple numerical values (e.g., 60 speed recordings of a vehicle10KILPATRICK TOWNSEND 80329055 1corresponding to each minute of an hour-long period). Data elements comprising multiple data values can be organized into various forms or structures, including “data tables,” e.g., comprising data elements organized in rows and columns (or any other suitable structure). A data element may comprise the input to a machine learning model, and individual data values within that data element may comprise features values. A data value can comprise a “data vector,” one or more values (represented in vector form) corresponding to a data element or observation.
[0029] “Sampling” may include any process or method used to collect data values. Sampling can be used to collect data values from an existing dataset. The act of sampling may result in a “sample,” one or more data values collected from the dataset during sampling. Datasets can be sampled via a variety of means. For example, “random sampling” involves sampling data values from a dataset randomly.
[0030] The term “artificial intelligence model” or “machine learning model” can refer to a model that may be used to predict outcomes to achieve a pre-defined goal. A machine learning model may be developed using “machine learning”, in which training data is classified based on known or inferred patterns.
[0031] " Machine learning" can include an artificial intelligence process in which software applications may be trained to make accurate predictions (or any other outputs) through learning. The predictions can be generated by applying input data to a predictive model (or “prediction model”) formed from performing statistical analyses on aggregated data. A model can be trained using training data, such that the model may be used to make accurate predictions. The prediction can be, for example, a classification of an image (e.g., identifying images of cats on the Internet), or as another example, a recommendation (e.g., a movie that a user may like or a restaurant that a consumer might enjoy).
[0032] A “machine learning model” (ML model) can refer to a software module configured to be run on one or more processors to provide a classification or numerical value of a property of one or more samples. An ML model can include various parameters (e.g., for coefficients, weights, thresholds, functional properties of function, such as activation functions). As examples, an ML model can include at least 10, 100, 1,000, 5,000, 10,000, 50,000, 100,000, or one million parameters. An ML model can be generated using sample data (e.g., training samples) to make11KILPATRICK TOWNSEND 80329055 1predictions on test data. Various numbers of training samples can be used, e.g., at least 10, 100, 1,000, 5,000, 10,000, 50,000, 100,000, or at least 200,000 training samples.
[0033] A machine learning model can comprise an “unsupervised learning model”. Examples of unsupervised learning models include hidden Markov model (HMM), clustering (e.g., hierarchical clustering, k-means, mixture models, modelbased clustering, density-based spatial clustering of applications with noise (DBSCAN), and OPTICS algorithm), approaches for learning latent variable models such as Expectation-maximization algorithm (EM), method of moments, and blind signal separation techniques (e.g., principal component analysis, independent component analysis, non-negative matrix factorization, singular value decomposition), and anomaly detection (e.g., local outlier factor and isolation forest).
[0034] A machine learning model cam comprise a “supervised learning model”. Example supervised learning models may include different approaches including analytical learning, statistical models, artificial neural network (e.g. including convolutional and / or transformer layers) that may have 1-10 layers as examples, recurrent neural network (e.g., long short term memory, LSTM), boosting (meta-algorithm), bootstrap aggregating (bagging) such as random forests, support vector machine (SVM), support vector (SVR), Bayesian statistics, case-based reasoning, decision tree learning, inductive logic programming, linear regression, logistic regression, Gaussian process regression, genetic programming, group method of data handling, kernel estimators, learning automata, learning classifier systems, minimum message length (decision trees, decision graphs, etc.), multilinear subspace learning, naive Bayes classifier, maximum entropy classifier, conditional random field, nearest neighbor algorithm, probably approximately correct learning (PAC) learning, ripple down rules, a knowledge acquisition methodology, symbolic machine learning algorithms, subsymbolic machine learning algorithms, minimum complexity machines (MCM), ordinal classification, data pre-processing, handling imbalanced datasets, statistical relational learning, or Proaftn (a multicriteria classification algorithm), or an ensemble of any of these types. Supervised learning models can be trained in various ways using various cost / loss functions that define the error from the known label (e.g., least squares and absolute difference from known classification) and various optimization techniques, e.g., using12KILPATRICK TOWNSEND 80329055 1backpropagation, steepest descent, conjugate gradient, and Newton and quasiNewton techniques.
[0035] The process of “training” a machine learning model may include any steps used to prepare a machine learning model to perform some task. Often training involves determining or optimizing a set of “parameters” (which characterize the machine learning model) that result in acceptable model performance. Training can be performed in a series of “training rounds” during which training data is used to update the parameters of the machine learning model, for example, based on a loss value.
[0036] A “loss value” or “error value” may include any value that indicates the deviation between a result of some process, method, or function and an expected, desired, or correct result. For example, if a machine learning model can detect anomalies in a dataset comprising 100 data values, 17 of which are anomalous, if the machine learning model only detects 15 of the 17 anomalous data values, the loss value could comprise, e.g., 2 (17 - 15). Loss values can be used to train and evaluate the training of machine learning models, e.g., by optimizing machine learning model parameters by minimizing the loss value, using processes such as stochastic gradient descent or backpropagation.
[0037] A “hyperparameter” can include any value used to configure a machine learning model that is external to the machine learning model. Typically, a hyperparameter is set, and is not estimated or determined from the training data used to train the machine learning model.
[0038] A machine learning model may comprise multiple “sub-models”, “layers,” or “modules”, which may refer to parts of a larger machine learning system. For example, a machine learning model could comprise a long short-term memory layer (which itself can comprise multiple layers), in addition to an attention layer and a linear layer. Layers can be organized in series, such that the input to a machine learning system is processed by a first set of layers, which produces an output that is then processed by a subsequent set of layers, and so forth until the output of the machine learning model is produced by the final layer in the series.
[0039] An “embedding” can refer to a representation of data, usually within an “embedding space”, a theoretical region in which embeddings can be compared via 13KILPATRICK TOWNSEND 80329055 1vector operations. For example, an embedding can comprise a vector representation of an image, which can be used to evaluate the similarity of that image to other images, or e.g., determine whether that image contains or depicts a particular subject (e.g., a cat). Embeddings can be used within the field of machine learning, thereby enabling machine learning models to perform certain tasks, particularly tasks that are difficult or subjective. In some cases, an embedding can comprise a lower-dimensional representation of a corresponding element of data, enabling more efficient processing due to the reduced logical size of the embedding relative to the logical size of the original element of data.
[0040] A “cryptographic key” may refer to information that can be used to encrypt or decrypt data. In some cases, a cryptographic key can comprise a long string of bits or other characters (e.g., a 1024-bit cryptographic key). A cryptographic key can be used to encrypt “plaintexts” (e.g., messages or other data that can be readily interpreted by humans or computers) to produce “ciphertexts” (e.g., messages or other data that cannot be interpreted by humans or computers without decryption). A cryptographic key can likewise be used to decrypt ciphertexts to produce plaintexts. In “symmetric cryptography”, the same cryptographic key is used to perform encryption and decryption. In “asymmetric cryptography”, two different keys may be used, e.g., if one cryptographic key is used to encrypt plaintext to produce ciphertext, a different cryptographic key is used to decrypt that ciphertext to recover the plaintext. In some asymmetric cryptography, one cryptographic key is referred to as a “public key” (which may be published or otherwise generally available), and another cryptographic key is referred to as a “private key” or “secret key” (which may only be known to a small number of entities or computer systems (e.g., one)).
[0041] “Secret sharing” may refer to techniques used to distribute data (sometimes referred to as a “secret”) among a group of participants, such that each participant receives a “share” of the “secret-shared data.” Typically, no single party has access to the data, but some group of parties possessing some number of secret shares can collectively reconstruct the data using their respective shares. Secret sharing can be used to share a secret key among some number of parties, such that each party possesses a “secret key share”. Using their secret key shares, those parties can collectively perform encryption or decryption.14KILPATRICK TOWNSEND 80329055 1
[0042] “Multi-party computation” may refer to computations performed by multiple parties, usually using some combination of data belonging to each individual participant. A “secure” multi-party computation may refer to a multi-party computation that does not leak or otherwise reveal the parties’ data while the computation is being performed. Secret sharing techniques (among other techniques) can be used to implement secure multi-party computation.BRIEF DESCRIPTION OF THE DRAWINGS
[0043] FIG. 1 shows an example of a four slot ciphertext rotation operation.
[0044] FIG. 2A shows a latency breakdown profile for homomorphic evaluation of one 64 channel convolutional layer.
[0045] FIG. 2B shows a latency breakdown profile for a fully complete linear layer.
[0046] FIG. 2C compares the latency of various homomorphic operations under different maximum ciphertext levels.
[0047] FIG. 3 shows a diagram of a private computation system comprising a first computer system and a second computer system that can perform some methods according to embodiments.
[0048] FIG. 4 shows a diagram of a private fine-tuning system according to embodiments that uses low-rank adaptation.
[0049] FIG. 5 shows pseudocode corresponding to an output-aware r-slice data packing method according to embodiments.
[0050] FIG. 6A compares the number of homomorphic rotation operations associated with private feature extraction matrix multiplication operations on tensors encoded using conventional diagonal-encoding methods and tensors encoded using output-aware r-slice data packing methods according to embodiments.
[0051] FIG. 6B compares the number of homomorphic rotation operations associated with private feature transformation matrix multiplication operations on tensors encoded using Orion
[0021] , Fhelipe
[0045] , and output-aware r-slide data packing methods according to embodiments.15KILPATRICK TOWNSEND 80329055 1
[0052] FIG. 7 shows pseudocode corresponding to an automated encryption parameter selection method according to embodiments.
[0053] FIG. 8 shows a table summarizing the results of end-to-end benchmark experiments comparing methods according to embodiments to existing methods on various private machine learning tasks.
[0054] FIG. 9 shows a bar graph comparing the latency of various homomorphic operations for existing FHE methods and methods according to embodiments using various cyclotomic polynomial degrees.
[0055] FIG. 10 shows a table summarizing the result of an ablation study on bootstrapping methods according to embodiments.
[0056] FIG. 11 shows a table summarizing performance trade-offs for different encryption parameters when using methods according to embodiments to perform various machine learning tasks.
[0057] FIG. 12 shows a table summarizing the results of an ablation study corresponding to r-slice data packing methods according to embodiments.
[0058] FIG. 13 shows a table of micro-benchmarking results of r-slice data packing methods according to embodiments for feature extraction and feature transformation.
[0059] FIG. 14 shows a table summarizing a performance evaluation of LoRA-based fine-tuning methods according to embodiments.
[0060] FIG. 15 shows a table summarizing a comparison between LoRA-based fine-tuning methods according to embodiments and state of the art transfer learning methods.
[0061] FIG. 16 shows a computer system according to some embodiments.DETAILED DESCRIPTION
[0062] Before the present invention is described in greater detail, it should be understood that this invention is not limited to particular embodiments described, as such may vary. It should also be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be16KILPATRICK TOWNSEND 80329055 1limiting, since the scope of the present invention will be limited only by the appended claims. Efforts have been made to ensure accuracy with respect to numbers used (e.g., amounts, temperature, etc.) but some experimental errors and deviations should be accounted for.I. INTRODUCTION
[0063] As described above, embodiments of the present disclosure relate to methods for efficiently performing private computations (particularly for computationally intensive tasks such as machine learning inference and fine-tuning) using threshold homomorphic encryption. It is assumed that a potential practitioner of methods according to embodiments has some familiarity with threshold encryption, homomorphic encryption (including leveled homomorphic encryption and fully homomorphic encryption) as well as cryptosystems that can be used to perform private computation using homomorphic encryption (e.g., CKKS
[0012] , BGV [6], and BFV
[0022] ) and the various “primitive” homomorphic operations that can be used to implement more complex computations.
[0064] However, in order to orient the reader, a description of homomorphic encryption, threshold encryption, relevant notation, and various homomorphic encryption operations is provided below. This description may help the reader better understand the current state of the art, challenges associated with performing private computation using homomorphic encryption (including the high computation cost associated with particular homomorphic encryption operations), embodiments of the present disclosure, and the technical advantages and improvements provided by embodiments of the present disclosure.A. Basic Summary LHE vs FHE
[0065] As described above, Homomorphic encryption enables direct computation on encrypted data (ciphertexts) due to the “homomorphism” between the plaintext and ciphertext spaces, thereby enabling private computation. A powerful server computer could, conceptually, use homomorphic encryption to perform some computing task for a client computer based on that client computer’s inputs, without having access to those inputs in unencrypted form, thereby preserving the privacy of those inputs. In the field of cryptography, private17KILPATRICK TOWNSEND 80329055 1computation is usually framed as the evaluation of “circuits”, implementations of methods as the evaluation of sequences of minor operations (“gates”), without e.g., loops or conditionals. For example, a private computation could be performed by privately evaluating a Boolean circuit.
[0066] Homomorphic encryption can be categorized into two types: Leveled homomorphic encryption (LHE) and fully homomorphic encryption (FHE). LHE supports a limited number of sequential operations on ciphertexts before requiring decryption, whereas FHE allows an unlimited number of operations through a process called bootstrapping
[0025] (described in more detail further below), which “refreshes” the ciphertext, enabling continued computation.
[0067] LHE is suitable for simpler tasks, such as implementing shallow networks like LeNet5
[0049] with restricted accuracy, but more accurate models, such as ResNet-20
[0032] , require significantly more operations, necessitating the use of FHE. While many FHE systems primarily support integer [6, 21] or Boolean
[0013] operations or circuits, the Cheon-Kim-Kim-Song (CKKS) system
[0012] enables fixed-point arithmetic on real numbers, making it ideal for real-world applications like Machine Learning as a Service (MLaaS).B. Threshold Encryption
[0068] Threshold encryption involves splitting a secret key into secret key shares (e.g., via additive secret sharing) and distributing those secret key shares among multiple parties [24, 54, 61], Decryption of ciphertext can be performed if a threshold number of those parties (e.g., computer systems) participate in the decryption process using their respective secret key shares. For example, in a “three out of five” threshold encryption system, a secret key can be split into five secret key shares and distributed to five parties, and decryption can be performed if at least three parties participate in the decryption process with at least three secret key shares. More formally, threshold encryption is robust against the loss of up to n - t parties (where t is the threshold required for decryption and n is the total number of parties) and resists collusion among fewer than t parties. Threshold encryption enables privacy and security in distributed environments, ensuring that sensitive data remains protected even in collaborative or multi-party computational settings.18KILPATRICK TOWNSEND 80329055 1
[0069] In additive secret sharing, the secret key sk is divide into n shares sk1,sk2,...,sknsuch that sk = sk1+ sk2H - 1- sknmod Q, such that each party securely holds one secret key share. Here Q is a modulus associated with a cryptosystem (e.g., CKKS, see the notation description further below. This decentralized key distribution mitigates the risk of the leakage of the secret key, as no party individually possesses the full secret key. Given a ciphertext ct = (c0, q) = Encpk(m) where m comprises a plaintext message and Encpk(-) is encryption using a public key pk, during collective decryption, each party can compute a partial decryption by applying the corresponding key share on the ciphertext. Specifically, each party computes dt= PDecsk.(ct) = q ■ sktmod Q, which ensures that the secret key remains divided divided among the parties. Here PDecsk.(-) is the partial decryption operation. Eventually, all partial decryption shares are then combined, resulting in m = Decsk(ct)= c0+ dtmod Q = c0+ q * sk mod Q, recovering the plaintext message. Here Decsk(-) is the decryption operation.
[0070] However, one potential issue in collective decryption is that any secret key share could be recovered from the partial decryption by the corresponding party who just divides the received partial decryption by q. To protect the partially decrypted data against this form of attack, in some methods according to embodiments, “smudging” noise can be introduced into the partial decryption, such that PDecsk.(ct) = q ■ skt+ esmimod Q. Here, esmiis the random noise sampled from a discrete Gaussian with variance 2λ, which does not affect the correctness of decryption.C. Notation
[0071] Having summarized homomorphic encryption and threshold encryption, it may be helpful to describe some notation used throughout the present disclosure, as well as some homomorphic operations that can be used to perform private computations. The computational cost associated with performing homomorphic operations is a problem that generally makes HE-based private computation (using existing methods) practically infeasible. Understanding these homomorphic operations can facilitate a better understanding of existing methods, as well as the advantages of methods and systems according to embodiments.19KILPATRICK TOWNSEND 80329055 1
[0072] The description below primary focuses on the notation and homomorphic operations used in the Cheon-Kim-Kim-Song cryptosystem
[0012] , a leveled homomorphic encryption approach that facilitates arithmetic operations on encrypted fixed-point numbers, and which provides configurable precision. This is achieved by considering the encryption noise
[0048] as a natural error inherent in approximation computations, and by discarding the least significant bits of these computations through a process known as rescaling (described in more detail below). CKKS further allows “packing” (also referred to as “batching”) which enables multiple data values to be packed into a single ciphertext
[0074] , enabling the execution of encrypted computations in a Single Instruction Multiple Data (SIMD) manner, somewhat addressing the runtime and memory overhead associated with homomorphic operations. For these various useful properties, CKKS is well suited for use with embodiments of the present disclosure.
[0073] However, it should be understood that embodiments of the present disclosure can also use other homomorphic cryptosystems, such as BGV [6], BFV
[0022] , or any other suitable cryptosystem. For the sake of brevity, the description below focuses on the CKKS cryptosystem, and BGV, BFV (which share similar operations to CKKS), and other suitable cryptosystems will not be discussed. It is assumed that a potential practitioner of methods according to embodiments has the ability to adapt the disclosed methods and systems to other suitable cryptosystems.
[0074] In terms of notation, in this disclosure, N refers to the degree of a cyclotomic polynomial (or the degree of a polynomial quotient ring) used to perform encryption.
[0075] L refers to the maximum level of a ciphertext (or “maximum ciphertext level”), which can comprise the number of consecutive homomorphic multiplications that can be performed without bootstrapping. refers to the current multiplicative level (or “ciphertext level”) for a ciphertext. A ciphertext with a current multiplicative level of can be represented by a pair of N x ( + 1) matrices. Each homomorphic multiplication decreases by one, and once it reaches zero, further HE operations may render the ciphertext undecryptable. Bootstrapping can be performed to return the current level back to the maximum level L. Performing conventional bootstrapping consumes Lbootciphertext levels. Thus, bootstrapping is performed20KILPATRICK TOWNSEND 80329055 1before £ < L^00t. Further, if L is not greater than Lboot, private computation may be impossible, as bootstrapping cannot be performed without exhuasing the noise budget.
[0076] Q refers to the ciphertext modulus, and q0,...,qLare the L prime moduli.
[0077] evkmultis anevaluation key used to perform ciphertext-ciphertext multiplication operations, and evk^ is an evaluation key for ciphertext-rotation operations with a rotation amount p.
[0078] pk refers to a public key that can be used, e.g., to encrypt client input data in order to perform private computation on that input data, sk refers to a secret key that can be used e.g., to decrypt ciphertext ct to produce plaintext pt. sktcan refer to the ithsecret key share of a secret key.
[0079] refers to a security level in bits. A security level of e.g., = 128 bits [9], means that breaking encryption of ciphertexts would require approximately 2128operations.D. Homomorphic Operations
[0080] CKKS additionally supports various homomorphic operations, including “primitive” operations, which form the foundations for more complex operations, such as linear transformations and convolutions. Together, these operations underpin a variety of applications in encrypted computing, ensuring functionality and security through modular polynomial arithmetic and key management.
[0081] A “key-switching” operation can be used to convert a Learning With Errors (LWE) or Ring Learning With Errors (RLWE) encryption of a message using one secret key to an encryption of that message using another secret key. Likewise, a “modulus change” operation can be used to change the modulus of the coefficients homomorphically.
[0082] A “ciphertext addition” operation can be used to homomorphically add two ciphertexts together, represented by Add(ctltct2y ct±+ ct2. More specifically, Given two ciphertexts ct±= (b1(X),a1(X)) and ct2= (b2(X),a2(X)), where b;(X) = ciiQO • s(X) + m (X), ciphertext addition is achieved via element-wise summation: Add(ctltct2) = (^IQO + b^Xya^X) + a2(X)))- 21KILPATRICK TOWNSEND 80329055 1
[0083] A “ciphertext-plaintext multiplication” operation can be used to homomorphically multiply a ciphertext by a plaintext, thereby scaling the ciphertext by an unencrypted scalar or polynomial, facilitating some computations. Herein, ciphertext-plaintext multiplication can be represented by Pmult(ct,pt) ct ■ pt.
[0084] A “ciphertext-ciphertext multiplication” operation can be used to homomorphically multiply a ciphertext and another ciphertext, represented by Cmult(ct1, ct2. ct ■ ct2. Given two ciphertexts ct and ct2, ciphertext-ciphertext multiplication can involve tensor product computation and key-switching. The tensor product yields (d0(X),d1(X),d2(X)) through polynomial multiplication. The final multiplication result is computed via (d0(X), dx(X), d2(X)) ■ (l,sk,sk2followed by key-switching with an evaluation key (evkmult) to ensure decryption compatibility.
[0085] A “ciphertext rotation” operation can be used to apply Galois automorphisms to ciphertext, leading to a cyclic shift of the slot vector, and can be represented by Rot(ct,p As an example, Rot(ct,p) transforms an encryption of (v0, - ) into an encryption of (vfc,,v0,.... Vp- where N is the polynomialmodulus degree. FIG. 1 shows an example of a four slot ciphertext rotation operation that transforms an original ciphertext 102 into a rotated ciphertext 104. As a more specific example, given a vector z encrypted in ct = (c0, q), a rotation by p maps z to z p) using automorphism, transforming ct to ct' = (c0(X5P),q(X5P))
[0042] , Here, the polynomial coefficients are rearranged based on<7p(i) = i ■ 5Pmod N. Keyswitching with a dedicated evaluation key (evk^) restores ct' to be decryptable using (l,sfc). The rotation is computed as Rot ct,p) = (c0(X5P), 0) + P-1(q(X5P) ■ evk^) and enables manipulation of encrypted vectors.
[0086] Additionally, CKKS supports a “rescaling” operation, represented by Rescale(ct, A):ct / ^, which is used to manage the noise produced during HE operations and prevent ciphertexts from growing too large, enabling CKKS to perform multiple consecutive multiplications before bootstrapping needs to be performed. In more detail, homomorphic operations (particularly ciphertextciphertext multiplication) amplify ciphertext noise, potentially resulting in decryption failures if not managed properly. CKKS address this issue using rescaling, which manages the noise by dividing the ciphertext by the last prime modulus qL. After22KILPATRICK TOWNSEND 80329055 1rescaling, the qLresidue polynomial is discarded, reducing the size of the ciphertext. The ciphertext continues losing the residues of qL-lt...,q1with each rescale operation during HE applications until only one residue polynomial remains, at which point no additional multiplication operations can be performed.
