Privasea AI Network Whitepaper

Privasea Technology

Abstract. As the amount of data being generated and the number

of users accessing data-driven applications increase, there are concerns
about privacy protection and the lack of computational power. One po-
tential solution to these issues is AI computation networks, which can
offer efficient methods to stimulate computation power and maintain pri-
vacy throughout the data processing cycle. This whitepaper introduces
the Privasea AI Network, which allows multiple parties to collaborate
without revealing sensitive information. Our proposed system employs
Fully Homomorphic Encryption (FHE) technology to ensure the privacy
and security of data during the AI computation process. Additionally,
we provide demonstrations of AI models running on the Privasea AI
Network to showcase its effectiveness.

1 Introduction
1.1 Objectives
Machine learning is a powerful technology that has the potential to significantly
improve our lives. By using advanced algorithms to analyse large amounts of
data, machine learning can help people make better decisions, solve complex
problems, and even predict future events.
However, there are concerns about the privacy and security of personal data,
as many sensitive types of information such as medical records, financial informa-
tion and personal identification information require external computing power
for AI processing. This has created a need for privacy-preserving AI that can
protect each individual’s privacy while still allowing accurate machine learning.
Privasea AI Network is designed to address the aforementioned issues and
provide AI solutions that protect privacy. One of its primary objectives is to
comply with data protection regulations, such as the General Data Protection
Regulation (GDPR) in the European Union. These regulations have stringent
requirements for the collection, processing and storage of personal data. To meet
these requirements, organisations can use privacy preserving AI techniques that
ensure personal data is protected during the model training and inference pro-
cess.
Another objective is to safeguard users’ sensitive data from unauthorised
access. Data leakage can result in substantial harm to individuals whose data
has been compromised. Privacy-preserving AI techniques can help prevent data
breaches by encrypting sensitive data during AI processing.
Finally, privacy-preserving AI can aid in enhancing trust in machine learn-
ing systems. Many individuals are hesitant to share their personal data with
2

organisations because they are concerned about how it will be used. By using
privacy-preserving AI techniques to protect personal data during machine learn-
ing, organisations can help build trust and encourage more people to share their
data.

1.2 Overview

Privasea AI Network is a privacy-preserving machine learning project that uses

Fully Homomorphic Encryption or FHE as its core technology. The project aims
to bridge the gap between user data and distributed computing power while
ensuring security. One of the key features of Privasea AI Network is its strong
security and comprehensive functionality.
FHE is a powerful technology that permits arbitrary computations to be
performed on encrypted data. As a result, sensitive data can be processed with-
out ever being exposed in plaintext form. Privasea leverages this technology to
enable users to securely upload their encrypted data to the Privasea storage
layer and transfer it to the distributed computing nodes for processing. By using
FHE, Privasea AI Network guarantees that user data is always encrypted in the
network. The encrypted data can only be decrypted by the user, which ensures
that sensitive information remains inaccessible to anyone else. This provides a
high level of security and privacy for users.
In addition to its robust security guarantees, Privasea AI Network provides
comprehensive functionality for machine learning tasks and has low communi-
cation requirements compared with MPC solutions. This means that users can
utilise the platform without being concerned about long time online constraints.
The project supports a diverse range of machine learning algorithms and also
enables users to upload models of their choice. This makes it simple for users to
leverage the latest machine learning techniques while maintaining the security
of their data.
In conclusion, Privasea AI Network is a powerful privacy-preserving machine
learning project that uses Fully Homomorphic Encryption or FHE as its core
technology. The project offers strong security guarantees, low communication
requirements, and comprehensive functionality. This makes it an attractive op-
tion for users who want to take advantage of distributed computing power while
ensuring that their data remains secure.

2 FHE Fundamentals

The concept of FHE was first introduced by Rivest et al. in 1978 [1], and over the
following thirty years, many cryptographers worked to develop partially homo-
morphic encryption schemes that preserved homomorphism for single addition or
multiplication operations. These included multiplication-homomorphic schemes
such as RSA and ElGamal [2], and addition-homomorphic schemes such as Pal-
lier [3].
 Privasea AI Network Whitepaper 3

In 2009, Craig Gentry proposed the first fully homomorphic encryption scheme
based on ideal lattices [4,5]. Gentry’s approach involved constructing a some-
what homomorphic encryption scheme that can homomorphically evaluate lim-
ited circuit depth, and then performing so-called bootstrapping operations. This
resulted in a scheme that could homomorphically calculate any depth circuit.
Since Gentry’s breakthrough, there has been significant progress in the de-
velopment of FHE schemes [6,7,8,9,10,11,12,13,14,15,16,17,18]. Currently, most
FHE schemes are based on the Learning with Errors (LWE) problem or its ring
variant (RLWE) on lattice [19,20]. These schemes can be divided into three main
categories based on their plaintext space and computation method: BGV/BFV
schemes perform arithmetic calculations on finite fields; CKKS schemes perform
approximate arithmetic calculations on real/complex numbers; GSW/FHEW/TFHE
schemes can easily calculate logical circuits.

2.1 BGV Scheme

In 2012, Brakerski et al. proposed the BGV scheme [10]. They constructed a
new multiplication method, using tensor product and so-called relinearization
technologies, to ensure that the ciphertexts will be decrypted into the prod-
uct of plaintexts. However, each addition or multiplication operation will cause
noise expansion. BGV proposed a module switching technique, which can re-
duce the relative size of noise and noise upper bound by switching the modulus
once after homomorphic multiplication. Therefore, it can calculate circuits of
any depth without bootstrapping as long as the module sequence is set appro-
priately according to the required circuit depth during parameter selection. This
scheme greatly improved the efficiency of homomorphic implementation, and
had a certain degree of usability. Later, this scheme was continuously optimized
and improved, such as SIMD parallel computing.

Encryption/Decryption

Given plaintext m ∈ {0, 1},m = (m, 0), r ← R2 , e = (e0 , e1 ) ← χ2

– Key Generation: a ← Rq , e ← χ, b = −as + 2e mod q ∈ Rq ,

sk = (1, s) ∈ R22

pk = (b, a) ∈ R2q
– Encryption:

c = (c0 , c1 ) = r · pk + m + 2e = (rb + m + 2e0 , ra + 2e1 ) ∈ R2q

– Decryption:
m = ⟨c, sk⟩ mod q mod 2
4

Homomorphic Evaluation

Given two BGV cyphertexts c1 = (c10 , c11 ),c2 = (c20 , c21 )

– Homomorphic Addition: c+ = c1 ⊕ c2 = (c10 + c20 , c11 + c21 )

– Homomorphic Multiplication: c× = c1 ⊗ c2 = (c10 c20 , c10 c21 + c11 c20 ) +

c11 c21 · rlk
where rlk denotes relinearization key:
 ′
b1 = −a′1 s + e1 + 1, a′1

 b′2 = −a′2 s + e2 + s, a′2 
rlk =  b′3 = −a′3 s + e3 + s, a′3 


b′4 = −a′4 s + e4 + s2 , a′4

Fig. 1. BGV encoding and homomorphic multiplication

Modulus Switching

After performing homomorphic multiplication, the resulting ciphertext c× sat-

isfies the equation ⟨c× , sk ′ ⟩ = m1 · m2 + 2e · (r1 m2 + r2 m1 ) + r1 r2 · (2e)2 . The
size of the noise changes from O(e) to O(e2 ). The modulus switching tech-
nique is used to address the issue of exponential noise expansion. The imple-
mentation method is as follows: Given the original ciphertext c, let c′ repre-
sent the integer closest to ⌈ pq · c⌋ and satisfy c = c′ mod 2, In other words,
c′ ← Scale(c, q, p, 2). Then, ⟨c′ , sk⟩ mod p mod 2 = ⟨c, sk⟩ mod q mod 2,
p
and satisfies |⟨c′ , sk⟩ mod p| < .
2

2.2 BFV Scheme

 Privasea AI Network Whitepaper 5

In 2012, Brakerski and Junfeng Fan et al. respectively proposed fully homomor-
phic encryption schemes based on LWE and RLWE that do not require modulus
switching [12,11,13]. The BFV scheme is a combination of these schemes. This
scheme is different from the BGV scheme in the message encoding method. The
message is multiplied by a scaling factor before encryption. Therefore, to ensure
the homomorphism, BFV’s multiplication needs to divide the expansion factor
after tensor product and relinearization, which simultaneously reduces noise, and
thus it does not need modulus switching.

