Inferensys

Glossary

Homomorphic Encryption for VFL

Homomorphic encryption for VFL is a cryptographic technique that allows computations to be performed directly on encrypted intermediate results or gradients in vertical federated learning, enabling collaborative model training without exposing raw feature data.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
PRIVACY-PRESERVING MACHINE LEARNING

What is Homomorphic Encryption for VFL?

Homomorphic encryption for VFL is the application of encryption schemes that allow computations to be performed on ciphertext, enabling parties in a vertical FL system to train on encrypted intermediate results or gradients.

Homomorphic Encryption (HE) for Vertical Federated Learning (VFL) is a cryptographic technique that enables mathematical operations to be performed directly on encrypted data. In VFL, where different parties hold different features for the same entities, HE allows a feature owner to encrypt its intermediate outputs or gradients before sending them to the label owner. The label owner can then perform necessary computations, like aggregation or backpropagation, on this ciphertext without decrypting it, preventing exposure of the raw feature data.

This approach provides a strong layer of mathematical privacy by ensuring the computational server never accesses plaintext data. However, it introduces significant computation overhead and communication overhead due to the complexity of homomorphic operations and the increased size of ciphertexts. It is often combined with other secure multi-party computation (MPC) protocols within a vertical training protocol to balance privacy guarantees with practical performance for production VFL systems.

CRYPTOGRAPHIC PRIMITIVES

Core Characteristics of Homomorphic Encryption for VFL

Homomorphic Encryption (HE) enables computations on encrypted data, a foundational capability for privacy-preserving Vertical Federated Learning (VFL). These characteristics define its application, performance, and security guarantees within VFL systems.

01

Computational Homomorphism

Computational homomorphism is the defining property of an encryption scheme that allows specific algebraic operations (e.g., addition, multiplication) to be performed directly on ciphertexts. The result, when decrypted, matches the outcome of performing the same operations on the original plaintexts. In VFL, this enables the label owner to perform critical calculations—like aggregating encrypted intermediate outputs from feature owners or computing loss gradients—without ever decrypting sensitive data. Schemes are categorized by their supported operations:

  • Partially Homomorphic Encryption (PHE): Supports only one operation (e.g., addition or multiplication) indefinitely.
  • Somewhat Homomorphic Encryption (SHE): Supports both addition and multiplication but for a limited number of operations (limited "circuit depth").
  • Fully Homomorphic Encryption (FHE): Supports both operations an unlimited number of times, enabling arbitrary computations.
02

Ciphertext Expansion & Communication Overhead

Ciphertext expansion refers to the significant increase in data size when plaintext is encrypted using HE schemes. A single floating-point number (plaintext) can become a ciphertext composed of thousands or millions of bits. This directly translates to vertical communication overhead, a major bottleneck in VFL. Transmitting encrypted intermediate outputs and gradients between parties consumes substantially more bandwidth compared to using plaintext or lightweight secure aggregation. The overhead is influenced by:

  • Encryption parameters (e.g., polynomial degree, modulus size) which trade off security for size.
  • The HE scheme used (FHE typically has larger expansion than PHE).
  • Batching techniques, which pack multiple plaintext values into a single ciphertext to amortize costs, are essential for practical VFL.
03

Computational Intensity & Latency

Homomorphic operations are orders of magnitude slower than their plaintext equivalents. This creates vertical computation overhead for all parties in the VFL pipeline. The label owner, which performs homomorphic operations on aggregated ciphertexts, bears the heaviest load. Key computational costs include:

  • Encryption/Decryption: Converting data to/from ciphertext.
  • Homomorphic Evaluation: Performing addition or multiplication on ciphertexts, which involves complex polynomial arithmetic.
  • Noise Management: In FHE, each multiplication increases "noise" in the ciphertext; bootstrapping—a computationally intensive procedure—is periodically required to reset the noise, allowing further computations. This latency impacts training round time and overall system feasibility, often requiring specialized hardware acceleration.
04

Security Semantics and Threat Models

HE provides strong, cryptographically proven security under specific threat models, typically formalized as semantic security. This means ciphertexts reveal no information about the plaintext, even to a computationally unbounded adversary, except its length. For VFL, this directly protects the feature owners' raw data and the label owner's model gradients. The security level is parameterized by a security parameter (e.g., 128-bit security). It's crucial to distinguish HE's guarantees:

  • Data Confidentiality: HE protects data at rest (as ciphertext) and in process (during computation).
  • Complementary to Other Techniques: HE does not inherently provide differential privacy (which limits inference from the model output) or protect against all protocol-level leaks (e.g., from the magnitude of updates). It is often combined with these techniques for a layered defense.
05

Arithmetic vs. Boolean Circuit Support

HE schemes operate over different algebraic structures, determining the type of computations they can natively support. This dictates how VFL algorithms must be designed and implemented.

