Homomorphic Encryption (HE) for Vertical Federated Learning (VFL) is a cryptographic technique that enables mathematical operations to be performed directly on encrypted data. In VFL, where different parties hold different features for the same entities, HE allows a feature owner to encrypt its intermediate outputs or gradients before sending them to the label owner. The label owner can then perform necessary computations, like aggregation or backpropagation, on this ciphertext without decrypting it, preventing exposure of the raw feature data.
Glossary
Homomorphic Encryption for VFL

What is Homomorphic Encryption for VFL?
Homomorphic encryption for VFL is the application of encryption schemes that allow computations to be performed on ciphertext, enabling parties in a vertical FL system to train on encrypted intermediate results or gradients.
This approach provides a strong layer of mathematical privacy by ensuring the computational server never accesses plaintext data. However, it introduces significant computation overhead and communication overhead due to the complexity of homomorphic operations and the increased size of ciphertexts. It is often combined with other secure multi-party computation (MPC) protocols within a vertical training protocol to balance privacy guarantees with practical performance for production VFL systems.
Core Characteristics of Homomorphic Encryption for VFL
Homomorphic Encryption (HE) enables computations on encrypted data, a foundational capability for privacy-preserving Vertical Federated Learning (VFL). These characteristics define its application, performance, and security guarantees within VFL systems.
Computational Homomorphism
Computational homomorphism is the defining property of an encryption scheme that allows specific algebraic operations (e.g., addition, multiplication) to be performed directly on ciphertexts. The result, when decrypted, matches the outcome of performing the same operations on the original plaintexts. In VFL, this enables the label owner to perform critical calculations—like aggregating encrypted intermediate outputs from feature owners or computing loss gradients—without ever decrypting sensitive data. Schemes are categorized by their supported operations:
- Partially Homomorphic Encryption (PHE): Supports only one operation (e.g., addition or multiplication) indefinitely.
- Somewhat Homomorphic Encryption (SHE): Supports both addition and multiplication but for a limited number of operations (limited "circuit depth").
- Fully Homomorphic Encryption (FHE): Supports both operations an unlimited number of times, enabling arbitrary computations.
Ciphertext Expansion & Communication Overhead
Ciphertext expansion refers to the significant increase in data size when plaintext is encrypted using HE schemes. A single floating-point number (plaintext) can become a ciphertext composed of thousands or millions of bits. This directly translates to vertical communication overhead, a major bottleneck in VFL. Transmitting encrypted intermediate outputs and gradients between parties consumes substantially more bandwidth compared to using plaintext or lightweight secure aggregation. The overhead is influenced by:
- Encryption parameters (e.g., polynomial degree, modulus size) which trade off security for size.
- The HE scheme used (FHE typically has larger expansion than PHE).
- Batching techniques, which pack multiple plaintext values into a single ciphertext to amortize costs, are essential for practical VFL.
Computational Intensity & Latency
Homomorphic operations are orders of magnitude slower than their plaintext equivalents. This creates vertical computation overhead for all parties in the VFL pipeline. The label owner, which performs homomorphic operations on aggregated ciphertexts, bears the heaviest load. Key computational costs include:
- Encryption/Decryption: Converting data to/from ciphertext.
- Homomorphic Evaluation: Performing addition or multiplication on ciphertexts, which involves complex polynomial arithmetic.
- Noise Management: In FHE, each multiplication increases "noise" in the ciphertext; bootstrapping—a computationally intensive procedure—is periodically required to reset the noise, allowing further computations. This latency impacts training round time and overall system feasibility, often requiring specialized hardware acceleration.
Security Semantics and Threat Models
HE provides strong, cryptographically proven security under specific threat models, typically formalized as semantic security. This means ciphertexts reveal no information about the plaintext, even to a computationally unbounded adversary, except its length. For VFL, this directly protects the feature owners' raw data and the label owner's model gradients. The security level is parameterized by a security parameter (e.g., 128-bit security). It's crucial to distinguish HE's guarantees:
- Data Confidentiality: HE protects data at rest (as ciphertext) and in process (during computation).
- Complementary to Other Techniques: HE does not inherently provide differential privacy (which limits inference from the model output) or protect against all protocol-level leaks (e.g., from the magnitude of updates). It is often combined with these techniques for a layered defense.
Arithmetic vs. Boolean Circuit Support
HE schemes operate over different algebraic structures, determining the type of computations they can natively support. This dictates how VFL algorithms must be designed and implemented.
- Arithmetic Circuit Schemes (e.g., BFV, CKKS): Operate natively on integers or fixed-point/approximate numbers. They efficiently support addition and multiplication, making them suitable for the linear algebra operations (matrix multiplications, additions) that dominate neural network training in VFL. CKKS is particularly popular for VFL as it supports approximate arithmetic on real numbers.
- Boolean Circuit Schemes (e.g., BGV, TFHE): Operate on binary bits. They can perform logical gates (AND, XOR, NOT) homomorphically. While they can emulate arithmetic, it is less efficient. They are more suited for non-linear comparison operations (e.g., secure evaluation of a ReLU activation function) which may be required in certain VFL architectures.
Integration with Split Neural Networks
In VFL, HE is not applied to the entire training process but is strategically integrated into the split neural network architecture. The primary use case is securing the transmission across the cut layer. Common integration patterns include:
- Encrypting Intermediate Outputs: The feature owner encrypts its local intermediate output before sending it to the label owner. The label owner then performs homomorphic operations (e.g., multiplying by its model weights) on this ciphertext.
