pith. sign in

arxiv: 2606.22928 · v1 · pith:UW7YQE4Lnew · submitted 2026-06-22 · 💻 cs.CR

HADES: Privacy-Preserving Federated Learning via Selective Feature Encryption and Hybrid Model Fusion

Pith reviewed 2026-06-26 07:58 UTC · model grok-4.3

classification 💻 cs.CR
keywords federated learningprivacy preservationhomomorphic encryptionprincipal component analysishybrid model fusionselective encryptionreconstruction attacksmultiparty computation
0
0 comments X

The pith

HADES uses PCA to encrypt only the most privacy-sensitive features in federated learning, then fuses an encrypted sub-network with a plaintext one to match vanilla accuracy while cutting reconstruction attack success and runtime.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces HADES as a hybrid framework for federated learning that avoids the cost of encrypting every feature. It applies principal component analysis to rank features by sensitivity, encrypts only the top-ranked ones with multiparty homomorphic encryption, and trains the rest in plaintext. The two resulting networks are combined through a fusion step so the final model behaves as a single end-to-end system. A packing scheme tailored to the full network architecture removes unnecessary rotations during the encrypted computation. Experiments show the approach reaches the same test accuracy as standard federated learning while lowering both attack success and wall-clock time relative to fully encrypted baselines.

Core claim

HADES shows that PCA-based selection of features for multiparty homomorphic encryption, combined with simultaneous plaintext training on the unselected features and subsequent model fusion, produces a federated model whose accuracy equals that of vanilla federated learning, whose reconstruction attack vulnerability drops substantially, and whose runtime improves over fully encrypted pipelines.

What carries the argument

The hybrid fusion mechanism that merges an MHE-trained sub-network on PCA-selected features with a plaintext sub-network on the remaining features into one end-to-end model.

If this is right

  • Runtime scales with the fraction of features encrypted rather than the full feature set.
  • Reconstruction attack success rate falls when only PCA-selected features receive encryption.
  • The network-wide packing scheme removes rotations that would otherwise be performed for every layer.
  • End-to-end training remains possible without separate post-processing steps after fusion.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same selective-encryption pattern could be tested on tabular medical or financial datasets where only a minority of columns carry sensitive information.
  • An adaptive variant might recompute PCA on each round of federated training to track shifting feature importance.
  • The fusion step suggests that privacy budgets could be allocated per feature rather than uniformly across the entire input.

Load-bearing premise

PCA reliably ranks features so that encrypting only the highest-ranked ones blocks reconstruction attacks while the fusion step keeps overall accuracy intact.

What would settle it

A reconstruction attack that recovers private data from the selectively encrypted model at the same rate as from a non-encrypted model, or a fused model whose test accuracy falls more than a few percent below the vanilla federated baseline on the same datasets.

Figures

Figures reproduced from arXiv: 2606.22928 by Erg\"un Batuhan Kaynak, Kerem Bayramoglu, Sinem Sav.

Figure 1
Figure 1. Figure 1: HADES’s system overview. The initialization phase involves selecting the clear-text and encrypted (privacy-sensitive) [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Qualitative iDLG reconstructions for the fusion model [PITH_FULL_IMAGE:figures/full_fig_p009_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Test accuracy (%) versus the number of encrypted PCA-selected features ( [PITH_FULL_IMAGE:figures/full_fig_p010_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Training time as a function of the encrypted-feature set ( [PITH_FULL_IMAGE:figures/full_fig_p011_4.png] view at source ↗
read the original abstract

