Privacy-Preserving Fusion Estimation
- Privacy-preserving fusion estimation (PPFE) is a collaborative framework that integrates data from multiple sources while enforcing diverse privacy constraints.
- It employs methods such as vertical partitioning, local differential privacy, and encryption to safeguard raw data without sacrificing estimation accuracy.
- Adaptive fusion mechanisms and optimization principles like inverse-variance weighting and covariance allocation balance utility and privacy under various threat models.
Searching arXiv for recent and foundational papers on privacy-preserving fusion estimation and adjacent formulations. Privacy-preserving fusion estimation (PPFE) denotes a family of estimation and fusion procedures in which multiple parties, sensors, sites, or models collaborate to produce a single estimate, fused state, or fused model while withholding raw private information. In the literature gathered under this heading, PPFE includes vertically partitioned distributed estimation with perturbed random projections, mixed estimators that combine public and private subgroups under heterogeneous privacy needs, multi-sensor fusion under local differential privacy, encrypted multi-party dynamic state estimation with data and model privacy, vertical federated learning for traffic state estimation, privacy-preserving multimodal pose estimation, and decentralized differentially private model fusion without retraining (Heinze-Deml et al., 2017, Ferrando et al., 2021, Yan et al., 21 Aug 2025, Ni et al., 2021, Wang et al., 2024, Dayarathna et al., 2022, Chen et al., 2023).
1. Problem classes and representational scope
PPFE is not tied to a single data geometry. One recurring setting is the vertically-partitioned design matrix, where “information about each record in the dataset is held by different data owners,” so the classical setup of a single trusted curator does not apply (Heinze-Deml et al., 2017). A second setting partitions data by privacy requirement rather than by feature ownership: public data may have , while private groups carry heterogeneous , and the task is to produce one aggregate estimate over the pooled population (Ferrando et al., 2021). A third setting is dynamic multi-sensor estimation, where a fusion center releases privatized outputs derived from correlated sensor measurements of an underlying process, and a remote estimator uses those releases to estimate the hidden state (Weng et al., 25 Feb 2026). Related formulations include distributed fusion estimation with unknown exogenous inputs, in which the privacy target is the exogenous input sequence rather than the state, and collaborative state estimation in which multiple parties estimate a common physical process while protecting both data and local observation-model parameters (Guo et al., 28 Dec 2025, Ni et al., 2021).
The same umbrella extends beyond conventional sensor fusion. In traffic state estimation, municipal authorities and mobility providers hold complementary, vertically partitioned information and jointly estimate link-level flow and density through vertical federated learning (Wang et al., 2024). In distributed semiparametric modeling, horizontally partitioned sites exchange only aggregated summaries so that component-wise gradient boosting for generalized additive mixed models yields equivalent estimates to pooled-data boosting (Schalk et al., 2022). In healthcare and mobile systems, PPFE also appears as multimodal feature fusion over depth, long-wave infrared, pressure maps, Wi-Fi RSSI, Cellular RSSI, sound, and light, where privacy concerns attach to the sensing modalities themselves as much as to the fusion protocol (Dayarathna et al., 2022, Sadhu et al., 2017). In model-as-a-service scenarios, “model fusion” is treated as a privacy-preserving fusion problem in its own right, with local differential privacy constraints and decentralized federated graph matching (Chen et al., 2023).
2. Privacy models, threat assumptions, and what is protected
The privacy semantics in PPFE are heterogeneous. One strand works with -distributed differential privacy, introduced as an extension of single-party differential privacy to the distributed, vertically partitioned case (Heinze-Deml et al., 2017). Another strand argues that centralized differential privacy is not a good fit for multi-sensor fusion estimation because it is designed for aggregate queries such as sums and averages rather than for protecting individual local state estimates, and because it assumes an architecture unlike the usual fusion-center setting; on that basis, it replaces CDP with -local differential privacy for randomized mechanisms acting on local estimates (Yan et al., 21 Aug 2025). Sequential fusion work adopts Rényi differential privacy, with per-step leakage and a trajectory-level budget constraint
so that the whole adaptive mechanism satisfies -RDP under composition (Weng et al., 25 Feb 2026).
