Privacy-Preserving Vertical FL integrates cryptographic and algorithmic techniques into the Vertical Federated Learning (VFL) framework to prevent data leakage during training. It addresses the core risk of VFL where exchanging intermediate outputs and gradients could allow malicious participants to reconstruct private features. Core privacy technologies include Secure Multi-Party Computation (MPC), Homomorphic Encryption (HE), and Differential Privacy (DP), applied to operations like entity alignment and gradient computation.
Glossary
Privacy-Preserving Vertical FL

What is Privacy-Preserving Vertical FL?
Privacy-Preserving Vertical Federated Learning (PP-VFL) is a secure machine learning paradigm where multiple organizations, each holding different features about the same entities, collaboratively train a model without exposing their raw, sensitive data.
The system operates via a split neural network, where each feature owner computes a partial forward pass. Their results are then protected—either encrypted or noised—before being sent to the label owner for aggregation and loss calculation. This ensures the final model benefits from a comprehensive feature space while providing formal guarantees that no party learns another's underlying data records, making it essential for finance, healthcare, and cross-enterprise collaborations.
Core Privacy-Preserving Techniques in VFL
Vertical Federated Learning (VFL) relies on a suite of advanced techniques to prevent data leakage during collaborative training on vertically partitioned data. These methods provide cryptographic security or statistical privacy guarantees.
Secure Multi-Party Computation (MPC)
Secure Multi-Party Computation (MPC) is a cryptographic framework that allows multiple parties to jointly compute a function over their private inputs while revealing only the final output. In VFL, MPC protocols enable collaborative gradient calculation and model updates without exposing raw features or intermediate results.
- Core Mechanism: Data is secret-shared or garbled, allowing computations to be performed on these disguised values.
- VFL Application: Used for secure entity alignment via Private Set Intersection (PSI) and for privacy-preserving forward/backward propagation in split neural networks.
- Guarantee: Provides information-theoretic or computational security, meaning privacy is guaranteed even against computationally unbounded or bounded adversaries, respectively.
Homomorphic Encryption (HE)
Homomorphic Encryption (HE) is an encryption scheme that allows specific algebraic operations (e.g., addition, multiplication) to be performed directly on ciphertext. The decrypted result matches the result of the operations as if they had been performed on the plaintext.
- Core Mechanism: A feature owner encrypts its intermediate outputs (e.g., activations from the cut layer) before sending them to the label owner. The label owner can perform further model computations on these ciphertexts.
- VFL Application: Enables the label owner to compute loss and gradients without ever decrypting the feature owners' data. Partial or fully homomorphic schemes are used depending on the required operations.
- Trade-off: Provides strong cryptographic security but introduces significant computation and communication overhead due to ciphertext size and complexity of homomorphic operations.
Differential Privacy (DP)
Differential Privacy (DP) is a rigorous, mathematical framework that guarantees the output of a computation (e.g., a model update) does not reveal whether any single individual's data was included in the input dataset.
- Core Mechanism: Carefully calibrated random noise (e.g., Gaussian, Laplacian) is added to the shared information, such as gradients or intermediate outputs. The noise scale is determined by a privacy budget (epsilon, δ).
- VFL Application: Applied to the outputs shared by feature owners (e.g., embeddings) or to the aggregated updates to prevent reconstruction attacks and membership inference.
- Guarantee: Provides a statistical privacy guarantee that holds even if the adversary has arbitrary auxiliary information. It directly trades off privacy (epsilon) with model utility.
Functional Encryption & Secret Sharing
These are specialized cryptographic primitives for controlled information disclosure in distributed computations.
- Functional Encryption: Allows a party to decrypt a ciphertext to reveal only the result of a specific function on the underlying plaintext, and nothing else. In VFL, it could allow a label owner to learn only the aggregated gradient for a batch, not individual contributions.