In this paper, we address the challenge of privacy-preserving training in federated learning (FL) by introducing a novel framework that selectively encrypts only the most privacy-sensitive features while leaving the remaining data and the corresponding model portion unencrypted. We propose HADES, a hybrid system that identifies and encrypts the most critical features, ensuring both privacy protection and computational efficiency. Unlike fully encrypted FL training pipelines, which suffer from high computational overhead, HADES integrates an encrypted and non-encrypted training pipeline via a fusion mechanism, enabling seamless interaction between encrypted and plaintext model representations. To achieve this, we use PCA to identify and encrypt the most privacy-sensitive features, which significantly reduces reconstruction attack success in FL. Building on this insight, we design a hybrid FL system that trains an end-to-end encrypted network via multiparty homomorphic encryption (MHE) on the selected features while simultaneously training a plaintext network on the remaining features. These two networks are then integrated using a fusion mechanism. We also introduce a general packing scheme that eliminates redundant rotations by considering the entire neural network architecture. Finally, we demonstrate that HADES matches the accuracy of vanilla FL while preserving privacy and achieving optimized runtime through selective encryption.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript proposes HADES, a hybrid federated learning framework for privacy preservation that applies PCA to identify and selectively encrypt the most privacy-sensitive features using multiparty homomorphic encryption (MHE) while training a parallel plaintext network on the remaining features. These are fused via a hybrid mechanism, and a general packing scheme is introduced to reduce redundant rotations across the neural network architecture. The central claim is that this selective approach matches the accuracy of vanilla FL, substantially reduces reconstruction attack success, and yields runtime gains compared to fully encrypted pipelines.

Significance. If the privacy and accuracy claims are substantiated, the selective-encryption-plus-hybrid-fusion design could offer a practical efficiency improvement over full MHE in FL deployments. The packing scheme, if shown to be architecture-aware and general, would be a concrete technical contribution. The work sits within the standard toolkit of FL privacy techniques but does not yet demonstrate falsifiable privacy metrics or ablation evidence that would elevate its impact.

major comments (2)
  1. [Abstract] Abstract: the claim that PCA identifies the 'most privacy-sensitive features' such that encrypting only those features 'significantly reduces reconstruction attack success' is load-bearing for the privacy guarantee, yet no attack model, quantitative privacy metric (reconstruction MSE, membership-inference AUC, etc.), or ablation against random/gradient-norm selection is supplied to show that high-variance directions coincide with directions exploitable by reconstruction adversaries.
  2. [Abstract] Abstract: the hybrid fusion step is asserted to enable 'seamless interaction' and to preserve end-to-end accuracy without loss relative to vanilla FL, but no combined loss function, convergence argument, or derivation for integrating the MHE and plaintext sub-networks is provided; this assumption is load-bearing for the accuracy-matching claim.
minor comments (1)
  1. The abstract states 'we demonstrate' accuracy parity and runtime gains but supplies no dataset names, baseline comparisons, or result tables; a concise summary of the experimental setup should appear in the abstract or early sections.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the opportunity to respond to the referee's comments on our manuscript. We address each major comment point by point below and will revise the paper to strengthen the presentation of our claims.

read point-by-point responses
  1. Referee: [Abstract] Abstract: the claim that PCA identifies the 'most privacy-sensitive features' such that encrypting only those features 'significantly reduces reconstruction attack success' is load-bearing for the privacy guarantee, yet no attack model, quantitative privacy metric (reconstruction MSE, membership-inference AUC, etc.), or ablation against random/gradient-norm selection is supplied to show that high-variance directions coincide with directions exploitable by reconstruction adversaries.

    Authors: We thank the referee for this observation. The manuscript reports experimental results indicating that selective encryption of PCA-identified features reduces reconstruction attack success relative to plaintext baselines. However, we agree that an explicit attack model, specific quantitative metrics (e.g., reconstruction MSE), and ablations versus random or gradient-norm feature selection are not provided. We will revise the manuscript to add a dedicated threat-model section, report the requested quantitative privacy metrics, and include the suggested ablation studies. revision: yes

  2. Referee: [Abstract] Abstract: the hybrid fusion step is asserted to enable 'seamless interaction' and to preserve end-to-end accuracy without loss relative to vanilla FL, but no combined loss function, convergence argument, or derivation for integrating the MHE and plaintext sub-networks is provided; this assumption is load-bearing for the accuracy-matching claim.

    Authors: We acknowledge that the hybrid fusion mechanism is described at a high level without the formal details requested. The current version does not supply the combined loss function, a derivation for integrating the encrypted and plaintext sub-networks, or a convergence argument. We will revise the paper to include these elements, providing the explicit loss formulation and either a theoretical sketch or expanded empirical analysis confirming accuracy preservation. revision: yes

Circularity Check

0 steps flagged

No significant circularity; claims rely on standard techniques without self-referential definitions or reductions.