Encryption/Decryption

Given plaintext m ∈ Rt , m = (m, 0), r ← R2 , e = (e0 , e1 ) ← χ2

– Key Generation: a, a′ ← Rq , e, e′ ← χ, b = −as + e mod q ∈ Rq ,

sk = (1, s) ∈ R22

pk = (b, a) ∈ R2q
q 2 ′
rlk = (b′ = −a′ s + e′ + · s , a ) ∈ R2q
t
– Encryption:
q q
c = (c0 , c1 ) = r · pk + m + e = (rb + · m + e0 , ra + e1 ) ∈ R2q
t t
– Decryption:
t
m = ⌊ · ⟨c, sk⟩ mod q⌉ mod t
q
Homomorphic Evaluation

Given two BFV cyphertexts c1 = (c10 , c11 ),c2 = (c20 , c21 )

– Homomorphic Addition: c+ = c1 ⊕ c2 = (c10 + c20 , c11 + c21 )

q
– Homomorphic Multiplication: c× = c1 ⊗ c2 = · (c10 c20 , c10 c21 +
t
q
c11 c20 ) + · c11 c21 · rlk
t

2.3 CKKS Scheme

In 2017, Cheon et al. proposed CKKS scheme which is a homomorphic scheme

that performs approximate arithmetic calculations on real/complex numbers
[15]. This scheme targets scenarios such as machine learning that do not require
exact calculation results. In 2018, the team implemented CKKS’s bootstrap-
ping. In terms of implementation, the HEAAN open-source library was released
6

Fig. 2. BFV encoding and homomorphic multiplication

at the same time as the paper. In addition, due to necessity of floating-point ho-
momorphic operations in specific scenarios, the HElib and SEAL libraries have
also updated support for CKKS schemes.

Encryption/Decryption

Given plaintext m ∈ Rq , m = (m, 0), r ← R2 , e = (e0 , e1 ) ← χ2

– Key Generation: a, a′ ← Rq , e, e′ ← χ, b = −as + e mod q ∈ Rq , b′ =

−a′ s + e′ mod q ∈ Rq
sk = (1, s) ∈ R22

pk = (b, a) ∈ R2q

rlk = (b′ = −a′ s + e′ + ps2 , a′ ) ∈ R2pq

– Encryption:

c = (c0 , c1 ) = r · pk + m + e = (rb + m + e0 , ra + e1 ) ∈ R2q

– Decryption:
m′ = m + ẽ = ⟨c, sk⟩ mod q

Homomorphic Evaluation

Given two CKKS cyphertexts c1 = (c10 , c11 ),c2 = (c20 , c21 )

– Homomorphic Addition: c+ = c1 ⊕ c2 = (c10 + c20 , c11 + c21 )

– Homomorphic Multiplication: c× = c1 ⊗ c2 = (c10 c20 , c10 c21 + c11 c20 ) +

c11 c21 · rlk j m
– Rescale: c′ ← qqℓℓ′ c× , where qqℓℓ′ ≈ p−1 is the rescale factor.
 Privasea AI Network Whitepaper 7

Fig. 3. CKKS encoding and homomorphic multiplication

2.4 GSW/FHEW/TFHE Scheme

In 2013, Gentry et al. proposed the GSW scheme [14]. The characteristic of
this scheme is bit-wise encryption. The ciphertext space is a matrix ring, thus
addition and multiplication on this ring naturally satisfy homomorphism and do
not require specific design. The key to implementing leveled fully homomorphic
encryption is Flatten technology, which controls the noise expansion after opera-
tions. Brakerski et al. designed a bootstrapping algorithm for the GSW scheme,
it takes about half an hour for one bootstrapping operation. In 2015, Ducas et
al. proposed the FHEW scheme [21]. This scheme borrowed GSW’s ciphertext
form and constructed an accumulator with GSW ciphertexts on rings to achieve
bootstrapping, reducing the time for one bootstrapping to 0.69 seconds and re-
leasing FHEW open-source library. In 2016, Chillotti et al. continued to study
this idea and proposed the TFHE scheme [16,17,18]. This scheme also borrowed
GSW’s ciphertext form and used external multiplication of ring GSW cipher-
texts and LWE ciphertexts to construct an efficient CMUX gate. It was applied
to build blind rotation algorithms during bootstrapping to further reduce one
bootstrapping time to 0.013 seconds.

LWE Encryption/Decryption

Given plaintext m ∈ Zt , a ← Znq , e ← χ,

– Key Generation:
s ← {0, 1}n , sk = s
8

Fig. 4. LWE

– Encryption:
t
c = (a, b = −a · s + e + · m) ∈ Zn+1
q
q
– Decryption:
t
m = ⌊ (b + a · s) mod q⌉ mod t
q
RLWE Encryption/Decryption

Given plaintext m ∈ Rt , a ← Rq , e ← χ,
– Key Generation:
s ← R2 , sk = s
– Encryption:
t
c = (a, b = −a · s + e + · m) ∈ R2q
q
– Decryption:
t
m = ⌊ b + a · s mod q⌉ mod t
q
RGSW

Pdg −1
We say that t0 , · · · , tdg −1 is
a gadget decomposition of t ∈ Rq if t = i=0 gi ·
ti where ⃗g = g0 , . . . , gdg −1 is a gadget vector, and ∥ti ∥∞ < Bg . We then
give the definitions of RLWE’ and RGSW. For a gadget vector ⃗g , we define
RLWE′z (m) and RGSWz (m) as follows:

RLWE′z (m) := RLWEz (g0 · m) , RLWEz (g1 · m) , · · · , RLWEz gdg −1 · m ∈ R2d

q

RGSWz (m) := RLWE′z (z · m), RLWE′z (m) ∈ Rq2×2d

Homomorphic Evaluation
 Privasea AI Network Whitepaper 9

Fig. 5. RLWE

Fig. 6. RGSW

– External Product (⊡):

⊡ : RGSW × RLWE → RLWE

(A, b) 7−→ A ⊡ b = gadget−1 (b) · A

– Internal Product (⊠):

⊠ : RGSW × RGSW → RGSW

gadget−1 (b1 ) · A
   
A ⊠ b1
(A, B) 7−→ A ⊠ B =  : = : 
A ⊠ bn gadget−1 (bn ) · A

2.5 Key Switching Algorithm

Key switching can switch the secret key to a new one, but the message is the
same. That is, Alice can easily share her data with Bob, by switching her ci-
phertext to which Bob can decrypt. Privasea use this technique to transfer the
evaluation result. There are mainly three kinds of key switching:
10

Fig. 7. Key Switching

– Private KS: Private key switching algorithm refers to computing a given

secret function while switching keys from LWE to (R)LWE ciphertext.

– Public KS: Public key switching algorithm refers to computing a given

public function while switching keys from LWE to (R)LWE ciphertext.

– RLWE to RLWE KS: RLWE to RLWE key switching algorithm can

switch keys from RLWE to RLWE.

3 Machine Learning Fundamentals

Machine learning is a branch of artificial intelligence (AI) and Computer Science,

which is defined as the ability of machines to learn automatically from data and
algorithms, Improve their performance from past experiences and make decisions
without being explicitly programmed.
The machine-learning process begins with a collection of historical data such
as direct experience or instructions. With this data, it builds logical models for
future inference. Whenever it receives new data It predicts the outcomes with the
help of this model. The process of Machine Learning is shown in Figure 8. Ma-
chine Learning algorithms can be further classified into three types: supervised
learning, unsupervised learning and reinforcement learning.

3.1 Supervised Learning

Supervised learning is a type of machine learning algorithm that uses a labelled

dataset (called the training dataset) to make predictions. The training dataset
includes input data and response values. From it, the supervised learning algo-
rithm seeks to build a model that can make predictions of the response values
for a new dataset. A test dataset is often used to validate the model. Using
 Privasea AI Network Whitepaper 11

Fig. 8. Machine learning process

larger training datasets often yield models with higher predictive power that
can generalize well for new datasets.
Supervised learning includes two categories of algorithms: classification and
regression.

– Classification: A classification problem is when the output variables to be

predicted are discreet in nature, such as “Red” or “blue” or “disease” and
“no disease”.
– Regression: A regression problem is when the output variable is a real value,
such as “dollars” or “weight”.

3.2 Unsupervised learning

A central goal of unsupervised learning is to acquire representations from unla-
beled data or experience that can be used for more effective learning of down-
stream tasks from modest amounts of labeled data. Two types of unsupervised
learning are Generative models and Manifold learning.

3.2.1 Generative Models The Generative model is an essential type of un-

supervised learning. ”Generative” describes a class of statistical models. By the
Generative model, we can generate new data that is not contained in the train-
ing data set. Generative models take a training set, consisting of samples drawn
from a distribution pdata , and learns to represent an estimate of that distribu-
tion somehow. The result is a probability distribution pmodel . In some cases,
the model estimates pmodel explicitly. In other cases, the model is only able to
generate samples from pmodel . Some models are able to do both.
Generative models, which attempt to create a classification (recogniser or
encoder) network and a generative image (generative model) model at the same
time. This approach has its origins in the pioneering work of Goodfellow and Ben-
gio [22], the architecture of Generative adversarial networks is shown in Figure
9. Deep generative models that can learn via the principle of maximim likeli-
hood differ with respect to how they represent or approximate the likelihood. We
12

Fig. 9. Generative adversarial networks architecture

construct the taxonomy of Generative models shown in Figure 10. Every leaf in
this taxonomic tree has some advantages and disadvantages. On the left branch
of this taxonomic tree [23,24,25,26,27,28], models construct an explicit density,
pmodel (x; θ), and thus an explicit likelihood which can be maximized. Among
these explicit density models, the density may be computationally tractable, or
it may be intractable, meaning that to maximize the likelihood it is necessary
to make either variatioanl approximations or Monte Carlo approximations (or
both). On the right branch of the tree [22,29,30], the model does not explicitly
represent a probability distribution over the space where the data lies. Instead,
the model provides some way of interacting less directly with this probability
distribution. Typically the indirect means of interacting with the probability
distribution is the ability to draw samples from it. Some of these implicit mod-
els that offer the ability to sample from the distribution do so using a Markov
Chain; the model defines a way to stochastically transform an existing sample in
order to obtain another sample from the same distribution. Others are able to
generate a sample in a single step, starting without any input. While the models
used for GANs can sometimes be constructed to define an explicit density, the
training algorithm for GANs makes use only of the model’s ability to generate
samples. GANs are thus trained using the strategy from the rightmost leaf of
the tree: using an implicit model that samples directly from the distribution
represented by the model.