- Secret Sharing: Splits a data secret into multiple shares distributed among parties. The original secret can only be reconstructed if a sufficient number of shares are combined. Threshold secret sharing is used in secure aggregation protocols to combine model updates without a central aggregator seeing any individual update in plaintext.
- Use Case: Forms the backbone of many vertical secure aggregation protocols, preventing the label owner or any single party from learning a feature owner's precise update.
Trusted Execution Environments (TEEs)
A Trusted Execution Environment (TEE) is a secure, isolated area within a main processor (e.g., Intel SGX, AMD SEV) that guarantees the confidentiality and integrity of code and data executing inside it, even from the host operating system.
- Core Mechanism: Sensitive VFL computations (e.g., aggregation, activation computation) are performed within the TEE's encrypted memory enclave. Data is only decrypted inside this hardware-protected environment.
- VFL Application: Can be used by a central coordinator or by individual parties to handle plaintext intermediate results securely, simplifying protocol design compared to pure cryptography.
- Trade-off: Offers high performance relative to cryptographic techniques but relies on specific hardware and requires trust in the hardware vendor's implementation and attestation mechanisms.
Hybrid Privacy Approaches
In practice, VFL systems often combine multiple techniques in a hybrid approach to balance privacy, utility, and efficiency.
- MPC + DP: MPC provides secure computation, while DP adds a layer of statistical protection against potential protocol vulnerabilities or information leakage from the final model.
- HE + TEEs: Homomorphic encryption secures data in transit and during remote computation, while TEEs can be used for efficient decryption and final aggregation in a trusted zone.
- Design Principle: The choice of hybrid technique depends on the threat model (semi-honest vs. malicious adversaries), performance requirements, and the type of potential leakage (feature, label, or membership inference) being mitigated. For example, DP is particularly effective against reconstruction attacks on the label owner's data.
How Does Privacy-Preserving Vertical FL Work?
Privacy-Preserving Vertical Federated Learning (PP-VFL) is a collaborative machine learning paradigm where multiple organizations, each holding different features about the same entities, jointly train a model without exposing their raw data. It achieves this by integrating cryptographic protocols and privacy-enhancing technologies directly into the VFL training process.
The core mechanism is a split neural network partitioned between a label owner and multiple feature owners. During vertical forward propagation, each feature owner computes an intermediate output from its local features up to a cut layer and transmits this encrypted or obfuscated result to the label owner. The label owner completes the forward pass, computes the loss, and initiates vertical backpropagation by sending back encrypted gradients. Each party then updates its respective model segment using vertical gradient computation.
Privacy is enforced via a layered defense. Private Set Intersection (PSI) first aligns entities across parties without revealing non-intersecting records. During training, homomorphic encryption or secure multi-party computation (MPC) allows computations on encrypted intermediate values. For formal guarantees, differential privacy adds calibrated noise to gradients or outputs. Finally, vertical secure aggregation protocols prevent the label owner from isolating any single feature owner's contribution, ensuring collaborative learning without data leakage.
Key Use Cases and Applications
Privacy-Preserving Vertical Federated Learning (VFL) enables collaborative model training across organizations that hold different data features about the same entities, such as customers or patients, without sharing the raw data. Its core applications are in highly regulated industries where data privacy is paramount and joint analysis unlocks significant value.
Cross-Bank Credit Scoring
Multiple financial institutions (e.g., a bank and a credit card company) collaborate to build a more accurate credit risk model. Each holds different features—transaction history, loan repayment data, credit line usage—for the same customers. Using Private Set Intersection (PSI) for entity alignment and homomorphic encryption for secure gradient computation, they train a model that predicts default risk without any bank exposing its proprietary customer data.
Healthcare Diagnostics & Research
A hospital, a genomics lab, and an insurance provider collaborate to improve disease prediction. The hospital holds medical images and lab results, the lab holds genomic sequences, and the insurer holds longitudinal treatment and outcome data. Privacy-preserving VFL allows training a multimodal diagnostic model. Techniques like differential privacy are applied to gradients to prevent leakage of rare genetic markers or specific patient outcomes, ensuring compliance with HIPAA and GDPR.