full rationale

The paper presents HADES as a design that applies PCA for feature selection, MHE for the encrypted sub-network, and a fusion step for the hybrid model. None of these steps reduce by the paper's own equations or definitions to tautological inputs; PCA is invoked as an off-the-shelf variance-ranking tool, the fusion is described as an integration mechanism, and performance matching vanilla FL is asserted as an empirical outcome rather than a fitted quantity renamed as a prediction. No self-citation chains, uniqueness theorems, or ansatzes smuggled via prior work appear in the provided text. The central premises are therefore independent design choices whose validity can be checked against external benchmarks (attack success rates, accuracy deltas) without internal circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entities

The framework rests on domain assumptions about feature sensitivity detection and the security properties of the hybrid fusion; no free parameters or invented entities are quantified in the abstract.

axioms (2)
  • domain assumption PCA identifies the most privacy-sensitive features for encryption
    Invoked when the abstract states that PCA is used to select features that significantly reduce reconstruction attack success.
  • domain assumption The fusion mechanism integrates encrypted and plaintext representations without information leakage or accuracy loss
    Required for the hybrid training claim but not justified in the abstract.
invented entities (1)
  • general packing scheme for neural network architecture no independent evidence
    purpose: Eliminates redundant rotations in the encrypted computation
    Introduced as a supporting technique but no independent evidence or details provided.

pith-pipeline@v0.9.1-grok · 5747 in / 1447 out tokens · 21661 ms · 2026-06-26T07:58:43.329437+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

47 extracted references · 12 canonical work pages · 1 internal anchor

  1. [1]

    Federated Optimization: Distributed Machine Learning for On-Device Intelligence

    J. Kone ˇcn`y, H. B. McMahan, D. Ramage, and P. Richt ´arik, “Federated optimization: Distributed machine learning for on-device intelligence,” CoRR, vol. abs:1610.02527, 2016

  2. [2]

    Federated learning of deep networks using model averaging,

    H. B. McMahan, E. Moore, D. Ramage, and B. A. y Arcas, “Federated learning of deep networks using model averaging,”CoRR, vol. abs/1602.05629, 2016. [Online]. Available: http://arxiv.org/abs/ 1602.05629

  3. [3]

    How to backdoor federated learning,

    E. Bagdasaryan, A. Veit, Y . Hua, D. Estrin, and V . Shmatikov, “How to backdoor federated learning,”CoRR, vol. abs/1807.00459, 2018. [Online]. Available: http://arxiv.org/abs/1807.00459

  4. [4]

    Deep models under the GAN: Information leakage from collaborative deep learning,

    B. Hitaj, G. Ateniese, and F. Perez-Cruz, “Deep models under the GAN: Information leakage from collaborative deep learning,” inACM CCS, 2017

  5. [5]

    Beyond inferring class representatives: User-level privacy leakage from federated learning,

    Z. Wang, M. Song, Z. Zhang, Y . Song, Q. Wang, and H. Qi, “Beyond inferring class representatives: User-level privacy leakage from federated learning,” inIEEE INFOCOM 2019 - IEEE Conference on Computer Communications, 2019, pp. 2512–2520. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 13

  6. [6]

    Exploiting unintended feature leakage in collaborative learning,

    L. Melis, C. Song, E. De Cristofaro, and V . Shmatikov, “Exploiting unintended feature leakage in collaborative learning,” in2019 IEEE Symposium on Security and Privacy (SP), 2019, pp. 691–706

  7. [7]

    Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,

    M. Nasr, R. Shokri, and A. Houmansadr, “Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,” inIEEE S&P, 2019

  8. [8]

    Gan enhanced membership inference: A passive local attack in federated learning,

    J. Zhang, J. Zhang, J. Chen, and S. Yu, “Gan enhanced membership inference: A passive local attack in federated learning,” inIEEE Inter- national Conference on Communications (ICC). IEEE, 2020, pp. 1–6

  9. [9]

    Privacy-preserving deep learning,

    R. Shokri and V . Shmatikov, “Privacy-preserving deep learning,” inACM Conference on Computer and Communications Security (CCS), 2015

  10. [10]

    Learning differentially private recurrent language models,

    H. B. McMahan, D. Ramage, K. Talwar, and L. Zhang, “Learning differentially private recurrent language models,” inInternational Conference on Learning Representations, 2018. [Online]. Available: https://openreview.net/forum?id=BJ0hF1Z0b

  11. [11]

