Hybrid FL: Integrating HE and DP

• HE and DP Hybrid Federated Learning is a framework that combines homomorphic encryption and differential privacy to secure model updates while balancing utility and overhead.
• It employs strategies like client-side mode selection, parameter sensitivity partitioning, and round-based interleaving to dynamically allocate privacy mechanisms.
• Empirical validations in biomedical, image classification, and vertical setups demonstrate near-optimal accuracy with reduced computational and communication costs.

Homomorphic Encryption (HE) and Differential Privacy (DP) hybrid federated learning—HE and DP–Hybrid FL—refers to a class of federated learning protocols that combine homomorphic encryption and differential privacy mechanisms within a unified workflow to balance privacy guarantees, model utility, and computational/communication efficiency. These frameworks aim to address the respective trade-offs of HE (high utility, high computation/communication overhead) and DP (lower overhead, but utility loss due to noise), and flexibly allocate or interleave the protections at the client, parameter, or round level. Recent advances manifest in multi-modal, adaptive, or interleaved designs, as well as in specialized vertical and horizontal federated learning architectures.

1. System Architectures and Adversarial Models

HE–DP hybrid frameworks support various FL scenarios, including horizontal FL with decentralized non-IID data and vertical FL where multiple organizations hold feature-partitioned data. The principal actors are central servers (or aggregators), distributed clients (data owners), and sometimes dedicated decryption servers, as in two-server models (Li et al., 6 Aug 2025).

• Clients: Each client $k$ holds private data $D_k$, never leaving the device or organization.
• Server(s): Aggregate updates, orchestrate training rounds, but may be honest-but-curious.
• Key/Decryption Managers: In some frameworks (e.g., SelectiveShield), a key-distribution server holds the secret key, preventing the aggregator from decrypting collected ciphertexts (Li et al., 6 Aug 2025).

Adversarial models typically assume a semi-honest/threatening server seeking to reconstruct or infer user data from model updates, as well as potential eavesdroppers and (less frequently) non-colluding clients. Threats include membership and reconstruction attacks at both the communication and final model levels. In vertical FL, participant organizations are semi-honest and aim to protect both intermediate results (IR) and eventual model output from each other (Wang et al., 2020).

2. Core Methodological Elements

Hybrid HE–DP FL protocols operationalize one or more of the following strategies:

• Client-side mode selection: Each client may select either HE or DP mode per round based on computational resources ($\mathrm{comp}_k$) and privacy needs (e.g., DP budget $\epsilon_k$). Threshold-based policies determine when to use HE (encryption of gradients, no noise injection) versus DP (Gaussian mechanism with norm clipping on gradients and noise addition) (Negoya et al., 8 Nov 2025).
• Parameter sensitivity partitioning: Frameworks such as SelectiveShield compute the Fisher Information per parameter and negotiate encrypted/DP/noised/personalized partitions among clients. Sensitive parameters are encrypted with CKKS, personalized parameters are retained locally, and the remainder are perturbed by adaptive DP (Li et al., 6 Aug 2025).
• Round-based interleaving: Alternating rounds of HE-based and DP-based aggregation (or additional synthetic data rounds) are orchestrated, with the interleaving ratio $\rho$ governing the trade-off between privacy protection and resource consumption (Wang et al., 5 Mar 2026).

Table 1. Protection Allocation Strategies

Dimension	Example Approach	Reference
Per-client	Resource/requirement-based HE/DP selection	(Negoya et al., 8 Nov 2025)
Per-parameter	Fisher-based split: HE for sensitive, DP for rest	(Li et al., 6 Aug 2025)
Per-round	Interleaving HE and DP rounds	(Wang et al., 5 Mar 2026)

3. HE and DP Mechanisms in Hybrid FL

Homomorphic Encryption: Both CKKS (approximate, supports real vectors) (Negoya et al., 8 Nov 2025, Li et al., 6 Aug 2025, Wang et al., 5 Mar 2026) and BFV (exact, additive-only) (Sébert et al., 2022) schemes are used. HE clients encrypt gradients or selected sensitive parameters; the server sums ciphertexts homomorphically and then decrypts (either itself or via a decryption server).

