Efficient and Privacy-Preserving Decision Tree Inference via Homomorphic Matrix Multiplication and Leaf Node Pruning

Abstract

Cloud computing is widely used by organizations and individuals to outsource computation and data storage. With the growing adoption of machine learning as a service (MLaaS), machine learning models are being increasingly deployed on cloud platforms. However, operating MLaaS on the cloud raises significant privacy concerns, particularly regarding the leakage of sensitive personal data and proprietary machine learning models. This paper proposes a privacy-preserving decision tree (PPDT) framework that enables secure predictions on sensitive inputs through homomorphic matrix multiplication within a three-party setting involving a data holder, a model holder, and an outsourced server. Additionally, we introduce a leaf node pruning (LNP) algorithm designed to identify and retain the most informative leaf nodes during prediction with a decision tree. Experimental results show that our approach reduces prediction computation time by approximately 85% compared to conventional protocols, without compromising prediction accuracy. Furthermore, the LNP algorithm alone achieves up to a 50% reduction in computation time compared to approaches that do not employ pruning.

1. Introduction

It has been a long time since data was referred to as “the oil of the 21st century”. Today, many of the world’s most valuable companies thrive by collecting and monetizing vast amounts of data. However, such data often include sensitive personal information, making it inaccessible for public or collaborative use—not only due to commercial interests but also to mitigate privacy risks. Despite the significant potential of data sharing in addressing pressing societal challenges such as crime prevention, public health, and elder care, privacy concerns continue to severely limit the practical use of sensitive datasets across institutional boundaries. To address this challenge, privacy-preserving machine learning (PPML) has emerged as a key paradigm for enabling data-driven insights without compromising confidentiality.

One of the most prominent PPML frameworks is federated learning (FL) [1], which allows multiple parties to collaboratively train machine learning models without sharing their raw data. Each participant trains a local model and shares only model updates with a central server, preserving data privacy. However, FL assumes that participants have sufficient computational capacity for local training. In many real-world settings, particularly for devices or institutions with limited resources, local computation must be outsourced, raising new privacy concerns–even under semi-honest threat models.

This paper focuses on another type of PPML scenario in which a local entity securely outsources prediction computations. In our setting, both the data and the model remain encrypted, ensuring the confidentiality of sensitive user input and the intellectual property of the model provider. This setup is especially effective in protecting against model inversion attacks [2], which constitute a well-known vulnerability in machine learning-as-a-service (MLaaS) platforms. To implement secure outsourced prediction, we employ homomorphic encryption (HE) [3], particularly in its somewhat homomorphic variant, named somewhat homomorphic encryption (SHE) [4], which supports a limited number of encrypted additions and multiplications with significantly improved efficiency over fully homomorphic schemes. This enables practical encrypted inference in real-world scenarios. Among the various machine learning models, decision trees are particularly attractive for privacy-preserving inference due to their interpretability and low computational cost. As a result, a growing body of research has focused on designing cryptographic protocols for privacy-preserving decision tree (PPDT) inference that minimize both communication and computational overhead while preserving privacy.

1.1. Related Work

Existing PPDT protocols can be broadly classified based on the cryptographic primitives they employ.

HE-based protocols: 

HE supports computation over encrypted data without requiring decryption. Akavia et al. [5] used low-degree polynomial approximations to support non-interactive inference with communication costs independent of tree depth. Frery et al. [6], Hao et al. [7], and Shin et al. [8] adopted the TFHE, BFV, and CKKS schemes, respectively, for efficient computation with low multiplicative depth. Cong et al. [9] reported ciphertext size comparisons and proposed homomorphic traversal algorithms across various commonly used HE schemes. Most existing HE-based PPDT protocols are designed for two-party settings, similar to the linear-function-based scheme proposed by Tai et al. [10].

Protocols based on other cryptographic primitives: 

Zheng et al. [11] employed additive secret sharing in a two-server setting, ensuring that no single party gained access to both the model and the data, while maintaining low communication overhead. MPC-based approaches, such as those reported b Wu et al. [12], combine additive HE with oblivious transfer (OT), offering strong privacy guarantees but often suffering from scalability issues, particularly with deep trees. Differential privacy (DP), although more commonly used during training [13], can complement cryptographic inference methods by adding noise to outputs to mask sensitive patterns. However, DP typically compromises utility and operates orthogonally to encrypted inference techniques.

Within this landscape, several notable HE-based PPDT approaches stand out. Tai et al. [10] proposed a prediction protocol using linear functions and DGK-based integer comparison [14], reducing complexity at the cost of requiring bitwise encryption. Lu et al. [15] enhanced efficiency via the XCMP protocol, based on Ring-LWE SHE, although it struggled with large input bit lengths and unstable ciphertexts. Saha and Koshiba [16] addressed this with SK17, encoding integer bits as polynomial coefficients to support larger comparisons. Wang et al. [17] further improved SK17 by introducing a faster comparison protocol and a non-interactive variant with reduced ciphertext functionality.

Despite these advancements, existing protocols still face challenges in simultaneously achieving high efficiency, scalability, low communication overhead, and full tree structure confidentiality—especially under realistic semi-honest adversary models.

1.2. Our Contributions

To overcome the above-mentioned limitations, we propose a novel three-party PPDT inference protocol that achieves secure, structure-hiding, and communication-efficient decision tree predictions over encrypted data and models. The key innovations of our work are as follows:

• Homomorphic matrix multiplication-based inference: Departing from polynomial approximation and linear path evaluation methods [10], we introduce homomorphic matrix multiplication as the primary operation for encrypted path computation. This novel application supports structured and scalable evaluation of encrypted inputs.
• Leaf node pruning during inference: We propose leaf node pruning at inference time, a novel runtime optimization that reduces the number of nodes involved in computation, significantly improving performance. Unlike traditional model pruning during training, this technique operates during encrypted inference.
• Structure-hiding inference protocol: The decision tree structure—including internal nodes and branching conditions—is fully hidden from both the client and the server. By ensuring that all path computations are homomorphically encrypted, the protocol mitigates leakage risks present in prior PPDT methods.
• Semi-interactive three-party architecture: Our protocol requires only one round of interactive communication between the data holder (client) and the outsourced server. No interaction is required from the model holder during inference. This design enables low-latency, real-world deployment scenarios.

To achieve these properties, we adopt the efficient integer comparison protocol by Wang et al. [17] and the homomorphic matrix multiplication techniques from [18,19] for encrypted path evaluation. By integrating homomorphic matrix multiplication, inference-time leaf node pruning, and tree structure hiding into a semi-interactive three-party framework, our method enables efficient, secure, and practical decision tree inference in untrusted environments. We evaluated the proposed PPDT protocol on standard UCI datasets [20] to demonstrate its performance and practicality.

The algorithm design is detailed in Section 3, the experimental results are presented in Section 4, and the conclusions are provided in Section 5.

2. Preliminaries

In this section, we summarize the related approaches used in our proposal. In Section 2.1, we first review the concept of decision tree and the approach of decision tree classification via the linear function that was introduced by Tai et al. in [10], which was concerned with two kinds of secure computations—comparison at each node of tree and linear function calculation for prediction. We focus on how to improve the efficiency of the above two operations:

• Comparison: We use Wang et al.’s protocol [17] instead of the DGK approach [14] to improve the efficiency of secure comparison in each node.
• Prediction: We use secure inner product/matrix multiplication to replace linear function in order to outsource prediction while maintaining the tree model secret.

Therefore, we recall the secure comparison scheme proposed by Wang et al. [17] in Section 2.2 and the secure matrix multiplication introduced by Doung et al. [18] in Section 2.3. The two schemes are both constructed on the ring-LWE-based homomorphic encryption (see Appendix A for details). The notations in this paper are listed in Notations Section.

2.1. Existing Decision Tree Classification

2.1.1. Decision Tree

Figure 1 presents an example of a decision tree. The decision tree $\mathcal{T}:{\mathbb{Z}}^N\to \mathbb{Z}$ is a function that takes as input the feature vector $X=[X_0,\dots ,X_i,\dots ,X_{N-1}]$ and outputs the class $\mathcal{T}\left(X\right)\in \left\{c_j\right\}$ to which X belongs. Generally, the feature vector space is ${\mathbb{R}}^N$; however, in this paper, we denote it as ${\mathbb{Z}}^N$ because the input is the encrypted attribute data. This paper’s decision tree is a binary tree and consists of two types of nodes: decision nodes and leaf nodes. The decision node $D_j$ outputs a Boolean value $b_j=$$\mathbb{1}$$\{X_{{\lambda }_j}>t_j\}$ where ${\lambda }_j\in \left[N\right]$ is the feature vector’s index, and $t_j$ is the threshold. A leaf node $L_k$ holds the output value $\mathsf{score}\left(L_k\right)\in \mathcal{C}=\{C_0,\dots ,C_{K-1}\}$. In a binary tree, there are m decision nodes and $m+1$ leaf nodes. For example, Figure 1 shows the case of $K=3, m=3$, $\mathsf{score}\left(L_1\right)=C_0,$$\mathsf{score}\left(L_2\right)=C_1, \mathsf{score}\left(L_3\right)=C_0, \mathsf{score}\left(L_4\right)=C_2$.

