VHENN：基于环上零知识证明协议的可验证同态加密神经网络推理方案

In recent years, neural network inference services such as ChatGPT and DeepSeek have provided small and medium-sized enterprises and individuals with access to advanced AI capabilities without requiring massive datasets or extensive computational power. These services have made it possible to harness the representation power of neural networks across a wide range of applications, from natural language processing to image recognition, enabling users to achieve sophisticated results with minimal technical expertise. However, the widespread adoption of these services has raised significant privacy concerns, particularly in scenarios where sensitive user data is involved. Two critical issues arise in neural network inference services that must be addressed: (1) ensuring that users' data and inference results are protected from potential leaks during the inference process, and (2) providing a mechanism for verifying the authenticity of models and correctness of inference results while preserving the privacy of the model itself. To address these challenges, cryptographic techniques such as Homomorphic Encryption (HE) and Secure Multiparty Computation (MPC) have been explored to safeguard user data and inference results, enabling computations on encrypted or shared data without exposing sensitive information. However, despite these advances, neither HE nor MPC alone can address the dual requirements of privacy preservation and verifiability in neural network inference. Zero-Knowledge Proofs (ZKPs) have been introduced to ensure the verifiability of models and inference results without revealing sensitive model details, but integrating these cryptographic tools into a single, cohesive framework that addresses both privacy and verifiability remains an open challenge. In this paper, we propose VHENN (Verifiable Homomorphic Encrypted Neural Network Inference Scheme), a novel scheme that combines homomorphic encryption and zero-knowledge proofs to provide a solution for both privacy and verifiability in neural network inference. Our approach is built on Rinocchio, a Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) protocol, which is tailored for ring circuits. Rinocchio is particularly well-suited for verifiable with homomorphic encryption schemes due to its compatibility with schemes based on ring polynomials. By leveraging Rinocchio, we achieve verifiability of homomorphically encrypted computations, allowing us to confirm the verifiability of encrypted computations without revealing the underlying computed data. The core innovation of VHENN lies in its ability to integrate verifiable homomorphic encryption with neural network inference. This integration ensures that user data, models and inference results are fully protected during the inference process, while also providing verifiable guarantees of model authenticity and result correctness. Furthermore, the scheme addresses the efficiency challenges associated with combining homomorphic encryption and zero-knowledge proofs. Specifically, our approach takes advantage of the Single Instruction, Multiple Data (SIMD) feature of homomorphic encryption, which allows multiple operations to be performed simultaneously on encrypted data. This significantly reduces the number of constraints in the construction of zero-knowledge proofs, cutting them by 1 to 3 orders of magnitude compared to non-SIMD solutions. Experimental results demonstrate the effectiveness of VHENN in reducing computational overhead. Compared to other privacy-preserving inference schemes, VHENN achieves substantial improvements in the computation time required for trusted setup, proof generation, and verification—by more than 4 orders of magnitude.