## **🧠 Privacy-Preserving Mental Health Risk Detection**

This demo project demonstrates a lightweight privacy-preserving AI system for detecting early mental health risk from short text messages using encrypted inference. We simulate a realistic healthcare scenario where patient-generated data must remain confidential—yet still usable for AI-powered triage. By combining sentence embeddings, classical machine learning, and Fully Homomorphic Encryption (FHE), we enable secure inference on encrypted inputs without revealing sensitive text.

**🔐 Key Features**

**Federated Learning Scenario**: Model is trained locally; inference is performed securely on encrypted user inputs—ideal for settings with distributed, sensitive healthcare data.


**Privacy-Preserving AI**: Raw user data never leaves the client side unencrypted—computation and risk scoring occur securely in ciphertext space.

**Sentence Embeddings**: Uses all-MiniLM-L6-v2 to convert input text into dense semantic vectors.

**Encrypted Inference with TenSEAL**: Applies the CKKS scheme to run logistic regression on encrypted embeddings.


In [None]:
!pip install sentence-transformers tenseal

**🧮 Introduction to CKKS and TenSEAL**

To enable privacy-preserving inference over sensitive clinical text, this project leverages the CKKS (Cheon-Kim-Kim-Song) scheme for approximate homomorphic encryption. Unlike traditional encryption, CKKS supports arithmetic directly on encrypted real numbers, making it ideal for machine learning workflows involving floating-point operations like dot products and linear models.

We use [TenSEAL](https://github.com/OpenMined/TenSEAL) — a Python library built on top of Microsoft SEAL — to:



*   Encrypt high-dimensional sentence embeddings (e.g., from MiniLM)
*   Perform encrypted linear inference (e.g., logistic regression)
*   Decrypt only the final result, preserving end-to-end confidentiality
*   By operating entirely on ciphertexts, TenSEAL allows computations to be outsourced to untrusted environments (e.g., cloud or remote nodes) without revealing inputs, model parameters, or intermediate results.











In [2]:
import numpy as np
import pandas as pd
from sklearn.model_selection import train_test_split
from sklearn.linear_model import LogisticRegression
from sklearn.metrics import classification_report
from sentence_transformers import SentenceTransformer

# 1. Simulate 400 labeled text messages
mental_health_texts = [
    "I feel hopeless and tired all the time.",
    "Lately, I can't concentrate and everything feels overwhelming.",
    "I barely talk to anyone and feel isolated.",
    "School is stressing me out beyond what I can handle.",
    "I have no energy to do anything, even things I used to enjoy.",
    "I feel anxious constantly, even when nothing is wrong.",
    "I'm not sleeping well and my appetite is gone.",
    "Everything feels meaningless and I just want to be left alone.",
    "I cry randomly and can't explain why.",
    "Even getting out of bed feels like a chore."
] * 20  # 200 samples

no_problem_texts = [
    "I’ve been sleeping well and enjoying my time with friends.",
    "I feel confident and motivated about my goals.",
    "I’ve been going for daily walks and eating healthy.",
    "Things at school are busy but manageable.",
    "I enjoy socializing and staying active.",
    "Life has been stable and I’m feeling grateful.",
    "I’ve been productive and focused lately.",
    "My energy levels are good and I feel optimistic.",
    "I’ve been taking care of myself and feeling balanced.",
    "Everything is going smoothly and I’m content."
] * 20  # 200 samples

texts = mental_health_texts + no_problem_texts
labels = [1]*200 + [0]*200

df = pd.DataFrame({'text': texts, 'mental_health_problem': labels})
df = df.sample(frac=1, random_state=42).reset_index(drop=True)

# 2. Encode messages into embeddings
encoder = SentenceTransformer("all-MiniLM-L6-v2")
X_embeddings = encoder.encode(df['text'].tolist())
y = df['mental_health_problem'].values

# 3. Split and train
X_train, X_test, y_train, y_test = train_test_split(X_embeddings, y, test_size=0.2, stratify=y, random_state=42)

model = LogisticRegression(max_iter=1000)
model.fit(X_train, y_train)

# 4. Evaluate
y_pred = model.predict(X_test)
print("Classification Report:\n", classification_report(y_test, y_pred))


The secret `HF_TOKEN` does not exist in your Colab secrets.
To authenticate with the Hugging Face Hub, create a token in your settings tab (https://huggingface.co/settings/tokens), set it as secret in your Google Colab and restart your session.
You will be able to reuse this secret in all of your notebooks.
Please note that authentication is recommended but still optional to access public models or datasets.


