Skip to main content
Writing
·Paper Review·14 min read

Federated Learning Architecture: Data Privacy and System Security Approaches

A dual-layer defense framework that integrates CKKS Homomorphic Encryption (HE) with Differentially Private Stochastic Gradient Descent (DP-SGD) to protect both transit-level gradients and end-model o

AI Security
Contents

Federated Learning Architecture: Data Privacy and System Security Approaches Image generated by AI

TLDR

  • What: A dual-layer defense framework that integrates CKKS Homomorphic Encryption (HE) with Differentially Private Stochastic Gradient Descent (DP-SGD) to protect both transit-level gradients and end-model outputs in Federated Learning.
  • Who's at risk: Distributed medical networks, collaborative financial fraud detectors, and cross-organization tabular classification pipelines utilizing Federated Averaging (FedAvg).
  • Key number: Implementing differential privacy on small, distributed datasets triggers a catastrophic utility tax, dropping the clinical Recall of a diabetes classification model by 40.43% (from 0.7447 to an unusable 0.3404) when split across 10 clients.

Evaluating Dual-Layer Defenses in Federated Learning: CKKS Encryption and DP-SGD Trade-offs Under Reconstruction Threats

As organizations face mounting regulatory hurdles (such as GDPR and HIPAA) when pooling data, Federated Learning (FL) has been widely adopted as a privacy-preserving alternative. High-profile deployments, from Google’s Gboard next-word prediction to collaborative clinical diagnostics, rely on the premise that keeping data local mitigates leakage risks.

However, security researchers have repeatedly demonstrated that raw gradient updates are highly vulnerable to reconstruction and membership inference attacks. While combining cryptographic defenses like Homomorphic Encryption (HE) with statistical guarantees like Differential Privacy (DP) sounds ideal on paper, a critical look at the underlying empirical performance reveals that this defense-in-depth approach can completely destroy model utility in sensitive domains.


Threat Model

Element Description
Attacker Honest-but-curious server or passive network eavesdropper monitoring parameter exchanges during FL rounds; potential active adversary executing membership inference or data reconstruction attacks.
Victim Decentralized collaborative ML networks (e.g., hospitals, banks) using Federated Averaging (FedAvg) over highly sensitive tabular datasets.
Goal Extract private, individual patient or client attributes (e.g., diabetes status, coronary heart disease factors) from plaintext model gradients during transit or reconstruct training samples from the global model.
Budget Passive interception of model parameters (zero-compute for ciphertext, black-box/grey-box API or white-box access to global model weights for inference/reconstruction attacks).

Background / Problem Setup

The core vulnerability in standard FedAvg (McMahan et al. [16]) lies in the transparency of gradient updates. Even when aggregated, individual client contributions can often be reverse-engineered. Cryptographic frameworks like Homomorphic Encryption prevent transit-level eavesdropping but do not stop an adversary from querying the final, trained model to determine if a specific individual’s data was used in training. Conversely, Differential Privacy protects against output-based inference but leaves local updates exposed to a compromised coordinating server if not applied locally.

To address this, the analyzed paper explores a unified architecture where client gradients are privatized via DP-SGD locally and then encrypted via CKKS before transmission.

Below is a comparative look at how this methodology positions itself against existing works in the literature:

System / Approach Core Mechanism Primary Finding / Contribution Weakness / Gaps Addressed
FedAvg (McMahan et al. [16]) Plaintext parameter averaging. Foundation of decentralized ML; highly communication efficient. Vulnerable to model inversion and gradient reconstruction attacks [15].
PFMLP (Fang & Qian [20]) Secure gradients via partial homomorphic encryption. Achieved 99% accuracy on secure gradients with minimal deviation (<1%). Does not prevent membership inference from aggregated global outputs (lacks DP).
HETAL (Lee et al. [21]) Transfer learning encrypted via CKKS scheme. Sub-hour training on encrypted client data with validation-based early stopping. Heavy computational overhead; lacks robust statistical privacy guarantees (differential privacy).
FheFL (Rahulamathavan et al. [22]) Fully Homomorphic Encryption (FHE) with weighted aggregation. Protects against model poisoning and adversarial parameter manipulation. High computational cost limits practical real-world scalability.
Dual-Layer Framework (Karatas et al.) CKKS Homomorphic Encryption + DP-SGD (via Opacus). Evaluates joint cryptographic and statistical defense on tabular health & financial data. Significant utility drop (particularly Recall) on smaller, heterogeneous client datasets.

Methodology

The authors evaluate their dual-layer defense using a multi-layer artificial neural network (ANN) for binary classification, trained over three real-world tabular datasets: Framingham (cardiovascular disease prediction), Pima Indians Diabetes (PID), and the Bank Marketing dataset.

The architecture comprises the following phases:

1. Data Preprocessing and Heterogeneity Simulation

The datasets were split into training (90%) and testing (10%) partitions. To simulate real-world non-IID settings, the training datasets were distributed equally among NN clients (N=3,5,10N = 3, 5, 10).

