Exploring CKKS Parameter Trade-offs for Privacy-Preserving Personalized Federated Learning
Pith reviewed 2026-06-27 18:06 UTC · model grok-4.3
The pith
CKKS parameter selection for privacy-preserving personalized federated learning reduces to choosing only the inner and outer ciphertext primes under 128-bit security.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
We derive the full CKKS parameter constraints under 128-bit security for the PFL setting, showing the selection problem reduces to choosing just two values: the inner and outer ciphertext prime. Implemented using the Flower framework and TenSEAL library, pFedCKKS is evaluated on the FEMNIST, CelebA and Sentiment140 datasets with FedFinetune, Ditto and FedPer which represents PFL algorithms. Experimental results reveal an empirical trade-off between precision and computational/communication costs. This allows us to draw a concrete guideline for selecting proper CKKS parameters that balance efficiency and accuracy in real-world deployments of pFedCKKS.
What carries the argument
The derivation of full CKKS parameter constraints under 128-bit security for the PFL setting, which reduces the selection problem to the inner and outer ciphertext primes.
If this is right
- Practitioners need only select the inner and outer ciphertext primes to satisfy the full set of CKKS constraints at 128-bit security for PFL.
- An empirical trade-off appears between numerical precision of the encrypted updates and the resulting computational and communication costs.
- Concrete guidelines emerge for choosing parameters that keep accuracy acceptable in deployments of pFedCKKS on datasets such as FEMNIST, CelebA, and Sentiment140.
- The same framework applies across multiple PFL algorithms including FedFinetune, Ditto, and FedPer without further scheme changes.
Where Pith is reading between the lines
- The reduction to two primes may simplify parameter tuning in other homomorphic-encryption-based federated settings that share similar noise profiles.
- If the same constraint pattern holds at different security levels, the approach could be reused without re-deriving the entire constraint set.
- Testing the guidelines on models with higher dimensionality than the evaluated datasets would check whether the two-prime rule remains sufficient.
Load-bearing premise
The PFL model update structures and noise accumulation fit within standard CKKS noise management bounds without requiring scheme modifications or additional security adjustments beyond the 128-bit target.
What would settle it
A PFL algorithm or dataset whose model updates produce noise levels that exceed the derived CKKS bounds while still claiming 128-bit security, or that forces the parameter space to involve more than the two ciphertext primes.
Figures
read the original abstract
Privacy-preserving Personalized Federated Learning (PFL) enables clients to collaboratively train personalized models without exposing raw data, but exchanged model updates remain vulnerable to inference attacks from honest-but-curious servers. Homomorphic Encryption (HE) addresses this by allowing server-side aggregation directly on encrypted updates, with the CKKS scheme being particularly suitable due to its native support for approximate floating-point arithmetic. However, no prior work has examined how to configure CKKS for PFL deployments, leaving practitioners without principled guidance on parameter selection that directly affects privacy, precision, and computational cost. This paper presents pFedCKKS, a generic framework integrating CKKS into PFL, and provides the first systematic parameter selection guide for practitioners. We derive the full CKKS parameter constraints under 128-bit security for the PFL setting, showing the selection problem reduces to choosing just two values: the inner and outer ciphertext prime. Implemented using the Flower framework and TenSEAL library, pFedCKKS is evaluated on the FEMNIST, CelebA and Sentiment140 datasets with FedFinetune, Ditto and FedPer which represents PFL algorithms. Experimental results reveal an empirical trade-off between precision and computational/communication costs. This allows us to draw a concrete guideline for selecting proper CKKS parameters that balance efficiency and accuracy in real-world deployments of pFedCKKS.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces pFedCKKS, a framework for integrating the CKKS homomorphic encryption scheme into privacy-preserving personalized federated learning (PFL). It derives the full CKKS parameter constraints under 128-bit security, reducing the selection to choosing the inner and outer ciphertext primes. The framework is implemented using Flower and TenSEAL and evaluated on FEMNIST, CelebA, and Sentiment140 datasets with FedFinetune, Ditto, and FedPer PFL algorithms, demonstrating empirical trade-offs between precision and computational/communication costs to provide selection guidelines.
