CKKS ("approximate" scheme) — FHE family for real numbers. Controlled approximation noise (~10⁻⁹). It is the standard scheme for ML inference over continuous feature vectors — exactly the case of this embedding.

2 048 = ResNet-50 output — ResNet-50 (25M parameters, trained on ImageNet or a clinical dataset) produces a 2 048-activation vector at its penultimate layer. This vector captures all the diagnostically relevant information from an image of any size (224×224 to 4000×4000).

Fits in 1 ciphertext — 2 048 slots occupied out of 8 192 available. 6 144 slots remain empty. CKKS processes everything in parallel with a handful of operations.

Depth 3 — Enough for: 1 Mul (embedding × weights) + 1 InnerSum + 1 scalar Mul + Adds. The final linear classifier only consumes 2-3 levels.

RLWE base · ~128 bits — Same problem as ML-KEM/ML-DSA standardized by NIST as post-quantum cryptography.

sk (secret key) — The only one that can decrypt. It stays locked in the patient app, protected by the iPhone Secure Enclave or the Android Trusted Execution Environment.

pk (public key) — Lets anyone encrypt data to you. It is sent to the vendor. It cannot decrypt — only encrypt. Like a mailbox with a slot: anyone drops in, only you open it.

rlk (relinearization) — Lets the vendor multiply ciphertexts. Without rlk, multiplication is forbidden. With rlk, multiplication is possible without revealing anything.

Galois keys (rotation) — Enable vector-sum operations (InnerSum). Needed for the inner product of the logistic model.

Heavy CNN in cleartext, locally — Running a ResNet-50 (25M parameters, conv layers, BatchNorm, ReLU, pooling) under FHE would be orders of magnitude more expensive and infeasible in production. The industry standard solution is: run the CNN in cleartext on the patient/hospital device, where the image is already authorized.

2048-float embedding — The penultimate ResNet-50 layer is a 2048-activation vector after GlobalAveragePool. ~37% of those activations are non-zero (sparse, typical of ReLU). This vector preserves all the diagnostically relevant information for classification.

Not invertible in practice — Inverting ResNet-50 (2048 → original 16M-pixel image) is an open research problem. "Model inversion" attacks only recover generic, blurry images — never the patient's specific mammogram.

8 ms just to encrypt — Encrypting the 2048-dim vector takes ~8 ms on commodity CPU. Extracting the embedding with ResNet-50 would take ~1s on CPU or ~200ms on GPU — but it happens in cleartext, with no FHE overhead.

Pseudo-random bytes — Each ciphertext is built by adding a carefully calibrated "noise" polynomial. To any observer without the secret key, it is statistically indistinguishable from pure noise.

No fragile chain of custody — The difference vs today's model: the cleartext image passes through dozens of hops (CDN, load balancer, microservice, database, logs). Each is a leakage point. Under FHE, each hop only sees pseudo-random bytes.

Even if it leaks — If an attacker captures all the vendor's traffic for months, they still cannot extract a single image. The guarantee is mathematical, not based on "hoping no one looks".

Element-wise Mul — Multiplies each of the 2048 embedding activations by the corresponding classifier weight. CKKS runs them all in parallel in a single operation.

InnerSum over 2048 slots — Sums the 2048 products to obtain the logit (inner product + bias). Internally it uses log₂(2048) = 11 Galois rotations. It is the most expensive step of the pipeline.

Sigmoid linearization — The real sigmoid is non-linear and expensive in FHE. For a single inference where logits land in the [-2, +2] range, we approximate with a line: p ≈ 0.5 + 0.2·z. Error < 0.03 in the useful region.

79 ms total — Real measured time. Acceptable for non-emergency diagnosis. In production with FPGA/HEXL acceleration, it drops to ~10 ms.

9 decimal places — The gap between the CKKS computation and the plaintext computation is on the order of 10⁻⁹. For comparison: the sensitivity/specificity of any clinical classifier is on the order of 10⁻³. 9 decimals of precision is absurdly more than enough.

Robust threshold — Since the decision is binary (probability > 0.5 or not), tiny numerical variations do not flip the final classification. A 10⁻⁹ error would never turn a 0.51 score into 0.49.

Reproducible audit — Any independent auditor can rerun the same operation on the same encrypted embedding and get exactly the same score. Mathematical reproducibility is part of the clinical and regulatory guarantee.

Attempt: the vendor tries to read the encrypted embedding it received.

Defense: without the secret key (on the patient's device), the ciphertext bytes are pseudo-random. Recovering the cleartext embedding would require solving Ring-LWE at N=16 384 — ~2¹²⁸ operations. Infeasible.

Attempt: hypothetically, the vendor obtains the cleartext embedding (imagine a breach). It tries to invert ResNet-50 to reconstruct the image.

Defense: inverting ResNet-50 (2048 → 16 million pixels) is an open research problem. Known "model inversion" attacks (Fredrikson 2015, Zhang 2020) only recover generic, blurry images — never the patient's specific mammogram. For clinical diagnosis, the attack is absolutely insufficient.

Attempt: the vendor tries to infer the image from the final score alone (0.798).

Defense: 1 output number, 2048 features, 16 million input pixels. Massively under-determined system. Information-theoretically allows recovery of ~0 bits of the original image.

LGPD art. 11 + HIPAA — Health data is a special category. Under traditional architecture, sending a clinical image to a foreign vendor is an international transfer of sensitive data. Under FHE + local embedding, the "transfer" is mathematically null: the vendor receives pseudo-random bytes. The data was technically never shared. This is the pattern used by Owkin in Sanofi-Roche partnerships for oncology imaging.