As shown in Table 2 of the paper, the authors applied several preprocessing pipelines:

Feature Framingham PID Bank
Missing data handling ×
Outlier handling ×
Standardization ×
One-hot encoding ×
SMOTE ×

2. Local DP-SGD (Statistical Defense)

To prevent membership inference, the authors integrated PrivacyEngine into the local training loops. Prior to gradient computation, local gradients were clipped and Gaussian noise was added. The DP parameters were kept constant across all experiments:

  • Noise multiplier (σ\sigma): 5.0
  • Max gradient norm: 0.5
  • Target δ\delta: $10^{-5}$

The cumulative privacy budget ϵ\epsilon was tracked across 10 global rounds of training.

3. CKKS Homomorphic Encryption (Cryptographic Defense)

To protect local updates during transit, local model parameters (wkw_k) were encrypted using the CKKS (Cheon-Kim-Kim-Song) scheme before being sent to the central server.

Encryption is performed in polynomial rings: R=Z[X]/(XN+1)R = \mathbb{Z}[X]/(X^N + 1)

Real numbers zz are encoded with quantization parameter Δ\Delta: Encode(z)=Δz\text{Encode}(z) = \lfloor\Delta \cdot z\rfloor

The encryption process produces ciphertexts: Enc(m)=(c0,c1)=(m+Δe,a)\text{Enc}(m) = (c_0, c_1) = (m + \Delta \cdot e, a)

These ciphertexts support homomorphic addition, allowing the central server to execute Federated Averaging directly on the encrypted weights without decryption: Enc(m1)+Enc(m2)Enc(m1+m2)\text{Enc}(m_1) + \text{Enc}(m_2) \Rightarrow \text{Enc}(m_1 + m_2)

4. The Integrated Training Loop

The entire combined training process is outlined in Algorithm 1:

# Conceptual execution flow of Algorithm 1 (CKKS + DP-SGD)
def federated_round(global_model, clients, HEctx):
    encrypted_updates_list = []
    
    for client_id, client_data in clients:
        # 1. Pull global weights
        client_model = copy_weights(global_model)
        
        # 2. Bind DP-SGD engine to client model
        client_model, optimizer, dataloader = PrivacyEngine.make_private(
            model=client_model,
            noise_multiplier=5.0,
            max_grad_norm=0.5,
            delta=1e-5
        )
        
        # 3. Train locally for E epochs
        for epoch in range(E):
            for x_batch, y_batch in dataloader:
                loss = compute_loss(client_model(x_batch), y_batch)
                loss.backward()
                optimizer.step()
                optimizer.zero_grad()
        
        # 4. Encrypt parameters under CKKS
        encrypted_weights = Enc_HEctx(client_model.weights)
        encrypted_updates_list.append(encrypted_weights)
        
    # 5. Server-side Homomorphic Aggregation
    encrypted_global_update = homomorphic_avg(encrypted_updates_list)
    
    # 6. Decrypt and update Global Model
    global_model.weights = Dec_HEctx(encrypted_global_update)
    return evaluate(global_model)

Key Results

When we analyze the experimental data presented in Table 3 and Table 4 of the paper, the claims of "enhanced privacy without significantly compromising model accuracy" require serious scrutiny.

The introduction of differential privacy causes a clear and consistent drop in classification performance across all client distributions.

Table 3: Global Model Accuracy Comparison (With vs. Without DP)

Dataset Clients Accuracy (With DP) Accuracy (Without DP) Accuracy Loss (Absolute) Final Epsilon (ϵ\epsilon) at Round 10
Bank Marketing 3 0.8185 0.8620 -4.35% 0.3566
5 0.7836 0.8639 -8.03% 0.4700
10 0.8034 0.8554 -5.20% 0.6785
Diabetes (PID) 3 0.7200 0.7500 -3.00% 1.2719
5 0.7300 0.7300 0.00% 1.6000
10 0.6700 0.7100 -4.00% 2.4189
Framingham 3 0.6992 0.7147 -1.55% 0.4789
5 0.6496 0.7116 -6.20% 0.6200
10 0.6822 0.6961 -1.39% 0.8900

Table 4: The Severe Drop in Clinical Recall (True Positive Rate)

While basic accuracy metrics hide the damage, looking at the Recall rates in Table 4 reveals a critical failure point for deployments in healthcare:

Dataset Clients Metric Value (With DP) Value (Without DP) Absolute Drop
Diabetes (PID) 10 Recall 0.3404 0.7447 -40.43%
Framingham 5 Recall 0.5892 0.8121 -22.29%
Bank Marketing 5 Recall 0.7572 0.9011 -14.39%

As Section 4 shows, as the client pool scales from 3 to 10, the volume of data per client decreases. Consequently, the local models must train on fewer samples, causing the DP noise injection to overwhelm the actual feature gradients.