[0087] As mentioned above, some FHE systems based on LHE provide a “bootstrapping” operation to restore the multiplicative level of a ciphertext from the current ciphertext level to to the maximum ciphertext level L, enabling further operations. Bootstrapping primarily involves homomorphic linear transforms and approximate sine evaluations
[0029] , broken down into hundreds of primitive homomorphic operations. Among these, ciphertext-ciphertext multiplication and ciphertext rotation can constitute more than 77% of the bootstrapping time
[0014] , As described above, since bootstrapping itself consumes Lb00tlevels, the parameter L must be larger than Lb00t, and more generally, a larger L reduces the frequency of bootstrapping. The value of Lb00ttypically ranges from 10 to 20, depending on the bootstrapping method used. Methods that use larger Lb00tsupport more precise and faster computations
[0028] ,
[0088] It should be understood that “bootstrapping” methods according to embodiments (described in more detail further below) are different than the bootstrapping methods described above. While bootstrapping methods according to embodiments can also be used to refresh ciphertexts and continue private computation, bootstrapping methods according to embodiments are achieved via masked decryption and re-encryption using two-party threshold encryption, rather than e.g., homomorphic linear transformations and approximate sine evaluations. This greatly reduces the number of computationally demanding homomorphic operations that need to be performed. Additionally, bootstrapping methods according to embodiments do not consume any multiplicative levels (instead of e.g., 10 to 20 as described above). As a consequence, Bootstrapping methods according to embodiments need to be performed less frequently than conventional bootstrapping methods, further improving performance.E. Applications of HE-Based Private Computation
[0089] Having introduced some concepts related to homomorphic encryption and its operations, threshold encryption, and the various notation used through this 23KILPATRICK TOWNSEND 80329055 1disclosure, it may be helpful to review potential applications of private computation using homomorphic encryption (particularly private machine learning), as well as challenges and existing work in the field.
[0090] Large-scale machine learning models, pre-trained on large datasets such as lmageNet-21K and WikiText
[0057] , have demonstrated strong performance across a wide range of tasks, including image classification
[0031] , object detection, and language generation [7, 76], With the growing popularity of cloud-based machine learning as a service (MLaaS) platforms [1, 3, 4], these models have become highly accessible to users and organizations. Increasingly, machine learning applications also depend on fine-tuning foundation models with smaller domain-specific datasets to support specialized tasks. However, in some cases inference and fine-tuning can involve sensitive data, such as medical records, financial transactions, and proprietary business information, raising privacy and security concerns, particularly in view of regulations such as GDPR
[0078] and HIPPA
[0077] , Addressing privacy concerns is needed in order to enable deployment of MLaaS in privacy-sensitive domains.
[0091] One solution is to use homomorphic encryption (HE) [6, 12, 13, 25], which enables computations directly on encrypted data. By keeping sensitive information encrypted throughout inference or fine-tuning in the cloud and ensuring that only the clients can decrypt the result using their private key, homomorphic encryption enhances privacy and security in public MLaaS environments. However, the practicality of “non-interaction HE-only solutions”, in which the client uploads encrypted data once and receives encrypted results at the end without participating during computation, is limited by the overhead of encrypted operations.F. Problem - Computational Cost of Operations
[0092] As described herein, homomorphic operations are often orders of magnitude slower than their plaintext counterparts. In addition, private computation using homomorphic encryption often complicates operations that are performed during computing tasks, further increasing latency. As an example, it is generally not possible to perform private matrix multiplication on ciphertext using standard techniques because it is not possible to access arbitrary rows or columns of encrypted vectors and matrices. As a result, homomorphic evaluation of machine 24KILPATRICK TOWNSEND 80329055 1learning models, in which matrix-matrix and matrix vector multiplications are ubiquitous, is more computationally demanding than evaluating their plaintext counterparts. As an example, a homomorphically evaluated convolutional neural network, operating on F input channels with a kernel size of K, requires K2- 1 ciphertext rotation operations to perform convolution on a single channel (“inner rotations”) and an additional F - 1 rotation operations for the F channels (“outer rotations”). As a result, homomorphic evaluation of a convolutional neural network requires a large number of computationally expensive ciphertext rotation operations, which are not needed during plaintext evaluation, greatly increasing computation time relative to plaintext evaluation. This is shown in FIG. 2A, which provides a latency breakdown profile for one 64 channel convolution layer that indicates that ciphertext rotations contribute the most to total evaluation time (66.7%) out of various homomorphic operations. FIG. 2B similarly provides a latency breakdown profile for homomorphic evaluation of a complete linear layer model with weight matrix size 4096x4096 under N = 214. For the fully complete linear layer [35, 67], 97.5% of the total evaluation time was spent performing ciphertext rotations.
[0093] FIG. 2C provides an evaluation of the latency associated with various ciphertext operations under an encryption parameter N = 216, each orders of magnitudes slower than their plaintext counterparts
[0036] , As shown in FIG. 2C, ciphertext rotation and ciphertext-ciphertext multiplication are the two most expensive operations, and take longer than ciphertext-plaintext multiplication and ciphertext addition to perform (approximately 40-50x longer than ciphertext addition [35,76]), particularly at high maximum ciphertext levels L. This is in part because ciphertext rotation and ciphertext-ciphertext multiplication involve complex automorphism and computationally expensive key switching operations
[0070] ,
[0094] Unfortunately, bootstrapping operations are by far the most expensive homomorphic encryption operation and can take up to 100 times longer to perform than ciphertext rotation and ciphertext-ciphertext multiplication, taking dozens of seconds on a CPU
[0051] and hundreds of milliseconds on a GPU
[0093] , Further, bootstrapping is largely unavoidable for inference and fine-tuning of large-scale machine learning models and must be invoked frequently (e.g., over 1000 times for a single ResNet-20 inference), creating a major bottleneck in private machine learning [25, 50, 52],25KILPATRICK TOWNSEND 80329055 1G. Prior Attempts to Perform He-Based Private ML
[0095] There have been various prior attempts to privately perform computationally expensive tasks such as machine learning inference and address some of the computational cost issues described above. One line of research focuses on algorithmic and hardware optimizations to accelerate encrypted machine learning under fully HE-based, non-interactive protocols [8, 15, 18, 26, 35, 41, 50, 65, 82], These approaches rely on bootstrapping to refresh noisy ciphertexts and support deep circuit evaluations, employ optimized data packing and algorithmic designs [29, 40, 50] to reduce the overall complexity of HE operations, use techniques such as dedicated ciphertext packing to exploit single instruction multiple data (SIMD) parallelism for vectorized computing on CPUs and GPUs [8, 18, 41], and further use specialized hardware accelerators to speed up primitive HE operations like bootstrapping [42, 49],
[0096] Despite these efforts, bootstrapping remains an apparently unavoidable bottleneck in end-to-end secure machine learning, and a large gap persists between theoretical progress and practical secure machine learning. For example, state of the art HE-encrypted fine-tuning on CIFAR-10 using a Vision Transformer backbone can take up to 52 minutes on a GPU, with bootstrapping and matrix multiplication accounting for 35% and 55% of the run-time, respectively
[0052] ,
[0097] Additionally, existing ciphertext packing methods based on row-major formats [21, 29, 40, 45, 50] are not output-oriented, leading to the performance of redundant HE operations (e.g., excessive ciphertext rotations) to compute unnecessary intermediate results. More recent approaches [2, 52, 71] adopt matrix blocking and zero-padding to reduce rotation complexity, but they sacrifice ciphertext slot utilization and increase the overall computational complexity of ciphertext multiplication and ciphertext addition operations. Moreover, modern machine learning models often involve changes in intermediate dimensions, which can lead to slot underutilization in intermediate ciphertexts. Existing approaches typically overlook the importance of maintaining high slot utilization during layer-wise processing and struggle to adapt to dynamic changes in intermediate dimensions. This ciphertext underutilization reduces the effectiveness of SIMD parallelism, which is useful for performing the homomorphic computations associated with machine26KILPATRICK TOWNSEND 80329055 1learning workloads. This limitation highlights a key efficiency gap that is addressed by embodiments, as described further below.
[0098] Another line of research focuses on hybrid solutions that combine homomorphic encryption with two-party computation and secret sharing [34, 37, 55, 56, 58, 62, 80], These methods typically offload the expensive bootstrapping operations to the client side by sending intermediate ciphertext results in secret-shared form for decryption and re-encryption, thereby avoiding bootstrapping and reducing communication overhead for secure matrix-matrix multiplications compared to traditional MPC protocols [17, 44, 47, 59, 60], While such approaches improve performance, communication costs remain a major bottleneck, particularly for large-scale model inference, since they usually require communication at every evaluation layer and cannot fully exploit the multiplicative depth supported by state of the art homomorphic encryption systems for consecutive layer computations. As an example, evaluating ResNet-32 on CIFAR requires over 200 seconds and 6.5 GB of data transfer
[0058] ,
[0099] Notably, recent work BLB
[0080] leverages the CKKS system
[0012] with MPC to reduce communication overhead in a hybrid protocol. The work optimizes communication at the circuit level by fusing consecutive multiplication operations into a single operator (such methods can be integrated into methods according to embodiments to further reduce communication usage). In contrast, methods according to embodiments directly enable multiple consecutive layers to be evaluated entirely within the homomorphic encryption domain, thereby reducing the frequency of communication and improving overall inference efficiency. Moreover, some embodiments integrate homomorphic encryption with threshold decryption
[0054] and cloud-side 2PC to eliminate client-side involvement, further optimizing end-to-end latency.
[0100] Several works also leverage trusted execution environments (TEEs), such as Intel SGX, to bypass bootstrapping by performing decryption and reencryption securely within the enclave on the server [79. 100], However, due to limited computation resource, one-time SGX-bootstrapping also requires a latency of 1.44 s under N = 215parameters. Besides, these approaches require placing the full secret key inside the TEE, raising potential security risks due to side-channel27KILPATRICK TOWNSEND 80329055 1vulnerabilities against TEEs, and weakening the security guarantee of sensitive client data [95, 96], By contrast, embodiments leverage partial decryption and reencryption using threshold homomorphic encryption protocols across two parties to ensure strong security guarantees.H. Design Principles of Embodiments
[0101] In summary, the various existing methods for performing HE-based private computation remain unsatisfactory, either incurring prohibitive computational overhead or introducing large computational costs. In contrast to prior attempts, embodiments of the present disclosure provide a more practical solution to better balance computation and communication costs, greatly improving HE-based private computation (including private machine learning inference and fine-tuning).
[0102] Embodiments of the present disclosure greatly reduce communication overhead compared to previous approaches by better exploiting the multiplicative depth of state of the art homomorphic encryption systems like CKKS. The multiplicative depth of such systems supports the evaluation of multiple computationally intensive operations (e.g., the evaluation of multiple consecutive machine learning layers, e.g., multiple matrix-matrix multiplications), up to the bootstrapping threshold, without requiring communication. This is in contrast to existing HE-MPC approaches [34, 37, 58], which typically require communication after each encrypted layer computation, thereby underutilizing the capability of systems like CKKS for consecutive encrypted computation, thereby incurring excessive communication overhead.
[0103] Further, methods according to embodiments involve performing efficient SIMD-parallel processing on both initially packed and intermediate ciphertext by using maximum ciphertext slot utilization, minimizing wasted computational resources from empty or invalid slots. Typically, intermediate ciphertexts generated using layer-wise processing often become sparsely packed (i.e., contain empty or invalid slots) due to feature dimension reductions (resulting from e.g., 1x1 convolutions or classification layers in machine learning).Subsequent stages, such as feature expansion or gradient backpropagation, can project ciphertexts back to higher dimensions, resulting in excessive and costly ciphertext operations, particularly ciphertext rotation and ciphertext-ciphertext 28KILPATRICK TOWNSEND 80329055 1multiplication, greatly increasing computational overhead. Existing state of the art ciphertext packing methods largely overlook this inefficiency when optimizing matrixmatrix multiplications, which dominate computationally intensive tasks such as private machine learning inference and fine-tuning. By contrast, “output-aware r-slice data packing methods” according to embodiments achieve much greater ciphertext slot utilization, resulting in faster and more efficient performance, as discussed further below.
[0104] Additionally, methods according to embodiments reduce client involvement, comparable to non-interactive HE-only approaches, while maintaining strong security guarantees. Embodiments of the present disclosure minimize client responsibility, performing all private computations, including refreshing ciphertexts via decryption and re-encryption “bootstrapping” using computer systems according to embodiments.
[0105] Across experimental tasks corresponding to a range of representative machine learning benchmarks, including private inference on graph convolution networks (GCNs), ResNet, variational autoencoders (VAE), and regression models, as well as logistic regression training and low rank adaptation (LoRA) fine-tuning, embodiments outperform current state of the art works in the field of HE-based private computation. Embodiments of the present disclosure perform their respective tasks up to 173.59x, 130.84x, and 12.77x faster than non-interactive FHE-Nexus (NDSS’25), HE+2PC hybrid protocol BOLT (S& P’24), and private fine-tuning HETAL (ICML’23) respectively. Embodiments of the present disclosure set a new performance standard in the field of HE-based private computation and advance HE-based private machine learning inference toward practical usability.II. EMBODIMENTSA. Summary of Embodiments
[0106] Embodiments of the present disclosure and these experiments are described in more detail further below. These include efficient bootstrapping methods according to embodiments, output-aware r-slice data packing methods according to embodiments, parameter selection methods according to embodiments,29KILPATRICK TOWNSEND 80329055 1and private model fine-tuning methods according to embodiments using low-rank adaptation.
[0107] As a general summary, some embodiments are directed to novel bootstrapping methods, which greatly reduce the time and computational cost associated with denoising ciphertexts during HE-based private computation by replacing conventional bootstrapping operations, which are slow and computationally demanding. In embodiments, two computer systems can perform fast and secure ciphertext denoising using partial decryption and re-encryption via threshold cryptography. Embodiments can be used to denoise ciphertexts with a latency on the order of milliseconds (i.e., orders of magnitude faster than conventional bootstrapping), without compromising security and without requiring client involvement.
[0108] Efficient bootstrapping methods according to embodiments can be used to perform various private computing tasks, including private machine learning model inference and private model fine-tuning. Private model fine-tuning can be further improved using novel fully homomorphic low rank adaptation methods, systems, and machine learning models according to embodiments. Sometimes referred to herein as “FHE-LoRA,” such embodiments comprise novel machine learning modules and methods for HE-friendly fine-tuning of model adapters, preserves the utility of pre-trained backbone models by avoiding modifications to their complex non-linear components, while also maintaining a low computational depth, thereby reducing inference costs. These integrated modules enable efficient fine-tuning and secure inference without compromising accuracy or increasing computational overhead.
[0109] To further reduce computational overhead and improve the speed and efficiency of computationally intensive private computing tasks (e.g., private machine learning), some embodiments are directed to an output-oriented r-slice data packing method that minimizes costly ciphertext rotation operations and ciphertext-ciphertext multiplication operations due to wasted slot utilization. In general, a computer system according to embodiments can “repack” sparse ciphertexts, aggregating them into fewer, fully packed ciphertexts, thereby reducing the number of homomorphic operations that need to be performed, improving speed and efficiency.30KILPATRICK TOWNSEND 80329055 1
[0110] Additionally, some embodiments are directed to an automatic encryption parameter selection method (or “auto- / V method”), which can minimize latency by optimizing encryption parameters for homomorphic encryption evaluation circuits. A computer system can perform encryption parameter selection methods according to embodiments to determine parameters that reduce the number of homomorphic operations that need to be performed, thereby improving the speed and efficiency of computationally demanding private computations.B. PP-BOOT
[0111] As described above, some embodiments are directed to novel ciphertext denoising methods, which greatly reduce the time and computational cost associated with denoising ciphertexts during HE-based private computation. These methods are summarized then described in more detail with reference to FIG. 3, which depicts an HE-based private computation system according to some embodiments. As described in the Summary, it should be understood that the term “bootstrapping” is used herein for ease of explanation. Technically, efficient “bootstrapping” methods according to embodiments comprise ciphertext denoising methods via threshold decryption and re-encryption. However, as such methods serve as a substitute for bootstrapping, the term is used for convenience.
[0112] In summary, a client computer 302 can use first computer system 304 and second computer system 306 (which may comprise server computers associated with a cloud service provider) to perform a private computing task on the client computer’s 302 input data. As an example, the input data could comprise features that a client wishes to evaluate via a machine learning model, a task which client computer 302 is not powerful enough to perform. Additionally, this input data can be private or sensitive, such that the client is unwilling (or unable due to privacy rules or regulations) to provide that input data to the first computer system 304 and the second computer system 306 in unencrypted form. As a more concrete example, a client could comprise a small healthcare provider that wants to perform a genomics screening for a patient, but cannot perform that screening on their own, and does not wish to violate that patient’s privacy by providing the client’s genomic data (in unencrypted form) to operator(s) of the first computer system 304 and the second computer system 306.31KILPATRICK TOWNSEND 80329055 1
[0113] Embodiments assume that the first computer system 304 and the second computer system 306 are operated by honest-but-curious parties, i.e., such parties will follow methods according to embodiments, but may attempt to learn private information. In order to preserve privacy, client computer 302 can encrypt input data, thereby generating a ciphertext input, which the client computer 302 can transmit to the first computer system 304 and / or the second computer system 306 instead of the plaintext input data. The ciphertext input can be encrypted using a public key, which may correspond to a secret key. Both the secret key and the public key can be generated by a key generator 308. The secret key can be split into two secret key shares, and the public key and the two secret key shares can be transmitted to first computer system 304 and second computer system 306, such that one computer system receives one key share, the other computer system receives the other key share, and both computer systems receive the public key. It is assumed that first computer system 304 and second computer system 306 are not colluding, and thus neither computer system has access to the other computer system’s secret key share. Thus, neither computer system can fully decrypt the ciphertext input, preventing either computer system or their respective operators from acquiring the client computer’s 302 input data in plaintext form.
[0114] Either computer system can then perform homomorphic operations corresponding to a private computing task on the ciphertext input, producing a “ciphertext partial result” with each step of the private computation (except for the final step, which produces a “ciphertext result”). Eventually, the noise budget for the private computation may be exhausted (e.g., the multiplicative level of the ciphertext partial result reaches a threshold level, e.g., zero). At this point, the first computer system 304 and second computer system 306 can perform efficient bootstrapping methods according to embodiments to denoise the ciphertext partial result.
[0115] In summary, whichever computer system was last performing private computations (e.g., first computer system 304) can mask the ciphertext partial result of those computations, partially decrypt the masked ciphertext partial result using its secret key share, then transmit a partially decrypted masked ciphertext partial result to the other computer system (e.g., second computer system 306), e.g., over a TLS channel. The other computer system can then complete the decryption of the32KILPATRICK TOWNSEND 80329055 1masked partially decrypted ciphertext partial result, producing a masked plaintext partial result. The other computer system can then re-encrypt the masked plaintext partial result using the public key, then homomorphically unmask the resulting masked ciphertext partial result, reproducing the ciphertext partial result with the ciphertext level restored to a maximum ciphertext level L.
[0116] The private computing task can then be continued by either computer system, repeating efficient bootstrapping methods according to embodiments as necessary (e.g., each time the ciphertext level is reduced to a threshold ciphertext level, e.g., zero) until a ciphertext result is produced. At this point, either computer system (e.g., whichever computer system performed the final homomorphic operations) can transmit the ciphertext result to client computer 302. Client computer 302 can then decrypt the ciphertext result using the secret key. If necessary, various further processing can be performed based on the plaintext computation result, examples of which are provided further below.
[0117] in some embodiments the first computer system 304 can comprise a first trusted execution environment 310 and the second computer system can comprise a second trusted execution environment 312. In order to mitigate the risk of collusion between the first computer system 304 and the second computer system 306, methods according to embodiments can be performed using first trusted execution environment 310 and second trusted execution environment 312, e.g., secure computations can be performed within these trusted execution environments, secret key shares can be stored within these trusted execution environments, etc. To further improve security, first trusted execution environments 310 and second trusted execution environment 312 can comprise trusted execution environments produced by different non-colluding vendors, reducing the risk of side-channel attacks. This ensures that even if one trusted execution environment is compromised, the confidentiality of the data is maintained, as no single trusted execution environment has access to the complete secret key. Client computer 302 can use authentication service provider 314 and authentication service provider 316 (e.g., comprising the vendors of trusted execution environment 310 and trusted execution environment 312) to authenticate trusted execution environment 310 and trusted execution environment 312.33KILPATRICK TOWNSEND 80329055 1
[0118] It should be appreciated that the numbers of devices, entities, and components shown in FIG. 3 were selected for simplicity of illustration and explanation. It should be understood that systems according to embodiments of the present disclosure can include more than one of each device, entity, component, computer system, etc. For example, first computer system 304 and second computer system 306 could perform MLaaS services for a variety of client computers including client computer 302, and such client computers can use multiple key generators 308. In addition, some systems according to embodiments may include a lesser number of devices, entities, and / or components or a greater number of devices, entities, and / or components than those shown in FIG. 3.
[0119] In more detail, if trusted execution environment 310 and trusted execution environment 312 are being used to perform methods according to embodiments, at step 318, the client computer 302 can request authentication of first trusted execution environment 310 and second trusted execution environment 312 from authentication service provider 314 and authentication service provider 316. In some embodiments, authentication service provider 314 and authentication service provider 316 can comprise non-colluding vendors or manufactures of trusted execution environment 310 and trusted execution environment 312. In some embodiments, client computer 302 can request authentication via a message transmitted to authentication service provider 314 and authentication service provider 316, e.g., requesting that those authentication service providers verify that the first trusted execution environment 310 and the second trusted execution environment 312 are legitimate trusted execution environments that will execute valid code using valid data.
