Secure Aggregation: A Deep Dive into Threshold Homomorphic Encryption

by

Author: Denis Avetisyan

This review examines how threshold homomorphic encryption is enabling privacy-preserving average aggregation in distributed learning environments.

A protocol enables the private aggregation of data, ensuring confidentiality during the collaborative computation of averages.
A protocol enables the private aggregation of data, ensuring confidentiality during the collaborative computation of averages.

Analyzing the trade-offs of threshold HE schemes – including CKKS – for secure multi-party computation and federated learning applications.

While federated learning offers a pathway to collaborative model training without direct data sharing, ensuring the privacy of individual contributions during aggregation remains a significant challenge. This paper, ‘A Critical Look into Threshold Homomorphic Encryption for Private Average Aggregation’, critically examines the practical security and performance of threshold homomorphic encryption (HE) schemes-particularly those based on the Ring Learning With Errors problem-when applied to this key operation. Our analysis reveals that standard implementations can be vulnerable under realistic threat models, yet judicious use of techniques like smudging noise, alongside careful consideration of scheme variants such as CKKS and BFV, can mitigate these risks and achieve comparable performance. Ultimately, how can we best balance the competing demands of privacy, precision, and efficiency in increasingly complex federated learning deployments?

The Privacy Paradox of Collaborative Intelligence

Federated learning presents a paradigm shift in machine learning, allowing models to be trained across decentralized datasets – such as those residing on individual smartphones or within hospitals – without the explicit exchange of data itself. While this approach drastically reduces privacy concerns associated with centralized data collection, it doesn’t eliminate them entirely. Subtle information about the underlying data can still be inferred from the model updates shared during the training process – a vulnerability known as inference attacks. These attacks exploit the patterns within these updates to reconstruct sensitive attributes, potentially revealing individual-level information. Consequently, despite avoiding direct data sharing, federated learning systems require robust supplementary privacy mechanisms to truly safeguard user data and build trust in this increasingly important collaborative technique.

Current privacy-preserving techniques in collaborative learning often face a fundamental trade-off: strengthening data protection can significantly diminish the usefulness of the resulting model. While methods like differential privacy add noise to safeguard individual contributions, excessive noise obscures crucial patterns, hindering the model’s ability to generalize effectively. Similarly, techniques focusing on secure multi-party computation, though robust against certain attacks, introduce substantial computational overhead, slowing down training and limiting scalability. This delicate balance arises because inference attacks – where adversaries attempt to reconstruct sensitive information from model updates – exploit even subtle correlations within the shared parameters. Consequently, achieving truly robust privacy necessitates innovative approaches that can simultaneously minimize information leakage and preserve the statistical power needed for accurate and reliable machine learning.

The future scalability of federated learning hinges on the development of more nuanced privacy-enhancing technologies. While FL avoids direct data exchange, subtle information leakage through model updates remains a significant concern, leaving systems vulnerable to sophisticated inference attacks that could reveal sensitive details about individual training data. Current cryptographic solutions, such as differential privacy and secure multi-party computation, often present a trade-off between privacy guarantees and model accuracy – a limitation that hinders practical deployment in complex machine learning tasks. Consequently, research is actively focused on techniques that minimize this performance penalty, including advanced encryption schemes, homomorphic encryption variations, and novel methods for perturbing model updates without sacrificing utility, ultimately paving the way for broader adoption and trust in collaborative AI systems.

Despite the promise of federated learning, inherent limitations in current methodologies expose participating data to significant vulnerabilities. While avoiding direct data exchange, the iterative process of sharing model updates can still leak sensitive information through techniques like membership inference and attribute reconstruction. These inference attacks exploit patterns within the exchanged parameters to deduce details about individual data points used in training. Consequently, a growing need exists for advanced cryptographic solutions, including differential privacy, homomorphic encryption, and secure multi-party computation. These technologies aim to obfuscate individual contributions to the model, ensuring that updates reveal minimal information about the underlying data while preserving model utility. Implementing such robust defenses is not merely a technical challenge, but a critical requirement for building trust and fostering widespread adoption of collaborative machine learning systems.

The federated learning protocol enables collaborative model training across decentralized devices without directly exchanging data.
The federated learning protocol enables collaborative model training across decentralized devices without directly exchanging data.

Homomorphic Encryption: Computation in the Shadows

Homomorphic Encryption (HE) is a form of encryption that allows for computations to be performed directly on ciphertext – encrypted data – without requiring prior decryption. This is achieved through encryption schemes designed such that specific mathematical operations performed on the ciphertext yield results that, when decrypted, match the result of performing the same operations on the plaintext. Unlike traditional encryption where data must be decrypted before processing, HE maintains data confidentiality throughout the computation. The functional result of f(E(x), E(y)) = E(f(x,y)) is central to this process, where E denotes the encryption function and f is a function. This capability is fundamental for privacy-preserving data analysis, secure cloud computing, and other applications where data confidentiality is paramount during processing.