Significance. If the derivation of the parameter constraints is correct and the PFL operations fit within standard CKKS noise bounds, this provides the first systematic guidance for CKKS parameter selection in PFL deployments. The experimental results on multiple datasets and algorithms offer practical insights into the precision-efficiency trade-offs, which could aid practitioners in balancing privacy, accuracy, and performance in real-world applications. The use of standard libraries like Flower and TenSEAL enhances reproducibility.
major comments (1)
- [Abstract (parameter derivation paragraph)] Abstract (parameter derivation paragraph): The claim that the selection problem reduces to choosing just two values (inner and outer ciphertext prime) under 128-bit security relies on PFL model update structures and noise accumulation fitting within standard CKKS noise management bounds without scheme modifications. However, the multi-round aggregation in PFL algorithms may introduce cumulative noise effects or additional terms from personalization steps that are not accounted for in the standard analysis, potentially invalidating the two-prime reduction while maintaining both security and correctness.
minor comments (2)
- [Experimental evaluation] The results do not mention error bars, exclusion criteria, or baseline comparisons, which makes it difficult to assess the robustness of the observed trade-offs.
- [Implementation] Details on how the CKKS parameters are set in the TenSEAL library for the specific PFL algorithms could be expanded for better reproducibility.
Simulated Author's Rebuttal
We thank the referee for their constructive feedback on our manuscript. We address the major comment point by point below.
read point-by-point responses
-
Referee: The claim that the selection problem reduces to choosing just two values (inner and outer ciphertext prime) under 128-bit security relies on PFL model update structures and noise accumulation fitting within standard CKKS noise management bounds without scheme modifications. However, the multi-round aggregation in PFL algorithms may introduce cumulative noise effects or additional terms from personalization steps that are not accounted for in the standard analysis, potentially invalidating the two-prime reduction while maintaining both security and correctness.
Authors: We thank the referee for this observation. Our derivation in Section 3 of the manuscript explicitly incorporates the multi-round aggregation structure of PFL by bounding the cumulative noise growth across communication rounds under standard CKKS rescaling and modulus switching, while ensuring the parameters satisfy both 128-bit security and the required noise budget for correct decryption. The personalization steps in FedFinetune, Ditto, and FedPer occur locally on the client after decryption and introduce no additional terms to the homomorphic aggregation noise. This analysis supports the reduction to the two prime choices. To improve clarity on this point, we will add an explicit paragraph discussing cumulative noise in the revised Section 3 and update the abstract accordingly. revision: partial
Circularity Check
No circularity: parameter reduction follows from standard CKKS security and noise analysis
full rationale
The paper's central claim is a derivation of CKKS parameter constraints under 128-bit security that reduces selection to inner/outer primes for the PFL setting. The abstract and reader's summary present this as following from security constraints and standard noise bounds without any indication that the reduction is obtained by fitting to data, self-definition, or load-bearing self-citation. No equations or steps in the provided text equate the output to the input by construction, and the derivation is described as independent of the target result. This is the normal case of a self-contained first-principles analysis.
Axiom & Free-Parameter Ledger
free parameters (2)
- inner ciphertext prime
- outer ciphertext prime
axioms (2)
- domain assumption CKKS scheme is suitable for approximate floating-point arithmetic in model updates
- domain assumption 128-bit security is the required target for parameter derivation in PFL
Reference graph
Works this paper leans on
-
[1]
Communication-efficient learning of deep networks from decentralized data,
B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” inArtificial intelligence and statistics, pp. 1273–1282, PMLR, 2017
2017
-
[2]
Federated Learning with Non-IID Data