[0120] At step 320, first trusted execution environment 310 and second trusted execution environment 312 can be authenticated via remote attestation, e.g., by authentication service provider 314 and authentication service provider 316.While a detailed description of remote attestation is generally beyond the scope of this disclosure, in general, authentication service provider 314 and authentication service provider 316 can send a message requesting signed state data from first trusted execution environment 310 and second trusted execution environment 312 respectively. First trusted execution environment 310 and second trusted execution environment 312 can then collect state data representative of their current internal 34KILPATRICK TOWNSEND 80329055 1states, comprising e.g., a cryptographic hash of loaded application code, runtime parameters and settings, specific hardware and firmware versions of the trusted execution environments, etc., then each sign their respective state data using their respective private keys (creating digital signatures) and transmit the encrypted state data to their respective authentication service provider. Authentication service providers 314 and 316 can then use corresponding public keys to verify the digital signatures, then verify the correctness of the state data provided by the trusted execution environments.
[0121] Alternatively, in some embodiments, client computer 302 can perform verification itself, i.e., by requesting signed state data from first trusted execution environment 310 and second trusted execution environment 312, verifying digital signatures, verifying correctness of state data, etc. As such, even in embodiments in which first trusted execution environment 310 and second trusted execution environment 312 are used, authentication service provider 314, authentication service provider 316, and step 318 may be optional.
[0122] At step 322, a key generator 308 can generate a public-private key pair comprising a public key pk and a secret key sk. The key generator 308 can additionally generate a first secret key share sk and a second secret key share sk2from the secret key, e.g., via additive secret sharing, e.g., sk = sk + sk2mod Q, where Q is the modulus of the underlying cryptosystem, i.e., a cryptosystem that permits leveled homomorphic encryption (LHE) and / or fully homomorphic encryption (FHE). As such, in some embodiments the first secret key share can correspond to the second secret key share, the secret key, and the public key. Likewise, the second secret key share can correspond to the first secret key share, the secret key, and the public key. After generating the cryptographic keys and secret key shares, the key generator 308 can provide the public key pk, the secret key sk, the first secret key share sk and the second secret key share sk2to the client computer 302. In some embodiments, client computer 302 can comprise the key generator 308, i.e., client computer 302 can generate the public-private key pair, the first secret key share, and the second secret key share.
[0123] It should be understood however that in embodiments, any appropriate LHE or FHE cryptosystem can be used, such as CKKS
[0012] , BGV [6], or BFV
[0022] ,35KILPATRICK TOWNSEND 80329055 1and cryptographic keys and key shares can be generated in accordance with the key generation methods defined by such cryptosystems.
[0124] At step 324, client computer 302 can homomorphically encrypt its input for a private computation using the public key pk, producing a ciphertext input. Such an input can comprise any conceivable inputs to a private computing task, e.g., sensitive data that is to be operated on using a computationally demanding process that the client computer 302 is not powerful enough to perform. In the context of private machine learning inference, the ciphertext inputs can comprise an encrypted set of machine learning model features and the private computing task (performed by the first computer system 304 and the second computer system 306) can comprise a private machine learning inference task. A ciphertext result, resulting from the private machine learning task could then comprise an encrypted machine learning model output produced using a machine learning model. For example, client computer’s 302 ciphertext input could comprise private medical data that a client operator of the client computer 302 (e.g., a doctor, a patient, etc.) wishes to privately evaluate using a diagnostic machine learning model corresponding to first computer system 304 and second computer system 306, and the ciphertext result could comprise an encrypted diagnosis report, e.g., indicating the probabilities or risk factors for various diseases.
[0125] At step 326, the client computer 302 can transmit the public key, the first secret key share sk and the second secret key share sk2, and the ciphertext input to first computer system 304 and second computer system 306, such that each computer system receives the public key, and one of the secret key shares. Thus, in some embodiments, the first computer system 304 can receive the first secret key share and the second computer system can receive the second secret key share at step 326. Additionally, in some embodiments the first computer system can receive the ciphertext input (encrypted using the public key) from the client computer 302 at step 326.
[0126] Alternatively, the key generator 308 can transmit the public key, the first secret key share, and the second secret key share to the first computer system 304 and the second computer system 306, e.g., if the client computer 302 and key generator 308 comprise different systems or devices.36KILPATRICK TOWNSEND 80329055 1
[0127] The first computer system 304 and the second computer system 306 can comprise server computers that perform private computing tasks (e.g., using methods according to embodiments) on behalf of client computers, e.g., as part of a private “machine learning as a service” (MLaaS) system. As described in more detail below with reference to FIG. 16, first computer system 304 and second computer system 306 can each comprise one or more processors (not pictured) and a non-transitory computer readable medium (e.g., a hard drive, also not pictured) coupled to the one or more processors. The non-transitory computer readable media can comprise code or instructions, executable by the one or more processors, for performing methods according to embodiments.
[0128] Client computer 302 can transmit the public key, the first secret key share, the second secret key share, and the ciphertext input to first computer system 304 and second computer system 306 over a communication network (not pictured), which can take any suitable form, and may include any one and / or the combination of the following: a direct interconnection; the Internet; a Local Area Network (LAN); a Metropolitan Area Network (MAN); an Operating Missions as Nodes on the Internet (OMNI); a secured custom connection; a Wide Area Network (WAN); a wireless network (e.g., employing protocols such as, but not limited to a Wireless Application Protocol (WAP), l-mode, and / or the like); and / or the like. Messages between computers and devices in the system of FIG. 3 and / or over a communication network may be transmitted using a secure communication protocol, such as, but not limited to, File Transfer Protocol (FTP); HyperText Transfer Protocol (HTTP); Secure HyperText Transfer Protocol (HTTPS); Secure Socket Layer (SSL), ISO (e.g., ISO 8583) and / or the like. Any suitable communication protocol can be used to communicate over the communication network, e.g., for the purpose of creating one or more communication channels. A communication channel may, in some instances, comprise a secure communication channel, which may be established in any known manner, such as through the use of mutual authentication, a session key, and establishment of a Secure Socket Layer (SSL) session.
[0129] In some embodiments, the first computer system 304 and the second computer system 306 can receive and store their secret key shares using their respective trusted execution environments. For example, the first computer system 304 can receive the first secret key share from the client computer 302 via a first 37KILPATRICK TOWNSEND 80329055 1transport layer security (TLS) channel between the first trusted execution environment 310 and the client computer 302, such that the first secret key is stored in the first trusted execution environment 310. Likewise, the second computer system 306 can receive the second secret key share from the client computer 302 via a second transport layer security (TLS) channel between the second trusted execution environment 312 and the client computer 302, such that the second secret key share is stored in the second trusted execution environment 312. In this way the client computer 302 can bypass any potentially untrusted infrastructure associated with first computer system 304, second computer system 306, or any communication networks.
[0130] In some private computing tasks, only one computer system may be able to meaningfully perform private computation on the ciphertext inputs at a time. For example, in private machine learning inference, if the first computer system 304 and the second computer system 306 each possess the same machine learning model, having both computer systems perform private machine learning inference simultaneously may result in redundant operations. As such, it may only be necessary for the client computer 302 to transmit the ciphertext input to either the first computer system 304 or second computer system 306.
[0131] Alternatively, if the private computation supports multi-batch processing, the client computer 302 could divide its input into two batches, encrypt each batch with the secret key, then transmit a first batch ciphertext to the first computer system 304 and a second batch ciphertext to the second computer system 306, enabling each computer system to begin performing private computations on its respective batch in parallel. For example, if the client computer 302 wanted to use the first computer system 304 and the second computer system 306 to perform private facial recognition on 1000 images, client computer 302 could divide those 1000 images into two 500 image batches, encrypt those batches, then send the first batch ciphertext to the first computer system 304 and the second batch ciphertext to the second computer system 306.
[0132] It should be understood that steps in methods according to embodiments can be performed in any suitable order. For example, client computer 302 could generate and transmit the secret key shares to the first computer system38KILPATRICK TOWNSEND 80329055 1304 and second computer system 306 (i.e., perform part of step 326), then request authentication (step 318), then transmit the ciphertext inputs to first computer system 304 and second computer system 306 upon authentication of trusted execution environment 310 and trusted execution environment 312 (perform the rest of step 326), or any other suitable ordering.
[0133] At step 328, one or both computer systems can perform a private computing task on the ciphertext input until a noise budget has been exhausted, thereby producing a ciphertext partial result. For example, in some embodiments the first computer system 304 can perform a set of homomorphic operations corresponding to the private computing task on the ciphertext input until a ciphertext level corresponding to the ciphertext partial result (which corresponds to the ciphertext input) is reduced to a threshold ciphertext level, thereby producing the ciphertext partial result. If the private computation allows batch processing, both computer systems can perform step 328 simultaneously on their respective batch ciphertexts.
[0134] For ease of explanation, the description below generally describes the case where only one computer system performs the private computing task at a time, starting with the first computer system at step 328. However it should be understood that the second computer system 306 can instead initiate private computation by performing step 328. More generally it should be understood that the terms “first” and “second” are intended only to differentiate the two computer system and are not intended to indicate an order or priority among the two computer systems.
[0135] The steps performed during the private computing task depend on context in which methods and systems according to embodiments are being used. For example, the operations performed at step 328 may be different if, e.g., the first computer system 304 and the second computer system 306 are being used to perform private 3D rendering than if the first computer system 304 and the second computer system 306 are being used to perform private machine learning inference.
[0136] As an example, in the context of machine learning inference, a private computing task can comprise, e.g., performing homomorphic operations (e.g., ciphertext additions, multiplications, rotations, etc.) in order to privately evaluate39KILPATRICK TOWNSEND 80329055 1matrix multiplications between a ciphertext and weight matrices associated with each layer of a machine learning model, thereby producing a ciphertext partial result. In an initial set of homomorphic operations, the ciphertext input can be homomorphically applied to a first layer of the machine learning model, thereby producing a ciphertext partial result corresponding to the output of that layer. In a subsequent set of homomorphic operations, the ciphertext partial result can be homomorphically applied to the second layer of the machine learning model, and so on. In some embodiments, each computer system can possess the same model with identical weights, e.g., stored on the computer systems in plaintext form, enabling both computer systems to perform homomorphic operations corresponding to a private machine learning inference task (e.g., the first computer system 304 at step 328 and the second computer system 306 at step 342).
[0137] As described further above, performing private computations can reduce the ciphertext level of a ciphertext (e.g., the ciphertext partial result). Once the multiplicative level reaches a threshold ciphertext level (e.g., 0), the noise budget has been exhausted, and further private computation cannot be performed without risking rendering the ciphertext result undecipherable. As such, once the ciphertext level of the ciphertext partial result has been reduced to the threshold ciphertext level, the first computer system 304 and the second computer system 306 can perform steps 330-340 to restore the noise budget by restoring the ciphertext level of the ciphertext partial result back to the maximum ciphertext level, at which point the private computing task can continue (e.g., via one or more additional sets of homomorphic operations) at step 342. This process can be repeated until the private computing task has been completed, at which point an encrypted computation result can be returned to the client computer 302 at step 344.
[0138] At step 330, the first computer system 304 can mask the ciphertext partial result, thereby producing a masked ciphertext partial result. In some embodiments, the first computer system 304 can homomorphically mask the ciphertext partial result using a random mask M. In some embodiments, the random mask M can comprise an integer or integers. In some embodiments, the first computer system 304 can generate the random mask by sampling from a uniform distribution with maximum bits A, where A is the bound on all possible values of integer representations of the client’s plaintext data. In some embodiments, the 40KILPATRICK TOWNSEND 80329055 1computer system can mask the ciphertext partial result using additive homomorphism, i.e., ct' = (CQ, C{) = Encpk(X) + M = Encpk(X + M), where ct' is the masked ciphertext partial result, Encpk(X) represents the ciphertext partial result (i.e., an encryption of the client input X using the public key pk after it has been operated on by the first computer system 304), M is the mask, and ct' = (CQ, ci) = Encpk(X + M) is the masked ciphertext partial result. In some embodiments, the first computer system 304 can mask the ciphertext partial result using the first trusted execution environment 310, i.e., the ciphertext partial result can be masked inside the first trusted execution environment 310.
[0139] This masking process ensures that no individual computer system can learn the client’s plaintext input data, even after the masked ciphertext partial result is decrypted (e.g., at steps 332-336), preserving the client’s privacy. Notably, as efficient bootstrapping methods according to embodiments may be performed several times during private computation (particularly for computationally demanding tasks), the first computer system 304 (and the second computer system 306) may generate several different masks during private computation, e.g., by randomly sampling integers from a uniform distribution each time a new mask is generated. Further details on mask generation processes can be found in
[0024] ,
[0140] At step 332, the first computer system 304 can partially decrypt the masked ciphertext partial result ct' using the first secret key share skltthereby producing a partially decrypted masked ciphertext partial result PDecski(ct'), e.g., via PDecski(ct') = c ■ skr+ esm lmod Q, where esm lis smudging noise sampled from a discrete Gaussian distribution with variance 2λand Q is the modulus. In some embodiments, step 332 can be performed in trusted execution environment 310, i.e., the first computer system 304 can partially decrypt the masked ciphertext partial result using the first trusted execution environment. As a result, applications operating on the first computer system 304 and any operators of first computer system 304 may not have direct access to the first secret key share sk or the decrypted masked ciphertext partial result PDecski(ct').
[0141] At step 334, the first computer system 304 can transmit the partially decrypted masked ciphertext partial result PDecski(ct') to the second computer system 306. As such, at step 334, the second computer system 306 can receive the 41KILPATRICK TOWNSEND 80329055 1partially decrypted masked ciphertext partial result from the first computer system 304, which, as described above, may have been produced by the first computer system 304 during a private computation task in which one or more sets of homomorphic operations were performed, reducing the ciphertext level of the partially decrypted masked ciphertext partial result to the threshold ciphertext level (step 328).
[0142] In some embodiments, at step 334 the first computer system 304 can additionally encrypt the random mask using the public key, thereby producing an encrypted random mask Encpk(M), which the first computer system 304 can additionally transmit to the second computer system 306. Later (at step 340), the second computer system 306 can use the encrypted random mask to homomorphically unmask the masked ciphertext partial result. In some embodiments, the first computer system 304 can also transmit the masked ciphertext partial result ct' to the second computer system 306. In some embodiments, the partially decrypted masked ciphertext partial result, the masked ciphertext partial result, and the encrypted random mask can all be transmitted in a message msg, represented herein as a tuple, i.e., msg = (PDecski(ct'), ct', Encpk(M) ). At the second computer system 306, a malicious program or operator cannot recover the first secret key sk based on the data contained in msg due to the smudging noise esml, thereby preserving privacy of both the client’s input data and the first secret key sk.
[0143] The first computer system 304 can transmit the partially decrypted masked ciphertext partial result (and any other data) to the second computer system 306 using any suitable method, e.g., over a communication network such as the Internet, via a local area network, etc. In some embodiments, the first computer system 304 and second computer system 306 can establish a secure communication channel (e.g., a TLS channel or SSL channel), enabling private transmission of the partially decrypted masked ciphertext partial result. In some embodiments, the first computer system 304 can transmit the partially decrypted masked ciphertext partial result (and any other data) to the second computer system 306 via a third transport security layer channel (or any other suitable secure channel, e.g., SSL) between the first trusted execution environment 310 and the second42KILPATRICK TOWNSEND 80329055 1trusted execution environment 312, such that the second computer system 306 receives the partially decrypted masked ciphertext partial result in the second trusted execution environment 312.
[0144] In some embodiments, the first computer system 304 can additionally generate and transmit a computation identifier or any other suitable data that may enable the second computer system 306 to continue the private computing task at step 342. As a simplified example, if the private computation comprises private inference using a machine learning model with five layers, and approximately 1000 homomorphic operations are performed for each layer, then a computation identifier could comprises e.g., a pair of numbers such as [3, 874], indicating that that the last performed operation was the 874thhomomorphic operation for the 3rdlayer of the machine learning model, that the ciphertext partial result corresponds to the result of this operation, and that private computation should continue with the 875thhomomorphic operation for the 3rdlayer of the machine learning model. In this way, the computation identifier can enable the continuation of the private computing task after bootstrapping is complete.
[0145] At step 336, the second computer system 306 can decrypt the partially decrypted masked ciphertext partial result using the second secret key share sk2, thereby producing a masked plaintext partial result X + M via the decryption principle of threshold homomorphic encryption. By decrypting (and subsequently reencrypting) the partially decrypted masked ciphertext partial result, the second computer system 306 effectively resets the noise level, permitting future homomorphic operations (after the masked plaintext partial result is re-encrypted and unmasked, as described below). Because the second computer system 306 does not have access to the random mask in plaintext form, the second computer system 306 is unable to unmask the masked plaintext partial result to acquire a plaintext partial result (i.e., plaintext partial computations produced based on the client’s private inputs), thereby preserving the client’s privacy. In some embodiments, second computer system 306 can perform step 336 using trusted execution environment 312, i.e., the partially decrypted masked ciphertext can be decrypted using the second secret key share within second trusted execution environment 312.43KILPATRICK TOWNSEND 80329055 1
[0146] At step 338, the second computer system 306 can encrypt the masked plaintext partial result using the public key pk (e.g., received from the client computer 302 or the key generator 308 at step 326), thereby reproducing the masked ciphertext partial result with the ciphertext level restored to a maximum ciphertext level L. In some embodiments, the second computer system 306 can encrypt the masked plaintext partial result within second trusted execution environment 312.
[0147] After encrypting the masked plaintext partial result, the second computer system 306 can cause the private computing task to be completed. The second computer system 306 can do so by first causing the masked ciphertext partial result to be homomorphically unmasked, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level.Subsequently, the second computer system 306 can cause one or more additional sets of homomorphic operations corresponding to the private computing task to be performed using the (i) the ciphertext partial result, or (ii) the ciphertext partial result and one or more additional ciphertext partial results produced by the one or more additional sets of homomorphic operations, thereby causing a ciphertext result to be produced and transmitted to a client computer (step 344). In general terms, in some embodiments, the one or more additional sets of homomorphic operations can comprise all of the homomorphic operations that need to be performed to complete the private computing task, which may be performed by the first computer system 304, the second computer system 306, or a combination thereof.
[0148] There are various ways in which the second computer system 306 can cause the masked ciphertext partial result to be homomorphically unmasked (a process generally corresponding to step 340, described below), e.g., either homomorphically unmasking the masked ciphertext partial result itself, or transmitting the masked ciphertext partial result back to the first computer system 304, enabling the first computer system 304 to homomorphically unmask the masked ciphertext partial result. Likewise, there are various ways in which the second computer system 306 can cause one or more additional sets of homomorphic operations corresponding to the private computing task to be performed (a process generally corresponding to step 342, described below), i.e., by performing some number of sets of homomorphic operations itself, then transmitting a resulting partially decrypted masked ciphertext partial result to the first computer system 30444KILPATRICK TOWNSEND 80329055 1(enabling the first computer system 304 to perform denoising and continue the private computing task), or just by transmitting the masked ciphertext partial result back to the first computer system 304, enabling the first computer system 304 to homomorphically unmask the masked ciphertext partial result and continue the private computing task.
[0149] At step 340, either the first computer system 304 or the second computer system 306 can homomorphically unmask the masked ciphertext partial result (e.g., using the encrypted random mask), e.g., by homomorphically subtracting the encrypted mask Enc^M^ from the masked ciphertext partial result EnCpk(X + M to produce the ciphertext partial result EnCpk(X), i.e., EnCpk(X) = EnCpk(X + M) - Encpk(M). As such, in some embodiments, at step 340, the second computer system 306 can cause the private computation to be completed by transmitting the masked ciphertext partial result to the first computer system 304, such that the first computer system 304 can homomorphically unmask the masked ciphertext partial result, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level L. In other embodiments, the second computer system 306 can homomorphically unmask the masked ciphertext partial result, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level.
[0150] Afterwards, at step 342, either the first computer system 304 or the second computer system 306 can continue performing private computation, e.g., by performing the one or more additional sets of homomorphic operations.Homomorphic operations can be performed until the ciphertext level of the any ciphertext partial results is reduced to the threshold ciphertext level, at which point steps 330-340 can be repeated. This entire process can be repeated until the private computation is completed and a ciphertext result has been produced. Once the private computation has been completed, at step 344, either the first computer system 304 or the second computer system 306 can transmit the ciphertext result to the client computer 302, e.g., whichever computer system performed the final homomorphic operation can transmit the ciphertext result of that homomorphic operation to the client computer 302.45KILPATRICK TOWNSEND 80329055 1
[0151] There are various ways that step 342 can be performed, depending on how the first computer system 304 and the second computer system 306 are configured to perform the private computing task, the nature of the private computing task being performed, and the number of homomorphic operations (in the one or more additional sets of homomorphic operations) that need to be performed to complete the private computing task. For example, in some embodiments the one or more additional sets of homomorphic operations can comprise a second set of homomorphic operations. In some embodiments, the first computer system 304 can perform step 342 by performing the second set of homomorphic operations on the ciphertext partial result, thereby producing the ciphertext result. In other embodiments, the second computer system 306 can perform step 342 by performing the second set of homomorphic operations on the ciphertext partial result, thereby producing the ciphertext result.
[0152] As an alternative, the one or more additional sets of homomorphic operations can comprise a second set of homomorphic operations and one or more subsequent sets of homomorphic operations, e.g., homomorphic operations that need to be performed after the second set of homomorphic operations are completed. In this case, to cause the private computing task to be completed, at step 342, the second computer system 306 can perform the second set of homomorphic operations on the ciphertext partial result until a second ciphertext level of a second ciphertext partial result (i.e., the partial result of the second set of homomorphic operations) is reduced to the threshold level. In this way, the second computer system can produce the second ciphertext partial result.
[0153] The second computer system 306 and first computer system 304 can then repeat the bootstrapping process (steps 330-340) described above on the second ciphertext partial result, but this time initiated by the second computer system 306. In other words, the second computer system 306 can mask the second ciphertext partial result, thereby producing a second masked ciphertext partial result (step 330), partially decrypt the second masked ciphertext partial result using the second secret key share, thereby generating a second partially decrypted masked ciphertext partial result (step 332), and transmit the second partially decrypted masked ciphertext partial result to the first computer system 304 (step 334). The first computer system 304 can then decrypt the second partially decrypted masked 46KILPATRICK TOWNSEND 80329055 1ciphertext partial result using the first secret key share, thereby producing a masked plaintext partial result (step 336) and encrypt the second masked plaintext partial result using the public key, thereby reproducing the second masked ciphertext partial result with the second ciphertext level restored to the maximum ciphertext level (step 338).
