HADES: Privacy-Preserving Federated Learning via Selective Feature Encryption and Hybrid Model Fusion
Pith reviewed 2026-06-26 07:58 UTC · model grok-4.3
The pith
HADES uses PCA to encrypt only the most privacy-sensitive features in federated learning, then fuses an encrypted sub-network with a plaintext one to match vanilla accuracy while cutting reconstruction attack success and runtime.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
HADES shows that PCA-based selection of features for multiparty homomorphic encryption, combined with simultaneous plaintext training on the unselected features and subsequent model fusion, produces a federated model whose accuracy equals that of vanilla federated learning, whose reconstruction attack vulnerability drops substantially, and whose runtime improves over fully encrypted pipelines.
What carries the argument
The hybrid fusion mechanism that merges an MHE-trained sub-network on PCA-selected features with a plaintext sub-network on the remaining features into one end-to-end model.
If this is right
- Runtime scales with the fraction of features encrypted rather than the full feature set.
- Reconstruction attack success rate falls when only PCA-selected features receive encryption.
- The network-wide packing scheme removes rotations that would otherwise be performed for every layer.
- End-to-end training remains possible without separate post-processing steps after fusion.
Where Pith is reading between the lines
- The same selective-encryption pattern could be tested on tabular medical or financial datasets where only a minority of columns carry sensitive information.
- An adaptive variant might recompute PCA on each round of federated training to track shifting feature importance.
- The fusion step suggests that privacy budgets could be allocated per feature rather than uniformly across the entire input.
Load-bearing premise
PCA reliably ranks features so that encrypting only the highest-ranked ones blocks reconstruction attacks while the fusion step keeps overall accuracy intact.
What would settle it
A reconstruction attack that recovers private data from the selectively encrypted model at the same rate as from a non-encrypted model, or a fused model whose test accuracy falls more than a few percent below the vanilla federated baseline on the same datasets.
Original abstract
In this paper, we address the challenge of privacy-preserving training in federated learning (FL) by introducing a novel framework that selectively encrypts only the most privacy-sensitive features while leaving the remaining data and the corresponding model portion unencrypted. We propose HADES, a hybrid system that identifies and encrypts the most critical features, ensuring both privacy protection and computational efficiency. Unlike fully encrypted FL training pipelines, which suffer from high computational overhead, HADES integrates an encrypted and non-encrypted training pipeline via a fusion mechanism, enabling seamless interaction between encrypted and plaintext model representations. To achieve this, we use PCA to identify and encrypt the most privacy-sensitive features, which significantly reduces reconstruction attack success in FL. Building on this insight, we design a hybrid FL system that trains an end-to-end encrypted network via multiparty homomorphic encryption (MHE) on the selected features while simultaneously training a plaintext network on the remaining features. These two networks are then integrated using a fusion mechanism. We also introduce a general packing scheme that eliminates redundant rotations by considering the entire neural network architecture. Finally, we demonstrate that HADES matches the accuracy of vanilla FL while preserving privacy and achieving optimized runtime through selective encryption.
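The selection step the abstract describes can be sketched as follows. This is an added example, not code from the paper or from this review. The abstract does not say how PCA output is mapped to individual features, so the per-feature score (eigenvalue-weighted squared loadings over the top `k` components), the constructed data, and the variance-share proxy are all assumptions made here.

```python
import math
import random

def make_constructed_data(n=200, seed=7):
    """Constructed sample: features 0-2 share one latent factor, 3-7 are unit noise."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        z = rng.gauss(0, 1)
        rows.append([w * z + rng.gauss(0, 1) for w in (10.0, 8.0, 6.0)]
                    + [rng.gauss(0, 1) for _ in range(5)])
    return rows

def covariance(rows):
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    return [[sum((r[a] - mean[a]) * (r[b] - mean[b]) for r in rows) / (n - 1)
             for b in range(d)] for a in range(d)]

def top_components(cov, k, iters=300):
    """Top-k (eigenvalue, eigenvector) pairs via power iteration with deflation."""
    d = len(cov)
    c = [row[:] for row in cov]
    pairs = []
    for comp in range(k):
        v = [1.0 + 0.1 * ((j + comp) % 3) for j in range(d)]  # fixed start vector
        for _ in range(iters):
            w = [sum(c[a][b] * v[b] for b in range(d)) for a in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(v[a] * c[a][b] * v[b] for a in range(d) for b in range(d))
        pairs.append((lam, v))
        # Deflate: remove the component just found before looking for the next.
        c = [[c[a][b] - lam * v[a] * v[b] for b in range(d)] for a in range(d)]
    return pairs

def split_features(cov, n_encrypt, k=2):
    """Rank features by eigenvalue-weighted squared loadings (assumed score)."""
    d = len(cov)
    pairs = top_components(cov, k)
    scores = [sum(lam * v[j] ** 2 for lam, v in pairs) for j in range(d)]
    ranked = sorted(range(d), key=lambda j: scores[j], reverse=True)
    # First list: features for the encrypted sub-network; second: plaintext.
    return sorted(ranked[:n_encrypt]), sorted(ranked[n_encrypt:])

def plaintext_variance_share(cov, encrypted):
    """Share of total variance left outside the encrypted set (crude proxy)."""
    d = len(cov)
    total = sum(cov[j][j] for j in range(d))
    return sum(cov[j][j] for j in range(d) if j not in encrypted) / total

if __name__ == "__main__":
    cov = covariance(make_constructed_data())
    encrypted, plaintext = split_features(cov, n_encrypt=3)
    print("encrypt with MHE:", encrypted, "train in plaintext:", plaintext)
    print("fraction encrypted:", len(encrypted) / len(cov))
    print("plaintext variance share, PCA split:",
          round(plaintext_variance_share(cov, encrypted), 3))
    print("plaintext variance share, baseline split [3, 4, 5]:",
          round(plaintext_variance_share(cov, [3, 4, 5]), 3))
```

A low plaintext variance share does not by itself show resistance to reconstruction; that still requires an attack-based metric such as reconstruction MSE, measured against a non-PCA selection baseline.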
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes HADES, a hybrid federated learning framework for privacy preservation that applies PCA to identify and selectively encrypt the most privacy-sensitive features using multiparty homomorphic encryption (MHE) while training a parallel plaintext network on the remaining features. These are fused via a hybrid mechanism, and a general packing scheme is introduced to reduce redundant rotations across the neural network architecture. The central claim is that this selective approach matches the accuracy of vanilla FL, substantially reduces reconstruction attack success, and yields runtime gains compared to fully encrypted pipelines.
Significance. If the privacy and accuracy claims are substantiated, the selective-encryption-plus-hybrid-fusion design could offer a practical efficiency improvement over full MHE in FL deployments. The packing scheme, if shown to be architecture-aware and general, would be a concrete technical contribution. The work sits within the standard toolkit of FL privacy techniques but does not yet demonstrate falsifiable privacy metrics or ablation evidence that would elevate its impact.
major comments (2)
- [Abstract] Abstract: the claim that PCA identifies the 'most privacy-sensitive features' such that encrypting only those features 'significantly reduces reconstruction attack success' is load-bearing for the privacy guarantee, yet no attack model, quantitative privacy metric (reconstruction MSE, membership-inference AUC, etc.), or ablation against random/gradient-norm selection is supplied to show that high-variance directions coincide with directions exploitable by reconstruction adversaries.
- [Abstract] Abstract: the hybrid fusion step is asserted to enable 'seamless interaction' and to preserve end-to-end accuracy without loss relative to vanilla FL, but no combined loss function, convergence argument, or derivation for integrating the MHE and plaintext sub-networks is provided; this assumption is load-bearing for the accuracy-matching claim.
minor comments (1)
- The abstract states 'we demonstrate' accuracy parity and runtime gains but supplies no dataset names, baseline comparisons, or result tables; a concise summary of the experimental setup should appear in the abstract or early sections.
Simulated Author's Rebuttal
Thank you for the opportunity to respond to the referee's comments on our manuscript. We address each major comment point by point below and will revise the paper to strengthen the presentation of our claims.
- Referee: [Abstract] Abstract: the claim that PCA identifies the 'most privacy-sensitive features' such that encrypting only those features 'significantly reduces reconstruction attack success' is load-bearing for the privacy guarantee, yet no attack model, quantitative privacy metric (reconstruction MSE, membership-inference AUC, etc.), or ablation against random/gradient-norm selection is supplied to show that high-variance directions coincide with directions exploitable by reconstruction adversaries.
  Authors: We thank the referee for this observation. The manuscript reports experimental results indicating that selective encryption of PCA-identified features reduces reconstruction attack success relative to plaintext baselines. However, we agree that an explicit attack model, specific quantitative metrics (e.g., reconstruction MSE), and ablations versus random or gradient-norm feature selection are not provided. We will revise the manuscript to add a dedicated threat-model section, report the requested quantitative privacy metrics, and include the suggested ablation studies.
  revision: yes
- Referee: [Abstract] Abstract: the hybrid fusion step is asserted to enable 'seamless interaction' and to preserve end-to-end accuracy without loss relative to vanilla FL, but no combined loss function, convergence argument, or derivation for integrating the MHE and plaintext sub-networks is provided; this assumption is load-bearing for the accuracy-matching claim.
  Authors: We acknowledge that the hybrid fusion mechanism is described at a high level without the formal details requested. The current version does not supply the combined loss function, a derivation for integrating the encrypted and plaintext sub-networks, or a convergence argument. We will revise the paper to include these elements, providing the explicit loss formulation and either a theoretical sketch or expanded empirical analysis confirming accuracy preservation.
  revision: yes
Circularity Check
No significant circularity; claims rely on standard techniques without self-referential definitions or reductions.
The paper presents HADES as a design that applies PCA for feature selection, MHE for the encrypted sub-network, and a fusion step for the hybrid model. None of these steps reduce by the paper's own equations or definitions to tautological inputs; PCA is invoked as an off-the-shelf variance-ranking tool, the fusion is described as an integration mechanism, and performance matching vanilla FL is asserted as an empirical outcome rather than a fitted quantity renamed as a prediction. No self-citation chains, uniqueness theorems, or ansatzes smuggled via prior work appear in the provided text. The central premises are therefore independent design choices whose validity can be checked against external benchmarks (attack success rates, accuracy deltas) without internal circularity.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: PCA identifies the most privacy-sensitive features for encryption
- domain assumption: The fusion mechanism integrates encrypted and plaintext representations without information leakage or accuracy loss
invented entities (1)
- general packing scheme for neural network architecture (no independent evidence)