• Encryption/Decryption overhead is $O(d \cdot \mathrm{EncCost})$ per vector of dimension $d$, with communication expansion typically $4\times$–$5\times$ over plaintext (Li et al., 6 Aug 2025).
• Parameter packing (e.g., $10^6$ parameters → $D_k$0 MB ciphertexts for $D_k$1 of parameters) makes selective encryption practical at scale (Li et al., 6 Aug 2025).

Differential Privacy: DP clients apply local or user-level DP via Gaussian mechanism:

• Gradients are clipped to a threshold $D_k$2, and noise $D_k$3 is added, with $D_k$4 calibrated by privacy budgets $D_k$5 (Negoya et al., 8 Nov 2025).
• In parameter-partitioned or selective protection, only the non-encrypted/noised partitions receive DP perturbation (Li et al., 6 Aug 2025).
• Advanced accounting (moments accountant, Rényi DP) is used for tight composition over multiple rounds (Sébert et al., 2022, Li et al., 6 Aug 2025).

4. Protocol Workflow Variations

• PPML-Hybrid (Negoya et al., 8 Nov 2025): In each round, clients choose HE or DP. HE clients encrypt noise-free updates, DP clients clip and perturb gradients. Server aggregates HE gradients homomorphically and DP gradients in the clear; model is updated with combined sum.
• SelectiveShield (Li et al., 6 Aug 2025): Clients estimate per-parameter Fisher information, mask sensitive parameters for encryption, privately negotiate partitioning, and perform mixed encrypted/DP/noised/personalized update protocol. Server aggregates and forwards to decryption/key server for global model update and broadcast.
• Alt-FL (Wang et al., 5 Mar 2026): Implements three methods—Privacy Interleaving (PI), Synthetic Interleaving with DP (SI/DP), and Synthetic Interleaving with HE (SI/HE). The protocol alternates rounds (or parameter subsets) under HE or DP, with interleaving ratios controlling privacy and performance.

5. Privacy and Utility Trade-offs

Hybrid schemes interpolating between HE-only and DP-only realize a tunable privacy–utility–efficiency balance:

• Privacy: DP clients/mechanisms guarantee $D_k$6-DP at the record or user level; non-colluding HE clients guarantee cryptographic secrecy if no collusion between server and decryption parties occurs (Negoya et al., 8 Nov 2025). The overall system’s formal DP guarantee is governed by the weakest (most permissive) partition (typically DP) (Negoya et al., 8 Nov 2025).
• Utility: Noise is injected only for DP-processed components or clients. Signal-to-noise ratio scales inversely with the number of DP clients or the proportion of noise-injected parameters ($D_k$7 per coordinate). Increasing the HE portion improves utility at the cost of increased computational and communication overhead (Negoya et al., 8 Nov 2025, Wang et al., 5 Mar 2026).
• Efficiency: DP-only is fastest and lowest in communication; HE-only maximizes confidentiality but is slowest (3–4× the cost per round) (Negoya et al., 8 Nov 2025). Selective encryption, mask-based parameter partitioning, or interleaving can substantially reduce overheads while preserving strong protection for the most sensitive data (Li et al., 6 Aug 2025, Wang et al., 5 Mar 2026).

Table 2. Empirical Results (from (Negoya et al., 8 Nov 2025), PPML-Hybrid, $D_k$8)

Method	$D_k$9	$\mathrm{comp}_k$0(HE frac)	MSE (↓)	FL Time (s) (↓)
HE-only	$\mathrm{comp}_k$1	1.0	0.085	120
DP-only	4, $\mathrm{comp}_k$2	0.0	0.143	35
PPML-Hybrid	4, $\mathrm{comp}_k$3	0.5	0.092	70
PPML-Hybrid	8, $\mathrm{comp}_k$4	0.5	0.110	68

Similar trends are observed in SelectiveShield, where encrypting just $\mathrm{comp}_k$5 of parameters incurs minimal overhead ($\mathrm{comp}_k$6 s per round), and model accuracy for $\mathrm{comp}_k$7 matches or exceeds full-DP methods (Li et al., 6 Aug 2025). Alt-FL shows PI and SI/HE maintain high accuracy (within $\mathrm{comp}_k$8–$\mathrm{comp}_k$9 of non-private), substantial privacy (ASR $\epsilon_k$0), and controllable communication ($\epsilon_k$1 MB vs $\epsilon_k$2 MB for DP-only) (Wang et al., 5 Mar 2026).

