thesis.bib

@software{noauthor_data61python-paillier_2022,
	title = {data61/python-paillier},
	rights = {{GPL}-3.0},
	url = {https://github.com/data61/python-paillier},
	abstract = {A library for Partially Homomorphic Encryption in Python},
	publisher = {{CSIRO} Data61 Engineering \& Design},
	urldate = {2022-02-27},
	date = {2022-02-27},
	note = {original-date: 2014-11-05T07:15:28Z},
	keywords = {cryptography, homomorphic-encryption, paillier, python},
}

@article{pulido-gaytan_privacy-preserving_2021,
	title = {Privacy-preserving neural networks with Homomorphic encryption: Challenges and opportunities},
	volume = {14},
	issn = {1936-6450},
	url = {https://doi.org/10.1007/s12083-021-01076-8},
	doi = {10.1007/s12083-021-01076-8},
	shorttitle = {Privacy-preserving neural networks with Homomorphic encryption},
	abstract = {Classical machine learning modeling demands considerable computing power for internal calculations and training with big data in a reasonable amount of time. In recent years, clouds provide services to facilitate this process, but it introduces new security threats of data breaches. Modern encryption techniques ensure security and are considered as the best option to protect stored data and data in transit from an unauthorized third-party. However, a decryption process is necessary when the data must be processed or analyzed, falling into the initial problem of data vulnerability. Fully Homomorphic Encryption ({FHE}) is considered the holy grail of cryptography. It allows a non-trustworthy third-party resource to process encrypted information without disclosing confidential data. In this paper, we analyze the fundamental concepts of {FHE}, practical implementations, state-of-the-art approaches, limitations, advantages, disadvantages, potential applications, and development tools focusing on neural networks. In recent years, {FHE} development demonstrates remarkable progress. However, current literature in the homomorphic neural networks is almost exclusively addressed by practitioners looking for suitable implementations. It still lacks comprehensive and more thorough reviews. We focus on the privacy-preserving homomorphic encryption cryptosystems targeted at neural networks identifying current solutions, open issues, challenges, opportunities, and potential research directions.},
	pages = {1666--1691},
	number = {3},
	journaltitle = {Peer-to-Peer Networking and Applications},
	shortjournal = {Peer-to-Peer Netw. Appl.},
	author = {Pulido-Gaytan, Bernardo and Tchernykh, Andrei and Cortés-Mendoza, Jorge M. and Babenko, Mikhail and Radchenko, Gleb and Avetisyan, Arutyun and Drozdov, Alexander Yu},
	urldate = {2022-02-27},
	date = {2021-05-01},
	langid = {english},
	file = {Springer Full Text PDF:/home/ketl1/Zotero/storage/EA95UFXX/Pulido-Gaytan et al. - 2021 - Privacy-preserving neural networks with Homomorphi.pdf:application/pdf},
}

@online{noauthor_fully_2021,
	title = {Fully Homomorphic Encryption ({FHE}) Frameworks},
	url = {https://blog.openmined.org/brief-history-of-homomorphic-encryption-frameworks/},
	abstract = {Attendees of First Workshop of Homomorphic Encryption ({HE}) {communityHomomorphic} Encryption cryptosystem is a cryptosystem whose decryption is a morphism. Decrypt(a*b) = Decrypt(a) * Decrypt(b) Homomorphic Encryption cryptosystem allows operate on ciphertexts without decryption. It ensures end-to-end semantically secure, which is ensuring security against honest but curious adversaries. Different},
	titleaddon = {{OpenMined} Blog},
	urldate = {2022-02-27},
	date = {2021-10-01},
	langid = {english},
}

@online{noauthor_homomorphic_nodate,
	title = {Homomorphic Encryption Standardization – An Open Industry / Government / Academic Consortium to Advance Secure Computation},
	url = {https://homomorphicencryption.org/},
	urldate = {2022-02-27},
	langid = {american},
}

@software{microsoft_corporation_microsoft_2022,
	title = {Microsoft {SEAL}},
	rights = {{MIT}},
	url = {https://github.com/microsoft/SEAL},
	abstract = {Microsoft {SEAL} is an easy-to-use and powerful homomorphic encryption library.},
	publisher = {Microsoft},
	author = {Microsoft Corporation},
	urldate = {2022-02-27},
	date = {2022},
	note = {original-date: 2018-11-09T00:33:14Z},
	keywords = {cryptography, homomorphic-encryption, encryption},
}

@software{noauthor_eva_2022,
	title = {{EVA} - Compiler for Microsoft {SEAL}},
	rights = {{MIT}},
	url = {https://github.com/microsoft/EVA},
	abstract = {Compiler for the {SEAL} homomorphic encryption library},
	publisher = {Microsoft},
	urldate = {2022-02-27},
	date = {2022-02-23},
	note = {original-date: 2020-10-09T19:35:04Z},
}

@article{mouchet_lattigo_2020,
	title = {Lattigo: a Multiparty Homomorphic Encryption Library in Go},
	pages = {6},
	author = {Mouchet, Christian and Bossuat, Jean-Philippe and Troncoso-Pastoriza, Juan and Hubaux, Jean-Pierre},
	date = {2020},
	langid = {english},
	file = {Mouchet et al. - 2020 - Lattigo a Multiparty Homomorphic Encryption Libra.pdf:/home/ketl1/Zotero/storage/DIP8YJQP/Mouchet et al. - 2020 - Lattigo a Multiparty Homomorphic Encryption Libra.pdf:application/pdf},
}

@software{tune_insight_sa_lattigo_2022,
	title = {Lattigo v3},
	rights = {Apache-2.0},
	url = {https://github.com/tuneinsight/lattigo},
	shorttitle = {Lattigo},
	abstract = {A library for lattice-based homomorphic encryption in Go},
	publisher = {Tune Insight},
	author = {Tune Insight {SA} and {EPFL}-{LDS}},
	urldate = {2022-02-24},
	date = {2022},
	note = {original-date: 2019-08-12T15:14:22Z},
	keywords = {lattice-based-crypto, secure-multi-party-computation},
}

@software{noauthor_tenseal_2022,
	title = {{TenSEAL}},
	rights = {Apache-2.0},
	url = {https://github.com/OpenMined/TenSEAL},
	abstract = {A library for doing homomorphic encryption operations on tensors},
	publisher = {{OpenMined}},
	urldate = {2022-02-24},
	date = {2022-02-23},
	note = {original-date: 2020-01-25T14:36:55Z},
	keywords = {cryptography, homomorphic-encryption, python, encryption, cpp, deep-learning, docker-image, hacktoberfest, microsoft-seal, tensor},
}

@software{noauthor_concrete_2022,
	title = {Concrete Numpy},
	url = {https://github.com/zama-ai/concrete-numpy},
	abstract = {Concrete Numpy is a python package that contains the tools data scientists need to compile various numpy functions into their Fully Homomorphic Encryption ({FHE}) equivalents. Concrete Numpy goes on top of the Concrete Library and its Compiler.},
	publisher = {Zama},
	urldate = {2022-03-01},
	date = {2022-02-27},
	note = {original-date: 2021-09-06T07:59:31Z},
	keywords = {homomorphic-encryption, python, data-science, fhe, numpy, privacy, tfhe},
}

@software{noauthor_pysyft_2022,
	title = {{PySyft}},
	rights = {Apache-2.0},
	url = {https://github.com/OpenMined/PySyft},
	abstract = {A library for answering questions using data you cannot see},
	publisher = {{OpenMined}},
	urldate = {2022-03-01},
	date = {2022-03-01},
	note = {original-date: 2017-07-18T20:41:16Z},
	keywords = {cryptography, python, deep-learning, hacktoberfest, privacy, federated-learning, pytorch, secure-computation, syft},
}

@inproceedings{juvekar_gazelle_2018,
	title = {\{{GAZELLE}\}: A Low Latency Framework for Secure Neural Network Inference},
	isbn = {978-1-939133-04-5},
	url = {https://www.usenix.org/conference/usenixsecurity18/presentation/juvekar},
	shorttitle = {\{{GAZELLE}\}},
	eventtitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
	pages = {1651--1669},
	author = {Juvekar, Chiraag and Vaikuntanathan, Vinod and Chandrakasan, Anantha},
	urldate = {2022-03-01},
	date = {2018},
	langid = {english},
	file = {Full Text PDF:/home/ketl1/Zotero/storage/PRQA5TRC/Juvekar et al. - 2018 - \{GAZELLE\} A Low Latency Framework for Secure Neur.pdf:application/pdf},
}

@software{noauthor_tenseal_2022-1,
	title = {{TenSEAL} tutorials},
	rights = {Apache-2.0},
	url = {https://github.com/OpenMined/TenSEAL/tree/main/tutorials},
	abstract = {A library for doing homomorphic encryption operations on tensors},
	publisher = {{OpenMined}},
	urldate = {2022-03-02},
	date = {2022-03-01},
	note = {original-date: 2020-01-25T14:36:55Z},
}

@article{laine_simple_nodate,
	title = {Simple Encrypted Arithmetic Library 2.3.},
	pages = {34},
	author = {Laine, Kim},
	langid = {english},
	file = {Laine - Simple Encrypted Arithmetic Library 2.3..pdf:/home/ketl1/Zotero/storage/DCCH8AKJ/Laine - Simple Encrypted Arithmetic Library 2.3..pdf:application/pdf},
}

@article{benaissa_tenseal_2021,
	title = {{TenSEAL}: A Library for Encrypted Tensor Operations Using Homomorphic Encryption},
	url = {http://arxiv.org/abs/2104.03152},
	shorttitle = {{TenSEAL}},
	abstract = {Machine learning algorithms have achieved remarkable results and are widely applied in a variety of domains. These algorithms often rely on sensitive and private data such as medical and financial records. Therefore, it is vital to draw further attention regarding privacy threats and corresponding defensive techniques applied to machine learning models. In this paper, we present {TenSEAL}, an open-source library for Privacy-Preserving Machine Learning using Homomorphic Encryption that can be easily integrated within popular machine learning frameworks. We benchmark our implementation using {MNIST} and show that an encrypted convolutional neural network can be evaluated in less than a second, using less than half a megabyte of communication.},
	journaltitle = {{arXiv}:2104.03152 [cs]},
	author = {Benaissa, Ayoub and Retiat, Bilal and Cebere, Bogdan and Belfedhal, Alaa Eddine},
	urldate = {2022-03-02},
	date = {2021-04-28},
	eprinttype = {arxiv},
	eprint = {2104.03152},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/ESP7QPDD/Benaissa et al. - 2021 - TenSEAL A Library for Encrypted Tensor Operations.pdf:application/pdf},
}

@article{dathathri_eva_2020,
	title = {{EVA}: An Encrypted Vector Arithmetic Language and Compiler for Efficient Homomorphic Computation},
	url = {http://arxiv.org/abs/1912.11951},
	doi = {10.1145/3385412.3386023},
	shorttitle = {{EVA}},
	abstract = {Fully-Homomorphic Encryption ({FHE}) offers powerful capabilities by enabling secure offloading of both storage and computation, and recent innovations in schemes and implementations have made it all the more attractive. At the same time, {FHE} is notoriously hard to use with a very constrained programming model, a very unusual performance profile, and many cryptographic constraints. Existing compilers for {FHE} either target simpler but less efficient {FHE} schemes or only support specific domains where they can rely on expert-provided high-level runtimes to hide complications. This paper presents a new {FHE} language called Encrypted Vector Arithmetic ({EVA}), which includes an optimizing compiler that generates correct and secure {FHE} programs, while hiding all the complexities of the target {FHE} scheme. Bolstered by our optimizing compiler, programmers can develop efficient general-purpose {FHE} applications directly in {EVA}. For example, we have developed image processing applications using {EVA}, with a very few lines of code. {EVA} is designed to also work as an intermediate representation that can be a target for compiling higher-level domain-specific languages. To demonstrate this, we have re-targeted {CHET}, an existing domain-specific compiler for neural network inference, onto {EVA}. Due to the novel optimizations in {EVA}, its programs are on average 5.3x faster than those generated by {CHET}. We believe that {EVA} would enable a wider adoption of {FHE} by making it easier to develop {FHE} applications and domain-specific {FHE} compilers.},
	pages = {546--561},
	journaltitle = {Proceedings of the 41st {ACM} {SIGPLAN} Conference on Programming Language Design and Implementation},
	author = {Dathathri, Roshan and Kostova, Blagovesta and Saarikivi, Olli and Dai, Wei and Laine, Kim and Musuvathi, Madanlal},
	urldate = {2022-03-02},
	date = {2020-06-11},
	eprinttype = {arxiv},
	eprint = {1912.11951},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning, Computer Science - Programming Languages, D.3.3, D.3.4},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/L24ELLXI/Dathathri et al. - 2020 - EVA An Encrypted Vector Arithmetic Language and C.pdf:application/pdf},
}

@software{schneider_awesome_2022,
	title = {Awesome Homomorphic Encryption},
	url = {https://github.com/jonaschn/awesome-he},
	abstract = {✨ Awesome - A curated list of amazing Homomorphic Encryption libraries, software and resources},
	author = {Schneider, Jonathan},
	urldate = {2022-03-02},
	date = {2022-03-02},
	note = {original-date: 2018-02-21T02:38:07Z},
	keywords = {cryptography, homomorphic-encryption, awesome, awesome-list, homomorphic-cryptography-scheme, homomorphic-encryption-library, security},
}

@software{noauthor_helib_2022,
	title = {{HElib}},
	rights = {Apache-2.0},
	url = {https://github.com/homenc/HElib},
	abstract = {{HElib} is an open-source software library that implements homomorphic encryption. It supports the {BGV} scheme with bootstrapping and the Approximate Number {CKKS} scheme. {HElib} also includes optimizations for efficient homomorphic evaluation, focusing on effective use of ciphertext packing techniques and on the Gentry-Halevi-Smart optimizations.},
	publisher = {homenc},
	urldate = {2022-03-02},
	date = {2022-03-02},
	note = {original-date: 2013-04-05T13:55:09Z},
	keywords = {cryptography, encryption, bgv, crypto, crypto-library, encryption-library, helib, privacy-by-design, privacy-enhancing-technologies},
}

@software{palisade_palisade_2022,
	title = {{PALISADE}},
	url = {https://gitlab.com/palisade/palisade-release},
	abstract = {This is the stable version of the {PALISADE} lattice cryptography library. The current version is 1.11.6 (released on January 28, 2022). Please read the project wiki for information...},
	author = {{PALISADE}},
	urldate = {2022-03-02},
	date = {2022},
	file = {User manual:/home/ketl1/Zotero/storage/M3YHP9F4/PALISADE  PALISADE Release.pdf:application/pdf},
}