    Ldp-fed: Federated learning with local differential privacy,

    S. Truex, L. Liu, K.-H. Chow, M. E. Gursoy, and W. Wei, “Ldp-fed: Federated learning with local differential privacy,” inProceedings of the third ACM international workshop on edge systems, analytics and networking, 2020, pp. 61–66

  12. [12]

    Local differential privacy is not enough: A sample reconstruction attack against federated learning with local differential privacy,

    Z. You, X. Dong, S. Li, S. Ma, and Y . Shen, “Local differential privacy is not enough: A sample reconstruction attack against federated learning with local differential privacy,”IEEE Transactions on Information Forensics and Security, 2024

  13. [13]

    Sok: Secure aggregation based on cryptographic schemes for federated learning,

    M. Mansouri, M. ¨Onen, W. B. Jaballah, and M. Conti, “Sok: Secure aggregation based on cryptographic schemes for federated learning,” PoPETs, 2023

  14. [14]

    Secure aggregation in federated learning via multiparty homomorphic encryption,

    E. Hosseini and A. Khisti, “Secure aggregation in federated learning via multiparty homomorphic encryption,” in2021 IEEE Globecom Workshops (GC Wkshps). IEEE, 2021, pp. 1–6

  15. [15]

    {BatchCrypt}: Efficient homomorphic encryption for{Cross-Silo}federated learning,

    C. Zhang, S. Li, J. Xia, W. Wang, F. Yan, and Y . Liu, “{BatchCrypt}: Efficient homomorphic encryption for{Cross-Silo}federated learning,” in2020 USENIX annual technical conference (ATC 20), 2020

  16. [16]

    Brendan and Patel, Sarvar and Ramage, Daniel and Segal, Aaron and Seth, Karn , title =

    K. Bonawitz, V . Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth, “Practical secure aggregation for privacy-preserving machine learning,” inProceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’17. New York, NY , USA: Association for Computing Machinery, 2017, p. 1175–1...

  17. [17]

    Poseidon: Privacy-preserving federated neural network learning,

    S. Sav, A. Pyrgelis, J. R. Troncoso-Pastoriza, D. Froelicher, J.-P. Bossuat, J. S. Sousa, and J.-P. Hubaux, “Poseidon: Privacy-preserving federated neural network learning,” inNDSS, 2021

  18. [18]

    Privacy- preserving federated recurrent neural networks,

    S. Sav, A. Diaa, A. Pyrgelis, J.-P. Bossuat, and J.-P. Hubaux, “Privacy- preserving federated recurrent neural networks,”PoPETs, vol. 2023, pp. 500–521. [Online]. Available: https://api.semanticscholar.org/CorpusID: 251135050

  19. [19]

    Hercules: Boosting the performance of privacy-preserving federated learning,

    G. Xu, X. Han, S. Xu, T. Zhang, H. Li, X. Huang, and R. H. Deng, “Hercules: Boosting the performance of privacy-preserving federated learning,”IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 5, pp. 4418–4433, 2023

  20. [20]

    Sphinx: Enabling privacy-preserving online learning over the cloud,

    H. Tian, C. Zeng, Z. Ren, D. Chai, J. Zhang, K. Chen, and Q. Yang, “Sphinx: Enabling privacy-preserving online learning over the cloud,” in IEEE Symposium on Security and Privacy (SP), 2022, pp. 2487–2501

  21. [21]

    idlg: Improved deep leakage from gradients,

    B. Zhao, K. R. Mopuri, and H. Bilen, “idlg: Improved deep leakage from gradients,” 2020. [Online]. Available: https://arxiv.org/abs/2001.02610

  22. [22]

    Privacy-preserving federated learning using homo- morphic encryption,

    J. Park and H. Lim, “Privacy-preserving federated learning using homo- morphic encryption,”Applied Sciences, vol. 12, no. 2, p. 734, 2022

  23. [23]

    Blindfl: Segmented federated learning with fully homomorphic encryption,

    E. Gronberg, L. d’Aliberti, M. Saebo, and A. Hook, “Blindfl: Segmented federated learning with fully homomorphic encryption,”arXiv preprint arXiv:2501.11659, 2025

  24. [24]

    Privacy-preserving decentralized federated learning over time-varying communication graph,

    Y . Lu, Z. Yu, and N. Suri, “Privacy-preserving decentralized federated learning over time-varying communication graph,”ACM Trans. Priv. Secur., vol. 26, no. 3, Jun. 2023. [Online]. Available: https://doi.org/10.1145/3591354