3.2.2 Manifold Learning Manifold learning is an approach to non-linear di-

mensionality reduction, which can be viewed as the non-linear version of PCA.
The field of manifold learning is defined by the fact that it makes this assump-
tion explicit: it assumes that the observed data lie on a low-dimensional manifold
embedded in a higher-dimensional space. Though supervised variants exist, the
typical manifold learning problem is unsupervised: it learns the high-dimensional
structure of the data from the data itself, without the use of predetermined classi-
 Privasea AI Network Whitepaper 13

Fig. 10. Taxonomy of Generative models

fications. In particular, the manifold learning hypothesis underlies most popular

dimensionality reduction techniques: PCA, Isomaps [31], Laplacian Eigenmaps
[32], Diffusion maps [33], local linear embeddings [34], local tangent space align-
ment [35], etc.

3.3 Reinforcement Learning

Reinforcement Learning is a type of machine learning technique that enables an
agent to learn in an interactive environment by trial and error using feedback
from its own actions and experiences. Some key terms that describe the basic
elements of an Reinforcement Learning problem are:
– Environment: Physical world in which the agent operates.
– State: Current situation of the agent.
– Reward: Feedback from the environment.
– Policy: Method to map agent’s state to actions.
– Value: Future reward that an agent would receive by taking an action in a
particular state.
The architecture of Reinforcement Learning is illustrated in Figure 11.
Reinforcement learning algorithms can be classified into two types: model-
free algorithms and model-based algorithms. On the one hand, the model-free
algorithm does not require the model of the environment and interacts directly
with the real environment to obtain feedback. Mnih et al. [36] propose the Deep
Q-network (DQN), which is based on Q-learning and CNN network structure
and utilizes Q-network rather than Q-table to choose the action that maximizes
14

Fig. 11. Reinforcement Learning architecture.

Q value in a given state. Since the DQN algorithm tends to overestimate the
Q-value, Hasselt et al. [37] propose the Double DQN algorithm, in which an-
other Q-network is introduced to make decisions, so that the original Q-network
only estimates the Q-value without making decisions. Silver et al. [38] propose
the Deterministic Policy Gradient (DPG) algorithm to choose a deterministic
action for the current state. It can be shown theoretically that the gradient of
the deterministic policy equals the expectation of the Q-function’s gradient and
the deterministic policy is more efficient than the stochastic one. Lillicrap et
al. [39] propose Deep Deterministic Policy Gradient (DDPG) algorithm based
on DPG [38] by altering the Q function to Q-network. Moreover, they add a
target Q network and a target policy network to improve the stability of their
algorithm. Schulman et al. [40] present the Trust Region Policy Optimization
(TRPO) method, which provides a monotonic approach to policy improvement
in order to assure that the new policy is not worse than the original policy.
The Actor-Critic method is essential in model-free algorithms, the framework
of the Actor-Critic is displayed in Figure 12. On the other hand, model-based
algorithms require the simulation of the environment and obtaining feedback via
interaction with the simulated environment. Prior to executing an action, the
agent has the capability to generate predictions regarding the subsequent state
and corresponding rewards. There are some typical methods such as Dyna [41],
Model-based policy optimization (MBPO) [42], Model-based value expansion
(MVE) [43], etc.

4 Privasea AI Network
In an era where data privacy is of paramount importance, the need for secure and
privacy-preserving Artificial Intelligence (AI) solutions has become increasingly
critical. To address this challenge, we present a cutting-edge architecture for a
Privasea AI Network that combines the power of Fully Homomorphic Encryption
(FHE) and blockchain-based incentives. This innovative network allows users to
harness the potential of AI while ensuring the utmost confidentiality of their
sensitive data.
 Privasea AI Network Whitepaper 15

Fig. 12. The Actor-Critc framework.

4.1 Solutions
Our solutions enable users to leverage the abundant distributed computing re-
sources provided by the blockchain while retaining complete control over their
data and models during AI processing. The core technology is called Fully Ho-
momorphic Encryption. Privasea AI Network divides FHE from theory to ap-
plication into the following four layers: Application Layer, Optimisation Layer,
Arithmetic Layer and Primitive Layer. The network provides both generalised
and customised solutions to bridge the gap between user privacy and distributed
computing resources during AI processing, covering all four layers of FHE.

4.1.1 Generalised solution with HESea

The generalised solution of Privasea AI Network encompasses the bottom two

layers of homomorphic application, which is accomplished through the devel-
opment and open-sourcing of the HESea library. This library contains various
FHE implementations such as TFHE, CKKS, BGV/BFV, and more. (For de-
tails on the HESea library, please refer to section 3.1.) Users can encrypt their
data or models using a Fully Homomorphic Encryption scheme from the HESea
library and then upload them to the Privasea-AI Network. Once uploaded, users
can access the distributed computing resources in the network to perform ma-
chine learning or other computations on their data in an encrypted state. The
network supports a variety of computation models including neural networks,
decision trees, clustering analysis, and other models, which can be either pub-
licly available on the network or provided by the user. Users have the flexibility
and control to upload their personal models, either publicly or encrypted, to the
network. The encrypted result can be returned to users or shared with others
using the FHE key switching function, providing a secure way to share encrypted
data.

4.1.2 Customised solution

16

Fig. 13. Four Layers of FHE

 Privasea AI Network Whitepaper 17

Privasea AI Network’s customised solution covers the top two layers of homo-
morphic application: the Application Layer and Optimisation Layer. This allows
for more specific and tailored solutions to meet the unique needs of each user. In
addition to the functions and features of the generalised solution, the customised
solution has two important features: efficiency and user-friendliness. ‘Efficiency’
refers to the customised optimisation of homomorphic AI computation models
for users by Privasea AI Network. Compared to basic solutions in other homo-
morphic libraries, these customised computations can provide more than 1,000
times speedup. The term ‘user-friendly’ means that users do not need to have
a background in cryptography or programming to use it. To perform machine
learning processing, users simply need to upload their encrypted data or models
to the network and specify the type of processing they want to perform. The
network takes care of the rest by securely accessing the distributed computing
resources on the blockchain and returning or sharing the results in an encrypted
form. This makes the platform accessible to a wide range of users, regardless of
their technical expertise.

4.2 Architecture for Privasea AI Network

Fig. 14. Architecture for Privasea AI Network

At the heart of Privasea lies the concept of Fully Homomorphic Encryption

(FHE), a revolutionary cryptographic technique that allows computations to
be performed directly on encrypted data. By leveraging FHE, we eliminate the
need to expose raw data, enabling computations to be performed directly on
encrypted data. This ensures that the privacy of the data is preserved throughout
the entire workflow, including model training and evaluation. To facilitate the
implementation of FHE, Privasea incorporates a basic FHE library called HESea.
This library equips developers with essential tools and functions to securely
18

perform computations on encrypted data, such as addition, multiplication, and

even evaluation of machine learning models. HESea empowers users to unlock
the potential of their data without compromising privacy.
The Private AI Network also features an Application API, a user-friendly in-
terface that simplifies interaction with the network. Through the Privasea API,
users can securely submit their data, request model training, and obtain pre-
dictions while enjoying the benefits of end-to-end encryption. It handles the en-
cryption and decryption processes seamlessly, abstracting away the complexity
of FHE while ensuring data privacy and security.
Facilitating the execution of computations on encrypted data is the Pri-
vanetix, a decentralized computation network comprising a multitude of nodes.
Comprising high-performance machines with integrated HESea libraries, Pri-
vanetix provides the necessary computational resources to perform FHE-based
operations on encrypted data. The collaboration among Privanetix nodes enables
efficient and scalable execution of privacy-preserving machine learning tasks.
To incentivize active participation and foster a collaborative ecosystem, Pri-
vasea Network incorporates a blockchain-based incentive mechanism. Through
smart contracts deployed on the blockchain, the incentive mechanism tracks the
registrations and contributions of Privanetix nodes, validates computations, and
rewards active participants accordingly. This ensures that contributors are moti-
vated to provide their computational resources, while maintaining transparency
and fairness throughout the network.
Privasea empowers organizations and individuals to unlock the potential of
their data without compromising privacy. By combining the power of Fully Ho-
momorphic Encryption, the simplicity of the HESea library, the accessibility of
the Privasea API, the computational capabilities of Privanetix, and the fair-
ness of the blockchain-based incentive mechanism, Privasea paves the way for
privacy-preserving AI applications in various domains.

4.3 Components of Privasea AI Network

The Privasea AI network comprises four core components that work synergisti-
cally to deliver secure and private AI capabilities:

– HESea Library: This component enables secure computations on encrypted

data. By utilizing homomorphic encryption techniques, the HESea Library
ensures that data privacy and security are maintained throughout AI tasks.

