BioShield is a privacy-preserving face recognition system combining Torus Fully Homomorphic Encryption (TFHE, GGSW/GLWE scheme) with Gaussian image masking and Spherical K-Means cluster routing for secure biometric identification. The server evaluates cosine similarity entirely over encrypted embeddings — no plaintext biometric data ever leaves the client — while achieving 89 ms end-to-end query latency at N=200 (LFW) with a 20.5× speedup over brute-force TFHE and 67 KB per-query communication.
Before FaceNet feature extraction, independent Gaussian noise ε ~ N(0, σ²I), σ=0.1, is added to the input image:
Î = clip(I + ε, 0, 1)
Applied at both enrollment and authentication. Under key compromise, the adversary recovers only masked embeddings {f(Î_i)}, with GAN reconstruction quality degraded by ΔSSIM = +0.015 (measured on LFW, 5 subjects). Gaussian noise at σ=0.1 is the unique Pareto-optimal masking strategy: it achieves the highest defense gain while preserving cosine similarity at 0.727 (above threshold τ=0.7).
At enrollment, feature vectors are assigned to one of K=100 cluster buckets via Spherical K-Means. At query time, the client identifies the top-3 nearest cluster centroids in plaintext (O(Kd) operations) and sends only those cluster IDs to the server. The server restricts homomorphic comparisons to M=Nk/K candidates, reducing HE computation by K/k-fold:
- N=200, K=100, k=3: M≈6 candidates, 20.5× HE speedup, 67 KB total
- N=5,749, K=100, k=3: M=172 candidates, 32.1× HE speedup, 100.7 ms total
- N=5,749, K=200, k=3: M=86 candidates, 33.3× HE speedup, 94.3 ms, 799 KB
Each enrolled embedding coefficient x̄_l is stored as a GGSW ciphertext C_l = GGSW.Enc(x̄_l; sk). The query is negacyclically twisted and packed into a single GLWE ciphertext. The server evaluates:
ct_{s_i} = Σ_{l=1}^{d} C_{i,l} ⊠ ct_{q_l}
The client decrypts scores s_i = Dec(ct_{s_i}; sk) / Δ² and outputs pid_{i*} if s_{i*} ≥ τ. Zero approximation error; 128-bit IND-CPA security under Ring-LWE.
| Metric | Value |
|---|---|
| End-to-end query latency | 89 ms |
| FaceNet inference (dominant) | 87.8 ms (98.7%) |
| HE inner-product time | 0.6 ms |
| Per-query communication | 67 KB (12.1 KB upload + 54.9 KB download) |
| HE speedup vs. brute-force | 20.5× (N=200), 32.1× (N=5,749) |
| GAN inversion ΔSSIM (Gaussian σ=0.1) | +0.015 (best among 4 strategies) |
| Masked-to-original cosine similarity | 0.727 (above τ=0.7) |
| TFHE security level | 128-bit (Ring-LWE) |
| Scaling factor Δ | 500 |
| Strategy | ΔSSIM (↑ better) | Cosine Similarity (↑ better) | Pareto-Optimal |
|---|---|---|---|
| Gaussian (σ=0.1) | +0.015 | 0.727 | ✓ |
| Random Block (40×40) | +0.003 | 0.897 | ✗ |
| Partial Occlusion (30%) | −0.007 | 0.12 | ✗ (utility lost) |
| Gaussian Blur (k=15) | +0.003 | 0.810 | ✗ |
- Python 3.10
- The
biovitecompiled TFHE extension (included asbiovite/biovite.cpython-310-x86_64-linux-gnu.so) - CPU-only (no GPU required); tested on Intel Xeon 2.10 GHz, Ubuntu 6.8.0
Install Python dependencies:
pip install -r requirements.txtpython build_database.pyDownloads LFW (~180 MB), extracts 512-d FaceNet embeddings, fits Spherical K-Means (K=100), and encrypts all templates as GGSW ciphertexts.
python run_experiment.pySequentially runs: database construction → protocol evaluation (genuine + impostor accuracy) → gradient inversion attack → GAN inversion attack.
python test_protocol.pypython reconstruction_attack.py --samples 5 # gradient inversion
python gan_inversion_attack.py --test 5 # GAN inversionpython demo/precompute_lfw.py # pre-compute demo database features
python demo/app.py # launch at http://localhost:7860The demo provides:
- Reconstruction Attack panel: visualise GAN decoder output from original vs masked features
- Enrollment panel: encrypt a face, inspect GGSW ciphertext size
- Matching panel: run the full privacy-preserving query protocol with timing breakdown
BioShield/
├── config.py System-wide parameters (K, k, Δ, τ, σ)
├── facenet_encoder.py FaceNet (InceptionResnetV1) + masking pipeline
├── image_masker.py Gaussian, block, occlusion, blur masking strategies
├── kmeans_clustering.py Spherical K-Means (fit, assign, top-k routing)
├── encryption.py BioVite TFHE wrapper (GGSW enroll, GLWE query, ⊠)
├── database.py Cluster-indexed encrypted face database
├── lfw_dataset.py LFW downloader and masked variant generator
├── build_database.py End-to-end database construction script
├── run_experiment.py Full experiment pipeline orchestrator
├── test_protocol.py Genuine/impostor accuracy evaluation
├── reconstruction_attack.py Gradient-based feature inversion attack
├── gan_inversion_attack.py GAN-based (learned decoder) inversion attack
├── requirements.txt
├── demo/
│ ├── app.py Gradio interactive demo
│ ├── gan_decoder.py Convolutional face decoder
│ └── precompute_lfw.py Batch feature extraction for demo
└── biovite/
├── __init__.py
└── biovite.cpython-310-x86_64-linux-gnu.so TFHE compiled extension
@inproceedings{bioshield2026,
title = {{BioShield}: Privacy-Preserving Face Recognition via Accelerated
Fully Homomorphic Encryption},
booktitle = {BlockSys 2026},
year = {2026},
url = {https://github.com/acpk-hash/BioShield}
}MIT License.