  25. [25]

    Maskcrypt: Federated learning with selective ho- momorphic encryption,

    C. Hu and B. Li, “Maskcrypt: Federated learning with selective ho- momorphic encryption,”IEEE Transactions on Dependable and Secure Computing, vol. 22, no. 1, pp. 221–233, 2025

  26. [26]

    Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy,

    R. Gilad-Bachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing, “Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy,” inProceedings of The 33rd International Conference on Machine Learning, ser. Proceedings of Machine Learning Research, M. F. Balcan and K. Q. Weinberger, Eds., vol. 48. New York, New Yo...

  27. [27]

    Private machine learning classification based on fully homomorphic encryption,

    X. Sun, P. Zhang, J. K. Liu, J. Yu, and W. Xie, “Private machine learning classification based on fully homomorphic encryption,”IEEE Transactions on Emerging Topics in Computing, vol. 8, no. 2, pp. 352– 364, 2020

  28. [28]

    Towards the alexnet moment for homomorphic encryption: Hcnn, the first homomorphic cnn on encrypted data with gpus,

    A. Al Badawi, C. Jin, J. Lin, C. F. Mun, S. J. Jie, B. H. M. Tan, X. Nan, K. M. M. Aung, and V . R. Chandrasekhar, “Towards the alexnet moment for homomorphic encryption: Hcnn, the first homomorphic cnn on encrypted data with gpus,”IEEE Transactions on Emerging Topics in Computing, vol. 9, no. 3, pp. 1330–1343, 2021

  29. [29]

    Towards deep neural network training on encrypted data,

    K. Nandakumar, N. Ratha, S. Pankanti, and S. Halevi, “Towards deep neural network training on encrypted data,” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) Workshops, June 2019

  30. [30]

    Neural networks and principal component analysis: Learning from examples without local minima,

    P. Baldi and K. Hornik, “Neural networks and principal component analysis: Learning from examples without local minima,”Neural Networks, vol. 2, no. 1, pp. 53–58, 1989. [Online]. Available: https://www.sciencedirect.com/science/article/pii/0893608089900142

  31. [31]

    Big data privacy preservation using principal component analysis and random projection in healthcare,

    R. Ratra, P. Gulia, N. S. Gill, and J. M. Chatterjee, “Big data privacy preservation using principal component analysis and random projection in healthcare,”Mathematical Problems in Engineering, vol. 2022, no. 1, p. 6402274, 2022

  32. [32]

    Multiparty homomorphic encryption from ring-learning-with-errors,

    C. Mouchet, J. Troncoso-Pastoriza, J.-P. Bossuat, and J.-P. Hubaux, “Multiparty homomorphic encryption from ring-learning-with-errors,” PoPETs, vol. 2021, no. 4, pp. 291–311, 2021

  33. [33]

    Multiparty homomorphic encryption: From theory to practice,

    C. V . Mouchet, “Multiparty homomorphic encryption: From theory to practice,” Ph.D. dissertation, EPFL, 2023

  34. [34]

    Attention in a Family of Boltzmann Machines Emerging From Modern Hopfield Networks

    J. Gao, P. Li, Z. Chen, and J. Zhang, “A survey on deep learning for multimodal data fusion,”Neural Computation, vol. 32, no. 5, pp. 829– 864, 05 2020. [Online]. Available: https://doi.org/10.1162/neco a 01273

  35. [35]

    Privacy preserving pca for multiparty modeling,

    Y . Liu, C. Chen, L. Zheng, L. xilinx Wang, J. Zhou, and G.-J. Liu, “Privacy preserving pca for multiparty modeling,”ArXiv, vol. abs/2002.02091, 2020. [Online]. Available: https://api.semanticscholar. org/CorpusID:211043587

  36. [36]

    Scalable and privacy-preserving federated principal component analysis,

    D. Froelicher, H. Cho, M. Edupalli, J. Sa Sousa, J.-P. Bossuat, A. Pyrge- lis, J. R. Troncoso-Pastoriza, B. Berger, and J.-P. Hubaux, “Scalable and privacy-preserving federated principal component analysis,” in2023 IEEE Symposium on Security and Privacy (SP), 2023, pp. 1908–1925

  37. [37]

    OpenFHE: Open-source fully homomorphic encryption library,

    A. A. Badawi, A. Alexandru, J. Bates, F. Bergamaschi, D. B. Cousins, S. Erabelli, N. Genise, S. Halevi, H. Hunt, A. Kim, Y . Lee, Z. Liu, D. Micciancio, C. Pascoe, Y . Polyakov, I. Quah, S. R.V ., K. Rohloff, J. Saylor, D. Suponitsky, M. Triplett, V . Vaikuntanathan, and V . Zucca, “OpenFHE: Open-source fully homomorphic encryption library,” Cryptology eP...