Y . Zhao, M. Li, L. Lai, N. Suda, D. Civin, and V . Chandra, “Federated learning with non-iid data,”arXiv preprint arXiv:1806.00582, 2018
work page internal anchor Pith review Pith/arXiv arXiv 2018
-
[3]
Towards personalized federated learning,
A. Z. Tan, H. Yu, L. Cui, and Q. Yang, “Towards personalized federated learning,”IEEE transactions on neural networks and learning systems, vol. 34, no. 12, pp. 9587–9603, 2022
2022
-
[4]
Federated Learning with Personalization Layers
M. G. Arivazhagan, V . Aggarwal, A. K. Singh, and S. Choud- hary, “Federated learning with personalization layers,”arXiv preprint arXiv:1912.00818, 2019
work page internal anchor Pith review Pith/arXiv arXiv 1912
-
[5]
Ditto: Fair and robust federated learning through personalization,
T. Li, S. Hu, A. Beirami, and V . Smith, “Ditto: Fair and robust federated learning through personalization,” inInternational conference on machine learning, pp. 6357–6368, PMLR, 2021. 13
2021
-
[6]
Fedavg with fine tuning: Local updates lead to representation learning,
L. Collins, H. Hassani, A. Mokhtari, and S. Shakkottai, “Fedavg with fine tuning: Local updates lead to representation learning,”Advances in Neural Information Processing Systems, vol. 35, pp. 10572–10586, 2022
2022
-
[7]
Federated learning with non-iid data: A survey,
Z. Lu, H. Pan, Y . Dai, X. Si, and Y . Zhang, “Federated learning with non-iid data: A survey,”IEEE Internet of Things Journal, vol. 11, no. 11, pp. 19188–19209, 2024
2024
-
[8]
Personalized federated learning: A meta-learning approach,
A. Fallah, A. Mokhtari, and A. Ozdaglar, “Personalized federated learning: A meta-learning approach,”arXiv preprint arXiv:2002.07948, 2020
-
[9]
Federated learning of a mixture of global and local models,
F. Hanzely and P. Richt ´arik, “Federated learning of a mixture of global and local models,”arXiv preprint arXiv:2002.05516, 2020
-
[10]
Deep leakage from gradients,
L. Zhu, Z. Liu, and S. Han, “Deep leakage from gradients,”Advances in neural information processing systems, vol. 32, 2019
2019
-
[11]
Beyond inferring class representatives: User-level privacy leakage from federated learning,
Z. Wang, M. Song, Z. Zhang, Y . Song, Q. Wang, and H. Qi, “Beyond inferring class representatives: User-level privacy leakage from federated learning,” inIEEE INFOCOM 2019-IEEE conference on computer communications, pp. 2512–2520, IEEE, 2019
2019
-
[12]
Exploiting unintended feature leakage in collaborative learning,
L. Melis, C. Song, E. De Cristofaro, and V . Shmatikov, “Exploiting unintended feature leakage in collaborative learning,” in2019 IEEE symposium on security and privacy (SP), pp. 691–706, IEEE, 2019
2019
-
[13]
Feature inference attack on model predictions in vertical federated learning,
X. Luo, Y . Wu, X. Xiao, and B. C. Ooi, “Feature inference attack on model predictions in vertical federated learning,” in2021 IEEE 37th international conference on data engineering (ICDE), pp. 181–192, IEEE, 2021
2021
-
[14]
Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,
M. Nasr, R. Shokri, and A. Houmansadr, “Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,” in2019 IEEE symposium on security and privacy (SP), pp. 739–753, IEEE, 2019
2019
-
[15]
Membership inference attacks against machine learning models,
R. Shokri, M. Stronati, C. Song, and V . Shmatikov, “Membership inference attacks against machine learning models,” in2017 IEEE symposium on security and privacy (SP), pp. 3–18, IEEE, 2017
2017
-
[16]
Homomorphic encryption for arithmetic of approximate numbers,
J. H. Cheon, A. Kim, M. Kim, and Y . Song, “Homomorphic encryption for arithmetic of approximate numbers,” inInternational conference on the theory and application of cryptology and information security, pp. 409–437, Springer, 2017
2017
-
[17]
A full rns variant of approximate homomorphic encryption,
J. H. Cheon, K. Han, A. Kim, M. Kim, and Y . Song, “A full rns variant of approximate homomorphic encryption,” inInternational Conference on Selected Areas in Cryptography, pp. 347–368, Springer, 2018
2018
-
[18]
Fed- she: privacy preserving and efficient federated learning with adaptive segmented ckks homomorphic encryption,
Y . Pan, Z. Chao, W. He, Y . Jing, L. Hongjia, and W. Liming, “Fed- she: privacy preserving and efficient federated learning with adaptive segmented ckks homomorphic encryption,”Cybersecurity, vol. 7, no. 1, p. 40, 2024
2024
-
[19]
Efficient federated learning aggregation protocol using approximate homomorphic encryp- tion,
