Every AI model is only as valuable as the data it trains on. And that training data—medical records, biometric templates, financial transactions, customer PII—represents the most sensitive information an organization holds. The paradox: the data must be accessible enough for the model to learn from it, yet protected enough that a breach does not expose millions of records.
Most organizations solve this by building walls around the data. Access controls restrict who can reach the training cluster. Data vaults encrypt datasets at rest. Anonymization strips identifiers before training begins. These measures reduce risk. They do not eliminate it. The model still processes plaintext during training. That plaintext window—where data exists unencrypted in GPU VRAM, CPU cache, and system memory—is where breaches happen.
Four Threat Vectors for AI Training Data
Understanding what you are defending against determines which security measures actually matter. AI training data faces four distinct threat vectors, each exploiting a different stage of the pipeline.
1. Data Exfiltration
The most direct attack: someone steals the training dataset. This can happen through a compromised storage account, a rogue employee with access to the data lake, a misconfigured S3 bucket, or a supply chain attack on a data processing tool. The 2024 National Public Data breach exposed 2.9 billion records after a threat actor accessed an unprotected database of Social Security numbers, addresses, and birth dates used for background-check services.
Encryption at rest protects against some exfiltration scenarios. But if the training pipeline decrypts the data into a shared compute environment—which it must for plaintext training—any process with memory access can read it.
2. Model Memorization
Neural networks memorize training data. This is not a bug; it is how they learn. The problem is that memorized data can be extracted. Researchers have demonstrated that GPT-style models will reproduce training examples verbatim when prompted correctly. A model trained on medical records may regurgitate patient diagnoses. A model trained on financial data may leak transaction details.
Differential privacy adds noise to mitigate memorization, but it degrades model accuracy. And it does nothing to protect the data during training—only the outputs afterward.
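The noise-versus-accuracy trade-off can be made concrete. The sketch below shows the standard DP-SGD recipe (per-sample gradient clipping followed by calibrated Gaussian noise) in NumPy; the function name and parameter values are illustrative, not taken from any specific library.

```python
import numpy as np

def privatize_gradients(per_sample_grads, clip_norm=1.0, noise_multiplier=1.1, rng=None):
    """DP-SGD step: clip each per-sample gradient to clip_norm,
    average, then add Gaussian noise scaled to the clipping bound."""
    rng = rng or np.random.default_rng(0)
    clipped = []
    for g in per_sample_grads:
        norm = np.linalg.norm(g)
        clipped.append(g * min(1.0, clip_norm / (norm + 1e-12)))  # bound each sample's influence
    mean_grad = np.mean(clipped, axis=0)
    noise = rng.normal(0.0, noise_multiplier * clip_norm / len(per_sample_grads),
                       size=mean_grad.shape)
    return mean_grad + noise  # what the optimizer sees: signal plus privacy noise

grads = [np.array([3.0, 4.0]), np.array([0.3, 0.4])]  # norms 5.0 and 0.5
noisy = privatize_gradients(grads)
```

Note what this does and does not protect: the released gradient is noised, but the raw per-sample gradients still exist in plaintext memory while the clipping runs, which is exactly the gap the article describes.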
3. Data Poisoning
Adversaries inject malicious data into training sets to corrupt model behavior. Poisoned data can cause a fraud detection model to ignore specific transaction patterns, a biometric system to accept forged templates, or a content moderation model to miss targeted categories. Poisoning attacks are difficult to detect because the malicious samples look normal individually—their effect only manifests in aggregate model behavior.
4. Unauthorized Access
Training pipelines run on shared infrastructure: cloud VMs, Kubernetes clusters, managed ML platforms. Every component in the chain—data loaders, preprocessing scripts, training frameworks, logging systems—has potential access to plaintext data. A compromised dependency, a logging library that captures input tensors, or an observability agent that snapshots memory can expose training data without anyone detecting it. The attack surface is not the model. It is the entire infrastructure stack underneath it.
Why Access Controls Are Not Enough
Access controls answer the question: who can reach the data? They do not answer: what happens to the data once it is reached? A training job running with valid credentials decrypts data into memory, processes it across GPUs, writes intermediate tensors to disk, logs metrics that may contain data fragments, and produces model checkpoints that encode training examples.
Even with perfect access controls, the data exists in plaintext across dozens of locations during a single training run. Encrypting it at rest protects the storage layer. TLS protects the network layer. Neither protects the compute layer. And the compute layer is where AI training happens.
Traditional encryption requires decryption before computation. AI requires computation on data. Therefore, traditional encryption and AI computation are fundamentally incompatible. The data must be unprotected at the exact moment it is most valuable—during processing.
How FHE Training Works
Fully homomorphic encryption solves this by making decryption unnecessary. FHE encodes data into polynomial rings where mathematical operations on ciphertext produce results identical to operations on plaintext: addition and multiplication on encrypted values correspond exactly to addition and multiplication on the underlying data. The core AI training operations (gradient calculations, matrix multiplications, loss computations) decompose into additions and multiplications, and non-polynomial steps such as activation functions can be approximated by low-degree polynomials that do. The entire training loop can therefore run on encrypted data.
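The core property, that arithmetic on ciphertext matches arithmetic on plaintext, can be demonstrated with a toy symmetric LWE scheme. This is a pedagogical sketch only: the parameters are tiny, the scheme is not secure, and it is not BFV, but the homomorphic-addition mechanics are the same shape.

```python
import numpy as np

# Toy symmetric LWE encryption (pedagogical only -- tiny parameters, no security).
# Enc(m): pick random vector a and small noise e; b = <a, s> + e + Delta*m (mod q).
# Adding two ciphertexts component-wise yields an encryption of m1 + m2.
q = 2**20          # ciphertext modulus
t = 16             # plaintext modulus
Delta = q // t     # scaling factor separating message from noise
n = 8              # secret-key dimension
rng = np.random.default_rng(1)
s = rng.integers(0, q, size=n)            # secret key

def encrypt(m):
    a = rng.integers(0, q, size=n)
    e = int(rng.integers(-4, 5))          # small noise term
    b = (int(a @ s) + e + Delta * m) % q
    return a, b

def decrypt(ct):
    a, b = ct
    noisy = (b - int(a @ s)) % q
    return round(noisy / Delta) % t       # rounding absorbs the noise

def add(ct1, ct2):
    a1, b1 = ct1; a2, b2 = ct2
    return (a1 + a2) % q, (b1 + b2) % q   # homomorphic addition

c1, c2 = encrypt(3), encrypt(5)
assert decrypt(add(c1, c2)) == 8          # Enc(3) + Enc(5) decrypts to 3 + 5
```

Homomorphic multiplication is where real schemes like BFV earn their complexity: each multiplication grows the noise term, and managing that growth is what the production optimizations in the next section are for.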
The training pipeline changes as follows. The data owner encrypts the training dataset locally using their FHE keys. The encrypted dataset is sent to the training infrastructure. The training job runs standard operations—forward passes, backpropagation, weight updates—but every operation targets ciphertext instead of plaintext. The training infrastructure never sees the raw data. It never sees intermediate values. It produces encrypted model weights that, when decrypted by the data owner, are mathematically identical to weights trained on plaintext.
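The role separation in that pipeline can be sketched end to end. The example below stands in for FHE with a toy additively homomorphic one-time pad mod q (pedagogical only: it supports a single aggregation, not general training, and is not secure FHE), but the trust boundary is the same: keys never leave the data owner, and the compute side touches only ciphertext.

```python
import random

# Toy additively homomorphic scheme: Enc(x) = (x + k) mod q.
# Not real FHE -- used only to show where each party stands in the pipeline.
q = 2**32

# --- data owner: holds keys, encrypts locally ---
data = [12, 7, 30, 1]
keys = [random.randrange(q) for _ in data]
encrypted = [(x + k) % q for x, k in zip(data, keys)]   # only this leaves the owner

# --- untrusted compute: sees ciphertext, never plaintext or keys ---
encrypted_sum = sum(encrypted) % q                      # computes directly on ciphertext

# --- data owner: decrypts the returned result ---
result = (encrypted_sum - sum(keys)) % q
assert result == sum(data)                              # matches the plaintext computation
```

In the real pipeline the "untrusted compute" stage runs full forward and backward passes over BFV ciphertexts, but the ownership of keys and the direction of data flow are exactly as above.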
This eliminates three of the four threat vectors at the infrastructure level by construction. Exfiltration yields only ciphertext indistinguishable from random noise. Memorization still occurs inside the model, but the memorized content lives in encrypted weights that cannot be probed or reversed without the decryption key, which only the data owner holds. Unauthorized access to the compute layer exposes only encrypted tensors. Data poisoning remains a separate challenge that requires input validation, but the attack surface is dramatically reduced because the adversary cannot inspect the data they are trying to poison.
H33's Approach to Secure AI Training Data
H33 implements the BFV fully homomorphic encryption scheme with production-grade optimizations that make encrypted computation viable at scale. The core pipeline processes encrypted operations at 38.5 microseconds each—fast enough for real-time inference and practical for training workloads.
Key technical elements that make this work:
- Montgomery NTT with Harvey lazy reduction — eliminates modular division from the hot path. Butterfly values remain in [0, 2q) between stages, deferring reduction. This alone provides a 20x speedup over textbook implementations.
- SIMD batching — 32 independent data points packed into a single ciphertext using CRT-based slot encoding. One encrypted operation processes 32 samples simultaneously.
- ZK-STARK proof of correct computation — every encrypted operation produces a zero-knowledge proof that the computation was performed correctly on the ciphertext. The data owner can verify results without trusting the training infrastructure.
- Dilithium post-quantum signatures — all proofs and results are signed with ML-DSA (FIPS 204) lattice-based signatures that resist both classical and quantum attacks.
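The SIMD batching bullet rests on CRT slot encoding, which a toy integer version makes concrete. Real BFV batching does this inside a polynomial ring rather than over coprime integers, but the principle is identical: one operation on the packed value acts on every slot at once. The moduli below are arbitrary illustrative choices.

```python
# Toy CRT "slot" batching: pack one value per coprime modulus into a single
# integer, then operate once on the packed integer to touch every slot.
from math import prod

slot_moduli = [97, 101, 103, 107]          # pairwise coprime -> four slots
M = prod(slot_moduli)

def pack(values):
    """CRT-combine one value per slot into a single integer mod M."""
    x = 0
    for v, p in zip(values, slot_moduli):
        n = M // p
        x = (x + v * n * pow(n, -1, p)) % M  # standard CRT reconstruction
    return x

def unpack(x):
    return [x % p for p in slot_moduli]

a = pack([1, 2, 3, 4])
b = pack([10, 20, 30, 40])
# One addition / one multiplication on the packed values acts slot-wise:
assert unpack((a + b) % M) == [11, 22, 33, 44]
assert unpack((a * b) % M) == [10, 40, 90, 53]   # 4*40 = 160 wraps mod 107 to 53
```

The wraparound in the last slot is the catch: slot arithmetic is modular, so plaintext values must stay within the slot modulus for results to be exact, which is why BFV parameter selection matters.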
The entire stack—FHE encryption, ZK proof generation, and post-quantum signing—runs in a single API call. No GPU required. One ARM CPU (AWS Graviton4) sustains 2,172,518 operations per second. Per-operation cost is less than $0.000001.
Securing AI training data is not about building better walls around plaintext. It is about eliminating plaintext from the pipeline entirely. FHE makes this mathematically possible. H33 makes it operationally practical—at microsecond latencies and million-operation-per-second throughput.