@inproceedings{brakerski_leveled_2012,
	title = {(Leveled) fully homomorphic encryption without bootstrapping},
	doi = {10.1145/2090236.2090262},
	abstract = {A novel approach to fully homomorphic encryption ({FHE}) that dramatically improves performance and bases security on weaker assumptions, using some new techniques recently introduced by Brakerski and Vaikuntanathan ({FOCS} 2011). We present a novel approach to fully homomorphic encryption ({FHE}) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry's bootstrapping procedure.
 Specifically, we offer a choice of {FHE} schemes based on the learning with error ({LWE}) or ring-{LWE} ({RLWE}) problems that have 2λ security against known attacks. For {RLWE}, we have:
 • A leveled {FHE} scheme that can evaluate L-level arithmetic circuits with Õ(λ · L3) per-gate computation -- i.e., computation quasi-linear in the security parameter. Security is based on {RLWE} for an approximation factor exponential in L. This construction does not use the bootstrapping procedure.
 • A leveled {FHE} scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is Õ(λ2), independent of L. Security is based on the hardness of {RLWE} for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes).
 We obtain similar results to the above for {LWE}, but with worse performance.
 Based on the Ring {LWE} assumption, we introduce a number of further optimizations to our schemes. As an example, for circuits of large width -- e.g., where a constant fraction of levels have width at least λ -- we can reduce the per-gate computation of the bootstrapped version to Õ(λ), independent of L, by batching the bootstrapping operation. Previous {FHE} schemes all required Ω(λ3.5) computation per gate.
 At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan ({FOCS} 2011).},
	booktitle = {{ITCS} '12},
	author = {Brakerski, Zvika and Gentry, Craig and Vaikuntanathan, V.},
	date = {2012},
	file = {Submitted Version:/home/ketl1/Zotero/storage/NY7JGGVQ/Brakerski et al. - 2012 - (Leveled) fully homomorphic encryption without boo.pdf:application/pdf},
}

@software{cryptolab_inc_heaan_2022,
	title = {{HEAAN}},
	url = {https://github.com/snucrypto/HEAAN},
	publisher = {Cryptography {LAB} in Seoul National University},
	author = {{CryptoLab} inc},
	urldate = {2022-03-02},
	date = {2022},
	note = {original-date: 2016-08-09T15:51:58Z},
}

@online{python_python_nodate,
	title = {Python Bindings: Calling C or C++ From Python – Real Python},
	url = {https://realpython.com/python-bindings-overview/},
	shorttitle = {Python Bindings},
	abstract = {What are Python bindings? Should you use ctypes, {CFFI}, or a different tool? In this step-by-step tutorial, you'll get an overview of some of the options you can use to call C or C++ code from Python.},
	author = {Python, Real},
	urldate = {2022-03-02},
	langid = {english},
}

@article{kim_logistic_2018,
	title = {Logistic regression model training based on the approximate homomorphic encryption},
	volume = {11},
	issn = {1755-8794},
	url = {https://doi.org/10.1186/s12920-018-0401-7},
	doi = {10.1186/s12920-018-0401-7},
	abstract = {Security concerns have been raised since big data became a prominent tool in data analysis. For instance, many machine learning algorithms aim to generate prediction models using training data which contain sensitive information about individuals. Cryptography community is considering secure computation as a solution for privacy protection. In particular, practical requirements have triggered research on the efficiency of cryptographic primitives.},
	pages = {83},
	number = {4},
	journaltitle = {{BMC} Medical Genomics},
	shortjournal = {{BMC} Medical Genomics},
	author = {Kim, Andrey and Song, Yongsoo and Kim, Miran and Lee, Keewoo and Cheon, Jung Hee},
	urldate = {2022-03-02},
	date = {2018-10-11},
	keywords = {Homomorphic encryption, Logistic regression, Machine learning},
	file = {Full Text PDF:/home/ketl1/Zotero/storage/4AG6FUPG/Kim et al. - 2018 - Logistic regression model training based on the ap.pdf:application/pdf},
}

@software{noauthor_pyheaan_2022,
	title = {{PYHEAAN}},
	rights = {{MIT}},
	url = {https://github.com/Huelse/HEAAN-Python},
	abstract = {{HEAAN} lib binds for Python},
	urldate = {2022-03-03},
	date = {2022-02-18},
	note = {original-date: 2019-09-26T09:37:19Z},
	keywords = {homomorphic-encryption, python, encryption, heaan, heaan-lib, heaan-python},
}

@software{hugang_seal-python_2022,
	title = {{SEAL}-Python},
	rights = {{MIT}},
	url = {https://github.com/Huelse/SEAL-Python},
	abstract = {Microsoft {SEAL} 3.X For Python},
	author = {{HuGang}},
	urldate = {2022-03-03},
	date = {2022},
	note = {original-date: 2019-07-15T09:16:52Z},
	keywords = {homomorphic-encryption, encryption, microsoft-seal, he, pyseal, python-bindings, seal, seal-python},
}

@software{danezis_petlib_2022,
	title = {petlib},
	rights = {{BSD}-2-Clause},
	url = {https://github.com/gdanezis/petlib},
	abstract = {A python library that implements a number of Privacy Enhancing Technolgies},
	author = {Danezis, George},
	urldate = {2022-03-03},
	date = {2022-03-02},
	note = {original-date: 2014-11-22T14:37:53Z},
}

@software{ibarrondo_ibarrondpyfhel_2022,
	title = {ibarrond/Pyfhel},
	rights = {{GPL}-3.0},
	url = {https://github.com/ibarrond/Pyfhel},
	abstract = {{PYthon} For Homomorphic Encryption Libraries, perform encrypted computations such as sum, mult, scalar product or matrix multiplication in Python, with {NumPy} compatibility. Uses {SEAL}/{PALISADE} as backends, implemented using Cython.},
	author = {Ibarrondo, Alberto},
	urldate = {2022-03-03},
	date = {2022-03-02},
	note = {original-date: 2017-06-12T04:15:07Z},
	keywords = {homomorphic-encryption, python, homomorphic-encryption-library, helib, seal, cython, encrypted-computation, encrypted-data, palisade},
}

@inproceedings{han_logistic_2019,
	title = {Logistic Regression on Homomorphic Encrypted Data at Scale},
	doi = {10.1609/aaai.v33i01.33019466},
	abstract = {The experiment shows that an encrypted model with a sufficient Kolmogorov Smirnow statistic value can be obtained in ∼17 hours in a single machine, and demonstrates the practical feasibility of the logistic regression training on large encrypted data, for the first time to the best of the knowledge. Machine learning on (homomorphic) encrypted data is a cryptographic method for analyzing private and/or sensitive data while keeping privacy. In the training phase, it takes as input an encrypted training data and outputs an encrypted model without ever decrypting. In the prediction phase, it uses the encrypted model to predict results on new encrypted data. In each phase, no decryption key is needed, and thus the data privacy is ultimately guaranteed. It has many applications in various areas such as finance, education, genomics, and medical field that have sensitive private data. While several studies have been reported on the prediction phase, few studies have been conducted on the training phase.In this paper, we present an efficient algorithm for logistic regression on homomorphic encrypted data, and evaluate our algorithm on real financial data consisting of 422,108 samples over 200 features. Our experiment shows that an encrypted model with a sufficient Kolmogorov Smirnow statistic value can be obtained in ∼17 hours in a single machine. We also evaluate our algorithm on the public {MNIST} dataset, and it takes ∼2 hours to learn an encrypted model with 96.4\% accuracy. Considering the inefficiency of homomorphic encryption, our result is encouraging and demonstrates the practical feasibility of the logistic regression training on large encrypted data, for the first time to the best of our knowledge.},
	booktitle = {{AAAI}},
	author = {Han, Kyoohyung and Hong, Seungwan and Cheon, J. and Park, D.},
	date = {2019},
	file = {Full Text:/home/ketl1/Zotero/storage/PKYHXRS2/Han et al. - 2019 - Logistic Regression on Homomorphic Encrypted Data .pdf:application/pdf},
}

@report{akavia_privacy-preserving_2019,
	title = {Privacy-Preserving Decision Tree Training and Prediction against Malicious Server},
	url = {https://eprint.iacr.org/2019/1282},
	abstract = {Privacy-preserving machine learning enables secure outsourcing of machine learning tasks to an untrusted service provider (server) while preserving the privacy of the user's data (client). Attaining good concrete efficiency for complicated machine learning tasks, such as training decision trees, is one of the challenges in this area. Prior works on privacy-preserving decision trees required the parties to have comparable computational resources, and instructed the client to perform computation proportional to the complexity of the entire task.

In this work we present new protocols for privacy-preserving decision trees, for both training and prediction, achieving the following desirable properties: 1. Efficiency: the client's complexity is independent of the training-set size during training, and of the tree size during prediction. 2. Security: privacy holds against malicious servers. 3. Practical usability: high accuracy, fast prediction, and feasible training demonstrated on standard {UCI} datasets, encrypted with fully homomorphic encryption. To the best of our knowledge, our protocols are the first to offer all these properties simultaneously.

The core of our work consists of two technical contributions. First, a new low-degree polynomial approximation for functions, leading to faster protocols for training and prediction on encrypted data. Second, a design of an easy-to-use mechanism for proving privacy against malicious adversaries that is suitable for a wide family of protocols, and in particular, our protocols; this mechanism could be of independent interest.},
	number = {1282},
	author = {Akavia, Adi and Leibovich, Max and Resheff, Yehezkel S. and Ron, Roey and Shahar, Moni and Vald, Margarita},
	urldate = {2022-03-03},
	date = {2019},
	keywords = {cryptographic protocols, fully homomorphic encryption, decision trees, prediction, privacy-preserving machine learning, secure outsourcing, training},
	file = {ePrint IACR Full Text PDF:/home/ketl1/Zotero/storage/6NLHPSPI/Akavia et al. - 2019 - Privacy-Preserving Decision Tree Training and Pred.pdf:application/pdf},
}

@article{park_he-friendly_2020,
	title = {{HE}-Friendly Algorithm for Privacy-Preserving {SVM} Training},
	volume = {8},
	issn = {2169-3536},
	doi = {10.1109/ACCESS.2020.2981818},
	abstract = {Support vector machine ({SVM}) is one of the most popular machine learning algorithms. It predicts a pre-defined output variable in real-world applications. Machine learning on encrypted data is becoming more and more important to protect both model information and data against various adversaries. While some studies have been proposed on inference or prediction phases, few have been reported on the training phase. Homomorphic encryption ({HE}) for the arithmetic of approximate numbers scheme enables efficient arithmetic evaluations of encrypted data of real numbers, which encourages to develop privacy-preserving machine learning training algorithm. In this study, we propose an {HE}-friendly algorithm for the {SVM} training phase which avoids inefficient operations and numerical instability on an encrypted domain. The inference phase is also implemented on the encrypted domain with fully-homomorphic encryption which enables real-time prediction. Our experiment showed that our {HE}-friendly algorithm outperformed the state-of-the-art logistic regression classifier with fully homomorphic encryption on toy and real-world datasets. To the best of our knowledge, this study is the first practical algorithm for training an {SVM} model with fully homomorphic encryption. Therefore, our result supports the development of practical applications of the privacy-preserving {SVM} model.},
	pages = {57414--57425},
	journaltitle = {{IEEE} Access},
	author = {Park, Saerom and Byun, Junyoung and Lee, Joohee and Cheon, Jung Hee and Lee, Jaewook},
	date = {2020},
	note = {Conference Name: {IEEE} Access},
	keywords = {fully homomorphic encryption, Cryptography, Computational modeling, data privacy, Encryption, Machine learning algorithms, Prediction algorithms, privacy-preserving training, support vector machine, Support vector machines, Training},
	file = {IEEE Xplore Full Text PDF:/home/ketl1/Zotero/storage/3RZXMU9H/Park et al. - 2020 - HE-Friendly Algorithm for Privacy-Preserving SVM T.pdf:application/pdf},
}

@article{cheon_ensemble_2018,
	title = {Ensemble Method for Privacy-Preserving Logistic Regression Based on Homomorphic Encryption},
	volume = {6},
	issn = {2169-3536},
	doi = {10.1109/ACCESS.2018.2866697},
	abstract = {Homomorphic encryption ({HE}) is one of promising cryptographic candidates resolving privacy issues in machine learning on sensitive data such as biomedical data and financial data. However, {HE}-based solutions commonly suffer from relatively high computational costs due to a large number of iterations in the optimization algorithms such as gradient descent ({GD}) for the learning phase. In this paper, we propose a new method called ensemble {GD} for logistic regression, a commonly used machine learning technique for binary classification. Our ensemble method reduces the number of iterations of {GD}, which results in substantial improvement on the performance of logistic regression based on {HE} in terms of speed and memory. The convergence of ensemble {GD} based on {HE} is guaranteed by our theoretical analysis on the erroneous variant of ensemble {GD}. We implemented ensemble {GD} for the logistic regression based on an approximate {HE} scheme {HEAAN} on {MNIST} data set and Credit data set from {UCI} machine learning repository. Compared to the standard {GD} for logistic regression, our ensemble method requires only about 60\% number of iterations, which results in 60-70\% reduction on the running time of total learning procedure in encrypted state, and 30-40\% reduction on the storage of encrypted data set.},
	pages = {46938--46948},
	journaltitle = {{IEEE} Access},
	author = {Cheon, Jung Hee and Kim, Duhyeong and Kim, Yongdai and Song, Yongsoo},
	date = {2018},
	note = {Conference Name: {IEEE} Access},
	keywords = {homomorphic encryption, Machine learning, Encryption, Machine learning algorithms, Convergence, Ensemble, gradient descent with errors, Logistics, Privacy, privacy-preserving logistic regression},
	file = {IEEE Xplore Full Text PDF:/home/ketl1/Zotero/storage/PKZGJAFP/Cheon et al. - 2018 - Ensemble Method for Privacy-Preserving Logistic Re.pdf:application/pdf},
}

@incollection{albrecht_homomorphic_2021,
	location = {Cham},
	title = {Homomorphic Encryption Standard},
	isbn = {978-3-030-77286-4 978-3-030-77287-1},
	url = {https://link.springer.com/10.1007/978-3-030-77287-1_2},
	pages = {31--62},
	booktitle = {Protecting Privacy through Homomorphic Encryption},
	publisher = {Springer International Publishing},
	author = {Albrecht, Martin and Chase, Melissa and Chen, Hao and Ding, Jintai and Goldwasser, Shafi and Gorbunov, Sergey and Halevi, Shai and Hoffstein, Jeffrey and Laine, Kim and Lauter, Kristin and Lokam, Satya and Micciancio, Daniele and Moody, Dustin and Morrison, Travis and Sahai, Amit and Vaikuntanathan, Vinod},
	editor = {Lauter, Kristin and Dai, Wei and Laine, Kim},
	urldate = {2022-03-03},
	date = {2021},
	langid = {english},
	doi = {10.1007/978-3-030-77287-1_2},
	file = {Albrecht et al. - 2021 - Homomorphic Encryption Standard.pdf:/home/ketl1/Zotero/storage/RGAFC54U/Albrecht et al. - 2021 - Homomorphic Encryption Standard.pdf:application/pdf},
}