Limitations & Open Questions

1. The Tabular Preprocessing Mystery

According to Table 2, the Bank Marketing dataset completely bypassed missing data handling, outlier clipping, standardization, one-hot encoding, and SMOTE. Tabular ANNs are highly sensitive to unstandardized numeric ranges (e.g., age vs. account balance). Passing raw, unnormalized values directly to a PyTorch ANN should yield terrible results, yet the model managed ~81% accuracy with DP. This lack of rigorous standard preprocessing for the Bank dataset raises questions about baseline reproducibility.

2. The False Negative Catastrophe

In clinical settings, Recall is the most critical metric; missing a diabetic or coronary heart disease patient (a false negative) can be fatal. Under the 10-client Pima Indians Diabetes setup with DP, the model's recall collapsed to 0.3404. This means the model failed to detect 65.96% of positive cases. Claiming this system is "securely applied in sensitive domains such as healthcare" (Abstract) overlooks this massive clinical safety risk.

3. Extremely Small Model & Dataset Scale

The evaluations used a simple three-layer MLP on small datasets (PID has only 768 total records; at 10 clients, that is a mere ~76 records per client shard). Deep learning models used in modern production environments (e.g., ResNet-50, BERT, or clinical LLMs) require massive scale. Combining CKKS and DP-SGD on actual production-grade models typically leads to either memory exhaustion due to CKKS ciphertext expansion, or complete accuracy failure.

4. Lack of Active Adversary Validation

The paper relies entirely on mathematical assumptions of security. There are no actual simulations of modern reconstruction attacks (e.g., Deep Leakage from Gradients) or membership inference attacks to demonstrate the empirical defense bounds.


What Practitioners Should Do

If you are tasked with deploying secure federated learning architectures for tabular or clinical data, do not copy-paste the paper's default configs. Instead, implement these changes:

  1. Avoid Static High-Noise Multipliers on Small Shards: Do not use a static σ=5.0\sigma = 5.0 on tiny client datasets (N100N \le 100). It completely drowns out your gradients. Scale up your client batch sizes (B64B \ge 64 or 128128) to reduce the relative footprint of DP noise.

  2. Implement TenSEAL for CKKS Integration: If you are building in PyTorch, leverage TenSEAL (a library for doing homomorphic encryption operations on PyTorch tensors built on top of Microsoft SEAL). Secure your tensors using the following configuration snippet:

    import tenseal as ts
    context = ts.context(
        ts.SCHEME_TYPE.CKKS,
        poly_modulus_degree=8192,
        coeff_mod_bit_sizes=[60, 40, 40, 60]
    )
    context.global_scale = 2**40
    context.generate_galois_keys()
    
  3. Deploy Adaptive Gradient Clipping: Using a static max_grad_norm = 0.5 on heterogeneous client data often leads to clipping useful gradients too aggressively. Use an adaptive clipping threshold (e.g., tracking the geometric median of gradient norms) to preserve signal in non-IID distributions.

  4. Monitor Metric-Specific DP Impact: Always track Recall, Precision, and F1-score alongside basic Accuracy during your DP-SGD sweeps. If your training targets rare classes (like disease states or fraud), apply weighted loss functions prior to DP noise injection to prevent the minority class signal from being erased.


The Takeaway

Integrating Homomorphic Encryption (CKKS) and Differential Privacy (DP-SGD) provides a theoretically robust, dual-layer defense against both network-level and output-level data reconstruction. However, as this paper demonstrates, applying these defenses blindly to small or highly distributed client shards comes with a severe utility penalty. When clinical Recall collapses by over 40%, the resulting system may be mathematically secure, but it is practically useless for real-world deployment.


Den's Take

While combining CKKS Homomorphic Encryption and DP-SGD sounds like a bulletproof defense-in-depth strategy for federated learning, this paper exposes a harsh reality that practitioners know all too well: the devastating utility tax of differential privacy.

Seeing a diabetes classification model's clinical recall plummet by 40.43%—collapsing from 0.7447 to an absolutely unusable 0.3404 when distributed across just 10 clients—is a massive red flag. In collaborative clinical diagnostics, a false negative rate of over 65% is a non-starter. This utility collapse highlights a recurring theme in how rigorous mathematical privacy guarantees can completely destroy model performance in practice, a trade-off commonly observed in other privacy-preserving machine learning contexts.

As a practitioner, I appreciate the paper's intellectual honesty in reporting these dismal numbers rather than hiding behind sanitized synthetic benchmarks. Secure transit via CKKS is great, but if the underlying model is rendered useless by local DP-SGD noise, the deployment is dead on arrival. If we want to secure distributed medical networks, we desperately need more research focused on mitigating this utility collapse for small-sample, tabular environments.

Share

Comments

Page views are tracked via Google Analytics for content improvement.