Privacy preserving split learning
Abstract
Split Learning enables collaborative model training without sharing raw data; however, its traditional form remains vulnerable because plaintext intermediate activations and gradients can leak sensitive information. These leakages enable attacks such as input reconstruction, label and property inference, and model manipulation, undermining the privacy guarantees that split learning aims to provide. This thesis addresses these limitations by designing a privacy-preserving split learning system. The proposed design inverts the conventional workflow so that labels, loss computation, and backpropagation remain entirely on the client, while all server-side computation is performed in the encrypted domain using homomorphic encryption. As a result, the server never observes plaintext activations, labels, or gradients during training, eliminating known attack surfaces. To make encrypted split learning practical, the thesis introduces an estimator that models ciphertext noise growth, bootstrapping requirements, and end-to-end runtime as functions of network architecture and split placement. The estimator jointly captures encrypted server-side computation and plaintext client-side computation, enabling noise- and budget-aware split selection without exhaustive empirical profiling. Our contributions include: (i) identifying and analyzing the components of traditional split learning that lead to privacy leakage, (ii) designing an inverted split learning system that eliminates information leakage by executing all server-side computation over encrypted data, and (iii) developing an estimator that enables the efficient use of homomorphic encryption in split learning under cryptographic and computational constraints.