@online{noauthor_malb_nodate,
	title = {malb / lwe-estimator — Bitbucket},
	url = {https://bitbucket.org/malb/lwe-estimator/src/master/},
	urldate = {2022-03-04},
}

@article{duboue_machine_nodate,
	title = {Machine Learning on Encrypted Data using Homomorphic Encryption},
	pages = {39},
	author = {Duboue, Pablo},
	langid = {english},
	file = {Duboue - Machine Learning on Encrypted Data using Homomorph.pdf:/home/ketl1/Zotero/storage/JRER3BX6/Duboue - Machine Learning on Encrypted Data using Homomorph.pdf:application/pdf},
}

@software{danywin_ckks_2021,
	title = {{CKKS} encoding / decoding},
	url = {https://github.com/dhuynh95/homomorphic_encryption_intro/blob/aecf07eec1074f816dddc7c0d1027290ef5121ba/01_encoding_decoding_ckks.ipynb},
	abstract = {Notebooks for the {HE} introduction},
	author = {{DanyWin}},
	urldate = {2022-03-07},
	date = {2021-05-29},
	note = {original-date: 2020-06-21T12:27:56Z},
}

@software{quah_ptensor_2021,
	title = {{pTensor}},
	rights = {{MIT}},
	url = {https://github.com/IanQS/pTensor},
	abstract = {A numpy-like wrapper around {PALISADE} library for the intersection of Homomorphic Encryption and Machine Learning},
	author = {Quah, Ian},
	urldate = {2022-03-07},
	date = {2021-02-02},
	note = {original-date: 2021-01-07T22:21:41Z},
	keywords = {homomorphic-encryption, encryption, palisade, cpp11, machine-learning, privacy-preserving-machine-learning},
}

@software{noauthor_he_2022,
	title = {{HE} Transformer for {nGraph}},
	rights = {Apache-2.0},
	url = {https://github.com/IntelAI/he-transformer},
	abstract = {{nGraph}-{HE}: Deep learning with Homomorphic Encryption ({HE}) through Intel {nGraph}},
	publisher = {{IntelAI}},
	urldate = {2022-03-07},
	date = {2022-02-20},
	note = {original-date: 2019-09-24T22:14:20Z},
}

@software{lab_encrypt-everything-everywhere_2022,
	title = {Encrypt-Everything-Everywhere},
	rights = {{GPL}-3.0},
	url = {https://github.com/momalab/e3},
	abstract = {E3: Encrypt-Everything-Everywhere framework for compiling C++ programs with encrypted operands.},
	author = {lab, {MoMA}},
	urldate = {2022-03-07},
	date = {2022-02-23},
	note = {original-date: 2018-10-04T05:54:16Z},
}

@report{chielle_e3_2018,
	title = {E3: A Framework for Compiling C++ Programs with Encrypted Operands},
	url = {https://eprint.iacr.org/2018/1013},
	shorttitle = {E3},
	abstract = {In this technical report we describe E3 (Encrypt-Everything-Everywhere), a framework which enables execution of standard C++ code with homomorphically encrypted variables. The framework automatically generates protected types so the programmer can remain oblivious to the underlying encryption scheme. C++ protected classes redefine operators according to the encryption scheme effectively making the introduction of a new {API} unnecessary. At its current version, E3 supports a variety of homomorphic encryption libraries, batching, mixing different encryption schemes in the same program, as well as the ability to combine modular computation and bit-level computation.},
	number = {1013},
	author = {Chielle, Eduardo and Mazonka, Oleg and Gamil, Homer and Tsoutsos, Nektarios Georgios and Maniatakos, Michail},
	urldate = {2022-03-07},
	date = {2018},
	keywords = {Fully Homomorphic Encryption, applications, Data Privacy, General-purpose computation, Privacy-preserving computation},
	file = {ePrint IACR Full Text PDF:/home/ketl1/Zotero/storage/6GLKU7NH/Chielle et al. - 2018 - E3 A Framework for Compiling C++ Programs with En.pdf:application/pdf},
}

@software{raven_python-fhez_2022,
	title = {Python-{FHEz}},
	rights = {{OSL}-3.0},
	url = {https://github.com/DreamingRaven/python-fhez},
	abstract = {Official mirror of Python-{FHEz}; Python Fully Homomorphic Encryption ({FHE}) Library for Encrypted Deep Learning as a Service ({EDLaaS}).},
	author = {Raven},
	urldate = {2022-03-17},
	date = {2022-03-11},
	note = {original-date: 2020-03-21T11:28:27Z},
	keywords = {cryptography, deep-learning, fhe, machine-learning, docker, fully-homomorphic-encryption, kubernetes},
}

@article{liu_survey_2018,
	title = {A Survey on Security Threats and Defensive Techniques of Machine Learning: A Data Driven View},
	volume = {6},
	issn = {2169-3536},
	doi = {10.1109/ACCESS.2018.2805680},
	shorttitle = {A Survey on Security Threats and Defensive Techniques of Machine Learning},
	abstract = {Machine learning is one of the most prevailing techniques in computer science, and it has been widely applied in image processing, natural language processing, pattern recognition, cybersecurity, and other fields. Regardless of successful applications of machine learning algorithms in many scenarios, e.g., facial recognition, malware detection, automatic driving, and intrusion detection, these algorithms and corresponding training data are vulnerable to a variety of security threats, inducing a significant performance decrease. Hence, it is vital to call for further attention regarding security threats and corresponding defensive techniques of machine learning, which motivates a comprehensive survey in this paper. Until now, researchers from academia and industry have found out many security threats against a variety of learning algorithms, including naive Bayes, logistic regression, decision tree, support vector machine ({SVM}), principle component analysis, clustering, and prevailing deep neural networks. Thus, we revisit existing security threats and give a systematic survey on them from two aspects, the training phase and the testing/inferring phase. After that, we categorize current defensive techniques of machine learning into four groups: security assessment mechanisms, countermeasures in the training phase, those in the testing or inferring phase, data security, and privacy. Finally, we provide five notable trends in the research on security threats and defensive techniques of machine learning, which are worth doing in-depth studies in future.},
	pages = {12103--12117},
	journaltitle = {{IEEE} Access},
	author = {Liu, Qiang and Li, Pan and Zhao, Wentao and Cai, Wei and Yu, Shui and Leung, Victor C. M.},
	date = {2018},
	note = {Conference Name: {IEEE} Access},
	keywords = {Machine learning, Machine learning algorithms, Support vector machines, Training, adversarial samples, defensive techniques, Security, security threats, Taxonomy, Testing, Training data},
	file = {IEEE Xplore Full Text PDF:/home/ketl1/Zotero/storage/RLNN3DV7/Liu et al. - 2018 - A Survey on Security Threats and Defensive Techniq.pdf:application/pdf},
}

@inproceedings{fredrikson_model_2015,
	location = {Denver Colorado {USA}},
	title = {Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures},
	isbn = {978-1-4503-3832-5},
	url = {https://dl.acm.org/doi/10.1145/2810103.2813677},
	doi = {10.1145/2810103.2813677},
	abstract = {Machine-learning ({ML}) algorithms are increasingly utilized in privacy-sensitive applications such as predicting lifestyle choices, making medical diagnoses, and facial recognition. In a model inversion attack, recently introduced in a case study of linear classifiers in personalized medicine by Fredrikson et al. [13], adversarial access to an {ML} model is abused to learn sensitive genomic information about individuals. Whether model inversion attacks apply to settings outside theirs, however, is unknown.},
	eventtitle = {{CCS}'15: The 22nd {ACM} Conference on Computer and Communications Security},
	pages = {1322--1333},
	booktitle = {Proceedings of the 22nd {ACM} {SIGSAC} Conference on Computer and Communications Security},
	publisher = {{ACM}},
	author = {Fredrikson, Matt and Jha, Somesh and Ristenpart, Thomas},
	urldate = {2022-03-23},
	date = {2015-10-12},
	langid = {english},
	file = {Fredrikson et al. - 2015 - Model Inversion Attacks that Exploit Confidence In.pdf:/home/ketl1/Zotero/storage/Z4MGJLHX/Fredrikson et al. - 2015 - Model Inversion Attacks that Exploit Confidence In.pdf:application/pdf},
}

@article{keydana_rstudio_2020,
	title = {{RStudio} {AI} Blog: Hacking deep learning: model inversion attack by example},
	url = {https://blogs.rstudio.com/tensorflow/posts/2020-05-15-model-inversion-attacks/},
	shorttitle = {{RStudio} {AI} Blog},
	abstract = {Compared to other applications, deep learning models might not seem too likely as victims of privacy attacks. However, methods exist to determine whether an entity was used in the training set (an adversarial attack called member inference), and techniques subsumed under "model inversion" allow to reconstruct raw data input given just model output (and sometimes, context information). This post shows an end-to-end example of model inversion, and explores mitigation strategies using {TensorFlow} Privacy.},
	author = {Keydana, Sigrid},
	urldate = {2022-03-23},
	date = {2020-05-15},
}

@inproceedings{he_model_2019,
	location = {San Juan Puerto Rico {USA}},
	title = {Model inversion attacks against collaborative inference},
	isbn = {978-1-4503-7628-0},
	url = {https://dl.acm.org/doi/10.1145/3359789.3359824},
	doi = {10.1145/3359789.3359824},
	abstract = {The prevalence of deep learning has drawn attention to the privacy protection of sensitive data. Various privacy threats have been presented, where an adversary can steal model owners’ private data. Meanwhile, countermeasures have also been introduced to achieve privacy-preserving deep learning. However, most studies only focused on data privacy during training, and ignored privacy during inference. In this paper, we devise a new set of attacks to compromise the inference data privacy in collaborative deep learning systems. Specifically, when a deep neural network and the corresponding inference task are split and distributed to different participants, one malicious participant can accurately recover an arbitrary input fed into this system, even if he has no access to other participants’ data or computations, or to prediction {APIs} to query this system. We evaluate our attacks under different settings, models and datasets, to show their effectiveness and generalization. We also study the characteristics of deep learning models that make them susceptible to such inference privacy threats. This provides insights and guidelines to develop more privacy-preserving collaborative systems and algorithms.},
	eventtitle = {{ACSAC} '19: 2019 Annual Computer Security Applications Conference},
	pages = {148--162},
	booktitle = {Proceedings of the 35th Annual Computer Security Applications Conference},
	publisher = {{ACM}},
	author = {He, Zecheng and Zhang, Tianwei and Lee, Ruby B.},
	urldate = {2022-03-23},
	date = {2019-12-09},
	langid = {english},
	file = {He et al. - 2019 - Model inversion attacks against collaborative infe.pdf:/home/ketl1/Zotero/storage/3AH228W9/He et al. - 2019 - Model inversion attacks against collaborative infe.pdf:application/pdf},
}

@article{mohan_secure_2018,
	title = {Secure and Privacy Preserving Mail Servers using Modified Homomorphic Encryption ({MHE}) Scheme},
	volume = {9},
	issn = {21565570, 2158107X},
	url = {http://thesai.org/Publications/ViewPaper?Volume=9&Issue=3&Code=ijacsa&SerialNo=16},
	doi = {10.14569/IJACSA.2018.090316},
	abstract = {Electronic mail (Email) or the paperless mail is becoming the most acceptable, faster and cheapest way of formal and informal information sharing between users. Around 500 billion mails are sent each day and the count is expected to be increasing. Today, even the sensitive and private information are shared through emails, thus making it the primary target for attackers and hackers. Also, the companies having their own mail server, relies on cloud system for storing the mails at a lower cost and maintenance. This affected the privacy of users as the searching pattern is visible to the cloud. To rectify this, we need to have a secure architecture for storing the emails and retrieve them according to the user queries. Data as well as the queries and computations to retrieve the relevant mails should be hidden from the third party. This article proposes a modified homomorphic encryption ({MHE}) technique to secure the mails. Homomorphic encryption is made practical using {MHE} and by incorporating Map Reduce parallel programming model, the execution time is exponentially reduced. Well known techniques in information retrieval, like Vector Space model and Term Frequency – Inverse Document Frequency ({TF}-{IDF}) concepts are utilized for finding relevant mails to the query. The analysis done on the dataset proves that our method is efficient in terms of execution time and in ensuring the security of the data and the privacy of the users.},
	number = {3},
	journaltitle = {International Journal of Advanced Computer Science and Applications},
	shortjournal = {ijacsa},
	author = {Mohan, Lija and Elayidon, Sudheep},
	urldate = {2022-03-23},
	date = {2018},
	langid = {english},
	file = {Mohan and Elayidon - 2018 - Secure and Privacy Preserving Mail Servers using M.pdf:/home/ketl1/Zotero/storage/IVZJ8FYJ/Mohan and Elayidon - 2018 - Secure and Privacy Preserving Mail Servers using M.pdf:application/pdf},
}

@inproceedings{hidano_model_2017,
	location = {Calgary, {AB}},
	title = {Model Inversion Attacks for Prediction Systems: Without Knowledge of Non-Sensitive Attributes},
	isbn = {978-1-5386-2487-6},
	url = {https://ieeexplore.ieee.org/document/8476925/},
	doi = {10.1109/PST.2017.00023},
	shorttitle = {Model Inversion Attacks for Prediction Systems},
	abstract = {While online services based on machine learning ({ML}) have been attracting considerable attention in both academic and business, privacy issues are becoming a threat that cannot be ignored. Recently, Fredrikson et al. [{USENIX} 2014] proposed a new paradigm of model inversion attacks, which allows an adversary to expose the sensitive information of users by using an {ML} system for an unintended purpose. In particular, the attack reveals the sensitive attribute values of the target user by using their non-sensitive attributes and the output of the {ML} model. Here, for the attack to succeed, the adversary needs to possess the non-sensitive attribute values of the target user prior to the attack. However, in reality, even if this information (i.e., non-sensitive attributes) is not necessarily information the user regards as sensitive, it may be difficult for the adversary to actually acquire it.},
	eventtitle = {2017 15th Annual Conference on Privacy, Security and Trust ({PST})},
	pages = {115--11509},
	booktitle = {2017 15th Annual Conference on Privacy, Security and Trust ({PST})},
	publisher = {{IEEE}},
	author = {Hidano, Seira and Murakami, Takao and Katsumata, Shuichi and Kiyomoto, Shinsaku and Hanaoka, Goichiro},
	urldate = {2022-03-29},
	date = {2017-08},
	langid = {english},
	file = {Hidano et al. - 2017 - Model Inversion Attacks for Prediction Systems Wi.pdf:/home/ketl1/Zotero/storage/WYH5PDHL/Hidano et al. - 2017 - Model Inversion Attacks for Prediction Systems Wi.pdf:application/pdf},
}

