arxiv: 2606.25216 · v1 · pith:MIOYRTPWnew · submitted 2026-06-23 · 💻 cs.CR · cs.CV

Homomorphic Encryptions for Privacy Preserving Vision

Pith reviewed 2026-06-25 22:36 UTC · model grok-4.3

classification 💻 cs.CR cs.CV
keywords homomorphic encryption · privacy-preserving inference · computer vision · convolutional neural networks · encrypted image classification · machine learning on encrypted data

The pith

Convolutional neural networks can classify images directly from encrypted data while incurring only a minimal drop in accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that standard CNN operations can be rewritten to rely solely on the additions and multiplications allowed by fully homomorphic encryption, enabling inference on encrypted images. This matters because it lets organizations send sensitive visual data, such as medical scans, to external services for classification without ever exposing the raw content. The authors test the approach on MNIST and then on more demanding sets including Kuzushiji MNIST, Fashion-MNIST, and CIFAR-10, while extending support to multi-channel inputs and repeated convolutional layers. If the adaptation works, privacy-preserving vision inference becomes practical without large sacrifices in correctness.

Core claim

By rewriting conventional CNN layers to use only the additive and multiplicative operations permitted by a fully homomorphic encryption scheme, the authors obtain classification accuracy on encrypted images that remains close to the accuracy achieved on the corresponding unencrypted data across MNIST, Kuzushiji MNIST, Fashion-MNIST, and CIFAR-10. The same modifications also enable processing of colored images and stacking of multiple convolutional layers.

What carries the argument

Adapted CNN layers that replace standard convolutions and pooling with sequences of additions and multiplications compatible with fully homomorphic encryption while retaining sufficient numerical precision.

If this is right

  • Organizations can outsource image classification to third-party servers without sharing plaintext visual data.
  • The same layer modifications support both grayscale and color images as well as deeper stacks of convolutions.
  • Accuracy remains comparable to standard CNNs on benchmark datasets beyond the simplest MNIST case.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same rewriting strategy might apply to other neural architectures that rely mainly on linear operations.
  • Real-world deployment would still need to address the computational overhead of homomorphic operations on larger images.
  • Combining this encryption layer with differential privacy could further strengthen guarantees against reconstruction attacks.

Load-bearing premise

Standard CNN layers can be rewritten to use only the addition and multiplication operations permitted by the chosen homomorphic encryption scheme while preserving enough numerical precision for accurate classification on the tested datasets.

What would settle it

Running the adapted network on the same encrypted test sets and measuring a large gap between its accuracy and the unencrypted baseline accuracy would falsify the central claim.

Figures

Figures reproduced from arXiv: 2606.25216 by Preey Shah, Rohan Virani, Sanjari Srivastava.

Figure 1: Accuracy and inference time with changing bit scale ac
Figure 2: Accuracy and inference time with changing bit scale ac

Original abstract

Legal requirements might prevent organizations from sharing sensitive data like medical or financial details of consumers which prevents them from leveraging cloud-based ML-as-a-service solutions provided by third-party providers, which are quickly gaining popularity these days. In this project, we aim to perform inference tasks in Computer Vision in a privacy-preserving manner, i.e., by only looking at encrypted data. Recent advances in fully homomorphic encryption make this possible. A fully homomorphic encryption allows an arbitrary sequence of additive and multiplicative operations to be performed on encrypted data directly. Applying homomorphic encryptions to CNNs requires modifying the conventional CNN layers, so that they adhere to the encryption scheme. Our aim was to explore the best methods to create CNNs which can classify encrypted images directly. We used Microsoft SEAL for performing homomorphic encryption. The performance of these "encryption based CNNs" should be comparable with baseline accuracies of the same CNNs trained on unencrypted data, and the aim was to achieve as low of a hit on inference-time performance as possible. We successfully obtained minimal drop in classification accuracy for various datasets. We used MNIST as our baseline, which is popularly used in related research work and then explored more complex datasets like Kuzushiji MNIST, Fashion-MNIST and CIFAR-10 as a part of our contribution. Additionally, we also added support for more complex operations on top of TenSEAL, like processing colored images (multi-channel input), applying multiple convolutional layers and performing average pooling.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The manuscript describes an implementation of CNNs adapted for fully homomorphic encryption (using Microsoft SEAL and TenSEAL) to enable privacy-preserving inference on encrypted images. It claims successful classification with minimal accuracy drop on MNIST, Kuzushiji-MNIST, Fashion-MNIST, and CIFAR-10, plus extensions for multi-channel inputs, multiple convolutions, and average pooling.

Significance. If the reported accuracy results hold with proper baselines and are reproducible, the work provides an engineering contribution by extending open-source HE libraries to support standard CV operations, which could aid practical deployment of privacy-preserving ML-as-a-service. However, the absence of quantitative metrics in the abstract limits assessment of novelty relative to prior HE-CNN work.

major comments (2)
  1. [Abstract] Abstract: the central claim of 'minimal drop in classification accuracy' for the listed datasets is unsupported by any numerical results, baselines, error bars, or description of layer approximations (e.g., how ReLU or other non-polynomial activations are handled under the +/* constraint of the HE scheme). This is load-bearing for the paper's success assertion.
  2. [Abstract] The manuscript relies on external libraries (SEAL/TenSEAL) without detailing the specific CNN modifications or precision-management techniques used; the weakest assumption (that standard layers can be rewritten while preserving classification accuracy) therefore cannot be evaluated from the provided text.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We address the major comments point by point below and have revised the manuscript to improve clarity and support for our claims.

  1. Referee: [Abstract] Abstract: the central claim of 'minimal drop in classification accuracy' for the listed datasets is unsupported by any numerical results, baselines, error bars, or description of layer approximations (e.g., how ReLU or other non-polynomial activations are handled under the +/* constraint of the HE scheme). This is load-bearing for the paper's success assertion.

    Authors: We agree that the abstract would be strengthened by including specific numerical results. In the revised manuscript, we have updated the abstract to report the classification accuracies achieved on MNIST, Kuzushiji-MNIST, Fashion-MNIST, and CIFAR-10, along with comparisons to the unencrypted baselines. We have also added a concise description of the polynomial approximations used for non-linear activations such as ReLU to satisfy the additive/multiplicative constraints of the HE scheme. Expanded details, including any error bars from our experiments, remain in the results section. revision: yes

  2. Referee: [Abstract] The manuscript relies on external libraries (SEAL/TenSEAL) without detailing the specific CNN modifications or precision-management techniques used; the weakest assumption (that standard layers can be rewritten while preserving classification accuracy) therefore cannot be evaluated from the provided text.

    Authors: We acknowledge that additional detail on the modifications is warranted for proper evaluation. We have added a dedicated subsection in the methods that explicitly describes the extensions made to TenSEAL, including support for multi-channel inputs, multiple convolutional layers, and average pooling, as well as the precision-management techniques applied during encrypted inference. This revision clarifies how standard CNN layers were adapted while preserving accuracy. revision: yes

Circularity Check

0 steps flagged

No significant circularity identified

The paper is an empirical implementation report describing CNN modifications for homomorphic encryption using external open-source libraries (Microsoft SEAL, TenSEAL) and reporting classification accuracies on standard public datasets (MNIST and variants, CIFAR-10). No mathematical derivation chain, equations, fitted parameters, or self-citations are present that could reduce claims to inputs by construction. The central result (minimal accuracy drop) is an observed experimental outcome rather than a self-referential prediction or renamed ansatz. This matches the reader's assessment of negligible circularity risk.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the standard assumption that FHE schemes support sufficient depth of multiplication before noise growth prevents accurate decryption, plus the modeling choice that CNN operations can be approximated by polynomials or other FHE-compatible functions without destroying classification performance.

axioms (1)
  • domain assumption Fully homomorphic encryption supports an arbitrary number of additions and a limited number of multiplications on ciphertexts before noise prevents correct decryption.
    Invoked when stating that CNN layers can be performed directly on encrypted data.
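
The constraint in this ledger, as an added example that is not code from the paper, TenSEAL or SEAL: a plaintext stand-in for a ciphertext that permits only addition and multiplication and counts multiplicative depth through one convolution, activation and average-pooling block. `Enc`, `MAX_DEPTH`, the square activation in place of ReLU, and the rule that every multiplication costs one level are assumptions made for illustration.

```python
# Added illustration: plaintext stand-in for an HE ciphertext. No encryption
# happens; Enc, MAX_DEPTH and the layer functions are hypothetical names.
MAX_DEPTH = 3  # assumed budget of multiplications before decryption fails

class DepthExceeded(Exception):
    pass

class Enc:
    """Value that supports only + and *, and records multiplicative depth."""
    def __init__(self, value, depth=0):
        if depth > MAX_DEPTH:
            raise DepthExceeded(f"depth {depth} exceeds budget {MAX_DEPTH}")
        self.value, self.depth = value, depth

    def __add__(self, other):  # additions never consume depth
        if isinstance(other, Enc):
            return Enc(self.value + other.value, max(self.depth, other.depth))
        return Enc(self.value + other, self.depth)
    __radd__ = __add__

    def __mul__(self, other):  # assumption: every multiply costs one level
        if isinstance(other, Enc):
            return Enc(self.value * other.value, max(self.depth, other.depth) + 1)
        return Enc(self.value * other, self.depth + 1)
    __rmul__ = __mul__

def conv2d(img, kernel):
    """Valid convolution with plaintext weights: multiplies and adds only."""
    k, n = len(kernel), len(img) - len(kernel) + 1
    return [[sum(img[i + a][j + b] * kernel[a][b]
                 for a in range(k) for b in range(k))
             for j in range(n)] for i in range(n)]

def square(fm):
    """x*x as a polynomial stand-in for ReLU (assumed, not the paper's choice)."""
    return [[x * x for x in row] for row in fm]

def avg_pool(fm, p):
    """Average pooling: add the window, multiply by the constant 1/p^2."""
    n = len(fm) // p
    return [[sum(fm[i * p + a][j * p + b] for a in range(p) for b in range(p))
             * (1.0 / (p * p)) for j in range(n)] for i in range(n)]

# Constructed sample input: 5x5 "image" and 2x2 kernel.
PIXELS = [[i + j for j in range(5)] for i in range(5)]
KERNEL = [[1, 2], [0, -1]]

def run_block():
    enc = [[Enc(v) for v in row] for row in PIXELS]
    return avg_pool(square(conv2d(enc, KERNEL)), 2)  # depth 1 -> 2 -> 3
```

Feeding the output of `run_block()` into another `conv2d` raises `DepthExceeded`, the point at which a real deployment needs larger encryption parameters or a shallower network.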
