Privacy-Preserving Machine Learning

Updated 15 April 2026
  • Privacy-Preserving Machine Learning is a field that integrates cryptographic and statistical techniques, such as differential privacy and MPC, to protect sensitive data during ML model training and inference.
  • It employs methods like homomorphic encryption and trusted execution environments to secure data processing while balancing accuracy, performance, and privacy trade-offs.
  • Practical protocols in PPML enable secure federated learning and distributed linear regression, offering measurable privacy guarantees and real-world applicability.

Privacy-preserving machine learning (PPML) is a set of methods, protocols, and cryptographic or statistical mechanisms designed to enable ML model training and inference over sensitive data without disclosing that data or, in some settings, the model itself. PPML aims to counter a spectrum of threats including data reconstruction, membership inference, attribute inference, and unauthorized access to confidential models in environments ranging from outsourced cloud computation to collaborative analytics among mutually distrusting organizations (Al-Rubaie et al., 2018, Xu et al., 2021). The domain encompasses differential privacy, secure multi-party computation (MPC), homomorphic encryption (HE), functional encryption (FE), trusted hardware enclaves, privacy-preserving federated learning, and hybrid workflows.

1. Threat Models and Privacy Guarantees

PPML is motivated by adversaries with access to different system components: raw training data, model parameters (white-box), or merely inference APIs (black-box). Notable attacks are:

  • Reconstruction attacks: Attempting to recover original input data from stored model features or parameters.
  • Model inversion: Synthesizing inputs to match a given output, revealing information about training examples.
  • Membership inference: Determining if a given data point was in the training set based on subtle output differences.
  • Property inference: Deducing sensitive attributes of the dataset or individuals from intermediate or final model artifacts (Al-Rubaie et al., 2018).

Central to most PPML formalizations is (ε,δ)-differential privacy, which ensures that the model's output statistically hides the participation of any individual record, together with simulation-based (ideal/real-world) security definitions for MPC protocols and IND-CPA semantic security for HE schemes. The two families protect different things: DP bounds what a released model or output leaks about any one record, whereas MPC and HE protect the inputs during computation but say nothing about what the final model reveals, so a model trained under MPC alone remains exposed to membership inference unless DP is layered on top.
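To make the membership-inference threat concrete, the following added example (written for this page, not taken from any of the cited papers) trains an ordinary, non-private logistic regression on a constructed dataset in the memorisation regime (more features than examples, random labels) and then runs the simplest black-box attack: declare a point a member if the model's loss on it is low. The AUC of that rule over held-in versus held-out points measures how much the model leaks about its training set. All data, sizes and hyperparameters are assumptions made for the illustration.

```python
import math
import random


def make_dataset(n, d, rng):
    """Constructed data: n points with d Gaussian features and *random* labels.
    With d > n a linear model can only fit the training set by memorising it,
    which is exactly the regime in which membership inference works well."""
    X = [[rng.gauss(0.0, 1.0) for _ in range(d)] for _ in range(n)]
    y = [rng.randint(0, 1) for _ in range(n)]
    return X, y


def sigmoid(z):
    # Numerically stable logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def logit(w, b, x):
    return sum(wj * xj for wj, xj in zip(w, x)) + b


def train_logreg(X, y, epochs, lr):
    """Plain (non-private) SGD on the logistic loss: this is the victim model."""
    d = len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            g = sigmoid(logit(w, b, xi)) - yi
            for j in range(d):
                w[j] -= lr * g * xi[j]
            b -= lr * g
    return w, b


def example_loss(w, b, x, y):
    """Per-example cross-entropy; the attacker can compute this from a
    black-box API that returns confidence scores."""
    p = min(max(sigmoid(logit(w, b, x)), 1e-12), 1.0 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1.0 - p))


def attack_auc(member_losses, nonmember_losses):
    """AUC of the rule 'lower loss => member' (Mann-Whitney U / (n*m)).
    0.5 means the attacker does no better than guessing; 1.0 is perfect leakage."""
    wins = 0.0
    for lm in member_losses:
        for ln in nonmember_losses:
            wins += 1.0 if lm < ln else (0.5 if lm == ln else 0.0)
    return wins / (len(member_losses) * len(nonmember_losses))


def run_attack(seed=0, n=40, d=200, epochs=100, lr=0.01):
    rng = random.Random(seed)
    X_train, y_train = make_dataset(n, d, rng)
    X_out, y_out = make_dataset(n, d, rng)  # same distribution, never seen by the model
    w, b = train_logreg(X_train, y_train, epochs, lr)
    member = [example_loss(w, b, x, t) for x, t in zip(X_train, y_train)]
    nonmember = [example_loss(w, b, x, t) for x, t in zip(X_out, y_out)]
    return {
        "auc": attack_auc(member, nonmember),
        "mean_member_loss": sum(member) / n,
        "mean_nonmember_loss": sum(nonmember) / n,
    }


if __name__ == "__main__":
    print(run_attack())
```

The gap between member and non-member loss is the signal every loss-based membership attack exploits; DP-SGD (next section) closes it by bounding how much any single example can move the parameters, at a measurable accuracy cost.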

2. Principal Technical Approaches

2.1 Differential Privacy

  • Mechanisms: Add calibrated noise to gradients (DP-SGD), aggregated model updates, or directly to outputs. DP-SGD is the standard for deep networks (Al-Rubaie et al., 2018, Xu et al., 2021).
    • Laplace mechanism for pure ε-DP, Gaussian for (ε,δ)-DP.
    • Placement: Input perturbation, objective perturbation, gradient perturbation, or output perturbation.
  • Trade-off: Stronger privacy (lower ε) incurs demonstrable test accuracy loss; DP-SGD with ε ≈ 8 achieves >98% on MNIST (Al-Rubaie et al., 2018, Xu et al., 2021).
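The mechanics of gradient perturbation are easy to get wrong (clipping must happen per example, before the sum, and the noise scale must be tied to the clipping norm), so here is an added example of one DP-SGD step on logistic regression. It is written for this page and is not code from the cited surveys; the dataset, hyperparameters and the use of sampling with replacement in place of Poisson subsampling are assumptions. The block deliberately does not compute ε: that is the job of a separate accountant (moments/RDP) fed with the noise multiplier, sampling rate and step count.

```python
import math
import random


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def clip_gradient(g, clip_norm):
    """Per-example clipping: scale g so that ||g||_2 <= clip_norm (unchanged if
    already within). This is what bounds the L2 sensitivity of the summed
    gradient to clip_norm, which the Gaussian mechanism needs."""
    norm = l2_norm(g)
    if norm <= clip_norm:
        return list(g)
    return [x * (clip_norm / norm) for x in g]


def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def logreg_grad(w, x, y):
    """Gradient of the logistic loss for a single example (no bias term, for brevity)."""
    p = sigmoid(sum(wj * xj for wj, xj in zip(w, x)))
    return [(p - y) * xj for xj in x]


def dp_sgd_step(w, batch, clip_norm, noise_multiplier, lr, rng=None):
    """One DP-SGD step in the style of Abadi et al.: clip each example's gradient,
    sum, add N(0, (noise_multiplier * clip_norm)^2) to every coordinate, average,
    then descend. rng may be None when noise_multiplier is 0."""
    d = len(w)
    summed = [0.0] * d
    for x, y in batch:
        for j, gj in enumerate(clip_gradient(logreg_grad(w, x, y), clip_norm)):
            summed[j] += gj
    sigma = noise_multiplier * clip_norm
    noisy = [s + (rng.gauss(0.0, sigma) if sigma > 0 else 0.0) for s in summed]
    return [wj - lr * nj / len(batch) for wj, nj in zip(w, noisy)]


def train_dp_logreg(data, steps, batch_size, clip_norm, noise_multiplier, lr, seed=0):
    rng = random.Random(seed)
    w = [0.0] * len(data[0][0])
    for _ in range(steps):
        # Assumption: uniform sampling with replacement stands in for the Poisson
        # subsampling that a privacy accountant assumes when turning
        # (noise_multiplier, batch_size / len(data), steps) into (epsilon, delta).
        batch = [rng.choice(data) for _ in range(batch_size)]
        w = dp_sgd_step(w, batch, clip_norm, noise_multiplier, lr, rng)
    return w


def make_data(n, rng, true_w=(1.0, -1.0, 0.5, 0.0, 2.0)):
    """Constructed linearly separable data labelled by a hidden weight vector."""
    data = []
    for _ in range(n):
        x = [rng.gauss(0.0, 1.0) for _ in range(len(true_w))]
        y = 1 if sum(tw * xj for tw, xj in zip(true_w, x)) > 0 else 0
        data.append((x, y))
    return data


def accuracy(w, data):
    hits = sum((sum(wj * xj for wj, xj in zip(w, x)) > 0) == (y == 1) for x, y in data)
    return hits / len(data)


def demo(noise_multiplier=1.0, seed=0):
    """Train with DP-SGD on constructed data and return held-out accuracy."""
    rng = random.Random(seed)
    train, test = make_data(512, rng), make_data(256, rng)
    w = train_dp_logreg(train, steps=100, batch_size=32, clip_norm=1.0,
                        noise_multiplier=noise_multiplier, lr=0.5, seed=seed)
    return accuracy(w, test)


if __name__ == "__main__":
    print("no noise:", demo(0.0), "noise multiplier 1.0:", demo(1.0))
```

Two checks a reviewer should insist on: the noise is added to the *sum* of clipped gradients (so its standard deviation is noise_multiplier × clip_norm, independent of batch size), and the clipping norm is a hyperparameter tuned for utility, since too small a value biases the update and too large a value wastes privacy budget on noise.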

2.2 Secure Multi-Party Computation (MPC)

  • Core idea: Parties secret-share their data and collaborate to compute a global function (training or inference) such that no party learns the others' inputs beyond what the function output implies.
  • Protocols: Building blocks such as additive secret sharing, Beaver multiplication triples, and garbled circuits, and the frameworks built on them (SPDZ, ABY3, BLAZE, SWIFT, Morse-STF, etc.).
    • Linear layers: Secure dot-products, extended Beaver triples for matrix/convolutional layers (Zhang et al., 2021).
    • Non-linearities: MPC-friendly polynomial approximations of sigmoid, ReLU, softmax via Fourier or Chebyshev expansions (Zhang et al., 2021).
  • Formal security: Semi-honest or fully malicious models, depending on protocol; robustness can be extended to guaranteed output delivery (GOD) or fairness (Patra et al., 2020, Koti et al., 2020).
  • Scalability: Protocols such as Morse-STF attain speedups of up to 4.9× on CNNs over the prior state of the art, and secure deep inference with modest communication in multiparty settings (Zhang et al., 2021, Lu et al., 2024).
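The secure dot product that underlies every linear and convolutional layer in these protocols is short enough to show end to end. The added example below (written for this page; it is not code from SPDZ, ABY3 or Morse-STF) runs a two-party additive-sharing protocol over Z_2^64 with fixed-point encoding: a model owner shares its weights, a data owner shares its features, and the parties multiply share-wise using Beaver triples, so the only values ever opened are uniformly random masked differences. The trusted dealer that hands out triples is an assumption standing in for the offline preprocessing phase (OT- or HE-based) of the real protocols, and the 16-bit fixed-point scale is likewise an illustrative choice.

```python
import random

RING = 1 << 64   # Z_{2^64}: word-sized ring arithmetic, as in SPDZ-2k/ABY3-style protocols
SCALE = 1 << 16  # fixed-point scale for real-valued weights and inputs (assumption)


def encode(value):
    """Fixed-point encode a real into the ring; negatives wrap (two's complement)."""
    return int(round(value * SCALE)) % RING


def decode(x, scale=SCALE):
    """Inverse of encode; a product of two encoded values carries scale SCALE**2."""
    if x >= RING // 2:
        x -= RING
    return x / scale


def share(x, rng):
    """Split x into two additive shares; each share alone is uniform in the ring."""
    r = rng.randrange(RING)
    return [r, (x - r) % RING]


def reconstruct(shares):
    return sum(shares) % RING


def beaver_triple(rng):
    """Dealer (offline phase): shares of random a, b and of c = a*b."""
    a, b = rng.randrange(RING), rng.randrange(RING)
    return share(a, rng), share(b, rng), share(a * b % RING, rng)


def secure_mul(x_sh, y_sh, triple):
    """Beaver multiplication. Parties open d = x - a and e = y - b (both masked by
    the random triple, so they leak nothing), then compute shares of
    x*y = c + d*b + e*a + d*e locally; party 0 alone adds the public term d*e."""
    a_sh, b_sh, c_sh = triple
    d = reconstruct([(x_sh[i] - a_sh[i]) % RING for i in range(2)])
    e = reconstruct([(y_sh[i] - b_sh[i]) % RING for i in range(2)])
    z_sh = []
    for i in range(2):
        zi = (c_sh[i] + d * b_sh[i] + e * a_sh[i]) % RING
        if i == 0:
            zi = (zi + d * e) % RING
        z_sh.append(zi)
    return z_sh


def secure_dot(x_shs, y_shs, triples):
    """Shared dot product: one Beaver multiplication per coordinate, then
    share-wise addition, which needs no communication at all."""
    acc = [0, 0]
    for xs, ys, t in zip(x_shs, y_shs, triples):
        z = secure_mul(xs, ys, t)
        acc = [(acc[i] + z[i]) % RING for i in range(2)]
    return acc


def demo(weights, features, seed=0):
    """Model owner contributes weights, data owner contributes features; both end
    up holding shares of the linear-layer output, decoded here for inspection."""
    rng = random.Random(seed)
    w_sh = [share(encode(w), rng) for w in weights]
    x_sh = [share(encode(x), rng) for x in features]
    triples = [beaver_triple(rng) for _ in weights]   # from the dealer / offline phase
    out_sh = secure_dot(w_sh, x_sh, triples)
    return decode(reconstruct(out_sh), SCALE * SCALE)


if __name__ == "__main__":
    print(demo([0.5, -1.25, 2.0], [1.0, 2.0, -0.5]))
```

Note what is missing: in a real protocol the output would be kept shared and fed into an MPC-friendly activation, and the accumulated fixed-point scale would be reduced by a dedicated truncation protocol rather than by decoding in the clear. Opening anything other than the masked differences d and e, or the final agreed output, is where implementations leak.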

2.3 Homomorphic Encryption (HE)

  • Technique: All computation occurs over encrypted data; the evaluator sees neither raw data nor intermediate results.
    • Partially and leveled HE: Paillier is additively homomorphic only; Brakerski–Gentry–Vaikuntanathan (BGV) and Brakerski/Fan–Vercauteren (BFV) give exact integer arithmetic over circuits of bounded multiplicative depth.
    • CKKS: Approximate arithmetic over real/complex values, suited for neural nets.
    • TFHE: Efficient bit-level gates supporting general computation (Jiang et al., 2022).
  • Use cases:
    • Inference on encrypted queries: PINFER protocols for regression/classification/NNs (Joye et al., 2019); functional approximation for NN activations (Chebyshev polynomials) to remain within depth bounds (Khan et al., 2021, Khan et al., 2023).
    • Distributed learning: Multi-key FHE for collaborative training without revealing local datasets (Jiang et al., 2022).
  • Performance: Polynomial activation approximations, SIMD slot packing (batching many plaintext values into one ciphertext), and hardware acceleration drastically reduce inference time; e.g., Blind Faith achieves 0.7% accuracy loss compared to plaintext (Khan et al., 2021, Khan et al., 2023).
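The "inference on encrypted queries" pattern is clearest with the simplest scheme that supports it. The added example below (written for this page, not code from PINFER or Blind Faith) implements Paillier from its definition and uses its additive homomorphism to evaluate a quantised linear model on a client's encrypted features: the server multiplies ciphertexts by plaintext weights and adds them, never seeing the inputs, and only the key holder can decrypt the score. The 20-bit primes are an assumption so the block runs instantly; a real deployment needs a modulus of at least 2048 bits.

```python
import math
import random


def _is_prime(n):
    """Trial division: adequate for the toy-sized primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


class PaillierKey:
    """Paillier keypair with generator g = n + 1 (toy parameters, see lead-in)."""

    def __init__(self, p, q):
        assert p != q and _is_prime(p) and _is_prime(q)
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
        # With g = n + 1, L(g^lam mod n^2) = lam mod n, so mu is simply lam^-1 mod n.
        self.mu = pow(self.lam, -1, self.n)

    def encrypt(self, m, rng=None):
        """Enc(m) = g^m * r^n mod n^2 with fresh random r coprime to n."""
        if rng is None:
            rng = random.SystemRandom()
        r = rng.randrange(1, self.n)
        while math.gcd(r, self.n) != 1:
            r = rng.randrange(1, self.n)
        return (pow(self.g, m % self.n, self.n2) * pow(r, self.n, self.n2)) % self.n2

    def decrypt(self, c):
        u = pow(c, self.lam, self.n2)
        return (((u - 1) // self.n) * self.mu) % self.n

    def decode_signed(self, m):
        """Map Z_n back to a signed integer (values above n/2 encode negatives)."""
        return m - self.n if m > self.n // 2 else m


def he_add(key, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 = Enc(m1 + m2)."""
    return (c1 * c2) % key.n2


def he_mul_plain(key, c, k):
    """Enc(m)^k mod n^2 = Enc(k * m); a negative k is reduced mod n."""
    return pow(c, k % key.n, key.n2)


def encrypted_linear_inference(key, enc_features, weights, bias):
    """Server side: computes Enc(sum_i w_i * x_i + b) from encrypted features and
    plaintext integer weights without ever seeing x."""
    acc = key.encrypt(bias)
    for c, w in zip(enc_features, weights):
        acc = he_add(key, acc, he_mul_plain(key, c, w))
    return acc


def demo(features=(10, 7, -4), weights=(3, -2, 5), bias=1):
    """Client encrypts quantised features, server scores them, client decrypts.
    Constructed inputs: 3*10 - 2*7 + 5*(-4) + 1 = -3."""
    key = PaillierKey(1000003, 1000033)             # client's key pair (toy size)
    enc_x = [key.encrypt(x) for x in features]      # client
    enc_y = encrypted_linear_inference(key, enc_x, weights, bias)  # server
    return key.decode_signed(key.decrypt(enc_y))    # client


if __name__ == "__main__":
    print(demo())
```

Because Paillier is only additively homomorphic, the server can evaluate the linear layer but not a sigmoid or ReLU on the result; that is why encrypted neural inference either returns to the client for the non-linearity or moves to a leveled scheme (BFV/CKKS) with polynomial activation approximations, as described above. Note also that the weights stay in plaintext on the server, so this protects the query but not the model.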

2.4 Trusted Execution Environments (TEE)

  • Architecture: Code, data, and model reside in a secure enclave (e.g., Intel SGX), possibly extended to trusted accelerators.
  • Security boundary: Ensured via remote attestation, secure channels, and authenticated encryption of off-chip DRAM/PCIe exchanges; all code/data transfers use AES-GCM (with integrity), hardware-enforced key handling, and register MACs (Xie et al., 2020).
  • Overhead: Practical DNN workloads (e.g., ResNet-18) incur ≈8% slowdown under AES-GCM protection; hardware design cost is marginal (<5% area overhead) (Xie et al., 2020).

2.5 Federated Learning with Secure Aggregation

  • Workflow: Decentralized clients train local models and send masked updates to a central server; the masks are constructed so that they cancel in the sum (Bonawitz et al. protocol and descendants), optionally with DP noise added before aggregation, so the server recovers only the aggregate update.
  • Privacy property: Server learns aggregate only; no client’s update or data is exposed (Al-Rubaie et al., 2018, Xu et al., 2021).
  • Enhancements: Compositional privacy loss accounting (Rényi DP), robustness to client dropouts, hierarchical/clustered aggregation (Xu et al., 2021).
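The cancelling-mask idea is the whole trick, so the added example below (written for this page; not code from the Bonawitz et al. protocol or any FL framework) simulates one aggregation round: every pair of clients holds a shared seed, each client adds the seed's PRG expansion if its id is the smaller of the pair and subtracts it otherwise, and the server's sum of masked updates equals the sum of true updates while each individual masked update looks uniform. The seeds are drawn centrally and Python's random.Random serves as the PRG; in the real protocol the seeds come from pairwise Diffie-Hellman key agreement and are additionally Shamir-shared so the server can unmask the contribution of clients that drop out, which this block omits.

```python
import random

RING = 1 << 32   # updates are quantised into Z_{2^32} so the masks wrap cleanly
SCALE = 1 << 10  # fixed-point scale for the float model updates (assumption)


def encode(v):
    return int(round(v * SCALE)) % RING


def decode(x):
    if x >= RING // 2:
        x -= RING
    return x / SCALE


def expand_mask(seed, length):
    """Expand a pairwise seed into a mask vector. random.Random stands in for a
    proper PRG (e.g. AES-CTR) keyed with the key-agreement output."""
    prg = random.Random(seed)
    return [prg.randrange(RING) for _ in range(length)]


def mask_update(client, update_ints, pair_seeds, length):
    """Client u adds PRG(s_uv) for every v > u and subtracts it for every v < u,
    so each pairwise mask appears exactly once with each sign in the total."""
    masked = list(update_ints)
    for other, seed in pair_seeds.items():
        m = expand_mask(seed, length)
        sign = 1 if client < other else -1
        masked = [(a + sign * b) % RING for a, b in zip(masked, m)]
    return masked


def aggregate(masked_updates, length):
    """Server: plain modular sum; all pairwise masks cancel."""
    total = [0] * length
    for upd in masked_updates:
        total = [(a + b) % RING for a, b in zip(total, upd)]
    return total


def run_round(updates, seed=0):
    """updates: list of per-client float vectors (constructed). Returns the masked
    updates exactly as the server sees them, and the decoded aggregate."""
    rng = random.Random(seed)
    n, length = len(updates), len(updates[0])
    seeds = {}
    for u in range(n):
        for v in range(u + 1, n):
            seeds[(u, v)] = rng.getrandbits(64)  # assumption: stands in for pairwise DH
    masked = []
    for u in range(n):
        pair = {v: seeds[(min(u, v), max(u, v))] for v in range(n) if v != u}
        masked.append(mask_update(u, [encode(x) for x in updates[u]], pair, length))
    agg = aggregate(masked, length)
    return masked, [decode(x) for x in agg]


if __name__ == "__main__":
    constructed = [[0.5, -1.0, 2.0], [0.25, 0.5, -1.5], [-0.75, 0.5, 0.5]]
    masked, agg = run_round(constructed)
    print("server sees:", masked)
    print("aggregate  :", agg)
```

Two caveats follow directly from the construction. If a client drops out after others have masked against it, its masks never cancel and the round is lost without the seed-recovery machinery mentioned above. And secure aggregation hides individual updates only from the server; it does not bound what the aggregate itself reveals, which is why the workflow adds DP noise on top.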

3. Hybrid and Emerging Methods

  • Representation learning: Auto-encoders or NN feature extractors yield latent-space vectors exchanged in place of raw data; privacy empirically quantified by reconstruction error (Quintero-Ossa et al., 2022, Sarmadi et al., 2022).
  • Compressive multi-kernel learning: Dimensionality reduction (e.g., via kernel DCA) projects data into a low-dimensional space that preserves task utility while discarding the components that carry the sensitive attribute; multiple kernels are then combined with SNR-based weighting to balance utility against privacy loss (Chanyaswad et al., 2021).

4. Practical Protocols and Performance Benchmarks

For each method: security model; performance overhead; privacy guarantee; reference.

  • DP-SGD: statistical; 5–10% lower accuracy at ε ≈ 1; (ε,δ)-DP (Xu et al., 2021).
  • MPC (Morse-STF): semi-honest or malicious; 1.8–4.9× speedup over the prior state of the art; simulation-based (ideal/real-world) security (Zhang et al., 2021).
  • HE (BFV/FV): computational, under the (ring-)LWE assumption; <1% accuracy loss, 10–100× slower than plaintext in earlier work, now seconds/epoch; IND-CPA semantic security (Khan et al., 2021, Khan et al., 2023).
  • TEE + accelerator: hardware plus cryptography; ~8% slowdown on CNNs, higher for FC layers; end-to-end confidentiality across enclave and accelerator (Xie et al., 2020).
  • FL + secure aggregation: statistical plus cryptographic; <2× communication overhead at unchanged accuracy; client-level DP and aggregate-only disclosure (Al-Rubaie et al., 2018, Xu et al., 2021).
  • Advanced MPC (BLAZE, SWIFT, Morse-STF) attains <1% test accuracy drop with throughput up to 245× over semi-honest baselines (Patra et al., 2020, Koti et al., 2020, Lu et al., 2024).
  • In HE, state-of-the-art schemes resize networks and quantize activations for multiplicative depth ≤ 15, enabling privacy-preserving MNIST/CIFAR-10 inference with sub-second latency on commodity CPUs (Khan et al., 2021, Khan et al., 2023).
  • TEEs, with cryptographically protected accelerators, generalize to any DMA-capable ML hardware at moderate cost (Xie et al., 2020).
  • Representation learning plus SMPC achieves 3–8 pp accuracy drop while substantially reducing leakage (membership inference AUC ≈ 0.5), scalable to credit-card fraud detection and synthetic collaborative settings (Sarmadi et al., 2022).

5. Systematic PPML Evaluation and PGU Triad

Xu, Baracaldo, and Joshi propose a Phase–Guarantee–Utility (PGU) triad for systematic assessment:

  • Phase: Data prep (e.g., DP, compression), training (MPC, DP-SGD, HE), deployment (encrypted inference, TEE).
  • Guarantee: Local (input/aggregation), global (model), or end-to-end (pipeline) object- and pipeline-oriented privacy under specified threat models.
  • Utility: Model accuracy, computational burden, bandwidth, scalability, and scenario-specific fitness (e.g., train vs inference phase).

A key insight is that privacy, security strength, and utility are fundamentally in tension: for example, strong DP or high-dimensional compression attenuates accuracy, while full HE and MPC remain more communication/compute-bottlenecked than plaintext. Enhanced privacy (local+global DP, end-to-end encryption) requires careful utility tuning—remaining practical for Internet-scale deployments only via hardware acceleration, batching, and protocol hybridization (Xu et al., 2021).

6. Limitations and Future Challenges

  • Scalability: MPC/HE remain orders-of-magnitude slower for very large models, especially LLMs; performance gap of 10,000× for fully cryptographically protected LLM inference is not sustainable for interactive scenarios (Zhang et al., 30 Jul 2025).
  • Composition: End-to-end accounting for privacy loss across hybrid workflows (DP+MPC+HE).
  • Hardware trust: Formal coverage of TEE attack surfaces, especially for side-channels and compromised firmware.
  • Practical security: Malicious adversary models and output delivery robustness (GOD) are only recently attaining practical performance (Koti et al., 2020, Lu et al., 2024).
  • Representation leakage: Empirical defenses like autoencoders lack formal (ε,δ)-DP-like guarantees.
  • Benchmarking: Reporting of privacy-utility and resource tradeoffs on real workloads remains inconsistent; few works test full pipelines with human-in-the-loop privacy policy integration.

7. Application-Specific and Emerging Directions

  • Large-language-model (LLM) privacy: Modular orchestration (Agentic-PPML) splits intent parsing (insecure, low sensitivity) from cryptographically-secured vertical models, ‘deconstructing’ monolithic PPML for practical deployment (Zhang et al., 30 Jul 2025).
  • Privacy-preserving distributed linear regression: Multi-key FHE enables secure, scalable regression with per-round latency in hundreds of seconds, linear scaling with number of parties (Jiang et al., 2022).
  • Obfuscation and feature extraction: Model-agnostic data randomization (obfuscate functions) or privacy-preserving feature extractors empirically defeat model memorization and membership inference at minimal utility loss (Zhang et al., 2018, Sarmadi et al., 2022).
  • Kernel methods: SNR-weighted compressive multi-kernel learning achieves near-random privacy accuracy on sensitive tasks while retaining or improving utility, without formal DP bounds (Chanyaswad et al., 2021).

Privacy-preserving machine learning thus integrates algorithmic, cryptographic, and systems-level mechanisms to address rigorous threat models, with ongoing work focusing on efficiency, composability, and robustness. The field is converging on hybrid pipelines—balancing statistical, cryptographic, and hardware approaches—to provide flexible, robust, and auditably private machine learning for diverse application domains (Al-Rubaie et al., 2018, Xu et al., 2021, Xie et al., 2020, Zhang et al., 2021).