@inproceedings{podschwadt_classification_2020,
	title = {Classification of Encrypted Word Embeddings using Recurrent Neural Networks},
	abstract = {Deep learning has made many exciting applications possible and given the popularity of social networks and user generated content everyday there is no shortage of data for these applications. The content generated by the users is written or spoken in natural language which needs to be processed by computers. Recurrent Neural Networks ({RNNs}) are a popular choice for language processing due to their ability to process sequential data. On the other hand, this data is some of the most privacy sensitive information. Therefore, privacy-preserving methods for natural language processing are crucial. In this paper, we focus on settings where a client has private data and wants to use machine learning as a service ({MLaaS}) to perform classification on the data without the need to disclose the data to the entity offering the service. We employ homomorphic encryption techniques to achieve this. Homomorphic encryption allows for data being processed without it being decrypted thereby protecting the users privacy. Although homomorphic encryption has been used for privacy-preserving machine learning, most of the work has been focused on image processing and convolutional neural networks ({CNNs}), but {RNNs} have not been studied. In this work, we use homomorphic encryption to build privacy-preserving {RNNs} for natural language processing tasks. We show that {RNNs} can be run over encrypted data without loss in accuracy compared to a plaintext implementation by evaluating our system on a sentinment classification task on the {IMDb} movie review dataset.},
	booktitle = {Proceedings of the {PrivateNLP} 2020: Workshop on Privacy in Natural Language Processing},
	author = {Podschwadt, Robert and Takabi, Daniel},
	date = {2020},
	langid = {english},
	file = {Podschwadt and Takabi - 2020 - Classification of Encrypted Word Embeddings using .pdf:/home/shinja/.zotero/storage/2KY2JCDH/Podschwadt and Takabi - 2020 - Classification of Encrypted Word Embeddings using .pdf:application/pdf},
}

@incollection{galbraith_approximate_2022,
	location = {Cham},
	title = {Approximate Homomorphic Encryption with Reduced Approximation Error},
	volume = {13161},
	isbn = {978-3-030-95311-9 978-3-030-95312-6},
	url = {https://link.springer.com/10.1007/978-3-030-95312-6_6},
	abstract = {The Cheon-Kim-Kim-Song ({CKKS}) homomorphic encryption scheme is currently the most efficient method to perform approximate homomorphic computations over real and complex numbers. Although the {CKKS} scheme can already be used to achieve practical performance for many advanced applications, e.g., in machine learning, its broader use in practice is hindered by several major usability issues, most of which are brought about by relatively high approximation errors and the complexity of dealing with them.},
	pages = {120--144},
	booktitle = {Topics in Cryptology – {CT}-{RSA} 2022},
	publisher = {Springer International Publishing},
	author = {Kim, Andrey and Papadimitriou, Antonis and Polyakov, Yuriy},
	editor = {Galbraith, Steven D.},
	urldate = {2022-04-22},
	date = {2022},
	langid = {english},
	doi = {10.1007/978-3-030-95312-6_6},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Kim et al. - 2022 - Approximate Homomorphic Encryption with Reduced Ap.pdf:/home/ketl1/Zotero/storage/ZG5QD4A2/Kim et al. - 2022 - Approximate Homomorphic Encryption with Reduced Ap.pdf:application/pdf},
}

@online{noauthor_ckks_2020,
	title = {{CKKS} explained: Part 1, Vanilla Encoding and Decoding},
	url = {https://blog.openmined.org/ckks-explained-part-1-simple-encoding-and-decoding/},
	shorttitle = {{CKKS} explained},
	abstract = {First part of the series {CKKS} explained where we see how to implement a vanilla encoder and decoder.},
	titleaddon = {{OpenMined} Blog},
	urldate = {2022-04-26},
	date = {2020-09-01},
	langid = {english},
}

@article{rosenthal_datenschutz_2022,
	title = {Datenschutz und {KI}: Worauf in der Praxis zu achten ist},
	issn = {1664-848X},
	url = {https://jusletter-it.weblaw.ch/issues/2022/22-April-2022/datenschutz-und-ki--_c9a8e8e535.html},
	doi = {10.38023/b0b03958-c363-4151-8e01-00f4ac6d8512},
	shorttitle = {Datenschutz und {KI}},
	number = {22},
	journaltitle = {Jusletter-{IT}},
	author = {Rosenthal, David},
	urldate = {2022-04-27},
	date = {2022},
	langid = {german},
	file = {Rosenthal - 2022 - Data protection and AI (Translated).pdf:/home/ketl1/Zotero/storage/9P6DLW9N/Rosenthal - 2022 - Data protection and AI (Translated).pdf:application/pdf;Rosenthal - 2022 - Datenschutz und KI Worauf in der Praxis zu achten.pdf:/home/ketl1/Zotero/storage/6B6DQQH5/Rosenthal - 2022 - Datenschutz und KI Worauf in der Praxis zu achten.pdf:application/pdf},
}

@incollection{galbraith_numerical_2019,
	location = {Cham},
	title = {Numerical Method for Comparison on Homomorphically Encrypted Numbers},
	volume = {11922},
	isbn = {978-3-030-34620-1 978-3-030-34621-8},
	url = {http://link.springer.com/10.1007/978-3-030-34621-8_15},
	abstract = {We propose a new method to compare numbers which are encrypted by Homomorphic Encryption ({HE}). Previously, comparison and min/max functions were evaluated using Boolean functions where input numbers are encrypted bit-wise. However, the bit-wise encryption methods require relatively expensive computations for basic arithmetic operations such as addition and multiplication.},
	pages = {415--445},
	booktitle = {Advances in Cryptology – {ASIACRYPT} 2019},
	publisher = {Springer International Publishing},
	author = {Cheon, Jung Hee and Kim, Dongwoo and Kim, Duhyeong and Lee, Hun Hee and Lee, Keewoo},
	editor = {Galbraith, Steven D. and Moriai, Shiho},
	urldate = {2022-05-24},
	date = {2019},
	langid = {english},
	doi = {10.1007/978-3-030-34621-8_15},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Cheon et al. - 2019 - Numerical Method for Comparison on Homomorphically.pdf:/home/ketl1/Zotero/storage/JG45TJDJ/Cheon et al. - 2019 - Numerical Method for Comparison on Homomorphically.pdf:application/pdf},
}

@misc{chialva_conditionals_2019,
	title = {Conditionals in Homomorphic Encryption and Machine Learning Applications},
	url = {http://arxiv.org/abs/1810.12380},
	abstract = {Homomorphic encryption aims at allowing computations on encrypted data without decryption other than that of the final result. This could provide an elegant solution to the issue of privacy preservation in data-based applications, such as those using machine learning, but several open issues hamper this plan. In this work we assess the possibility for homomorphic encryption to fully implement its program without relying on other techniques, such as multiparty computation ({SMPC}), which may be impossible in many use cases (for instance due to the high level of communication required). We proceed in two steps: i) on the basis of the structured program theorem [Bohm, Jacopini] we identify the relevant minimal set of operations homomorphic encryption must be able to perform to implement any algorithm; and ii) we analyse the possibility to solve -and propose an implementation for- the most fundamentally relevant issue as it emerges from our analysis, that is, the implementation of conditionals (requiring comparison and selection/jump operations). We show how this issue clashes with the fundamental requirements of homomorphic encryption and could represent a drawback for its use as a complete solution for privacy preservation in data-based applications, in particular machine learning. Our approach for comparisons is novel and entirely embedded in homomorphic encryption, while previous studies relied on other techniques, such as {SMPC}, demanding high level of communication among parties, and decryption of intermediate results from data-owners. A number of studies have indeed dealt with comparisons, but typically their algorithms rely on other techniques, such as secure multiparty computation, which required a) high level of communication among parties, and b) the data owner to decrypt intermediate results. Our protocol is also provably safe (sharing the same safety as the homomorphic encryption schemes), differently from other techniques such as Order-Preserving/Revealing-Encryption ({OPE}/{ORE}).},
	number = {{arXiv}:1810.12380},
	publisher = {{arXiv}},
	author = {Chialva, Diego and Dooms, Ann},
	urldate = {2022-05-24},
	date = {2019-05-09},
	langid = {english},
	eprinttype = {arxiv},
	eprint = {1810.12380 [cs]},
	note = {Number: {arXiv}:1810.12380},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {Chialva and Dooms - 2019 - Conditionals in Homomorphic Encryption and Machine.pdf:/home/ketl1/Zotero/storage/PM9L4E3D/Chialva and Dooms - 2019 - Conditionals in Homomorphic Encryption and Machine.pdf:application/pdf},
}

@incollection{paillier_public-key_1999,
	location = {Berlin, Heidelberg},
	title = {Public-Key Cryptosystems Based on Composite Degree Residuosity Classes},
	volume = {1592},
	isbn = {978-3-540-65889-4},
	url = {http://link.springer.com/10.1007/3-540-48910-X_16},
	abstract = {This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes : a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to {RSA}. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model.},
	pages = {223--238},
	booktitle = {Advances in Cryptology — {EUROCRYPT} ’99},
	publisher = {Springer Berlin Heidelberg},
	author = {Paillier, Pascal},
	editor = {Stern, Jacques},
	urldate = {2022-06-17},
	date = {1999},
	langid = {english},
	doi = {10.1007/3-540-48910-X_16},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Paillier - 1999 - Public-Key Cryptosystems Based on Composite Degree.pdf:/home/ketl1/Zotero/storage/7ZV9Z7BA/Paillier - 1999 - Public-Key Cryptosystems Based on Composite Degree.pdf:application/pdf},
}

@inproceedings{gentry_fully_2009,
	location = {Bethesda, {MD}, {USA}},
	title = {Fully homomorphic encryption using ideal lattices},
	isbn = {978-1-60558-506-2},
	url = {http://portal.acm.org/citation.cfm?doid=1536414.1536440},
	doi = {10.1145/1536414.1536440},
	abstract = {We propose a fully homomorphic encryption scheme – i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result – that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable.},
	eventtitle = {the 41st annual {ACM} symposium},
	pages = {169},
	booktitle = {Proceedings of the 41st annual {ACM} symposium on Symposium on theory of computing - {STOC} '09},
	publisher = {{ACM} Press},
	author = {Gentry, Craig},
	urldate = {2022-06-17},
	date = {2009},
	langid = {english},
	file = {Gentry - 2009 - Fully homomorphic encryption using ideal lattices.pdf:/home/ketl1/Zotero/storage/NJCCQV4X/Gentry - 2009 - Fully homomorphic encryption using ideal lattices.pdf:application/pdf},
}

@incollection{cheon_bootstrapping_2018,
	location = {Cham},
	title = {Bootstrapping for Approximate Homomorphic Encryption},
	volume = {10820},
	isbn = {978-3-319-78380-2 978-3-319-78381-9},
	url = {https://link.springer.com/10.1007/978-3-319-78381-9_14},
	abstract = {This paper extends the leveled homomorphic encryption scheme for an approximate arithmetic of Cheon et al. ({ASIACRYPT} 2017) to a fully homomorphic encryption, i.e., we propose a new technique to refresh low-level ciphertexts based on Gentry’s bootstrapping procedure.},
	pages = {360--384},
	booktitle = {Advances in Cryptology – {EUROCRYPT} 2018},
	publisher = {Springer International Publishing},
	author = {Cheon, Jung Hee and Han, Kyoohyung and Kim, Andrey and Kim, Miran and Song, Yongsoo},
	editor = {Nielsen, Jesper Buus and Rijmen, Vincent},
	urldate = {2022-06-17},
	date = {2018},
	langid = {english},
	doi = {10.1007/978-3-319-78381-9_14},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Cheon et al. - 2018 - Bootstrapping for Approximate Homomorphic Encrypti.pdf:/home/ketl1/Zotero/storage/SCEGM9RQ/Cheon et al. - 2018 - Bootstrapping for Approximate Homomorphic Encrypti.pdf:application/pdf},
}

@article{lecun_gradient-based_1998,
	title = {Gradient-Based Learning Applied to Document Recognition},
	volume = {86},
	doi = {10.1109/5.726791},
	abstract = {Multilayer neural networks trained with the back-propagation algorithm constitute the best example of a successful gradient based learning technique. Given an appropriate network architecture,
gradient-based learning algorithms can be used to synthesize a complex decision surface that can classify high-dimensional patterns, such as handwritten characters, with minimal preprocessing. This paper reviews various methods applied to handwritten character recognition and
compares them on a standard handwritten digit recognition task.
Convolutional neural networks, which are specifically designed to deal with the variability of 2D shapes, are shown to outperform all other techniques. Real-life document recognition systems are composed of multiple modules including field extraction, segmentation recognition, and language modeling. A new learning paradigm, called graph transformer networks ({GTN}), allows such multimodule systems to be trained globally using gradient-based methods so as to minimize an overall performance measure. Two systems for online handwriting recognition are described. Experiments demonstrate the advantage of global training, and the flexibility of graph transformer networks. A graph transformer network for reading a bank cheque is also described. It uses convolutional neural network character recognizers combined with global training techniques to provide record accuracy on business and personal cheques. It is deployed commercially and reads several million cheques per day},
	pages = {2278--2324},
	journaltitle = {Proceedings of the {IEEE}},
	shortjournal = {Proceedings of the {IEEE}},
	author = {Lecun, Yann and Bottou, Leon and Bengio, Y. and Haffner, Patrick},
	date = {1998-12-01},
	file = {Full Text PDF:/home/ketl1/Zotero/storage/M7LFM37N/Lecun et al. - 1998 - Gradient-Based Learning Applied to Document Recogn.pdf:application/pdf},
}

@inproceedings{lopez-alt_--fly_2012,
	location = {New York, New York, {USA}},
	title = {On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption},
	isbn = {978-1-4503-1245-5},
	url = {http://dl.acm.org/citation.cfm?doid=2213977.2214086},
	doi = {10.1145/2213977.2214086},
	abstract = {We propose a new notion of secure multiparty computation aided by a computationallypowerful but untrusted “cloud” server. In this notion that we call on-the-fly multiparty computation ({MPC}), the cloud can non-interactively perform arbitrary, dynamically chosen computations on data belonging to arbitrary sets of users chosen on-the-fly. All user’s input data and intermediate results are protected from snooping by the cloud as well as other users. This extends the standard notion of fully homomorphic encryption ({FHE}), where users can only enlist the cloud’s help in evaluating functions on their own encrypted data.},
	eventtitle = {the 44th symposium},
	pages = {1219},
	booktitle = {Proceedings of the 44th symposium on Theory of Computing - {STOC} '12},
	publisher = {{ACM} Press},
	author = {López-Alt, Adriana and Tromer, Eran and Vaikuntanathan, Vinod},
	urldate = {2022-08-02},
	date = {2012},
	langid = {english},
	file = {López-Alt et al. - 2012 - On-the-fly multiparty computation on the cloud via.pdf:/home/ketl1/Zotero/storage/52K4W3HM/López-Alt et al. - 2012 - On-the-fly multiparty computation on the cloud via.pdf:application/pdf},
}

