This 2016 paper by Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing at Microsoft Research, presented at ICML, demonstrated CryptoNets: a neural network that makes predictions on data it never sees in the clear. The data owner encrypts their input, the cloud service runs the model on the ciphertext, and returns an encrypted result that only the owner can decrypt. The server learns neither the input nor the output.
The trick is homomorphic encryption, a form of encryption that allows certain mathematical operations to be performed directly on encrypted values, so that decrypting the result gives the same answer as if the operations had been done on the plaintext. The catch is that homomorphic schemes support only limited operations, essentially additions and multiplications, and become slow and noisy as computations deepen. The authors redesigned a neural network to fit within those constraints, replacing operations like the standard activation function with polynomial approximations the encryption could handle. On the MNIST digit-recognition task they reached “99% accuracy” while processing “around 59000 predictions per hour on a single PC,” showing the approach was not merely theoretical.
This addressed a specific and common worry: organizations want to use cloud machine learning services but cannot legally or commercially hand sensitive inputs, medical images, financial records, to a third party in readable form.
For a business reader, CryptoNets is the proof of concept for encrypted inference: sending data to an AI service for analysis without the service, or anyone who breaches it, ever being able to read that data. It remains computationally expensive, but it defined what privacy-preserving outsourced AI could look like and seeded a continuing line of practical work.