Testing and Understanding Deviation Behaviors in FHE-Hardened Machine Learning Models

Yiteng PENG; Daoyuan WU; Zhibo LIU; Dongwei XIAO; Zhenlan JI; Juergen RAHMEL; Shuai WANG

doi:10.1109/ICSE55347.2025.00107

Testing and Understanding Deviation Behaviors in FHE-Hardened Machine Learning Models

Yiteng PENG, Daoyuan WU^*, Zhibo LIU, Dongwei XIAO, Zhenlan JI, Juergen RAHMEL, Shuai WANG^*

^*Corresponding author for this work

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

1 Citation (Scopus)

Abstract

Fully homomorphic encryption (FHE) is a promising cryptographic primitive that enables secure computation over encrypted data. A primary use of FHE is to support privacypreserving machine learning (ML) on public cloud infrastructures. Despite the rapid development of FHE-based ML (or HE-ML), the community lacks a systematic understanding of their robustness. In this paper, we aim to systematically test and understand the deviation behaviors of HE-ML models, where the same input causes deviant outputs between FHE-hardened models and their plaintext versions, leading to completely incorrect model predictions. To effectively uncover deviation-triggering inputs under the constraints of expensive FHE computations, we design a novel differential testing tool called HEDIFF, which leverages the margin metric on the plaintext model as guidance to drive targeted testing on FHE models. For the identified deviation inputs, we further analyze them to determine whether they exhibit general noise patterns that are transferable. We evaluate HEDIFF using three popular HE-ML frameworks, covering 12 different combinations of models and datasets. HEDIFF successfully detected hundreds of deviation inputs across almost every tested FHE framework and model. We also quantitatively show that the identified deviation inputs are (visually) meaningful in comparison to regular inputs. Further schematic analysis reveals the root cause of these deviant inputs and allows us to generalize their noise patterns for more directed testing. Our work sheds light on enabling robust HE-ML for real-world usage.

Original language	English
Title of host publication	Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering, ICSE 2025
Publisher	IEEE Computer Society
Pages	2251-2263
Number of pages	13
ISBN (Electronic)	9798331505691
ISBN (Print)	9798331505707
DOIs	https://doi.org/10.1109/ICSE55347.2025.00107
Publication status	Published - Jul 2025
Externally published	Yes
Event	47th IEEE/ACM International Conference on Software Engineering - Ottawa, Canada Duration: 26 Apr 2025 → 6 May 2025

Conference

Conference	47th IEEE/ACM International Conference on Software Engineering
Abbreviated title	ICSE 2025
Country/Territory	Canada
City	Ottawa
Period	26/04/25 → 6/05/25

Bibliographical note

Acknowledgement:
We thank the anonymous reviewers for their valuable feedback. We also thank the developers of the HE-ML projects we used in our evaluation.

Publisher Copyright:
© 2025 IEEE.

Funding

The HKUST authors were supported in part by a RGC GRF grant under the contract 16214723, RGC CRF grant under the contract C6015-23G, and research fund provided by HSBC.

Access to Document

10.1109/ICSE55347.2025.00107

Cite this

@inproceedings{148f4e539fda4ae6a7f4d91413a4ad02,

title = "Testing and Understanding Deviation Behaviors in FHE-Hardened Machine Learning Models",

abstract = "Fully homomorphic encryption (FHE) is a promising cryptographic primitive that enables secure computation over encrypted data. A primary use of FHE is to support privacypreserving machine learning (ML) on public cloud infrastructures. Despite the rapid development of FHE-based ML (or HE-ML), the community lacks a systematic understanding of their robustness. In this paper, we aim to systematically test and understand the deviation behaviors of HE-ML models, where the same input causes deviant outputs between FHE-hardened models and their plaintext versions, leading to completely incorrect model predictions. To effectively uncover deviation-triggering inputs under the constraints of expensive FHE computations, we design a novel differential testing tool called HEDIFF, which leverages the margin metric on the plaintext model as guidance to drive targeted testing on FHE models. For the identified deviation inputs, we further analyze them to determine whether they exhibit general noise patterns that are transferable. We evaluate HEDIFF using three popular HE-ML frameworks, covering 12 different combinations of models and datasets. HEDIFF successfully detected hundreds of deviation inputs across almost every tested FHE framework and model. We also quantitatively show that the identified deviation inputs are (visually) meaningful in comparison to regular inputs. Further schematic analysis reveals the root cause of these deviant inputs and allows us to generalize their noise patterns for more directed testing. Our work sheds light on enabling robust HE-ML for real-world usage.",

author = "Yiteng PENG and Daoyuan WU and Zhibo LIU and Dongwei XIAO and Zhenlan JI and Juergen RAHMEL and Shuai WANG",

note = "Acknowledgement: We thank the anonymous reviewers for their valuable feedback. We also thank the developers of the HE-ML projects we used in our evaluation. Publisher Copyright: {\textcopyright} 2025 IEEE.; 47th IEEE/ACM International Conference on Software Engineering, ICSE 2025 ; Conference date: 26-04-2025 Through 06-05-2025",