@inproceedings{sav_poseidon_2021,
	location = {Virtual},
	title = {{POSEIDON}: Privacy-Preserving Federated Neural Network Learning},
	isbn = {978-1-891562-66-2},
	url = {https://www.ndss-symposium.org/wp-content/uploads/ndss2021_6C-1_24119_paper.pdf},
	doi = {10.14722/ndss.2021.24119},
	shorttitle = {{POSEIDON}},
	abstract = {In this paper, we address the problem of privacypreserving training and evaluation of neural networks in an N-party, federated learning setting. We propose a novel system, {POSEIDON}, the first of its kind in the regime of privacy-preserving neural network training. It employs multiparty lattice-based cryptography to preserve the confidentiality of the training data, the model, and the evaluation data, under a passive-adversary model and collusions between up to N − 1 parties. To efficiently execute the secure backpropagation algorithm for training neural networks, we provide a generic packing approach that enables Single Instruction, Multiple Data ({SIMD}) operations on encrypted data. We also introduce arbitrary linear transformations within the cryptographic bootstrapping operation, optimizing the costly cryptographic computations over the parties, and we define a constrained optimization problem for choosing the cryptographic parameters. Our experimental results show that {POSEIDON} achieves accuracy similar to centralized or decentralized non-private approaches and that its computation and communication overhead scales linearly with the number of parties. {POSEIDON} trains a 3-layer neural network on the {MNIST} dataset with 784 features and 60K samples distributed among 10 parties in less than 2 hours.},
	eventtitle = {Network and Distributed System Security Symposium},
	booktitle = {Proceedings 2021 Network and Distributed System Security Symposium},
	publisher = {Internet Society},
	author = {Sav, Sinem and Pyrgelis, Apostolos and Troncoso-Pastoriza, Juan Ramón and Froelicher, David and Bossuat, Jean-Philippe and Sousa, Joao Sa and Hubaux, Jean-Pierre},
	urldate = {2022-08-02},
	date = {2021},
	langid = {english},
	file = {Sav et al. - 2021 - POSEIDON Privacy-Preserving Federated Neural Netw.pdf:/home/ketl1/Zotero/storage/XYNLZYJP/Sav et al. - 2021 - POSEIDON Privacy-Preserving Federated Neural Netw.pdf:application/pdf},
}

@misc{shumailov_manipulating_2021,
	title = {Manipulating {SGD} with Data Ordering Attacks},
	url = {http://arxiv.org/abs/2104.09667},
	doi = {10.48550/arXiv.2104.09667},
	abstract = {Machine learning is vulnerable to a wide variety of attacks. It is now well understood that by changing the underlying data distribution, an adversary can poison the model trained with it or introduce backdoors. In this paper we present a novel class of training-time attacks that require no changes to the underlying dataset or model architecture, but instead only change the order in which data are supplied to the model. In particular, we find that the attacker can either prevent the model from learning, or poison it to learn behaviours specified by the attacker. Furthermore, we find that even a single adversarially-ordered epoch can be enough to slow down model learning, or even to reset all of the learning progress. Indeed, the attacks presented here are not specific to the model or dataset, but rather target the stochastic nature of modern learning procedures. We extensively evaluate our attacks on computer vision and natural language benchmarks to find that the adversary can disrupt model training and even introduce backdoors.},
	number = {{arXiv}:2104.09667},
	publisher = {{arXiv}},
	author = {Shumailov, Ilia and Shumaylov, Zakhar and Kazhdan, Dmitry and Zhao, Yiren and Papernot, Nicolas and Erdogdu, Murat A. and Anderson, Ross},
	urldate = {2022-08-09},
	date = {2021-06-05},
	eprinttype = {arxiv},
	eprint = {2104.09667 [cs]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning, Computer Science - Artificial Intelligence, Computer Science - Computer Vision and Pattern Recognition},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/6XUWVBMN/Shumailov et al. - 2021 - Manipulating SGD with Data Ordering Attacks.pdf:application/pdf},
}

@inproceedings{viand_sok_2021,
	title = {{SoK}: Fully Homomorphic Encryption Compilers},
	url = {http://arxiv.org/abs/2101.07078},
	doi = {10.1109/SP40001.2021.00068},
	shorttitle = {{SoK}},
	abstract = {Fully Homomorphic Encryption ({FHE}) allows a third party to perform arbitrary computations on encrypted data, learning neither the inputs nor the computation results. Hence, it provides resilience in situations where computations are carried out by an untrusted or potentially compromised party. This powerful concept was first conceived by Rivest et al. in the 1970s. However, it remained unrealized until Craig Gentry presented the first feasible {FHE} scheme in 2009. The advent of the massive collection of sensitive data in cloud services, coupled with a plague of data breaches, moved highly regulated businesses to increasingly demand confidential and secure computing solutions. This demand, in turn, has led to a recent surge in the development of {FHE} tools. To understand the landscape of recent {FHE} tool developments, we conduct an extensive survey and experimental evaluation to explore the current state of the art and identify areas for future development. In this paper, we survey, evaluate, and systematize {FHE} tools and compilers. We perform experiments to evaluate these tools' performance and usability aspects on a variety of applications. We conclude with recommendations for developers intending to develop {FHE}-based applications and a discussion on future directions for {FHE} tools development.},
	pages = {1092--1108},
	booktitle = {2021 {IEEE} Symposium on Security and Privacy ({SP})},
	author = {Viand, Alexander and Jattke, Patrick and Hithnawi, Anwar},
	urldate = {2022-08-09},
	date = {2021-05},
	eprinttype = {arxiv},
	eprint = {2101.07078 [cs]},
	keywords = {Computer Science - Cryptography and Security},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/N4S2IB4F/Viand et al. - 2021 - SoK Fully Homomorphic Encryption Compilers.pdf:application/pdf},
}

@misc{aslett_encrypted_2015,
	title = {Encrypted statistical machine learning: new privacy preserving methods},
	url = {http://arxiv.org/abs/1508.06845},
	doi = {10.48550/arXiv.1508.06845},
	shorttitle = {Encrypted statistical machine learning},
	abstract = {We present two new statistical machine learning methods designed to learn on fully homomorphic encrypted ({FHE}) data. The introduction of {FHE} schemes following Gentry (2009) opens up the prospect of privacy preserving statistical machine learning analysis and modelling of encrypted data without compromising security constraints. We propose tailored algorithms for applying extremely random forests, involving a new cryptographic stochastic fraction estimator, and na{\textbackslash}"\{i\}ve Bayes, involving a semi-parametric model for the class decision boundary, and show how they can be used to learn and predict from encrypted data. We demonstrate that these techniques perform competitively on a variety of classification data sets and provide detailed information about the computational practicalities of these and other {FHE} methods.},
	number = {{arXiv}:1508.06845},
	publisher = {{arXiv}},
	author = {Aslett, Louis J. M. and Esperança, Pedro M. and Holmes, Chris C.},
	urldate = {2022-08-09},
	date = {2015-08-27},
	eprinttype = {arxiv},
	eprint = {1508.06845 [cs, stat]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning, Statistics - Machine Learning, Statistics - Methodology},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/ULSS3P4N/Aslett et al. - 2015 - Encrypted statistical machine learning new privac.pdf:application/pdf},
}

@misc{ge_fedner_2020,
	title = {{FedNER}: Privacy-preserving Medical Named Entity Recognition with Federated Learning},
	url = {http://arxiv.org/abs/2003.09288},
	doi = {10.48550/arXiv.2003.09288},
	shorttitle = {{FedNER}},
	abstract = {Medical named entity recognition ({NER}) has wide applications in intelligent healthcare. Sufficient labeled data is critical for training accurate medical {NER} model. However, the labeled data in a single medical platform is usually limited. Although labeled datasets may exist in many different medical platforms, they cannot be directly shared since medical data is highly privacy-sensitive. In this paper, we propose a privacy-preserving medical {NER} method based on federated learning, which can leverage the labeled data in different platforms to boost the training of medical {NER} model and remove the need of exchanging raw data among different platforms. Since the labeled data in different platforms usually has some differences in entity type and annotation criteria, instead of constraining different platforms to share the same model, we decompose the medical {NER} model in each platform into a shared module and a private module. The private module is used to capture the characteristics of the local data in each platform, and is updated using local labeled data. The shared module is learned across different medical platform to capture the shared {NER} knowledge. Its local gradients from different platforms are aggregated to update the global shared module, which is further delivered to each platform to update their local shared modules. Experiments on three publicly available datasets validate the effectiveness of our method.},
	number = {{arXiv}:2003.09288},
	publisher = {{arXiv}},
	author = {Ge, Suyu and Wu, Fangzhao and Wu, Chuhan and Qi, Tao and Huang, Yongfeng and Xie, Xing},
	urldate = {2022-08-09},
	date = {2020-03-25},
	eprinttype = {arxiv},
	eprint = {2003.09288 [cs]},
	keywords = {Computer Science - Computation and Language},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/MKQUC8G7/Ge et al. - 2020 - FedNER Privacy-preserving Medical Named Entity Re.pdf:application/pdf},
}

@incollection{cheon_homomorphic_2017,
	location = {Cham},
	title = {Homomorphic Encryption for Arithmetic of Approximate Numbers},
	volume = {10624},
	isbn = {978-3-319-70693-1 978-3-319-70694-8},
	url = {http://link.springer.com/10.1007/978-3-319-70694-8_15},
	abstract = {We suggest a method to construct a homomorphic encryption scheme for approximate arithmetic. It supports an approximate addition and multiplication of encrypted messages, together with a new rescaling procedure for managing the magnitude of plaintext. This procedure truncates a ciphertext into a smaller modulus, which leads to rounding of plaintext. The main idea is to add a noise following significant figures which contain a main message. This noise is originally added to the plaintext for security, but considered to be a part of error occurring during approximate computations that is reduced along with plaintext by rescaling. As a result, our decryption structure outputs an approximate value of plaintext with a predetermined precision.},
	pages = {409--437},
	booktitle = {Advances in Cryptology – {ASIACRYPT} 2017},
	publisher = {Springer International Publishing},
	author = {Cheon, Jung Hee and Kim, Andrey and Kim, Miran and Song, Yongsoo},
	editor = {Takagi, Tsuyoshi and Peyrin, Thomas},
	urldate = {2022-08-09},
	date = {2017},
	langid = {english},
	doi = {10.1007/978-3-319-70694-8_15},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Cheon et al. - 2017 - Homomorphic Encryption for Arithmetic of Approxima.pdf:/home/ketl1/Zotero/storage/TB3ZEN9A/Cheon et al. - 2017 - Homomorphic Encryption for Arithmetic of Approxima.pdf:application/pdf},
}

@article{fan_somewhat_2012,
	title = {Somewhat Practical Fully Homomorphic Encryption},
	url = {https://eprint.iacr.org/2012/144},
	journaltitle = {Cryptology {ePrint} Archive},
	author = {Fan, Junfeng and Vercauteren, Frederik},
	urldate = {2022-08-09},
	date = {2012},
	langid = {english},
	file = {Full Text PDF:/home/ketl1/Zotero/storage/8HEXLX2U/Fan and Vercauteren - 2012 - Somewhat Practical Fully Homomorphic Encryption.pdf:application/pdf},
}

@incollection{cheon_full_2019,
	location = {Cham},
	title = {A Full {RNS} Variant of Approximate Homomorphic Encryption},
	volume = {11349},
	isbn = {978-3-030-10969-1 978-3-030-10970-7},
	url = {http://link.springer.com/10.1007/978-3-030-10970-7_16},
	abstract = {The technology of homomorphic encryption has improved rapidly in a few years. The cutting edge implementations are efficient enough to use in practical applications. Recently, Cheon et al. ({ASIACRYPT}’17) proposed a homomorphic encryption scheme which supports an arithmetic of approximate numbers over encryption. This scheme shows the current best performance in computation over the real numbers, but its implementation could not employ core optimization techniques based on the Residue Number System ({RNS}) decomposition and the Number Theoretic Transformation ({NTT}).},
	pages = {347--368},
	booktitle = {Selected Areas in Cryptography – {SAC} 2018},
	publisher = {Springer International Publishing},
	author = {Cheon, Jung Hee and Han, Kyoohyung and Kim, Andrey and Kim, Miran and Song, Yongsoo},
	editor = {Cid, Carlos and Jacobson, Michael J.},
	urldate = {2022-08-09},
	date = {2019},
	langid = {english},
	doi = {10.1007/978-3-030-10970-7_16},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Cheon et al. - 2019 - A Full RNS Variant of Approximate Homomorphic Encr.pdf:/home/ketl1/Zotero/storage/HGRGQIX8/Cheon et al. - 2019 - A Full RNS Variant of Approximate Homomorphic Encr.pdf:application/pdf},
}

@incollection{halevi_improved_2019,
	location = {Cham},
	title = {An Improved {RNS} Variant of the {BFV} Homomorphic Encryption Scheme},
	volume = {11405},
	isbn = {978-3-030-12611-7 978-3-030-12612-4},
	url = {http://link.springer.com/10.1007/978-3-030-12612-4_5},
	abstract = {We present an optimized implementation of the Fan-Vercauteren variant of Brakerski’s scale-invariant homomorphic encryption scheme. Our algorithmic improvements focus on optimizing decryption and homomorphic multiplication in the Residue Number System ({RNS}), using the Chinese Remainder Theorem ({CRT}) to represent and manipulate the large coefficients in the ciphertext polynomials. In particular, we propose efficient procedures for scaling and {CRT} basis extension that do not require translating the numbers to standard (positional) representation. Compared to the previously proposed {RNS} design due to Bajard et al. [3], our procedures are simpler and faster, and introduce a lower amount of noise. We implement our optimizations in the {PALISADE} library and evaluate the runtime performance for the range of multiplicative depths from 1 to 100. For example, homomorphic multiplication for a depth-20 setting can be executed in 62 ms on a modern server system, which is already practical for some outsourced-computing applications. Our algorithmic improvements can also be applied to other scale-invariant homomorphic encryption schemes, such as {YASHE}.},
	pages = {83--105},
	booktitle = {Topics in Cryptology – {CT}-{RSA} 2019},
	publisher = {Springer International Publishing},
	author = {Halevi, Shai and Polyakov, Yuriy and Shoup, Victor},
	editor = {Matsui, Mitsuru},
	urldate = {2022-08-09},
	date = {2019},
	langid = {english},
	doi = {10.1007/978-3-030-12612-4_5},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Halevi et al. - 2019 - An Improved RNS Variant of the BFV Homomorphic Enc.pdf:/home/ketl1/Zotero/storage/EY8AB24J/Halevi et al. - 2019 - An Improved RNS Variant of the BFV Homomorphic Enc.pdf:application/pdf},
}