[0154] The first computer system 304 can subsequently cause the private computing task to be completed using the second masked ciphertext partial result by causing the second masked ciphertext partial result to be homomorphically unmasked, thereby reproducing the second ciphertext partial result with the second ciphertext level restored to the maximum ciphertext level (step 340). The first computer system 304 can additionally cause the one or more subsequent sets of homomorphic operations to be performed on (iii) the second ciphertext partial result or (iv) the second ciphertext partial results and one or more subsequent ciphertext partial results produced by the one or more subsequent sets of homomorphic operations, thereby causing the ciphertext result to be produced (step 342) and transmitted to the client computer 302 (step 344).
[0155] As described above, there are various ways that steps 340 and 342 can be performed, e.g., either by the first computer system 304 or second computer system 306. In some embodiments, the first computer system 304 can cause the second masked ciphertext partial result to be homomorphically unmasked by homomorphically unmasking the second masked ciphertext partial result itself.Subsequently, if the one or more subsequent sets of homomorphic operations comprise a third set of homomorphic operations, the first computer system 304 could cause the one or more subsequent sets of homomorphic operations to be performed by performing the third set of homomorphic operations on the second ciphertext partial result, thereby producing the ciphertext partial result.
[0156] It should be understood that the line of description provided above can be extended to any number of sets of homomorphic operations and any number of ciphertext partial results (e.g., a third ciphertext partial result, a fourth ciphertext partial result, etc.). More generally, it should be understood that in methods according to embodiments, any number of homomorphic operations can be performed on any number of ciphertext partial results, either by one computer47KILPATRICK TOWNSEND 80329055 1system or both computer systems (e.g., alternating) until the ciphertext result is produced.
[0157] At step 344, the first computer system 304 or the second computer system 306 (e.g., whichever computer system performed a final set of homomorphic operations) can transmit the ciphertext result to client computer 302 in any suitable manner, e.g., over a communication network such as the Internet (e.g., the same communication network over which the first computer system 304 and second computer system 306 received the first key share, second key share, ciphertext input, etc.), via a secure communication channel, etc.
[0158] At step 346, the client computer 302 can decrypt the ciphertext result using the secret key, thereby producing a plaintext result. Optionally, at step 348, the client computer 302 can perform any applicable further processing based on the plaintext result. Such further processing may depend on the nature of the private computing task performed by the first computer system 304 and the second computer system 306. For example, if the first computer system 304 and the second computer system 306 performed private 3D rendering for client computer 302, then the plaintext result may comprise an image generated by rendering an encrypted 3D model file, and the further processing could comprise, e.g., displaying the image, uploading the image to a website, etc. As another example, if the first computer system 304 and the second computer system 306 performed private machine learning facial recognition for a client computer 302 that manages access to a secure building, then the plaintext result could comprise a classification indicating whether an individual located at the entry to the building is authorized to access the building (generated based on facial recognition), and the further processing could comprise, e.g., electronically unlocking the door of the building in order to grant the individual access to the building (presuming that the individual is authorized). As another example, if the first computer system 304 and the second computer system 306 perform private machine learning based genomics screening on a patient for a client computer 302 associated with a medical practice, then the plaintext result could comprise data indicating risk factors for various diseases, and the further processing could comprise, e.g., automatically scheduling a follow-up appointment in a calendar application, sending an email to an email address associated with the patient indicating that their genetic screening has been completed, etc. More examples of 48KILPATRICK TOWNSEND 80329055 1further processing operations are described below in the context of embodiments of the present disclosure, e.g., LoRA-based model fine-tuning methods according to embodiments described below with reference to FIG. 4.1. Application: Fine-Tuning on Cloud (FHE-LoRA)
[0159] The method of FIG. 3 can be used to perform various private computing tasks, including model fine-tuning using FHE-LoRA (low-rank adaptation) methods and machine learning models according to embodiments, which address some of the difficulties associated with performing model fine-tuning using low-rank adaptation.
[0160] For context, LoRA
[0033] is a recently developed method for model fine-tuning, particularly suited for fine-tuning large “backbone” models. LoRA has several strengths, including parameter efficiency, memory efficiency, and flexibility. More specifically, fine-tuning using LoRA is useful because LoRA models often have a small fraction of the parameters of the backbone models they are fine-tuning. For example, a diffusion model characterized by a 6.8 GB parameter set can be finetuned using a LoRA model characterized by a 0.22 GB parameter set (approximately 30 times smaller). As such, fine-tuning by training a LoRA model is quicker and less computationally demanding than fine-tuning by re-training a backbone model, as the speed and complexity of training in the plaintext space is proportional to the number of model parameters.
[0161] A LoRA model generally works by processing the inputs or intermediate products of a backbone model (e.g., embeddings produced by layers of the backbone model) using pairs of low-rank adaptation matrices, rather than individual weight matrices. The result of this processing can then be re-integrated into the backbone model, e.g., by being combined with intermediate products of the backbone model then processed using a subsequent layer of the backbone model. In this way, a LoRA model can be used to change the intermediate products and outputs of a backbone machine learning model, without otherwise modifying the backbone machine learning model. This can be useful for fine-tuning, as the LoRA model, rather than the backbone model, can be trained during fine-tuning.49KILPATRICK TOWNSEND 80329055 1
[0162] One dimension (i.e., the “rank”) of the low-rank adaptation matrices used in LoRA models is typically much smaller than the corresponding dimension of a comparable weight matrix. As a result, the total number of parameters (weights) of a pair of low rank adaptation matrices is typically much smaller than the total number of parameters of a comparable weight matrix. As an example, a 10,000 x 10,000 weight matrix (comprising 100,000,000 parameters) could be replaced by a 10,000 x 100 low-rank adaptation matrix and a 100 x 100,000 low-rank adaptation matrix, which have a matrix product that is the same dimensions as the weight matrix, but only comprise 2,000,000 total parameters, thereby reducing the parameter count by a factor of 50. As the time and computation complexity associated with training machine learning models is proportional to the parameter count, using low-rank adaptation matrices reduces the time and complexity of performing model fine-tuning than direct retraining of backbone models.
[0163] In more specific terms, in one LoRA configuration, the output of the ithlayer of a machine learning system comprising a backbone machine learning model and a LoRA module (which can be part of a larger LoRA model) can be represented by Yt= XtWt + Xt Wt = XiWt + X^At, where Ytis the output of the ithlayer, Xtis the input to the ithlayer, Wtis a weight matrix associated with the ithlayer (and thus the matrix multiplication X^ is effectively the output of the ithlayer of the backbone model in the absence of LoRA), and X^Wi = X^A, is the output of the LoRA module corresponding to the ithlayer, i.e., the matrix multiplication of the inputs and low-rank adaptation matrices Btand At. During model fine-tuning, a computer system could fine-tune the parameters of the (presumably smaller) low-rank adaptation matrices Btand Atrather than the (presumably larger) weight matrix Wt, reducing the memory footprint, improving computation speed and efficiency, and enabling fine-tuning of large models using limited computing resources. In addition, LoRA can be individually applied to various types of layers within a backbone model (e.g., attention layers, fully connected layers, convolution layers, etc.), allowing for targeted fine-tuning of specific components of a backbone model without modifying the backbone model’s architecture.
[0164] Unfortunately, directly using state of the art LoRA modules to perform private fine-tuning via homomorphic encryption of a private dataset is computationally inefficient and also requires modifying the architecture of the50KILPATRICK TOWNSEND 80329055 1backbone model, eliminating one of the advantages of using LoRA. Generally, in order to perform private fine-tuning using LoRA, the client’s inputs to LoRA modules must be encrypted. Thus, the weights of the LoRA modules after performing an update during private training are also ciphertexts. This means that the next pretrained layer of the backbone model has to be evaluated using HE-inference operations rather than performing standard plaintext evaluation. Further, because homomorphic encryption systems generally do not support non-linear operations, non-linear model activation functions in the backbone model have to be replaced with approximate polynomial functions in order to perform HE-inference. These approximate polynomial functions can negatively affect model accuracy
[0091] and are slow and computationally expensive to perform.
[0165] However, some embodiments of the present disclosure use a novel LoRA architecture that do not require modifications to pretrained backbone models or their non-linear activation functions, thereby improving accuracy and speed.Methods according to embodiments for performing private fine-tuning and inference using FHE-LoRA are described below with reference to FIG. 4.
[0166] FIG. 4 shows a diagram of a system and method for performing low-rank adaptation methods according to embodiments, particularly using a low-rank adaptation model 422 (e.g., an FHE-LoRA model according to embodiments) used to perform classification (e.g., via classification layer 428). In the system of FIG. 4, a client computer 402 can possess a (pre-trained) client machine learning model 404. The client computer 402 or its operator may wish to leverage the service and computational resource provided by a cloud machine learning as a service (MLaaS) system in order to perform LoRA-based model fine-tuning or inference using the client’s data. To this end, the client computer 402 can communicate with a system comprising a first computer system and second computer system 420 (e.g., the system of FIG. 3 described above), which may train or evaluate the low-rank adaptation model 422 responsive to the communication from the client computer.
[0167] The client machine learning model 404 can comprise a plurality of layers 406-408 and a final model layer 410, e.g., comprising pre-trained encoders defined by their respective sets of pre-trained model weights. It should be understood that the number of layers shown in FIG. 4 was selected for ease of51KILPATRICK TOWNSEND 80329055 1illustration and is not intended to be limiting. The client computer 402 can use the plurality of layers 406-408 and the final layer 410 to produce a plurality of client model layer outputs 412-414 and a final client model layer output 416 (all of which can comprise embeddings) produced using final layer 410 based on the inputs to the plurality of layers 406-408 and the final layer 410. For example, client computer 402 can use layer 406 to produce client model layer output 412 based on input data 418 (which can also comprise an embedding), then use layer 408 to produce client model layer output 414 based on client model layer output 412, then use final layer 410 to produce final client model layer output 416 based on client model layer output 414.
[0168] The client computer 402 can encrypt the plurality of client model layer outputs 412-414, thereby generating a plurality of encrypted client model layer outputs 434-436. The client computer 402 can also encrypt the final client model layer output 416, thereby generating an encrypted final client model layer output 438. The client computer 402 can transmit the plurality of encrypted client model layer outputs 434-436 and the encrypted final client model layer output 438 to the first computer system and second computer system 420 for use in a private computing task (e.g., private training of low-rank adaptation model 422 or private inference using low-rank adaptation model 422). This private computing task can comprise the private computing task of FIG. 3. As such, in some embodiments, the ciphertext input (received at step 326 of the method of FIG. 3) can comprise a plurality of encrypted client model layers outputs corresponding to a plurality of layers in a client machine learning model and an encrypted final client model layer output corresponding to a final layer of the client machine learning model.
[0169] One or both of the first computer system and second computer system 420 can possess a copy of the low-rank adaptation model 422. The low-rank adaptation model 422 can comprise a plurality of low-rank adaptation modules 424-426 (also referred to as ’’low-rank adaptation elements”) as well as a classification layer 428 (e.g., a fully connected layer, a multilayer perceptron, etc.). Each low-rank adaptation module can comprise a pair of low-rank matrices, e.g., low-rank adaptation module 424 can comprise low-rank matrix 430 and low-rank matrix 432.
[0170] The first computer system and second computer system 420 can use the plurality of low-rank adaptation modules 424-426 to privately evaluate the plurality of52KILPATRICK TOWNSEND 80329055 1encrypted client model layer outputs 434-436, thereby producing a plurality of encrypted low-rank adaptation outputs 444. For example, the first computer system and second computer system 420 can use low-rank adaptation module 424 to privately evaluate encrypted client model layer output 434 and use low-rank adaptation module 426 to privately evaluate encrypted client model layer output 436.
[0171] The private computing task of FIG. 3 can include the private evaluation of the plurality of encrypted client model layer outputs 434-436 using the plurality of low-rank adaptation modules 424-426 (in addition to other private operations). Thus in some embodiments, the set of homomorphic operations and the one or more additional sets of homomorphic operations (described above with reference to steps 328 and 342 of FIG. 3) can include a first plurality of homomorphic operations corresponding to the private evaluation of the plurality of encrypted client model layer outputs 434-438 using the plurality of low-rank adaptation module 424-426, which can result in the plurality of encrypted low rank adaptation outputs 444. This first plurality of homomorphic operations could comprise, e.g., homomorphic operations associated with performing matrix multiplications between encrypted client model layer outputs and low-rank matrices, e.g., privately computing the matrix product of encrypted client model layer output 434, low-rank matrix 430, and low-rank matrix 432.
[0172] Once the ciphertext level of a ciphertext partial result produced via the first plurality of homomorphic operations is reduced to a threshold ciphertext level (e.g., zero), the first computer system and second computer system 420 can perform efficient bootstrapping methods according to embodiments (e.g., steps 330-340 of FIG. 3), thereby refreshing the ciphertext level to the maximum ciphertext level.Afterwards, the first computer system and second computer system 420 can continue to perform the private computing task (e.g., private training or inference of low-rank adaptation model 422).
[0173] Unlike normal approaches to LoRA, in which the outputs of LoRA modules are re-integrated into backbone models for further processing, low-rank adaptation methods according to embodiments involve a novel combination step 442. In combination step 442, the first computer system and second computer system 420 can privately combine the plurality of encrypted low-rank adaptation53KILPATRICK TOWNSEND 80329055 1outputs 444 and the encrypted final client model layer output 438, thereby producing an encrypted combination 446. In some embodiments, the private computing task of FIG. 3 can include privately performing combination step 442. As such, in some embodiments, the set of homomorphic operations and the one or more additional sets of homomorphic operations can include one or more homomorphic operations corresponding to a private combination of the plurality of encrypted low-rank adaptation outputs 444 and the encrypted final client model layer output 438. The one or more homomorphic operations can result in the encrypted combination 446.
[0174] Further steps can depend on whether the private computing task comprises training the low-rank adaptation model 422 or using it to perform finetuned inference. In some embodiments, in which the private computing task (e.g., of FIG. 3) comprises private training of the low-rank adaptation model 422, the set of homomorphic operations and the one or more additional sets of homomorphic operations can further include a second plurality of homomorphic operations corresponding to private training of the low-rank adaptation model 422 based on the encrypted combination. The second plurality of homomorphic operations can produce the ciphertext result 440, which can comprise an encrypted parameter set corresponding to the low-rank adaptation model 422. Specific details on private machine learning model training, e.g., backpropagation, are beyond the scope of this disclosure. Generally however, in order to train a low-rank adaptation module, the first computer system and second computer system 420 can privately compute a gradient (e.g., an averaged gradient) of the loss function L with respect to the parameters of low rank adaptation matrices A and B (e.g., low-rank matrix 430 and low-rank matrix 432) ’ viadA = XT(y^dT-BT)J= - d^W-BTand dB = (VXA')7T(v^dT')7= ATdW’ in which Y is an activation value. The first computer system and second computer system 420 can further employ the formulas (i) A^ = Vtct~^W((Pct- Yct)TX’)BT, (ii) B& = Ktct- ^ATW((Pct- Yctyx'\ (iii) V& = (1 - YtWt+1 + and (iv) Kt+i = (1 - + YtBf, in which Pct= Softmax(X(Vt r'), to perform backpropagation.
[0175] In other embodiments, in which the private computing task comprises private inference using the low-rank adaptation model 422, the second plurality of homomorphic operations can correspond to a private evaluation of the encrypted 54KILPATRICK TOWNSEND 80329055 1ciphertext using the classification layer 428. The second plurality of homomorphic operations can result in the ciphertext result 440, which can comprise an encrypted classification.
[0176] In some embodiments, the parameters of the low-rank adaptation model 422 can be synchronized during private computations. For example, if the first computer system and the second computer system 420 are performing private model fine-tuning using low-rank adaptation model 422, during efficient bootstrapping methods according to embodiments, one of the computer system can transmit the encrypted intermediate model weights along with any applicable partially decrypted masked ciphertext partial results to the other computer system, enabling the other computer system to continue performing private computations after denoising.
[0177] After completing private fine-tuning or inference, thereby producing ciphertext result 440, the first computer system and second computer system 420 can transmit the ciphertext result 440 to the client computer 402. The client computer 402 can decrypt the ciphertext result 440 and perform further processing as needed. For example, if the ciphertext result 440 comprises an encrypted parameter set corresponding to the low-rank adaptation model 422, the client computer 402 can decrypt the ciphertext result 440 to produce a plaintext result comprising a parameter set corresponding to the low-rank adaptation model 422. The client computer 402 could then perform further processing by performing inference using the client machine learning model 404 and the low-rank adaptation model 422, i.e., “fine-tuning” client machine learning model 404 using low-rank adaptation model 422. As another example, if the ciphertext result 440 comprises an encrypted facial recognition classification indicating that an individual is authorized to access a secure building, client computer 402 could decrypt the facial recognition classification and perform further processing by sending a signal to unlock an electronic door, thereby granting the individual access to the secure building.C. Output-Aware R-Slice Data Packing
[0178] As described above, some embodiments are directed to output-aware r-slice data packing methods according to embodiments. A computer system can use these methods to minimize the number of unnecessary homomorphic operations 55KILPATRICK TOWNSEND 80329055 1performed due to wasted slot utilization. These methods reduce amortized overhead and maximize data processing efficiency in a variety of private computation tasks, including private machine learning inference and fine-tuning. These output-aware r-slice data packing methods may be particularly useful for private low-rank adaptation, e.g., as described above, as (consistent with their name) low-rank adaptation matrices usually have a low-rank r, e.g., r « E, and thus private matrix multiplication operations lead to a large dimensional change and wasted ciphertext slots. By performing r-slice data packing methods according to embodiments before performing private matrix-multiplication operations during low-rank adaptation, a computer system (e.g., a first computer system or second computer system described above with reference to FIGs. 3 or 4) can reduce the number of homomorphic operations that need to be performed during private matrix-matrix multiplication operations (particularly ciphertext rotation operations), thereby improving the speed and efficiency of FHE-LoRA methods according to embodiments.
[0179] For more context, cryptosystems such as CKKS enable “packing” encryptions of multiple data values into single ciphertexts. For example, instead of individually encrypting the numbers 123, 456, and 789 to produce three ciphertexts, a single ciphertext can be generated that stores all three of those numbers. Each number could be stored in a different “slot” of the ciphertext. Storing multiple data values in a single ciphertext enables more efficient private computation using e.g., Single Instruction Multiple Data (SIMD) processing [74, 75], It is possible for slots in ciphertexts to be empty, i.e., not store encrypted data values. Empty slots represented a wasted opportunity to perform SIMD private computation on data that could have been stored in those slots. Thus, wasted slot utilization over multiple ciphertexts can lead to ineffective computation, relative to more densely packed ciphertexts.
[0180] Wasted slot utilization is relatively common in existing approaches to private machine learning fine-tuning and inference. This is because the outputs of computations frequently performed in machine learning (e.g., matrix-matrix and matrix-vector multiplications) are often different sizes from the inputs to those computations, while the ciphertext representations of those inputs and outputs are fixed. For example, a graph convolution network (GCN) may reduce an input 56KILPATRICK TOWNSEND 80329055 1containing approximately 3700 features down to an output containing 32 intermediate features after a weight matrix multiplication is performed, i.e., the input dimension E = 3700 and the output dimension r = 32. Loosely speaking, if those 3700 features were stored in a fully packed ciphertext, the resulting intermediate ciphertext now only uses 32 out of the 3700 slots, i.e., the intermediate ciphertext wastes 3668 slots (i.e., E - r = 3700 - 32 = 3668). This is a problem for future private computations on the intermediate ciphertext, which may involve a large number of homomorphic operations (e.g., ciphertext rotation and ciphertextciphertext multiplication) that are (in loose terms) being performed on slots that do not actually contain data and are thus largely pointless.
[0181] In other words for feature-extraction operations performed during private machine learning, multiplying a ciphertext fully-packing E elements with a weight matrix of dimension E x r, yields an output ciphertext where r slots contain valid data. When r < E, this leads to E - r wasted slots per ciphertext. Since homomorphic operations are executed in a SIMD fashion, such low slot utilization reduces throughput per ciphertext from E to r, thereby degrading overall computation efficiency. When these underutilized ciphertexts are further propagated into subsequent layers, e.g. a ciphertext with r valid slots is multiplied by an r x E matrix, both computational and memory overheads worsen due to redundant HE operations and ciphertexts.
[0182] Embodiments address this problem by providing methods for packing ciphertexts based on the size of the size of the output dimension r, hence the term “output aware r-slice data packing methods”. Methods according to embodiments are more efficient, adaptive, and better tailored to the actual requirements of layerwise processing during private machine learning inference. These methods maximize slot utilization and minimize rotation complexity, thereby improving computation efficiency.
[0183] The description of methods according to embodiments below considers two cases in which the input and output dimensions E and r of a private matrixmatrix multiplication may differ. In the first case, corresponding to feature extraction, represented by the matrix multiplication XW, X is a matrix of real numbers of dimensions Bsand E, while W (e.g., a weight matrix) is a matrix of real numbers of57KILPATRICK TOWNSEND 80329055 1dimensions E and r, i.e., X e HSfisX£' and W e IR£xr. In the second case, corresponding to feature transformation, represented by the matrix multiplication X'W', X' is a matrix of real numbers of dimensions Bsand r, while W' is a matrix of real numbers of dimensions r and E, i.e., X' e IRSsXrand W e HxE. E = r is treated as a special case of the second case.
[0184] An output-aware r-slice data packing method according to embodiments can be better understood with reference to the pseudocode of FIG. 5.
[0185] By performing steps associated with the pseudocode of FIG. 5, a computer system (e.g., the first computer system or second computer system of FIGs. 3 or 4) can determine a number of slices per rank s and a number of feature groups F based on the rank size r, a ciphertext slot count M and embedding dimension E, e.g., s = ” and F = (line 504). The computer system can then permute an input embedding X e IRBsX£' into a four-dimensional structure with dimensions Bsx r x s x F to facilitate slicing and packing operations, (line 506). For each feature group f, the computer system can iteratively flatten (e.g., in a round robin manner) the Bsx r x s slice corresponding to that feature group along its dimensions into a one-dimensional tensor suitable for encryption (nested for loops of lines 510-530 with the one-dimensional tensor initialized at line 502). The computer system can encrypt the flattened tensor and store it sequentially, e.g., by appending it to an encrypted input list encinput(line 528, with the encrypted input list initialized at line 508). By organizing data into r-slice ciphertexts, the computer system can ensure efficient utilization of available slots, minimizing redundant computations. The final output is a list of encrypted tensors encinput, which can be used in private computations (line 532).