Classification Report:
               precision    recall  f1-score   support

           0       1.00      1.00      1.00        40
           1       1.00      1.00      1.00        40

    accuracy                           1.00        80
   macro avg       1.00      1.00      1.00        80
weighted avg       1.00      1.00      1.00        80



**🔓 Plaintext Inference Version**

This simplified version demonstrates the same mental health risk detection pipeline without encryption, serving as a baseline for comparison.

*   Text messages are embedded using a pretrained MiniLM model.
*   A logistic regression classifier predicts mental health risk based on those embeddings.
*   Inference is performed directly on plaintext vectors using a standard dot product.
*   Useful for validating model performance before deploying privacy-preserving encrypted inference.


In [3]:
# 5. Predict on new input (plaintext inference)
test_text = "I feel hopeless and tired all the time."
embedding = encoder.encode([test_text])[0]
score = np.dot(model.coef_[0], embedding) + model.intercept_[0]
probability = 1 / (1 + np.exp(-score))

print(f"\nPrediction probability for:\n\"{test_text}\"\n→ {probability:.4f}")
print("✅ Risk Detected" if probability > 0.5 else "✅ No Risk Detected")



Prediction probability for:
"I feel hopeless and tired all the time."
→ 0.9036
✅ Risk Detected


**🔐 Why Encryption Matters in Clinical AI: Protecting Against Embedding Leakage**



*   🔓 Note: In clinical environments, using plaintext or even unencrypted embeddings is generally not permitted, as embeddings—though not directly human-readable—can still be vulnerable to inversion or re-identification attacks.








In [4]:
from sentence_transformers import SentenceTransformer
from sklearn.metrics.pairwise import cosine_similarity
import numpy as np

# 1. Load encoder and corpus of possible texts
encoder = SentenceTransformer("all-MiniLM-L6-v2")
corpus_sentences = [
    "I feel tired and sad all the time.",
    "I'm excited about my new project.",
    "Everything feels meaningless.",
    "I can't concentrate on anything lately.",
    "I’ve been sleeping well and eating healthy.",
    "Life is overwhelming and I want to cry.",
    "My motivation is gone and I feel hopeless."
]

# 2. Encode known corpus of candidate sentences
corpus_embeddings = encoder.encode(corpus_sentences)

# 3. Simulate intercepted embedding (e.g., from a client query)
simulated_embedding = embedding = encoder.encode([test_text])[0]  # This is what gets intercepted

# 4. Attacker attempts reconstruction via cosine similarity
similarities = cosine_similarity([simulated_embedding], corpus_embeddings)
closest_idx = np.argmax(similarities)

# 5. Display result
print(f"❗ Intercepted embedding likely corresponds to:")
print(f"🔍 Closest match: \"{corpus_sentences[closest_idx]}\"")
print(f"📈 Similarity score: {similarities[0][closest_idx]:.4f}")



❗ Intercepted embedding likely corresponds to:
🔍 Closest match: "I feel tired and sad all the time."
📈 Similarity score: 0.7972




**🔐 Encrypted Inference with CKKS (TenSEAL)**

This version demonstrates inference over encrypted input using the CKKS homomorphic encryption scheme via the TenSEAL library.


*   This setup mimics a privacy-preserving inference service where sensitive user input remains encrypted throughout the prediction process—ideal for federated healthcare settings or scenarios involving untrusted compute infrastructure.
*   The input embedding (from MiniLM) is encrypted using CKKS before being sent to the model.
*   The logistic regression model performs a dot product and adds bias entirely in ciphertext space.
*   The encrypted result is decrypted only after computation, and the sigmoid function is applied client-side to produce a probability score.












In [5]:
import tenseal as ts

# 5. Setup TenSEAL encryption context
context = ts.context(
    ts.SCHEME_TYPE.CKKS,
    poly_modulus_degree=8192,
    coeff_mod_bit_sizes=[60, 40, 40, 60]
)
context.global_scale = 2 ** 40
context.generate_galois_keys()

# 6. Encrypted inference
test_text = "I feel hopeless and tired all the time."
#test_text = "I am good."
embedding = encoder.encode([test_text])[0]

encrypted_vec = ts.ckks_vector(context, embedding.tolist())

weights = model.coef_[0]
bias = model.intercept_[0]

# Compute encrypted dot product + bias
encrypted_result = encrypted_vec.dot(weights) + bias

# Decrypt and apply sigmoid
score = encrypted_result.decrypt()[0]
probability = 1 / (1 + np.exp(-score))

print(f"\nEncrypted prediction probability for:\n\"{test_text}\"\n→ {probability:.4f}")
print("✅ Risk Detected" if probability > 0.5 else "✅ No Risk Detected")


Encrypted prediction probability for:
"I feel hopeless and tired all the time."
→ 0.9036
✅ Risk Detected


**🛡️ Simulated Attacker Scenario: Why Homomorphic Encryption Prevents Data Leakage**

This section demonstrates how a malicious actor — even if they intercept the encrypted embedding or encrypted inference result — cannot extract any meaningful information.