Threat models are equally varied. Some papers assume honest-but-curious participants that follow the protocol but may try to infer private data from exchanged messages, as in vertical federated learning for traffic state estimation (Wang et al., 2024). Others assume a full eavesdropper that observes all transmissions to the fusion center and knows the system parameters, or a wiretap channel with its own packet-success probabilities (Guo et al., 28 Dec 2025, Huang et al., 17 Jul 2025). Collaborative localization distinguishes requester privacy and provider privacy: onion routing hides request paths through hierarchical Phone Masters, while perturbation and randomization obscure provider-side label distributions (Sadhu et al., 2017). Multi-party dynamic state estimation further separates data privacy from model privacy, the latter covering sensitive parameters such as and (Ni et al., 2021).
A recurring technical principle is post-processing. In the local-DP multi-sensor setting, once local state estimates satisfy LDP, fusion at the center does not weaken privacy by the post-processing lemma (Yan et al., 21 Aug 2025). The same logic is used in distributed fusion with exogenous-input protection: after the center computes a fused estimate from already DP-sanitized local estimates, broadcasting that fused estimate for feedback refinement does not consume extra privacy budget (Guo et al., 28 Dec 2025). This undercuts a common assumption that every additional fusion or refinement stage necessarily incurs a new privacy cost.
3. Fusion mechanisms and estimator architectures
One of the cleanest PPFE constructions is the mixed estimator for heterogeneous privacy groups. For the mean, each group 0 privatizes its sum 1 with Laplace noise 2 and contributes the private mean 3. The fused estimator is
4
with inverse-variance weights chosen to minimize total variance; the same estimate-first-then-fuse philosophy is extended to medians by applying the exponential mechanism independently to each subgroup and then combining the subgroup releases with the same variance-based weights (Ferrando et al., 2021). In a different vertically partitioned formulation, PriDE asks each party to communicate perturbed random projections of locally held features, yielding a scalable framework for 5-penalized supervised learning with bounded estimation error relative to the non-private, non-distributed optimum (Heinze-Deml et al., 2017).
Multi-sensor state-estimation papers typically privatize at the level of local state estimates. Under LDP with system intrinsic randomness, each sensor computes a steady-state Kalman local state estimate, and the fusion center forms the distributed fusion estimate
6
with linear minimum-variance weights derived from the local and cross-covariances; if intrinsic randomness is insufficient, Gaussian perturbation is added to each local estimate and the weights are recomputed using the perturbed covariance matrix (Yan et al., 21 Aug 2025). In exogenous-input protection, local unbiased unknown-input filters produce 7 and 8, sensors inject mutually independent Gaussian noises with block-diagonal covariance, and the fusion center uses covariance intersection on the perturbed quantities 9 and 0 (Guo et al., 28 Dec 2025). Wireless-sensor-network work replaces additive noise by an encoding-based privacy-preserving mechanism in which each sensor encodes measurements relative to a previously decoded reference packet and a growth factor 1; the legitimate user decodes and feeds a centralized fusion filter, whereas an eavesdropper that misses a critical packet loses synchronization (Huang et al., 17 Jul 2025).
Other PPFE architectures move privacy into the communication or representation layer. In encrypted multi-party dynamic state estimation, each party computes a local intermediate estimate
2
encrypts it with an additively homomorphic scheme, the cloud sums ciphertexts, and a security module decrypts only the aggregate average
3
which then synchronizes all parties’ estimates (Ni et al., 2021). In vertical federated learning for traffic state estimation, each mobility provider computes a private embedding 4 and sends only the embedding to the municipal authority, which computes the final estimate 5 from its own features and the received embeddings (Wang et al., 2024). Distributed GAMM estimation similarly avoids raw-record exchange by communicating only crossproduct matrices, response crossproducts, site-level SSE values, selected learner indices, and fitted parameter vectors, which is sufficient to reproduce pooled-data component-wise gradient boosting exactly (Schalk et al., 2022). In multimodal in-bed pose estimation, the fusion objects are intermediate HRNet features, combined by addition, concatenation, learned modal weights, or an end-to-end fully trainable approach; a conditional GAN reconstructs a visible-like modality from LWIR when raw visible images are unavailable (Dayarathna et al., 2022). In privacy-preserving model fusion, PrivFusion uses a graph-based structure, hybrid local differential privacy, decentralized federated graph matching, and a perturbation filter adapter so that models from multiple parties can be fused without retraining (Chen et al., 2023).
