Privacy-Preserving Neural Networks (PPNN) are advanced to perform inference without breaching user privacy, which can serve as an essential tool for medical diagnosis to simultaneously achieve big data utility and privacy protection. As one of the key techniques to enable PPNN, Fully Homomorphic Encryption (FHE) is facing a great challenge that homomorphic operations cannot be easily adapted for non-linear activation calculations. In this paper, batch-oriented element-wise data packing and approximate activation are proposed, which train linear low-degree polynomials to approximate the non-linear activation function - ReLU. Compared with other approximate activation methods, the proposed fine-grained, trainable approximation scheme can effectively reduce the accuracy loss caused by approximation errors. Meanwhile, due to element-wise data packing, a large batch of images can be packed and inferred concurrently, leading to a much higher utility ratio of ciphertext slots. Therefore, although the total inference time increases sharply, the amortized time for each image actually decreases, especially when the batch size increases. Furthermore, knowledge distillation is adopted in the training process to further enhance the inference accuracy. Experiment results show that when ciphertext inference is performed on 4096 input images, compared with the current most efficient channel-wise method, the inference accuracy is improved by 1.65%, and the amortized inference time is reduced by 99.5%.

翻译：隐私保护神经网络（PPNN）旨在不泄露用户隐私的情况下执行推理，可成为医疗诊断中同时实现大数据效用与隐私保护的关键工具。作为实现PPNN的核心技术之一，全同态加密（FHE）面临重大挑战：同态运算难以直接适配非线性激活计算。本文提出面向批次的逐元素数据打包与近似激活方法，通过训练线性低阶多项式来逼近非线性激活函数ReLU。与其他近似激活方法相比，所提出的细粒度可训练近似方案能有效降低近似误差导致的精度损失。同时，基于逐元素数据打包，可对大批量图像进行并行打包与推理，从而显著提升密文槽的利用率。因此，尽管总推理时间大幅增加，但每张图像的均摊时间实际下降，尤其在批量规模增大时更为明显。此外，训练过程中引入知识蒸馏进一步提升推理精度。实验结果表明：对4096张输入图像进行密文推理时，与当前最高效的通道级方法相比，推理精度提升1.65%，均摊推理时间降低99.5%。