Figure 1. Decision tree example.

2.1.2. Decision Tree Classification via Linear Function [10]

The Boolean output of the decision node $D_j$, $b_j=1\left(0\right)$ indicates that the next node is the left (right) child. For edges ${\mathsf{e}}_{j,0}$ and ${\mathsf{e}}_{j,1}$, respectively connecting to the left child and the right child from the decision node $D_j$, we define the corresponding edge cost $\mathsf{ec}$ as follows:

$${\mathsf{ec}}_{j,0}:=1-b_j,{\mathsf{ec}}_{j,1}:=b_j.$$

(1)

From the root node of the decision tree to each leaf node, only one path is determined. We define the path cost ${\mathsf{pc}}_k$ as the sum of the edge costs in ${\mathsf{Path}}_k$—the path from root node to the leaf node $L_k$. The edge cost ${\mathsf{ec}}_{j,0}$ and ${\mathsf{ec}}_{j,1}$ are determined by $b_j$, which is the comparison result of decision node $D_j$. Thereafter, the path cost for each leaf node is defined by a linear function of $b_j$. For example, the following ${\mathsf{pc}}_1,{\mathsf{pc}}_2,{\mathsf{pc}}_3$, and ${\mathsf{pc}}_4$ denote the path costs for leaf nodes $L_1,L_2,L_3$, and $L_4$ in Figure 1, respectively:

$$\begin{array}{cc}\hfill {\mathsf{pc}}_1& ={\mathsf{ec}}_{1,0}=1-b_1,\hfill \\ \hfill {\mathsf{pc}}_2& ={\mathsf{ec}}_{1,1}+{\mathsf{ec}}_{2,0}+{\mathsf{ec}}_{3,0}=b_1+(1-b_2)+(1-b_3)=2+b_1-b_2-b_3,\hfill \\ \hfill {\mathsf{pc}}_3& ={\mathsf{ec}}_{1,1}+{\mathsf{ec}}_{2,0}+{\mathsf{ec}}_{3,1}=b_1+(1-b_2)+b_3=1+b_1-b_2+b_3,\hfill \\ \hfill {\mathsf{pc}}_4& ={\mathsf{ec}}_{1,1}+{\mathsf{ec}}_{2,1}=b_1+b_2.\hfill \end{array}$$

(2)

The comparison results $b_j$ indicate that the edge cost to the next node is 0, while the edge cost to the other node is 1. As a result, only the path leading to a specific leaf node $L_k$ has a total cost ${\mathsf{pc}}_k=0$; all other paths have non-zero costs. The classification result is returned if and only if ${\mathsf{pc}}_k=0$, meaning the output corresponds to the label stored in the leaf node $L_k$.

This can be illustrated with a concrete example (see Bob in Figure 1): Bob’s attributes are height $<170$, weight $>60$, and age $>25$, which yield comparison results $b_1=0$, $b_2=1$, and $b_3=1$, respectively. Substituting these into Equation (2), we compute the path costs as follows: ${\mathsf{pc}}_1={\mathsf{pc}}_3={\mathsf{pc}}_4=1$, and only ${\mathsf{pc}}_2=0$. Therefore, the output for Bob is $C_1$, the label held by leaf node $L_2$.

2.2. Secure Comparison Protocol

In this subsection, we describe the protocol proposed by Wang et al. [17], which securely computes the comparison of decision trees.

2.2.1. $\mu$-bit Integer Comparison [14]

Assume that Alice and Bob respectively have two $\mu$-bit integers, a and b, and consider how to compare two integers without revealing the values of a and b between Alice and Bob. Let us define the binary vectors for a and b as follows: $a^{\mathsf{b}}=[a_0,\dots ,a_{\mu -1}]$ and $b^{\mathsf{b}}=[b_0,\dots ,b_{\mu -1}]$. In addition, let us define the following two binary vectors $a_i^{\mathsf{b}}$ and $b_i^{\mathsf{b}}$$(1\le i\le \mu -1)$ where the first i-bits are the same as those in $a^{\mathsf{b}}$ and $b^{\mathsf{b}}$ while the remaining upper bits are set to zeros.

$$\begin{array}{cc}\hfill a_i^{\mathsf{b}}& =[a_0,\dots ,a_{i-1},0,\dots ,0],\hfill \\ \hfill b_i^{\mathsf{b}}& =[b_0,\dots ,b_{i-1},0,\dots ,0].\hfill \end{array}$$

(3)

To compare the two integers a and b, let us define the following $d_i$:

$$d_i=w_i+v_i,$$

(4)

where

$$\begin{array}{cc}\hfill w_i& =⟨a_i^{\mathsf{b}}-b_i^{\mathsf{b}},a_i^{\mathsf{b}}-b_i^{\mathsf{b}}⟩\ge 0,\hfill \\ \hfill v_i& =a_i-b_i+1.\hfill \end{array}$$

(5)

Here, $w_i$ is an inner product for calculating how many bits are different between $a_i^{\mathsf{b}}$ and $b_i^{\mathsf{b}}$. Therefore, $w_i=0$ implies that the first i bits of a and b are the same (i.e., $[a_0,\dots ,a_{i-1}]=[b_0,\dots ,b_{i-1}]$). Next, we look at the $(i+1)$-th bit of a and b when $w_i=0$ is satisfied. Here, $v_i=a_i-b_i+1$ could have the three values: 0, 1, or 2. If $(a_i,b_i)=(0,1)$ (i.e., $a<b$), $v_i=0$; otherwise, $v_i$ = 1 or 2. That is, if $v_i=0$, $a<b$ is satisfied under $w_i=0$; otherwise, $a\ge b$ is satisfied. Therefore, to identify whether $a<b$ is satisfied, we merely need to check if $d_i$ in Equation (4) is 0 for any position of i ($i\in \{0,1,\dots ,\mu -1\}$).

2.2.2. Packing Method

For a $\mu$-bit length integer u whose binary vector is denoted as $u^{\mathsf{b}}=[u_0,\dots ,u_{\mu -1}]$, the following packing polynomials are defined:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\mathsf{poly}}_1\left(u^{\mathsf{b}}\right)& =\sum _{i=0}^{\mu -1}{u}_i{x}^i,\hfill \\ \hfill {\mathsf{poly}}_2\left(u^{\mathsf{b}}\right)& =\sum _{d=1}^{\mu -1}\sum _{j=0}^{d-1}{u}_j{x}^{\mu d-j}.\hfill \end{array}\end{array}$$

(6)

Using this packing method, we have [17]

$$\begin{array}{c}\hfill \mathsf{poly}\left(d\right)=({\mathsf{poly}}_1\left(a^{\mathsf{b}}\right)-{\mathsf{poly}}_1\left(b^{\mathsf{b}}\right))({\mathsf{poly}}_2\left(a^{\mathsf{b}}\right)-{\mathsf{poly}}_2\left(b^{\mathsf{b}}\right)+{\mathsf{poly}}_{1\to 3})+\widetilde{\mathsf{poly}}\left(\mathbf{1}\right),\end{array}$$

(7)

where $\mathbf{1}=(1,1,\dots ,1)$ denotes the binary vector of the $\mu$-bit integer $2^{\mu }-1$, and ${\mathsf{poly}}_{1\to 3}={\sum }_{i=1}^{\mu }{x}^{(\mu -1)(i-1)}$ and $\widetilde{\mathsf{poly}}\left(\mathbf{1}\right)={\mathsf{poly}}_1\left(\mathbf{1}\right){\mathsf{poly}}_{1\to 3}$ can be computed offline in advance. The coefficient of $x^{i\mu }(i=0,\dots ,\mu -1)$ in $\mathsf{poly}\left(d\right)$ is $d_i$.

2.2.3. Secure Comparison Protocol

Wang et al. proposed three enhanced secure comparison protocols in [17]. Here, we recall the most efficient one that uses the packing method defined by Equation (6). There are three participants in this protocol. Alice and Bob who have $\mu$-bit integers a and b, respectively, compare a and b without revealing the data through a server. The server obtains the comparison result, which is the output of the protocol. The protocol is described as follows:

1.

Alice generates a secret–public key pair $(sk,pk)$ and sends $pk$ to Bob and the server.

2.

Alice and Bob compute

$${\left[\left[a\right]\right]}_i:=\mathsf{Enc}(pk,{\mathsf{poly}}_i\left(a^{\mathsf{b}}\right))$$

(8)

and

$${\left[\left[b\right]\right]}_i:=\mathsf{Enc}(pk,{\mathsf{poly}}_i\left(b^{\mathsf{b}}\right))$$

(9)

for $i=1,2,$ respectively, and send the results to the server.

3.