[0186] In some embodiments, the ciphertext input of the method of FIG. 3 can comprise an encrypted matrix comprising one or more encrypted elements. A first dimension of the encrypted matrix can comprise a batch dimension Bsand a second dimension of the encrypted matrix can comprise an embedding dimension E. The one or more homomorphic operations can correspond to a private matrix multiplication between the encrypted matrix and a matrix. In some embodiments, the matrix can comprise a low-rank weight matrix corresponding to a low-rank adaptation module. A first dimension of the matrix can comprise the embedding dimension and 58KILPATRICK TOWNSEND 80329055 1a second dimension of the matrix can comprise a matrix rank r. In some embodiments, the matrix rank can be less than the embedding dimension. The first computer system can transform the ciphertext input into an encrypted onedimensional tensor comprising a plurality of sets of encrypted elements from the encrypted matrix. The plurality of sets of encrypted elements (e.g., the slices described above) can be determined based on the batch dimension, the embedding dimension, and the matrix rank (e.g., according to the formulas s = ” and F =
[0187] Likewise, in some embodiments, the ciphertext partial result of the method of FIG. 3 can comprise an encrypted matrix comprising one or more encrypted elements. A first dimension of the encrypted matrix can comprise a batch dimension, a second dimension of the encrypted matrix can comprise an embedding dimension. Further, the one or more additional sets of homomorphic operations can correspond to a private matrix multiplication between the encrypted matrix and a matrix (e.g., a weight matrix or a low-rank weight matrix corresponding to a low-rank adaptation module). A first dimension of the matrix can comprise the embedding dimension and a second dimension of the matrix can comprise an embedding rank. The first computer system can transform the ciphertext partial result into an encrypted one-dimensional tensor comprising a plurality of sets of encrypted elements from the encrypted matrix. The plurality of sets of encrypted elements can be determined based on the batch dimension, the embedding dimension, and the matrix rank. In some embodiments, the computer system can perform this transformation homomorphically.
[0188] In some embodiments, a client computer (e.g., client computer 302 of FIG. 3) can perform r-slice data packing methods according to embodiments prior to transmitting the ciphertext input to the first computer system and the second computer system. As such, in some embodiments, the ciphertext input can comprise an encrypted one-dimensional tensor generated based on a plaintext input matrix. A first dimension of the plaintext input matrix can comprise a batch dimension. A second dimension of the plaintext input matrix can comprise an embedding dimension. The one or more homomorphic operations can correspond to a private matrix multiplication between the plaintext input matrix, represented by the encrypted one-dimensional tensor, and a matrix. A first dimension of the matrix can comprise59KILPATRICK TOWNSEND 80329055 1the embedding dimension. A second dimension of the matrix can comprise a matrix rank. The client computer can generate the encrypted one-dimensional tensor based on the plaintext input matrix by determining a plurality of sets of elements from the plaintext input matrix based on the batch dimension, the embedding dimension, and the matrix rank, e.g., generating the one-dimensional tensor by concatenating the plurality of sets of elements (e.g., corresponding to line 520 of FIG. 5) and encrypting the one-dimensional tensor, thereby generating the encrypted onedimensional tensor (e.g., corresponding to line 528 of FIG. 5).
[0189] Performing a private matrix-matrix multiplication operation using ciphertexts packed using methods according to embodiments may require less homomorphic operations than performing a private matrix-matrix multiplication operation using ciphertexts packed using other data packing methods. Additionally, the homomorphic operations performed during a private matrix-matrix multiplication operations using ciphertexts packed using methods according to embodiments may be different than the homomorphic operations used to perform private matrix-matrix operations using ciphertexts packed using other data packing methods. A brief description of private matrix-matrix multiplication operations in the feature extraction case XW and the feature transformation case X'W' is provided below. Additionally, a comparison of the efficiency of private matrix-matrix multiplication operations performed on ciphertexts packed using methods according to embodiments versus private matrix-matrix multiplication operations performed on ciphertexts using state of the art methods is provided further below with reference to FIGs. 6A and 6B.
[0190] In the feature extraction case, XW, a computer system performing a private matrix-matrix multiplication operation can perform s x Bsoffset rotations on a packed ciphertexts to generate r copies of the ciphertexts. Subsequently, the computer system can homomorphically multiply each ciphertext by its corresponding weights from the weight matrix W and aggregate the result into a single intermediate ciphertext. Afterwards, the computer system can perform data aggregation by performing log(s) consecutive rotate-and-add operations to obtain the ciphertext encrypting XW, completing the matrix-matrix multiplication.
[0191] In the feature transformation case X'W', the process is generally reversed. The computer system can first perform log(s) consecutive rotate-and-add60KILPATRICK TOWNSEND 80329055 1operations to expand a packed ciphertext into a higher dimensional form.Afterwards, the computer system can multiply the expanded ciphertexts with the corresponding weights from the weight matrix W'. The computer system can sum up the results across all intermediate ciphertexts to produce the final ciphertext that encrypts X'W', completing the matrix-matrix multiplication.
[0192] In order to perform SIMD processing, the weight matrices W and W' can be encoded into a diagonal-encoding format
[0029] , e.g., similar to the diagonalencoding format used in data packing methods such as Orion. The weight matrices W and W' can also be duplicated Bstimes to match the batch size of the input X. This duplication enables efficient parallel computation in the encrypted domain.
[0193] These operations may be better understood with reference to FIGs. 6A and 6B, which generally compare processes for performing matrix multiplications on ciphertexts packed using r-slice data packing methods according to embodiments, conventional diagonal-encoding methods
[0029] , and state of the art ciphertext packing methods Orion (ASPLOS’25)
[0021] and Fhelipe (S& P’24)
[0045] , FIG. 6A relates to a feature extraction case and FIG. 6B relates to the feature transformation case.
[0194] FIG. 6A considers a private matrix multiplication between a ciphertext 602 X of dimensions 1 x 8 and a weight matrix W of dimensions 8 x 2 (not pictured). Thus E = 8 and r = 2. The ciphertext 602, generated using r-slice data packing methods according to embodiments, is divided into slice 604 and slice 606. To perform a private matrix-matrix multiplication, a computer system can perform one slice-wise ciphertext rotation on the ciphertext 602 to obtain two aligned ciphertext copies. The computer system can then multiply the aligned ciphertext copies with corresponding weight vectors from the weight matrix W, resulting in two immediate ciphertextsThe computer system can sum the intermediate ciphertexts to produce another intermediate ciphertext ct'. The computer system can then perform a slice-wise data reduction on the intermediate ciphertext ct' by performing log(4) = 2 ciphertext rotation operations to combine each slot within its respective slice.
[0195] By contrast, using conventional diagonal-encoding
[0029] , the input ciphertext is rotated 8 - 1 = 7 times to produce 8 rotated copies of the ciphertext. After this rotation, each ciphertext slot is aligned for multiplication with the weight matrix W and summation. Therefore it takes seven total ciphertext rotation61KILPATRICK TOWNSEND 80329055 1operations to perform matrix multiplication (in this example case) on ciphertexts encoded using conventional diagonal-encoding methods, versus only three (1 + log(4) = 3) ciphertext rotation operations to perform matrix multiplication on ciphertexts encoded using r-slice data packing methods according to embodiments. Thus, methods according to embodiments reduce the number of ciphertext rotation operations performed during private matrix multiplications, improving the speed and efficiency of private computations that involve matrix multiplications, e.g., private machine learning model inference.
[0196] FIG. 6B considers a private matrix multiplication between a ciphertext input matrix 608 X' of dimensions 1 x 2 and a weight matrix W’ of dimensions 2 x 8 (not pictured). Thus r = 8 and E = 2 and two valid data elements in the ciphertext are used to produce eight outputs. Thus the number of valid slots per ciphertext increases from two to eight. In general, a computer system can reverse the process described above with reference to FIG. 6A in order to perform data expansion. The computer system can first perform log(4) = 2 ciphertext rotation operations to duplicate the valid data elements in ciphertext 608 throughout the slots. The computer system can then multiply the resulting ciphertext by the weight matrix W', then perform one ciphertext rotation operation to produce the output ciphertext, for a total of 1 + log(4) = 3 ciphertext rotation operations.
[0197] By contrast, performing a feature transformation matrix multiplication using ciphertexts packed using other methods requires more ciphertext rotation operations. Orion (ASPLOS’25)
[0021] requests four times as many ciphertext rotation operations to compute eight outputs from two ciphertext slots. Fhelipe (S& P’24)
[0045] requires log(4) ciphertext rotations for every two output slots, resulting in a total of 4 x log(4) ciphertext rotations. A more detailed theoretical complexity comparison between methods according to embodiments and Orion is presented below.
[0198] Assuming a ciphertext in Orion is fully packed with E features, aggregating these features for the output requires aligning data within the ciphertext into the same slot for SIMD addition. This alignment incurs numerous rotations, as each element must be shifted appropriately. For each ciphertext, this process involves up to E - 1 rotations. Thus the total rotation complexity of Orion is -^-(F -1). By contrast, the rotation complexity for evaluating XW matrix multiplications62KILPATRICK TOWNSEND 80329055 1using r-slice data packing methods according to embodiments comprises two terms. The first is the complexity of slice-wise rotation operations on input ciphertexts O(r -1), and the second is the complexity of data aggregation within slices O(log(s)). Thus the total rotation complexity is(r - 1) + ^^-log(s). Because E > r, methods according to embodiments have complexity on the order of O(log(s) + r), which is better than Orion’s complexity on the order of O(E).
[0199] In general, for HE-based model training or fine-tuning, after the output Y of a layer is computed in the forward pass (i.e., the matrix multiplication Y = XW), the resulting matrix Y can be used to update model weights (e.g., of the weight matrix W) in a backward propagation phase of model training. The backward propagation phase of HE-based model training can involve matrix multiplications between an encrypted matrix and the transpose of another matrix, and thus a brief discussion of the theoretical rotation complexity of private transpose matrix multiplications performed using ciphertext matrices packed using r-slice data packing methods according to embodiments may be helpful.
[0200] Unlike forward pass computations, multiplication with a transposed weight matrix aggregates data along the opposite dimension, i.e., if data is aggregated along the F-dimenson in a forward pass, it is aggregated along the r-dimension in the backward pass. To perform transposed matrix multiplications in the backwards pass, a computer system can rotate each ciphertext packing an encrypted weight matrix W one time. Next, the computer system can perform a ciphertext-ciphertext multiplication operation between the rotated ciphertexts of the weight matrix W and the ciphertext encrypting Y to compute the results used to update the weights of the weight matrix W. The extra rotation complexity incurred while evaluating matrix-and-transposed matrix multiplications on ciphertexts packed (B XEXT' \- D. Auto-N
[0201] Some embodiments are directed to an automated encryption parameter selection method (or “auto- / V method”), which can minimize latency by optimizing encryption parameters for homomorphic encryption evaluation circuits. A computer system can perform encryption parameter selection methods according to63KILPATRICK TOWNSEND 80329055 1embodiments to determine parameters that reduce the number of homomorphic encryption operations that need to be performed, thereby improving the speed and efficiency of computationally demanding private computations, e.g., a private computing task as described above with reference to FIG. 3.
[0202] For context, in HE-based private computation, the polynomial degree parameter N and maximum multiplicative level parameter L influence the maximum supported homomorphic encryption circuit depth, the number of available data slots per ciphertext, communication latency, and the per-operation latency of homomorphic operations such as ciphertext rotation and ciphertext-ciphertext multiplication. Larger values of N and L have the benefit of decreasing the number of bootstrapping operations that need to be performed. This is because bootstrapping is performed once the current multiplicative level of a ciphertext is reduced to a threshold ciphertext level by homomorphic operations. By starting at a higher level L, it is possible to perform more homomorphic operations between each bootstrapping operation, thus reducing the total number of bootstrapping operations that are performed over the course of a private computation. Larger values of N and L also have the benefit of reducing communication overhead, e.g., increasing N from 213to 215on a private inference task using ResNet-20 can reduce communication overhead by a factor of 8
[0041] ,
[0203] Unfortunately, larger values of N and L have the downside of increasing the amount of time it takes to perform homomorphic operations. FIG. 2C (described above) shows how increasing the value of L greatly increases the per-operation latency of ciphertext rotation and ciphertext-ciphertext multiplication (as those operations need to be performed on higher level ciphertexts
[0042] ). Even still, because conventional bootstrapping has such significant latency compared to homomorphic operations like ciphertext rotation and ciphertext-ciphertext multiplication (e.g., taking hundreds of times as long to perform), prior works [42, 50] often adopt large polynomial degrees, e.g., 216or 217, to reduce bootstrapping frequency.
[0204] However, because bootstrapping methods according to embodiments are considerably faster and more efficient than conventional bootstrapping methods (refer to the experiments described further below), it is not necessary to use large64KILPATRICK TOWNSEND 80329055 1values of N and L to minimize the number of bootstrapping operations. Additionally, because bootstrapping methods according to embodiments consume less (or zero) multiplicative levels, bootstrapping methods according to embodiments enable some linear computations to be performed at lower multiplicative levels, which usually isn’t possible when conventional bootstrapping is used.
[0205] Instead, in embodiments, encryption parameters can be optimized based on other considerations, such as the number and latency of homomorphic encryptions that need to be performed during private computation, communication overhead (e.g., due to the frequency of communications or transmission volume between a first computer system and a second computer system during efficient bootstrapping methods according to embodiments), etc. In this way, embodiments of the present disclosure can provide further speed and efficiency benefits to HE-based private computations.
[0206] As such, in some embodiments, a computer system can perform an automatic encryption parameter selection method in order to determine encryption parameters to use for subsequent HE-based private computation operations (e.g., the method described above). This automatic encryption parameter selection method can be thought of as a compiler method for efficient private computation. The computer system can use various data, such as input tensor dimensions, encoding strategy data, and evaluation circuit descriptions to determine optimal encryption parameters N and L, while adhering to system-level constraints like memory usage and communication overhead.
[0207] Thus, in some embodiments, before performing a set of homomorphic encryption operations (e.g., as described above with reference to FIG. 3), a first computer system (e.g., first computer system 304 of FIG. 3) can determine a set of homomorphic encryption parameters from a plurality of candidate sets of encryption parameters based on an estimated number of ciphertext rotation operations and / or an estimated number of ciphertext-ciphertext multiplication operations. The set of homomorphic encryption parameters can minimize the estimate number of ciphertext rotation operations and / or the estimated number of ciphertext-ciphertext multiplication operations. A first secret key share, a second secret key share, a secret key, a public key, a set of homomorphic operations (e.g., performed at step65KILPATRICK TOWNSEND 80329055 1328 of FIG. 3), and one or more additional sets of homomorphic operations (e.g., performed at step 342 of FIG. 3) can correspond to the set of encryption parameters. For example, the set of encryption parameters can characterize a cryptosystem (e.g., CKKS) to which the first secret key share, the second secret key share, the secret key, the public key, the first set of homomorphic operations and the second set of homomorphic operations correspond. In some embodiments, the set of homomorphic operations and the one or more additional sets of homomorphic operations can include a plurality of ciphertext rotation operations and a plurality of ciphertext-ciphertext multiplication operations. Consequently, by determining a set of homomorphic encryption parameters that minimize the estimated number of ciphertext rotation operations and / or the estimated number of ciphertext-ciphertext multiplication operations, the first computer system can determine a set of homomorphic encryption parameters that reduces the number of homomorphic operations in the set of homomorphic operations and the one or more additional sets of homomorphic operations, thereby reducing the time it takes for the first computer system and the second computer system to complete the private computing task.
[0208] In some embodiments, the set of homomorphic encryption parameters can include a cyclotomic polynomial degree N and / or a maximum ciphertext level L. In some embodiments, the set of homomorphic encryption parameters can be determined based on an estimated transmission volume (e.g., in gigabytes of data) between the first computer system and the second computer system (in addition to the estimated number of ciphertext rotation operations and / or the estimated number of ciphertext-ciphertext multiplication operations. The estimated transmission volume can be less than a threshold transmission volume.
[0209] Automated parameter optimization methods may be better understood with reference to the pseudocode of FIG. 7. In general, by performing steps corresponding to the pseudocode of FIG. 7, a computer system (e.g., the first computer system 304 of FIG. 3) can perform a search over a set of candidate values of N based on a minimization of the total latency of rotation operations performed by an evaluation circuit (•) and a given communication round budget C (a threshold transmission volume). Such an evaluation circuit (•) can correspond to a private computing task, e.g., private machine learning model inference, private machine learning model fine-tuning, etc., as described above with reference to FIGs. 3 and 4.66KILPATRICK TOWNSEND 80329055 1
[0210] After initializing a minimum rotation number (or latency) tracker Rotmin(line 702), the computer system can iterate over the plurality of candidate sets of homomorphic encryption parameters, which can comprise candidate (cyclotomic) polynomial degrees N (for loop of lines 704-715). For each candidate polynomial degree, the computer system can determine the number (or latency) of rotation operations corresponding to that candidate polynomial degree (line 706). If the number (or latency) of rotation operations is less than the minimum rotation number (or latency) tracker Rotmin, and that candidate polynomial degree does not cause the number of communication rounds to exceed the communication round budget, i.e., the estimated transmission volume is less than the threshold transmission volume (line 708), then the computer system can update the optimal polynomial degree tracker and the minimum rotation number (or latency) tracker Rotmin(lines 710 and 712). After performing this process for each candidate polynomial degree, the computer system can return the optimal polynomial degree N* at line 716, which can comprise the polynomial degree that minimizes the number (or latency) of rotation operations that are performed when evaluating circuit (•).III. EXPERIMENTS
[0211] Several experiments were conducted in order to evaluate the performance and practicality of embodiments of the present disclosure. These experiments were performed using several widely recognized datasets and a range of well-known neural network architectures.
[0212] The experimental datasets related to a variety of machine learning tasks, including image classification, character recognition, anomaly detection, and graph inference. Methods according to embodiments were tested using these datasets in both inference and fine-tuning experiments. The experimental datasets included Citeseer
[0072] (a citation network with 3,327 scientific publications, each represented by 3,703 binary word features); KDD’99
[0038] (a benchmark dataset for anomaly detection with tabular data containing 41 features); NTU-RGB+D
[0073] (a large-scale human action recognition dataset with input tensor in a 2 x 3 x 256 x 25 tensor format for two individuals with 3D skeleton joints over time); MNIST
[0049] (70k grayscale images of handwritten digits); CIFAR-10
[0046] (60k color images across 10 object classes); CIFAR-100
[0046] (60k color images across 100 fine-grained classes);67KILPATRICK TOWNSEND 80329055 1and EMNIST Balanced Letters
[0016] (145,600 grayscale images of 26 merged-case alphabet letters, evenly distributed across classes). Together, these datasets reflect diverse tasks and offer comprehensive benchmarks for evaluating model performance across varied computational settings.
[0213] The experimental neural network architectures included a variety of well-known neural network architectures, including transformer-based models, graph-based models, and residual models, enabling methods according to embodiments to be evaluated in different domains. The experimental model architectures include ViT-Patch 16-224
[0020] , a vision transformer that processes images as sequences of 16x16 patches using 12 transformer layers and 12 attention heads (which has achieved strong performance on classification tasks); GCN
[0067] , a graph convolutional model for link prediction with 2 hidden layers; VAE
[0027] , a variational auto-encoder model with a three layer encoder and a three layer decoder; ST-GCN-6-256
[0081] , a graph convolutional model for skeleton-based action recognition that captures both spatial and temporal dynamics from human joint sequences; ResNet-20
[0032] , a compact residual network with 20 convolutional layers, designed for efficient image classification on datasets like CIFAR-10 and CIFAR-100, using shortcut connections to alleviate gradient vanishing. Additionally, Logistic Regression was used on the MNIST dataset for binary classification experiments.
[0214] In these experiments, the softmax implementation in [52, 82] was used, and various polynomial activation approximations were used for the non-linear activation functions of GCN, VAE, ST-GCN-6-256 [66, 67], ResNet-20
[0059] , and Logistic Regression [30, 39], For fine-tuning experiments, backbone models were trained on MNIST, CIFAR-10, EMNIST-Letters, and CIFAR-100 with hyperparameters of 7 / 9 / 15 / 20 epochs and batch sizes of 1024 / 2048 / 2048 / 2048, using learning rates of 0.2 / 0.1 / 0.1 / 0.1, respectively. Additionally, following [50, 82], a bootstrapping method based on
[0010] (with updates to meet the latest security and precision requirements) was used for comparison with bootstrapping methods according to embodiments.
[0215] For all experiments, a scaling factor of A= 240was used to ensure the accuracy of encrypted inference and fine-tuning. Thus, each rescale operation68KILPATRICK TOWNSEND 80329055 1consumed 40 bits of the ciphertext modulus Q. Experiments included four different parameter settings varying from {N = 213, 214, 215, 216}, all of which are chosen with the appropriate Q to guarantee a A = 128-bit security level [5], Although prior work
[0071] attempts to optimize parameter selection through theoretical analysis, the relationship between parameters and HE operation latency in real-world implementations does not fully align with theoretical analysis. Thus, the experiments present four representative parameter configurations to illustrate performance tradeoffs due to different parameter settings.
[0216] Experiments were conducted on a computer system equipped with AMD Ryzen Threadripper PRO 7975WX CPU and NVIDIA RTX A6000 GPUs.Experiments used liberate-fhe v0.9.0
[0019] to implement the RNS-variant of CKKS
[0011] . In the experiments, it was assumed that the round-trip latency for transferring intermediate ciphertexts between two servers with 3 Gbps bandwidth was 0.8 ms in the LAN setting.
[0217] Methods according to embodiments were compared to two state of the art baselines. The first baseline is non-interactive FHE-based machine learning GPU inference, implemented using Nexus (NDSS’25)
[0082] , The second baseline is a homomorphic encryption and two-party computation (HE+2PC) hybrid protocol. Since no prior HE+2PC methods have been evaluated on GPUs, the baseline HE+2PC protocol was implemented following BOLT (S& P’24)
[0062] , using a one-time linear multiplication followed by a single round of communications. Non-linear functions were evaluated using polynomial approximation for both baseline methods and methods according to embodiments. Experimental evaluation metrics mainly consist of communication usage, computation latency, and the number of HE operations performed. As demonstrated by the experiments, methods according to embodiments approve performance without affecting inference latency.