@incollection{bossuat_efficient_2021,
	location = {Cham},
	title = {Efficient Bootstrapping for Approximate Homomorphic Encryption with Non-sparse Keys},
	volume = {12696},
	isbn = {978-3-030-77869-9 978-3-030-77870-5},
	url = {https://link.springer.com/10.1007/978-3-030-77870-5_21},
	abstract = {We present a bootstrapping procedure for the full-{RNS} variant of the approximate homomorphic-encryption scheme of Cheon et al., {CKKS} (Asiacrypt 17, {SAC} 18). Compared to the previously proposed procedures (Eurocrypt 18 \& 19, {CT}-{RSA} 20), our bootstrapping procedure is more precise, more efficient (in terms of {CPU} cost and number of consumed levels), and is more reliable and 128-bit-secure. Unlike the previous approaches, it does not require the use of sparse secret-keys. Therefore, to the best of our knowledge, this is the first procedure that enables a highly efficient and precise bootstrapping with a low probability of failure for parameters that are 128-bit-secure under the most recent attacks on sparse R-{LWE} secrets.},
	pages = {587--617},
	booktitle = {Advances in Cryptology – {EUROCRYPT} 2021},
	publisher = {Springer International Publishing},
	author = {Bossuat, Jean-Philippe and Mouchet, Christian and Troncoso-Pastoriza, Juan and Hubaux, Jean-Pierre},
	editor = {Canteaut, Anne and Standaert, François-Xavier},
	urldate = {2022-08-09},
	date = {2021},
	langid = {english},
	doi = {10.1007/978-3-030-77870-5_21},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Bossuat et al. - 2021 - Efficient Bootstrapping for Approximate Homomorphi.pdf:/home/ketl1/Zotero/storage/PUY6EJHG/Bossuat et al. - 2021 - Efficient Bootstrapping for Approximate Homomorphi.pdf:application/pdf},
}

@article{costache_precision_2022,
	title = {On the precision loss in approximate homomorphic encryption},
	url = {https://eprint.iacr.org/2022/162},
	journaltitle = {Cryptology {ePrint} Archive},
	author = {Costache, Anamaria and Curtis, Benjamin R. and Hales, Erin and Murphy, Sean and Ogilvie, Tabitha and Player, Rachel},
	urldate = {2022-08-09},
	date = {2022},
	langid = {english},
	file = {Full Text PDF:/home/ketl1/Zotero/storage/93Q47666/Costache et al. - 2022 - On the precision loss in approximate homomorphic e.pdf:application/pdf},
}

@article{kim_secure_2018,
	title = {Secure Logistic Regression Based on Homomorphic Encryption: Design and Evaluation},
	volume = {6},
	issn = {2291-9694},
	url = {http://medinform.jmir.org/2018/2/e19/},
	doi = {10.2196/medinform.8805},
	shorttitle = {Secure Logistic Regression Based on Homomorphic Encryption},
	abstract = {Learning a model without accessing raw data has been an intriguing idea to the security and machine learning researchers for years. In an ideal setting, we want to encrypt sensitive data to store them on a commercial cloud and run certain analysis without ever decrypting the data to preserve the privacy. Homomorphic encryption technique is a promising candidate for secure data outsourcing but it is a very challenging task to support real-world machine learning tasks. Existing frameworks can only handle simplified cases with low-degree polynomials such as linear means classifier and linear discriminative analysis.},
	pages = {e19},
	number = {2},
	journaltitle = {{JMIR} Medical Informatics},
	shortjournal = {{JMIR} Med Inform},
	author = {Kim, Miran and Song, Yongsoo and Wang, Shuang and Xia, Yuhou and Jiang, Xiaoqian},
	urldate = {2022-08-09},
	date = {2018-04-17},
	langid = {english},
	file = {Kim et al. - 2018 - Secure Logistic Regression Based on Homomorphic En.pdf:/home/ketl1/Zotero/storage/HVFPEFKW/Kim et al. - 2018 - Secure Logistic Regression Based on Homomorphic En.pdf:application/pdf},
}

@misc{chiang_privacy-preserving_2022,
	title = {Privacy-Preserving Logistic Regression Training with a Faster Gradient Variant},
	url = {http://arxiv.org/abs/2201.10838},
	abstract = {Logistic regression training on an encrypted dataset has been an attractive idea to security concerns for years. In this paper, we propose a faster gradient variant called Quadratic Gradient for logistic regression and implement it via a special homomorphic encryption scheme. The core of this gradient variant can be seen as an extension of the simplified fixed Hessian from Newton’s method, which extracts information from the Hessian matrix into the naive gradient, and thus can be used to enhance Nesterov’s accelerated gradient ({NAG}), Adagrad, etc. We evaluate various gradient ascent methods with this gradient variant on the gene dataset provided by the 2017 {iDASH} competition and the image dataset from the {MNIST} database. Experimental results show that the enhanced methods converge faster and sometimes even to a better convergence result. We also implement the gradient variant in full batch {NAG} and mini-batch {NAG} for training a logistic regression model on a large dataset in the encrypted domain. Equipped with this gradient variant, full batch {NAG} and mini-batch {NAG} are both faster than the original ones.},
	number = {{arXiv}:2201.10838},
	publisher = {{arXiv}},
	author = {Chiang, John},
	urldate = {2022-08-09},
	date = {2022-01-26},
	langid = {english},
	eprinttype = {arxiv},
	eprint = {2201.10838 [cs]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {Chiang - 2022 - Privacy-Preserving Logistic Regression Training wi.pdf:/home/ketl1/Zotero/storage/LU66GPN6/Chiang - 2022 - Privacy-Preserving Logistic Regression Training wi.pdf:application/pdf},
}

@article{bonte_privacy-preserving_2018,
	title = {Privacy-preserving logistic regression training},
	volume = {11},
	issn = {1755-8794},
	url = {https://bmcmedgenomics.biomedcentral.com/articles/10.1186/s12920-018-0398-y},
	doi = {10.1186/s12920-018-0398-y},
	abstract = {Background: Logistic regression is a popular technique used in machine learning to construct classification models. Since the construction of such models is based on computing with large datasets, it is an appealing idea to outsource this computation to a cloud service. The privacy-sensitive nature of the input data requires appropriate privacy preserving measures before outsourcing it. Homomorphic encryption enables one to compute on encrypted data directly, without decryption and can be used to mitigate the privacy concerns raised by using a cloud service.
Methods: In this paper, we propose an algorithm (and its implementation) to train a logistic regression model on a homomorphically encrypted dataset. The core of our algorithm consists of a new iterative method that can be seen as a simplified form of the fixed Hessian method, but with a much lower multiplicative complexity.
Results: We test the new method on two interesting real life applications: the first application is in medicine and constructs a model to predict the probability for a patient to have cancer, given genomic data as input; the second application is in finance and the model predicts the probability of a credit card transaction to be fraudulent. The method produces accurate results for both applications, comparable to running standard algorithms on plaintext data.
Conclusions: This article introduces a new simple iterative algorithm to train a logistic regression model that is tailored to be applied on a homomorphically encrypted dataset. This algorithm can be used as a privacy-preserving technique to build a binary classification model and can be applied in a wide range of problems that can be modelled with logistic regression. Our implementation results show that our method can handle the large datasets used in logistic regression training.},
	pages = {86},
	issue = {S4},
	journaltitle = {{BMC} Medical Genomics},
	shortjournal = {{BMC} Med Genomics},
	author = {Bonte, Charlotte and Vercauteren, Frederik},
	urldate = {2022-08-09},
	date = {2018-10},
	langid = {english},
	file = {Bonte and Vercauteren - 2018 - Privacy-preserving logistic regression training.pdf:/home/ketl1/Zotero/storage/AE9VCR3G/Bonte and Vercauteren - 2018 - Privacy-preserving logistic regression training.pdf:application/pdf},
}

@article{chen_logistic_2018,
	title = {Logistic regression over encrypted data from fully homomorphic encryption},
	volume = {11},
	issn = {1755-8794},
	url = {https://bmcmedgenomics.biomedcentral.com/articles/10.1186/s12920-018-0397-z},
	doi = {10.1186/s12920-018-0397-z},
	abstract = {One of the tasks in the 2017 {iDASH} secure genome analysis competition was to enable training of logistic regression models over encrypted genomic data. More precisely, given a list of approximately 1500 patient records, each with 18 binary features containing information on specific mutations, the idea was for the data holder to encrypt the records using homomorphic encryption, and send them to an untrusted cloud for storage. The cloud could then apply a training algorithm on the encrypted data to obtain an encrypted logistic regression model, which can be sent to the data holder for decryption. In this way, the data holder could successfully outsource the training process without revealing either her sensitive data, or the trained model, to the cloud. Our solution to this problem has several novelties: we use a multi-bit plaintext space in fully homomorphic encryption together with fixed point number encoding; we combine bootstrapping in fully homomorphic encryption with a scaling operation in fixed point arithmetic; we use a minimax polynomial approximation to the sigmoid function and the 1-bit gradient descent method to reduce the plaintext growth in the training process. As a result, our training over encrypted data takes 0.4–3.2 hours per iteration of gradient descent.},
	pages = {81},
	issue = {S4},
	journaltitle = {{BMC} Medical Genomics},
	shortjournal = {{BMC} Med Genomics},
	author = {Chen, Hao and Gilad-Bachrach, Ran and Han, Kyoohyung and Huang, Zhicong and Jalali, Amir and Laine, Kim and Lauter, Kristin},
	urldate = {2022-08-09},
	date = {2018-10},
	langid = {english},
	file = {Chen et al. - 2018 - Logistic regression over encrypted data from fully.pdf:/home/ketl1/Zotero/storage/B9FU2FL7/Chen et al. - 2018 - Logistic regression over encrypted data from fully.pdf:application/pdf},
}

@misc{chen_when_2021,
	title = {When Homomorphic Encryption Marries Secret Sharing: Secure Large-Scale Sparse Logistic Regression and Applications in Risk Control},
	url = {http://arxiv.org/abs/2008.08753},
	shorttitle = {When Homomorphic Encryption Marries Secret Sharing},
	abstract = {Logistic Regression ({LR}) is the most widely used machine learning model in industry for its efficiency, robustness, and interpretability. Due to the problem of data isolation and the requirement of high model performance, many applications in industry call for building a secure and efficient {LR} model for multiple parties. Most existing work uses either Homomorphic Encryption ({HE}) or Secret Sharing ({SS}) to build secure {LR}. {HE} based methods can deal with highdimensional sparse features, but they incur potential security risks. {SS} based methods have provable security, but they have efficiency issue under high-dimensional sparse features. In this paper, we first present {CAESAR}, which combines {HE} and {SS} to build secure largescale sparse logistic regression model and achieves both efficiency and security. We then present the distributed implementation of {CAESAR} for scalability requirement. We have deployed {CAESAR} in a risk control task and conducted comprehensive experiments. Our experimental results show that {CAESAR} improves the state-of-theart model by around 130 times.},
	number = {{arXiv}:2008.08753},
	publisher = {{arXiv}},
	author = {Chen, Chaochao and Zhou, Jun and Wang, Li and Wu, Xibin and Fang, Wenjing and Tan, Jin and Wang, Lei and Liu, Alex X. and Wang, Hao and Hong, Cheng},
	urldate = {2022-08-09},
	date = {2021-05-31},
	langid = {english},
	eprinttype = {arxiv},
	eprint = {2008.08753 [cs]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {Chen et al. - 2021 - When Homomorphic Encryption Marries Secret Sharing.pdf:/home/ketl1/Zotero/storage/YQ267RJK/Chen et al. - 2021 - When Homomorphic Encryption Marries Secret Sharing.pdf:application/pdf},
}

@article{mouchet_multiparty_2021,
	title = {Multiparty Homomorphic Encryption from Ring-Learning-with-Errors},
	volume = {2021},
	issn = {2299-0984},
	url = {https://petsymposium.org/popets/2021/popets-2021-0071.php},
	doi = {10.2478/popets-2021-0071},
	abstract = {We propose and evaluate a securemultiparty-computation ({MPC}) solution in the semihonest model with dishonest majority that is based on multiparty homomorphic encryption ({MHE}). To support our solution, we introduce a multiparty version of the Brakerski-Fan-Vercauteren homomorphic cryptosystem and implement it in an open-source library. {MHE}-based {MPC} solutions have several advantages: Their transcript is public, their offline phase is compact, and their circuit-evaluation procedure is noninteractive. By exploiting these properties, the communication complexity of {MPC} tasks is reduced from quadratic to linear in the number of parties, thus enabling secure computation among potentially thousands of parties and in a broad variety of computing paradigms, from the traditional peer-to-peer setting to cloud-outsourcing and smart-contract technologies. {MHE}-based approaches can also outperform the state-of-the-art solutions, even for a small number of parties. We demonstrate this for three circuits: private input selection with application to private-information retrieval, component-wise vector multiplication with application to private-set intersection, and Beaver multiplication triples generation. For the first circuit, privately selecting one input among eight thousand parties’ (of 32 {KB} each) requires only 1.31 {MB} of communication per party and completes in 61.7 seconds. For the second circuit with eight parties, our approach is 8.6 times faster and requires 39.3 times less communication than the current methods. For the third circuit and ten parties, our approach generates 20 times more triples per second while requiring 136 times less communication per-triple than an approach based on oblivious transfer. We implemented our scheme in the Lattigo library and open-sourced the code at github.com/ldsec/lattigo.},
	pages = {291--311},
	number = {4},
	journaltitle = {Proceedings on Privacy Enhancing Technologies},
	author = {Mouchet, Christian and Troncoso-Pastoriza, Juan and Bossuat, Jean-Philippe and Hubaux, Jean-Pierre},
	urldate = {2022-08-09},
	date = {2021-10-01},
	langid = {english},
	file = {Mouchet et al. - 2021 - Multiparty Homomorphic Encryption from Ring-Learni.pdf:/home/ketl1/Zotero/storage/QIGP5SKW/Mouchet et al. - 2021 - Multiparty Homomorphic Encryption from Ring-Learni.pdf:application/pdf},
}

@article{ananth_multiparty_2020,
	title = {Multiparty Homomorphic Encryption (or: On Removing Setup in Multi-Key {FHE})},
	url = {https://eprint.iacr.org/2020/169},
	shorttitle = {Multiparty Homomorphic Encryption (or},
	journaltitle = {Cryptology {ePrint} Archive},
	author = {Ananth, Prabhanjan and Jain, Abhishek and Jin, Zhengzhong},
	urldate = {2022-08-09},
	date = {2020},
	langid = {english},
	file = {Full Text PDF:/home/ketl1/Zotero/storage/76SJI56B/Ananth et al. - 2020 - Multiparty Homomorphic Encryption (or On Removing.pdf:application/pdf},
}