4. Optimization principles, utility criteria, and theoretical guarantees
A central design principle in PPFE is that privacy calibration and fusion weighting can be separated. In the mixed mean estimator, the optimal linear combination of independent unbiased subgroup estimators is obtained by inverse-variance weighting, yielding a minimum-variance unbiased estimator; the argument is explicitly contrasted with personalized differential privacy mechanisms that subsample points and thereby entangle privacy with effective sample size (Ferrando et al., 2021). This principle reappears in linear minimum-variance fusion for perturbed local state estimates and in covariance intersection for unknown inter-sensor correlations, where the privacy perturbation alters the covariance structure but not the estimator class (Yan et al., 21 Aug 2025, Guo et al., 28 Dec 2025).
Sequential PPFE introduces a different optimization geometry. The RDP-constrained fusion problem is posed as a finite-horizon constrained optimization over both the fusion policy 6 and the estimator policy 7:
8
The resulting constrained Bellman equations show that the optimal fusion policy depends on the current measurements, the remaining privacy budget, and a belief state over the latent process and private measurements; the paper emphasizes that the optimal policy allocates privacy budget in a closed loop rather than by a fixed uniform split 9 (Weng et al., 25 Feb 2026). To make the problem tractable, the fusion policy is parameterized as a structured conditional Gaussian with a closed-form RDP leakage, and the numerical method alternates between joint optimization of the filtering function and estimator and a PPO-based update of the adaptive fusion vector (Weng et al., 25 Feb 2026).
Several papers recast privacy design as a constrained covariance-allocation problem. For exogenous-input protection, the injected Gaussian covariances 0 are chosen by minimizing 1 subject to an 2-DP constraint; the original non-convex problem is relaxed to a semidefinite program with the sufficient condition 3, and the relaxation is conservative but “does not weaken privacy” because any feasible SDP solution satisfies the original privacy condition (Guo et al., 28 Dec 2025). In multi-party dynamic state estimation, stabilization and asymptotic MMSE design are both converted into convex SDPs and then implemented distributively through carefully structured two-block ADMM, so that estimator gains can be designed collaboratively without directly revealing 4 or 5 (Ni et al., 2021). In packet-dropout PPFE, boundedness of the legitimate user’s covariance is analyzed through a modified algebraic Riccati equation, and a useful sufficient condition is that the total channel capacity 6 exceeds the system’s topological entropy 7 (Huang et al., 17 Jul 2025).
A distinct theoretical endpoint appears in distributed semiparametric learning. For generalized additive mixed models fitted by component-wise gradient boosting, the distributed algorithm is explicitly claimed to be lossless: because row-wise partitioning makes pooled crossproducts decomposable into sums of sitewise crossproducts, each boosting step and therefore the entire boosting trajectory coincide with pooled-data CWB (Schalk et al., 2022). This is an important limiting case in which privacy preservation is achieved without any estimation loss beyond the communication of aggregated summaries.
5. Applications and empirical evidence
Traffic estimation is one of the most fully developed PPFE application domains in the present literature. In FedTSE, real-world validation on the pNEUMA corridor shows that privacy-preserving vertical federated learning can yield accuracy close to the oracle method without privacy protection: at 8 mobility-provider penetration, reported density RMSE values are 9 for Oracle and 0 for FedTSE, while flow RMSE values are 1 for Oracle and 2 for FedTSE (Wang et al., 2024). The communication-efficiency study reports that to reach density RMSE 3, FedTSE requires 4 communication rounds for 5, 6 for 7, and 8 for 9 (Wang et al., 2024). In the scarce-label setting, FedTSE-PI combines a Cell Transmission Model with privacy-preserving gradient computation via inner-product encryption and remains close to Oracle-PI; at 0 penetration, the reported density RMSE values are 1 for FedTSE-PI, 2 for Oracle-PI, 3 for UKF, 4 for QEST-f, and 5 for TSE-PI-p (Wang et al., 2024).
Sequential sensor fusion under RDP is validated on a traffic density estimation case study using the US Highway 101 dataset with a 400-meter road segment, sampling interval 6 s, horizon 7, and up to 8 simultaneously transmitting vehicles (Weng et al., 25 Feb 2026). The reported finding is that, for the same total privacy budget 9, adaptive privacy-aware fusion achieves lower estimation error than a classical DP mechanism with uniform budget allocation, and with 0 the adaptive policy allocates more budget in the 1–2 s interval and tracks the true traffic density more closely (Weng et al., 25 Feb 2026). In wireless multi-sensor systems with packet dropouts, simulations on an Internet-based three-tank system show that the legitimate user’s MSE is essentially unchanged across groups while the eavesdropper’s MSE diverges whenever at least one privacy channel has 3; finer quantization, implemented by smaller 4, improves the legitimate user’s MSE (Huang et al., 17 Jul 2025). In exogenous-input protection, a two-sensor 4D example reports that feedback CI refinement reduces average MSE from about 5 for the base algorithm to 6 for the feedback version, with the same 7-DP budget (Guo et al., 28 Dec 2025).