Three common attack attempts are shown:

**🔓 Direct Inspection of Encrypted Vector**

The attacker tries to read or print the contents of the encrypted vector.
→ Fails: CKKS ciphertexts are opaque; raw values are hidden.

**🔍 Cosine Similarity Matching**

The attacker tries to compare the encrypted vector with known plaintext embeddings (e.g. via cosine similarity) to infer meaning.
→ Fails: Encrypted vectors are not compatible with NumPy or sklearn operations.

**🔑 Decryption Without Proper Context**

The attacker creates a new TenSEAL context and attempts to decrypt the ciphertext.
→ Fails: Decryption requires the original private key tied to the encryption context.

In [6]:
# 🚨 Simulated Attacker Section
print("\n🛑 Simulated Attacker Tries to Extract Information...")

try:
    print("🔓 Trying to read encrypted vector directly:")
    print(encrypted_vec)
except Exception as e:
    print("❌ Cannot read encrypted vector:", e)

try:
    print("\n🔍 Trying cosine similarity on encrypted vector:")
    from sklearn.metrics.pairwise import cosine_similarity
    cosine_similarity([encrypted_vec], [embedding])  # Invalid: encrypted_vec is not a NumPy array
except Exception as e:
    print("❌ Cosine similarity failed:", e)

try:
    print("\n🔑 Trying to decrypt without context (attacker):")
    fake_context = ts.context(
        ts.SCHEME_TYPE.CKKS,
        poly_modulus_degree=8192,
        coeff_mod_bit_sizes=[60, 40, 40, 60]
    )
    fake_vec = ts.ckks_vector(fake_context, embedding.tolist())
    _ = fake_vec.decrypt()  # Decryption fails due to missing keys
except Exception as e:
    print("❌ Decryption failed (attacker has no private key):", e)



🛑 Simulated Attacker Tries to Extract Information...
🔓 Trying to read encrypted vector directly:
<tenseal.tensors.ckksvector.CKKSVector object at 0x7bf43b98ec90>

🔍 Trying cosine similarity on encrypted vector:
❌ Cosine similarity failed: float() argument must be a string or a real number, not 'CKKSVector'

🔑 Trying to decrypt without context (attacker):
❌ Decryption failed (attacker has no private key): no global scale


🔐 **Server-Side Encrypted Inference (Logistic + Homomorphic Sigmoid)**

- **Flow**: Client encrypts `x` → sends context (no SK) + `enc(x)` → server computes `enc(z)=enc(x)·w+b` and applies degree-5 sigmoid poly → returns `enc(prob)` → client decrypts.
- **Sigmoid poly (deg-5)**: σ(x) ≈ 0.5 + 0.2159198015·x − 0.0082176259·x³ + 0.0001825597·x⁵. Odd powers preserve symmetry (σ(−x)=1−σ(x)); good accuracy near the decision boundary with modest HE depth.
- **CKKS params**: N=16384; coeff_mod_bit_sizes `[60,40,40,40,40,60]`; global_scale `2^40`. Send public + relin + Galois keys only; secret key stays client-side.
- **Security**: Server sees opaque ciphertexts and cannot decrypt or run plaintext ops; only the client can recover `p`.

🤏 **Why decrypted `p` ≠ plaintext `p` (slight drift)**
- **CKKS is approximate**: fixed-point encoding + rescale/relinearize introduce tiny rounding noise that accumulates.
- **Polynomial ≠ true sigmoid**: degree-5 adds approximation error that grows with |z|.
- **Eval schedule**: multiply/add order under HE differs from pure float64.

*Reduce drift*: calibrate logits, use a larger scale or longer chain, or refit/raise the polynomial degree if depth allows.