Additive Homomorphic Encryption (AHE) is a primitive form of homomorphic encryption that supports only addition operations on ciphertext without requiring decryption. This functionality stems from the encryption scheme’s algebraic properties; when encrypted data is added, the resulting ciphertext corresponds to the sum of the original plaintexts. Formally, if Enc(x) and Enc(y) represent the encryption of values x and y, respectively, then Enc(x) + Enc(y) = Enc(x + y). While AHE provides a basic level of data privacy during computation, its limited functionality – only supporting addition – restricts its application to scenarios involving solely additive operations and does not protect against more complex computations or data analysis techniques. It serves as a foundational building block for more advanced, fully homomorphic encryption schemes.

Threshold Homomorphic Encryption (HE) enhances security and fault tolerance by distributing the decryption key into multiple shares, requiring a quorum of these shares to reconstruct the original key. This contrasts with traditional HE schemes where a single key holder can decrypt all data. Specifically, a threshold scheme denoted as t-out-of-n requires at least t shares to perform decryption, while tolerating up to n-t compromised or unavailable shares. This distribution mitigates the risk of a single point of failure and protects against malicious actors compromising the entire decryption process, as obtaining fewer than t shares yields no information about the underlying plaintext. The number of shares n and the threshold t are critical parameters, balancing security with availability and computational overhead.

Multiparty Homomorphic Encryption (MPHE) extends the security features of Threshold HE by allowing multiple parties to jointly compute a function on their private inputs without revealing those inputs to each other or to any single party. In Threshold HE, the decryption key is split, requiring a threshold number of parties to cooperate for decryption; MPHE leverages this shared key infrastructure to perform computations directly on encrypted shares. Each party encrypts their input, and computations are performed homomorphically on these ciphertexts. The result remains encrypted and is shared among the parties, who then collaboratively decrypt it using their key shares, yielding the final result without any individual party ever having access to the complete, unencrypted data of others or the intermediate results of the computation. This approach ensures both confidentiality and privacy during collaborative data analysis or processing.

Foundations of Secure Computation: BFV and CKKS

Both the Brakerski/Fan-Vercauteren (BFV) and Cheon-Kim-Kim-Song (CKKS) schemes are implementations of Threshold Homomorphic Encryption (THE) built upon the Ring Learning with Errors (RLWE) problem, but they diverge in their operational capabilities and performance characteristics. BFV is designed for exact integer arithmetic and Boolean operations, making it suitable for applications requiring precise computations with integer data. Conversely, CKKS facilitates approximate arithmetic with real or complex numbers, utilizing fixed-point arithmetic, and is better suited for machine learning and data analysis tasks where a degree of error is acceptable. This functional difference directly impacts performance; CKKS can often achieve comparable or superior speed to BFV when the parameter B_{MP} satisfies the condition B_{MP} > (2ΔB_m - t^2) / (2(t-1)), although the optimal choice depends on the specific application requirements and parameter configuration.

Both the Brakerski/Fan-Vercauteren (BFV) and Cheon-Kim-Kim-Song (CKKS) threshold homomorphic encryption schemes are predicated on the hardness of the Ring Learning with Errors (RLWE) problem. RLWE is a lattice-based cryptographic assumption that posits the difficulty of distinguishing between random ring elements and elements generated by adding error noise to a secret key multiplied by a polynomial. Specifically, given a polynomial x \in R_q^n and a noise vector e \in R_q^n, the RLWE problem involves determining whether the pair (x, a \cdot x + e) is distinguishable from a uniformly random pair. The security of BFV and CKKS directly relies on the computational intractability of solving RLWE for appropriately chosen ring dimension n, modulus q, and noise distribution, providing a quantifiable security basis for these schemes against various attacks.

Formal security proofs for both the BFV and CKKS threshold homomorphic encryption schemes establish their resistance to chosen-plaintext attacks (CPA). Specifically, these schemes have been proven to be indistinguishable under CPA (IND-CPA) and, in a more demanding model, indistinguishable under adaptive chosen-plaintext attacks (IND-CPAD). These proofs rely on the hardness of the underlying Ring Learning with Errors (RLWE) problem; if an attacker could break the IND-CPA or IND-CPAD security of BFV or CKKS, it would also imply a solution to the RLWE problem. The security reductions provide quantifiable bounds on the advantage an attacker might gain, demonstrating a negligible probability of successful attack when appropriately sized parameters are used.

Security in Threshold Homomorphic Encryption (HE) schemes like BFV and CKKS is enhanced through techniques such as Smudging Noise, which obfuscates sensitive data and mitigates potential leakage. Performance analysis reveals that CKKS can achieve comparable or superior performance to BFV when the parameter B_{MP} satisfies the condition B_{MP} > (2ΔB_m - t^2) / (2(t-1)). Ciphertext expansion is directly related to the security parameters λ, L, and the threshold parameter t. Correct decryption necessitates specific parameter constraints; for BFV, B_{MP} < q/2t - t/2 must hold, while for CKKS, the condition is ΔB_m + B_{MP} < q/2, where q represents the modulus.

