Skip to main content

Oblivious Neural Network Computing via Homomorphic Encryption


The problem of secure data processing by means of a neural network (NN) is addressed. Secure processing refers to the possibility that the NN owner does not get any knowledge about the processed data since they are provided to him in encrypted format. At the same time, the NN itself is protected, given that its owner may not be willing to disclose the knowledge embedded within it. The considered level of protection ensures that the data provided to the network and the network weights and activation functions are kept secret. Particular attention is given to prevent any disclosure of information that could bring a malevolent user to get access to the NN secrets by properly inputting fake data to any point of the proposed protocol. With respect to previous works in this field, the interaction between the user and the NN owner is kept to a minimum with no resort to multiparty computation protocols.



  1. 1.

    Hornik K, Stinchcombe M, White H: Multilayer feedforward networks are universal approximators. Neural Networks 1989, 2(5):359-366. 10.1016/0893-6080(89)90020-8

    Article  Google Scholar 

  2. 2.

    Rivest RL, Adleman L, Dertouzos ML: On data banks and privacy homomorphisms. In Foundations of Secure Computation. Academic Press, New York, NY, USA; 1978:169-178.

    Google Scholar 

  3. 3.

    Pinkas B: Cryptographic techniques for privacy-preserving data mining. ACM SIGKDD Explorations Newsletter 2002, 4(2):12-19. ACM special interest group on knowledge discovery and data minin 10.1145/772862.772865

    Article  Google Scholar 

  4. 4.

    Goldreich O, Micali S, Wigderson A: How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC '87), May 1987, New York, NY, USA. ACM Press; 218-229.

    Google Scholar 

  5. 5.

    Chaum D, Crépeau C, Damgård I: Multiparty unconditionally secure protocols. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC '88), May 1988, Chicago, Ill, USA. ACM Press; 11-19.

    Chapter  Google Scholar 

  6. 6.

    Lindell Y, Pinkas B: Privacy preserving data mining. Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), August 2000, Santa Barbara, Calif, USA, Lecture Notes in Computer Science 1880: 36-54.

    MathSciNet  Google Scholar 

  7. 7.

    Agrawal R, Srikant R: Privacy-preserving data mining. In Proceedings of the ACM SIGMOD International Conference on Management of Data, May 2000, Dallas, Tex, USA. ACM Press; 439-450.

    Google Scholar 

  8. 8.

    Chang Y-C, Lu C-J: Oblivious polynomial evaluation and oblivious neural learning. Theoretical Computer Science 2005, 341(1–3):39-54.

    MATH  MathSciNet  Article  Google Scholar 

  9. 9.

    Laur S, Lipmaa H, Mielikäihen T: Cryptographically private support vector machines. In Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '06), August 2006, Philadelphia, Pa, USA. ACM Press; 618-624.

    Chapter  Google Scholar 

  10. 10.

    Kantarcioglu M, Vaidya J: Privacy preserving naive bayes classifier for horizontally partitioned data. Proceedings of the Workshop on Privacy Preserving Data Mining, November 2003, Melbourne, Fla, USA

    Google Scholar 

  11. 11.

    Yang Z, Wright RN: Improved privacy-preserving Bayesian network parameter learning on vertically partitioned data. In Proceedings of the 21st International Conference on Data Engineering Workshops (ICDEW '05), April 2005, Tokyo, Japan. IEEE Computer Society; 1196.

    Chapter  Google Scholar 

  12. 12.

    Wright R, Yang Z: Privacy-preserving Bayesian network structure computation on distributed heterogeneous data. In Proceedings of the 10th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '04), August 2004, Seattle, Wash, USA. ACM Press; 713-718.

    Google Scholar 

  13. 13.

    Jagannathan G, Wright RN: Privacy-preserving distributed k-means clustering over arbitrarily partitioned data. In Proceeding of the 11th ACM SIGKDD International Conference on Knowledge Discovery in Data Mining (KDD '05), August 2005, Chicago, Ill, USA. ACM Press; 593-599.

