Homomorphic Encrypted Federated Learning (EDIL)
- EDIL is a federated learning framework where local model updates are encrypted using homomorphic techniques before aggregation.
- The approach leverages cryptographic substrates such as CKKS and LWE along with hybrid transciphering to secure updates while managing computational costs.
- EDIL designs enhance privacy, collusion resistance, and system robustness in cross-silo and edge deployments while addressing trade-offs between encryption overhead and performance.
Homomorphic encrypted federated learning (EDIL; Editor’s term) denotes federated-learning protocols in which local model parameters, gradients, or model shards are encrypted before they leave a participant, aggregated through homomorphic operations, and revealed only to authorized decryptors. In the current literature, this design space includes centralized CKKS-based FedAvg over encrypted model parameters for neuroimaging (Stripelis et al., 2021), hybrid transciphering systems that keep the bulk payload under symmetric encryption and convert it to HE only at the server (Nguyen et al., 20 Jul 2025), quantized and pruned CKKS pipelines (Mia et al., 2024), additive or multi-key constructions for collusion resistance and Byzantine robustness (Rahulamathavan et al., 2023, Zhao, 2022), and application-specific secure-aggregation schemes such as FLASHE (Jiang et al., 2021). Across these variants, the common objective is to eliminate server-side access to plaintext client updates while preserving the optimization semantics of federated training.
1. Architectural definition and scope
Most EDIL systems instantiate a centralized federated topology in which clients hold private datasets, perform local optimization in plaintext, and transmit encrypted updates to a server that performs only ciphertext-domain aggregation. The neuroimaging framework of Stripelis and colleagues is explicitly cross-silo, centralized, with a central controller that broadcasts an encrypted global model, receives encrypted local models, performs encrypted weighted aggregation, and never decrypts any model; decryption occurs only at clients (Stripelis et al., 2021). FLHHE follows the same centralized pattern but changes the cryptographic boundary: clients encrypt local weights with a symmetric stream cipher, while the server holds HE-encrypted copies of client symmetric keys and transciphers the uploads into HE ciphertexts before aggregation (Nguyen et al., 20 Jul 2025).
What is encrypted varies by protocol family. Some systems encrypt model parameters rather than explicit gradients, so the server observes only an encrypted average of updated local weights, not itself; this is the case in the CKKS neuroimaging system and in several selective-HE designs (Stripelis et al., 2021). Other systems encrypt quantized gradients or gradient buckets, as in FLAG’s private-key LWE-based learning-with-gradients construction and QuanCrypt-FL’s CKKS pipeline with pruning and clipping (Yan et al., 2024, Mia et al., 2024). FLSSM further decomposes the encrypted state into model shards so that different edge aggregation nodes can aggregate different slices in parallel before a global node concatenates them (Li et al., 15 Apr 2025).
The dominant deployment assumption is that homomorphic encryption is used for the communication and aggregation layer, not for the full local training loop. Several papers are explicit that local SGD, forward passes, and backpropagation remain plaintext on client hardware, while only the outbound and inbound model states are encrypted (Stripelis et al., 2021, Nguyen et al., 20 Jul 2025). This suggests that contemporary EDIL practice treats HE primarily as an encrypted secure-aggregation substrate rather than as a fully encrypted optimizer.
2. Cryptographic substrates and key management
The most common substrate is CKKS, chosen because federated models are naturally real-valued. The neuroimaging framework emphasizes the CKKS features most useful for FL: approximate arithmetic, packing / SIMD, rescaling, and a shallow multiplicative depth; with PALISADE parameters targeting 128-bit security, multiplicative depth 2, scale factor bits 52, and batch size 8192, the server can perform encrypted weighted aggregation without bootstrapping (Stripelis et al., 2021). CKKS also underlies selective-HE and compression-oriented systems such as QuanCrypt-FL, which uses TenSEAL with polynomial modulus degree $16384$ and coefficient modulus for encrypted aggregation of quantized updates (Mia et al., 2024).
Not all EDIL proposals use standard public-key CKKS. FLAG replaces public-key RLWE-style HE with a private-key, LWE-based additive homomorphic scheme in which ciphertexts have the form
and the randomness of the half-dithered quantizer acts as the LWE noise. The paper’s stated benefit is that the construction avoids error expansion typical in conventional LWE-based homomorphic encryption, while remaining CPA-secure under LWE with uniform errors; it reports ciphertext expansion factors for (Yan et al., 2024). This is a distinct design point within EDIL: additive encrypted aggregation without the depth-management issues of general FHE.