– Privasea API: Serving as the gateway to the Privasea AI network, the Pri-
vasea API provides developers with an application programming interface to
integrate privacy-preserving AI capabilities into their applications. It offers
a range of tools and functionalities for seamless interaction with the network.

– Privanetix: Privanetix empowers secure computation by utilizing high-

performance nodes. It leverages advanced techniques such as secure multi-
party computation and federated learning to enable collaborative AI training
 Privasea AI Network Whitepaper 19

while preserving data privacy and confidentiality.

– Privasea Smart contract kit: This component promotes fairness and ac-
tive participation within the Privasea AI network. It utilizes smart contracts,
integrated with blockchain technology, to ensure transparency, immutability,
and trust in the execution of AI tasks.

Together, these core components form the foundation of the Privasea AI

network, enabling secure, private, and efficient AI operations while prioritizing
the protection of sensitive data.

4.3.1 HESea Library

HESea is an advanced library for Fully Homomorphic Encryption (FHE),
purposefully designed to facilitate secure computations. It is built upon and
modified from the Palisade library 1 . Leveraging state-of-the-art cryptographic
techniques and optimized for high performance, HESea equips developers with
a versatile, user-friendly, and powerful toolkit suitable for a wide array of use
cases. The library offers support for multiple FHE schemes, including TFHE,
CKKS, BGV, BFV, and more, enabling computations to be performed directly
on encrypted data, eliminating the need for decryption. This guarantees the
security and privacy of sensitive information, effectively safeguarding against
privacy breaches and security threats.
Within the library, users have access to a diverse set of functions for execut-
ing various operations. These include fundamental primitives such as Boolean
gates, algebraic addition, and multiplication, as well as arithmetic operations like
ReLU and Sigmoid, and logical operations including sorting, comparison, and
extraction. HESea incorporates advanced techniques like ciphertext packing and
batching to optimize the processing of large datasets, minimizing the number of
operations required and thereby enhancing efficiency and performance.
HESea boasts a simple and intuitive API that caters to users of all levels,
from beginners to experts. Its efficiency is further amplified by leveraging under-
lying mathematical acceleration techniques such as Number Theoretic Transform
(NTT) and Fast Fourier Transform (FFT). This makes HESea an exceptional
choice for a wide range of use cases, ensuring smooth and efficient execution of
secure computations.
Furthermore, HESea extends its capabilities to encompass the evaluation of
machine learning models on encrypted data. This transformative feature en-
ables users to train and deploy models while maintaining the privacy of their
data. By leveraging HESea’s functions, users can perform predictions and evalu-
ations without compromising the confidentiality of the underlying information,
unleashing the potential of privacy-preserving machine learning.
Being an open-source library, HESea offers users the freedom to inspect and
modify the code as required. Extensive documentation, including tutorials and
1
https://gitlab.com/palisade/
20

examples, is provided to support users in seamlessly integrating HESea into their

projects.
In conclusion, HESea serves as a vital tool for developers and researchers
working with secure computations. Its comprehensive set of functions and tools
empower users to perform a wide range of computations on encrypted data,
allowing for privacy-preserved analytics, secure machine learning, and confiden-
tial data processing. By providing a solid foundation for FHE-based operations,
HESea revolutionizes the way secure computations are conducted, paving the
way for a future where privacy and data security are seamlessly integrated.

4.3.2 Privasea API

At the forefront of the Privasea AI network lies the Application API, a vi-
tal interface that empowers developers to interact effortlessly with the system.
This API offers an extensive range of functions and endpoints, streamlining
essential operations such as data submission, model training, and predictions.
With a strong emphasis on security, the API ensures encrypted communication
and seamlessly manages encryption/decryption processes using the cutting-edge
HESea library.
The Privasea API acts as a seamless bridge between developers and the
Privasea AI network, providing a user-friendly platform for efficiently manag-
ing data and machine learning tasks. Through carefully crafted functions and
endpoints, developers can securely submit their data, initiate model training
processes, and request accurate predictions. By simplifying the interaction pro-
cess, the API reduces complexities and allows developers to focus on extracting
valuable insights from their data.
Security is paramount, and the Application API ensures the utmost protec-
tion by leveraging the power of the HESea library to handle encryption and
decryption processes. This guarantees that sensitive data remains encrypted
throughout transmission and processing, effectively preserving privacy at ev-
ery stage. By seamlessly integrating HESea into the API, data remains shielded
without compromising operational efficiency or the accuracy of predictions.
The Application API serves as a robust and secure channel for developers to
leverage the capabilities of the Privasea AI network. By offering a comprehensive
suite of functions and endpoints, it empowers developers to efficiently manage
their data, leverage advanced machine learning techniques, and derive valuable
insights. With secure communication and encryption management at its core, the
API acts as a trusted gateway, enabling developers to confidently and effortlessly
unlock the full potential of the Privasea AI network.

4.3.3 Privanetix
Privanetix stands as a decentralized computation network, harnessing the
power of numerous computation nodes to facilitate secure and efficient processing
of encrypted data. This network is composed of a collection of high-performance
computation nodes, working together to execute essential machine learning al-
gorithms in a secure manner. Each node within Privanetix is equipped with the
 Privasea AI Network Whitepaper 21

cutting-edge HESea library, enabling them to carry out operations on encrypted

data with remarkable efficiency.
The primary objective of Privanetix is to preserve data privacy while achiev-
ing optimal computational performance. By utilizing encryption techniques, data
remains safeguarded throughout the computation process. The computation
nodes, armed with the HESea library, possess the capability to seamlessly process
encrypted data, providing a secure environment for executing machine learning
algorithms.
These high-performance nodes, united under the Privanetix network, play
a critical role in safeguarding the privacy and security of the overall system.
Leveraging their collective computational power and the advanced capabilities
of the HESea library, they work in unison to handle the complexities of encrypted
data processing. This ensures that operations on sensitive information are carried
out with utmost efficiency, without compromising the privacy of the underlying
data.
Privanetix represents a pioneering solution that combines decentralized com-
putation with the power of HESea. By leveraging this network of computation
nodes equipped with the HESea library, users can confidently engage in secure
computations on encrypted data, unlocking the potential of privacy-preserving
machine learning. With Privanetix, data privacy and computational efficiency
go hand in hand, revolutionizing the way secure computations are performed in
the realm of AI and data analytics.

4.3.4 Privasea Smart Contract Kit

At the core of the privacy AI network resides a robust incentive mechanism
based on blockchain technology, serving as a catalyst for collaboration and fair-
ness. Powered by the Privasea Smart Contract Kit, this mechanism effectively
tracks the registration and contributions of Privanetix nodes, validates their
computations, and distributes rewards accordingly. By leveraging smart con-
tracts, the mechanism ensures transparency, fairness, and actively incentivizes
participation within the network.
Operating as a trusted intermediary, the blockchain-based incentive mech-
anism capitalizes on the immutability and transparency of the blockchain to
monitor and reward the contributions of Privanetix nodes. Through the imple-
mentation of smart contracts, a reliable framework is established for interactions
among participants, guaranteeing accurate evaluation of computations and eq-
uitable allocation of rewards.
Within this mechanism, Privanetix nodes are motivated to actively engage in
the network and contribute their computational resources. By efficiently tracking
and validating the computations performed by each node, the incentive mecha-
nism ensures that rewards are distributed proportionally to their contributions.
This approach fosters active participation, cultivating a collaborative ecosystem
where all participants are motivated to share their expertise and resources.
The Privasea Smart Contract Kit, serving as the backbone of the incen-
tive mechanism, facilitates transparent and automated interactions. It handles
22

various aspects such as initializing registration, tracking contributions, validat-

ing computations, and distributing rewards, eliminating the need for centralized
control. By leveraging the decentralized nature of the blockchain, the smart con-
tracts establish an environment of trust, fairness, and accountability.
Through the blockchain-based incentive mechanism, the privacy AI network
fosters an ecosystem where participants are encouraged to actively contribute,
knowing that their efforts will be acknowledged and rewarded. By transparently
tracking contributions, validating computations, and distributing rewards fairly,
this mechanism promotes fairness, motivates collaboration, and drives continu-
ous growth and development within the network.

4.4 Roles in Privasea AI Network

In the Privasea AI Network, three distinct roles play vital roles in ensuring the
smooth functioning and collaborative nature of the ecosystem: Data Owners,
Privanetix Nodes, Decryptors, and Result Receivers.

Fig. 15. Roles in Privasea AI Network

– Data Owners: Data Owners are individuals or entities who possess and
control the valuable datasets within the network. As the custodians of data,
they have the authority to determine how their data is shared and utilized
within the network. Data Owners play a crucial role in preserving privacy
and determining the level of access granted to Privanetix Nodes and Decryp-
tors. They have the power to define data sharing agreements, set permissions,
and specify the terms under which their data can be accessed and utilized.

– Privanetix Nodes: Privanetix Nodes are the computational powerhouses

within the Privasea AI Network. These nodes contribute their processing
 Privasea AI Network Whitepaper 23

resources to perform complex computations on encrypted data. Equipped

with the advanced HESea library and integrated with the blockchain-based
incentive mechanism, Privanetix Nodes execute secure and efficient compu-
tations while preserving the privacy of the underlying data. They actively
participate in the network by processing encrypted data, training machine
learning models, and contributing to collaborative tasks. Privanetix Nodes
ensure the integrity and confidentiality of computations and are an essential
component in achieving the network’s objectives.