[0218] End-to-end performance experiments, summarized in the table of FIG.8, demonstrate that methods according to embodiments (labeled “Ours” in the table) consistently outperform all benchmarks in terms of total latency. Methods according to embodiments perform 173.49x, 82.66x, 14.07x, 63.44x, and 58.99x faster than the FHE benchmark for experiments involving GCN, VAE, ST-GCN-6-256, ResNet-20, and Logistic Regression respectively. For all experimental model architectures69KILPATRICK TOWNSEND 80329055 1excluding VAE, methods according to embodiments achieved the best performance in the LAN and WAN settings with N = 213,214,214,215for GCN, ST-GCN-6-256, ResNet-20, and Logistic Regression respectively. For VAE, methods according to embodiments achieve the best performance with N = 213in the LAN setting and 214in the WAN setting.
[0219] Generally, by replacing expensive bootstrapping methods with efficient bootstrapping methods according to embodiments, reducing the number of homomorphic encryption operations that are performed (e.g., via r-slice data packing methods according to embodiments), and reducing communication overhead, methods according to embodiments achieve the lowest computation latency across all benchmarks. Moreover, methods according to embodiments demonstrate even better efficiency when evaluating models with complex operations and large matrix multiplications. For example, while GCN does not require bootstrapping, it still achieves the largest latency speedup due to layer-wise r-slice data packing methods according to embodiments, which efficiently handles the large feature dimension reduction from 3703 to 32 via weight matrix multiplication. Thus methods according to embodiments are particularly useful for improving the efficiency of large private machine learning tasks, e.g., tasks involving deeper or wider model architectures, more neural network layers, more intensive computation operations, large scale matrix multiplications, etc.
[0220] Further, compared to the HE+2PC benchmark, methods according to embodiments greatly reduces communication cost with theoretical guarantees. For instance, in benchmark Logistic Regression, a computer system using the HE+2PC benchmark incurs one communication per multiplication operation, while a computer method performing according to embodiments (under the best configuration N = 215) can perform 16 multiplications before requiring a single communication. The HE+2PC therefore conducts much more frequent communication achieving much lower latency improvements, especially for extensively deep computation circuit. This is evidenced by the HE+2PC benchmark’s 1,07x latency speedup on the logistic regression task in the WAN setting, which is much less than the 15.92x latency speedup achieved by methods according to embodiments in the same setting.70KILPATRICK TOWNSEND 80329055 1
[0221] Further experiments were performed to compare latency for efficient bootstrapping methods according to embodiments, homomorphic encryption operations (including ciphertext-ciphertext multiplications and ciphertext rotations), and a conventional bootstrapping method for various encryption parameters N.These experiments are summarized in the bar graph of FIG. 9. The y-axis corresponds to different encryption parameters and operations for methods according to embodiments, as well as existing bootstrapping methods. The x-axis depicts the latency in milliseconds (ms) on a log scale.
[0222] For bootstrapping methods according to embodiments, latency remains consistently low, ranging between 9 ms and 14 ms across all encryption parameter values, and is even faster than ciphertext-ciphertext multiplication and ciphertext rotation when N = 216. This demonstrates the efficiency of bootstrapping methods according to embodiments across various encryption parameters. In contrast, the conventional bootstrapping method had a significantly higher latency of 1907 ms, over 100 times slower than bootstrapping methods according to embodiments.Additionally, during private computations, methods according to embodiments perform bootstrapping operations less frequently than conventional bootstrapping methods because methods according to embodiments consume less ciphertext levels (e.g., 0) than conventional bootstrapping methods, resulting in even greater performance improvements. For example, in the experiments of FIG. 9, the maximum ciphertext level L = 35 and the conventional bootstrapping method consumes Lboot= 14 levels, versus zero levels for bootstrapping methods according to embodiments. Thus, using bootstrapping methods according to embodiments, private computations can be performed for all 35 levels before bootstrapping needs to be performed, while using conventional bootstrapping, private computations can only be performed for 35 - 14 = 21 levels before bootstrapping needs to be performed.
[0223] An ablation study for bootstrapping methods according to embodiments was also conducted for various machine learning task. The ablation study focused on latency, communication overhead, and overall latency speedup. The results are summarized in the table of FIG. 10. To ensure a fair comparison, the encryption parameter N was fixed for each machine learning task: 214for GCN (a shallow model) and 216for the remaining deeper models. Each benchmark includes two 71KILPATRICK TOWNSEND 80329055 1baselines: (i) the original HE implementation, and (ii) a level-saving variant designed to reduce bootstrapping frequency. For GCN, VAE, and ST-GCN- 6-25, the baselines are CryptoGCN and LinGCN. CryptoGCN preserves all activation layers and approximates them using degree-2 polynomials, while LinGCN prunes 1, 1, and 7 redundant activation layers from GCN, VAE, and ST-GCN-6-25, respectively. For ResNet-20, comparisons were made with Lee et al.
[0050] , which employs high-degree (27) ReLU polynomial approximations, and AESPA
[0063] , which uses degree-2 approximations with some accuracy trade-off. For logistic regression, baselines used both degree-7 and degree-3 polynomial approximations.
[0224] Across all benchmarks, methods according to embodiments greatly reduce latency, even when compared to level-saving baselines, while incurring only modest communication overhead. This efficiency gain stems from two main factors: (1) elimination of bootstrapping operations, and (2) faster HE operations enabled by lower-level ciphertexts. The benefits are especially pronounced in the high-level ciphertext setting (N = 216), where methods according to embodiments achieves speedups of 4.4x for VAE, 4.83x for ST-GCN-6-256, 11,37x for ResNet-20, and 3.58x for logistic regression. In contrast, level-saving baselines such as LinGCN
[0064] , AESPA
[0063] , and HELR
[0030] provided limited speedup due to constraints on noise budget and model expressiveness. In the case of VAE and GCN, where bootstrapping is not required, the primary latency improvement arose from operating on ciphertexts at reduced multiplicative depth.
[0225] These results show that methods according to embodiments reduce latency across diverse machine learning tasks, independent of model complexity or circuit depth. For ResNet-20, which incurs bootstrapping after nearly every convolutional layer, bootstrapping overhead accounts for over 70% of total latency. Methods according to embodiments eliminate these expensive operations entirely, resulting in the most substantial improvement (11,37x). For logistic regression, while methods according to embodiments reduce HE computation time to 68.92 seconds, the iterative training process incurs the highest communication cost (0.399 GB), slightly limiting the overall speedup to 3.58x. Finally, for GCN, which has the shallowest circuit and operates under a lower encryption parameter (N = 214), bootstrapping is unnecessary. Despite this, methods according to embodiments still72KILPATRICK TOWNSEND 80329055 1achieve modest latency improvements (1.25x), highlighting their ability to accelerate even lightweight models.
[0226] Additional experiments were conducted to evaluate trade-offs associated with different encryption parameters N = 213, 214, 215, 216across the five benchmarks in terms of communication usage, HE computation latency, latency in the WAN setting, latency in the LAN setting, and each corresponding speedup. The results of these experiments are summarized in the table of FIG. 11. GCN was only evaluated using N = 213, 214, as GCN only requires at most N = 214and seven ciphertext levels.
[0227] For all benchmarks, using smaller N generally improved overall latency due to reduced per-operation costs. Specifically, GCN and VAE achieved the lowest HE computation latency at N = 213. For the remaining three benchmarks, the optimal latency occurred at N = 214, as their larger data sizes required more ciphertexts. When N is further reduced (e.g., to 213), the increase in the number of ciphertexts leads to a higher total number of HE operations, which offsets the gains from faster individual operations. As a result, the computation latency speedup begins to saturate.
[0228] However, the optimal choice for minimizing overall latency is not always aligned with the lowest HE computation latency. For instance, in logistic regression, the extensive communication overhead leads to high LAN and WAN, exceeding even the computation time, particularly in WAN environments when using N = 214. In such cases, selecting a larger N (which reduces the number of required bootstrapping invocations) results in lower total latency. This is especially beneficial for tasks with deep multiplication circuits, such as logistic regression. Notably, this also explains why logistic regression achieves the highest overall speedup using methods according to embodiments, since it requires many iterations of matrix multiplications, and therefore reducing the number of bootstrapping calls has a much greater impact on overall latency than in other benchmarks.
[0229] Additionally, an ablation study for r-slice data packing methods according to embodiments was performed across three benchmarks, GCN, VAE, and Logistic Regression, which each involve intensive HE matrix multiplications. The result of the ablation study is summarized in the table of FIG. 12, which reports 73KILPATRICK TOWNSEND 80329055 1both the number of HE operations and the total latency. The conventional BSGS approach for HE matrix multiplications from Orion
[0021] was used as a baseline.
[0230] The results show that r-slice data packing methods according to embodiments result in substantial latency improvements: 2.62x for VAE, 114.46x for GCN, and 4.65x for Logistic Regression. Notably, GCN benefitted the most due to its large input feature dimension (3703), which is reduced to 32 after a weight matrix multiplication (compared to 144^2 in Logistic Regression and 512^256 in VAE). Since methods according to embodiments avoid generating redundant ciphertexts and performing unnecessary homomorphic operations, benchmarks with larger input dimensions and smaller output dimensions show greater latency improvements from r-slice data packing methods according to embodiments.
[0231] Further, various micro-benchmarking experiments were performed to evaluate r-slice data packing methods according to embodiments, as summarized in the table of FIG. 13. The table of FIG. 13 evaluates the performance of r-slice data packing methods according to embodiments on two types of matrix multiplications: XW, representing feature extraction, and X'W', representing feature transformation. The table of FIG. 13 reports computation latency and speedup factors for r-slice data packing methods according to embodiments and with various state of the art packing methods, including Orion
[0021] , DiagABT
[0052] , and Fhelipe
[0045] ,
[0232] For the feature extraction case ( W), r-slice packing methods according to embodiments consistently outperform the three baselines. As an example, under the configuration (a,b,r) = (128, 128,4), computation time was reduced from 0.054 seconds (Orion) to 0.013 seconds (r-slice), achieving a 3.93* speedup. As matrix dimensions increased, the performance gains became more pronounced. In the configuration (2048, 768, 16), computation time is reduced from 13.133 seconds (Orion) to 0.311 seconds (r-slice), yielding a 42.2* speedup. These performance gains are due in part to the output-aware design of methods according to embodiments, which reduce rotation usage and minimize wasted slots, thereby improving ciphertext utilization and achieving higher throughput in encrypted matrix multiplications, leading to latency improvements.
[0233] Similarly, for the feature transformation case (X'W'), r-slice data packing methods according to embodiments again outperform the three baselines.74KILPATRICK TOWNSEND 80329055 1In the (128, 128, 4) configuration, latency was reduced from 0.048 seconds (Orion) to 0.015 seconds (r-slice), a 3.29* speedup. In the (2048, 768, 16) configuration, latency was reduced from 12.813 seconds (Orion) to 1.390 seconds (r-slice), a 9.22* speedup. Although DiagABT and Fhelipe also provided speedup, they fail to effectively reuse empty ciphertext slots to reduce redundant ciphertexts and require extensive rotations when mapping small inputs to large outputs, resulting in limited overall gains.
[0234] Methods according to embodiments can further benefit from techniques such as lazy relinearization
[0053] , enabling even greater speed improvements when combined with r-slice data packing methods according to embodiments. Overall, methods according to embodiments achieve consistent performance gains for various matrix multiplication operations, with especially high-speed improvements for large-scale inputs. These results demonstrate the scalability and efficiency of r-slice data packing methods according to embodiments, demonstrating their suitability for HE-based computationally intensive machine learning workflows.
[0235] In addition to the experiments described above, further experiments were performed to evaluate the applicability of methods according to embodiments to FHE-based fine-tuning, e.g., using FHE-LoRA models according to embodiments, as described above. To avoid modifying the backbone model, LoRA was adapted for use with HE, such that the forward pass computation was defined as Y = (Xo+where each Xtis an encrypted embedding from a selected encoder layer (from the backbone model), and At, Btare LoRA parameters. The result is added to the output Xofrom the final encoder layer (of the backbone model) and multiplied with the classifier weight matrix W (also of the backbone model) to produce the prediction logits Y. The Nesterov Accelerated Gradient (NAG) optimization method was used to update the encrypted weights, following
[0052] , This design allows fine-tuning on more complex tasks (e.g., CIFAR-100) with lower latency and without modifying the backbone model. When the fine-tuned LoRA modules B and A are synchronized between two servers performing FHE-LoRA methods according to embodiments, after bootstrapping, private computations can continue to be performed without transmission of the encrypted ciphertext.75KILPATRICK TOWNSEND 80329055 1
[0236] Several recent works have explored private finetuning with LoRA modules under different assumptions than those presented herein. For example,
[0068] requires approximation of the softmax function in the pre-trained backbone using a Gaussian kernel. Meanwhile,
[0023] offloads only the linear computations to the cloud under HE, while keeping LoRA module updates and non-linear function evaluations on the client side. In contrast, experimental implementations of embodiments performed both linear and non-linear fine-tuning computations entirely in the cloud, while keeping client data private throughout.
[0237] The table of FIG. 14 shows a performance evaluation of FHE-LoRA methods according to embodiments across four datasets: MNIST, CIFAR-10, EMNIST, and CIFAR-100. The evaluation metrics include the number of FHE-LoRA parameters, the number of epochs, accuracy, latency, and communication overhead.
[0238] For the MNIST dataset, when the number of FHE-LoRA parameters is zero, the model achieves 96.3% accuracy in the same number of epochs, with a low latency of 390.33 seconds but a higher communication overhead of 0.71 GB. When the number of FHE-LoRA parameters is 8, accuracy improves to 97.1% in just three epochs, while latency increases to 1957.08 seconds and communication overhead drops to 0.3 GB.
[0239] For the CIFAR-10 dataset, when the number of FHE-LoRA parameters is zero, the model achieves 95.6% accuracy in the same number of epochs, with latency of 243.81 seconds and 0.38 GB communication overhead. When the number of FHE-LoRA parameters is 8, methods according to embodiments improve the accuracy to 97.3% in five epochs, with 1877.22 seconds latency and 0.21 GB communication overhead.
[0240] For the EMNIST dataset, when the number of FHE-LoRA parameters is zero, the model achieves 85.1% accuracy in 15 epochs, taking 4044.06 seconds and using 0.86 GB communication overhead. When the number of FHE-LoRA parameters is 8, accuracy increases to 90.7% in seven epochs, but latency rises to 27,572.75 seconds with the same communication costs.
[0241] For the CIFAR-100 dataset, when the number of FHE-LoRA parameters is zero, the model achieves 86.4% accuracy over 20 epochs, with latency of 1882.95 seconds and 0.86 GB communication overhead. When the 76KILPATRICK TOWNSEND 80329055 1number of FHE-LoRA parameters is 8, accuracy improves to 91.5% in 10 epochs, with reduced latency (1,375.1 seconds) and communication (0.43 GB).
[0242] As shown by the table, increasing the number of FHE-LoRA modules according to embodiments improves model accuracy, especially for complex datasets like EMNIST and CIFAR-100. Additionally, the required number of epochs for convergence also reduces, leading to less communications. Although overall latencies increased, methods according to embodiments offer advantages in terms of flexibility and efficiency, allowing users to balance accuracy, latency, and communication overhead by adjusting the number of FHE-LoRA modules.
[0243] Further experiments were performed comparing FHE-LoRA modules according to embodiments with the state of the art HETAL
[0052] method. HETAL
[0052] is a privacy-preserving framework for transfer learning that leverages CKKS to securely train models on encrypted client data. It achieves high efficiency through optimized encrypted matrix multiplication and an accurate softmax approximation, reducing computational overhead. However, it does not reduce computational overhead from bootstrapping. In these experiments, the FHE-LoRA parameter was set to zero, which is equivalent to “final layer only” fine-tuning, similar to the fine-tuning used in HETAL. The results of these experiments are summarized in the table of FIG. 15.
[0244] As shown in FIG. 15, HETAL achieves an accuracy of 96.7% over 7 epochs with a latency of 3442.29 seconds on the MNIST dataset and achieves an accuracy of 96.5% over 9 epochs with a latency of 3114.30 seconds on the CIFAR-10 dataset. FHE-LoRA methods according to embodiments achieve similar accuracy, but additionally provide latency improvements, performing fine-tuning 8.83x faster on the MNIST dataset and 12.71 x faster on the CIFAR-10 dataset with a small amount of communication cost. Further, r-slice data packing methods according to embodiments better handle dimensional changes of intermediate data during fine-tuning than the DiagABT method used in HETAL (see e.g., FIG. 13 and the description thereof further above, which show the superior performance of r-slice data packing methods according to embodiment over DiagABT), and thus methods according to embodiments also improve the latency resulting from HE matrix multiplications performed during fine-tuning.77KILPATRICK TOWNSEND 80329055 1IV. CONCLUSION
[0245] In conclusion, embodiments of the present disclosure combine leveled homomorphic encryption (e.g., via CKKS
[0012] , BGV [6], or BFV
[0022] ) with multiparty computation to enable efficient, secure private computation, private machine learning inference and fine-tuning. Novel bootstrapping methods according to embodiments, output-aware r-slice data packing methods, and automated encryption parameter selection methods greatly reduce the latency and communication overhead of private computations performed using homomorphic encryption. As described above, experiments performed on models such as GCNs, ResNet, VAEs, Logistic Regression, and LoRA-based fine-tuning evaluated on GPU platforms demonstrate up to up to 173.49x, 130.84x, and 12.77x speedups over Nexus (NDSS’25), BOLT (S& P’24), and HETAL (ICML’23) evaluated under GPU platforms, respectively.V. COMPUTER SYSTEM
[0246] FIG. 16 shows an example computer system 1600 according to some embodiments. For example, computer system 1600 could comprise a first computer system or a second computer system (e.g., depicted in FIG. 3) that can perform methods according to embodiments. Computer system 1600 can comprise any variety of computing devices, e.g., a server computer, a desktop or laptop computer, a tablet, a mobile phone, a smartwatch, etc. Computer systems mentioned herein may utilize any suitable number of subsystems. Examples of such subsystems are shown in computer system 1600. In some embodiments, a computer system includes a single computer apparatus and the subsystems can be the components of the computer apparatus. In other embodiments, a computer system can include multiple computer apparatuses with internal components, each being a subsystem of the computer system.
[0247] The subsystems shown in computer system 1600 can be connected via a system bus 1620. Additional subsystems such as a printer 1618, keyboard 1614, computer readable medium 1622 (including system memory, storage devices, etc.), data collection device 1616 (e.g., a camera, microphone, accelerometer, GPS unit, fingerprint scanner, etc.), monitor 1610 (e.g., a display screen, such as an LED display), which is coupled to display adaptor 1608, and others, are shown.Peripherals and input / output (I / O) devices, which couple to I / O controller 1606, can 78KILPATRICK TOWNSEND 80329055 1be connected to computer system 1600 by any number of means known in the art such as an input / output port 1612 (e.g., USB, FireWire®). Likewise, I / O port 1612 or an external interface 1604 (e.g., Ethernet, Wi-Fi, Near Field Communication, Bluetooth, ZigBee interfaces, etc.) can be used to connect computer system 1600 to various networks, devices, and computer systems, such as a wide area network such as the Internet, a mouse input device, a scanner, an access device (e.g., a point-of-sale terminal), a resource provider computer, etc. A trusted execution environment 1634 can be used by computer system 1600 to securely perform the various homomorphic operations described herein, as well as store a secret key share 1636.
[0248] Computer system 1600 can include a plurality of the same components or subsystems, e.g., connected together by external interface 1604, by an internal interface, or via removal storage devices that can be connected and removed from one component to another component. Additionally, computer system 1600 may lack (even temporarily) some of the components and subsystems depicted in FIG.16. As such, it should be understood that the various components and subsystems depicted in FIG. 16 are optional.
[0249] The interconnection via system bus 1620 allows the processor 1602 (which may comprise a “central processor”, “central processing unit”, “CPU”, graphical processing unit, GPU, or other like terms) to communicate with each subsystem to control the execution of instructions or code from computer readable medium 1622 (e.g., system memory, a fixed disk such as a hard drive, a solid state drive, an optical disk, etc.), as well as the exchange of information between subsystems. Various data and software modules can be stored on computer readable medium 1622, including a machine learning models 1624, homomorphic operation module 1626, bootstrapping module 1628, data packing module 1630, and parameter selection module 1632, which can be used by computer system 1600 to implement various methods described herein. It should be understood that the particular data and software modules depicted in FIG. 16 (and their configuration) are intended to represent only one possible implementation, selected for ease of explanation, and are not intended to be limiting. Various other configurations may become apparent upon reading this disclosure, e.g., implementing methods according to embodiments using a single monolithic software module (and any 79KILPATRICK TOWNSEND 80329055 1associated data, including machine learning model parameters) rather than using data and software modules depicted in FIG. 16. Further, it should be understood that various data and / or software modules that could be included in computer readable medium 1622 of computer system 1600 are omitted for brevity. As an example, FIG. 16 does not depict an operating system (i.e., system software that manages hardware and software resources, provides common services and task scheduling, etc.), even though many computer systems have operating systems.
[0250] In brief, machine learning models 1624 can comprise any variety of machine learning model that the computer system 1600 could privately evaluate for a client computer, including LoRA-based fine tuning models according to embodiments. Homomorphic operation module 1626 can comprise any code, instructions, or data enabling the computer system 1600 to execute homomorphic operations (e.g., ciphertext rotation operations and ciphertext-ciphertext multiplication operations) in accordance with any applicable homomorphic cryptosystem (e.g., CKKS). Bootstrapping module 1628 can comprise any code, instructions, or data enabling the computer system 1600 to perform efficient bootstrapping methods according to embodiments, including code enabling secure communication between the computer system 1600 and a second computer system, e.g., for the purpose of denoising ciphertexts. Data packing module 1630 can comprise any code, instructions, or data enabling the computer system 1600 to perform r-slice data packing methods according to embodiments, including code to perform reshaping or transformation of matrices (homomorphically or otherwise) to one-dimensional tensors, enabling the more efficient performance of private matrix multiplications. Parameter selection module 1632 can comprise code, instructions, or data, enabling the computer system 1600 to perform automated parameter selection methods according to embodiments, e.g., by determining optimal parameter sets based on estimated numbers of homomorphic operations and / or communication volumes.
