Circuit privacy is a cryptographic property of a homomorphic evaluation that ensures the resulting ciphertext reveals no information about the specific function or circuit that was computed, beyond what can be inferred from the output itself. In standard homomorphic encryption, the evaluated ciphertext may leak details about the computation's structure; circuit privacy guarantees that the output is statistically indistinguishable from a fresh encryption of the result, thereby protecting proprietary model weights and architectures during encrypted inference.
Glossary
Circuit Privacy

What is Circuit Privacy?
A security property ensuring that the output of a homomorphic evaluation reveals no information about the evaluated function itself, protecting proprietary model architectures during encrypted inference.
Achieving circuit privacy typically requires the server to add controlled noise after the homomorphic computation, often through a technique called noise flooding or by integrating the privacy guarantee directly into the programmable bootstrapping step of schemes like TFHE. This property is critical for two-party scenarios where a client sends encrypted data to a server holding a secret model, ensuring the server's intellectual property—the model's topology and parameters—remains hidden even as it generates a prediction.
Key Properties of Circuit Privacy
Circuit privacy ensures that an evaluated homomorphic function reveals nothing about the function itself, protecting proprietary model architectures during encrypted inference.
Function Hiding Guarantee
The core property ensuring the evaluator learns nothing about the circuit beyond what is inferable from the output and the input size. This prevents an untrusted server from extracting proprietary model weights or architecture details during encrypted inference. It is a stronger guarantee than standard IND-CPA security, which only hides the plaintext data, not the computation being performed.
Output Distribution Indistinguishability
A circuit is private if its output distribution is computationally indistinguishable from that of a universal circuit receiving the same function description. This means the encrypted result looks identical regardless of whether a simple linear model or a complex deep neural network was evaluated. The property is formalized by requiring the existence of a simulator that can reproduce the evaluator's view without access to the private function.
Noise Flooding Technique
A primary method for achieving circuit privacy by smudging the final ciphertext with a large amount of fresh statistical noise. This drowns out the inherent noise signature that would otherwise leak information about the sequence of operations performed. The technique requires the noise bound to be superpolynomially larger than the functional noise, creating a trade-off between privacy strength and ciphertext modulus size.
Sanitization via Bootstrapping
In TFHE, programmable bootstrapping can simultaneously refresh the noise budget and sanitize the ciphertext distribution. By evaluating the decryption circuit homomorphically, the output ciphertext is re-encrypted with fresh randomness, erasing the accumulated noise pattern that encodes the computational history. This makes the output statistically independent of the evaluated function.
Separation from Standard FHE
Standard fully homomorphic encryption guarantees data privacy but not function privacy. A vanilla FHE ciphertext's noise growth pattern acts as a side channel, leaking the multiplicative depth and structure of the evaluated circuit. Circuit privacy is a distinct, optional property that must be explicitly constructed, often at a significant computational cost, to protect proprietary model IP in cloud inference scenarios.
Worst-Case vs. Average-Case Privacy
Circuit privacy can be defined with different adversarial models. Worst-case privacy guarantees indistinguishability for all possible functions and inputs, providing the strongest theoretical guarantee. Average-case or distributional privacy only requires indistinguishability for functions and inputs drawn from a specific distribution, which is often sufficient for practical machine learning deployments and can be achieved with lower overhead.
Frequently Asked Questions
Circuit privacy is a critical security property in homomorphic encryption that ensures the evaluated function remains hidden from the decrypting party. Below are the most common questions about protecting proprietary model architectures during encrypted inference.
Circuit privacy is a security property ensuring that the output of a homomorphic evaluation reveals no information about the evaluated function itself—only the result of applying that function to the encrypted input. In standard homomorphic encryption, the decrypting party receives a ciphertext that may leak structural details about the circuit that produced it. Circuit privacy guarantees that the decrypted output is indistinguishable from a fresh encryption of the result, effectively hiding whether the output came from a simple linear model or a complex deep neural network. This property is essential when a client sends encrypted data to a server for proprietary model inference and must not learn the model's architecture, weights, or depth.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding circuit privacy requires familiarity with the core homomorphic encryption primitives and noise management techniques that enable private function evaluation.
Fully Homomorphic Encryption (FHE)
The foundational cryptographic scheme enabling arbitrary computation on encrypted data. Circuit privacy is a distinct security property layered on top of FHE to hide the evaluated function, not just the input data. Standard FHE guarantees input privacy, but the output ciphertext may leak information about the circuit's topology.
Bootstrapping
A computationally intensive procedure that refreshes a ciphertext's noise budget by homomorphically evaluating the decryption circuit. In the context of circuit privacy, bootstrapping is often the critical juncture where function information can leak. Privacy-preserving bootstrapping variants add additional randomness to sanitize the output.
Programmable Bootstrapping
An extension of bootstrapping in the TFHE scheme that simultaneously resets noise and evaluates a lookup table. This operation is central to circuit privacy because it can be designed to output a ciphertext that is statistically independent of the function being evaluated, effectively sanitizing the result.
Noise Flooding
A technique that drowns out function-dependent noise patterns by adding overwhelming statistical noise to the output ciphertext. This ensures the final ciphertext distribution depends only on the result, not the computation path. Noise flooding is the primary mechanism for achieving circuit privacy in schemes like TFHE.
IND-CPA Security
Indistinguishability under Chosen-Plaintext Attack—the standard semantic security guarantee for encryption. Circuit privacy extends beyond IND-CPA by requiring that the evaluation algorithm itself does not create a side channel. An IND-CPA secure scheme can still leak function information through the noise distribution of the output.
TFHE Scheme
A fast fully homomorphic encryption scheme evaluating binary gates via blind rotation. TFHE's gate-by-gate evaluation model makes it the primary candidate for circuit privacy because noise flooding can be applied per-gate, ensuring the output ciphertext reveals nothing about which gate was evaluated.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us