- Encrypting Gradients: During vertical backpropagation, the label owner may encrypt gradient messages sent back to feature owners for local model updates.
- Hybrid Cryptographic Protocols: HE is often used in conjunction with Multi-Party Computation (MPC) or Secure Aggregation protocols. For example, HE can be used for the heavy computation of a global sum, while lighter-weight MPC handles secure comparisons or non-linearities, optimizing the overall system performance.
How Homomorphic Encryption Works in a VFL Training Round
Homomorphic encryption (HE) is a cryptographic technique that enables computations to be performed directly on encrypted data. In a Vertical Federated Learning (VFL) training round, HE allows feature owners to encrypt their intermediate outputs, enabling the label owner to compute gradients and continue training without ever decrypting the sensitive data.
During vertical forward propagation, each feature owner computes its local model segment on its raw features. Instead of sending the plaintext intermediate output to the label owner, it encrypts this value using a homomorphic encryption scheme. The label owner receives this ciphertext and, due to the homomorphic properties, can perform the necessary mathematical operations (e.g., addition, multiplication) for the next network layer or loss calculation without decrypting it. This ensures the feature data remains confidential throughout the computation.
For vertical backpropagation, the label owner computes encrypted gradients based on the loss and propagates them back to the feature owners. Using homomorphic operations, these encrypted gradients are used to update the encrypted model parameters held by each party. A final, coordinated secure decryption step—often requiring collaboration among parties—yields the updated plaintext model. This process prevents any single party from accessing another's raw features or intermediate results, providing a strong cryptographic privacy guarantee for the VFL workflow.
Homomorphic Encryption vs. Other VFL Privacy Techniques
A comparison of core privacy-preserving techniques used to secure intermediate data exchanges in Vertical Federated Learning (VFL).
| Feature / Metric | Homomorphic Encryption (HE) | Secure Multi-Party Computation (MPC) | Differential Privacy (DP) |
|---|---|---|---|
Core Privacy Guarantee | Computational security via encryption | Information-theoretic or computational security via secret sharing | Statistical privacy via noise addition |
Data Leakage Prevention | Prevents exposure of plaintext intermediate values and gradients | Prevents exposure of individual private inputs during joint computation | Prevents inference about individual records in the training dataset |
Primary Use Case in VFL | Secure computation on encrypted intermediate outputs/gradients | Secure entity alignment (PSI) and joint gradient computation | Adding noise to final model updates or shared outputs |
Computational Overhead | High (complex cryptographic operations) | Moderate to High (depends on protocol and number of parties) | Low (primarily noise generation and addition) |
Communication Overhead | Low to Moderate (encrypted values are transmitted) | High (multiple rounds of communication between parties) | Low (noise parameters or noisy aggregates are shared) |
Supports Complex Non-Linear Operations | Limited (e.g., addition, multiplication; non-linear via approximations) | Yes (any computable function, but with high cost) | Yes (applied post-computation, so no inherent limitation) |
Formal Privacy Proof | Yes (based on cryptographic hardness assumptions) | Yes (based on simulation-based security definitions) | Yes (based on epsilon-delta (ε,δ) guarantees) |
Typical Threat Model | Semi-honest (honest-but-curious) adversaries | Semi-honest or Malicious (with additional protocols) | Curious aggregator or data analyst |
Frequently Asked Questions
Homomorphic encryption (HE) is a foundational cryptographic technology for privacy-preserving Vertical Federated Learning (VFL), enabling computations on encrypted data. This FAQ addresses its core mechanisms, trade-offs, and role in secure multi-party machine learning.
Homomorphic encryption (HE) is a form of encryption that allows specific types of computations to be performed directly on ciphertext, producing an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext. In Vertical Federated Learning (VFL), HE is applied to protect intermediate outputs or gradients exchanged between parties during training. For example, a feature owner can encrypt the output of its local model segment (the activations from the cut layer) and send it to the label owner. The label owner can then perform operations like addition or multiplication on this encrypted data alongside other encrypted inputs to compute loss and gradients, all without ever decrypting the sensitive intermediate values. This creates a privacy-preserving training loop where the raw feature data and the labels never leave their respective owners in plaintext.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Homomorphic Encryption (HE) is a cornerstone of privacy-preserving computation in Vertical Federated Learning (VFL). These related concepts form the cryptographic and architectural toolkit for secure, collaborative model training on vertically partitioned data.
Functional Encryption
Functional Encryption (FE) is an advanced cryptographic scheme where decrypting a ciphertext yields the result of a specific function on the underlying plaintext, rather than the plaintext itself.
- Core Mechanism: A secret key is tied to a specific function
f. Decryption with this key reveals onlyf(data), not the originaldata. - VFL Application: Potentially allows a feature owner to send encrypted data to the label owner, who can then compute a specific gradient function on it using a functional key, learning only the gradient result.
- Advantage over HE: Can provide more granular control over what information is revealed by the computation.
Gradient Encryption
Gradient Encryption is the specific application of cryptographic techniques (often HE or MPC) to protect the model gradients exchanged during VFL training.
- Purpose: Prevents the label owner from inferring raw feature values from the gradients sent by feature owners.
- Common Scheme: Feature owners encrypt their local gradient contributions using an additive HE scheme (like Paillier). The label owner aggregates these encrypted gradients, and the resulting ciphertext is decrypted (often via threshold decryption) to obtain the global gradient update.
- Critical for VFL: A primary defense against model inversion and membership inference attacks in the vertical setting.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us