[0251] In closing, it should be understood that any of the computer systems mentioned herein may utilize any suitable number of subsystems. In some embodiments, a computer system includes a single computer apparatus, where the subsystems can be components of the computer apparatus. In other embodiments,80KILPATRICK TOWNSEND 80329055 1a computer system can include multiple computer apparatuses, each being a subsystem, with internal components.
[0252] Further, it should be understood that a computer system can include a plurality of the components or subsystems, e.g., connected together by external interface or by an internal interface. In some embodiments, computer systems, subsystems, or apparatuses can communicate over a network. In such instances, one computer can be considered a client and another computer a server, where each can be part of a same computer system. A client and a server can each include multiple systems, subsystems, or components.
[0253] It should be understood that any of the embodiments of the present invention can be implemented in the form of control logic using hardware (e.g., an application specific integrated circuit or field programmable gate array) and / or using computer software with a generally programmable processor in a modular or integrated manner, and thus a processor can include memory storing software instructions that configure hardware circuitry, as well as an FPGA with configuration instructions or an ASIC. As used herein a processor can include a single-core processor, multi-core processor on a same integrated chip, or multiple processing units on a single circuit board or networked. The computations can be performed in parallel by the different processing units and / or different processing threads of a single processing unit. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will know and appreciate other ways and / or methods to implement embodiments of the present invention using hardware and a combination of hardware and software.
[0254] Any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C, C++, C#, Objective-C, Swift, or scripting language such as Perl or Python using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions or commands on a computer readable medium for storage and / or transmission, suitable media include random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a compact disk (CD) or DVD (digital versatile disk) or Blu-ray81KILPATRICK TOWNSEND 80329055 1disk, flash memory, and the like. The computer readable medium may be any combination of such storage or transmission devices. In addition, the order of operations may be re-arranged. A process can be terminated when its operations are complete but could have additional steps not included in a figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination may correspond to a return of the function to the calling function of the main function.
[0255] Such programs may also be encoded and transmitted using carrier signals adapted for transmission via wired, optical, and / or wireless networks (including the Internet) conforming to a variety of protocols. As such, a computer readable medium may be created using a data signal encoded with such programs. Computer readable media encoded with the program code may be packaged with a compatible device (e.g., as firmware) or provided separately from other devices (e.g., via Internet download). Any such computer readable medium may reside on or within a single computer product (e.g. a hard drive, a CD, or an entire computer system) and may be present on or within different computer products within a system or network. A computer system may include a monitor, printer or other suitable display for providing any of the results mentioned herein to a user.
[0256] Any of the methods described herein may be totally or partially performed with a computer system including one or more processors, which can be configured to perform the steps. Thus, embodiments can involve computer systems configured to perform the steps of any of the methods described herein, potentially with different components performing a respective step or a respective group of steps. Although presented as numbered steps, steps of methods herein can be performed at a same time or in a different order. Additionally, portions of these steps may be used with portions of other steps from other methods. Also, all or portions of a step may be optional. Additionally, any of the steps of any of the methods can be performed with modules, circuits, or other means for performing these steps.
[0257] Any operation performed with a processor may be performed in realtime. The term “real-time” may refer to computing operations or processes that are completed within a certain time constraint. As examples, a time constraint may be 30 seconds, 1 minute, 10 minutes, 30 minutes, 1 hour, 4 hours, 1 day, or 7 days.82KILPATRICK TOWNSEND 80329055 1
[0258] In some embodiments, computer systems, subsystems, or apparatuses can communicate over a network. In such instances, one computer can be considered a client and another computer a server, where each can be part of a same computer system. A client and a server can each involve multiple systems, subsystems, or components. In various embodiments, methods may involve various numbers of clients and / or servers, including at least 10, 20, 50, 100, 200, 500, 1,000, or 10,000 devices. Methods can include various numbers of communication messages between devices, including at least 100, 200, 500, 1,000, 10,000, 50,000, 100,000, 500,000, or one million communication messages. Such communications can involve at least 1 KB, 1 MB, 10 MB, 100 MB, 1 GB, 10 GB, or 100 GB of data.
[0259] The specific details of particular embodiments may be combined in any suitable manner without departing from the spirit and scope of embodiments of the invention. However, other embodiments of the invention may be directed to specific embodiments relating to each individual aspect, or specific combinations of these individual aspects.
[0260] The above description of exemplary embodiments of the invention has been presented for the purpose of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form described, and many modifications and variations are possible in light of the teaching above. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications to thereby enable others skilled in the art to best utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated.
[0261] The above description is illustrative and is not restrictive. Many variations of the invention will become apparent to those skilled in the art upon review of the disclosure. The scope of the invention should, therefore, be determined not with reference to the above description, but instead should be determined with reference to the pending claims along with their full scope or equivalents.
[0262] One or more features from any embodiment may be combined with one or more features of any other embodiment without departing from the scope of the invention.83KILPATRICK TOWNSEND 80329055 1
[0263] A recitation of “a”, “an” or “the” is intended to mean “one or more” unless specifically indicated to the contrary. The use of “or” is intended to mean an “inclusive or,” and not an “exclusive or” unless specifically indicated to the contrary. Reference to a “first” component does not necessarily require that a second component be provided. Moreover, reference to a “first” or “second” component does not limit the referenced component to a particular location unless explicitly stated. The term “based on” is intended to mean “based at least in part on.”
[0264] The claims may be drafted to exclude any elements which may be optional. As such, this statement is intended to serve as antecedent basis for use of such exclusive terminology as “solely”, “only”, and the like in connection with the recitation of claim elements, or the use of a “negative” limitation.
[0265] All patents, patent applications, publications and descriptions mentioned herein are incorporated by reference in their entirety for all purposes. None is admitted as prior art. Wherein a conflict exists between the instant application and a reference provided herein, the instant application shall dominate.84KILPATRICK TOWNSEND 80329055 1REFERENCES[1] Openai platform, https: / / platform.openai.com[2] Ehud Aharoni, Moran Baruch, Pradip Bose, Alper Buyuktosunoglu, Nir Drucker, Subhankar Pal, Tomer Pelleg, Kanthi Sarpatwar, Hayim Shaul, Omri Soceanu, et al. He-pex: Efficient machine learning under homomorphic encryption using pruning, permutation and expansion. arXiv preprint arXiv:2207.03384, 2022.[3] Amazon Web Services. Amazon sagemaker: Build train, and deploy machine learning models, https: / / aws.amazon.com / sagemaker / , 2023.Accessed: 2025-01-21[4] E Bisong. Google cloud platform for machine learning. Pages 59-64, 2019.[5] Jean-Phillipe Bossaut, Rosario Cammarota, llaria Chillotti, Benjamin R Curtis, Wei Dai, Huijing Gong, Erin Hales, Duhyeong Kim, Bryan Kumara, Changmin Lee, et al. Security guidelines for implementing homomorphic encryption. Cryptology ePrint Archive, 2024.[6] Zvika Brakerski and Vinod Vaikuntanathan. Leveled fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT), 6(3): 1-36, 2014.[7] Tom B Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared Kaplan,Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. Language models are few-shot learners. Advances in Neural Information Processing Systems, 33:1877-1901, 2020.[8] Alon Brutzkus, Ran Gilad-Bachrach, and Oren Elisha. Low latency privacy preserving inference. In International Conference on Machine Learning, pages 812-821. PMLR, 2019.[9] Melissa Chase, Hao Chen, Jintai Ding, Shafi Goldwasser, Sergey Gorbunov, Jeffrey Hoffstein, Kristin Lauter, Satya Lokam, Dustin Moody, Travis Morrison, et al. Security of homomorphic encryption.HomomorphicEncryption.org, Redmond WA, Tech. Rep, 2017.85KILPATRICK TOWNSEND 80329055 1
[0010] Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim, and Yongsoo Song. Bootstrapping for approximate homomorphic encryption. Advances in Cryptology-EUROCRYPT 2018, 10820:360-384, 2018.
[0011] Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim, and Yongsoo Song. A full rns variant of approximate homomorphic encryption. In International Conference on Selected Areas in Cryptography, pages 347- 368. Springer, 2018.
[0012] Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song.Homomorphic encryption for arithmetic of approximate numbers. Advances in Cryptology-ASIACRYPT 2017, 10624:409-437, 2017.
[0013] llaria Chillotti, Nathalie Gama, Mariya Georgieva, and Malika Izabachene.Tfhe: fast fully homomorphic encryption over the torus. Journal of Cryptology, 33(1 ):34-91, 2020.
[0014] lllaria Chillotti, Nicholas Gama, Mariya Georieva, and Malika Izabachene.Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds. In international conference on the theory and application of cryptology and information security, pages 3-33. Springer, 2016.
[0015] Edward Chou, Josh Beal, Daniel Levy, Serena Yeung, Albert Haque, and Li Fei-Fei. Faster cryptonets: Leveraging sparsity for real-world encrypted inference. arXiv preprint arXiv:1811.09953, 2018.
[0016] Gregory Cohen, Saeed Afshar, Jonathan Tapson, and Andre Van Schaik.Emnist: Extending mnist to handwritten letters. arXiv preprintarXiv: 1702.05373, 2017.
[0017] Anders Dalskov, Daniel Escudero, and Mercel Keller. Fantastic four:{Honest-Majority}{Four-Party} secure computation with malicious security. In 30th USENIX Security Symposium (USENIX Security 21), pages 2183-2200, 2021.
[0018] Rahul Dathathri, George Malone, Benjamin Naveh, Assaf Schuster, Oscar Silva, Michael B Taylor, et al. Chet: An optimizing compiler for fully homomorphic neural-networks. Proceedings of the IEEE International86KILPATRICK TOWNSEND 80329055 1Symposium on High Performance Computer Architecture, pages 370-382, 2019.
[0019] DESILO. Liberate. FHE: A New FHE Library for Bridging the Gap between Theory and Practice with a Focus on Performance and Accuracy, 2023. https: / / github.com / Desilo / liberate-fhe.
[0020] Alexey Dosovitskiy, Lucas Beyer, Alexander Kolesnikov, Dirk Weissenborn,Xiaohua Zhai, Thomas Unterthiner, Mostafa Dehghani, Matthias Minderer, Georg Heigold, Sylvain Geliy, Jakob Uszkoreit, and Neil Houlsby. An image is worth 16x16 words: Transformers for image recognition at scale.International Conference on Learning Representations (ICLR), 2021.
[0021] Austin Ebel, Karthik Garimella, and Brandon Reagen. Orion: A fully homomorphic encryption framework for deep learning. In Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, pages 734- 749, 2025.
[0022] Junfeng Fan and Frederik Vercauteren. Somewhat practical fully homomorphic encryption. IACR Cryptology ePrint Archive, 2012:144, 2012.
[0023] Jordan Frery, Roman Bredehoft, Jakub Klemsa, Arthur Meyre, and Andrei Stoian. Private lora fine-tuning of open-source Urns with homomorphic encryption. arXiv preprint arXiv2505.07329, 2025.
[0024] Davir Froelicher, Hyunghoon Cho, Manaswitha Edupalli, Joao Sa Sousa,Jean-Philippe Boussuat, Apostolos Pyrgelis, Juan R. Troncoso-Pastoriza, Bonnie Berger, and Jean-Pierre Hubaux. Scalable and Privacy Preserving Federated Principal Component Analysis. In 2023 IEEE Symposium on Security and Privacy (SP), pages 1908-1925, May 2023.
[0025] Craig Gentry. Fully homomorphic encryption using ideal lattices.Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC), pages 169-178, 2009.
[0026] Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. Cryptonets: Applying neural networks to87KILPATRICK TOWNSEND 80329055 1encrypted data with high throughput and accuracy. In International conference on machine learning, pages 201-210. PMLR, 2016.
[0027] Gavin Gong. Tiny VAE on MNIST with network architecture search.https: / / github.com / visualDust / single-file-vae-example, 2023.
[0028] Shai Halevi, Yuriy Polyakov, and Victor Shoup. An improved ms variant of the bfv homomorphic encryption scheme. In Cryptographers’ Track at the RSA Conference, pages 83-105. Springer, 2019.
[0029] Shai Halevi and Victor Shoup, Algorithms in helib. In Annual Cryptology Conference, pages 554-571. Springer, 2014
[0030] Kyoohyung Han, Seungwan Hong, Jung Hee Cheon, and Daejun Park.Logistic regression on homomorphic encrypted data at scale. In Proceedings of the AAAI conference on artificial intelligence, volume 33, pages 9466-9471, 2019.
[0031] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 770-778, 2016.
[0032] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 770-778, 2016.
[0033] Edward J. Hu, Yelong Shen, Phillip Wallis, Zeyuan Allen-Zhu, Yuanzhi Li,Shean Wang, and Weizhu Chen. Lora: Low-rank adaptation of large language models. In Proceedings of the International Conference on Learning Representations (ICLR), 2022.
[0034] Zhicong Huang, Wen-jie Lu, Cheng Hong, and Jiansheng Ding. Cheetah:Lean and fast secure {Two-Party} deep neural network inference. In 31st USENIX Security Symposium (USENIX Security 22), pages 809-826, 2022.
[0035] Xiaoqian Jiang, Miran Kim, Kristin Lauter, and Yongsoo Song. Secure outsourced matrix computation and application to neural networks. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pages 1209-1222, 2018.88KILPATRICK TOWNSEND 80329055 1
[0036] N Jung and K Kim. Accelerating homomorphic encryption in machine learning via efficient batch encoding. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops, pages 123-130, 2021.
[0037] Chiraag Juvekar, Vinod Vaikuntanathan, and Anantha Chandrakasan.{GAZELLE}: A low latency framework for secure neural network inference. In 27th USENIX security symposium (USENIX security 18), pages 1651— 1669, 2018.
[0038] KDD Cup 1999 Organizers. Kdd cup 1999 data.http: / / kdd.ics.uci.edu / databases / kddcup99 / kddcup99.html, 1999.
[0039] Andrey Kim, Yongsoo Song, and Miran Lee. Secure logistic regression based on homomorphic encryption: Design and evaluation. IEEE Access, 6:46967-46977, 2018
[0040] Miran Kim, Xiaoqian Jiang, Kristin Lauter, Elkhan Ismayilzada, and Shayan Shams. Hear: Human action recognition via neural networks on homomorphically encrypted data. arXiv preprint arXiv:2104.09164, 2021.
[0041] Miran Kim, Xiaoqian Jiang, Kristin Lauter, Elkhan Ismayilzada, and Shayan Shams. Secure human action recognition by encrypted neural network inference. Nature communications, 13(1):4799, 2022.
[0042] Sangpyo Kim, Jongmin Kim, Michael Jaemin Kim, Wonkyung Jung, John Kim, Minsoo Rhu, and Jung Ho Ahn. Bts: An accelerator for bootstrappable fully homomorphic encryption. In Proceedings of the 49th annual international symposium on computer architecture, pages 711-725, 2022.
[0043] Thomas N Kipf and Max Welling. Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907, 2016
[0044] Nishat Koti, Mahak Pancholi, Arpita Patra, and Ajith Suresh. {SWIFT}:Super-fast and robust {Privacy-Preserving} machine learning. In 30th USENIX Security Symposium (USENIX Security 21), pages 2651-2668, 202189KILPATRICK TOWNSEND 80329055 1
[0045] Aleksandar Krastev, Nikola Samardzic, Simon Langowski, Srinivas Devadas, and Daniel Sanchez. A tensor compiler with automatic data packing for simple and efficient fully homomorphic encryption. Proceedings of the ACM on Programming Languages, 8(PLDI): 126-150, 2024
[0046] Alex Krizhevsky and Geoffrey Hinton. Learning multiple layers of features from tiny images. Technical report, University of Toronto, 2009.
[0047] Nishant Kumar, Mayank Rathee, Nishanth Chandran, Divya Gupta, Aseem Rastogi, and Rahul Sharma. Cryptflow: Secure tensorflow interface. In 2020 IEEE Symposium on Security and Privacy (SP), pages 336-353.IEEE, 2020.
[0048] Kim Laine. Simple encrypted arithmetic library (seal) manual, 2017.
[0049] Yann LeCun, Leon Bottou, Yoshua Bengio, and Patrick Haffner. Gradientbased learning applied to document recognition. Proceedings of the IEEE, 86(11 ):2278-2324, 1998.
[0050] Eunsang Lee, Joon-Woo Lee, Junghyun Lee, Young-Sik Kim, Yongjune Kim, Jong-Seon No, and Woosuk Choi. Low-complexity deep convolutional neural networks on fully homomorphic encryption using multiplexed parallel convolutions. In International Conference on Machine Learning, pages 12403-12422. PMLR, 2022.
[0051] Joon-Woo Lee, HyungChul Kang, Yongwoo Lee, Woosuk Choi, Jieun Eom,Maxim Deryabin, Eunsang Lee, Junghyun Lee, Donghoon Yoo, Young-Sik Kim, et al. Privacy-preserving machine learning with fully homomorphic encryption for deep neural network. iEEE Access, 10:30039-30054, 2022.
[0052] Seewoo Lee, Garam Lee, Jung Woo Kim, Junbum Shin, and Mun-Kyu Lee.Hetal: efficient privacy-preserving transfer learning with homomorphic encryption. In International Conference on Machine Learning, pages 19010- 19035. PMLR, 2023.
[0053] Yongwoo Lee, Joon-Woo Lee, Young-Sik Kim, Yongjune Kim, Jong-Seon No, and HyungChul Kang. High-precision bootstrapping for approximate homomorphic encryption by error variance minimization. In Annual90KILPATRICK TOWNSEND 80329055 1International Conference on the Theory and Applications of Cryptographic Techniques, pages 551-580. Springer, 2022.
[0054] Wentao Li, Miran Kim, Kai Zhang, Han Chen, Xiaoqian Jiang, and Arif Harmanci. Collagene enables privacy-aware federated and collaborative genomic data analysis. Genome Biology, 24(1):204, 2023.
[0055] Zhengyi Li, Kang Yang, Jin Tan, Wen-jie Lu, Haoqi Wu, Xiao Wang, Yu Yu,Derun Zhao, Yancheng Zheng, Minyi Guo et al. Nimbus: Secure and efficient two-party inference for transformers. Advances in Neural Information Processing Systems, 37:21572-21600, 2024.
[0056] Wen-jie Lu, Zhicong Huang, Zhen Gu, Jingyu Li, Jian Liu, Cheng Hong, Kui Ren, Tao Wei, and WenGuang Chen. Bumblebee: Secure two-party inference framework for large transformers. Cryptology ePrint Archive, 2023.
[0057] Stephen Merity, Caiming Xiong, James Bradbury, and Richard Socher.Pointer sentinel mixture models. arXiv preprint arXiv:1609.07843, 2016.
[0058] Pratyush Mishra, Ryan Lehmkuhl, Akshayaram Srinivasan, Wenting Zheng, and Raluca Ada Popa. Delphi: A cryptographic inference system for neural networks. In Proceedings of the 2020 Workshop on Privacy-Preserving Machine Learning In Practice, pages 27-30, 2020.
[0059] Payman Mohassel and Peter Rindal. Aby3: A mixed protocol framework for machine learning. In Proceedings of the 2018 ACM SIGSAC conference on computer and communication security, pages 35-52, 2018.
[0060] Payman Mohassel and Yupeng Zhang. Secureml: A system for scalable privacy-preserving machine learning. In 2017 IEEE symposium on security and privacy (SP), pages 19-38. IEEE, 2017.
[0061] Christian Mouchet, Juan Troncoso-Pastoriza, Jean-Philippe Bossaut, and Jean-Pierre Hubaux. Multiparty homomorphic encryption from ring-learning- with-errors. Proceedings on Privacy Enhancing Technologies, 2021 (4): 291-311, 2021.91KILPATRICK TOWNSEND 80329055 1
[0062] Qi Pang, Jinhao Zhu, Hellen Mollering, Wanting Zheng, and Thomas Schneider. Bolt: Privacy-preserving, accurate and efficient inference for transformers. In 2024 IEEE Symposium on Security and Privacy (SP), pages 4753-4771. IEEE, 2024.
[0063] Jaiyoung Park, Michael Jaemin Kim, Wonkyung Jung, and Jung Ho Ahn.AESPA: accuracy preserving low-degree polynomial activation for fast private inference. CoRR, abs / 2201.05711, 2022.
[0064] Hongwu Peng, Ran Ran, Yukui Luo, et al. Ingcn: Structural linearized graph convolutional network for homomorphically encrypted inference. In Thirtyseventh Conference on Neural Information Processing Systems, 2023.
[0065] Ran Ran, Xinwei Luo, Wei Wang, Tao Liu, Gang Quan, Xiaolin Xu, Caiwen Ding, and Wujie Wen. SpENCNN: Orchestrating encoding and sparsity for fast homomorphically encrypted neural network inference. In Proceedings of the 40th International Conference on Machine Learning, volume 202, pages 28718-28728. PMLR, 2023.
[0066] Ran Ran, Wei Wang, Quan Gang, Jieming Yin, Nuo Xu, and Wujie Wen.Cryptogcn: Fast and scalable homomorphically encrypted graph convolutional network inference. Advances in Neural Information Processing Systems, 35:37676-37689, 2022.
[0067] Ran Ran, Nuo Xu, Tao Liu, Wei Wang, Gang Quan, and Wujie Wen.Penguin: Parallel-packed homomorphic encryption for fast graph convolutional network inference. Advances in Neural Information Processing Systems, 36:19104-19116, 2023.
[0068] Donghwan Rho, Taeseong Kim, Minje Park, Jung Woo Kim, Hyunsik Chae,Ernest K Ryu, and Jung Hee Cheon. Encryption-friendly llm architecture. arXiv preprint arXiv:2410.02486, 2024.
[0069] Nikola Samardzic, Axel Feldmann, Aleksandar Krastev, Srinivas Devadas,Ronald Dreslinski, Christopher Peikert, and Daniel Sanchez. F1: A fast and programmable accelerator for fully homomorphic encryption. In MICRO-54: 54th Annual IEEE / ACM International Symposium on Microarchitecture, MICRO ’21, page 238-252, 2021.92KILPATRICK TOWNSEND 80329055 1
[0070] Nikola Samardzic, Axel Feldmann, Aleksandar Krastev, Nathan Manohar, Nicholas Genise, Srinivas Devadas, Karim Eldefrawy, Chris Peikert, and Daniel Sanchez. Craterlake: a hardware accelerator for efficient unbounded computation on encrypted data. In ISCA, pages 173-187, 2022.