year = "2025",

month = jul,

doi = "10.1109/ICSE55347.2025.00107",

language = "English",

isbn = "9798331505707",

pages = "2251--2263",

booktitle = "Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering, ICSE 2025",

publisher = "IEEE Computer Society",

address = "United States",

}

PENG, Y, WU, D, LIU, Z, XIAO, D, JI, Z, RAHMEL, J & WANG, S 2025, Testing and Understanding Deviation Behaviors in FHE-Hardened Machine Learning Models. in Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering, ICSE 2025., 11029814, IEEE Computer Society, pp. 2251-2263, 47th IEEE/ACM International Conference on Software Engineering, Ottawa, Canada, 26/04/25. https://doi.org/10.1109/ICSE55347.2025.00107

Testing and Understanding Deviation Behaviors in FHE-Hardened Machine Learning Models. / PENG, Yiteng; WU, Daoyuan; LIU, Zhibo et al.
Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering, ICSE 2025. IEEE Computer Society, 2025. p. 2251-2263 11029814.

Research output: Book Chapters | Papers in Conference Proceedings › Conference paper (refereed) › Research › peer-review

TY - GEN

T1 - Testing and Understanding Deviation Behaviors in FHE-Hardened Machine Learning Models

AU - PENG, Yiteng

AU - WU, Daoyuan

AU - LIU, Zhibo

AU - XIAO, Dongwei

AU - JI, Zhenlan

AU - RAHMEL, Juergen

AU - WANG, Shuai

PY - 2025/7

Y1 - 2025/7

N2 - Fully homomorphic encryption (FHE) is a promising cryptographic primitive that enables secure computation over encrypted data. A primary use of FHE is to support privacypreserving machine learning (ML) on public cloud infrastructures. Despite the rapid development of FHE-based ML (or HE-ML), the community lacks a systematic understanding of their robustness. In this paper, we aim to systematically test and understand the deviation behaviors of HE-ML models, where the same input causes deviant outputs between FHE-hardened models and their plaintext versions, leading to completely incorrect model predictions. To effectively uncover deviation-triggering inputs under the constraints of expensive FHE computations, we design a novel differential testing tool called HEDIFF, which leverages the margin metric on the plaintext model as guidance to drive targeted testing on FHE models. For the identified deviation inputs, we further analyze them to determine whether they exhibit general noise patterns that are transferable. We evaluate HEDIFF using three popular HE-ML frameworks, covering 12 different combinations of models and datasets. HEDIFF successfully detected hundreds of deviation inputs across almost every tested FHE framework and model. We also quantitatively show that the identified deviation inputs are (visually) meaningful in comparison to regular inputs. Further schematic analysis reveals the root cause of these deviant inputs and allows us to generalize their noise patterns for more directed testing. Our work sheds light on enabling robust HE-ML for real-world usage.

AB - Fully homomorphic encryption (FHE) is a promising cryptographic primitive that enables secure computation over encrypted data. A primary use of FHE is to support privacypreserving machine learning (ML) on public cloud infrastructures. Despite the rapid development of FHE-based ML (or HE-ML), the community lacks a systematic understanding of their robustness. In this paper, we aim to systematically test and understand the deviation behaviors of HE-ML models, where the same input causes deviant outputs between FHE-hardened models and their plaintext versions, leading to completely incorrect model predictions. To effectively uncover deviation-triggering inputs under the constraints of expensive FHE computations, we design a novel differential testing tool called HEDIFF, which leverages the margin metric on the plaintext model as guidance to drive targeted testing on FHE models. For the identified deviation inputs, we further analyze them to determine whether they exhibit general noise patterns that are transferable. We evaluate HEDIFF using three popular HE-ML frameworks, covering 12 different combinations of models and datasets. HEDIFF successfully detected hundreds of deviation inputs across almost every tested FHE framework and model. We also quantitatively show that the identified deviation inputs are (visually) meaningful in comparison to regular inputs. Further schematic analysis reveals the root cause of these deviant inputs and allows us to generalize their noise patterns for more directed testing. Our work sheds light on enabling robust HE-ML for real-world usage.

UR - https://www.scopus.com/pages/publications/105010316249

U2 - 10.1109/ICSE55347.2025.00107

DO - 10.1109/ICSE55347.2025.00107

M3 - Conference paper (refereed)

AN - SCOPUS:105010316249

SN - 9798331505707

SP - 2251

EP - 2263

BT - Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering, ICSE 2025

PB - IEEE Computer Society

T2 - 47th IEEE/ACM International Conference on Software Engineering

Y2 - 26 April 2025 through 6 May 2025

ER -

Testing and Understanding Deviation Behaviors in FHE-Hardened Machine Learning Models

Abstract

Conference

Bibliographical note

Funding

Access to Document

Other files and links

Fingerprint

Cite this