The server computes

$$\begin{array}{c}\hfill \left[\left[d\right]\right]:=({\left[\left[a\right]\right]}_1\ominus {\left[\left[b\right]\right]}_1)\otimes ({\left[\left[a\right]\right]}_2\ominus {\left[\left[b\right]\right]}_2\oplus {\mathsf{poly}}_{1\to 3})\oplus \widetilde{\mathsf{poly}}\left(\mathbf{1}\right).\end{array}$$

(10)

4.

The server masks $\left[\right[d\left]\right]$ in encrypted form using random polynomial $\gamma \leftarrow {\mathcal{Z}}_p$

$$\left[\left[d^{\prime }\right]\right]:=\left[\left[d\right]\right]\oplus \gamma$$

(11)

and sends $\left[\left[d^{\prime }\right]\right]$ to Alice.

5.

Alice decrypts $\left[\left[d^{\prime }\right]\right]$

$$d^{\prime }=\mathsf{Dec}(sk,\left[\left[d^{\prime }\right]\right])$$

(12)

and sends $d^{\prime }$ back to the server.

6.

The server unmasks d from $d^{\prime }$ as follows:

$$d=d^{\prime }-\gamma =\sum _{i=0}^{\mu -1}{d}_i{x}^{i\mu }+\mathsf{other}\mathsf{terms}\mathsf{of}\mathsf{degree},$$

(13)

and then verifies whether any $i\mu$-th term for $i=0,\dots ,\mu -1$ is 0. If so $a<b$; otherwise, $a\ge b$.

2.3. Ring-LWE-Based Secure Matrix Multiplication

Doung et al. proposed secure matrix multiplication [18] using the packing method proposed by Yasuda et al. [19]. For an ℓ-dimension vector $U=[u_0,u_1,\dots ,u_{\ell -1}]$, the following two polynomials are defined:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill {\mathsf{poly}}_1\left(U\right)& =\sum _{m=0}^{\ell -1}{u}_m{x}^m,\hfill \\ \hfill {\mathsf{poly}}_t\left(U\right)& =-\sum _{m=0}^{\ell -1}{u}_m{x}^{n-m}.\hfill \end{array}\end{array}$$

(14)

Note that for any two vectors $A=[a_0,a_1,\dots ,a_{\ell -1}]$ and $B=[b_0,b_1,$$\dots ,b_{\ell -1}]$, using the above packing method, we have

$$\begin{array}{c}\hfill {\mathsf{poly}}_1\left(A\right)\times {\mathsf{poly}}_t\left(B\right)=⟨A,B⟩+\mathsf{other}\mathsf{terms}\mathsf{of}\mathsf{degree},\end{array}$$

(15)

where the constant term of ${\mathsf{poly}}_1\left(A\right)\times {\mathsf{poly}}_t\left(B\right)$ provides the inner product $⟨A,B⟩$.

Let $\mathit{U}$ be a (k, ℓ) matrix and  let $U_1,\dots ,U_k$ denote the row vectors of $\mathit{U}$. For matrix $\mathit{U}$, the packing method is defined as follows:

$$\begin{array}{cc}\hfill {\mathsf{poly}}_{mat}\left(\mathit{U}\right)& ={\mathsf{poly}}_1\left(U_1\right)+\dots +{\mathsf{poly}}_1\left(U_k\right)x^{(k-1)\ell }\hfill \\ \hfill & =\sum _{i=1}^k{\mathsf{poly}}_1\left(U_i\right)x^{(i-1)\ell }.\hfill \end{array}$$

(16)

Assume that $k\ell \le n$ (n: dimension of polynomial $x^n+1$). Letting $(k,\ell )$ matrix be

$$\begin{array}{c}\hfill \mathit{A}=\left[\begin{array}{c}{A}_1\\ ⋮\\ A_k\end{array}\right]\end{array}$$

(17)

and letting B denote an ℓ-dimensional vector, we have

$${\mathsf{poly}}_{mat}\left(\mathit{A}\right)\times {\mathsf{poly}}_t\left(B\right)=\sum _{i=1}^k{\mathsf{poly}}_1\left(A_i\right)\times {\mathsf{poly}}_t\left(B\right)x^{(i-1)\ell },$$

(18)

where the coefficient of $x^{(i-1)\ell }(i=1,\dots ,k)$ is $⟨A_i,B⟩$, the inner product of vectors $A_i$ and B.

3. PPDT Classification Model

In this section, we propose a PPDT classification model that mainly consists of the following two processing parts:

(1) Path cost calculation and (2) secure integer comparison.

The basic idea of the path cost calculation comes from the Tai et al.’s decision tree classification protocol via linear function [10] where a decision tree model is treated as a plaintext under a two-party computation setting (see Section 2.1). In contrast, we extend the Tai et al.’s protocol such that not only input data but also a decision tree model can be encrypted to hide actual contents between a data provider and a model provider. To actualize this, we propose a secure three-party path cost calculation by extending the PPDT protocol proposed by Tai et al. [10] using the integer comparison protocol described in Section 2.2 that was proposed by Wang et al. [17].

3.1. Computation Model

To address the practical considerations of deploying our proposed algorithm in real-world cloud environments, we consider a scenario in which an organization that owns a decision tree classification model outsources the inference task by sending encrypted data to a cloud service provider (e.g., AWS and Google Cloud). Figure 2 illustrates the structure of our computational model, which involves three entities: the client, who possesses the feature vector to be classified; the model holder, who holds the trained decision tree; and the cloud server, which performs the encrypted computation on behalf of the model holder.

• The client encrypts the feature vectors and sends them to the model holder, who then encrypts the information needed to calculate the decision tree’s path cost and threshold.
• The client’s encrypted feature vectors are sent to the server, relaying the model holder, to conceal the information (${\lambda }_i$) about which elements of the feature vector threshold of the decision node should compare.
• On behalf of the model holder, the server performs the necessary calculation for the decision tree prediction and sends the client’s encrypted classification results.
• The client decrypts the information and obtains the classification results.

Figure 2. Our computation model.

Even if the organization does not maintain its own servers, decision tree classification with privacy preservation is possible. The concrete process of the protocol is shown in Section 3.3.

A Representative Application of Online Medical Diagnostics

Machine-learned diagnostic models developed by medical institutions represent valuable intellectual property that is central to their competitive advantage. These institutions seek to offer diagnostic services without disclosing proprietary models, and cloud-based computation provides a practical solution to scale such services while reducing local computational costs.

However, concerns related to data confidentiality and model privacy present challenges for real-world deployment. Clients demand privacy-preserving services that do not expose their sensitive health data, while cloud service providers typically prefer not to manage or store sensitive information due to increased compliance and security risks.

Therefore, enabling secure and efficient inference over encrypted data and models aligns with the interests of all stakeholders. Our approach allows computations to be carried out on encrypted inputs and models, thereby mitigating privacy concerns and reducing the operational burdens associated with sensitive data management on cloud platforms.

3.2. Computation of Path Cost by Matrix × Vector Operation

In our method, we encrypt the path costs described in Section 2.1 and send them to the server to keep decision tree model secrets and allow the server to calculate the path costs. Specifically, we transform the path cost ${\mathsf{pc}}_k=p_{k,0}+p_{k,1}{b}_1+\dots +p_{k,m}{b}_m$ for a leaf node $L_k$. Therefore, we introduce two vectors, $P_k$ and B, that can be used to calculate the path cost:

$$\begin{array}{c}\hfill {\mathsf{pc}}_k=⟨[p_{k,0},p_{k,1},\dots ,p_{k,m}],[1,b_1,\dots ,b_m]⟩=⟨P_k,B⟩.\end{array}$$

(19)

Here, B is a comparison result vector while $P_k$ is a path vector. We define path matrix $\mathit{P}$ of decision tree $\mathcal{T}$ as follows:

$$\begin{array}{c}\hfill \mathit{P}=\left[\begin{array}{c}{P}_1\\ ⋮\\ P_{m+1}\end{array}\right].\end{array}$$

(20)

Therefore, it is possible to replace the calculation of the path cost of the decision tree by $\mathit{P}\times B$. To obtain the correct multiplication result for a $(k,\ell )$ matrix and a vector of length ℓ using Equation (18), the constraint $k\ell \le n$ must be satisfied. Path matrix $\mathit{P}$ is an $(m+1,m+1)$ matrix; thus ${(m+1)}^2\le n$ must be satisfied. Therefore, we divide the unconstrained path matrix $\mathit{P}$ into several rows and compute each of them. Specifically, $\mathit{P}$ is an $(m+1,m+1)$ matrix; thus, $m^{\prime }=\lfloor n/(m+1)\rfloor$ rows can be computed. The path matrix is divided into $S=\lceil (m+1)/m^{\prime }\rceil$ matrices. When $S>(m+1)/m^{\prime }$, we add vector $I=[1,0,\dots ,0]$ for several times so that each partitioned matrix has $m^{\prime }$ rows, which hides the size of the decision tree. With the above operations, we obtain S$(m^{\prime },m+1)$ path matrices as follows:

$$\begin{array}{c}\hfill {\mathit{P}}_1=\left[\begin{array}{c}{P}_1\\ ⋮\\ P_{m^{\prime }}\end{array}\right],{\mathit{P}}_2=\left[\begin{array}{c}{P}_{m^{\prime }+1}\\ ⋮\\ P_{2m^{\prime }}\end{array}\right],\dots ,{\mathit{P}}_S=\left[\begin{array}{c}{P}_{(S-1)m^{\prime }+1}\\ ⋮\\ P_{m+1}\\ I\\ ⋮\\ I\end{array}\right].\end{array}$$

(21)

Therefore, the secure matrix × vector operation in Section 2.3 allows us to securely compute the path cost with the encrypted path matrix.