Other proposals prioritize minimal functionality over generality. FLASHE discards asymmetric-key structure and multiplicative homomorphism entirely, using a symmetric PRF-based additive masking construction tailored to cross-silo FL; the stated security goal is semantic security / IND-CPA for model updates under honest-but-curious assumptions, while communication remains the same as plaintext training (Jiang et al., 2021). CHEM stays within standard BFV/CKKS semantics but changes the encoding path: tensor ciphertexts are constructed from cached encryptions of radix powers and cached encryptions of zero, with a proof that the resulting scheme remains IND-CPA if the underlying HE is IND-CPA secure (Zhao, 2022).
Key management is a major differentiator. The neuroimaging CKKS design is effectively single-key, with a public key available to encryptors and the secret key held by clients but not by the server (Stripelis et al., 2021). FLHHE introduces a trusted key dealer that generates both HE keys and per-client symmetric keys, sending HE-encrypted symmetric keys to the server for transciphering (Nguyen et al., 20 Jul 2025). By contrast, DAEQ-FL and Skefl are explicit rejections of trusted-third-party key generation: DAEQ-FL collaboratively generates keys and uses threshold secret sharing so that no one holds the global private key (Zhu et al., 2020), whereas Skefl keeps a single HE key pair but secret-shares ciphertexts among clients so that collusion between the server and compromised clients cannot reveal any local model when $2f
3. Protocol families and systems engineering
The literature now contains several recurring EDIL protocol families.
| Family | Representative systems | Characteristic design |
|---|---|---|
| Single-key encrypted FedAvg | Neuroimaging CKKS (Stripelis et al., 2021) | Clients decrypt global model; server aggregates only ciphertexts |
| Hybrid transciphering | FLHHE (Nguyen et al., 20 Jul 2025) | Clients use symmetric encryption; server converts to HE and aggregates |
| Robust or collusion-resistant HE-FL | FheFL (Rahulamathavan et al., 2023), Skefl (Zhao, 2022) | Encrypted-domain weighting or ciphertext secret sharing |
| Compression-aware HE-FL | QuanCrypt-FL (Mia et al., 2024), FAS (Korkmaz et al., 22 Jan 2025), optimized selective HE (Yang, 3 Apr 2025) | Quantization, pruning, clipping, or selective parameter encryption |
| Specialized secure aggregation | FLASHE (Jiang et al., 2021), modified ElGamal secure aggregation (Yang et al., 2023), DAEQ-FL (Zhu et al., 2020) | Additive-only or threshold designs tailored to FL |
| Infrastructure optimizations | CHEM (Zhao, 2022), FLSSM (Li et al., 15 Apr 2025), encrypted search (Zhao, 2023) | Cached ciphertext construction, hierarchical aggregation, searchable encrypted model archives |
Single-key CKKS FedAvg remains the clearest baseline. In this pattern, the controller distributes an encrypted global model, each client decrypts locally, trains for epochs, re-encrypts the updated model, and the server performs encrypted weighted FedAvg. The attraction is architectural simplicity and low multiplicative depth, but the security assumption is strong: if a client that holds the secret key colludes with the server, single-key ciphertext forwarding can reveal another client’s update. Skefl addresses exactly this point by applying Asymmetric Threshold Secret Sharing to ciphertexts generated under the same key pair, thereby preserving single-key performance while making collusion with up to clients insufficient to reconstruct another client’s local model (Zhao, 2022).
Several systems are explicitly engineered to move cost away from edge participants. FLHHE makes clients perform only symmetric encryption of local models, while the server bears the expensive transciphering path using the Rubato + RtF framework and then aggregates in CKKS (Nguyen et al., 20 Jul 2025). FLSSM instead reduces server bottlenecks by slicing models into shards and assigning different edge aggregation nodes to different shards; the global node only concatenates the partial encrypted aggregates (Li et al., 15 Apr 2025). CHEM attacks a different bottleneck—ciphertext construction—by replacing repeated calls to expensive HE encryption with homomorphic additions over a cache of radix ciphertexts and zero ciphertexts (Zhao, 2022).
A separate engineering axis is selectivity. The optimized BFV-based framework encrypts only parameters above a sensitivity threshold, leaving low-sensitivity parameters plaintext or lightly protected and adding differential privacy noise before aggregation (Yang, 3 Apr 2025). FAS simplifies the selection policy further: a fixed percentage of weights, often $16384$0 or $16384$1, is homomorphically encrypted, while the remainder receives DP noise and bitwise scrambling (Korkmaz et al., 22 Jan 2025). QuanCrypt-FL keeps all updates under CKKS but reduces payload and arithmetic cost through 8-bit quantization, unstructured pruning, and mean-based clipping (Mia et al., 2024). This suggests that contemporary EDIL design is increasingly hybrid: HE is retained as the strongest confidentiality layer, but compression, transciphering, caching, and selection determine whether the system is deployable.
