Skip to main content


Oblivious Neural Network Computing via Homomorphic Encryption

Article metrics

  • 2662 Accesses

  • 14 Citations


The problem of secure data processing by means of a neural network (NN) is addressed. Secure processing refers to the possibility that the NN owner does not get any knowledge about the processed data since they are provided to him in encrypted format. At the same time, the NN itself is protected, given that its owner may not be willing to disclose the knowledge embedded within it. The considered level of protection ensures that the data provided to the network and the network weights and activation functions are kept secret. Particular attention is given to prevent any disclosure of information that could bring a malevolent user to get access to the NN secrets by properly inputting fake data to any point of the proposed protocol. With respect to previous works in this field, the interaction between the user and the NN owner is kept to a minimum with no resort to multiparty computation protocols.



  1. 1.

    Hornik K, Stinchcombe M, White H: Multilayer feedforward networks are universal approximators. Neural Networks 1989, 2(5):359-366. 10.1016/0893-6080(89)90020-8

  2. 2.

    Rivest RL, Adleman L, Dertouzos ML: On data banks and privacy homomorphisms. In Foundations of Secure Computation. Academic Press, New York, NY, USA; 1978:169-178.

  3. 3.

    Pinkas B: Cryptographic techniques for privacy-preserving data mining. ACM SIGKDD Explorations Newsletter 2002, 4(2):12-19. ACM special interest group on knowledge discovery and data minin 10.1145/772862.772865

  4. 4.

    Goldreich O, Micali S, Wigderson A: How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC '87), May 1987, New York, NY, USA. ACM Press; 218-229.

  5. 5.

    Chaum D, Crépeau C, Damgård I: Multiparty unconditionally secure protocols. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC '88), May 1988, Chicago, Ill, USA. ACM Press; 11-19.

  6. 6.

    Lindell Y, Pinkas B: Privacy preserving data mining. Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), August 2000, Santa Barbara, Calif, USA, Lecture Notes in Computer Science 1880: 36-54.

  7. 7.

    Agrawal R, Srikant R: Privacy-preserving data mining. In Proceedings of the ACM SIGMOD International Conference on Management of Data, May 2000, Dallas, Tex, USA. ACM Press; 439-450.

  8. 8.

    Chang Y-C, Lu C-J: Oblivious polynomial evaluation and oblivious neural learning. Theoretical Computer Science 2005, 341(1–3):39-54.

  9. 9.

    Laur S, Lipmaa H, Mielikäihen T: Cryptographically private support vector machines. In Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '06), August 2006, Philadelphia, Pa, USA. ACM Press; 618-624.

  10. 10.

    Kantarcioglu M, Vaidya J: Privacy preserving naive bayes classifier for horizontally partitioned data. Proceedings of the Workshop on Privacy Preserving Data Mining, November 2003, Melbourne, Fla, USA

  11. 11.

    Yang Z, Wright RN: Improved privacy-preserving Bayesian network parameter learning on vertically partitioned data. In Proceedings of the 21st International Conference on Data Engineering Workshops (ICDEW '05), April 2005, Tokyo, Japan. IEEE Computer Society; 1196.

  12. 12.

    Wright R, Yang Z: Privacy-preserving Bayesian network structure computation on distributed heterogeneous data. In Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '04), August 2004, Seattle, Wash, USA. ACM Press; 713-718.

  13. 13.

    Jagannathan G, Wright RN: Privacy-preserving distributed k-means clustering over arbitrarily partitioned data. In Proceeding of the 11th ACM SIGKDD International Conference on Knowledge Discovery in Data Mining (KDD '05), August 2005, Chicago, Ill, USA. ACM Press; 593-599.

  14. 14.

    Yao AC: Protocols for secure computations. Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, November 1982, Chicago, Ill, USA 160-164.

  15. 15.

    Yao A: How to generate and exchange secrets. Proceedings of the 27th Annual Symposium on Foundations of Computer Science (FOCS '86), October 1986, Toronto, Ontario, Canada 162-167.

  16. 16.

    Paillier P: Public-key cryptosystems based on composite degree residuosity classes. In Proceedings of International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '99), May 1999, Prague, Czech Republic, Lecture Notes is Computer Science. Volume 1592. Springer; 223-238.

  17. 17.

    Barni M, Orlandi C, Piva A: A privacy-preserving protocol for neural-network-based computation. In Proceedings of the 8th Multimedia and Security Workshop (MM & Sec '06), September 2006, Geneva, Switzerland. ACM Press; 146-151.

  18. 18.

    Goldwasser S, Micali S: Probabilistic encryption. Journal of Computer and System Sciences 1984, 28(2):270-299. 10.1016/0022-0000(84)90070-9

  19. 19.

    Damgård I, Jurik M: A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography (PKC '01), February 2001, Cheju Island, Korea 119-136.

  20. 20.

    Catalano D: The bit security of Paillier's encryption scheme and a new, efficient, public key cryptosystem, Ph.D. thesis. Università di Catania, Catania, Italy; 2002.

  21. 21.

    Goethals B, Laur S, Lipmaa H, Mielikäinen T: On private scalar product computation for privacy-preserving data mining. Proceedings of the 7th Annual International Conference in Information Security and Cryptology (ICISC '04), December 2004, Seoul, Korea 104-120.

  22. 22.

    Cox IJ, Linnartz J-PMG: Public watermarks and resistance to tampering. Proceedings the 4th IEEE International Conference on Image Processing (ICIP '97), October 1997, Santa Barbara, Calif, USA 3: 3-6.

  23. 23.

    Kalker T, Linnartz J-PMG, van Dijk M: Watermark estimation through detector analysis. Proceedings of IEEE International Conference on Image Processing (ICIP '98), October 1998, Chicago, Ill, USA 1: 425-429.

  24. 24.

    Dolev D, Dwork C, Naor M: Nonmalleable cryptography. SIAM Journal on Computing 2000, 30(2):391-437. 10.1137/S0097539795291562

  25. 25.

    Mitchell TM: Machine Learning. McGraw-Hill, New York, NY, USA; 1997.

  26. 26.

    Fouque P-A, Stern J, Wackers J-G: CryptoComputing with rationals. Proceedings of the 6th International Conference on Financial-Cryptography (FC '02), March 2002, Southampton, Bermuda, Lecture Notes in Computer Science 2357: 136-146.

  27. 27.

    Gorman RP, Sejnowski TJ: Analysis of hidden units in a layered network trained to classify sonar targets. Neural Networks 1988, 1(1):75-89. 10.1016/0893-6080(88)90023-8

Download references

Author information

Correspondence to C Orlandi.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and Permissions

About this article

Cite this article

Orlandi, C., Piva, A. & Barni, M. Oblivious Neural Network Computing via Homomorphic Encryption. EURASIP J. on Info. Security 2007, 037343 (2007) doi:10.1155/2007/37343

Download citation


  • Neural Network
  • Data Processing
  • Activation Function
  • Data Security
  • Network Weight