3.3. Proposed Protocol

The protocol’s detailed procedure is illustrated in Figure 3 and Algorithm 1. It comprises eight steps involving data transmission and computation. Let K represent the number of classes in the classification task $\mathcal{C}=\{C_0,C_1,\dots ,C_{K-1}\}$.

Figure 3. Flowchart of the proposed protocol, where $\left[\right[·\left]\right]$ denotes the ciphertext of “·”.

The following provides a step-by-step description of the protocol:

Step 1 (client): 

The client generates a secret–public key pair $(sk,pk)$ and sends $pk$ to the model holder and server.

Step 2 (client): 

The client encrypts each element of a feature vector by packing it using Equation (6).

$$\begin{array}{cc}\hfill {\left[\left[X_i\right]\right]}_1& =\mathsf{Enc}(pk,{\mathsf{poly}}_1\left(x_i^{\mathsf{b}}\right)),\hfill \\ \hfill \left[X_i\right]{]}_2& =\mathsf{Enc}(pk,{\mathsf{poly}}_2\left(x_i^{\mathsf{b}}\right)).\hfill \end{array}$$

(22)

For $i=1,\dots ,N$, the client sends ciphertexts to the model holder.

Step 3 (model holder): 

For $j=1,\dots ,m$, the model holder encrypts threshold $t_j$ by packing it using the Equation (6).

$$\begin{array}{cc}\hfill {\left[\left[t_j\right]\right]}_1& =\mathsf{Enc}(pk,{\mathsf{poly}}_1\left(t_j^{\mathsf{b}}\right)),\hfill \\ \hfill \left[t_j\right]{]}_2& =\mathsf{Enc}(pk,{\mathsf{poly}}_2\left(t_j^{\mathsf{b}}\right)).\hfill \end{array}$$

(23)

For $k=1,\dots ,m+1$, the model holder generates path vector $P_k$ multiplied by a random number

$$\begin{array}{c}\hfill P_k^{\prime }=r_k·P_k,\end{array}$$

(24)

and the following classification result vector is generated:

$$\begin{array}{c}\hfill V_k:=r_k^{\prime }·P_k+[\mathsf{score}\left(L_k\right),0,\dots ,0],\end{array}$$

(25)

where $\mathsf{score}\left(L_k\right)\in \mathcal{C},r_k,r_k^{\prime }\in {\mathbb{Z}}_p^{*}$. As described in Section 3.2, the model holder generates S path matrices $P_1,\dots ,P_S$ and S classification result matrices $V_1,\dots ,V_S$. Note that the path vector and classification result vector corresponding to the same path should be in the same matrix row.

For $s=1,\dots ,S$, path matrix ${\mathit{P}}_s$ and classification result matrix ${\mathit{V}}_s$ are encrypted as follows:

$$\begin{array}{cc}\hfill {\left[\left[{\mathit{P}}_s\right]\right]}_{mat}& =\mathsf{Enc}(pk,{\mathsf{poly}}_{mat}\left({\mathit{P}}_s\right)),\hfill \\ \hfill \left[{\mathit{V}}_s\right]{]}_{mat}& =\mathsf{Enc}(pk,{\mathsf{poly}}_{mat}\left({\mathit{V}}_s\right)),\hfill \end{array}$$

(26)

where Equation (16) is used to compute ${\mathsf{poly}}_{mat}$. A pair of ciphertexts of the elements of a threshold and its comparative feature vector

$$\begin{array}{c}\hfill ({\left[\left[X_{{\lambda }_j}\right]\right]}_1,{\left[\left[X_{{\lambda }_j}\right]\right]}_2),({\left[\left[t_j\right]\right]}_1,{\left[\left[t_j\right]\right]}_2),\end{array}$$

(27)

and ciphertext pairs of the path matrices and classification result matrices

$$\begin{array}{c}\hfill {\left[\left[{\mathit{P}}_s\right]\right]}_{mat},{\left[\left[{\mathit{V}}_s\right]\right]}_{mat}\end{array}$$

(28)

are sent to the server for $j=1,\dots ,m$ and $s=1,\dots ,S$, respectively.

Step 4 (server): 

The server calculates $\left[\left[d_j\right]\right]$ in Equation (10) as $a=t_j,b=X_{{\lambda }_j}$. The server masks $\left[\left[d_j\right]\right]$ in encrypted form using random polynomial ${\gamma }_j\leftarrow {\mathcal{Z}}_p$ and then sends $\left[\left[d_j^{\prime }\right]\right]$ to the client.

Step 5 (client): 

The client decrypts $\left[\left[d_j^{\prime }\right]\right]$ and obtains $d_j^{\prime }=\mathsf{Dec}(sk,\left[\left[d_j^{\prime }\right]\right])$, which is then returned to the server.

Step 6 (server): 

The server obtains $d_j$ from Equation (13) and the comparison result vector $B=[1,b_1,\dots ,b_m]$. If any of the $i\mu$-th $(i=0,\dots ,\mu -1)$ coefficients in $d_j$ is zero, then $b_j=1$; otherwise, $b_j=0$.

Step 7 (server): 

The server packs the comparison result vector B using Equation () to obtain ${\mathsf{poly}}_t\left(B\right)$. The server calculates

$$\begin{array}{cc}\hfill \left[\left[{\tilde{\mathit{P}}}_s\right]\right]& ={\left[\left[{\mathit{P}}_s^{\prime }\right]\right]}_{mat}\otimes {\mathsf{poly}}_t\left(B\right),\hfill \\ \hfill \left[{\tilde{\mathit{V}}}_s\right]]& ={\left[\left[{\mathit{V}}_s\right]\right]}_{mat}\otimes {\mathsf{poly}}_t\left(B\right)\hfill \end{array}$$

(29)

for $s=1,\dots ,S$ and sends $(\left[\left[{\tilde{\mathit{P}}}_s\right]\right],\left[\left[{\tilde{\mathit{V}}}_s\right]\right])$ to the client.

Step 8 (client): 

The client obtains the number of path matrix $S=\lceil (m+1)/m^{\prime }\rceil$ using Equation (21), where $m^{\prime }=\lfloor n/(m+1)\rfloor$. Then, for $s=1,\dots ,S$, it decrypts $\left[\left[{\tilde{\mathit{P}}}_s\right]\right]$ to obtain a polynomial with randomized non-zero coefficients for the path matrix ${\tilde{\mathit{P}}}_s$, in which coefficients of $x^{(k-1)(m+1)}$ are k-th path cost ${\mathsf{pc}}_k·r_k$ according to Equations (19) and (20). Since ${\mathsf{pc}}_k·r_k=0\iff {\mathsf{pc}}_k=0$, then it is verified whether any $(k-1)(m+1)$-th term for $k=1,\dots ,m^{\prime }$ is 0, which implies the corresponding path cost ${\mathsf{pc}}_k=0$. If so, the corresponding leaf of $\mathcal{T}$ is the classification result according to Equation (25), and the client decrypts $\left[\left[{\tilde{\mathit{V}}}_s\right]\right]$ and obtains $C_{out}$ from the coefficient of $x^{(k-1)(m+1)}$.