– Decryptors: Decryptors serve as the result retrievers in the final computa-

tion process. Their role involves retrieving encrypted results from Privanetix
Nodes and decrypting them using the appropriate keys through the Pri-
vasea API. The primary responsibility of Decryptors is to securely obtain
the computation results and ensure the confidentiality and integrity of the
data during the retrieval process.

– Result Receivers: Result Receivers act as the final recipients of the de-
crypted computation results. Result Receivers may perform additional op-
erations on the decrypted results, such as further analysis, processing, or in-
tegration with other systems or applications. This allows for the utilization
of the computation results in a broader context, enabling informed decision-
making and deriving valuable insights.

Together, these roles create a collaborative ecosystem within the Privasea

AI Network, where Data Owners control data access, Privanetix Nodes provide
secure computations, Decryptors decrypt the computation results, and Result
Receivers securely handle and utilize the decrypted data. This comprehensive
approach ensures the smooth functioning of the network while maintaining pri-
vacy and security throughout the process. This multi-faceted approach fosters
privacy-focused machine learning and secure computations, driving the network’s
advancement while maintaining data privacy and security.

4.5 Workflow of Privasea AI Network

The Privasea AI network follows a well-coordinated workflow comprising inter-

connected steps, all aimed at ensuring secure and private AI operations. The
overall process begins with the data owner submitting a private AI task to the
Privasea AI network. The Privanetix nodes then securely handle this task, and
subsequently transmit the encrypted result to the decryptor. The decryptor, in
turn, decrypts the result and shares it with the designated Result Receivers.
Below are the detailed procedures involved:

– User Registration: Data Owners initiate their registration process on the

privacy AI network by providing the necessary authentication and autho-
rization credentials. This step ensures that only authorized users can access
24

Fig. 16. Workflow for Privasea AI Network

the system and participate in the network’s activities.

– Task Submission: Data Owners submit their computation tasks along with
the required input data through the Privasea API. To prioritize security and
privacy, the data is encrypted using the powerful HESea library before trans-
mission. This encryption safeguards the data from unauthorized access, while
Data Owners also specify the authorized Decryptors and Result Receivers
who can access the final results.

– Task Assignment: The blockchain-based smart contract, deployed on the

network, assigns the computation tasks to suitable Privanetix nodes based
on their availability and capabilities. This dynamic assignment process en-
sures efficient resource allocation and distribution of computational tasks.

– Encrypted Computation: The designated Privanetix nodes receive en-

crypted data and conduct computations utilizing the HESea library. They
execute machine learning algorithms securely on the encrypted data, guar-
anteeing the preservation of privacy during the entire process. Importantly,
these computations are performed without the need to decrypt the sensitive
data, thus maintaining its confidentiality. Additionally, to further verify the
integrity of the computation, the Privanetix nodes generate zero-knowledge
proofs for these steps. These proofs serve as evidence that the computa-
tions were carried out correctly, without revealing any specific details about
the encrypted data. These zero-knowledge proofs are essential for later ver-
ification and provide assurance regarding the validity and accuracy of the
computations performed.

– Key Switching: After completing the computations, the assigned Privanetix

nodes employ key switching techniques to ensure that the final result is au-
 Privasea AI Network Whitepaper 25

thorized and accessible only to the designated Decryptors. This additional

security measure enhances control over the computation results, ensuring
that they are accessible only to authorized parties.

– Result Verification: After completing the computations, the Privanetix

nodes transmit both the encrypted result and the corresponding zero-knowledge
proof back to the blockchain-based smart contract for future verification.
The utilization of techniques like zero-knowledge proofs (ZKP) allows for
the validation of the computed results’ integrity and authenticity, all while
safeguarding the confidentiality of the raw data. This crucial verification
process guarantees the reliability of the results and upholds trust within the
network by providing a transparent and trustworthy mechanism for validat-
ing the computations.

– Incentive Mechanism: The blockchain-based incentive mechanism, gov-

erned by the smart contract, plays a crucial role in tracking the contribu-
tions of Privanetix nodes, validating their computations, and distributing
rewards accordingly. By enforcing predefined rules and incentives encoded
in the contract, this mechanism promotes fairness and actively encourages
participation from the Privanetix nodes, ultimately driving the network’s
growth and development.

– Result Retrieval: Decryptors utilize the Privasea API to access encrypted

results. Their first task is to verify the integrity of the computation, ensur-
ing that the Privanetix nodes have performed the computation as intended
by the data owner. In the event of a failed verification, the decryptor will
submit a proof transaction to the Privasea Smart Contract, reporting the
misconduct of the Privanetix nodes. As a consequence, the assigned Pri-
vanetix nodes will face penalties (slashing). On the other hand, if the veri-
fication process is successful, the decryptors proceed to decrypt the results
using the appropriate decryption keys. This crucial step maintains the con-
fidentiality of the data while delivering the desired output to the users. By
implementing these measures, the Privasea AI network ensures the accuracy
and trustworthiness of the computation results, fostering a secure and reli-
able environment for data processing.

– Result delivery: The decrypted result is shared with the designated Re-
sult Receiver predetermined by the Data Owner using Proxy Re-encryption
technology. This additional step ensures secure delivery of the result to the
intended recipient while preserving data privacy.

Throughout the entire workflow, from data submission to result delivery, the
user’s data remains encrypted and secure. The encryption techniques employed,
along with the use of HESea, preserve the privacy and confidentiality of the
data, minimizing the risk of unauthorized access or data breaches.By following
26

this comprehensive workflow, the privacy AI network ensures that sensitive data
is protected, computations are performed securely, and participants are fairly
incentivized, fostering a collaborative and privacy-preserving environment for
AI-driven tasks and applications.

5 Case Study
5.1 Private XGBoost Prediction
A regression tree is a type of decision tree model specifically designed for solv-
ing regression problems. The computation process of a regression tree involves
feature selection, data splitting, computation of leaf node outputs, and recursive
operations. By iteratively partitioning the feature space and generating output
values, regression trees can effectively handle nonlinear relationships, missing
values, and outliers, while still providing interpretability.

Fig. 17. Regression Tree

However, one common challenge with regression trees is overfitting. To miti-

gate this issue and enhance generalization, they are often combined with ensem-
ble learning methods such as XGBoost(eXtreme Gradient Boosting). During the
prediction phase, decisions are made based on feature thresholds, traversing the
tree until reaching a leaf node. The output value at the leaf node is then used
as the prediction for the corresponding sample.
XGBoost is a gradient boosting tree algorithm that utilizes an ensemble
method of decision trees. It sequentially trains numerous weak classifiers (deci-
sion trees) and merges them to form a robust classifier. The workflow of XGBoost
can be broken down into the subsequent stages:

– 1.Initialization: First, initialize the model’s predictions to a constant value.

Typically, the initial prediction can be obtained by calculating the average
value of all samples in the training set.
 Privasea AI Network Whitepaper 27

Fig. 18. EXtreme Gradient Boosting Tree(XGBoost)

– 2.Compute negative gradients of the loss function: Next, compute the

negative gradient of the loss function between the current model’s predic-
tions and the true labels. The choice of loss function depends on the problem
type, for example, squared loss can be used for regression problems, and log-
arithmic loss can be used for binary classification problems.

– 3.Train weak classifiers: Train a weak classifier (decision tree) using the
current model’s predictions as input features. In this case, the decision tree
is a special type of tree called a regression tree. A regression tree is a binary
tree where each leaf node contains a real value representing the model’s pre-
dicted output at that leaf node.

– 4.Update model predictions: Apply the trained regression tree to the

current model’s predictions and update the model’s prediction results. The
output of the regression tree can be seen as the correction to the model’s
predictions, further improving the model’s performance.

– 5.Regularization:To prevent overfitting, introduce regularization terms to

control the model’s complexity. This can be achieved by limiting the num-
ber of leaf nodes or the weights of leaf nodes in each regression tree, or by
introducing regularization parameters.

– 6.Update the model: Merge the current trained regression tree with the
previous regression trees to obtain a new model. This can be achieved by
adding the output of the new regression tree to the previous model’s predic-
tions.

– 7.Repeat training: Repeat steps 2 to 6 until a stopping condition is met,

such as reaching the maximum number of iterations, the improvement of
the loss function is below a threshold, or the model’s performance meets the
requirements.
28

– 8.Combining the week classifiers:Finally, XGBoost combines the pre-

dictions of multiple weak classifiers by summing them to obtain the final
model’s predictions. During the prediction phase, input the test samples
into each regression tree one by one, get the predictions from each tree, and
then sum them to get the final prediction output.