  38. [38]

    Mangasarian Olvi, W., S.: Breast Cancer Wisconsin (Diagnostic)

    W. et al., “Breast Cancer Wisconsin (Diagnostic),” UCI Machine Learn- ing Repository, 1993, DOI: https://doi.org/10.24432/C5DW2B

  39. [39]

    MNIST handwritten digit database,

    Y . LeCun and C. Cortes, “MNIST handwritten digit database,” 2010. [Online]. Available: http://yann.lecun.com/exdb/mnist/

  40. [40]

    Reading digits in natural images with unsupervised feature learning,

    Y . Netzer, T. Wang, A. Coates, A. Bissacco, B. Wu, and A. Ng, “Reading digits in natural images with unsupervised feature learning,” 2011. [Online]. Available: https://api.semanticscholar.org/CorpusID:16852518

  41. [41]

    R., Millman, K

    C. R. Harris, K. J. Millman, S. J. van der Walt, R. Gommers, P. Virtanen, D. Cournapeau, E. Wieser, J. Taylor, S. Berg, N. J. Smith, R. Kern, M. Picus, S. Hoyer, M. H. van Kerkwijk, M. Brett, A. Haldane, J. F. del R ´ıo, M. Wiebe, P. Peterson, P. G ´erard-Marchant, K. Sheppard, T. Reddy, W. Weckesser, H. Abbasi, C. Gohlke, and T. E. Oliphant, “Array progr...

  42. [42]

    R.,Practical Methods of Optimization

    F. R.,Practical Methods of Optimization. Wiley, 2000

  43. [43]

    SciPy 1.0: Fundamental Algorithms for Scientific Computing in Python,

    P. Virtanen, R. Gommers, T. E. Oliphant, M. Haberland, T. Reddy, D. Cournapeau, E. Burovski, P. Peterson, W. Weckesser, J. Bright, S. J. van der Walt, M. Brett, J. Wilson, K. J. Millman, N. Mayorov, A. R. J. Nelson, E. Jones, R. Kern, E. Larson, C. J. Carey,˙I. Polat, Y . Feng, E. W. Moore, J. VanderPlas, D. Laxalde, J. Perktold, R. Cimrman, I. Henrik- se...

  44. [44]

    Image quality assess- ment: from error visibility to structural similarity,

    Z. Wang, A. Bovik, H. Sheikh, and E. Simoncelli, “Image quality assess- ment: from error visibility to structural similarity,”IEEE Transactions on Image Processing, vol. 13, no. 4, pp. 600–612, 2004

  45. [45]

    The unreasonable effectiveness of deep features as a perceptual metric,

    R. Zhang, P. Isola, A. A. Efros, E. Shechtman, and O. Wang, “The unreasonable effectiveness of deep features as a perceptual metric,” in 2018 IEEE/CVF Conference on Computer Vision and Pattern Recogni- tion, 2018, pp. 586–595. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 14 SUPPLEMENTARY MATERIAL A. Glossary We provide the frequently used not...

  46. [46]

    a11 a12 a21 a22 # πrow(A) − − − − − →[a11, a12, a21, a22] B=

    Matrix Representation via Packing and Padding Strate- gies:One key challenge in implementing HE-based neural networks is efficiently encoding (packing) matrix representa- tions and operations while adhering to constraints imposed by HE. In this section, we provide the mathematical details of HE operations that enable neural network training under encrypti...

  47. [47]

    For neural networks with multiple layers, additional challenges arise

    Dynamic Packing for Deep Networks.:The previous representation example was given with a local scope. For neural networks with multiple layers, additional challenges arise. For example, if the amount of free slots required in the ciphertext is not calculated with a global view, there could be misalignment in further layers. Additionally, the representation...