Algorithm 1 Efficient PPDT Inference via Homomorphic Matrix Multiplication

Input:  $X=(X_1,\dots ,X_N)$: $X_i$ denotes the i-th feature vector of data X with N features, and $\mathcal{T}=(t_1,\dots ,t_m)$: $t_j$ denotes the j-th threshold of decision tree $\mathcal{T}$ with m decision nodes. n: degree of polynomial, S: number of path matrices, $\mu$: maximum bit length of $X_i$ and $t_j$. Output:  Classification result $C_{out}$ 1: Client generates a secret–public key pair $(sk,pk)$ and sends $pk$ to the model holder and server. Client encrypts each feature vector of data X (refer to Equation (22)) 2: for $i=1$ to N do 3:    ${\left[\left[X_i\right]\right]}_1\leftarrow \mathsf{Enc}(pk,{\mathsf{poly}}_1\left(x_i^{\mathsf{b}}\right))$, ${\left[\left[X_i\right]\right]}_2\leftarrow \mathsf{Enc}(pk,{\mathsf{poly}}_2\left(x_i^{\mathsf{b}}\right)).$ 4: end for 5: return $\left[\left[X\right]\right]={\left\{({\left[\left[X_i\right]\right]}_1,{\left[\left[X_i\right]\right]}_2)\right\}}_{i=1}^N$, sends $\left[\right[X\left]\right]$ to Model holder. Model holder encrypts threshold $t_j$ (refer to Equation (23)) 6: for $j=1$ to m do 7:    ${\left[\left[t_j\right]\right]}_1\leftarrow \mathsf{Enc}(pk,{\mathsf{poly}}_1\left(t_j^{\mathsf{b}}\right))$, ${\left[\left[t_j\right]\right]}_2\leftarrow \mathsf{Enc}(pk,{\mathsf{poly}}_2\left(t_j^{\mathsf{b}}\right))$. 8: end for 9: return  $\left[\left[t\right]\right]=\{{\left[\left[t_j\right]\right]}_1,{\left[\left[t_j\right]\right]}_2\}$ Model holder generates path matrix P and classification result matrix V (refer to Equations (24) and (25)) 10: for $k=1$ to $m+1$ do 11:    generate $P_k$, select $r_k,r_k^{\prime }\in {\mathbb{Z}}_p^{*}$,    compute $P_k^{\prime }\leftarrow r_k·P_k$, $V_k:=r_k^{\prime }·P_k+[\mathsf{score}\left(L_k\right),0,\dots ,0].$ 12: end for 12: return $P,V$ is divided into S matrices $P_1,\dots ,P_S$ and $V_1,\dots ,V_S$, as shown in Equation (21). The Model Holder encrypts path matrices and classification result matrices (refer to Equations (16) and (26)) 14: for $s=1$ to S do 15:    ${\left[\left[{\mathit{P}}_s\right]\right]}_{mat}\leftarrow \mathsf{Enc}(pk,{\mathsf{poly}}_{mat}\left({\mathit{P}}_s\right))$, ${\left[\left[{\mathit{V}}_s\right]\right]}_{mat}\leftarrow \mathsf{Enc}(pk,{\mathsf{poly}}_{mat}\left({\mathit{V}}_s\right)).$ 16: end for 17: return $\left[\left[\mathit{P}\right]\right]=\left\{\left[\left[{\mathit{P}}_s\right]\right]\right\},\left[\left[\mathit{V}\right]\right]=\left\{\left[\left[{\mathit{V}}_s\right]\right]\right\}$, and sends $\left[\right[X\left]\right],\left[\right[t\left]\right],\left[\right[\mathit{P}\left]\right],\left[\right[\mathit{V}\left]\right]$ to Cloud Server. Server calculates d via one-round communication with the Client (refer to Equation (10)) 18: for $j=1$ to S do 19:    computes $\left[\left[d_j\right]\right]\leftarrow ({\left[\left[t_j\right]\right]}_1\ominus {\left[\left[X_{\lambda }\right]\right]}_1)\otimes ({\left[\left[t_j\right]\right]}_2\ominus {\left[\left[X_{\lambda }\right]\right]}_2\oplus {\mathsf{poly}}_{1\to 3})\oplus \widetilde{\mathsf{poly}}\left(\mathbf{1}\right).$ 20:    selects ${\gamma }_j\in {\mathcal{Z}}_p$, computes $\left[\left[d_j^{\prime }\right]\right]\leftarrow \left[\left[d_j\right]\right]\oplus {\gamma }_j$, and sends $\left[\left[d_j^{\prime }\right]\right]$ to Client. 21: end for 22: return $\left[\left[d^{\prime }\right]\right]=\left\{\left[\left[d_j^{\prime }\right]\right]\right\}$, and sends $\left[\left[d^{\prime }\right]\right]$ to Client. 23: Client decrypts $d^{\prime }\leftarrow \mathsf{Dec}(\left[\left[d^{\prime }\right]\right],sk)$ and sends it to Server. Server computes the comparison result vector B (refer to Equation (13)) 24: for $j=1$ to m do 25:    for $i=0$ to $\mu -1$ do 26:      let $b_j=0$ 27:      if ∃i-th coefficient in $d_j$ = 0 then 28:         $b_j\leftarrow b_j+1$ 29:      end if 30:    end for 31: end for 32: return  $B=[1,b_1,\dots ,b_m]$ Server computes encrypted path and classification result matrices (refer to Equations () and (29)) 33: for $s=1$ to S do 34:    $\left[\left[{\tilde{\mathit{P}}}_s\right]\right]\leftarrow {\left[\left[{\mathit{P}}_s^{\prime }\right]\right]}_{mat}\otimes {\mathsf{poly}}_t\left(B\right)$, $\left[\left[{\tilde{\mathit{V}}}_s\right]\right]\leftarrow {\left[\left[{\mathit{V}}_s\right]\right]}_{mat}\otimes {\mathsf{poly}}_t\left(B\right)$. 35: end for 36: return $(\left[\left[{\tilde{\mathit{P}}}_s\right]\right],\left[\left[{\tilde{\mathit{V}}}_s\right]\right])$ and sends to Client. Client decrypts and obtains the classification result (refer to Equations (19), (20) and (25)) 37: The default class is $C_{out}=\varnothing$ 38: for $s=1$ to S do 39:    ${\tilde{\mathit{P}}}_s\leftarrow \mathsf{Dec}(\left[\left[{\tilde{\mathit{P}}}_s\right]\right],sk)$ 40:    for $k=1$ to $m^{\prime }$ do 41:      if ∃($(k-1)(m+1)$-th coefficients in $P_s$ = 0) then 42:         computes ${\tilde{\mathit{V}}}_s\leftarrow \mathsf{Dec}(\left[\left[{\tilde{\mathit{V}}}_s\right]\right],sk)$. 43:         $C_{out}\leftarrow$ the coefficient of $x^{(k-1)(m+1)}$ 44:      end if 45:    end for 46: end for 47: return  $C_{out}$

3.4. Leaf Node Pruning (LNP)

In this subsection, we describe how to reduce the number of path costs to be calculated. Let the number of leaf nodes of decision tree $\mathcal{T}$ be $m+1$ and the number of classes to be classified be $K=\left|\mathcal{C}\right|$. In this case, we do not calculate the path cost for one class (e.g., $C_0$) but only the path cost for the other $K-1$ items. We compute the path cost corresponding to $K-1$ classes, and if any of them is 0, the output is the class corresponding to the path. If none of them is 0, the output is class $C_0$ corresponding to the uncalculated path. The detailed procedure is illustrated in Algorithm 3.

Algorithm 2 Efficiency-Enhanced PPDT with LNP (Algorithm 1+LNP)

Input:  $X=(X_1,\dots ,X_N)$: $X_i$ denotes the i-th feature vector of data X with N features, and $\mathcal{T}=(t_1,\dots ,t_m)$: $t_j$ denotes the j-th threshold of decision tree $\mathcal{T}$ with m nodes. n: degree of polynomial, S: number of path matrices, $\mu$: maximum bit length of $X_i$ and $t_j$ $K=\left|\mathcal{C}\right|$: number of classes $\mathcal{C}=\{C_0,C_1,\dots ,C_{K-1}\}$ Output:  Classification result $C_{out}$ 1: Given path matrix P and classification result matrix V for $\mathcal{T}$ with $m+1$ leaf nodes. Model holder prunes leaf nodes that result to the default class ⇒ this process (Lines 2–9 bellow) being inserted between Line 12 and Line 13 of Algorithm 1 2: for $i=1$ to $m+1$ do 3:    checks classification value score on leaf node $L_i$ of $\mathcal{T}$, 4:    if ($\mathsf{score}\left(L_i\right)=C_0$) then 5:      deletes $P_i$ and $V_i$ from P and V, respectively. 6:      $P\leftarrow P\setminus P_i$, $V\leftarrow V\setminus V_i$ 7:    end if 8: end for 9: return  $P,V$ 10: Given encrypted path matrix $\left[\left[{\tilde{\mathit{P}}}_s\right]\right]$ and classification result matrix $\left[\left[{\tilde{\mathit{V}}}_s\right]\right]$ (Line 36 of Algorithm 1) Client decrypts and obtains classification result (refer to Equations (19), (20) and (25)) ⇒ this process (Lines 11–21 bellow) replaces Lines 37–47 of Algorithm 1 11: Default class is $C_{out}=C_0$ 12: for $s=1$ to S do 13:    ${\tilde{\mathit{P}}}_s\leftarrow \mathsf{Dec}(\left[\left[{\tilde{\mathit{P}}}_s\right]\right],sk)$ 14:    for $k=1$ to $m^{\prime }$ do 15:      if ∃($(k-1)(m+1)$-th coefficients in $P_s$ = 0) then 16:         computes ${\tilde{\mathit{V}}}_s\leftarrow \mathsf{Dec}(\left[\left[{\tilde{\mathit{V}}}_s\right]\right],sk)$. 17:         $C_{out}\leftarrow$ the coefficient of $x^{(k-1)(m+1)}$ 18:      end if 19:    end for 20: end for 21: return  $C_{out}$

Note that the default class $C_0$ must be securely shared in advance between the client and the model holder. Assigning the majority class as the default is generally more effective. The selection of the class excluded from computation depends on the classification task, as outlined below:

Binary classification tasks 

(e.g., disease detection, abnormality detection): Only the decision path for class 1 (positive or anomalous) is evaluated. If the result is 0, class 1 is returned; otherwise, class 0 (negative or normal) is output.

