Paper 2020/721

MP2ML: A Mixed-Protocol Machine Learning Framework for Private Inference

Fabian Boemer
Rosario Cammarota
Daniel Demmler
Thomas Schneider
Hossein Yalame, TU Darmstadt

Privacy-preserving machine learning (PPML) has many applications, from medical image classification and anomaly detection to financial analysis. nGraph-HE enables data scientists to perform private inference of deep learning (DL) models trained using popular frameworks such as TensorFlow. nGraph-HE computes linear layers using the CKKS homomorphic encryption (HE) scheme. The non-polynomial activation functions, such as MaxPool and ReLU, are evaluated in the clear by the data owner who obtains the intermediate feature maps. This leaks the feature maps to the data owner from which it may be possible to deduce the DL model weights. As a result, such protocols may not be suitable for deployment, especially when the DL model is intellectual property. In this work, we present MP2ML, a machine learning framework which integrates nGraph-HE and the secure two-party computation framework ABY, to overcome the limitations of leaking the intermediate feature maps to the data owner. We introduce a novel scheme for the conversion between CKKS and secure multi-party computation to execute DL inference while maintaining the privacy of both the input data and model weights. MP2ML is compatible with popular DL frameworks such as TensorFlow that can infer pre-trained neural networks with native ReLU activations. We benchmark MP2ML on the CryptoNets network with ReLU activations, on which it achieves a throughput of 33.3 images/s and an accuracy of 98.6%. This throughput matches the previous state-of-the-art work, even though our protocol is more accurate and scalable.

Note: The first hybrid HE-MPC framework that integrates with a DL framework such as TensorFlow. The implementation is available in:

Available format(s)
Publication info
Published elsewhere. ARES'20
private machine learning homomorphic encryption secure multi-party computation
Contact author(s)
yalame @ encrypto cs tu-darmstadt de
2022-06-06: last of 3 revisions
2020-06-16: received
See all versions
Short URL
Creative Commons Attribution


      author = {Fabian Boemer and Rosario Cammarota and Daniel Demmler and Thomas Schneider and Hossein Yalame},
      title = {MP2ML: A Mixed-Protocol Machine Learning Framework for Private Inference},
      howpublished = {Cryptology ePrint Archive, Paper 2020/721},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.