[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-72345":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":16,"forks30d":16,"starsTrendScore":16,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":29,"readmeContent":30,"aiSummary":31,"trendingCount":16,"starSnapshotCount":16,"syncStatus":17,"lastSyncTime":32,"discoverSource":33},72345,"nesa","nesaorg\u002Fnesa","nesaorg","Run AI models end-to-end encrypted.","https:\u002F\u002Fnesa.ai",null,"Python",3154,245,279,3,0,2,20,29.17,false,"main",true,[24,25,26,27,28],"ai","deep-learning","encryption","llms","privacy","2026-06-12 02:03:02","\u003Cdiv align=\"center\">\n\n\u003C!-- Logo with light mode support -->\n\u003Cpicture>\n  \u003Csource media=\"(prefers-color-scheme: light)\" srcset=\"docs\u002Fnesa-logo-light.png\">\n  \u003Cimg alt=\"Nesa Logo\" src=\"docs\u002Fnesa-logo.png\" width=\"33%\">\n\u003C\u002Fpicture>\n\u003Cbr>\n\u003Cbr>\n\u003Cp>\nNesa: Run AI models end-to-end encrypted.\n\u003C\u002Fp>\n\n\u003Ch3 style=\"margin-top: 15px; margin-bottom: 15px; display: flex; justify-content: center; align-items: center; gap: 15px;\">\n  \u003Ca href=\"https:\u002F\u002Fdiscord.gg\u002FTK89MgJDkz\" style=\"text-decoration: none;\">\n    \u003Cimg alt=\"Discord\" src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002F-Discord-7289DA?style=flat&logo=discord&logoColor=white\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fx.com\u002Fnesaorg\u002F\" style=\"text-decoration: none;\">\n    \u003Cimg alt=\"X\" src=\"https:\u002F\u002Fimg.shields.io\u002Ftwitter\u002Ffollow\u002Fnesaorg?style=social\">\n  
\u003C\u002Fa>\n\u003C\u002Fh3>\n\n\u003C!-- GitHub Repo Stats -->\n[![GitHub Repo stars](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002Fnesaorg\u002FEquivariant-Encryption-for-AI)](https:\u002F\u002Fgithub.com\u002Fnesaorg\u002FEquivariant-Encryption-for-AI\u002Fstargazers)\n[![GitHub Repo forks](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fforks\u002Fnesaorg\u002FEquivariant-Encryption-for-AI)](https:\u002F\u002Fgithub.com\u002Fnesaorg\u002FEquivariant-Encryption-for-AI\u002Fnetwork\u002Fmembers)\n[![GitHub followers](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Ffollowers\u002Fnesaorg?label=Follow)](https:\u002F\u002Fgithub.com\u002Fnesaorg)\n\u003C\u002Fdiv>\n\n\u003C!---\n---\n-->\n\nForget multi-million dollar on-prem infrastructure, get the same privacy guarantees in an API: run AI like the biggest enterprises do.\n\n## Features ##\n\n\u003Ctable border=\"0\">\n \u003Ctr>\n    \u003Ctd>\u003Cb style=\"font-size:30px\">Full Privacy\u003C\u002Fb>\u003C\u002Ftd>\n    \u003Ctd>nesa serves AI with zero visibility on underlying data and full blindness on query\u003C\u002Fb>\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n    \u003Ctd>\u003Cb style=\"font-size:30px\">Speedy \u003C\u002Ftd>\n    \u003Ctd>nesa delivers no latency on encrypted inference (\u003C0.1% original execution time)\u003C\u002Ftd>\n \u003C\u002Ftr>\n\u003Ctr>\n    \u003Ctd>\u003Cb style=\"font-size:30px\">Wide Model Coverage\u003C\u002Fb>\u003C\u002Ftd>\n    \u003Ctd>nesa supports encrypting Llama, Mistral, Stable Diffusion and thousands of models\u003C\u002Ftd>\n\n \u003C\u002Ftr>\n \u003Ctr>\n    \u003Ctd>\u003Cb style=\"font-size:30px\">Cost Savings\u003C\u002Fb>\u003C\u002Ftd>\n    \u003Ctd>nesa can deliver significant cost savings by API vs. 
on-prem AI infrastructure\u003C\u002Ftd>\n \u003C\u002Ftr>\n\u003Ctr>\n    \u003Ctd>\u003Cb style=\"font-size:30px\">ChatGPT Compatible\u003C\u002Fb>\u003C\u002Ftd>\n    \u003Ctd>nesa has a ChatGPT-compatible API for running encrypted AI with a one line change\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n    \u003Ctd>\u003Cb style=\"font-size:30px\">Quick Set-up\u003C\u002Fb>\u003C\u002Ftd>\n    \u003Ctd>nesa is one click install and go. See documentation\u003C\u002Ftd>\n \u003C\u002Ftr>\n\u003C\u002Ftable>\n\n## How Nesa Achieves Blind AI: Equivariant Encryption (EE) ##\n\nAt Nesa, privacy is a critical objective. On our path toward universal private AI, we confronted a key challenge: **how can we perform inference on neural networks without exposing the underlying input and output data to external parties, while returning requests without high latency?** Traditional approaches, such as differential privacy, ZKML or homomorphic encryption (HE), while conceptually strong, fall short in practical deployments for complex neural architectures. These methods struggle to handle non-linear operations efficiently, often imposing substantial computational overhead that makes them infeasible to integrate into real-time or large-scale systems.\n\nEquivariant Encryption (EE) is a new security technology by Nesa, similar to Homomorphic Encryption (HE) in arithmetic-based privacy-preserving structure, but executed inside unique discrete architectures designed to provide complete inference encryption without additional latency.\n\nThe result is the first portable on-prem AI infrastructure solution inside of an API. Your cloud provider cannot see your data and queries with Nesa.\n\n## Equivariant Encryption (EE) vs. 
Homomorphic Encryption (HE)\n\nA snapshot of Equivariant Encryption's properties versus homomorphic encryption:\n\n| **Feature** | **Equivariant Encryption (EE)** | **Homomorphic Encryption (HE)** |\n| --- | --- | --- |\n| Latency Overhead | Zero | Very High |\n| Non-Linear Operations | Exact | Approximation Needed  |\n| User Key Control | Direct & Custom | Schema-Defined  |\n| Cryptographic Hardness | Massive Combinatorial Complexity | Standard Hardness Assumptions |\n\n**Zero overhead:** Nesa's EE provides the same latency as plaintext inference, with no slowdowns.\n\n**100k+ factorial:** Nesa's EE has a massive combinatorial complexity, contributing to the strongest security guarantees.\n\n## Our Journey to Equivariant Encryption\n\nWe have implemented and investigated numerous methodologies that promise end-to-end data privacy. We began with deep orchestration work in **Trusted Execution Environments (TEE)** which is a hardware solution that decrypts, transforms, and re-encrypts data in secure memory. The issue with TEEs, besides cost and access, is that they still provide full back-door administrator access to your data, which for many enterprises and use cases is insufficient. **Differential privacy** seeks to obscure sensitive details by adding statistical noise, but it cannot fully prevent inference on raw data once it is processed by a model. **Homomorphic encryption**, on the other hand, is mathematically elegant: it permits computations directly on encrypted data. This is achieved through operations that are homomorphic to addition and multiplication, enabling algebraic manipulation of ciphertexts that, once decrypted, yield the correct plaintext results. Such a property is exceptionally appealing in scenarios like outsourced cloud computations, where one can perform inference off-site without revealing the sensitive inputs.\n\nHowever, standard HE schemes are tailored around arithmetic operations. 
Neural networks, especially those with layers like attention mechanisms, activation functions, or normalization steps, do not map cleanly onto ring or field operations alone. Adapting HE to these complex transformations typically incurs prohibitive computational costs, slowing inference to impractical speeds.\n\nDespite this, the conceptual promise of HE—running inference on encrypted data without decryption—prompted us to seek an alternative. We aimed to preserve the protective qualities of encrypted computation while working around the bottlenecks introduced by non-linear neural functions.\n\n## Equivariant Encryption for Neural Networks\n\nOur solution is **Equivariant Encryption (EE)**. The term **equivariance** signifies a change in representation that preserves the operational structure from the model’s perspective. In other words, we transform the input data into an encrypted domain where the neural network’s computations can be carried out as though it were processing plaintext, all while maintaining the secrecy of the underlying information.\n\n\u003Cdiv align=\"center\">\n  \u003Cimg src=\"docs\u002Fee.png\" alt=\"equivariant encryption diagram\">\n\u003C\u002Fdiv>\n\nRather than relying exclusively on arithmetic operations compatible with HE, EE integrates specialized transformations designed around the internal properties of neural networks. We exploit the known architecture, layer composition, and input-output mappings of the model to construct a system in which each step of inference operates correctly on encrypted inputs. This approach avoids expensive retraining on encrypted datasets. 
Instead, by following a set of mathematical guidelines, we can generate a new variant of the model that works with our encryption schema in a matter of seconds.\n\nFormally, given some plaintext $p$, and some ciphertext $c$, with $p$ = decrypt($c$), our EE framework ensures that decrypt(nonlinear($c$)) = nonlinear($p$), where \"nonlinear\" represents a specific set of **non-linear neural functions**. Note that our framework is general, and $p$ can represent any appropriate format of plaintext data: scalar, vector, or tensor. Currently, our framework directly supports the following set of activation and processing functions: ReLU, GeLU, SiLU, RMS Normalization, and Layer Normalization.\n\nCrucially, the complexity of inference under EE does not surpass that of the unencrypted version. Each forward pass through the network involves approximately the same computational cost. Thus, **inference latency remains unchanged**, a significant advantage compared to conventional HE-based techniques.\n\nTo illustrate this with a tangible example, consider transformer-based models like ChatGPT, Claude, or Llama. These models employ tokenizers to convert text into discrete tokens, each mapped to an integer token ID. Under EE, we implement a specialized tokenizer that produces a different, encrypted set of token IDs. The network, now adapted to EE, treats these encrypted token IDs as standard inputs. It processes them identically to how it would process normal tokens, ultimately returning encrypted output tokens that can be decrypted locally by the user. The following diagram outlines this workflow:\n\n\u003Cdiv align=\"center\">\n  \u003Cimg src=\"docs\u002Ftokenizer.png\" alt=\"tokenizer diagram\">\n\u003C\u002Fdiv>\n\nIn this setup, all data traveling over the network remains encrypted, and the transformations that produce and consume these tokens are carefully chosen to deny any straightforward method for recovering the plaintext. 
The attacker sees only encrypted tokens and a model variant designed to operate on that encrypted space, providing no direct, low-cost avenue to extract the original information.\n\n## In-Depth Comparison: HE vs. EE\n\nBelow is a more detailed breakdown of how Equivariant Encryption matches or outperforms the expectations we have from traditional Homomorphic Encryption methods:\n\n| Property | Homomorphic Encryption (HE) | Equivariant Encryption (EE) |\n| --- | --- | --- |\n| **Data Confidentiality (Server Blindness)** | The server never sees plaintext data. | The server never sees plaintext data. |\n| **End-to-end Encrypted Computation** | Operations fully on encrypted data, no intermediate decryptions. | EE models run directly on encrypted tokens, no intermediate decryptions. |\n| **User-Controlled Encryption** | Users should hold keys and control encryption\u002Fdecryption. | Only the user can map plaintext to transformed tokens. |\n| **Preservation of Accuracy** | The decrypted output should match the result of plaintext inference. | EE ensures final results are identical to plaintext inference outputs. |\n| **Support for Arbitrary Model Structures** | HE struggles with non-linearities and complex NN layers. | EE is designed for modern neural architectures and non-linearities. |\n| **Minimal Performance Overhead** | HE incurs very large computational overhead. | EE imposes no overhead; latency matches that on plaintext data. |\n| **No Approximation of Functions** | HE may require approximations of complex operations. | EE avoids approximations, preserving exact neural network functions. |\n| **Scalability to Large Models** | Handling large models under HE is impractical. | EE scales naturally with large models without any computational penalties. |\n| **Compatibility with Existing Pipelines** | HE often requires extensive pipeline modifications. | EE does a one-time transformation, then pipelines operate as normal. 
|\n| **Clear Security Model & Robustness** | HE is rooted in strong theoretical foundations. | EE provides a massively complex and secure combinatorial search space. |\n\n## Attacks on EE Security\n\nWe have tested Equivariant Encryption with various baseline attack vectors, which can be found here: https:\u002F\u002Fgithub.com\u002Fnesaorg\u002Fnesa\u002Fblob\u002Fmain\u002FAttack_Paper.pdf\n\n### LLM-as-a-Judge Attack\n\nUsing a state-of-the-art large language model such as GPT-4o to evaluate whether the output P(Oi) is a good answer to the prompt P(Ii).\n\n### Linguistic Domain Knowledge Attack\n\nUsing domain knowledge to design the loss function L, so that the loss L can capture the semantic meaning in the (decrypted) input, output and between.\n\n### Brute-force Algorithm Attack\n\nThe most naive method is brute force, trying all possible permutations P and choosing the one with the minimal loss value. This algorithm requires time complexity of N!, which is infeasible.\n\n### Random Sampling Attack\n\nRandomly sampling M permutations and choosing the one with the lowest loss value. One can also try genetic algorithms to mix and cross-over multiple tries at different permutations.\n\n### Hill-climbing Algorithm Attack\n\nStarting with an arbitrary initial permutation P. The set of moves is the set of permutations that one can reach by transposing two elements of the permutation.\n\n## Try EE for Yourself\nEquivariant Encryption (EE) isn’t just a theoretical concept—it’s fully operational and ready to explore today! We’ve provided two demo models on Hugging Face so you can see, firsthand, how EE keeps data encrypted end-to-end while preserving the model’s functionality and accuracy.\n\nAvailable Test Models:\n- **[nesaorg\u002Fdistilbert-sentiment-encrypted](https:\u002F\u002Fhuggingface.co\u002Fnesaorg\u002Fdistilbert-sentiment-encrypted)**\n  An encrypted version of DistilBert for sentiment classification. 
It demonstrates how text is encrypted before the model sees it, yet you still get accurate sentiment predictions on the decrypted output, 100% locally.\n\n- **[nesaorg\u002FLlama-3.2-1B-Instruct-Encrypted](https:\u002F\u002Fhuggingface.co\u002Fnesaorg\u002FLlama-3.2-1B-Instruct-Encrypted)**\nEncrypted version of a Llama-3.2-based model for interactive chat. This demo is half on Nesa's network, which is great for showing that only encrypted data is sent back and forth. The server doesn't have access to the tokenizer.\n\n### Local Web UI\nThe quickest way to experience EE is to use the local web UI we provide.\n\nFollow [demo\u002Freadme.md](demo\u002Freadme.md) to:\n1. Run the platform-specific start script to install dependencies.\n2. Wait for the local text-generation-WebUI to launch in your browser.\n3. Enter your prompt.\n4. Enjoy encrypted inference!\n\nUnder the hood, the text you type is turned into encrypted tokens, the model processes those tokens, and you see the final plaintext output only on your side. 
It’s a seamless experience with no extra overhead.\n\n### Manual Python Usage\n\nIf you’d like to peek under the hood, below are quick examples demonstrating how to load the models directly from Hugging Face and run basic inference.\n\n##### DistilBert\n\n```python\nimport torch\n\nfrom transformers import AutoModelForSequenceClassification, AutoTokenizer\n\n# Initialize model and tokenizer\nmodel_name = \"nesaorg\u002Fdistilbert-sentiment-encrypted\"\nmodel = AutoModelForSequenceClassification.from_pretrained(model_name)\ntokenizer = AutoTokenizer.from_pretrained(model_name)\ninputs = tokenizer(\"I feel much safer using the app now that two-factor authentication has been added\", return_tensors=\"pt\")\n\n# Run inference without tracking gradients\nwith torch.no_grad():\n    logits = model(**inputs).logits\n\n# Convert logits to per-class probabilities\nprobs = torch.nn.Softmax(dim=-1)(logits)[0].tolist()\nclass_scores = {model.config.id2label[i]: prob for i, prob in enumerate(probs)}\n\n# Sort classes by descending probability\nsorted_class_scores = dict(sorted(class_scores.items(), key=lambda item: item[1], reverse=True))\nprint(\"Class Scores:\", sorted_class_scores)\n```\n\n##### nesaorg\u002FLlama-3.2-1B-Instruct-Encrypted\nUnlike DistilBert, this model’s weights reside on Nesa’s secure server, but the tokenizer is on Hugging Face. 
You can still use the tokenizer to encode and decode text and then submit it for inference via the Nesa network!\n\n###### Load the Tokenizer\n\n```python\nfrom transformers import AutoTokenizer\n\nhf_token = \"\u003CHF TOKEN>\"  # Replace with your token\nmodel_id = \"nesaorg\u002FLlama-3.2-1B-Instruct-Encrypted\"\ntokenizer = AutoTokenizer.from_pretrained(model_id, token=hf_token, local_files_only=False)\n```\n\n###### Tokenize and Decode Text\n\n```python\ntext = \"I'm super excited to join Nesa's Equivariant Encryption initiative!\"\n\n# Encode text into token IDs\ntoken_ids = tokenizer.encode(text)\nprint(\"Token IDs:\", token_ids)\n\n# Decode token IDs back to text\ndecoded_text = tokenizer.decode(token_ids)\nprint(\"Decoded Text:\", decoded_text)\n```\n\n###### Example Output:\n\n```\nToken IDs: [128000, 1495, 1135, 2544, 6705, 284, 2219, 11659, 17098, 22968, 8707, 2544, 3539, 285, 34479]\nDecoded Text: I'm super excited to join Nesa's Equivariant Encryption initiative!\n```\n\n## The \"Hack EE\" Contest\n\n\u003Cimg width=\"1870\" alt=\"Hack_EE\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F7f3b1150-41c7-442f-bc74-5abf0685c00b\" \u002F>\n&nbsp;\n&nbsp;\n\nWe invite the community to examine and test the security claims of Equivariant Encryption. 
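As part of our commitment to transparency and continual refinement, we have organized a competition encouraging participants to probe for weaknesses and demonstrate potential exploits.\n\nFor details, please visit:\n[https:\u002F\u002Fgithub.com\u002Fnesaorg\u002FEquivariant-Encryption-for-AI\u002Fblob\u002Fmain\u002FCONTEST.md](https:\u002F\u002Fgithub.com\u002Fnesaorg\u002FEquivariant-Encryption-for-AI\u002Fblob\u002Fmain\u002FCONTEST.md)\n","Nesa is a project for running end-to-end encrypted AI models. Its core features include full privacy protection, low-latency encrypted inference, and broad support for many AI models (such as Llama, Mistral and Stable Diffusion); it is offered through an API, which can significantly reduce costs compared with on-premises deployment. The project uses Equivariant Encryption to achieve encrypted inference with almost no latency while keeping the data completely invisible. Nesa suits scenarios that need strong privacy protection but still want to use AI, such as finance, healthcare and personal information security. It also provides a ChatGPT-compatible API so that users can integrate it quickly.","2026-06-11 03:41:27","high_star"]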