Multi-class classification tasks: 

Only $K-1$ classes are evaluated. If the dataset exhibits class imbalance (e.g., ImageNet), the majority class is assigned as the default. In the absence of such imbalance (e.g., MNIST), one class is randomly selected to serve as the default (i.e., the class not evaluated).

We next use a simple example to illustrate homomorphic matrix multiplication and the leaf node pruning process based on Figure 1 to enhance clarity and aid in reader understanding.

Example 1.

Figure 1 shows a decision tree example that is for three classes $\mathcal{C}=\{C_0,C_1,C_2\}$, in which the majority class $C_0$ is assigned as the default. Feature vector $X:=(X_1,X_2,X_3)$, where $X_1$, $X_2$ and $X_3$ denote height, weight, and age, respectively. For example, client Bob, whose feature vector $X=(X_1,X_2,X_3)=(150,64,32)$, tries to use the service to inference his health status. Decision tree $\mathcal{T}$ has $m=3$ nodes with threshold $(t_1,t_2,t_3)=(170,60,25)$. In this case, the comparison result vector can be expressed as $B=(1,b_1,b_2,b_3)$.

From Figure 1, it can be easily seen that Bob’s data should be classified to leaf node $L_2$ by ${\mathsf{Path}}_2$. In the following, we show how to perform classification inference using client Bob’s data and the model holder’s decision tree model while keeping them encrypted. According to Equations (2) and (19), we have

$$\begin{array}{cc}\hfill {\mathsf{pc}}_1& =⟨P_1,B⟩=⟨[1,-1,0,0],[1,b_1,b_2,b_3]⟩,\hfill \\ \hfill {\mathsf{pc}}_2& =⟨P_2,B⟩=⟨[2,1,-1,-1],[1,b_1,b_2,b_3]⟩,\hfill \\ \hfill {\mathsf{pc}}_3& =⟨P_3,B⟩=⟨[1,1,-1,1],[1,b_1,b_2,b_3]⟩,\hfill \\ \hfill {\mathsf{pc}}_4& =⟨P_4,B⟩=⟨[0,1,1,0],[1,b_1,b_2,b_3]⟩.\hfill \end{array}$$

(30)

Therefore,

$$\begin{array}{c}\hfill \mathit{P}=\left[\begin{array}{c}{P}_1\\ P_2\\ P_3\\ P_4\end{array}\right]=\left[\begin{array}{cccc}1& -1& 0& 0\\ 2& 1& -1& -1\\ 1& 1& -1& 1\\ 0& 1& 1& 0\end{array}\right].\end{array}$$

(31)

LNP process:  Pruning the leaf nodes with class $C_0$, i.e., $L_1$ and $L_3$, while multiplying $P_k$ by a random non-zero numbers $r_k,r_k^{\prime }\in {\mathbb{Z}}_p^{*}(k=2,4)$, we obtain the path matrix

$$\begin{array}{c}\hfill {\mathit{P}}^{\prime }=\left[\begin{array}{c}{r}_2{P}_2\\ r_4{P}_4\end{array}\right]=\left[\begin{array}{c}{P}_1^{\prime }\\ P_2^{\prime }\end{array}\right]=\left[\begin{array}{cccc}2r_2& r_2& -r_2& -r_2\\ 0& r_4& r_4& 0\end{array}\right],\end{array}$$

(32)

and the corresponding classification result matrix

$$\begin{array}{c}\hfill {\mathit{V}}^{\prime }=\left[\begin{array}{c}{r}_2^{\prime }{P}_2+[C_1,0,0,0]\\ r_4^{\prime }{P}_4+[C_2,0,0,0]\end{array}\right]=\left[\begin{array}{cccc}2r_2^{\prime }+C_1& r_2^{\prime }& -r_2^{\prime }& -r_2^{\prime }\\ C_2& r_4^{\prime }& r_4^{\prime }& 0\end{array}\right].\end{array}$$

(33)

Instead of using the original matrices P and V, we only need to use the pruned matrices $P^{\prime }$ and $V^{\prime }$ for calculation, thus saving computational cost, as shown in Figure 4.

Figure 4. Image for LNP.

The following two processes are run on encrypted statuses.

Comparison on each node:  To check whether $X_i>t_i$ at node $D_i$, let μ denote the bit length of the two integers $X_i$ and $t_i$, where $i=1,2,3$. For ease of explanation, we use $X_3,t_3$ as an example, with a bit length of ${\mu }_3=6$.

• Bob encrypts each feature of his own data using Equations (6) and (9).

  $$\left[\left[X\right]\right]:={\{{\left[\left[X_i\right]\right]}_1,{\left[\left[X_i\right]\right]}_2\}}_{i=1}^3={\{\mathsf{Enc}(pk,{\mathsf{poly}}_1\left(X_i\right)),\mathsf{Enc}(pk,{\mathsf{poly}}_2\left(X_i\right))\}}_{i=1}^3,$$

  (34)

  where $X_3=32=$(100000)₂ in binary, ${\mathsf{poly}}_1\left(32\right)=1,{\mathsf{poly}}_2\left(32\right)=x^6+x^{12}+x^{18}+x^{24}+x^{30}$.
• Model holder encrypts each threshold of $\mathcal{T}$ using Equations (6) and (8).

  $$\left[\left[t\right]\right]:={\{{\left[\left[t_i\right]\right]}_1,{\left[\left[t_i\right]\right]}_2\}}_{i=1}^3={\{\mathsf{Enc}(pk,{\mathsf{poly}}_1\left(t_i\right)),\mathsf{Enc}(pk,{\mathsf{poly}}_2\left(t_i\right))\}}_{i=1}^3,$$

  (35)

  where $t_3=25=$(11001)₂ in binary, ${\mathsf{poly}}_1\left(25\right)=x+x^2+x^5,{\mathsf{poly}}_2\left(25\right)=x^{11}+x^{16}+x^{17}+x^{22}+x^{23}+x^{28}+x^{29}$.
• Server runs homomorphic operation to obtain polynomials of the comparison result and then adds a random polynomial using Equation (10) over a polynomial ring ${\mathcal{Z}}_q$, which implies $x^n=-1modq$, as follows.

  $$\begin{array}{cc}\hfill \left[\right[d\left]\right]:=& {\left\{\left[\left[d_i\right]\right]\right\}}_{i=1}^3\hfill \\ \hfill =& {\left\{\mathsf{Enc}\left(pk,({\mathsf{poly}}_1\left(t_i\right)-{\mathsf{poly}}_1\left(X_i\right))({\mathsf{poly}}_2\left(t_i\right)-{\mathsf{poly}}_2\left(X_i\right)+{\mathsf{poly}}_{1\to 3})+\widetilde{\mathsf{poly}\left(\mathbf{1}\right)}\right)\right\}}_{i=1}^3,\hfill \\ \hfill \left[d^{\prime }\right]]:=& {\left\{\left[\left[d_i+\gamma \right]\right]\right\}}_{i=1}^3,\hfill \end{array}$$

  (36)

  where $\gamma \in {\mathcal{Z}}_q$.
• Bob decrypts $\left[\left[d^{\prime }\right]\right]$ and sends $d^{\prime }$ back to the server. After removing the random polynomial γ from $d^{\prime }$, the server can obtain comparison results from $d={\left\{d_i\right\}}_{i=1}^3$ by checking whether ∃ any coefficient of $x^{(i-1)\mu }=0$. If so $X_i>t_i$, set $b_i=1$; otherwise, $b_i=0$.
  For example, $d_3=3x^6+x^{12}+4x^{18}+4x^{24}+4x^{30}+\mathsf{other}\mathsf{terms}$, which is the coefficient of $x^0=0$, so $b_3=1$. Similarly, $b_1=0,b_2=0$; therefore, $B=[1,b_1,b_2,b_3]=[1,0,0,1]$.