Healthcare and human-centric sensing provide a second large empirical cluster. In in-bed pose monitoring with privacy-preserving modalities, unimodal HRNet results are reported as 8 for LWIR, 9 for depth, 0 for pressure maps, and 1 for visible images, while end-to-end trainable fusion reaches average [email protected] values around 2–3; cGAN-based synthetic visible plus LWIR yields 4 total [email protected] without square bounding-box cropping (Dayarathna et al., 2022). In collaborative localization, utility-based weighted fusion of provider label distributions improves accuracy by about 5–6 relative to uniform weighting in some noisy settings, and the reported optimum for the returned top-7 labels lies roughly around 8–9 (Sadhu et al., 2017). In distributed GAMM estimation on a four-site heart-disease dataset, the distributed and pooled CWB fits have a perfect overlap of partial effects and identical empirical risk 0, compared with 1 for a pooled mgcv fit; the model stops after 2 iterations, of which 3 select shared effects and 4 site-specific effects (Schalk et al., 2022). In heterogeneous-privacy aggregate estimation, the proposed weighted estimator usually has lower variance than the personalized-DP Sample baseline in mean experiments over 5 trials, and the weighted median is competitive with or better than the 6 mechanism in RMSE over 7 trials (Ferrando et al., 2021).
6. Interpretive issues, misconceptions, and open directions
A recurrent misconception is that PPFE is simply differential privacy plus additive noise at a central server. The surveyed literature does not support that reduction. One paper explicitly states that the classical trusted-curator setup does not apply in vertically partitioned estimation (Heinze-Deml et al., 2017); another argues that centralized differential privacy is not a good fit for multi-sensor fusion estimation and replaces it with local differential privacy grounded in local state estimates and covariance-based sensitivity (Yan et al., 21 Aug 2025). Other works protect privacy through homomorphic encryption, inner-product encryption, covariance-intersection over perturbed local estimates, distributed encoding over lossy channels, or onion routing combined with perturbation and weighted collaboration (Ni et al., 2021, Wang et al., 2024, Guo et al., 28 Dec 2025, Huang et al., 17 Jul 2025, Sadhu et al., 2017). This suggests that PPFE is better understood as a design space organized by what is private, where fusion occurs, and which adversary is modeled, rather than by a single privacy formalism.
Another misconception is that privacy necessarily implies severe utility loss. Several papers report the opposite in restricted regimes. Intrinsic process and measurement randomness may already suffice for 8-LDP, in which case “no extra noise is needed” and the optimal privacy-preserving distributed fusion estimate equals the original distributed fusion estimate (Yan et al., 21 Aug 2025). Distributed GAMM estimation can be lossless in the precise sense of reproducing pooled-data boosting exactly (Schalk et al., 2022). FedTSE and FedTSE-PI are reported to achieve similar or near-oracle accuracy while protecting raw cross-silo data (Wang et al., 2024). The mixed estimator for heterogeneous privacy groups is presented as usually preferable to subsampling-based PDP baselines because it avoids discarding information and decouples per-group privatization from fusion weighting (Ferrando et al., 2021). At the same time, utility costs remain explicit in many formulations: added Gaussian noise inflates fusion error covariance, end-to-end multimodal fusion is computationally more expensive, and reconstructed visible images from LWIR do not fully match the performance of real visible images (Guo et al., 28 Dec 2025, Dayarathna et al., 2022).
Open directions are also visible in the current record. Vertical federated traffic estimation notes that stronger privacy mechanisms such as differential privacy or secure multiparty computation could be added, and that malicious or strategic data forgery is not fully addressed (Wang et al., 2024). Multi-party dynamic state estimation remarks that a more formal privacy analysis of what can be inferred from products such as 9 or 0 is future work (Ni et al., 2021). Multimodal pose monitoring points to extensions beyond two-modality fusion and better reconstruction, while privacy-preserving model fusion highlights decentralized graph matching and perturbation filtering as an emerging model-level variant of the PPFE problem (Dayarathna et al., 2022, Chen et al., 2023). The overall trajectory suggests continued convergence between privacy theory, estimation theory, and communication-constrained fusion, with application domains ranging from cyber-physical systems and intelligent transportation to healthcare sensing and model-as-a-service.