6. Application Domains and Empirical Validations

Hybrid HE–DP FL has been demonstrated in multiple application domains:

• Biomedical omics and spatial transcriptomics: PPML-Hybrid enables high-fidelity model training on sensitive, non-IID patient data, preserving privacy and matching HE-only accuracy at $\epsilon_k$3–$\epsilon_k$4 less compute (Negoya et al., 8 Nov 2025).
• Image classification and text (EMNIST, CIFAR-10, Fashion-MNIST): Fully homomorphic protocols with DP and Poisson quantization yield (user-level) DP and moderate accuracy degradation (e.g., $\epsilon_k$5 at $\epsilon_k$6) with an amortized $\epsilon_k$7 HE overhead (Sébert et al., 2022). SelectiveShield outperforms both MaskCrypt and DP-FedAvg at tight privacy budgets (Li et al., 6 Aug 2025).
• Vertical FL for inter-institutional GLMs: Hybrid DP–HE (HDP-VFL) provides $\epsilon_k$8-DP for all internal exchanged results and joint DP for released model weights, with accuracy within $\epsilon_k$9–$\rho$0 of the ideal VFL and $\rho$1–$\rho$2 speedup over HE (Wang et al., 2020).

7. Strengths, Limitations, and Practical Considerations

Strengths:

• Flexibility to match privacy, utility, and efficiency requirements by configuring client policy, parameter partitioning, or scheduling (Negoya et al., 8 Nov 2025, Li et al., 6 Aug 2025, Wang et al., 5 Mar 2026).
• Empirical results confirm mild to negligible accuracy loss versus non-private or HE-only baselines, with significant reduction in time and bandwidth (Negoya et al., 8 Nov 2025, Wang et al., 2020).
• Multi-level privacy: HE protects confidentiality from server/eavesdropper, DP protects against both intermediate and model-level attacks, including from clients and white-box/black-box queries (Sébert et al., 2022, Wang et al., 2020).

Limitations:

• Mask-based and parameter-sensitivity approaches may expose coarse information about local data distribution or customization (Li et al., 6 Aug 2025).
• Protocols with additional servers (e.g., two-server KDS/aggregation) introduce new trusted parties and potentially single points of failure (Li et al., 6 Aug 2025).
• The aggregated privacy depends on the weakest link, i.e., the least private clients or parameters (Negoya et al., 8 Nov 2025).
• Scalability of HE encryption may still present issues in extremely large models or client pools, though partitioning mitigates this (Li et al., 6 Aug 2025, Wang et al., 5 Mar 2026).

Practical Guidelines:

• For high privacy and accuracy needs, round-based interleaving or sensitivity-driven partitioning are preferred (Wang et al., 5 Mar 2026, Li et al., 6 Aug 2025).
• DP-only suffices for minimal communication/compute budgets at relaxed privacy requirements (Negoya et al., 8 Nov 2025, Wang et al., 5 Mar 2026).
• Parameter or resource thresholds and mask negotiation can be tuned to application and system constraints, or even adapted dynamically (Li et al., 6 Aug 2025, Negoya et al., 8 Nov 2025).

• "A Privacy-Preserving Federated Learning Method with Homomorphic Encryption in Omics Data" (Negoya et al., 8 Nov 2025)
• "Protecting Data from all Parties: Combining FHE and DP in Federated Learning" (Sébert et al., 2022)
• "Hybrid Differentially Private Federated Learning on Vertically Partitioned Data" (Wang et al., 2020)
• "SelectiveShield: Lightweight Hybrid Defense Against Gradient Leakage in Federated Learning" (Li et al., 6 Aug 2025)
• "Balancing Privacy-Quality-Efficiency in Federated Learning through Round-Based Interleaving of Protection Techniques" (Wang et al., 5 Mar 2026)