@inproceedings{chen_efficient_2019,
	location = {London United Kingdom},
	title = {Efficient Multi-Key Homomorphic Encryption with Packed Ciphertexts with Application to Oblivious Neural Network Inference},
	isbn = {978-1-4503-6747-9},
	url = {https://dl.acm.org/doi/10.1145/3319535.3363207},
	doi = {10.1145/3319535.3363207},
	abstract = {Homomorphic Encryption ({HE}) is a cryptosystem which supports computation on encrypted data. Lo´pez-Alt et al. ({STOC} 2012) proposed a generalized notion of {HE}, called Multi-Key Homomorphic Encryption ({MKHE}), which is capable of performing arithmetic operations on ciphertexts encrypted under different keys.},
	eventtitle = {{CCS} '19: 2019 {ACM} {SIGSAC} Conference on Computer and Communications Security},
	pages = {395--412},
	booktitle = {Proceedings of the 2019 {ACM} {SIGSAC} Conference on Computer and Communications Security},
	publisher = {{ACM}},
	author = {Chen, Hao and Dai, Wei and Kim, Miran and Song, Yongsoo},
	urldate = {2022-08-09},
	date = {2019-11-06},
	langid = {english},
	file = {Chen et al. - 2019 - Efficient Multi-Key Homomorphic Encryption with Pa.pdf:/home/ketl1/Zotero/storage/JVDIJDQH/Chen et al. - 2019 - Efficient Multi-Key Homomorphic Encryption with Pa.pdf:application/pdf},
}

@misc{badawi_towards_2020,
	title = {Towards the {AlexNet} Moment for Homomorphic Encryption: {HCNN}, {the First} Homomorphic {CNN} on Encrypted Data with {GPUs}},
	url = {http://arxiv.org/abs/1811.00778},
	doi = {10.48550/arXiv.1811.00778},
	shorttitle = {Towards the {AlexNet} Moment for Homomorphic Encryption},
	abstract = {Deep Learning as a Service ({DLaaS}) stands as a promising solution for cloud-based inference applications. In this setting, the cloud has a pre-learned model whereas the user has samples on which she wants to run the model. The biggest concern with {DLaaS} is user privacy if the input samples are sensitive data. We provide here an efficient privacy-preserving system by employing high-end technologies such as Fully Homomorphic Encryption ({FHE}), Convolutional Neural Networks ({CNNs}) and Graphics Processing Units ({GPUs}). {FHE}, with its widely-known feature of computing on encrypted data, empowers a wide range of privacy-concerned applications. This comes at high cost as it requires enormous computing power. In this paper, we show how to accelerate the performance of running {CNNs} on encrypted data with {GPUs}. We evaluated two {CNNs} to classify homomorphically the {MNIST} and {CIFAR}-10 datasets. Our solution achieved a sufficient security level ({\textgreater} 80 bit) and reasonable classification accuracy (99\%) and (77.55\%) for {MNIST} and {CIFAR}-10, respectively. In terms of latency, we could classify an image in 5.16 seconds and 304.43 seconds for {MNIST} and {CIFAR}-10, respectively. Our system can also classify a batch of images ({\textgreater} 8,000) without extra overhead.},
	number = {{arXiv}:1811.00778},
	publisher = {{arXiv}},
	author = {Badawi, Ahmad Al and Chao, Jin and Lin, Jie and Mun, Chan Fook and Sim, Jun Jie and Tan, Benjamin Hong Meng and Nan, Xiao and Aung, Khin Mi Mi and Chandrasekhar, Vijay Ramaseshan},
	urldate = {2022-08-09},
	date = {2020-08-18},
	eprinttype = {arxiv},
	eprint = {1811.00778 [cs]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/96LW5JAC/Badawi et al. - 2020 - Towards the AlexNet Moment for Homomorphic Encrypt.pdf:application/pdf},
}

@misc{podschwadt_sok_2022,
	title = {{SoK}: Privacy-preserving Deep Learning with Homomorphic Encryption},
	url = {http://arxiv.org/abs/2112.12855},
	doi = {10.48550/arXiv.2112.12855},
	shorttitle = {{SoK}},
	abstract = {Outsourced computation for neural networks allows users access to state of the art models without needing to invest in specialized hardware and know-how. The problem is that the users lose control over potentially privacy sensitive data. With homomorphic encryption ({HE}) computation can be performed on encrypted data without revealing its content. In this systematization of knowledge, we take an in-depth look at approaches that combine neural networks with {HE} for privacy preservation. We categorize the changes to neural network models and architectures to make them computable over {HE} and how these changes impact performance. We find numerous challenges to {HE} based privacy-preserving deep learning such as computational overhead, usability, and limitations posed by the encryption schemes.},
	number = {{arXiv}:2112.12855},
	publisher = {{arXiv}},
	author = {Podschwadt, Robert and Takabi, Daniel and Hu, Peizhao},
	urldate = {2022-08-09},
	date = {2022-01-01},
	eprinttype = {arxiv},
	eprint = {2112.12855 [cs]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/CZ68YDC4/Podschwadt et al. - 2022 - SoK Privacy-preserving Deep Learning with Homomor.pdf:application/pdf},
}

@inproceedings{jiang_secure_2018,
	location = {Toronto Canada},
	title = {Secure Outsourced Matrix Computation and Application to Neural Networks},
	isbn = {978-1-4503-5693-0},
	url = {https://dl.acm.org/doi/10.1145/3243734.3243837},
	doi = {10.1145/3243734.3243837},
	abstract = {Homomorphic Encryption ({HE}) is a powerful cryptographic primitive to address privacy and security issues in outsourcing computation on sensitive data to an untrusted computation environment. Comparing to secure Multi-Party Computation ({MPC}), {HE} has advantages in supporting non-interactive operations and saving on communication costs. However, it has not come up with an optimal solution for modern learning frameworks, partially due to a lack of efficient matrix computation mechanisms.},
	eventtitle = {{CCS} '18: 2018 {ACM} {SIGSAC} Conference on Computer and Communications Security},
	pages = {1209--1222},
	booktitle = {Proceedings of the 2018 {ACM} {SIGSAC} Conference on Computer and Communications Security},
	publisher = {{ACM}},
	author = {Jiang, Xiaoqian and Kim, Miran and Lauter, Kristin and Song, Yongsoo},
	urldate = {2022-08-09},
	date = {2018-10-15},
	langid = {english},
	file = {Jiang et al. - 2018 - Secure Outsourced Matrix Computation and Applicati.pdf:/home/ketl1/Zotero/storage/MWAYTXQ4/Jiang et al. - 2018 - Secure Outsourced Matrix Computation and Applicati.pdf:application/pdf},
}

@misc{bellafqira_secure_2018,
	title = {Secure Multilayer Perceptron Based On Homomorphic Encryption},
	url = {http://arxiv.org/abs/1806.02709},
	doi = {10.48550/arXiv.1806.02709},
	abstract = {In this work, we propose an outsourced Secure Multilayer Perceptron ({SMLP}) scheme where privacy and confidentiality of both the data and the model are ensured during the training and the classification phases. More clearly, this {SMLP} : i) can be trained by a cloud server based on data previously outsourced by a user in an homomorphically encrypted form; ii) its parameters are homomorphically encrypted giving thus no clues to the cloud; and iii) it can also be used for classifying new encrypted data sent by the user returning him the encrypted classification result encrypted. The originality of this scheme is threefold. To the best of our knowledge, it is the first multilayer perceptron ({MLP}) secured in its training phase over homomorphically encrypted data with no problem of convergence. And It does not require extra-communications between the server and the user. It is based on the Rectified Linear Unit ({ReLU}) activation function that we secure with no approximation contrarily to actual {SMLP} solutions. To do so, we take advantage of two semi-honest non-colluding servers. Experimental results carried out on a binary database encrypted with the Paillier cryptosystem demonstrate the overall performance of our scheme and its convergence.},
	number = {{arXiv}:1806.02709},
	publisher = {{arXiv}},
	author = {Bellafqira, Reda and Coatrieux, Gouenou and Genin, Emmanuelle and Cozic, Michel},
	urldate = {2022-08-09},
	date = {2018-06-07},
	eprinttype = {arxiv},
	eprint = {1806.02709 [cs]},
	keywords = {Computer Science - Cryptography and Security},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/VYNNW66H/Bellafqira et al. - 2018 - Secure Multilayer Perceptron Based On Homomorphic .pdf:application/pdf},
}

@misc{rahulamathavan_privacy-preserving_2022,
	title = {Privacy-preserving Similarity Calculation of Speaker Features Using Fully Homomorphic Encryption},
	url = {http://arxiv.org/abs/2202.07994},
	doi = {10.48550/arXiv.2202.07994},
	abstract = {Recent advances in machine learning techniques are enabling Automated Speech Recognition ({ASR}) more accurate and practical. The evidence of this can be seen in the rising number of smart devices with voice processing capabilities. More and more devices around us are in-built with {ASR} technology. This poses serious privacy threats as speech contains unique biometric characteristics and personal data. However, the privacy concern can be mitigated if the voice features are processed in the encrypted domain. Within this context, this paper proposes an algorithm to redesign the back-end of the speaker verification system using fully homomorphic encryption techniques. The solution exploits the Cheon-Kim-Kim-Song ({CKKS}) fully homomorphic encryption scheme to obtain a real-time and non-interactive solution. The proposed solution contains a novel approach based on Newton Raphson method to overcome the limitation of {CKKS} scheme (i.e., calculating an inverse square-root of an encrypted number). This provides an efficient solution with less multiplicative depths for a negligible loss in accuracy. The proposed algorithm is validated using a well-known speech dataset. The proposed algorithm performs encrypted-domain verification in real-time (with less than 1.3 seconds delay) for a 2.8{\textbackslash}\% equal-error-rate loss compared to plain-domain verification.},
	number = {{arXiv}:2202.07994},
	publisher = {{arXiv}},
	author = {Rahulamathavan, Yogachandran},
	urldate = {2022-08-09},
	date = {2022-03-14},
	eprinttype = {arxiv},
	eprint = {2202.07994 [cs]},
	keywords = {Computer Science - Cryptography and Security},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/RFU5ZKLJ/Rahulamathavan - 2022 - Privacy-preserving Similarity Calculation of Speak.pdf:application/pdf},
}

@misc{lee_privacy-preserving_2021,
	title = {Privacy-Preserving Machine Learning with Fully Homomorphic Encryption for Deep Neural Network},
	url = {http://arxiv.org/abs/2106.07229},
	doi = {10.48550/arXiv.2106.07229},
	abstract = {Fully homomorphic encryption ({FHE}) is one of the prospective tools for privacypreserving machine learning ({PPML}), and several {PPML} models have been proposed based on various {FHE} schemes and approaches. Although the {FHE} schemes are known as suitable tools to implement {PPML} models, previous {PPML} models on {FHE} encrypted data are limited to only simple and non-standard types of machine learning models. These non-standard machine learning models are not proven efficient and accurate with more practical and advanced datasets. Previous {PPML} schemes replace non-arithmetic activation functions with simple arithmetic functions instead of adopting approximation methods and do not use bootstrapping, which enables continuous homomorphic evaluations. Thus, they could not use standard activation functions and could not employ a large number of layers. The maximum classification accuracy of the existing {PPML} model with the {FHE} for the {CIFAR}-10 dataset was only 77\% until now. In this work, we firstly implement the standard {ResNet}-20 model with the {RNS}-{CKKS} {FHE} with bootstrapping and verify the implemented model with the {CIFAR}-10 dataset and the plaintext model parameters. Instead of replacing the non-arithmetic functions with the simple arithmetic function, we use state-of-the-art approximation methods to evaluate these non-arithmetic functions, such as the {ReLU}, with sufficient precision [1]. Further, for the first time, we use the bootstrapping technique of the {RNS}-{CKKS} scheme in the proposed model, which enables us to evaluate a deep learning model on the encrypted data. We numerically verify that the proposed model with the {CIFAR}-10 dataset shows 98.67\% identical results to the original {ResNet}-20 model with non-encrypted data. The classification accuracy of the proposed model is 90.67\%, which is pretty close to that of the original {ResNet}-20 {CNN} model...},
	number = {{arXiv}:2106.07229},
	publisher = {{arXiv}},
	author = {Lee, Joon-Woo and Kang, {HyungChul} and Lee, Yongwoo and Choi, Woosuk and Eom, Jieun and Deryabin, Maxim and Lee, Eunsang and Lee, Junghyun and Yoo, Donghoon and Kim, Young-Sik and No, Jong-Seon},
	urldate = {2022-08-09},
	date = {2021-06-14},
	eprinttype = {arxiv},
	eprint = {2106.07229 [cs]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/MABY2425/Lee et al. - 2021 - Privacy-Preserving Machine Learning with Fully Hom.pdf:application/pdf},
}

@inproceedings{liu_oblivious_2017,
	location = {Dallas Texas {USA}},
	title = {Oblivious Neural Network Predictions via {MiniONN} Transformations},
	isbn = {978-1-4503-4946-8},
	url = {https://dl.acm.org/doi/10.1145/3133956.3134056},
	doi = {10.1145/3133956.3134056},
	abstract = {Machine learning models hosted in a cloud service are increasingly popular but risk privacy: clients sending prediction requests to the service need to disclose potentially sensitive information. In this paper, we explore the problem of privacy-preserving predictions: after each prediction, the server learns nothing about clients’ input and clients learn nothing about the model. We present {MiniONN}, the first approach for transforming an existing neural network to an oblivious neural network supporting privacy-preserving predictions with reasonable efficiency. Unlike prior work, {MiniONN} requires no change to how models are trained. To this end, we design oblivious protocols for commonly used operations in neural network prediction models. We show that {MiniONN} outperforms existing work in terms of response latency and message sizes. We demonstrate the wide applicability of {MiniONN} by transforming several typical neural network models trained from standard datasets.},
	eventtitle = {{CCS} '17: 2017 {ACM} {SIGSAC} Conference on Computer and Communications Security},
	pages = {619--631},
	booktitle = {Proceedings of the 2017 {ACM} {SIGSAC} Conference on Computer and Communications Security},
	publisher = {{ACM}},
	author = {Liu, Jian and Juuti, Mika and Lu, Yao and Asokan, N.},
	urldate = {2022-08-09},
	date = {2017-10-30},
	langid = {english},
	file = {Liu et al. - 2017 - Oblivious Neural Network Predictions via MiniONN T.pdf:/home/ketl1/Zotero/storage/WUEYDXKN/Liu et al. - 2017 - Oblivious Neural Network Predictions via MiniONN T.pdf:application/pdf},
}

