Hi all, I would like to ask if TFHE is circuit private, that is, can some information about the function being evaluated on encrypted ciphertexts be leaked by the outcome of the evaluation to the party decrypting the result? I have read that in general FHE security does not prevent such information leakage from occurring, so I am wondering if TFHE ciphertexts can exhibit such a leakage or not.
I am thinking about a scenario where Concrete-ML is used by a MLaaS entity which would like to keep its model private to perform inference on encrypted user data: would the lack of circuit privacy in TFHE mean that users could potentially learn the model from the result of the inference?
In the case of MLaaS, for example, the user interacting with your service can indeed try to reverse-engineer your model, since they know both the input and the output of the model.
That said, anyone eavesdropping would only see encrypted data passing through, thus making it impossible for them to reverse-engineer the model.
Also, something to take into account is that, depending on your model, it might take quite a lot of queries to reverse-engineer it. Since each user provides the server with their own evaluation key, the server is still able to track the number of queries per user, which lets it rate-limit a user trying to attack the model.
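As an added illustration of the two points in the reply above (a client who sees plaintext inputs and outputs can extract a model by querying it, and a per-evaluation-key query quota limits that), here is a small Python script. It is not part of the thread and not Concrete-ML or TFHE code: the `InferenceServer` class, the integer linear model, the SHA-256-derived key identifier and the query quota are all assumptions made for the demo, and inference runs in the clear because what matters is what the client learns from (input, output) pairs, not how the server computes them.

```python
import hashlib
from typing import Dict, List, Optional, Tuple


class QuotaExceeded(Exception):
    """Raised when a client identified by its evaluation key runs out of queries."""


class InferenceServer:
    """Hypothetical MLaaS server holding a secret integer linear model y = w.x + b.

    Integer weights stand in for a quantized model; the server counts queries
    per evaluation key (here: a hash of the key bytes) and refuses to serve a
    client past its quota. Computing in the clear is a simplification: with FHE
    the server would evaluate the same function on ciphertexts, and the client,
    who decrypts, would still see exactly these outputs.
    """

    def __init__(self, weights: List[int], bias: int, quota: int) -> None:
        self._w = list(weights)
        self._b = bias
        self.quota = quota
        self._counts: Dict[str, int] = {}

    @staticmethod
    def key_id(evaluation_key: bytes) -> str:
        # Any stable identifier derived from the key works for accounting.
        return hashlib.sha256(evaluation_key).hexdigest()[:16]

    def infer(self, evaluation_key: bytes, x: List[int]) -> int:
        kid = self.key_id(evaluation_key)
        used = self._counts.get(kid, 0) + 1
        if used > self.quota:
            raise QuotaExceeded(f"client {kid} exceeded {self.quota} queries")
        self._counts[kid] = used
        if len(x) != len(self._w):
            raise ValueError("input dimension does not match the model")
        return sum(wi * xi for wi, xi in zip(self._w, x)) + self._b


def extract_linear_model(server: InferenceServer, evaluation_key: bytes,
                         dim: int) -> Tuple[List[int], int]:
    """Recover an integer linear model with exactly dim + 1 queries.

    Query the zero vector to get the bias, then each unit vector: the output
    minus the bias is the corresponding weight. Only input/output pairs are used,
    which is all an FHE client gets after decrypting.
    """
    bias = server.infer(evaluation_key, [0] * dim)
    weights = []
    for i in range(dim):
        unit = [0] * dim
        unit[i] = 1
        weights.append(server.infer(evaluation_key, unit) - bias)
    return weights, bias


# Constructed demo model and evaluation key (not real key material).
SECRET_WEIGHTS = [3, -2, 7, 1]
SECRET_BIAS = 5
CLIENT_EVAL_KEY = b"constructed-evaluation-key-bytes-for-client-A"


def run_extraction(quota: int) -> Optional[Tuple[List[int], int]]:
    """Attempt extraction against a fresh server with the given per-key quota.

    Returns the recovered (weights, bias) when the attack completes, or None when
    the quota stops it before the dim + 1 queries it needs.
    """
    server = InferenceServer(SECRET_WEIGHTS, SECRET_BIAS, quota)
    try:
        return extract_linear_model(server, CLIENT_EVAL_KEY, len(SECRET_WEIGHTS))
    except QuotaExceeded:
        return None


if __name__ == "__main__":
    print("quota 5:", run_extraction(5))   # dim 4 needs 5 queries: model recovered
    print("quota 4:", run_extraction(4))   # one query short: None
```

For a linear model the budget is tiny (d + 1 queries for d features), which is why the reply says the cost depends on the model; the quota keyed on the evaluation key is what turns "it takes many queries" into something the server can actually enforce.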
Thanks a lot for your clarification. I believe that the query-based reverse-engineering attack you mentioned is kind of unavoidable but reasonably easy to prevent for complex models, as you pointed out.
However, if TFHE is not circuit private, then I suppose that the output ciphertext and the noise of such a ciphertext might in principle exhibit some leakage of the model, as mentioned for instance in https://eprint.iacr.org/2022/1459; so I am wondering whether more powerful attacks could be mounted by exploiting such a leakage, or whether it is mostly a theoretical leakage with few practical consequences.
I know it might be a complex question to answer, so even understanding whether you considered this potential threat in the design of TFHE or excluded it from the threat model (at least for now) would be interesting.
Currently, there appears to be no documented attack exploiting the TFHE noise structure to recover evaluation circuits. However, this certainly does not mean that such attacks cannot be mounted. Understanding concrete attacks against the circuit privacy of TFHE would certainly be an interesting research direction, though.
The summary is that plain TFHE should definitely not be used in cases where the evaluation circuit contains secret information. However, if an application requires circuit privacy, one can use the techniques from the paper you mentioned in your previous post.
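As an added illustration of why the noise of an output ciphertext can leak the evaluated function, and of the classic noise-flooding countermeasure, here is a toy LWE scheme in Python. It is not part of the thread and not TFHE or Concrete code, and noise flooding is shown as the textbook idea of circuit privacy, not as the specific technique of the paper cited above. Everything in it is an assumption for the demo: the parameters (Q, P, N, the noise bounds), the "secret circuit" being a multiplication by a clear constant w, and flooding implemented as adding (0, E) to the ciphertext. Real TFHE uses bootstrapping and Gaussian noise, so this shows the mechanism of the leak on a linear operation, not an attack on TFHE itself.

```python
import random
from typing import List, Tuple

# Toy LWE parameters (assumed for the demo; not TFHE's real parameters).
Q = 2**32                  # ciphertext modulus
P = 16                     # plaintext modulus: messages are integers mod 16
DELTA = Q // P             # message scaling factor, 2**28
N = 8                      # LWE dimension (far too small for security)
ENC_NOISE_BOUND = 8        # client picks fresh noise e in [-8, 8], e != 0
FLOOD_NOISE_BOUND = 2**20  # server-side flooding noise, much larger than |w * e|
# Correctness needs |total noise| < DELTA / 2 = 2**27; 7 * 8 + 2**20 is well below.

Ciphertext = Tuple[List[int], int]


def keygen(rng: random.Random) -> List[int]:
    return [rng.randrange(2) for _ in range(N)]


def dot(a: List[int], s: List[int]) -> int:
    return sum(ai * si for ai, si in zip(a, s)) % Q


def encrypt(rng: random.Random, s: List[int], m: int) -> Tuple[Ciphertext, int]:
    """LWE encryption (a, b = <a, s> + m*DELTA + e).

    Returns the ciphertext and the noise e: the encrypting party chose e, so it
    knows it exactly. That is what makes the output noise informative later.
    """
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.choice([v for v in range(-ENC_NOISE_BOUND, ENC_NOISE_BOUND + 1) if v != 0])
    b = (dot(a, s) + m * DELTA + e) % Q
    return (a, b), e


def scalar_mul(ct: Ciphertext, w: int) -> Ciphertext:
    """Homomorphic multiplication by a clear constant w: the server's secret 'circuit'.
    The noise of the result is exactly w * e."""
    a, b = ct
    return [(w * ai) % Q for ai in a], (w * b) % Q


def flood(rng: random.Random, ct: Ciphertext) -> Ciphertext:
    """Noise flooding: add (0, E) with |E| >> |w * e|.

    (0, E) is a valid encryption of zero under any key, so the decrypted message
    is unchanged, but the output noise w*e + E no longer pins down w. A real
    sanitizer would also re-randomize a; noise on b is enough for this demo.
    """
    a, b = ct
    big_noise = rng.randint(-FLOOD_NOISE_BOUND, FLOOD_NOISE_BOUND)
    return a, (b + big_noise) % Q


def decrypt(s: List[int], ct: Ciphertext) -> Tuple[int, int]:
    """Return (message, noise). The key holder sees the noise, not just the message."""
    a, b = ct
    phase = (b - dot(a, s)) % Q
    if phase >= Q // 2:
        phase -= Q                      # centre in (-Q/2, Q/2]
    m_scaled = round(phase / DELTA)
    noise = phase - m_scaled * DELTA
    return m_scaled % P, noise


def recover_weight(noise: int, e: int) -> int:
    """Client's guess for w: without flooding the noise is exactly w * e, and e is known."""
    return round(noise / e)


def simulate(flood_noise: bool, trials: int, seed: int) -> int:
    """Run `trials` encrypt/evaluate/decrypt rounds; return how often the client
    recovers the server's secret weight w from the output noise."""
    rng = random.Random(seed)
    recovered = 0
    for _ in range(trials):
        s = keygen(rng)
        w = rng.randint(1, 7)           # server secret; 1..7 keeps w * m < P
        ct, e = encrypt(rng, s, 1)      # client encrypts m = 1 and remembers e
        out = scalar_mul(ct, w)
        if flood_noise:
            out = flood(rng, out)
        m, noise = decrypt(s, out)
        assert m == w % P               # the homomorphic result is correct either way
        if recover_weight(noise, e) == w:
            recovered += 1
    return recovered


if __name__ == "__main__":
    print("plain evaluation, w recovered:", simulate(False, 200, seed=1), "/ 200")
    print("with noise flooding, w recovered:", simulate(True, 200, seed=1), "/ 200")
```

The decrypted message is identical in both runs; only the noise differs, and in the plain run it hands the client the weight in one query. That is the gap between "the ciphertext hides the input" (LWE security) and "the ciphertext hides the function" (circuit privacy) that the reply above is drawing.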