Standard machine learning requires plaintext access to data. Every training example, every inference input, every intermediate activation exists as unencrypted numbers in memory. PPML replaces this assumption with cryptographic protocols that achieve the same computational results without exposing the underlying data to any party except the data owner.
The Three Pillars of PPML
Each PPML technique provides a different privacy guarantee with different performance characteristics. Understanding the tradeoffs is essential for choosing the right approach — or for understanding why combining them yields the strongest result.
Fully Homomorphic Encryption (FHE)
FHE allows a server to compute on encrypted data without decrypting it. The data owner encrypts their input locally, sends the ciphertext to the server, and the server performs the computation — matrix multiplications, inner products, comparisons — entirely on ciphertext. The encrypted result is returned to the data owner, who decrypts it locally. At no point does the server see plaintext.
The mathematical foundation is polynomial ring arithmetic. Data is encoded into polynomials over finite fields, and encryption adds structured noise. Addition and multiplication on the ciphertext polynomials correspond to addition and multiplication on the plaintext values. The noise grows with each operation, but modern leveled FHE schemes (like BFV and CKKS) carefully manage noise budgets to complete complex computations without bootstrapping.
Privacy guarantee: The server learns nothing about the input or output. Even a complete server compromise reveals only ciphertext that is computationally indistinguishable from random data.
Best for: Single-server inference, biometric matching, encrypted database queries, fraud detection on encrypted transactions.
Zero-Knowledge Proofs (ZK)
Zero-knowledge proofs allow one party (the prover) to convince another party (the verifier) that a statement is true without revealing any information beyond the truth of the statement itself. In the PPML context, ZK proofs verify that a computation was performed correctly on private data without exposing what that data is.
For example, a ZK proof can demonstrate that a biometric match score exceeds a threshold without revealing the score, the template, or the probe. The verifier knows only that the authentication succeeded or failed — nothing about the biometric data itself.
H33 uses ZK-STARKs (Scalable Transparent Arguments of Knowledge), which provide post-quantum security because they rely on hash functions rather than elliptic curve assumptions. STARK proofs are larger than SNARK proofs but require no trusted setup and resist quantum attacks.
Privacy guarantee: The verifier learns only the truth of the statement. No information about the witness (private data) is revealed.
Best for: Compliance proofs (age verification, accreditation checks), audit trails, credential verification without data disclosure.
Secure Multi-Party Computation (MPC)
MPC distributes a computation across multiple parties such that no single party sees the complete input. Each party holds a share of the data, performs local computation on their share, and the results are combined to produce the final output. Even if a subset of parties collude, they cannot reconstruct the original data.
In a typical 2-party MPC setting, the data owner splits their input into random shares and sends one share to each computation server. Each server processes its share independently. The shares are recombined only at the data owner's end. Neither server alone can reconstruct the input.
Privacy guarantee: No single party (or a threshold of colluding parties) learns anything beyond their prescribed output.
Best for: Collaborative analytics across organizations, federated model training, joint fraud detection between banks that cannot share raw customer data.
Why H33 Combines All Three
Each technique has limitations when used alone. FHE provides the strongest single-server privacy but cannot prove computation correctness to a third party. ZK proofs verify correctness but do not encrypt the computation itself. MPC distributes trust but requires multiple non-colluding servers.
H33's production pipeline combines all three in a single API call. FHE encrypts the data and performs the computation on ciphertext. A ZK-STARK proof attests that the FHE computation was performed correctly — that the server did not substitute a fake result. A Dilithium (ML-DSA) post-quantum signature binds the proof to the batch, providing a tamper-proof audit trail that survives quantum attacks.
This triple-layer architecture delivers three simultaneous guarantees: the data is never exposed (FHE), the computation is verifiably correct (ZK), and the attestation is quantum-resistant (Dilithium). No single technique provides all three.
Production Performance
The combined pipeline completes in 1,232 microseconds per 32-user batch: 939 microseconds for FHE computation, 291 microseconds for Dilithium attestation, and 0.059 microseconds for cached ZK-STARK lookup. That is 38.5 microseconds per individual authentication — faster than a typical DNS lookup.
H33 sustains 2,172,518 authentications per second on a single AWS Graviton4 instance. The per-authentication cost is less than one millionth of a cent. Privacy-preserving machine learning is no longer a research topic. It is a production capability at commodity pricing.