[0071] Sinem Sav, Apostolos Pyrgelis, Juan Ramon Troncoso-Pastoriza, David Froelicher, Jean-Philippe Bossuat, Joao Sa Sousa, and Jean-Pierre Hubaux. Poseidon: Privacy-preserving federated neural network learning. In Proceedings of the Network and Distributed Systems Security (NDSS) Symposium 2021.
[0072] Prithviraj Sen, Galileo Namata, Mustafa Bilgic, Lise Getoor, Brian Galligher, and Tina Eliassi-Rad. Collective classification in network data. Al magazine, 29(3): 93-93, 2008.
[0073] Amir Shahroudy, Jun Liu, Tian-Tson Ng, and Gang Wang. Ntu rgb+d: A large scale dataset for 3d human activity analysis. In Proceedings of the IEEE conference on computer vision and pattern recognition (CVPR), pages 1010-1019, 2016.
[0074] Nigel P Smart and Frederik Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In International Workshop on Public Key Cryptography, pages 420-443. Springer, 2010.
[0075] Nigel P Smart and Frederik Vercauteren. Fully homomorphic simd operations. Designs, codes and cryptography, 71:57-81, 2014.
[0076] Hugo Touvron, Louis Marin, Timothy Stone, Peter Albert, Amjad Almahairi,Yasmine Babaei, Nikolay Bashlykov, Shyamal Batra, Akshit Bhargava, Shruti Bhosale, et al. Llama 2: Open foundation and fine-tuned chat models. arXiv preprint arXiv:2307.09288, 2023.
[0077] U. S. Congress. Health Insurance Portability and Accountability Act of 1996.https: / / www.hhs.gov / hipaa / index.html, 1996. Public Law 104-191, 104th Congress.93KILPATRICK TOWNSEND 80329055 1
[0078] Paul Voigt and Axel Von dem Bussche. The eu general data protection regulation (gdpr). A Practical Guide, 1st Ed., Cham: Springer International Publishing, 10(3152676): 10-5555, 2017.
[0079] Wenhao Wang, Yichen Jiang, Qintao Shen, Weihao Huang, Hao Chen, Shuang Wang, XiaoFeng Wang, Haixu Tang, Kai Chen, Kristin Lauter, et al. Toward scalable fully homomorphic encryption through light trusted computing assistance. arXiv preprint arXiv:1905.07766, 2019.
[0080] Tianshi Xu, Chenqi Lin, Runsheng Wang, and Meng Li. Breaking the layer barrier: Remodeling private transformer inference with hybrid ckks and mpc. In 34th USENIX Security Symposium (USENIX Security 25), 2025
[0081] Sijie Yan, Yuanjun Xiong, and Dahua Lin. Spatial temporal graph convolutional networks for skeleton-based action recognition. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 32, 2018.
[0082] Jiawen Zhang, Xinpeng Yang, Lipeng He, Kejia Chen, Wen-jie Lu, Yinghao Wang, Xiaoyang Hou, Jian Liu, Kui Ren, and Xiaohu Yang, Secure transformer inference made non-interactive. Cryptology ePrint Archive, 2024.
[0083] Ruiyu Zhu, Changchang Ding, and Yan Huang. Practical mpc+ fhe with applications in secure multi-party neural network evaluation. Cryptology ePrint Archive, 2020.
[0084] Song Bian, Weiwen Jiang, Qing Lu, Yiyu Shi, and Takashi Sato. Nass:Optimizing secure inference via neural architecture search. In ECAI 2020, pages 1746-1753. IOS Press, 2020.
[0085] Yifei Cai, Qiao Zhang, Rui Ning, Chunsheng Xin, and Hongyi Wu. Hunter:He-friendly structured pruning for efficient privacy-preserving deep learning. In Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, pages 931-945, 2022.
[0086] Ilaria Chillotti, Nabil Gama, Mariya Georgieva, and Damien Izabachene.Faster bootstrapping with better moduli selection. International Conference94KILPATRICK TOWNSEND 80329055 1on the Theory and Application of Cryptology and Information Security (ASIACRYPT), 12491:667-699, 2020.
[0087] Roshan Dathathri, Olli Saarikivi, Hao Chen, Kim Laine, Kristin Lauter, Saeed Maleki, Madanlal Musuvathi, and Todd Mytkowicz. Chet: an optimizing compiler for fully-homomorphic neural-network inferencing. In Proceedings of the 40th ACM SIG PLAN conference on programming language design and implementation, pages 142-156, 2019.
[0088] Ian Goodfellow, Yoshua Bengio, and Aaron Courville. Deep learning. MIT press, 2016.
[0089] Shai Halevi, Yuriy Polyakov, and Victor Shoup. Bootstrapping for the bfv homomorphic encryption scheme. Cryptographers’ Track at the RSA Conference, pages 17-37, 2018.
[0090] Shai Halevi and Victor Shoup. Algorithms for homomorphic evaluation.Advances in Cryptology-EUROCRYPT 2011, 6632:347-365, 2011.
[0091] Meng Hao, Hongwei Li, Hanxiao Chen, Pengzhi Xing, Guowen Xu, and Tianwei Zhang. Iron: Private inference on transformers. Advances in neural information processing systems, 35:15718-15731, 2022.
[0092] Forrest N Iandola, Song Han, Matthew W Moskewicz, Khalid Ashraf, William J Dally, and Kurt Keutzer. Squeezenet: Alexnet-level accuracy with 50x fewer parameters and 0.5 mb model size. 2016.
[0093] Wonkyung Jung, Sangpyo Kim, Jung Ho Ahn, Jung Hee Cheon, and Younho Lee. Over 100x faster bootstrapping in fully homomorphic encryption through memory-centric optimization with gpus. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 114-148, 2021.
[0094] Andrey Kim, Jung Hee Kim, and Yongsoo Song. Improved precision for ckks bootstrapping. Designs, Codes and Cryptography, 88(2):376- 391, 2020.
[0095] Mengyuan Li, Luca Wilke, Jan Wichelmann, Thomas Eisenbarth, Radu Teodorescu, and Yinqian Zhang. A systematic look at ciphertext side95KILPATRICK TOWNSEND 80329055 1channels on amd sev-snp. In 2022 IEEE Symposium on Security and Privacy (SP), pages 337-351. IEEE, 2022.
[0096] Mengyuan Li, Yinqian Zhang, Huibo Wang, Kang Li, and Yueqiang Cheng.{CIPHERLEAKS}: Breaking constant-time cryptography on {AMD}{SEV} via the ciphertext side channel. In 30th USENIX Security Symposium (USENIX Security 21), pages 717-732, 2021.
[0097] Qian Lou, Song Bian, and Lei Jiang. Autoprivacy: Automated layer-wise parameter selection for secure neural network inference. Advances in Neural Information Processing Systems, 33:8638-8647, 2020.
[0098] Qian Lou and Lei Jiang. Hemet: A homomorphic-encryption-friendly privacypreserving mobile neural network architecture. In International conference on machine learning, pages 7102-7110. PMLR, 2021.
[0099] Christian Szegedy, Sergey Ioffe, Vincent Vanhoucke, and Alexander Alemi.Inception-v4, inception-resnet and the impact of residual connections on learning. In Proceedings of the AAAI conference on artificial Intelligence, volume 31, 2017.
[0100] Huizi Xiao, Qingyang Zhang, Qingqi Pei, and Weisong Shi. Privacypreserving neural network inference framework via homomorphic encryption and sgx. In 2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), pages 751-761. IEEE, 2021.96KILPATRICK TOWNSEND 80329055 1
Claims
1. WHAT IS CLAIMED IS:
1. A method comprising:receiving, by a first computer system, a first secret key share, wherein the first secret key share corresponds to a second secret key share, a secret key, and a public key;receiving, by the first computer system, from a client computer, a ciphertext input encrypted using the public key;performing, by the first computer system, a set of homomorphic operations corresponding to a private computing task on the ciphertext input until a ciphertext level corresponding to a ciphertext partial result corresponding to the ciphertext input is reduced to a threshold ciphertext level, thereby producing the ciphertext partial result;masking, by the first computer system, the ciphertext partial result, thereby producing a masked ciphertext partial result;partially decrypting, by the first computer system, the masked ciphertext partial result using the first secret key share, thereby producing a partially decrypted masked ciphertext partial result; andtransmitting, by the first computer system, the partially decrypted masked ciphertext partial result to a second computer system, wherein the second computer system:decrypts the partially decrypted masked ciphertext partial result using the second secret key share, thereby producing a masked plaintext partial result,encrypts the masked plaintext partial result using the public key, thereby reproducing the masked ciphertext partial result with the ciphertext level restored to a maximum ciphertext level, andcauses the private computing task to be completed using the masked ciphertext partial result by (A) causing the masked ciphertext partial result to be homomorphically unmasked, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level, and (B) causing one or more additional sets of homomorphic operations corresponding to the private computing task to be performed using (i) the ciphertext partial result or (ii) the ciphertext partial result and one or more 97KILPATRICK TOWNSEND 80329055 1additional ciphertext partial results produced by the one or more additional sets of homomorphic operations, thereby causing a ciphertext result to be produced and transmitted to a client computer, wherein the client computer decrypts the ciphertext result using the secret key thereby producing a plaintext result, and wherein the client computer performs further processing on the plaintext result.
2. The method of claim 1, wherein the one or more additional sets of homomorphic operations comprise a second set of homomorphic operations, wherein to cause the private computing task to be completed, the second computer system transmits the masked ciphertext partial result to the first computer system, and wherein the method further comprises:homomorphically unmasking, by the first computer system, the masked ciphertext partial result, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level;performing, by the first computer system, the second set of homomorphic operations on the ciphertext partial result, thereby producing the ciphertext result; andtransmitting, by the first computer system, the ciphertext result to the client computer.
3. The method of claim 1, wherein the one or more additional sets of homomorphic operations comprise a second set of homomorphic operations, wherein to cause the private computing task to be completed, the second computer system homomorphically unmasks the masked ciphertext partial result, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level and transmits the ciphertext partial result to the first computer system, and wherein the method further comprises:performing, by the first computer system, the second set of homomorphic operations on the ciphertext partial result, thereby producing the ciphertext result; andtransmitting, by the first computer system, the ciphertext result to the client computer.98KILPATRICK TOWNSEND 80329055 14. The method of claim 3, wherein masking the ciphertext partial result comprises homomorphically masking, by the first computer system, the ciphertext partial result using a random mask, and wherein the method further comprises:encrypting, by the first computer system, the random mask using the public key, thereby producing an encrypted random mask; andtransmitting, by the first computer system, to the second computer system, the encrypted random mask, wherein the second computer system homomorphically unmasks the masked ciphertext partial result using the encrypted random mask.
5. The method of claim 1, wherein the one or more additional sets of homomorphic operations comprise a second set of homomorphic operations, and wherein to cause the private computing task to be completed, the second computer system:homomorphically unmasks the masked ciphertext partial result, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level;performs the second set of homomorphic operations on the ciphertext partial result, thereby producing the ciphertext result; andtransmits the ciphertext result to the client computer.
6. The method of claim 1, wherein:the one or more additional sets of homomorphic operations comprise a second set of homomorphic operations and one or more subsequent sets of homomorphic operations;to cause the private computing task to be completed, the second computer system:homomorphically unmasks the masked ciphertext partial result, thereby reproducing the ciphertext partial result with the ciphertext level restored to the maximum ciphertext level,performs the second set of homomorphic operations on the ciphertext partial result until a second ciphertext level of a second ciphertext partial result corresponding to the ciphertext partial result is 99KILPATRICK TOWNSEND 80329055 1reduced to the threshold ciphertext level, thereby producing the second ciphertext partial result,masks the second ciphertext partial result, thereby producing a second masked ciphertext partial result,partially decrypts the second masked ciphertext partial result using the second secret key share, thereby generating a second partially decrypted masked ciphertext partial result, andtransmits the second partially decrypted masked ciphertext partial result to the first computer system; andthe method further comprises:decrypting, by the first computer system, the second partially decrypted masked ciphertext partial result using the first secret key share, thereby producing a second masked plaintext partial result,encrypting, by the first computer system, the second masked plaintext partial result using the public key, thereby reproducing the second masked ciphertext partial result with the second ciphertext level restored to the maximum ciphertext level,causing, by the first computer system, the private computing task to be completed using the second masked ciphertext partial result by (C) causing the second masked ciphertext partial result to be homomorphically unmasked, thereby reproducing the second ciphertext partial result with the second ciphertext level restored to the maximum ciphertext level, and (D) causing the one or more subsequent sets of homomorphic operations to be performed on (iii) the second ciphertext partial result or (iv) the second ciphertext partial result and one or more subsequent ciphertext partial results produced by the one or more subsequent sets of homomorphic operations, thereby causing the ciphertext result to be produced and transmitted to the client computer.
7. The method of claim 6, wherein:the one or more subsequent sets of homomorphic operations comprise a third set of homomorphic operations;(C) causing the second masked ciphertext partial result to be homomorphically unmasked comprises homomorphically unmasking, by the first computer system, the second masked ciphertext partial result;100KILPATRICK TOWNSEND 80329055 1(D) causing the one or more subsequent sets of homomorphic operations to be performed comprises performing, by the first computer system, the third set of homomorphic operations on the second ciphertext partial result, thereby producing the ciphertext result; andthe method further comprises transmitting, by the first computer system, the ciphertext result to the client computer.
8. The method of claim 1, wherein the ciphertext input comprises an encrypted set of machine learning model features, wherein the ciphertext result comprises an encrypted machine learning model output produced using a machine learning model, and wherein the private computing task comprises a private machine learning inference task.
9. The method of claim 1, wherein:the first computer system comprises a first trusted execution environment;the second computer system comprises a second trusted execution environment;the first computer system receives the first secret key share from the client computer via a first transport layer security (TLS) channel between the first trusted execution environment and the client computer, such that the first secret key share is stored in the first trusted execution environment;the second computer system receives the second secret key share from the client computer via a second transport layer security channel between the second trusted execution environment and the client computer, such that the second secret key share is stored in the second trusted execution environment;the first computer system masks the ciphertext partial result using the first trusted execution environment;the first computer system partially decrypts the masked ciphertext partial result using the first trusted execution environment; andThe first computer system transmits the partially decrypted masked ciphertext partial result to the second computer system via a third transport security layer channel between the first trusted execution environment and the second trusted execution environment, such that the second computer system receives the101KILPATRICK TOWNSEND 80329055 1partially decrypted masked ciphertext partial result in the second trusted execution environment.
10. The method of claim 1, wherein:the ciphertext input comprises a plurality of encrypted client model layer outputs corresponding to a plurality of layers of a client machine learning model and an encrypted final client model layer output corresponding to a final layer of the client machine learning model;the ciphertext result comprises an encrypted parameter set corresponding to a low-rank adaptation (LoRA) model comprising a plurality of low-rank adaptation modules;the set of homomorphic operations and the one or more additional sets of homomorphic operations include:a first plurality of homomorphic operations corresponding to a private evaluation of the plurality of encrypted client model layer outputs using the plurality of low-rank adaptation modules, the first plurality of homomorphic operations resulting in a plurality of encrypted low-rank adaptation outputs,one or more homomorphic operations corresponding to a private combination of the plurality of encrypted low-rank adaptation outputs and the encrypted final client model layer output, the one or more homomorphic operation resulting in an encrypted combination, and a second plurality of homomorphic operations corresponding to private training of the low-rank adaptation model based on the encrypted combination, the second plurality of homomorphic operations resulting in the ciphertext result;the plaintext result comprises a parameter set corresponding to the low-rank adaptation model; andthe client computer performing further processing comprises the client computer performing inference using the client machine learning model and the low-rank adaptation model.
11. The method of claim 1, wherein:102KILPATRICK TOWNSEND 80329055 1the ciphertext input comprises a plurality of encrypted client model layer outputs corresponding to a plurality of layers of a client machine learning model and an encrypted final client model layer output corresponding to a final layer of the client machine learning model;the ciphertext result comprises an encrypted classification produced using a low-rank adaptation (LoRA) model comprising a plurality of low-rank adaptation modules and a classification layer;the plaintext result comprises a classification; andthe set of homomorphic operations and the one or more additional sets of homomorphic operations include:a first plurality of homomorphic operations corresponding to a private evaluation of the plurality of encrypted client model layer outputs using the plurality of low-rank adaptation modules, the first plurality of homomorphic operations resulting in a plurality of encrypted low-rank adaptation outputs,one or more homomorphic operation corresponding to a private combination of the plurality of encrypted low-rank adaptation outputs and the encrypted final client model layer output, the one or more homomorphic operations resulting in an encrypted combination, and a second plurality of homomorphic operations corresponding to private evaluation of the encrypted combination using the classification layer, the second plurality of homomorphic operations resulting in the ciphertext result.
12. The method of claim 1, wherein:the first secret key share, the second secret key share, the secret key, the public key, the set of homomorphic operations, and the one or more additional sets of homomorphic operations correspond to a set of homomorphic encryption parameters;the set of homomorphic operations and the one or more additional sets of homomorphic operations include a plurality of ciphertext rotation operations and a plurality of ciphertext-ciphertext multiplication operations; andthe method further comprises determining, by the first computer system, the set of homomorphic encryption parameters from a plurality of candidate103KILPATRICK TOWNSEND 80329055 1sets of encryption parameters based on an estimated number of ciphertext rotation operations and / or an estimated number of ciphertext-ciphertext multiplication operations, wherein the set of homomorphic encryption parameters minimizes the estimated number of ciphertext rotation operations and / or the estimated number of ciphertext-ciphertext multiplication operations.
13. The method of claim 12, wherein the set of homomorphic encryption parameters includes a cyclotom ic polynomial degree and / or the maximum ciphertext level.
14. The method of claim 12, wherein the set of homomorphic encryption parameters are determined based on an estimated transmission volume between the first computer system and the second computer system in addition to the estimated number of ciphertext rotation operations and / or the estimated number of ciphertext-ciphertext multiplication operations, wherein the estimated transmission volume is less than a threshold transmission volume.
15. The method of claim 1, wherein:the ciphertext input comprises an encrypted matrix comprising one or more encrypted elements;a first dimension of the encrypted matrix is a batch dimension;a second dimension of the encrypted matrix is an embedding dimension;the one or more homomorphic operations correspond to a private matrix multiplication between the encrypted matrix and a matrix;a first dimension of the matrix is the embedding dimension;a second dimension of the matrix is a matrix rank; andthe method further comprises transforming, by the first computer system, the ciphertext input into an encrypted one-dimensional tensor comprising a plurality of sets of encrypted elements from the encrypted matrix, wherein the plurality of sets of encrypted elements are determined based on the batch dimension, the embedding dimension, and the matrix rank.104KILPATRICK TOWNSEND 80329055 116. The method of claim 15, wherein the matrix comprises a low-rank weight matrix corresponding to a low-rank adaptation module, and wherein the matrix rank is less than the embedding dimension.
17. The method of claim 1, wherein:the ciphertext partial result comprises an encrypted matrix comprising one or more encrypted elements;a first dimension of the encrypted matrix is a batch dimension;a second dimension of the encrypted matrix is an embedding dimension;the one or more additional sets of homomorphic operations correspond to a private matrix multiplication between the encrypted matrix and a matrix;a first dimension of the matrix is the embedding dimension; a second dimension of the matrix is a matrix rank; andthe method further comprises, transforming, by the first computer system, the ciphertext partial result into an encrypted one-dimensional tensor comprising a plurality of sets of encrypted elements from the encrypted matrix, wherein the plurality of sets of encrypted elements are determined based on the batch dimension, the embedding dimension, and the matrix rank.
18. The method of claim 1, wherein:the ciphertext input comprises an encrypted one-dimensional tensor generated based on a plaintext input matrix;a first dimension of the plaintext input matrix is a batch dimension; a second dimension of the plaintext input matrix is an embedding dimension;the one or more homomorphic operations correspond to a private matrix multiplication between the plaintext input matrix, represented by the encrypted one-dimensional tensor and a matrix;a first dimension of the matrix is the embedding dimension; a second dimension of the matrix is a matrix rank; andthe client computer generates the encrypted one-dimensional tensor based on the plaintext input matrix by:105KILPATRICK TOWNSEND 80329055 1determining a plurality of sets of elements from the plaintext input matrix based on the batch dimension, the embedding dimension, and the matrix rank,generating a one-dimensional tensor by concatenating the plurality of sets of elements, andencrypting the one-dimensional tensor, thereby generating the encrypted one-dimensional tensor.
19. A method comprising:receiving, by a second computer system, a second secret key share, wherein the second secret key share corresponds to a first secret key share, a secret key, and a public key;receiving, by the second computer system, from a first computer system, a partially decrypted masked ciphertext partial result, wherein the partially decrypted masked ciphertext partial result was produced by the first computer system during a private computing task in which one or more sets of homomorphic operations were performed, wherein a ciphertext level of the partially decrypted masked ciphertext partial result is equal to a threshold ciphertext level;decrypting, by the second computer system, the partially decrypted masked ciphertext partial result using the second secret key share, thereby producing a masked plaintext partial result;encrypting, by the second computer system, the masked plaintext partial result using the public key, thereby producing a masked ciphertext partial result with the ciphertext level restored to a maximum ciphertext level; and causing, by the second computer system, the private computing task to be completed using the masked ciphertext partial result by (A) causing the masked ciphertext partial result to be homomorphically unmasked, thereby producing a ciphertext partial result with the ciphertext level restored to the maximum ciphertext level, and (B) causing one or more additional sets of homomorphic operation to be performed using (i) the ciphertext partial result or (ii) the ciphertext partial result and one or more additional ciphertext partial results produced by the one or more additional sets of homomorphic operations, thereby causing a ciphertext result to be produced and transmitted to a client computer, wherein the client computer decrypts106KILPATRICK TOWNSEND 80329055 1the ciphertext result using the secret key thereby producing a plaintext result, and wherein the client computer performs further processing on the plaintext result.
20. A computer system comprising:a processor; anda non-transitory computer readable medium coupled to the processor, the non-transitory computer readable medium comprising instructions executable by the processor for performing the method of claim 1.107KILPATRICK TOWNSEND 80329055 1