@misc{mihara_neural_2020,
	title = {Neural Network Training With Homomorphic Encryption},
	url = {http://arxiv.org/abs/2012.13552},
	doi = {10.48550/arXiv.2012.13552},
	abstract = {We introduce a novel method and implementation architecture to train neural networks which preserves the confidentiality of both the model and the data. Our method relies on homomorphic capability of lattice based encryption scheme. Our procedure is optimized for operations on packed ciphertexts in order to achieve efficient updates of the model parameters. Our method achieves a significant reduction of computations due to our way to perform multiplications and rotations on packed ciphertexts from a feedforward network to a back-propagation network. To verify the accuracy of the training model as well as the implementation feasibility, we tested our method on the Iris data set by using the {CKKS} scheme with Microsoft {SEAL} as a back end. Although our test implementation is for simple neural network training, we believe our basic implementation block can help the further applications for more complex neural network based use cases.},
	number = {{arXiv}:2012.13552},
	publisher = {{arXiv}},
	author = {Mihara, Kentaro and Yamaguchi, Ryohei and Mitsuishi, Miguel and Maruyama, Yusuke},
	urldate = {2022-08-09},
	date = {2020-12-25},
	eprinttype = {arxiv},
	eprint = {2012.13552 [cs]},
	keywords = {Computer Science - Cryptography and Security},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/RJDJVPE9/Mihara et al. - 2020 - Neural Network Training With Homomorphic Encryptio.pdf:application/pdf},
}

@misc{brutzkus_low_2019,
	title = {Low Latency Privacy Preserving Inference},
	url = {http://arxiv.org/abs/1812.10659},
	doi = {10.48550/arXiv.1812.10659},
	abstract = {When applying machine learning to sensitive data, one has to find a balance between accuracy, information security, and computational-complexity. Recent studies combined Homomorphic Encryption with neural networks to make inferences while protecting against information leakage. However, these methods are limited by the width and depth of neural networks that can be used (and hence the accuracy) and exhibit high latency even for relatively simple networks. In this study we provide two solutions that address these limitations. In the first solution, we present more than \$10{\textbackslash}times\$ improvement in latency and enable inference on wider networks compared to prior attempts with the same level of security. The improved performance is achieved by novel methods to represent the data during the computation. In the second solution, we apply the method of transfer learning to provide private inference services using deep networks with latency of \${\textbackslash}sim0.16\$ seconds. We demonstrate the efficacy of our methods on several computer vision tasks.},
	number = {{arXiv}:1812.10659},
	publisher = {{arXiv}},
	author = {Brutzkus, Alon and Elisha, Oren and Gilad-Bachrach, Ran},
	urldate = {2022-08-09},
	date = {2019-06-06},
	eprinttype = {arxiv},
	eprint = {1812.10659 [cs, stat]},
	keywords = {Computer Science - Machine Learning, Statistics - Machine Learning},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/LGY523EX/Brutzkus et al. - 2019 - Low Latency Privacy Preserving Inference.pdf:application/pdf},
}

@incollection{bourse_fast_2018,
	location = {Cham},
	title = {Fast Homomorphic Evaluation of Deep Discretized Neural Networks},
	volume = {10993},
	isbn = {978-3-319-96877-3 978-3-319-96878-0},
	url = {https://link.springer.com/10.1007/978-3-319-96878-0_17},
	abstract = {The rise of machine learning as a service multiplies scenarios where one faces a privacy dilemma: either sensitive user data must be revealed to the entity that evaluates the cognitive model (e.g., in the Cloud), or the model itself must be revealed to the user so that the evaluation can take place locally. Fully Homomorphic Encryption ({FHE}) offers an elegant way to reconcile these conflicting interests in the Cloudbased scenario and also preserve non-interactivity. However, due to the inefficiency of existing {FHE} schemes, most applications prefer to use Somewhat Homomorphic Encryption ({SHE}), where the complexity of the computation to be performed has to be known in advance, and the efficiency of the scheme depends on this global complexity.},
	pages = {483--512},
	booktitle = {Advances in Cryptology – {CRYPTO} 2018},
	publisher = {Springer International Publishing},
	author = {Bourse, Florian and Minelli, Michele and Minihold, Matthias and Paillier, Pascal},
	editor = {Shacham, Hovav and Boldyreva, Alexandra},
	urldate = {2022-08-09},
	date = {2018},
	langid = {english},
	doi = {10.1007/978-3-319-96878-0_17},
	note = {Series Title: Lecture Notes in Computer Science},
	file = {Bourse et al. - 2018 - Fast Homomorphic Evaluation of Deep Discretized Ne.pdf:/home/ketl1/Zotero/storage/Z622HQAR/Bourse et al. - 2018 - Fast Homomorphic Evaluation of Deep Discretized Ne.pdf:application/pdf},
}

@article{badawi_privft_2020,
	title = {{PrivFT}: Private and Fast Text Classification With Homomorphic Encryption},
	volume = {8},
	issn = {2169-3536},
	doi = {10.1109/ACCESS.2020.3045465},
	shorttitle = {{PrivFT}},
	abstract = {We present an efficient and non-interactive method for Text Classification while preserving the privacy of the content using Fully Homomorphic Encryption ({FHE}). Our solution (named Private Fast Text ({PrivFT})) provides two services: 1) making inference of encrypted user inputs using a plaintext model and 2) training an effective model using an encrypted dataset. For inference, we use a pre-trained plaintext model and outline a system for homomorphic inference on encrypted user inputs with zero loss to prediction accuracy compared to the non-encrypted version. In the second part, we show how to train a supervised model using fully encrypted data to generate an encrypted model. For improved performance, we provide a {GPU} implementation of the Cheon-Kim-Kim-Song ({CKKS}) {FHE} scheme that shows 1 to 2 orders of magnitude speedup against existing implementations. We build {PrivFT} on top of our {FHE} engine in {GPUs} to achieve a run time per inference of 0.17 seconds for various Natural Language Processing ({NLP}) public datasets. Training on a relatively large encrypted dataset is more computationally intensive requiring 5.04 days.},
	pages = {226544--226556},
	journaltitle = {{IEEE} Access},
	author = {Badawi, Ahmad Al and Hoang, Louie and Mun, Chan Fook and Laine, Kim and Aung, Khin Mi Mi},
	date = {2020},
	note = {Conference Name: {IEEE} Access},
	keywords = {homomorphic encryption, Cryptography, Computational modeling, data privacy, Encryption, Training, Cloud computing, Data models, data security, Electronic mail, graphics processors, natural language processing},
	file = {IEEE Xplore Full Text PDF:/home/ketl1/Zotero/storage/JK2T4AYI/Badawi et al. - 2020 - PrivFT Private and Fast Text Classification With .pdf:application/pdf},
}

@misc{peng_danger_2019,
	title = {Danger of using fully homomorphic encryption: A look at Microsoft {SEAL}},
	url = {http://arxiv.org/abs/1906.07127},
	doi = {10.48550/arXiv.1906.07127},
	shorttitle = {Danger of using fully homomorphic encryption},
	abstract = {Fully homomorphic encryption is a promising crypto primitive to encrypt your data while allowing others to compute on the encrypted data. But there are many well-known problems with fully homomorphic encryption such as {CCA} security and circuit privacy problem. Despite these problems, there are still many companies are currently using or preparing to use fully homomorphic encryption to build data security applications. It seems that the full homomorphic encryption is very close to practicality and these problems can be easily mitigated in implementation. Although the those problems are well known in theory, there is no public discussion of their actual impact on real application. Our research shows that there are many security pitfalls in fully homomorphic encryption from the perspective of practical application. The security problems of a fully homomorphic encryption in a real application is more severe than imagined. In this paper, we will take Microsoft {SEAL} as an examples to introduce the security pitfalls of fully homomorphic encryption from the perspective of implementation and practical application},
	number = {{arXiv}:1906.07127},
	publisher = {{arXiv}},
	author = {Peng, Zhiniang},
	urldate = {2022-08-09},
	date = {2019-06-17},
	eprinttype = {arxiv},
	eprint = {1906.07127 [cs]},
	keywords = {Computer Science - Cryptography and Security},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/RSEUSM6A/Peng - 2019 - Danger of using fully homomorphic encryption A lo.pdf:application/pdf},
}

@misc{wang_variational_2022,
	title = {Variational Model Inversion Attacks},
	url = {http://arxiv.org/abs/2201.10787},
	doi = {10.48550/arXiv.2201.10787},
	abstract = {Given the ubiquity of deep neural networks, it is important that these models do not reveal information about sensitive data that they have been trained on. In model inversion attacks, a malicious user attempts to recover the private dataset used to train a supervised neural network. A successful model inversion attack should generate realistic and diverse samples that accurately describe each of the classes in the private dataset. In this work, we provide a probabilistic interpretation of model inversion attacks, and formulate a variational objective that accounts for both diversity and accuracy. In order to optimize this variational objective, we choose a variational family defined in the code space of a deep generative model, trained on a public auxiliary dataset that shares some structural similarity with the target dataset. Empirically, our method substantially improves performance in terms of target attack accuracy, sample realism, and diversity on datasets of faces and chest X-ray images.},
	number = {{arXiv}:2201.10787},
	publisher = {{arXiv}},
	author = {Wang, Kuan-Chieh and Fu, Yan and Li, Ke and Khisti, Ashish and Zemel, Richard and Makhzani, Alireza},
	urldate = {2022-08-09},
	date = {2022-01-26},
	eprinttype = {arxiv},
	eprint = {2201.10787 [cs]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/DYNQXJC6/Wang et al. - 2022 - Variational Model Inversion Attacks.pdf:application/pdf},
}

@misc{rigaki_survey_2021,
	title = {A Survey of Privacy Attacks in Machine Learning},
	url = {http://arxiv.org/abs/2007.07646},
	doi = {10.48550/arXiv.2007.07646},
	abstract = {As machine learning becomes more widely used, the need to study its implications in security and privacy becomes more urgent. Although the body of work in privacy has been steadily growing over the past few years, research on the privacy aspects of machine learning has received less focus than the security aspects. Our contribution in this research is an analysis of more than 40 papers related to privacy attacks against machine learning that have been published during the past seven years. We propose an attack taxonomy, together with a threat model that allows the categorization of different attacks based on the adversarial knowledge, and the assets under attack. An initial exploration of the causes of privacy leaks is presented, as well as a detailed analysis of the different attacks. Finally, we present an overview of the most commonly proposed defenses and a discussion of the open problems and future directions identified during our analysis.},
	number = {{arXiv}:2007.07646},
	publisher = {{arXiv}},
	author = {Rigaki, Maria and Garcia, Sebastian},
	urldate = {2022-08-09},
	date = {2021-04-01},
	eprinttype = {arxiv},
	eprint = {2007.07646 [cs]},
	keywords = {Computer Science - Cryptography and Security, Computer Science - Machine Learning},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/VRKYXH9I/Rigaki and Garcia - 2021 - A Survey of Privacy Attacks in Machine Learning.pdf:application/pdf},
}

@misc{boemer_ngraph-he_2019,
	title = {{nGraph}-{HE}: A Graph Compiler for Deep Learning on Homomorphically Encrypted Data},
	url = {http://arxiv.org/abs/1810.10121},
	doi = {10.48550/arXiv.1810.10121},
	shorttitle = {{nGraph}-{HE}},
	abstract = {Homomorphic encryption ({HE})---the ability to perform computation on encrypted data---is an attractive remedy to increasing concerns about data privacy in deep learning ({DL}). However, building {DL} models that operate on ciphertext is currently labor-intensive and requires simultaneous expertise in {DL}, cryptography, and software engineering. {DL} frameworks and recent advances in graph compilers have greatly accelerated the training and deployment of {DL} models to various computing platforms. We introduce {nGraph}-{HE}, an extension of {nGraph}, Intel's {DL} graph compiler, which enables deployment of trained models with popular frameworks such as {TensorFlow} while simply treating {HE} as another hardware target. Our graph-compiler approach enables {HE}-aware optimizations-- implemented at compile-time, such as constant folding and {HE}-{SIMD} packing, and at run-time, such as special value plaintext bypass. Furthermore, {nGraph}-{HE} integrates with {DL} frameworks such as {TensorFlow}, enabling data scientists to benchmark {DL} models with minimal overhead.},
	number = {{arXiv}:1810.10121},
	publisher = {{arXiv}},
	author = {Boemer, Fabian and Lao, Yixing and Cammarota, Rosario and Wierzynski, Casimir},
	urldate = {2022-08-09},
	date = {2019-04-02},
	eprinttype = {arxiv},
	eprint = {1810.10121 [cs]},
	note = {version: 3},
	keywords = {Computer Science - Cryptography and Security},
	file = {arXiv Fulltext PDF:/home/ketl1/Zotero/storage/2K8E3AQR/Boemer et al. - 2019 - nGraph-HE A Graph Compiler for Deep Learning on H.pdf:application/pdf},
}

@inproceedings{dowlin_cryptonets_2016,
	location = {New York, {NY}, {USA}},
	title = {{CryptoNets}: applying neural networks to encrypted data with high throughput and accuracy},
	series = {{ICML}'16},
	shorttitle = {{CryptoNets}},
	abstract = {Applying machine learning to a problem which involves medical, financial, or other types of sensitive data, not only requires accurate predictions but also careful attention to maintaining data privacy and security. Legal and ethical requirements may prevent the use of cloud-based machine learning solutions for such tasks. In this work, we will present a method to convert learned neural networks to {CryptoNets}, neural networks that can be applied to encrypted data. This allows a data owner to send their data in an encrypted form to a cloud service that hosts the network. The encryption ensures that the data remains confidential since the cloud does not have access to the keys needed to decrypt it. Nevertheless, we will show that the cloud service is capable of applying the neural network to the encrypted data to make encrypted predictions, and also return them in encrypted form. These encrypted predictions can be sent back to the owner of the secret key who can decrypt them. Therefore, the cloud service does not gain any information about the raw data nor about the prediction it made. We demonstrate {CryptoNets} on the {MNIST} optical character recognition tasks. {CryptoNets} achieve 99\% accuracy and can make around 59000 predictions per hour on a single {PC}. Therefore, they allow high throughput, accurate, and private predictions.},
	pages = {201--210},
	booktitle = {Proceedings of the 33rd International Conference on International Conference on Machine Learning - Volume 48},
	publisher = {{JMLR}.org},
	author = {Dowlin, Nathan and Gilad-Bachrach, Ran and Laine, Kim and Lauter, Kristin and Naehrig, Michael and Wernsing, John},
	urldate = {2022-08-09},
	date = {2016-06-19},
	file = {Dowlin et al. - CryptoNets Applying Neural Networks to Encrypted .pdf:/home/ketl1/Zotero/storage/KPK6LIU9/Dowlin et al. - CryptoNets Applying Neural Networks to Encrypted .pdf:application/pdf},
}

@article{rivest_data_1978,
	title = {{ON} {DATA} {BANKS} {AND} {PRIVACY} {HOMOMORPHISMS}},
	url = {https://www.scinapse.io},
	journaltitle = {Foundations of secure computation},
	author = {Rivest, Ronald L. and Adleman, Len and Dertouzos, Michael L.},
	urldate = {2022-08-18},
	date = {1978},
	file = {Full Text PDF:/home/ketl1/Zotero/storage/D38WK3VU/Rivest and Dertouzos - 1978 - ON DATA BANKS AND PRIVACY HOMOMORPHISMS.pdf:application/pdf},
}