ZIP-0275

Privacy-Preserving AI Training (FHE)

Final

Fully Homomorphic Encryption applied to AI training and inference, enabling computation on encrypted wildlife data without decryption

Type: Standards Track
Category: AI
Author: Zoo Labs Foundation
Created: 2024-10-01
Tags: fhe, privacy, homomorphic-encryption, encrypted-inference, confidential-compute

ZIP-0423: Privacy-Preserving AI Training (FHE)

Abstract

This proposal specifies the application of Fully Homomorphic Encryption (FHE) to AI model training and inference, enabling computation on encrypted data without ever decrypting it. For conservation applications, this means sensitive wildlife data (endangered species locations, anti-poaching patrol routes, genetic samples) can be used to improve AI models while remaining encrypted throughout the entire pipeline -- from data collection through training to inference.

Motivation

Conservation data sensitivity requires privacy guarantees beyond differential privacy (ZIP-0410):

  1. Endangered species locations: GPS coordinates of critically endangered species (< 100 individuals remaining) are classified intelligence. Exposure enables poaching.
  2. Anti-poaching routes: Patrol patterns, if exposed, allow poachers to evade detection.
  3. Genetic data: DNA samples from endangered species have black-market value.
  4. Indigenous knowledge: Traditional ecological knowledge shared under cultural protocols that prohibit public disclosure.

FHE provides the strongest possible privacy guarantee: the data is never decrypted during computation, so even a compromised training node cannot access raw data.

Specification

FHE Scheme

  • Scheme: CKKS (Cheon-Kim-Kim-Song) for approximate arithmetic on encrypted floating-point data
  • Security level: 128-bit post-quantum security
  • Bootstrapping: Programmable bootstrapping for arbitrary circuit depth

Encrypted Training Pipeline

Data Provider                  Training Node
(conservation org)             (untrusted compute)
      │                              │
      │ Encrypt(data, pk)            │
      ├─────────────────────────────>│
      │                              │ FHE_Train(enc_data, enc_model)
      │                              │ (all operations on ciphertext)
      │         enc_gradient         │
      │<─────────────────────────────┤
      │                              │
      │ Decrypt(enc_gradient, sk)    │
      │ Apply to local model         │

Performance

Operation                 FHE Overhead   Throughput
Forward pass (7B model)   1000x          1 sample/sec
Gradient computation      500x           2 samples/sec
Inference (1.5B model)    100x           10 samples/sec

Hybrid Approach

For practical deployment, combine FHE with trusted execution environments (TEEs):

  • Sensitive data operations: FHE (maximum privacy)
  • Non-sensitive computations: TEE (good privacy, better performance)
  • Router decides per-operation based on data sensitivity classification
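
A sketch of the per-operation router described above, added here as an example; it is not code from this proposal or from hanzo/candle. The dataset labels, the `Op` type, and two rules are assumptions of the example: an operation inherits the highest sensitivity among its inputs (including outputs of earlier operations), and any unlabelled input fails closed to FHE.

```python
from dataclasses import dataclass
from enum import IntEnum

class Sensitivity(IntEnum):
    PUBLIC = 0
    SENSITIVE = 1

# Constructed labels (assumption). The four sensitive entries mirror the
# categories listed under Motivation; the public ones are illustrative.
CLASSIFICATION = {
    "species_gps": Sensitivity.SENSITIVE,
    "patrol_routes": Sensitivity.SENSITIVE,
    "genetic_samples": Sensitivity.SENSITIVE,
    "indigenous_knowledge": Sensitivity.SENSITIVE,
    "public_weather": Sensitivity.PUBLIC,
    "model_hyperparams": Sensitivity.PUBLIC,
}

@dataclass(frozen=True)
class Op:
    name: str
    inputs: tuple  # dataset labels or names of earlier ops (hypothetical type)

def classify(label, derived):
    """Sensitivity of one input; unknown labels fail closed to SENSITIVE."""
    if label in derived:
        return derived[label]
    return CLASSIFICATION.get(label, Sensitivity.SENSITIVE)

def route(pipeline):
    """Map each op (given in execution order) to "FHE" or "TEE"."""
    derived, plan = {}, {}
    for op in pipeline:
        # Taint propagation: one sensitive input makes the whole op sensitive.
        level = max((classify(i, derived) for i in op.inputs),
                    default=Sensitivity.SENSITIVE)  # no inputs: fail closed
        derived[op.name] = level
        plan[op.name] = "FHE" if level == Sensitivity.SENSITIVE else "TEE"
    return plan

# Constructed sample pipeline.
PIPELINE = [
    Op("normalize_weather", ("public_weather",)),
    Op("embed_sightings", ("species_gps", "normalize_weather")),
    Op("forward_pass", ("embed_sightings", "model_hyperparams")),
    Op("lr_schedule", ("model_hyperparams",)),
    Op("ingest_new_feed", ("drone_feed_v2",)),  # unlabelled, routed to FHE
]
```

Because sensitivity propagates through derived outputs, `forward_pass` stays on the FHE path even though none of its direct inputs is a raw sensitive dataset.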

Research Papers

Implementation

  • hanzo/candle: Rust ML framework with FHE operator support
  • hanzo/node: Blockchain node with FHE-enabled compute
  • zoo/contracts: Smart contracts for FHE key management

Timeline

  • Originated: October 2024 (FHE for AI research)
  • Research: zoo-fhe and zoo-fhe-ai published Q4 2024
  • Implementation: FHE inference pipeline in Hanzo Candle 2025