  • Arithmetic Circuit Schemes (e.g., BFV, CKKS): Operate natively on integers or fixed-point/approximate numbers. They efficiently support addition and multiplication, making them suitable for the linear algebra operations (matrix multiplications, additions) that dominate neural network training in VFL. CKKS is particularly popular for VFL as it supports approximate arithmetic on real numbers.
  • Boolean Circuit Schemes (e.g., BGV, TFHE): Operate on binary bits. They can perform logical gates (AND, XOR, NOT) homomorphically. While they can emulate arithmetic, it is less efficient. They are more suited for non-linear comparison operations (e.g., secure evaluation of a ReLU activation function) which may be required in certain VFL architectures.
06

Integration with Split Neural Networks

In VFL, HE is not applied to the entire training process but is strategically integrated into the split neural network architecture. The primary use case is securing the transmission across the cut layer. Common integration patterns include:

  • Encrypting Intermediate Outputs: The feature owner encrypts its local intermediate output before sending it to the label owner. The label owner then performs homomorphic operations (e.g., multiplying by its model weights) on this ciphertext.
  • Encrypting Gradients: During vertical backpropagation, the label owner may encrypt gradient messages sent back to feature owners for local model updates.
  • Hybrid Cryptographic Protocols: HE is often used in conjunction with Multi-Party Computation (MPC) or Secure Aggregation protocols. For example, HE can be used for the heavy computation of a global sum, while lighter-weight MPC handles secure comparisons or non-linearities, optimizing the overall system performance.
MECHANISM

How Homomorphic Encryption Works in a VFL Training Round

Homomorphic encryption (HE) is a cryptographic technique that enables computations to be performed directly on encrypted data. In a Vertical Federated Learning (VFL) training round, HE allows feature owners to encrypt their intermediate outputs, enabling the label owner to compute gradients and continue training without ever decrypting the sensitive data.

During vertical forward propagation, each feature owner computes its local model segment on its raw features. Instead of sending the plaintext intermediate output to the label owner, it encrypts this value using a homomorphic encryption scheme. The label owner receives this ciphertext and, due to the homomorphic properties, can perform the necessary mathematical operations (e.g., addition, multiplication) for the next network layer or loss calculation without decrypting it. This ensures the feature data remains confidential throughout the computation.

For vertical backpropagation, the label owner computes encrypted gradients based on the loss and propagates them back to the feature owners. Using homomorphic operations, these encrypted gradients are used to update the encrypted model parameters held by each party. A final, coordinated secure decryption step—often requiring collaboration among parties—yields the updated plaintext model. This process prevents any single party from accessing another's raw features or intermediate results, providing a strong cryptographic privacy guarantee for the VFL workflow.

PRIVACY TECHNIQUE COMPARISON

Homomorphic Encryption vs. Other VFL Privacy Techniques

A comparison of core privacy-preserving techniques used to secure intermediate data exchanges in Vertical Federated Learning (VFL).

Feature / MetricHomomorphic Encryption (HE)Secure Multi-Party Computation (MPC)Differential Privacy (DP)

Core Privacy Guarantee

Computational security via encryption

Information-theoretic or computational security via secret sharing

Statistical privacy via noise addition

Data Leakage Prevention

Prevents exposure of plaintext intermediate values and gradients

Prevents exposure of individual private inputs during joint computation

Prevents inference about individual records in the training dataset

Primary Use Case in VFL

Secure computation on encrypted intermediate outputs/gradients

Secure entity alignment (PSI) and joint gradient computation

Adding noise to final model updates or shared outputs

Computational Overhead

High (complex cryptographic operations)

Moderate to High (depends on protocol and number of parties)

Low (primarily noise generation and addition)

Communication Overhead

Low to Moderate (encrypted values are transmitted)

High (multiple rounds of communication between parties)

Low (noise parameters or noisy aggregates are shared)

Supports Complex Non-Linear Operations

Limited (e.g., addition, multiplication; non-linear via approximations)

Yes (any computable function, but with high cost)

Yes (applied post-computation, so no inherent limitation)

Formal Privacy Proof

Yes (based on cryptographic hardness assumptions)

Yes (based on simulation-based security definitions)

Yes (based on epsilon-delta (ε,δ) guarantees)

Typical Threat Model

Semi-honest (honest-but-curious) adversaries

Semi-honest or Malicious (with additional protocols)

Curious aggregator or data analyst

HOMOMORPHIC ENCRYPTION FOR VFL

Frequently Asked Questions

Homomorphic encryption (HE) is a foundational cryptographic technology for privacy-preserving Vertical Federated Learning (VFL), enabling computations on encrypted data. This FAQ addresses its core mechanisms, trade-offs, and role in secure multi-party machine learning.

Homomorphic encryption (HE) is a form of encryption that allows specific types of computations to be performed directly on ciphertext, producing an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext. In Vertical Federated Learning (VFL), HE is applied to protect intermediate outputs or gradients exchanged between parties during training. For example, a feature owner can encrypt the output of its local model segment (the activations from the cut layer) and send it to the label owner. The label owner can then perform operations like addition or multiplication on this encrypted data alongside other encrypted inputs to compute loss and gradients, all without ever decrypting the sensitive intermediate values. This creates a privacy-preserving training loop where the raw feature data and the labels never leave their respective owners in plaintext.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.