Fully homomorphic encryption (FHE) is a useful option when a user wants

to use a trained xgboost model but does not want to reveal the data to the
model supplier. To ensure privacy and security, we can leverage FHE to en-
able privacy-preserving computations within the XGBoost prediction process.
As previously mentioned, XGBoost combines the predictions of multiple regres-
sion trees by summing them to obtain the final prediction. Since FHE inherently
supports addition operations, the main challenge lies in performing the decision
tree computation on fully homomorphic ciphertexts.
The prediction process of a decision tree can be decomposed into two distinct
steps: comparison and selection. These steps lend themselves well to homomor-
phic evaluation using TFHE schemes. The comparison step can be represented
by an indicator function that determines the difference between two numbers.
Its output is 1 when the difference is greater than 0 and -1 otherwise. TFHE
bootstrapping enables the realization of this indicator function. On the other
hand, the selection step can be conceptualized as a gate circuit that yields the
value of the 0th position when provided with input 0, and outputs the value of
the 1st position when given input 1. This behavior aligns with that of a CMUX
(multiplexer) gate.

Fig. 19. Private Prediction of XGboost

 Privasea AI Network Whitepaper 29

By encrypting the outcomes of the decision tree’s leaf nodes and employing
TFHE bootstrapping for the comparison process, as well as CMUX gates for the
selection process, we can successfully perform the computation of the decision
tree on fully homomorphic ciphertexts. Consequently, we obtain the encrypted
output of the leaf nodes, enabling the computation of the decision tree on fully
homomorphic ciphertexts.

5.2 Secure KYC

KYC stands for ”Know Your Customer” and refers to a process that cryp-
tocurrency exchanges and other financial institutions implement to verify the
identities of their customers. It is a standard practice in the financial industry
and is aimed at preventing money laundering, fraud, and other illicit activities.
Privasea proposed the solution for secure KYC in face recognition. Privacy-
preserving face recognition using Fully Homomorphic Encryption (FHE) involves
leveraging encryption techniques to ensure the security and privacy of sensitive
facial data throughout the face recognition process. Here are the details of the
steps:

– 1. Register ID with photos: The user provides their ID, including a photo.
The client extracts facial features from the ID photo using a feature extrac-
tion algorithm (e.g., ResNet18). The client embeds the extracted features
into a representation, such as a vector. The client encrypts the ID embed-
dings using Privasea API, which provides FHE capabilities. The encrypted
embeddings are securely sent to a secure database for storage.

– 2. Submit Selfie Verification Task: The user takes a selfie using a cam-
era or mobile device. The client extracts facial features from the selfie image
using the same feature extraction algorithm used in the ID registration step.
The client embeds the extracted features into a representation. The client
encrypts the selfie embeddings using Privasea API (FHE). The encrypted
embeddings are sent to the assigned Privanetix node along with a facial
check request. The request is a blockchain transaction containing necessary
information such as the selected Privanetix node, the selected decryptor, and
the unique identifier of the encrypted ID embeddings in the secure database.

– 3. Retrieve the Encrypted Embedding of ID Images: The assigned

Privanetix node retrieves the encrypted ID embeddings associated with the
user from the secure database.

– 4. Process the Facial Check in the Ciphertext Domain: Using FHE

capabilities, the Privanetix node performs calculations on the encrypted ID
and selfie embeddings, such as calculating the distance between them. The
Privanetix node compares the distance with a predefined threshold to deter-
mine similarity. The result remains in the ciphertext domain.
30

– 5. Send Encrypted Result to Decryptor: The Privanetix node sends

the encrypted boolean result to the decryptor for further processing.

– 6. Decryption and Result Extraction: The decryptor, possessing the

private key, decrypts the received result to obtain the final check result (e.g.,
yes or no).

– 7. Result Delivery: The decryptor securely delivers the final result to the
designated institutes or entities that require it using Proxy Re-encryption
(PRE) or another suitable method.

Fig. 20. Secure face recognition

The technical key in this solution lies in the homomorphic calculation of the
similarity in the face embedding vector.
In a plaintext model, the similarity between face embeddings is generally
measured using cosine distance. Cosine distance is a common metric used to
measure the similarity between two vectors. It calculates the cosine of the angle
between the two vectors, with a value of 1 indicating that the vectors are identical
and a value of 0 indicating that they are orthogonal.
Cosine distance is a measure of similarity between two non-zero vectors de-
fined in an inner product space. It is the cosine of the angle between the vectors;
that is, it is the dot product of the vectors divided by the product of their
lengths. The cosine similarity always belongs to the interval 1. The cosine of two
non-zero vectors can be derived by using the Euclidean dot product formula:
given two d-dimensional vectors of attributes, x and y, the cosine similarity is
represented using a dot product and magnitude as
xT y
d(x, y) = 1 − .
∥x∥∥y∥
 Privasea AI Network Whitepaper 31

However, the cosine distance function is not friendly to homomorphic eval-

uations because it uses division and Euclidean norm calculations, which will
bring a lot of computational overhead to homomorphic distance calculation.
We use a transformation method to convert division and Euclidean norm into
homomorphic-friendly addition and multiplication. Specifically, we have the fol-
lowing observations:

d
xT y X x
d(x, y) = 1 − = 1 − x̃T ỹ = 1 − x̃i ỹi , where x̃ = .
∥x∥∥y∥ i=1
∥x∥

Therefore, we only need to convert the face embedding vector x into its nor-
malized representation x̃ before performing homomorphic evaluations to quickly
achieve homomorphic distance calculation.
Throughout this process, the sensitive facial data, including ID photos and
selfie images, remains encrypted. The use of FHE ensures that calculations can
be performed on the encrypted data without revealing the underlying infor-
mation. By applying encryption techniques, privacy is preserved, and the face
recognition process is conducted securely and privately, safeguarding the privacy
of the individuals involved.

6 Token Economics
6.1 Overview of Token Economics
The PRVA token serves as the utility token within the Privasea AI network,
playing a crucial role in facilitating transactions, incentivizing participants and
enabling on-chain governance. It also acts as a medium of exchange, enabling
users to access privacy AI services and unlock various functionalities within the
ecosystem. The value of the PRVA token is primarily driven by the demand for
the network’s services, which encompass privacy-preserving machine learning
and other AI-based features.
Specifically, the PRVA token serves the following purposes within the ecosys-
tem:
– Transaction Facilitation: PRVA tokens act as a medium of exchange
within the network, allowing users to access and pay for privacy AI ser-
vices offered by Privasea AI. These services may include data anonymiza-
tion, privacy-preserving machine learning, secure data sharing, and other
privacy-focused AI solutions. The token streamlines transactions, making it
easier for participants to engage with the network and utilize its services.

– Incentives and Rewards: PRVA tokens play a vital role in providing in-
centives to the diverse participants within the network.Various contributors,
including Privanetix nodes that offer privacy services and Decryptors that
providing decryption services, have the opportunity to earn PRVA tokens
32

through their contributions to the network. This can include tasks such as
supporting network operations, upkeeping the infrastructure, or delivering
valuable services.

– Governance and Voting: PRVA tokens grant holders the right to partic-
ipate in the governance of the Privasea AI network. Token holders can have
voting power and influence over important network decisions. These deci-
sions may include protocol upgrades, funding allocations, or other significant
aspects related to the network’s development and operation. By involving
token holders in the governance process, Privasea AI aims to foster a decen-
tralized and community-driven decision-making framework.

– Staking and Network Security: PRVA tokens may play a role in network
security through staking mechanisms. Token holders can lock up their PRVA
tokens as a form of collateral, contributing to the stability and security of
the network while potentially earning rewards.

– Access to Exclusive Features: The PRVA token may provide users with
access to additional features or exclusive benefits within the Privasea AI net-
work. This can include priority access to certain services, discounts, or en-
hanced functionalities, offering token holders added value and utility within
the ecosystem.

Through these various purposes, the PRVA token enhances the functionality,
participation, and overall ecosystem of the Privasea AI network, fostering a
thriving community of users and contributors.
It’s also important to note that the specific details of tokenomics, including
token distribution percentages and minting mechanisms, may vary based on the
design and implementation of the Privasea AI project. For the most accurate and
up-to-date information, it is recommended to refer to official project resources
or documentation provided by Privasea AI.

6.2 Token Distribution Plan

The distribution of PRVA tokens in the Privasea AI network is carefully struc-
tured to achieve a balance between attracting strategic investors, fostering com-
munity engagement, incentivizing network participation, and supporting ongoing
development.
The distribution plan consists of the following proportions and mechanisms:
1 Mining/Staking (45%):
• The largest portion of the tokens, will be allocated to staking nodes
that provide Fully Homomorphic Encryption (FHE) and other privacy
services within the project.
• These tokens will serve as incentives for the nodes, encouraging their
active participation and contribution to the network.
 Privasea AI Network Whitepaper 33

• Attractive staking rewards will be developed and distributed.

2 Team Allocation (10%):

• This allocation is aimed at rewarding and supporting the team respon-
sible for the development, maintenance, and growth of the Privasea AI
network.
• The team has the longest vision of the project and the tokens are dis-
tributed depending on the performance of the team members.
• The goal is to keep our team together in the long term; continuity is one
of the keys to success.

3 Backer (20%):
• The tokens will be allocated to backers, including venture capi- talists
(VC) and other supporters, who don´t just provide money, but bring us
added value.
• This allocation aims to attract external investment and foster partner-
ships to accelerate the network’s development and adoption.
• These funds will be used to expand the team and advance development
through to mainnet and launch.

4 Marketing and Community Development Allocation (15%):

• The tokens will be dedicated to marketing and community development
initiatives.
• These tokens will be utilized to raise awareness about Privasea AI, drive
user adoption, and foster a vibrant and engaged community around the
project.
• Several marketing campaigns are planned at different times. Attention
is paid to ensuring that we work with users and KOLs who believe in
Privasea’s long-term success.