4. Security properties, threat surfaces, and common misconceptions
A recurrent motivation across the literature is that plaintext model updates enable membership inference, gradient inversion, and related leakage attacks. The neuroimaging study explicitly cites prior work showing 60–80% success at inferring whether a specific MRI scan was used to train a brain-age model, and positions encrypted aggregation as a way to prevent the server from seeing local model parameters at all (Stripelis et al., 2021). FLHHE makes the same point for server-side attacks: because the server never sees plaintext gradients or weights, it cannot run DLG-style inversion on individual client updates; under the paper’s semi-honest threat model, the server’s view is restricted to symmetric ciphertexts, HE-encrypted keys, and transciphered HE ciphertexts (Nguyen et al., 20 Jul 2025).
A common misconception is that HE by itself solves all FL privacy problems. The papers are explicit that it does not. In the CKKS neuroimaging system, clients still decrypt the global model, so a malicious client could analyze the sequence of global models; metadata leakage, timing, message sizes, and implementation side channels are also left unaddressed (Stripelis et al., 2021). QuanCrypt-FL formalizes this distinction as two scenarios: in the strongest case, the adversary sees only encrypted traffic; in a more realistic case, some decrypted parameters leak through compromise or trusted decryption. Its response is to combine CKKS with pruning, quantization, and clipping so that even a leaked decrypted model is less informative; the paper cites prior work that pruning $16384$2 of gradients makes reconstructions essentially unrecognizable and reports a CIFAR-10 ResNet18 reconstruction experiment in which inversion from pruned gradients fails (Mia et al., 2024).
Another misconception is that secure aggregation and collusion resistance are equivalent. They are not. Single-key HE systems are efficient but can fail under server–client collusion; Skefl introduces ciphertext-level secret sharing to eliminate this assumption under honest majority (Zhao, 2022). FheFL uses a distributed multi-key additive HE layer and encrypted-domain non-poisoning rates to preserve privacy while down-weighting anomalous updates, with the stated assumption that at least two benign users do not collude with the server (Rahulamathavan et al., 2023). DAEQ-FL similarly avoids a trusted third party by collaborative key generation and threshold decryption, so no single entity holds the global private key even when some clients are offline (Zhu et al., 2020).
The threat model also matters for accountability. FLSSM deliberately weakens the “never decrypt” ideal by adding trusted supervise nodes and ABE-protected Shamir shares of HE secret keys, so that local encrypted models can be decrypted only when attacks are suspected (Li et al., 15 Apr 2025). This does not preserve the same trust model as purely cryptographic single-server EDIL, but it addresses a different problem—attack tracing—that pure ciphertext-only aggregation otherwise leaves unresolved.
5. Applications and reported empirical performance
The empirical record shows that EDIL is no longer confined to toy secure-aggregation demonstrations. Representative reported results are summarized below.
| Source | Setting | Reported outcome |
|---|---|---|
| (Stripelis et al., 2021) | UK Biobank brain-age prediction, 8 learners | No degradation in learning performance between encrypted and non-encrypted federated models |
| (Nguyen et al., 20 Jul 2025) | FLHHE on MNIST-style FCNN | Test accuracies identical at 65.92%, 73.15%, 54.35%, 58.43%; client symmetric encryption 0.008 s vs HE encryption 0.21 s; upload 1.048 MB vs 16.8 MB |
| (Mia et al., 2024) | QuanCrypt-FL on MNIST, CIFAR-10, CIFAR-100 | Up to 9x faster encryption, 16x faster decryption, 1.5x faster inference, and training time reduced by up to 3x |
| (Jiang et al., 2021) | FLASHE on cross-silo tasks | Training time increase $16384$3 with no communication overhead |
| (Zhao, 2022) | CHEM for encrypted local models in FL | Sub-second overhead and 67%–87% reduction in encryption cost for encoding local models |
| (Korkmaz et al., 22 Jan 2025) | FAS on medical imaging and CIFAR-10 | Up to 90% faster than applying FHE on model weights; up to 1.5x faster than FedML-HE and MaskCrypt |
| (Li et al., 15 Apr 2025) | FLSSM on CIFAR-10 and Fashion-MNIST | Parallel edge-node aggregation improves aggregation efficiency while maintaining similar test accuracy |
The neuroimaging case is significant because it is a nontrivial cross-silo medical workload: the task is brain-age prediction from structural MRI using a 2D CNN with attention and approximately 1 million parameters over UK Biobank data, and the authors report essentially identical convergence behavior for encrypted and plaintext federated training (Stripelis et al., 2021). The 2022 COVID-19 detection study makes the same point from a different application angle: a CNN trained on a medical X-ray dataset with BFV-based encrypted aggregation achieved accuracies around 0.83–0.85 across 2, 3, 5, 7 clients, close to both centralized and plaintext federated baselines, although runtime rose substantially with stronger ciphertext parameters and more clients (Wibawa et al., 2022).