Performance comparisons reveal that <span class="katex-eq" data-katex-display="false">\mathsf{MBFV}</span> consistently outperforms <span class="katex-eq" data-katex-display="false">\mathsf{MCKKS}</span> across a range of <span class="katex-eq" data-katex-display="false">LL</span> values.
Performance comparisons reveal that \mathsf{MBFV} consistently outperforms \mathsf{MCKKS} across a range of LL values.

The Dawn of Collaborative Trust: Applications and Future Directions

Multiparty Homomorphic Encryption (HE) represents a significant advancement in Cross-Silo Federated Learning, directly addressing concerns about data privacy during the crucial aggregation phase. This technique allows multiple parties to collaboratively compute a function – in this case, a global model update – on their private data without ever revealing the data itself. Each participant encrypts their local model updates using HE, and a central server aggregates these encrypted updates. The result remains encrypted, ensuring that no single entity can access individual contributions. Only the final, aggregated model is decrypted, providing a secure and privacy-preserving mechanism for collaborative machine learning. This approach is particularly valuable when dealing with sensitive datasets, as it minimizes the risk of data breaches and maintains the confidentiality of each participant’s information while still enabling the benefits of collective learning.

The synergistic combination of Multiparty Homomorphic Encryption (HE) and Differential Privacy represents a significant leap forward in safeguarding data privacy within federated learning systems. While Multiparty HE enables computations on encrypted data, preventing direct access to individual participant contributions, it doesn’t entirely eliminate the risk of information leakage through subtle patterns in the aggregated results. Differential Privacy addresses this by intentionally adding carefully calibrated noise to the computation, obscuring the influence of any single data point. This combined approach doesn’t simply add layers of security; it creates a robust defense where the strengths of each technique compensate for the limitations of the other, providing quantifiable and provable privacy guarantees. The resulting system ensures that even with access to the final aggregated outcome, it remains statistically impossible to infer sensitive information about any individual participant’s data, bolstering trust and encouraging broader participation in collaborative data analysis.

The foundation of trust in secure multiparty computation, particularly within federated learning environments, rests upon the establishment of a Common Reference String (CRS). This CRS is not merely a shared secret, but a publicly known string generated through a robust and verifiable process, ensuring no single participant can manipulate the computation. It acts as a binding commitment, allowing all parties to confidently engage in secure aggregation without revealing their individual data. The integrity of the CRS is paramount; any compromise would invalidate the security guarantees. Therefore, sophisticated cryptographic protocols, often involving secure multiparty computation itself, are employed to generate and distribute this string, establishing a shared, verifiable basis for trust and enabling accurate, private computation across distributed datasets.

The convergence of secure multi-party computation and federated learning holds significant promise for traditionally risk-averse sectors like healthcare and finance. Previously hampered by data privacy regulations and the need to maintain confidentiality, these industries can now leverage the power of collaborative machine learning without directly sharing sensitive patient records or financial details. This shift enables the development of more accurate diagnostic tools, personalized treatment plans, and fraud detection systems, all while upholding the highest standards of data security and regulatory compliance. Consequently, institutions are increasingly poised to explore and implement federated learning solutions, fostering innovation and delivering enhanced services previously unattainable due to privacy concerns.

The pursuit of secure aggregation, as detailed in the study of threshold homomorphic encryption, inherently demands a reduction of complexity. The core challenge lies in balancing cryptographic rigor with practical efficiency. This mirrors a fundamental design principle: eliminate extraneous layers to reveal the essential function. Vinton Cerf aptly stated, “The Internet treats everyone the same, and that’s its strength.” Similarly, approximate homomorphic encryption schemes, such as CKKS, represent a simplification – a conscious removal of absolute precision to achieve a functional, scalable solution for private federated learning. The elegance resides not in unattainable perfection, but in the clarity of a purposefully restrained system.

What’s Next?

The pursuit of privately aggregated data, as examined within this work, continually reveals the brittleness of idealized solutions. Current threshold homomorphic encryption schemes, while conceptually elegant, remain burdened by computational overhead. The observed trade-offs between precision and efficiency are not merely engineering challenges; they represent fundamental limits imposed by the mathematics itself. Future inquiry must prioritize the systematic reduction of these limits, perhaps through novel algorithmic constructions or a re-evaluation of acceptable error bounds.

The increasing adoption of approximate homomorphic encryption, exemplified by CKKS, suggests a pragmatic shift. However, this acceptance necessitates a rigorous understanding of accumulated error propagation. A comprehensive framework for quantifying and controlling this error-not merely as a statistical artifact, but as an intrinsic property of the computation-is critical. Unnecessary precision is violence against attention; the field must embrace calibrated approximations.

Ultimately, the long-term trajectory of this research will depend on a willingness to abandon the notion of ‘perfect’ privacy. Density of meaning is the new minimalism. The goal is not to achieve absolute secrecy, but to minimize information leakage to the point of practical irrelevance. This requires a shift in focus from theoretical guarantees to empirical risk assessments, acknowledging that security is not a binary state, but a continuously negotiated compromise.

Original article: https://arxiv.org/pdf/2602.22037.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

See also:

2026-02-27 06:07