Classification inference:

• The server runs a multiplication homomorphic operation for Bob using vector B and the following encrypted path matrix $\left[\left[{\mathit{P}}^{\prime }\right]\right]$ and classification result matrix $\left[\left[{\mathit{V}}^{\prime }\right]\right]$ based on Equations (14), (16) and (18)

  $$\begin{array}{cc}\hfill \left[\left[{\mathit{P}}^{\prime }\right]\right]& =\mathsf{Enc}\left({\mathsf{poly}}_{mat}\left({\mathit{P}}^{\prime }\right)\right)\hfill \\ \hfill & =\mathsf{Enc}\left(2r_2+r_{2}x-r_2{x}^2-r_2{x}^3+0·x^4+r_4{x}^5+r_4{x}^6+0·x^7\right),\hfill \\ \hfill \left[{\mathit{V}}^{\prime }\right]]& =\mathsf{Enc}\left({\mathsf{poly}}_{mat}\left({\mathit{V}}^{\prime }\right)\right)\hfill \\ \hfill & =\mathsf{Enc}\left((2r_2^{\prime }+C_1)+r_2^{\prime }x-r_2^{\prime }{x}^2-r_2^{\prime }{x}^3+C_2{x}^4+r_4^{\prime }{x}^5+r_4^{\prime }{x}^6\right)\hfill \end{array}$$

  (37)

  to obtain

  $$\begin{array}{cc}\hfill & \mathsf{Enc}\left({\mathsf{poly}}_{mat}\left({\mathit{P}}^{\prime }\right)\right)\otimes {\mathsf{poly}}_t\left(B\right)\hfill \\ \hfill & =\mathsf{Enc}\left((2r_2{x}^0+r_{2}x-r_2{x}^2-r_2{x}^3+r_4{x}^5+r_4{x}^6)(1-x^{n-3}-x^{n-2})\right)\hfill \\ \hfill & =\mathsf{Enc}\left(0·x^0+r_4{x}^4+\mathsf{other}\mathsf{terms}\right)\hfill \\ \hfill & =\mathsf{Enc}\left(F_{\mathsf{path}}\left(x\right)\right),\hfill \\ \hfill & \mathsf{Enc}\left({\mathsf{poly}}_{mat}\left({\mathit{V}}^{\prime }\right)\right)\otimes {\mathsf{poly}}_t\left(B\right)\hfill \\ \hfill & =\mathsf{Enc}\left(((2r_2^{\prime }+C_1)+r_2^{\prime }x-r_2^{\prime }{x}^2-r_2^{\prime }{x}^3+C_2{x}^4+r_4^{\prime }{x}^5+r_4^{\prime }{x}^6)(1-x^{n-3}-x^{n-2})\right)\hfill \\ \hfill & =\mathsf{Enc}\left(C_1{x}^0+(r_4+C_2)x^4+\mathsf{other}\mathsf{terms}\right)\hfill \\ \hfill & =\mathsf{Enc}\left(F_{\mathsf{class}}\left(x\right)\right).\hfill \end{array}$$

  (38)
• Bob decrypts and obtains the polynomial corresponding to a $(k,\ell )$-dimension path matrix $F_{\mathsf{path}}\left(x\right)$ and then checks its coefficients of $x^{(i-1)\ell }(i=1,\dots ,k)$ terms. In this example, $k=2,\ell =4$, so whether the coefficient of $x^0$ or $x^4$ is zero is checked.
  In fact,

  $$F_{\mathsf{path}}\left(x\right)=⟨P_1^{\prime },B⟩+⟨P_2^{\prime },B⟩·x^4+\mathsf{other}\mathsf{terms},$$

  $$F_{\mathsf{class}}\left(x\right)=(⟨P_1^{\prime },B⟩+C_1)+(⟨P_2^{\prime },B⟩+C_2)·x^4+\mathsf{other}\mathsf{terms},$$

  and since $⟨P_1^{\prime },B⟩=r_2⟨P_2,B⟩,⟨P_2^{\prime },B⟩=r_4⟨P_4,B⟩$,
  • the coefficient of $x^0$ is zero $\iff {\mathsf{pc}}_{\mathsf{2}}=⟨P_2,B⟩=0$, and
  • the coefficient of $x^4$ is zero $\iff {\mathsf{pc}}_{\mathsf{4}}=⟨P_4,B⟩=0$,
  which links to leaf nodes $L_2$ and $L_4$, respectively.
  As shown in Equation (38), since the coefficient of $x^0$ in the first polynomial is zero, if and only if ${\mathsf{pc}}_{\mathsf{2}}=0$, which means X is classified to leaf node $L_2$. Then, the coefficient of $x^0$ in the second polynomial is the classification result; that is, $C_{out}=C_1$.

3.5. Complexity

The client encrypts each element of the feature vectors with two different packing methods for comparison protocols and sends them to the model holder. The model holder encrypts the threshold for each decision node for $2m$ times. In addition, the path and classification result matrices are encrypted $S=\lceil (m+1)/m^{\prime }\rceil$$(m^{\prime }=\lfloor n/(m+1)\rfloor )$ times, respectively. The model holder sends the pairs of threshold and feature vector elements and the pairs of path and classification result matrices to the server. Next, the server and client cooperate to perform the comparison protocol for m times. In this case, the client performs decryption m times. The server performs homomorphic multiplication of the path and classification result matrices $2S$ times and sends the client results. The client obtains the classification result by decrypting the received path and classification result matrices $2S$ times.

3.6. Security Analysis

For a homomorphic encryption scheme, indistinguishability under chosen-plaintext attack (IND-CPA) is the basic security requirement. The SHE scheme used in the experiments in Section 4 is proven IND-CPA secure under the Ring-LWE assumption. In our proposed approach, as the input of the homomorphic computation consists of ciphertexts, the corresponding IND-CPA-secure SHE schemes will not be weakened.

Consider the entities involved in the protocol one by one (see Figure 3) and assume that they are all honest but curious and that they do not collude with one another.

• Client. The client can decrypt the ciphertext sent from the cloud server in Steps 5 and 7 using the secret key and obtain $d^{\prime }$ related to the comparison result and the decision tree structure. However, in Step 4, the noise from the cloud server is added for randomization. Therefore, the client receives a polynomial with completely random coefficients in $d^{\prime }$. Similarly, ${\tilde{\mathit{P}}}_s$ is also a polynomial with random coefficients except zero, which leads to the classification $C_{out}\in \mathcal{C}$; that is, the coefficient corresponding to ${\tilde{\mathit{V}}}_s$. Thus, the client can obtain the classification $C_{out}$ without knowing the decision tree model $\mathcal{T}$
• Model holder. The model holder only obtains the ciphertext of data X in Step 2, and IND-CPA security guarantees the privacy and security of the data.
• Cloud server. The server honestly performs homomorphic operations for the system but is curious about the data provided by the client and the model holder. In Step 3, it receives only encrypted inputs using an SHE scheme that satisfies IND-CPA security, ensuring the confidentiality of both user data and model parameters. Even if the server obtains the comparison result vector $B=[1,b_1,\dots ,b_m]$ from d sent in Step 5, it cannot recover the original data X nor infer meaningful information about the decision tree $\mathcal{T}$ (threshold t, path matrix P, and classification result V). This is due not only to encryption but also to randomization of P using noise terms $r_k$ and $r_k^{\prime }$ in Step 3, which prevents linkage $b_i(i=1,\dots ,m)$ to specific nodes of $\mathcal{T}$.

Beyond technical guarantees, our approach also addresses ethical challenges inherent to PPML in cloud environments. Specifically, it supports secure inference while protecting sensitive user data, ensuring model confidentiality and the reducing risks of unauthorized access or data misuse. These safeguards are especially crucial in sensitive domains such as healthcare and finance, where balancing performance with privacy and intellectual property protection is key to responsible AI deployment.

4. Experiments

4.1. Experimental Setup

We implemented the proposed PPDT protocol in C++ where the BFV method [21] in SEAL 3.3 [22] was used as the encryption library. In our implementation, the two comparison protocols were adopted: Wang et al.’s efficiency-enhanced scheme (Protocol-1 in [17]) and Lu et al.’s non-interactive private comparison (XCMP) [15]. The path cost calculation in Section 3.2 was implemented.

Parameter Choice. First, to ensure that the above comparison methods can accurately decrypt the comparison results, the parameters $n,q,p$, and $\sigma$ of the two methods must respectively satisfy the following two inequality requirements. Second, they must be selected to meet the 128-bit security level. The following parameters were used to ensure that the proposed model worked accurately and had 128-bit security, which is the currently recommended security level in [23]:

• Efficiency-enhanced scheme [17]
  $n=2048,{log}_{2}q=54,p=40,961,\sigma =3.2.$
  These satisfy the following inequality: $q>8p^2{\sigma }^4{n}^2+4p\sigma n^{2/3}$.
• XCMP [15]
  $n=$ 8192, ${log}_{2}q=110,p=$ 8191, $\sigma =3.2.$
  These satisfy the following inequality: $q>p^3{\sigma }^{2}n{(\sigma n+1)}^2+2p^2\sigma n(\sigma n+1)$.

Note that $\sigma =3.2$ is the default noise standard deviation used in Microsoft SEAL. The inequalities involving $n,q,p$, and $\sigma$ ensure the correctness of the corresponding comparison schemes. To support a maximum input bit length of ℓ, we chose n to satisfy the conditions from Wang et al. [17] (i.e., ${\ell }^2<n$) and Lu et al. [15] (i.e., $\ell <{log}_{2}n$). Based on these constraints, the comparison protocols could handle 32-bit and 13-bit integers for Wang et al.’s and Lu et al.’s schemes, respectively. This implies that the efficiency-enhanced scheme [17] supports comparisons of larger integers than does XCMP [15], even with a relatively smaller n. Given the selected n, we chose q to ensure a 128-bit security level as recommended in [23] and then determined p such that it satisfied the necessary inequalities while remaining efficient to compute.