In [7]:
# -----------------------------------------------------------------------------
# 🔐 Encrypted logistic regression with server-side sigmoid (degree-5 poly)
#
#   Client constructs CKKS context at N=16384 with chain [60,40,40,40,40,60]
#   and global_scale=2**40, then encrypts the embedding x.
#
#   Client sends context (public/relin/galois keys only; NO secret key) + enc(x).
#
#   Server computes enc(z) = enc(x)·w + b, then approximates σ(z) with a 5th-degree
#   odd polynomial using TenSEAL's CKKSVector.polyval (ascending coefficients).
#
#   Client decrypts the resulting probability p for the final decision.
#
# About the 5th-degree approximation:
#   σ(x) ≈ 0.5 + 0.2159198015*x − 0.0082176259*x^3 + 0.0001825597*x^5
#   - Odd powers + 0.5 exploit σ(−x) = 1 − σ(x) and σ(0)=0.5.
#   - Degree-5 is a balance: good accuracy near the decision boundary with modest
#     multiplicative depth. Higher degrees cost more chain/precision.
#   - Empirically: on x∈[−4,4], max error ~4e−2; errors grow beyond |x|≈6, as all
#     low-degree polynomials eventually overshoot the [0,1] range.
#   - If your logits often exceed |6|, refit the polynomial for a wider band,
#     raise degree (if chain allows), or use piecewise/Chebyshev fits.
#
# CKKS notes:
#   - poly eval is done under encryption; TenSEAL manages rescale/relin as needed.
#   - Using zeros for even-power coefficients preserves symmetry and saves multiplies.
#   - The chosen chain length provides sufficient levels for dot + degree-5 eval.
# -----------------------------------------------------------------------------

weights = np.asarray(model.coef_[0], dtype=np.float64)
bias = float(model.intercept_[0])

# --- Choose input and compute PLAINTEXT baseline ---
test_text = "I'm hesitating"
emb = encoder.encode([test_text], convert_to_numpy=True)[0].astype(np.float64)
z_plain = float(np.dot(emb, weights) + bias)
p_plain = 1.0 / (1.0 + np.exp(-z_plain))
print(f"[PLAINTEXT] z={z_plain:.6f}  p={p_plain:.4f}")

# --- Client: TenSEAL CKKS context (bumped to N=16384 for deeper polynomial) ---
import tenseal as ts

ctx = ts.context(
    ts.SCHEME_TYPE.CKKS,
    poly_modulus_degree=16384,
    # Plenty of depth room for degree-5 polynomial:
    coeff_mod_bit_sizes=[60, 40, 40, 40, 40, 60],  # sum=280 (OK for N=16384)
)
ctx.global_scale = 2 ** 40
ctx.generate_galois_keys()
ctx.generate_relin_keys()

# Encrypt embedding
enc_vec = ts.ckks_vector(ctx, emb.tolist())

# --- Server: encrypted z = w·x + b, then sigmoid via degree-5 polynomial using polyval ---
def server_encrypted_prob(context_bytes: bytes, enc_vec_bytes: bytes,
                          weights: np.ndarray, bias: float) -> bytes:
    sctx = ts.context_from(context_bytes)
    enc_x = ts.ckks_vector_from(sctx, enc_vec_bytes)
    enc_logit = enc_x.dot(weights) + float(bias)

    # 5th-degree sigmoid approx (ascending powers for polyval):
    # σ(x) ≈ 0.5 + 0.2159198015 x − 0.0082176259 x^3 + 0.0001825597 x^5
    coeffs = [0.5, 0.2159198015, 0.0, -0.0082176259, 0.0, 0.0001825597]
    enc_prob = enc_logit.polyval(coeffs)  # TenSEAL handles rescale/relin internally
    return enc_prob.serialize()

# Send context WITHOUT secret key to server
ctx_bytes_no_sk = ctx.serialize(
    save_public_key=True, save_secret_key=False,
    save_galois_keys=True, save_relin_keys=True
)

enc_prob_bytes = server_encrypted_prob(
    ctx_bytes_no_sk,
    enc_vec.serialize(),
    weights,
    bias,
)

# --- Client decrypts (use ORIGINAL ctx that holds SK) ---
enc_prob = ts.ckks_vector_from(ctx, enc_prob_bytes)  # not a deserialized copy
p_he = float(enc_prob.decrypt()[0])

print(f"[HE DECRYPT] p={p_he:.4f}")
print("✅ Risk Detected" if p_he > 0.5 else "✅ No Risk Detected")


[PLAINTEXT] z=-0.348502  p=0.4137
[HE DECRYPT] p=0.4251
✅ No Risk Detected