P. Yao, H. Wang, C. Zheng, J. Yang, and L. Wang, “Efficient federated learning aggregation protocol using approximate homomorphic encryp- tion,” in2023 26th international conference on computer supported cooperative work in design (CSCWD), pp. 1884–1889, IEEE, 2023
2023
-
[20]
Privacy preserving federated learning using ckks homomorphic encryption,
F. Qiu, H. Yang, L. Zhou, C. Ma, and L. Fang, “Privacy preserving federated learning using ckks homomorphic encryption,” inInternational conference on wireless algorithms, systems, and applications, pp. 427– 440, Springer, 2022
2022
-
[21]
Lightweight secure aggregation for personalized federated learning with backdoor resistance,
T. Fan, X. Chen, Y . Dong, X. Chen, Y . Xuan, and W. Jing, “Lightweight secure aggregation for personalized federated learning with backdoor resistance,” in2024 Annual Computer Security Applications Conference (ACSAC), pp. 810–825, IEEE, 2024
2024
-
[22]
On ideal lattices and learning with errors over rings,
V . Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices and learning with errors over rings,” inAnnual international conference on the theory and applications of cryptographic techniques, pp. 1–23, Springer, 2010
2010
-
[23]
{BatchCrypt}: Efficient homomorphic encryption for{Cross-Silo}federated learning,
C. Zhang, S. Li, J. Xia, W. Wang, F. Yan, and Y . Liu, “{BatchCrypt}: Efficient homomorphic encryption for{Cross-Silo}federated learning,” in2020 USENIX annual technical conference (USENIX ATC 20), pp. 493–506, 2020
2020
-
[24]
Federated learn- ing: An approach with hybrid homomorphic encryption,
P. Correia, I. Costa, I. Amorim, E. Maia, and I. Prac ¸a, “Federated learn- ing: An approach with hybrid homomorphic encryption,” inEuropean Symposium on Research in Computer Security, pp. 254–273, Springer, 2025
2025
-
[25]
Tenseal: A library for encrypted tensor operations using homomorphic encryption,
A. Benaissa, B. Retiat, B. Cebere, and A. E. Belfedhal, “Tenseal: A library for encrypted tensor operations using homomorphic encryption,” arXiv preprint arXiv:2104.03152, 2021
-
[26]
Homomorphic encryption standard,
M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi, J. Hoffstein, K. Laine, K. Lauter,et al., “Homomorphic encryption standard,” inProtecting privacy through homomorphic en- cryption, pp. 31–62, Springer, 2022
2022
-
[27]
Guidelines for secure process control: Harnessing the power of homomorphic encryption and state feedback control,
M. Furka, M. Kal ´uz, M. Fikar, and M. Klau ˇco, “Guidelines for secure process control: Harnessing the power of homomorphic encryption and state feedback control,”IEEE Access, vol. 11, pp. 110328–110341, 2023
2023
-
[28]
Privacy-preserving similarity calculation of speaker features using fully homomorphic encryption,
Y . Rahulamathavan, “Privacy-preserving similarity calculation of speaker features using fully homomorphic encryption,”arXiv preprint arXiv:2202.07994, 2022
-
[29]
Security guidelines for implementing homomorphic encryption,
J.-P. Bossuat, R. Cammarota, I. Chillotti, B. R. Curtis, W. Dai, H. Gong, E. Hales, D. Kim, B. Kumara, C. Lee,et al., “Security guidelines for implementing homomorphic encryption,”Cryptology ePrint Archive, 2024
2024
-
[30]
Flower: A Friendly Federated Learning Research Framework
D. J. Beutel, T. Topal, A. Mathur, X. Qiu, J. Fernandez-Marques, Y . Gao, L. Sani, K. H. Li, T. Parcollet, P. P. B. De Gusm ˜ao,et al., “Flower: A friendly federated learning research framework,”arXiv preprint arXiv:2007.14390, 2020
work page internal anchor Pith review Pith/arXiv arXiv 2007
-
[31]
Leaf: A benchmark for federated settings,
S. Caldas, S. M. K. Duddu, P. Wu, T. Li, J. Kone ˇcn`y, H. B. McMahan, V . Smith, and A. Talwalkar, “Leaf: A benchmark for federated settings,” arXiv preprint arXiv:1812.01097, 2018
-
[32]
Convolutional neural networks for sentence classification,
Y . Kim, “Convolutional neural networks for sentence classification,” in Proceedings of the 2014 conference on empirical methods in natural language processing (EMNLP), pp. 1746–1751, 2014
2014
-
[33]
Fhebench: Benchmarking fully homomorphic encryption schemes,
L. Jiang and L. Ju, “Fhebench: Benchmarking fully homomorphic encryption schemes,”arXiv preprint arXiv:2203.00728, 2022
-
[34]
Achieve efficient and privacy-preserving disease risk assessment over multi-outsourced verti- cal datasets,
F. Wang, H. Zhu, R. Lu, Y . Zheng, and H. Li, “Achieve efficient and privacy-preserving disease risk assessment over multi-outsourced verti- cal datasets,”IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 3, pp. 1492–1504, 2020
2020
-
[35]
Privacy-enhanced federated learning against poisoning adversaries,