Personalized Retail & Marketing
An e-commerce platform, a social media company, and a payment processor aim to build a unified customer preference model. Each possesses a vertical slice of user behavior: purchase history, social engagement, and spending patterns. Through secure entity resolution and a split neural network, they generate personalized product recommendations. The cut layer outputs are encrypted, ensuring the social media company cannot infer specific purchases, and the payment processor cannot learn browsing habits.
Fraud Detection in FinTech
A digital wallet app, a cryptocurrency exchange, and a traditional bank collaborate to detect sophisticated, cross-platform fraud schemes. Each entity observes different signals—login device history, crypto transaction graphs, and wire transfer patterns. A vertical training protocol using Secure Multi-Party Computation (MPC) enables the joint training of an anomaly detection model. This identifies complex fraud patterns invisible to any single party, while cryptographic guarantees prevent leakage of legitimate user transaction graphs.
Smart City & IoT Sensor Analytics
Different municipal departments or utility companies hold sensor data from vertically partitioned sources—traffic cameras (transport department), air quality sensors (environment agency), and smart meter readings (energy utility)—all relating to the same city zones and time periods. Privacy-preserving VFL enables training models for urban planning, congestion prediction, or energy demand forecasting. The intermediate outputs from each party's model segment are aggregated without revealing raw sensor feeds, which may contain sensitive locational data.
Supply Chain Optimization
A manufacturer, a logistics provider, and a retailer collaborate to optimize inventory and delivery routes. They hold different features for the same products or shipments: production quality data, real-time GPS logistics data, and point-of-sale demand data. Using a vertical inference protocol, they can run predictive models for delivery delays or stock-outs. Vertical secure aggregation ensures the manufacturer cannot deduce the retailer's profit margins, and the logistics provider cannot access proprietary production specifications.
Comparing Privacy Techniques in VFL
A technical comparison of cryptographic and statistical methods used to prevent data leakage during Vertical Federated Learning training.
| Privacy Mechanism | Homomorphic Encryption (HE) | Secure Multi-Party Computation (MPC) | Differential Privacy (DP) |
|---|---|---|---|
Core Privacy Guarantee | Computational security on encrypted data | Information-theoretic or computational security for joint computation | Mathematical guarantee against membership inference |
Primary Protection Target | Intermediate outputs & gradients in transit/computation | Raw feature values during entity alignment & computation | Final trained model parameters & outputs |
Communication Overhead | High (ciphertext expansion 10-100x) | Moderate to High (multiple rounds of interaction) | Low (noise addition only) |
Computation Overhead | Very High (encrypted arithmetic operations) | High (secret sharing & interactive protocols) | Negligible (noise generation & addition) |
Model Accuracy Impact | None (exact computation) | None (exact computation) | Yes (controlled accuracy/privacy trade-off via ε) |
Resilience to Collusion | Yes (non-interactive, server-only computation) | Configurable (e.g., t-out-of-n threshold) | Yes (local or central DP mechanisms) |
Typical Use Case in VFL | Encrypting embeddings sent to label owner | Secure entity alignment (PSI) & gradient computation | Adding noise to final aggregated gradients or outputs |
Formal Proofs Available | Yes (based on lattice problems) | Yes (simulation-based security proofs) | Yes (ε, δ)-differential privacy proofs |
Frequently Asked Questions
Privacy-Preserving Vertical Federated Learning (PP-VFL) combines cryptographic and statistical techniques to enable collaborative model training across organizations that hold different features about the same entities, without exposing the raw, underlying data. This FAQ addresses the core mechanisms, guarantees, and trade-offs of these privacy-enhancing methods.