5 Reserve (6%):
• This category primarily applies to items that cannot be planned, such
as future regulations that need to be met or licenses that need to be
applied for.
• If no unplanned problems arise, this category is released for future de-
velopment. We want to constantly improve and set new goals.
• If we notice in the course of development that we could use external sup-
port from experts in an area, parts of this can also be used for advisor
allocation.

6 Liquidity (4%):
• This liquidity is essential because it ensures that participants can en-
ter or exit their positions without causing significant price movements,
facilitating growth for the market.
34

• When there is a good amount of liquidity in a token pool, it means that

there is a significant amount of tokens available for trading. This allows
for larger buy and sell orders without impacting the price too easy in
either direction
• It is necessary for Market making and also can also be used for possible
new Dex/Cex Listings. allocation.

In conclusion, the token distribution plan for PRVA tokens in the Privasea
AI network is designed to strategically allocate tokens to key stakeholders, sup-
porting the development, growth, and sustainability of the ecosystem. Through
this well-thought-out distribution plan, Privasea AI aims to create value for all
participants while building a strong foundation for its network.

6.3 Token Minting Mechanism

To promote network growth, adoption, and sustainable development, the Pri-
vasea AI network will implement a minting mechanism that incorporates Static
Minting and Scaling Computation Power Minting.
1 Static Minting:The Static Minting component of the minting mechanism
in the Privasea AI network follows a simple exponential decay model. During
the early stages of the network, block rewards are set at their highest level,
offering significant incentives for miners to participate actively. However, as
the network matures over time, the block rewards experience a rapid de-
crease. This approach aims to encourage early miner engagement and ensure
a balanced distribution of rewards throughout the network’s growth.

• Higher block rewards are provided in the initial stages of the network to
incentivize and attract early miner participation.
• Miners are encouraged to contribute their computational power and re-
sources to the network through the allocation of rewards.
• This component acts as a counter pressure mechanism, mitigating po-
tential shocks or challenges that may arise within the network.

2 Scaling Computation Power Minting:To encourage continuous and sus-

tainable investment in computational power, the Privasea AI network im-
plements Scaling Computation Power Minting. This component dynamically
adjusts block rewards according to the total privacy computation power of
the network.

• Block rewards are proportional to the growth of the network’s total com-
putation power.
• Adjusts the exponential decay model during the network’s early stages
to promote steady investment in computational resources.
• Ensures that block rewards reflect the utility and value delivered by
miners and the network to clients.
 Privasea AI Network Whitepaper 35

• Rewards miners based on their contributions in relation to the overall

value of the network.

The allocation of rewards between Static Minting and Scaling Computation

Power Minting may vary based on the specific design of the Privasea AI network.
Striking a balance between early participation incentives and long-term network
growth is crucial. By combining Static Minting and Scaling Computation Power
Minting, the Privasea AI network aims to incentivize early participation while
fostering sustained investment and growth. This minting mechanism encourages
miners to contribute computational power and resources, ensuring the stability
and long-term success of the network

7 Application Scenarios

Fig. 21. Application Scenarios

7.1 Private IPFS Edge Pre-processing

The InterPlanetary File System (IPFS) is a decentralised peer-to-peer network

used for storing and sharing files. However, files shared on the IPFS network are
publicly visible and can potentially contain sensitive information. To mitigate
this issue, IPFS Edge Pre-processing could be implemented to process data be-
fore it is stored on the network. This pre-processing could involve using privacy-
enhancing techniques such as data anonymisation, encryption, and obfuscation.
36

We use FHE to protect sensitive data before it is shared on the IPFS network.
The pre-processing can be carried out using the Privasea AI Network, which
offers a secure and distributed network of computing resources for processing
and analysing data.
Here’s how the proposed system would work:

– A user submits a file to the IPFS network for storage and sharing.
– Before the file is stored on the IPFS network, it is pre-processed using
IPFS Edge Pre-processing. The pre-processing involves applying privacy-
enhancing techniques to the file to protect sensitive information.
– The pre-processing is done using the computing resources of the Privasea
AI Network. The user’s data is encrypted, anonymised, or obfuscated using
distributed processing techniques, ensuring that the data remains private
and secure.
– Once the pre-processing is complete, the file is stored on the IPFS network.
Other users on the network can access and share the file, but the sensitive
information in the file remains protected.

By combining IPFS Edge Pre-processing and Privasea AI Network, users

can store and share files on the IPFS network without compromising the pri-
vacy and security of sensitive information. The system provides a scalable and
efficient solution for protecting sensitive data on a decentralised network and
fully complies with data protection regulations such as Europe’s GDPR and the
California Consumer Privacy Act.

7.2 AI Modeling

Artificial intelligence development requires access to significant amounts of data

and computing power to train and optimise AI models. Privasea AI Network
offers a distributed network of computing resources to accelerate this training
process. Additionally, the network ensures privacy and security of sensitive data
throughout the training and processing stages. For example, a developer could
leverage Privasea AI Network to train a natural natural language processing
model on a massive dataset without jeopardising the privacy of the data. By
encrypting and processing the data across multiple nodes, the results could be
combined to improve the model’s accuracy.
Here’s how the proposed system would work:

– An organisation develops an AI model for a specific task, such as image

recognition or natural language processing.
– The organisation uses Privasea AI Network to train and optimise the model.
The data used for training is encrypted and processed using distributed com-
puting techniques, ensuring that sensitive data remains private and secure.
– The Privasea AI Network provides a secure and distributed network of com-
puting resources for training and optimising the model, reducing the time
and cost required for AI modeling.
 Privasea AI Network Whitepaper 37

– Once the model is trained and optimised, it can be deployed to perform the
specific task, such as recognising images or processing natural language.

By combining AI modeling with Privasea AI Network, organisations can train

and optimise AI models efficiently and cost-effectively, while also protecting sen-
sitive data. The system provides a scalable and secure solution for developing
AI models for various applications.

7.3 Secured KYC

KYC (Know Your Customer) is a process that financial institutions and other
organisations use to verify the identity of their customers. KYC is an important
process for preventing fraud and complying with regulations. However, KYC
also involves collecting sensitive personal information from customers, such as ID
cards, passports, and financial statements. To protect the privacy of customers’
personal information, KYC data must be processed securely.
Secured KYC is a privacy-focused KYC solution that uses encryption and
other privacy-enhancing techniques to protect sensitive customer data. Privasea
AI Network could be used to provide the computing resources needed to securely
process KYC data in real-time.
Here’s how the proposed system would work:

– A customer submits their KYC data by FHE encryption first to a financial

institution or other organisation for verification.
– The organisation uses Secured KYC to process the data, ensuring that it
is encrypted and processed using privacy-enhancing techniques to protect
sensitive information. Here, FHE can be used for the verifying function.
– The processing is done using Privasea AI Network, which provides a secure
and distributed network of computing resources for processing and analysing
data without decrypting it.
– Once the processing is complete, the organisation can verify the customer’s
identity and comply with KYC regulations, while also protecting the cus-
tomer’s privacy.

By combining Secured KYC and Privasea AI Network, organisations can

process KYC data securely and efficiently, while also protecting the privacy of
their customers. The system provides a scalable and cost-effective solution for
ensuring KYC compliance while minimising the risk of fraud and data breaches.

7.4 Medical Image Processing

Medical image processing requires high-performance computing resources to

analyse and diagnose images. With Privasea AI Network, medical profession-
als and researchers could use a distributed network of computing resources to
process medical images while maintaining the privacy and security of patient
data. For example, a radiologist could use Privasea AI Network to process a
38

large dataset of medical images for a research study. The network could be used
to distribute the processing workload across multiple nodes, with the results
combined to improve the accuracy of the analysis. The patient data would be
encrypted and secured throughout the processing and analysis stages to protect
patient privacy.
Here’s how the proposed system would work:

– Medical images, such as X-rays or MRI scans, are encrypted using FHE
before being stored or transmitted.
– The encrypted medical images are then processed using Privasea AI Net-
work, which provides a distributed network of computing resources for AI
processing.
– The FHE-encrypted medical images are processed using AI models trained
on similarly encrypted data, preserving the privacy of the sensitive patient
information.
– Once the processing is complete, the encrypted medical images are decrypted
for use by medical professionals.

By using FHE encryption in conjunction with Privasea AI Network, medical

images can be processed securely and efficiently while protecting the privacy
of patient data. The system provides a scalable and cost-effective solution for
medical image processing that complies with privacy regulations and enhances
patient trust.

7.5 Facial Recognition

Facial recognition technology involves analysing and matching facial features to

identify individuals. However, facial data is sensitive and can be used to invade
privacy if not properly secured. To address this issue, Privasea AI Network could
use encryption techniques such as FHE to secure facial data and ensure privacy.
For example, when a user submits their facial data to the network for identifi-
cation, the data would first be encrypted using FHE. The encrypted data would
then be processed by the network’s computing resources, without ever revealing
the original facial data. The output of the processing would also be encrypted,
ensuring that only the user who submitted the original facial data could decrypt
and access the results.
In this way, facial recognition technology can be utilised on the Privasea
AI Network without compromising user privacy. By leveraging encryption, fa-
cial data remains secure and confidential, while still allowing for accurate facial
recognition analysis to be performed.