    Chapter  Google Scholar 

  14. 14.

    Yao AC: Protocols for secure computations. Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, November 1982, Chicago, Ill, USA 160-164.

    Google Scholar 

  15. 15.

    Yao A: How to generate and exchange secrets. Proceedings of the 27th Annual Symposium on Foundations of Computer Science (FOCS '86), October 1986, Toronto, Ontario, Canada 162-167.

    Google Scholar 

  16. 16.

    Paillier P: Public-key cryptosystems based on composite degree residuosity classes. In Proceedings of International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT '99), May 1999, Prague, Czech Republic, Lecture Notes is Computer Science. Volume 1592. Springer; 223-238.

    Google Scholar 

  17. 17.

    Barni M, Orlandi C, Piva A: A privacy-preserving protocol for neural-network-based computation. In Proceedings of the 8th Multimedia and Security Workshop (MM & Sec '06), September 2006, Geneva, Switzerland. ACM Press; 146-151.

    Google Scholar 

  18. 18.

    Goldwasser S, Micali S: Probabilistic encryption. Journal of Computer and System Sciences 1984, 28(2):270-299. 10.1016/0022-0000(84)90070-9

    MATH  MathSciNet  Article  Google Scholar 

  19. 19.

    Damgård I, Jurik M: A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography (PKC '01), February 2001, Cheju Island, Korea 119-136.

    Google Scholar 

  20. 20.

    Catalano D: The bit security of Paillier's encryption scheme and a new, efficient, public key cryptosystem, Ph.D. thesis. Università di Catania, Catania, Italy; 2002.

    Google Scholar 

  21. 21.

    Goethals B, Laur S, Lipmaa H, Mielikäinen T: On private scalar product computation for privacy-preserving data mining. Proceedings of the 7th Annual International Conference in Information Security and Cryptology (ICISC '04), December 2004, Seoul, Korea 104-120.

    Google Scholar 

  22. 22.

    Cox IJ, Linnartz J-PMG: Public watermarks and resistance to tampering. Proceedings the 4th IEEE International Conference on Image Processing (ICIP '97), October 1997, Santa Barbara, Calif, USA 3: 3-6.

    Article  Google Scholar 

  23. 23.

    Kalker T, Linnartz J-PMG, van Dijk M: Watermark estimation through detector analysis. Proceedings of IEEE International Conference on Image Processing (ICIP '98), October 1998, Chicago, Ill, USA 1: 425-429.

    Google Scholar 

  24. 24.

    Dolev D, Dwork C, Naor M: Nonmalleable cryptography. SIAM Journal on Computing 2000, 30(2):391-437. 10.1137/S0097539795291562

    MATH  MathSciNet  Article  Google Scholar 

  25. 25.

    Mitchell TM: Machine Learning. McGraw-Hill, New York, NY, USA; 1997.

    MATH  Google Scholar 

  26. 26.

    Fouque P-A, Stern J, Wackers J-G: CryptoComputing with rationals. Proceedings of the 6th International Conference on Financial-Cryptography (FC '02), March 2002, Southampton, Bermuda, Lecture Notes in Computer Science 2357: 136-146.

    Article  Google Scholar 

  27. 27.

    Gorman RP, Sejnowski TJ: Analysis of hidden units in a layered network trained to classify sonar targets. Neural Networks 1988, 1(1):75-89. 10.1016/0893-6080(88)90023-8

    Article  Google Scholar 

Download references

Author information



Corresponding author

Correspondence to C Orlandi.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and Permissions

About this article

Cite this article

Orlandi, C., Piva, A. & Barni, M. Oblivious Neural Network Computing via Homomorphic Encryption. EURASIP J. on Info. Security 2007, 037343 (2007).

Download citation


  • Neural Network
  • Data Processing
  • Activation Function
  • Data Security
  • Network Weight