Several newer papers quantify the cost-shifting strategies that now define practical EDIL engineering. FLHHE shows that when clients use only symmetric encryption and the server absorbs transciphering, client online cost drops to 2.808 s per round while the server’s online per-client cost rises to approximately 6.75 s, dominated by transciphering (Nguyen et al., 20 Jul 2025). CHEM shows that even without changing the underlying HE scheme, caching can cut the cost of model encryption in FL by 67%–87% with only sub-second cache construction overhead (Zhao, 2022). FLASHE demonstrates a more radical point: if the protocol is tailored strictly to additive secure aggregation in cross-silo FL, HE-style protection can approach plaintext training cost, with no communication overhead and at most a small training-time increase (Jiang et al., 2021).
The edge-deployment literature reinforces the deployment constraints behind these optimizations. The Jetson TX2 proof of concept reports that a MacBook M3 Pro required about 30 seconds for a local training iteration of a small CNN on CIFAR-10, whereas a Jetson TX2 required about 5 minutes for the same workload, implying that heavyweight per-parameter HE at the edge is often the wrong place to spend the computational budget (Harenčák et al., 8 Jan 2026). This suggests that hybrid designs, partial encryption, or server-side transciphering are not merely algorithmic variations but responses to concrete hardware asymmetries.
6. Limitations, contested design choices, and open directions
Despite substantial progress, several limitations recur across the literature. First, server-side cost remains a major bottleneck once client-side HE is reduced. FLHHE reports online server cost of approximately 6.75 s per client per round, compared with 0.004 s for pure HE aggregation and approximately 0.00005 s for plaintext FL aggregation; the bottleneck is transciphering, not aggregation (Nguyen et al., 20 Jul 2025). Second, many evaluation settings remain small relative to production FL: FLHHE uses 3 clients, FLAG evaluates on MNIST/LeNet-5 with $16384$4, and several selective-HE systems do not study transformers or very deep models (Nguyen et al., 20 Jul 2025, Yan et al., 2024, Korkmaz et al., 22 Jan 2025). This suggests that claims of practicality must still be interpreted relative to moderate model scales.
Second, trusted setup assumptions are still contested. HHE relies on a trusted key dealer (Nguyen et al., 20 Jul 2025). FLSSM relies on trusted supervise nodes and a trusted timestamp authority (Li et al., 15 Apr 2025). Many single-key CKKS systems assume clients holding the secret key will not collude with the server (Stripelis et al., 2021). The literature responds in multiple ways—multi-key additive HE (Rahulamathavan et al., 2023), ciphertext secret sharing (Zhao, 2022), collaborative key generation and threshold decryption (Zhu et al., 2020)—but none has yet emerged as a dominant general-purpose replacement for the simplicity of single-key aggregation.
Third, the relationship between compression and privacy remains nuanced. Quantization, pruning, clipping, and selective encryption all reduce overhead, but their privacy contribution depends on the attack model. QuanCrypt-FL argues that sparsity itself reduces inversion risk even if decrypted parameters leak (Mia et al., 2024). FAS argues that encrypting as little as 10–20% of weights plus DP noise and scrambling can empirically approach full-HE protection against reconstruction, with little marginal benefit beyond that range (Korkmaz et al., 22 Jan 2025). These findings are empirical rather than universal. A plausible implication is that future EDIL systems will increasingly expose the encryption fraction, pruning rate, and clipping threshold as first-class operating parameters rather than fixed privacy toggles.
Finally, several directions broaden EDIL beyond secure averaging. The encrypted-search work shows that a server can search over stored CKKS-encrypted model states with only a logarithmic number of network interactions, which is directly relevant to provenance, auditing, and large archives of intermediate encrypted models (Zhao, 2023). The FLSSM architecture suggests one path toward accountable HE-FL through supervised inspection and stake-based sanctions (Li et al., 15 Apr 2025). FLAG points toward post-quantum, LWE-based additive aggregation without error expansion (Yan et al., 2024). Across the surveyed work, the recurring open problems are asynchronous or semi-synchronous HE-FL, dynamic client participation and dropout, larger-scale consortia, deeper models, better packing and layer-wise selection, stronger malicious-client robustness, and tighter integration of cryptographic confidentiality with statistical privacy mechanisms such as differential privacy (Stripelis et al., 2021, Mia et al., 2024, Nguyen et al., 20 Jul 2025).
In aggregate, the literature supports a clear characterization of EDIL: it is no longer a single protocol template but a family of federated-learning systems organized around encrypted update visibility, with architectures ranging from single-key CKKS FedAvg to hybrid transciphering, collusion-resistant secret sharing, quantized and pruned CKKS, symmetric additive secure aggregation, and searchable encrypted model repositories. The central unresolved question is no longer whether encrypted FL is possible, but which combination of trust assumptions, cryptographic primitives, compression, and systems engineering yields the most appropriate privacy–efficiency–accountability trade-off for a given deployment.