Encrypt What Matters: Selective Model Encryption for More Efficient Secure Federated Learning

Federico Mazzone; Ahmad Al Badawi; Yuriy Polyakov; Maarten Everts; Florian Hahn; Andreas Peter

doi:10.1007/978-3-031-96590-6_6

Encrypt What Matters: Selective Model Encryption for More Efficient Secure Federated Learning

Federico Mazzone^*
, Ahmad Al Badawi
, Yuriy Polyakov
, Maarten Everts
, Florian Hahn
, Andreas Peter

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

1 Citation (Scopus)

3 Downloads (Pure)

Abstract

The notion that federated learning ensures privacy simply by keeping data local is widely acknowledged to be flawed. Cryptographic techniques such as Multi-Party Computation (MPC) and Fully Homomorphic Encryption (FHE) address this issue by concealing the model during the training procedure, but their extreme computational and communication overhead makes them impractical for real-world deployment. However, we argue that such strong guarantees are unnecessary. Even with full-model encryption, black-box attacks remain possible during the prediction phase, since model outputs are eventually revealed to the
querier. This suggests that instead of enforcing perfect privacy during training, it is sufficient to ensure that the leakage during training is no higher than the leakage during prediction. To achieve this, we generalize POSEIDON (NDSS 2021), a state-of-the-art FHE-based federated learning approach, by selectively encrypting only the components of the model necessary to match the privacy level of the prediction phase. Our method identifies the parts of the model that
contribute most to information leakage and prioritizes their encryption,
significantly reducing computational and communication overhead. Our experiments on dense neural networks show that encrypting only the last layer is often sufficient to hinder white-box attacks, improving efficiency by a linear factor in the number of layers. For deeper models, multiple layers may require encryption, but our approach still achieves a substantial speedup compared to full-model encryption.

Original language	English
Title of host publication	Data and Applications Security and Privacy XXXIX
Subtitle of host publication	39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025, Gjøvik, Norway, June 23-24, 2025, Proceedings
Editors	Sokratis Katsikas, Basit Shafiq
Place of Publication	Cham (Switzerland)
Publisher	Springer
Pages	96-115
Number of pages	20
ISBN (Electronic)	978-3-031-96590-6
ISBN (Print)	978-3-031-96589-0
DOIs	https://doi.org/10.1007/978-3-031-96590-6_6
Publication status	Published - 2025
Event	39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025 - Gjøvik, Norway Duration: 23 Jun 2025 → 24 Jun 2025 Conference number: 39

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	15722
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025
Abbreviated title	DBSec 2025
Country/Territory	Norway
City	Gjøvik
Period	23/06/25 → 24/06/25

Keywords

2025 OA procedure
Federated learning
Fully homomorphic encryption
Privacy leakage
Privacy-preserving machine learning
Neural network

Access to Document

10.1007/978-3-031-96590-6_6

Book chapterFinal published version, 798 KBLicence: Taverne

Cite this

Mazzone, F., Badawi, A. A., Polyakov, Y., Everts, M., Hahn, F., & Peter, A. (2025). Encrypt What Matters: Selective Model Encryption for More Efficient Secure Federated Learning. In S. Katsikas, & B. Shafiq (Eds.), Data and Applications Security and Privacy XXXIX: 39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025, Gjøvik, Norway, June 23-24, 2025, Proceedings (pp. 96-115). (Lecture Notes in Computer Science; Vol. 15722). Springer. https://doi.org/10.1007/978-3-031-96590-6_6

Mazzone, Federico ; Badawi, Ahmad Al ; Polyakov, Yuriy et al. / Encrypt What Matters : Selective Model Encryption for More Efficient Secure Federated Learning. Data and Applications Security and Privacy XXXIX: 39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025, Gjøvik, Norway, June 23-24, 2025, Proceedings. editor / Sokratis Katsikas ; Basit Shafiq. Cham (Switzerland) : Springer, 2025. pp. 96-115 (Lecture Notes in Computer Science).

@inproceedings{6ad3523803f14b589845b0cec219ad1c,

title = "Encrypt What Matters: Selective Model Encryption for More Efficient Secure Federated Learning",

abstract = "The notion that federated learning ensures privacy simply by keeping data local is widely acknowledged to be flawed. Cryptographic techniques such as Multi-Party Computation (MPC) and Fully Homomorphic Encryption (FHE) address this issue by concealing the model during the training procedure, but their extreme computational and communication overhead makes them impractical for real-world deployment. However, we argue that such strong guarantees are unnecessary. Even with full-model encryption, black-box attacks remain possible during the prediction phase, since model outputs are eventually revealed to the querier. This suggests that instead of enforcing perfect privacy during training, it is sufficient to ensure that the leakage during training is no higher than the leakage during prediction. To achieve this, we generalize POSEIDON (NDSS 2021), a state-of-the-art FHE-based federated learning approach, by selectively encrypting only the components of the model necessary to match the privacy level of the prediction phase. Our method identifies the parts of the model that contribute most to information leakage and prioritizes their encryption, significantly reducing computational and communication overhead. Our experiments on dense neural networks show that encrypting only the last layer is often sufficient to hinder white-box attacks, improving efficiency by a linear factor in the number of layers. For deeper models, multiple layers may require encryption, but our approach still achieves a substantial speedup compared to full-model encryption.",

keywords = "2025 OA procedure, Federated learning, Fully homomorphic encryption, Privacy leakage, Privacy-preserving machine learning, Neural network",

author = "Federico Mazzone and Badawi, \{Ahmad Al\} and Yuriy Polyakov and Maarten Everts and Florian Hahn and Andreas Peter",

