Skip to content


  • Research Article
  • Open Access

Oblivious Neural Network Computing via Homomorphic Encryption

EURASIP Journal on Information Security20072007:037343

  • Received: 27 March 2007
  • Accepted: 1 June 2007
  • Published:


The problem of secure data processing by means of a neural network (NN) is addressed. Secure processing refers to the possibility that the NN owner does not get any knowledge about the processed data since they are provided to him in encrypted format. At the same time, the NN itself is protected, given that its owner may not be willing to disclose the knowledge embedded within it. The considered level of protection ensures that the data provided to the network and the network weights and activation functions are kept secret. Particular attention is given to prevent any disclosure of information that could bring a malevolent user to get access to the NN secrets by properly inputting fake data to any point of the proposed protocol. With respect to previous works in this field, the interaction between the user and the NN owner is kept to a minimum with no resort to multiparty computation protocols.


  • Neural Network
  • Data Processing
  • Activation Function
  • Data Security
  • Network Weight


Authors’ Affiliations

Department of Electronics and Telecommunications, University of Florence, Via S.Marta 3, Firenze, 50139, Italy
Department of Information Engineering, University of Siena, Via Roma 56, Siena, 53100, Italy


  1. Hornik K, Stinchcombe M, White H: Multilayer feedforward networks are universal approximators. Neural Networks 1989, 2(5):359-366. 10.1016/0893-6080(89)90020-8View ArticleGoogle Scholar
  2. Rivest RL, Adleman L, Dertouzos ML: On data banks and privacy homomorphisms. In Foundations of Secure Computation. Academic Press, New York, NY, USA; 1978:169-178.Google Scholar
  3. Pinkas B: Cryptographic techniques for privacy-preserving data mining. ACM SIGKDD Explorations Newsletter 2002, 4(2):12-19. ACM special interest group on knowledge discovery and data minin 10.1145/772862.772865View ArticleGoogle Scholar
  4. Goldreich O, Micali S, Wigderson A: How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC '87), May 1987, New York, NY, USA. ACM Press; 218-229.Google Scholar
  5. Chaum D, Crépeau C, Damgård I: Multiparty unconditionally secure protocols. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC '88), May 1988, Chicago, Ill, USA. ACM Press; 11-19.View ArticleGoogle Scholar
  6. Lindell Y, Pinkas B: Privacy preserving data mining. Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), August 2000, Santa Barbara, Calif, USA, Lecture Notes in Computer Science 1880: 36-54.MathSciNetGoogle Scholar
  7. Agrawal R, Srikant R: Privacy-preserving data mining. In Proceedings of the ACM SIGMOD International Conference on Management of Data, May 2000, Dallas, Tex, USA. ACM Press; 439-450.Google Scholar
  8. Chang Y-C, Lu C-J: Oblivious polynomial evaluation and oblivious neural learning. Theoretical Computer Science 2005, 341(1–3):39-54.MATHMathSciNetView ArticleGoogle Scholar
  9. Laur S, Lipmaa H, Mielikäihen T: Cryptographically private support vector machines. In Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '06), August 2006, Philadelphia, Pa, USA. ACM Press; 618-624.View ArticleGoogle Scholar
  10. Kantarcioglu M, Vaidya J: Privacy preserving naive bayes classifier for horizontally partitioned data. Proceedings of the Workshop on Privacy Preserving Data Mining, November 2003, Melbourne, Fla, USAGoogle Scholar
  11. Yang Z, Wright RN: Improved privacy-preserving Bayesian network parameter learning on vertically partitioned data. In Proceedings of the 21st International Conference on Data Engineering Workshops (ICDEW '05), April 2005, Tokyo, Japan. IEEE Computer Society; 1196.View ArticleGoogle Scholar
  12. Wright R, Yang Z: Privacy-preserving Bayesian network structure computation on distributed heterogeneous data. In Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '04), August 2004, Seattle, Wash, USA. ACM Press; 713-718.Google Scholar
  13. Jagannathan G, Wright RN: Privacy-preserving distributed k-means clustering over arbitrarily partitioned data. In Proceeding of the 11th ACM SIGKDD International Conference on Knowledge Discovery in Data Mining (KDD '05), August 2005, Chicago, Ill, USA. ACM Press; 593-599.View ArticleGoogle Scholar
  14. Yao AC: Protocols for secure computations. Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, November 1982, Chicago, Ill, USA 160-164.Google Scholar
  15. Yao A: How to generate and exchange secrets. Proceedings of the 27th Annual Symposium on Foundations of Computer Science (FOCS '86), October 1986, Toronto, Ontario, Canada 162-167.Google Scholar
  16. Paillier P: Public-key cryptosystems based on composite degree residuosity classes. In Proceedings of International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '99), May 1999, Prague, Czech Republic, Lecture Notes is Computer Science. Volume 1592. Springer; 223-238.Google Scholar
  17. Barni M, Orlandi C, Piva A: A privacy-preserving protocol for neural-network-based computation. In Proceedings of the 8th Multimedia and Security Workshop (MM & Sec '06), September 2006, Geneva, Switzerland. ACM Press; 146-151.Google Scholar
  18. Goldwasser S, Micali S: Probabilistic encryption. Journal of Computer and System Sciences 1984, 28(2):270-299. 10.1016/0022-0000(84)90070-9MATHMathSciNetView ArticleGoogle Scholar
  19. Damgård I, Jurik M: A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography (PKC '01), February 2001, Cheju Island, Korea 119-136.Google Scholar
  20. Catalano D: The bit security of Paillier's encryption scheme and a new, efficient, public key cryptosystem, Ph.D. thesis. Università di Catania, Catania, Italy; 2002.Google Scholar
  21. Goethals B, Laur S, Lipmaa H, Mielikäinen T: On private scalar product computation for privacy-preserving data mining. Proceedings of the 7th Annual International Conference in Information Security and Cryptology (ICISC '04), December 2004, Seoul, Korea 104-120.Google Scholar
  22. Cox IJ, Linnartz J-PMG: Public watermarks and resistance to tampering. Proceedings the 4th IEEE International Conference on Image Processing (ICIP '97), October 1997, Santa Barbara, Calif, USA 3: 3-6.View ArticleGoogle Scholar
  23. Kalker T, Linnartz J-PMG, van Dijk M: Watermark estimation through detector analysis. Proceedings of IEEE International Conference on Image Processing (ICIP '98), October 1998, Chicago, Ill, USA 1: 425-429.Google Scholar
  24. Dolev D, Dwork C, Naor M: Nonmalleable cryptography. SIAM Journal on Computing 2000, 30(2):391-437. 10.1137/S0097539795291562MATHMathSciNetView ArticleGoogle Scholar
  25. Mitchell TM: Machine Learning. McGraw-Hill, New York, NY, USA; 1997.MATHGoogle Scholar
  26. Fouque P-A, Stern J, Wackers J-G: CryptoComputing with rationals. Proceedings of the 6th International Conference on Financial-Cryptography (FC '02), March 2002, Southampton, Bermuda, Lecture Notes in Computer Science 2357: 136-146.View ArticleGoogle Scholar
  27. Gorman RP, Sejnowski TJ: Analysis of hidden units in a layered network trained to classify sonar targets. Neural Networks 1988, 1(1):75-89. 10.1016/0893-6080(88)90023-8View ArticleGoogle Scholar


© C. Orlandi et al. 2007

This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.