X. Liu, H. Li, G. Xu, Z. Chen, X. Huang, and R. Lu, “Privacy-enhanced federated learning against poisoning adversaries,”IEEE Transactions on Information Forensics and Security, vol. 16, pp. 4574–4588, 2021
2021
-
[36]
Practical secure aggregation for privacy-preserving machine learning,
A. Segal, A. Marcedone, B. Kreuter, D. Ramage, H. B. McMahan, K. Seth, K. Bonawitz, S. Patel, and V . Ivanov, “Practical secure aggregation for privacy-preserving machine learning,”CCS, 2017
2017
-
[37]
Flamingo: Multi-round single-server secure aggregation with applications to private federated learning,
Y . Ma, J. Woods, S. Angel, A. Polychroniadou, and T. Rabin, “Flamingo: Multi-round single-server secure aggregation with applications to private federated learning,” in2023 IEEE Symposium on Security and Privacy (SP), pp. 477–496, IEEE, 2023
2023
-
[38]
Make landscape flatter in differentially private federated learning,
Y . Shi, Y . Liu, K. Wei, L. Shen, X. Wang, and D. Tao, “Make landscape flatter in differentially private federated learning,” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp. 24552–24562, 2023
2023
-
[39]
A hybrid approach to privacy-preserving federated learning,
S. Truex, N. Baracaldo, A. Anwar, T. Steinke, H. Ludwig, R. Zhang, and Y . Zhou, “A hybrid approach to privacy-preserving federated learning,” inProceedings of the 12th ACM workshop on artificial intelligence and security, pp. 1–11, 2019
2019
-
[40]
Privacy-preserved federated learning for autonomous driving,
Y . Li, X. Tao, X. Zhang, J. Liu, and J. Xu, “Privacy-preserved federated learning for autonomous driving,”IEEE Transactions on Intelligent Transportation Systems, vol. 23, no. 7, pp. 8423–8434, 2021
2021
-
[41]
When feder- ated learning meets privacy-preserving computation,
J. Chen, H. Yan, Z. Liu, M. Zhang, H. Xiong, and S. Yu, “When feder- ated learning meets privacy-preserving computation,”ACM Computing Surveys, vol. 56, no. 12, pp. 1–36, 2024
2024
-
[42]
Secureboost: A lossless federated learning framework,
K. Cheng, T. Fan, Y . Jin, Y . Liu, T. Chen, D. Papadopoulos, and Q. Yang, “Secureboost: A lossless federated learning framework,”IEEE intelligent systems, vol. 36, no. 6, pp. 87–98, 2021
2021
-
[43]
Privacy-preserving deep learning via additively homomorphic encryption,
Y . Aono, T. Hayashi, L. Wang, S. Moriai,et al., “Privacy-preserving deep learning via additively homomorphic encryption,”IEEE transac- tions on information forensics and security, vol. 13, no. 5, pp. 1333– 1345, 2017
2017
-
[44]
Secure model fusion for distributed learning using partial homomorphic encryption,
C. Liu, S. Chakraborty, and D. Verma, “Secure model fusion for distributed learning using partial homomorphic encryption,” inPolicy- Based Autonomic Data Governance, pp. 154–179, Springer, 2019
2019
-
[45]
Public-key cryptosystems based on composite degree residu- osity classes,
P. Paillier, “Public-key cryptosystems based on composite degree residu- osity classes,” inInternational conference on the theory and applications of cryptographic techniques, pp. 223–238, Springer, 1999
1999
-
[46]
Fedphe: A secure and efficient federated learning via packed homo- morphic encryption,
Y . Li, N. Yan, J. Chen, X. Wang, J. Hong, K. He, W. Wang, and B. Li, “Fedphe: A secure and efficient federated learning via packed homo- morphic encryption,”IEEE Transactions on Dependable and Secure Computing, 2025
2025
-
[47]
Ckks and local differential privacy based model parameters encryption for personalized federated learning,
F. Shen, L. Hui, Q. Liang, J. Zhang, C. Xu, Y . Chen, and Y . He, “Ckks and local differential privacy based model parameters encryption for personalized federated learning,” in2024 6th International Conference on System Reliability and Safety Engineering (SRSE), pp. 135–143, IEEE, 2024
2024
-
[48]
Personalized federated learning on non-iid data via group-based meta-learning,
L. Yang, J. Huang, W. Lin, and J. Cao, “Personalized federated learning on non-iid data via group-based meta-learning,”ACM Transactions on Knowledge Discovery from Data, vol. 17, no. 4, pp. 1–20, 2023
2023
-
[49]
On the security of homomorphic encryption on approximate numbers,
B. Li and D. Micciancio, “On the security of homomorphic encryption on approximate numbers,” inAnnual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 648–677, Springer, 2021. 14 APPENDIXA PROOF OF PFEDCKKSSECURITY LetLdenote the protocol leakage visible to the server, including the number of participating clients, ...
2021
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.