note = "Copyright: IFIP International Federation for Information Processing 2025 ; 39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025, DBSec 2025 ; Conference date: 23-06-2025 Through 24-06-2025",

year = "2025",

doi = "10.1007/978-3-031-96590-6\_6",

language = "English",

isbn = "978-3-031-96589-0",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "96--115",

editor = "Sokratis Katsikas and Basit Shafiq",

booktitle = "Data and Applications Security and Privacy XXXIX",

address = "Germany",

}

Mazzone, F, Badawi, AA, Polyakov, Y, Everts, M , Hahn, F & Peter, A 2025, Encrypt What Matters: Selective Model Encryption for More Efficient Secure Federated Learning. in S Katsikas & B Shafiq (eds), Data and Applications Security and Privacy XXXIX: 39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025, Gjøvik, Norway, June 23-24, 2025, Proceedings. Lecture Notes in Computer Science, vol. 15722, Springer, Cham (Switzerland), pp. 96-115, 39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025, Gjøvik, Norway, 23/06/25. https://doi.org/10.1007/978-3-031-96590-6_6

Encrypt What Matters: Selective Model Encryption for More Efficient Secure Federated Learning. / Mazzone, Federico; Badawi, Ahmad Al; Polyakov, Yuriy et al.
Data and Applications Security and Privacy XXXIX: 39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025, Gjøvik, Norway, June 23-24, 2025, Proceedings. ed. / Sokratis Katsikas; Basit Shafiq. Cham (Switzerland): Springer, 2025. p. 96-115 (Lecture Notes in Computer Science; Vol. 15722).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Encrypt What Matters

T2 - 39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025

AU - Mazzone, Federico

AU - Badawi, Ahmad Al

AU - Polyakov, Yuriy

AU - Everts, Maarten

AU - Hahn, Florian

AU - Peter, Andreas

N1 - Conference code: 39

PY - 2025

Y1 - 2025

N2 - The notion that federated learning ensures privacy simply by keeping data local is widely acknowledged to be flawed. Cryptographic techniques such as Multi-Party Computation (MPC) and Fully Homomorphic Encryption (FHE) address this issue by concealing the model during the training procedure, but their extreme computational and communication overhead makes them impractical for real-world deployment. However, we argue that such strong guarantees are unnecessary. Even with full-model encryption, black-box attacks remain possible during the prediction phase, since model outputs are eventually revealed to the querier. This suggests that instead of enforcing perfect privacy during training, it is sufficient to ensure that the leakage during training is no higher than the leakage during prediction. To achieve this, we generalize POSEIDON (NDSS 2021), a state-of-the-art FHE-based federated learning approach, by selectively encrypting only the components of the model necessary to match the privacy level of the prediction phase. Our method identifies the parts of the model that contribute most to information leakage and prioritizes their encryption, significantly reducing computational and communication overhead. Our experiments on dense neural networks show that encrypting only the last layer is often sufficient to hinder white-box attacks, improving efficiency by a linear factor in the number of layers. For deeper models, multiple layers may require encryption, but our approach still achieves a substantial speedup compared to full-model encryption.

AB - The notion that federated learning ensures privacy simply by keeping data local is widely acknowledged to be flawed. Cryptographic techniques such as Multi-Party Computation (MPC) and Fully Homomorphic Encryption (FHE) address this issue by concealing the model during the training procedure, but their extreme computational and communication overhead makes them impractical for real-world deployment. However, we argue that such strong guarantees are unnecessary. Even with full-model encryption, black-box attacks remain possible during the prediction phase, since model outputs are eventually revealed to the querier. This suggests that instead of enforcing perfect privacy during training, it is sufficient to ensure that the leakage during training is no higher than the leakage during prediction. To achieve this, we generalize POSEIDON (NDSS 2021), a state-of-the-art FHE-based federated learning approach, by selectively encrypting only the components of the model necessary to match the privacy level of the prediction phase. Our method identifies the parts of the model that contribute most to information leakage and prioritizes their encryption, significantly reducing computational and communication overhead. Our experiments on dense neural networks show that encrypting only the last layer is often sufficient to hinder white-box attacks, improving efficiency by a linear factor in the number of layers. For deeper models, multiple layers may require encryption, but our approach still achieves a substantial speedup compared to full-model encryption.

KW - 2025 OA procedure

KW - Federated learning

KW - Fully homomorphic encryption

KW - Privacy leakage

KW - Privacy-preserving machine learning

KW - Neural network

UR - https://www.scopus.com/pages/publications/105010204609

U2 - 10.1007/978-3-031-96590-6_6

DO - 10.1007/978-3-031-96590-6_6

M3 - Conference contribution

SN - 978-3-031-96589-0

T3 - Lecture Notes in Computer Science

SP - 96

EP - 115

BT - Data and Applications Security and Privacy XXXIX

A2 - Katsikas, Sokratis

A2 - Shafiq, Basit

PB - Springer

CY - Cham (Switzerland)

Y2 - 23 June 2025 through 24 June 2025

ER -

Mazzone F, Badawi AA, Polyakov Y, Everts M , Hahn F , Peter A. Encrypt What Matters: Selective Model Encryption for More Efficient Secure Federated Learning. In Katsikas S, Shafiq B, editors, Data and Applications Security and Privacy XXXIX: 39th IFIP WG 11.3 Annual Conference on Data and Applications Security and Privacy, DBSec 2025, Gjøvik, Norway, June 23-24, 2025, Proceedings. Cham (Switzerland): Springer. 2025. p. 96-115. (Lecture Notes in Computer Science). Epub 2025 Jun 24. doi: 10.1007/978-3-031-96590-6_6