Privacy-Preserving Vertical Federated Learning (PP-VFL) is a decentralized machine learning paradigm where multiple organizations, each holding different features (columns) about overlapping entities (rows), collaboratively train a model using cryptographic and statistical techniques to prevent leakage of their raw data. It works by splitting a neural network architecture so each party computes on its local features. The key privacy mechanism is the secure exchange of only encrypted intermediate outputs or noise-infused gradients at a designated cut layer, rather than raw features or labels. For example, a bank (holding credit history) and an e-commerce platform (holding purchase history) can train a fraud detection model. The bank computes initial embeddings from its data, encrypts them using homomorphic encryption or adds differential privacy noise, and sends them to the e-commerce platform, which continues the forward pass using its features and the label. Gradients are then propagated back securely to update each party's model segment, ensuring neither sees the other's raw input data.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Privacy-preserving techniques are the essential safeguards that enable Vertical Federated Learning. These related concepts form the toolkit for building collaborative models without exposing raw, vertically partitioned data.
Homomorphic Encryption
A cryptographic scheme that allows computations to be performed directly on encrypted data. In VFL, it enables the label owner to compute gradients and losses on encrypted intermediate outputs from feature owners, ensuring raw features are never decrypted during training.
- Key Property: The result of computations on ciphertext, when decrypted, matches the result of operations on the plaintext.
- VFL Application: Often used to secure the forward and backward passes between parties, particularly for calculations involving the cut layer outputs and gradients.
Secure Multi-Party Computation (MPC)
A cryptographic protocol that enables a group of distributed parties to jointly compute a function over their private inputs while revealing only the final output. In VFL, MPC protocols coordinate the training of the split neural network.
- Core Principle: No single party learns anything about another's private data beyond what can be inferred from the final model.
- VFL Role: Manages the secure exchange and computation of intermediate results and gradients across feature and label owners, forming the backbone of many vertical training protocols.
Differential Privacy (DP)
A rigorous mathematical framework that guarantees the output of a computation (e.g., a model update) does not reveal whether any specific individual's data was included in the input. In VFL, DP is applied to shared information like gradients or intermediate outputs.
- Mechanism: Achieved by adding carefully calibrated statistical noise (e.g., Gaussian, Laplacian) to the values being shared.
- VFL Application: Provides a quantifiable, worst-case privacy guarantee against inference attacks, often used in conjunction with cryptographic methods like secure aggregation.
Private Set Intersection (PSI)
A foundational cryptographic protocol for the entity alignment phase of VFL. It allows two or more parties holding private sets of entity identifiers (e.g., user IDs) to compute the intersection of their sets without revealing any identifiers not in the common set.
- Critical Prerequisite: Enables parties to discover their overlapping samples to form the training cohort without leaking their full customer lists.
- Efficiency: Modern PSI protocols (e.g., based on Oblivious Transfer) are highly optimized for large datasets, making practical VFL initialization possible.
Secure Aggregation
A protocol for combining multiple private values (e.g., model updates from clients) into an aggregate sum without revealing any individual value. In horizontal FL, it's used for gradient aggregation; in VFL, it can secure the combination of updates from multiple feature owners.
- Key Technique: Often employs masking with secret sharing, where clients add a secret mask to their update that cancels out when all masked updates are summed.
- VFL Benefit: Prevents the label owner or any feature owner from learning the specific contribution of another participant, protecting feature data patterns.
Trusted Execution Environment (TEE)
A secure, isolated area within a main processor (CPU) that guarantees code and data loaded inside are protected with respect to confidentiality and integrity. In VFL, TEEs can act as a neutral, hardware-based arbiter.
- VFL Application: The split model's cut layer logic or aggregation functions can be executed inside a TEE. Feature owners send encrypted intermediate outputs to the TEE, which decrypts, computes, and re-encrypts results, shielding data from the host system (including the label owner).
- Trade-off: Reduces complex cryptographic overhead but relies on specific hardware (e.g., Intel SGX, AMD SEV).

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us