The experiments were conducted on a standard PC with the Core i7-7700K (4.20 GHz) processor using a single thread mode. We used scikit-learn, a standard open-source machine learning library in Python 3.7.2, to train the decision trees. In both the BFV method and the comparison protocol by Lu et al. [15], an input value must be represented as an integer $a\in {\mathbb{Z}}_n$. At every an appropriate number of times when the multiplication is performed, the fractional part of a value must be truncated, and it should be normalized within the range of $[0,2^{13})$.

In the performance evaluations, the computational time was measured by averaging over 10 trials for the following 8 data sets from the UCI machine learning repository [20]: Heart Disease(HD), Spambase (SP) (which were used for the benchmark in [15]), Breast Cancer Wisconsin (BC), Nursery (NS), Credit-Screening (CS), Shuttle (ST), EGG EYE State (EGG), and Bank Marketing (BK). The data set information and the parameters of the decision tree used are listed in Table 1.

Table 1. Data set information and the size of trained decision tree.

Dataset	Dataset			Model
	# Data	# Attributes  $\mathit{N}$	# Classes  $\mathit{C}$	# Nodes  $\mathit{m}$
BC	569	30	2	8
ST	43,500	9	7	24
CS	653	15	2	26
HD	720	13	5	35
NS	12,960	8	5	49
SP	4601	57	2	110
EGG	14,980	14	2	724
BK	45,211	16	2	1027

# denotes the number of data, attributes, classes, and decision nodes in the table for brevity.

4.2. Performance Comparisons

4.2.1. Path Cost Calculation

We compared the computational time to obtain the path costs under the three-party protocol when the proposed matrix multiplication in Section 3.2 and the Yasuda et al.’s homomorphic inner product calculation [19] were used. Table 2 shows the computational time for the path costs. We also show the computation time in parentheses when LNP was introduced into the proposed path cost calculation.

Table 2. Computation time for path cost calculation in two methods: matrix multiplication of Section 3.2 and the homomorphic inner product calculation of Yasuda et al. [19] that we proposed in [24]. The computation time for the matrix multiplication with the addition of LNP is provided in parentheses. The computation time for LNP was measured as an average of 10 trials for each dataset class.

Dataset Accuracy		Path Cost (ms)		Total Time (ms)
		Matrix (+LNP)	Inner Product	Matrix (+LNP)	Inner Product
BC	96.4%	0.25     (0.25)	3.04	44.19    (43.92)	63.58
ST	99.8%	0.25     (0.25)	6.74	66.85    (66.83)	117.51
CS	90.8%	0.25     (0.25)	7.47	77.57    (76.12)	134.64
HD	61.1%	0.25     (0.25)	9.73	98.82    (98.11)	174.34
NS	98.6%	0.50     (0.37)	11.72	130.87    (129.07)	235.04
SP	90.4%	1.72     (0.86)	13.13	321.89    (302.72)	490.04
EGG	69.8%	88.57   (46.20)	179.31	3425.44  (2516.35)	4442.00
BK	88.6%	247.63 (131.14)	252.87	6485.30  (4394.58)	6455.17

In calculating path costs by using the naive inner product, $m+1$ homomorphic multiplications are required. Therefore, as the number of nodes in a tree m increases, the computation time for path costs also increases. On the other hand, when calculating the path cost by matrix multiplication, for the decision tree of $m\le 35$ of Table 2, the path cost computation time was the same. The reason is that for parameter n, the entire path cost can be calculated with one matrix in the case of $m\le 35$. Therefore, for datasets other than BK, more than one path cost can be computed with one matrix. The computation time for the path cost was reduced by more than 90% compared to the inner product case. However, in the case of BK, only $\lfloor n/(m+1)\rfloor =\lfloor 2048/1028\rfloor =1$ path cost could be calculated with a single matrix multiplication. Hence, there is no difference in the computation time for matrix multiplication and inner product when $\lfloor n/(m+1)\rfloor =1$.

With LNP being applied, the path cost computation time remained unchanged for decision trees (e.g., BC, ST, CS, HD) with $m\le 35$, as all path costs could be computed within a single matrix. However, for larger trees (e.g., NS, SP, EGG, BK), LNP significantly reduced the computation time—by 26% for NS, 50% for SP, 48% for EGG, and 47% for BK. The effect correlated with the number of classes: datasets with fewer classes (SP, EGG, BK each with 2) benefited more than did NS (5 classes), as fewer classes enhance pruning efficiency. See Table 1 and Figure 5 for dataset-specific details.

Figure 5. Comparison of computation times with and without LNP across all datasets. For each dataset, the bar chart shows the path cost and total computation times, highlighting the reduction achieved by applying LNP. Datasets with fewer classes (e.g., SP, EGG, BK) showed more significant improvements due to more efficient pruning.

4.2.2. Protocol Efficiency

In this experiment, we used the XCMP of Lu et al. [15] for comparisons. We implemented two protocols and measured their computation times.

• To evaluate the efficiency of different homomorphic encryption approaches, we also integrated the XCMP scheme into the comparison component of the three-party protocol described in Section 3.3. The path cost computation was performed following the procedure outlined in Steps 6–8 of Section 3.3.
• A naive two-party protocol using XCMP by Lu et al. computed the result of two-party comparison (see Appendix B). Then, we computed the path cost under encrypt conditions by additive homomorphism.

Table 3 provides the measurement results.

Table 3. Computation time with XCMP [15] in the following scenarios: three-party with matrix multiplication and LNP; two-party with homomorphic addition of XCMP results for computing the path cost.

Dataset	Path Cost (ms)		Total Time (ms)
	Three-Party	Two-Party	Three-Party	Two-Party
BC	2.17	1577.51	302.19	1958.13
ST	2.17	11,745.70	647.51	12,724.20
CS	2.18	14,905.70	736.95	16,037.90
HD	2.18	27,041.40	961.19	28,298.90
NS	2.18	51,772.50	1321.47	54,268.10
SP	2.19	255,659.00	2996.92	263,008.00
EGG	74.01	10,947,300.00	19,432.90	11,013,300.00
BK	166.74	22,027,200.00	28,821.60	22,130,500.00

In the naive two-party protocol, the path cost calculation is performed only by homomorphic addition, so $O\left(m^2\right)$ addition is required. Therefore, the path cost calculation accounted more than 80% of the total time. In contrast, when applied to the proposed protocol, the path cost calculation time was reduced to 0.5% of the total time. As a result, the time reduction is achieved by applying XCMP to the proposed protocol on the experiments’ dataset. In particular, the reduction rate was higher for the EGG and BK datasets with a large number of decision nodes.

4.3. Time Complexity

To verify the computational complexity in Section 3.5, we measured the computation time of the proposed protocol for a decision tree constructed with the number of m decision nodes fixed between [10, 1000] using the BK dataset.

Figure 6 provides the experimental results that demonstrated that the computation time was linear with the number of decision nodes. There were several points at which there was a rapid increase in the number of times the model holder’s encryption was performed, the number of times the client was compounded, and the number of times the server’s path cost was computed. As illustrated in Section 3.5, these computation times depend on $S=\lceil (m+1)/m^{\prime }\rceil$, where $m^{\prime }=\lfloor n/(m+1)\rfloor$. Thus, as m increases, the computation time increases rapidly.

Figure 6. Computation time for decision nodes.

5. Conclusions

In this paper, we proposed a privacy-preserving decision tree prediction protocol that enables secure outsourcing using homomorphic encryption. The proposed method uses the comparison protocol proposed by Wang et al. [17] or Lu et al. [15] to encrypt both feature vectors of a data holder and decision tree parameters of a model holder, and the structure of a decision tree model is hidden against both data holder and outsourced servers by calculating the path cost using the homomorphic matrix multiplication proposed by Dung et al. [18].

Our experimental results demonstrate that the computation time for three-party protocol using XCMP [15] is drastically reduced by more than 85% compared to the naive two-party protocol without a reduction in the prediction accuracy. In addition, we compared the method using homomorphic matrix multiplication [18] with homomorphic inner product [19]. As a result, we confirmed that there were cases where the computation time was reduced by more than 90%. We also proposed a leaf node pruning (LNP) algorithm to accelerate the three-party prediction protocol. The computation time was reduced by up to 50% when the proposed LNP was applied.

However, the proposed method has certain limitations. In particular, while the comparison results at each decision node are revealed to the outsourced server, the server cannot determine which specific feature each node corresponds to. This contrasts with the protocol by Lu et al. [15], which prevents such leakage but incurs significantly higher computational costs. This highlights a fundamental trade-off between security and computational efficiency: our approach enhances scalability and performance at the cost of limited information leakage. In many practical scenarios, this trade-off may be acceptable; however, minimizing data exposure remains a critical objective. In future work, we will aim to design a more efficient protocol that preserves performance while eliminating any information leakage, thereby strengthening both privacy and practicality.