References

1. R. L. Rivest, L. M. Adleman, and M. L. Dertouzos. On data banks and privacy

homomorphisms. Foundations of Secure Compuation, 1978.
 Privasea AI Network Whitepaper 39

2. Taher El Gamal. A public key cryptosystem and a signature scheme based on

discrete logarithms. IEEE Trans. Inf. Theory, pages 469–472, 1984.
3. Pascal Paillier. Public-key cryptosystems based on composite degree residuosity
classes. EUROCRYPT’99, page 223–238. Springer-Verlag, 1999.
4. Craig Gentry. A fully homomorphic encryption scheme. 2009.
5. Craig Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings
of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, pages
169–178, New York, 2009. ACM.
6. Nigel P. Smart and Frederik Vercauteren. Fully homomorphic encryption with
relatively small key and ciphertext sizes. In Public Key Cryptography - PKC 2010,
13th International Conference on Practice and Theory in Public Key Cryptography,
pages 420–443, Heidelberg, 2010. Springer.
7. Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. Fully
homomorphic encryption over the integers. In Advances in Cryptology - EURO-
CRYPT 2010, 29th Annual International Conference on the Theory and Applica-
tions of Cryptographic Techniques, pages 24–43, Heidelberg, 2010. Springer.
8. Craig Gentry and Shai Halevi. Fully homomorphic encryption without squashing
using depth-3 arithmetic circuits. In IEEE 52nd Annual Symposium on Founda-
tions of Computer Science, FOCS, pages 107–109. IEEE Computer Society, 2011.
9. Craig Gentry and Shai Halevi. Implementing gentry’s fully-homomorphic encryp-
tion scheme. In Advances in Cryptology - EUROCRYPT 2011 - 30th Annual Inter-
national Conference on the Theory and Applications of Cryptographic Techniques,
Tallinn, Estonia, May 15-19, 2011. Proceedings, pages 129–148. Springer, 2011.
10. Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homo-
morphic encryption without bootstrapping. In Innovations in Theoretical Com-
puter Science 2012, pages 309–325, New York, 2012. ACM.
11. Zvika Brakerski. Fully homomorphic encryption without modulus switching from
classical gapsvp. In Advances in Cryptology - CRYPTO 2012 - 32nd Annual Cryp-
tology Conference, pages 868–886, Heidelberg, 2012. Springer.
12. Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryp-
tion from (standard) LWE. In IEEE 52nd Annual Symposium on Foundations of
Computer Science, FOCS 2011, Palm Springs, CA, USA, October 22-25, 2011,
pages 97–106. IEEE Computer Society, 2011.
13. Junfeng Fan and Frederik Vercauteren. Somewhat practical fully homomorphic
encryption. Cryptology ePrint Archive, Report 2012/144, 2012. https://eprint.
iacr.org/2012/144.
14. Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from
learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based.
In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference,
Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, pages 75–92.
Springer, 2013.
15. Jung Hee Cheon, Andrey Kim, Miran Kim, and Yong Soo Song. Homomorphic
encryption for arithmetic of approximate numbers. In Advances in Cryptology -
ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications
of Cryptology and Information Security, pages 409–437, Cham, 2017. Springer.
16. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. Faster
fully homomorphic encryption: Bootstrapping in less than 0.1 seconds. In Advances
in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory
and Application of Cryptology and Information Security, pages 3–33, Heidelberg,
2016. Springer.
40

17. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. Faster
packed homomorphic operations and efficient circuit bootstrapping for TFHE. In
Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on
the Theory and Applications of Cryptology and Information Security, pages 377–
408, Cham, 2017. Springer.
18. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. TFHE:
fast fully homomorphic encryption over the torus. J. Cryptol., 33(1):34–91, 2020.
19. Oded Regev. On lattices, learning with errors, random linear codes, and cryptog-
raphy. J. ACM, 56(6):34:1–34:40, 2009.
20. Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learn-
ing with errors over rings. In Advances in Cryptology - EUROCRYPT 2010, 29th
Annual International Conference on the Theory and Applications of Cryptographic
Techniques, pages 1–23, Heidelberg, 2010. Springer.
21. Léo Ducas and Daniele Micciancio. FHEW: bootstrapping homomorphic encryp-
tion in less than a second. In Advances in Cryptology - EUROCRYPT 2015 - 34th
Annual International Conference on the Theory and Applications of Cryptographic
Techniques, pages 617–640, Heidelberg, 2015. Springer.
22. Ian Goodfellow, Jean Pouget-Abadie, Mehdi Mirza, Bing Xu, David Warde-Farley,
Sherjil Ozair, Aaron Courville, and Yoshua Bengio. Generative adversarial net-
works. Communications of the ACM, 63(11):139–144, 2020.
23. Benigno Uria, Marc-Alexandre Côté, Karol Gregor, Iain Murray, and Hugo
Larochelle. Neural autoregressive distribution estimation. The Journal of Ma-
chine Learning Research, 17(1):7184–7220, 2016.
24. Aäron Van Den Oord, Nal Kalchbrenner, and Koray Kavukcuoglu. Pixel recurrent
neural networks. In International conference on machine learning, pages 1747–
1756. PMLR, 2016.
25. Ruslan Salakhutdinov and Hugo Larochelle. Efficient learning of deep boltzmann
machines. In Proceedings of the thirteenth international conference on artificial
intelligence and statistics, pages 693–700. JMLR Workshop and Conference Pro-
ceedings, 2010.
26. Mathieu Germain, Karol Gregor, Iain Murray, and Hugo Larochelle. Made: Masked
autoencoder for distribution estimation. In International conference on machine
learning, pages 881–889. PMLR, 2015.
27. Diederik P Kingma and Max Welling. Auto-encoding variational bayes. arXiv
preprint arXiv:1312.6114, 2013.
28. Tijmen Tieleman. Training restricted boltzmann machines using approximations
to the likelihood gradient. In Proceedings of the 25th international conference on
Machine learning, pages 1064–1071, 2008.
29. Alec Radford, Luke Metz, and Soumith Chintala. Unsupervised representation
learning with deep convolutional generative adversarial networks. arXiv preprint
arXiv:1511.06434, 2015.
30. Yoshua Bengio, Eric Laufer, Guillaume Alain, and Jason Yosinski. Deep gener-
ative stochastic networks trainable by backprop. In International Conference on
Machine Learning, pages 226–234. PMLR, 2014.
31. Joshua B Tenenbaum, Vin de Silva, and John C Langford. A global geometric
framework for nonlinear dimensionality reduction. science, 290(5500):2319–2323,
2000.
32. Mikhail Belkin and Partha Niyogi. Laplacian eigenmaps for dimensionality reduc-
tion and data representation. Neural computation, 15(6):1373–1396, 2003.
33. Ronald R Coifman and Stéphane Lafon. Diffusion maps. Applied and computational
harmonic analysis, 21(1):5–30, 2006.
 Privasea AI Network Whitepaper 41

34. Sam T Roweis and Lawrence K Saul. Nonlinear dimensionality reduction by locally
linear embedding. science, 290(5500):2323–2326, 2000.
35. Tianhao Zhang, Jie Yang, Deli Zhao, and Xinliang Ge. Linear local tangent space
alignment and application to face recognition. Neurocomputing, 70(7-9):1547–1553,
2007.
36. Volodymyr Mnih, Koray Kavukcuoglu, David Silver, Alex Graves, Ioannis
Antonoglou, Daan Wierstra, and Martin Riedmiller. Playing atari with deep rein-
forcement learning. arXiv preprint arXiv:1312.5602, 2013.
37. Hado Van Hasselt, Arthur Guez, and David Silver. Deep reinforcement learning
with double q-learning. In Proceedings of the AAAI conference on artificial intel-
ligence, volume 30, 2016.
38. David Silver, Guy Lever, Nicolas Heess, Thomas Degris, Daan Wierstra, and Mar-
tin Riedmiller. Deterministic policy gradient algorithms. In International confer-
ence on machine learning, pages 387–395. Pmlr, 2014.
39. Timothy P Lillicrap, Jonathan J Hunt, Alexander Pritzel, Nicolas Heess, Tom
Erez, Yuval Tassa, David Silver, and Daan Wierstra. Continuous control with
deep reinforcement learning. arXiv preprint arXiv:1509.02971, 2015.
40. John Schulman, Sergey Levine, Pieter Abbeel, Michael Jordan, and Philipp Moritz.
Trust region policy optimization. In International conference on machine learning,
pages 1889–1897. PMLR, 2015.
41. Richard S Sutton. Dyna, an integrated architecture for learning, planning, and
reacting. ACM Sigart Bulletin, 2(4):160–163, 1991.
42. Michael Janner, Justin Fu, Marvin Zhang, and Sergey Levine. When to trust
your model: Model-based policy optimization. Advances in neural information
processing systems, 32, 2019.
43. Vladimir Feinberg, Alvin Wan, Ion Stoica, Michael I Jordan, Joseph E Gonzalez,
and Sergey Levine. Model-based value expansion for efficient model-free reinforce-
ment learning. In Proceedings of the 35th International Conference on Machine
Learning (ICML 2018), 2018.