Skip to content
A Framework for Machine Learning on Encrypted Data
Branch: master
Clone or download
yanndupis Add normalization, checks to Conv2D attributes (#488)
* add additional normalization, checks on attributes

* move normalize_data_format to seperate file

* fix lint

* add more tests
Latest commit 183c632 May 21, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci Make linting separate task in Makefile Apr 26, 2019
bin add pylint to requirements.txt, fix make lint, pass CI, PR comments May 10, 2019
docs fix flag names in examples May 21, 2019
examples parameterize FL example with local filenames May 21, 2019
models fix mnist example with .pb file (#247) Oct 17, 2018
operations add pylint to requirements.txt, fix make lint, pass CI, PR comments May 10, 2019
tests add pylint to requirements.txt, fix make lint, pass CI, PR comments May 10, 2019
tf_encrypted Add normalization, checks to Conv2D attributes (#488) May 21, 2019
tools/gcp linting tools/ May 10, 2019
.dockerignore dont copy build artifacts when building docker container (#305) Nov 23, 2018
.gitignore queued online triple generation May 13, 2019
.pylintrc add TF .pylintrc, change Makefile to run pylint May 10, 2019 Release candidate 0.5.2-rc1 Apr 24, 2019
Dockerfile switch to docker jessie to avoid ABI compatibilities (#372) Dec 21, 2018
LICENSE Dropout Labs Inc., Contributions (#91) Sep 6, 2018
Makefile add pylint to requirements.txt, fix make lint, pass CI, PR comments May 10, 2019
NOTICE use "TF Encrypted" everywhere Feb 27, 2019 missing link May 15, 2019
docker-compose.yml Migrate (#440) Apr 24, 2019
meta.yaml Release 0.5.2 Apr 24, 2019
requirements.txt add pylint to requirements.txt, fix make lint, pass CI, PR comments May 10, 2019 add pylint to requirements.txt, fix make lint, pass CI, PR comments May 10, 2019

TF Encrypted

TF Encrypted is a Python library built on top of TensorFlow for researchers and practitioners to experiment with privacy-preserving machine learning. It provides an interface similar to that of TensorFlow, and aims at making the technology readily available without first becoming an expert in machine learning, cryptography, distributed systems, and high performance computing.

In particular, the library focuses on:

  • Usability: The API and its underlying design philosophy make it easy to get started, use, and integrate privacy-preserving technology into pre-existing machine learning processes.
  • Extensibility: The architecture supports and encourages experimentation and benchmarking of new cryptographic protocols and machine learning algorithms.
  • Performance: Optimizing for tensor-based applications and relying on TensorFlow's backend means runtime performance comparable to that of specialized stand-alone frameworks.
  • Community: With a primary goal of pushing the technology forward the project encourages collaboration and open source over proprietary and closed solutions.
  • Security: Cryptographic protocols are evaluated against strong notions of security and known limitations are highlighted.

See below for more background material, explore the examples, or visit the documentation to learn more about how to use the library. You are also more than welcome to join our Slack channel for all questions around use and development.

Status License PyPI CircleCI Badge Documentation


TF Encrypted is available as a package on PyPI supporting Python 3.5+ and TensorFlow 1.12.0+ which can be installed using:

pip3 install tf-encrypted

Alternatively, installing from source can be done using:

git clone
cd tf-encrypted
pip3 install -r requirements.txt
pip3 install -e .

This latter is useful on platforms for which the pip package has not yet been compiled but is also needed for development. Note that this will get you a working basic installation, yet a few more steps are required to match the performance and security of the version shipped in the pip package, see the installation instructions.

Custom build of TensorFlow For 1.12.0

TF Encrypted officially supports TensorFlow 1.13.1 but if you have a need to run on 1.12.0 and want to take advantage of the int64 tensor speed improvements you'll have to make use of a custom build.

Such builds are available for macOS and Linux as a temporary solution until the next official release of TensorFlow is out (version 1.13), but no guarantees are made about them and they should be treated as pre-alpha. See more in the installation instructions.


The following is an example of simple matmul on encrypted data using TF Encrypted:

import tensorflow as tf
import tf_encrypted as tfe

def provide_input():
    # normal TensorFlow operations can be run locally
    # as part of defining a private input, in this
    # case on the machine of the input provider
    return tf.ones(shape=(5, 10))

# define inputs
w = tfe.define_private_variable(tf.ones(shape=(10,10)))
x = tfe.define_private_input('input-provider', provide_input)

# define computation
y = tfe.matmul(x, w)

with tfe.Session() as sess:
    # initialize variables
    # reveal result
    result =

For more information, check out the documentation or the examples.


  • High-level APIs for combining privacy and machine learning. So far TF Encrypted is focused on its low-level interface but it's time to figure out what it means for interfaces such as Keras when privacy enters the picture.

  • Tighter integration with TensorFlow. This includes aligning with the upcoming TensorFlow 2.0 as well as figuring out how TF Encrypted can work closely together with related projects such as TF Privacy and TF Federated.

  • Support for third party libraries. While TF Encrypted has its own implementations of secure computation, there are other excellent libraries out there for both secure computation and homomorphic encryption. We want to bring these on board and provide a bridge from TensorFlow.

Background & Further Reading

The following texts provide further in-depth presentations of the project:

Project Status

TF Encrypted is experimental software not currently intended for use in production environments. The focus is on building the underlying primitives and techniques, with some practical security issues postponed for a later stage. However, care is taken to ensure that none of these represent fundamental issues that cannot be fixed as needed.

Known limitations

  • Elements of TensorFlow's networking subsystem does not appear to be sufficiently hardened against malicious users. Proxies or other means of access filtering may be sufficient to mitigate this.


Don't hesitate to send a pull request, open an issue, or ask for help! You can do so either via GitHub or by joining our Slack channel. Check out our contribution guide for more information!

The project was originally started by Morten Dahl but has since benefitted enormously from the efforts of several contributors, most notably Dropout Labs and members of the OpenMined community (in alphabetical order):


Licensed under Apache License, Version 2.0 (see LICENSE or Copyright as specified in NOTICE.

You can’t perform that action at this time.