pith. sign in

arxiv: 2606.08521 · v1 · pith:STMA7GBDnew · submitted 2026-06-07 · 💻 cs.CR

Exploring CKKS Parameter Trade-offs for Privacy-Preserving Personalized Federated Learning

Pith reviewed 2026-06-27 18:06 UTC · model grok-4.3

classification 💻 cs.CR
keywords CKKShomomorphic encryptionpersonalized federated learningparameter selectionprivacy preservationfederated learningtrade-offsencrypted aggregation
0
0 comments X

The pith

CKKS parameter selection for privacy-preserving personalized federated learning reduces to choosing only the inner and outer ciphertext primes under 128-bit security.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that integrating the CKKS homomorphic encryption scheme into personalized federated learning requires deriving a complete set of parameter constraints to meet 128-bit security while handling model update noise. This matters because prior work offered no guidance, forcing practitioners to guess at settings that affect both privacy and efficiency. By showing the choices collapse to two specific prime values, the work supplies a concrete starting point for deployments. Experiments with standard PFL algorithms on image and text datasets then map out how those choices trade precision against computation and communication overhead.

Core claim

We derive the full CKKS parameter constraints under 128-bit security for the PFL setting, showing the selection problem reduces to choosing just two values: the inner and outer ciphertext prime. Implemented using the Flower framework and TenSEAL library, pFedCKKS is evaluated on the FEMNIST, CelebA and Sentiment140 datasets with FedFinetune, Ditto and FedPer which represents PFL algorithms. Experimental results reveal an empirical trade-off between precision and computational/communication costs. This allows us to draw a concrete guideline for selecting proper CKKS parameters that balance efficiency and accuracy in real-world deployments of pFedCKKS.

What carries the argument

The derivation of full CKKS parameter constraints under 128-bit security for the PFL setting, which reduces the selection problem to the inner and outer ciphertext primes.

If this is right

  • Practitioners need only select the inner and outer ciphertext primes to satisfy the full set of CKKS constraints at 128-bit security for PFL.
  • An empirical trade-off appears between numerical precision of the encrypted updates and the resulting computational and communication costs.
  • Concrete guidelines emerge for choosing parameters that keep accuracy acceptable in deployments of pFedCKKS on datasets such as FEMNIST, CelebA, and Sentiment140.
  • The same framework applies across multiple PFL algorithms including FedFinetune, Ditto, and FedPer without further scheme changes.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The reduction to two primes may simplify parameter tuning in other homomorphic-encryption-based federated settings that share similar noise profiles.
  • If the same constraint pattern holds at different security levels, the approach could be reused without re-deriving the entire constraint set.
  • Testing the guidelines on models with higher dimensionality than the evaluated datasets would check whether the two-prime rule remains sufficient.

Load-bearing premise

The PFL model update structures and noise accumulation fit within standard CKKS noise management bounds without requiring scheme modifications or additional security adjustments beyond the 128-bit target.

What would settle it

A PFL algorithm or dataset whose model updates produce noise levels that exceed the derived CKKS bounds while still claiming 128-bit security, or that forces the parameter space to involve more than the two ciphertext primes.

Figures

Figures reproduced from arXiv: 2606.08521 by Kamolchanok Saengtong, Norrathep Rattanavipanon, Phanwadee Sinthong.

Figure 1
Figure 1. Figure 1: Federated Learning (FL) vs Personalized Federated [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: The workflow of pFedCKKS We present pFedCKKS, a generic framework that integrates CKKS into PFL to provide privacy protection against an honest-but-curious server. pFedCKKS operates in two main phases: setup and training. In the setup phase, following Section III-B, a leader is selected to generate pk, sk, and evk. The leader then distributes pk, sk, and evk to all clients, while only pk and evk are shared… view at source ↗
Figure 3
Figure 3. Figure 3: pFedCKKS’s bandwidth usage (absolute value on the left y-axis) and its overhead w.r.t. the baseline (percentage on [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Runtime usage of pFedCKKS with various inner and outer prime values (in bits). Each line corresponds to a different [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: L1 error (accuracy deviation) of pFedCKKS under various inner and outer prime bits across FEMNIST, CelebA, and [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Model accuracy across different numbers of communication rounds when pFedCKKS is instantiated with a fixed 40-bit [PITH_FULL_IMAGE:figures/full_fig_p012_6.png] view at source ↗
read the original abstract

Privacy-preserving Personalized Federated Learning (PFL) enables clients to collaboratively train personalized models without exposing raw data, but exchanged model updates remain vulnerable to inference attacks from honest-but-curious servers. Homomorphic Encryption (HE) addresses this by allowing server-side aggregation directly on encrypted updates, with the CKKS scheme being particularly suitable due to its native support for approximate floating-point arithmetic. However, no prior work has examined how to configure CKKS for PFL deployments, leaving practitioners without principled guidance on parameter selection that directly affects privacy, precision, and computational cost. This paper presents pFedCKKS, a generic framework integrating CKKS into PFL, and provides the first systematic parameter selection guide for practitioners. We derive the full CKKS parameter constraints under 128-bit security for the PFL setting, showing the selection problem reduces to choosing just two values: the inner and outer ciphertext prime. Implemented using the Flower framework and TenSEAL library, pFedCKKS is evaluated on the FEMNIST, CelebA and Sentiment140 datasets with FedFinetune, Ditto and FedPer which represents PFL algorithms. Experimental results reveal an empirical trade-off between precision and computational/communication costs. This allows us to draw a concrete guideline for selecting proper CKKS parameters that balance efficiency and accuracy in real-world deployments of pFedCKKS.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper introduces pFedCKKS, a framework for integrating the CKKS homomorphic encryption scheme into privacy-preserving personalized federated learning (PFL). It derives the full CKKS parameter constraints under 128-bit security, reducing the selection to choosing the inner and outer ciphertext primes. The framework is implemented using Flower and TenSEAL and evaluated on FEMNIST, CelebA, and Sentiment140 datasets with FedFinetune, Ditto, and FedPer PFL algorithms, demonstrating empirical trade-offs between precision and computational/communication costs to provide selection guidelines.

Significance. If the derivation of the parameter constraints is correct and the PFL operations fit within standard CKKS noise bounds, this provides the first systematic guidance for CKKS parameter selection in PFL deployments. The experimental results on multiple datasets and algorithms offer practical insights into the precision-efficiency trade-offs, which could aid practitioners in balancing privacy, accuracy, and performance in real-world applications. The use of standard libraries like Flower and TenSEAL enhances reproducibility.

major comments (1)
  1. [Abstract (parameter derivation paragraph)] Abstract (parameter derivation paragraph): The claim that the selection problem reduces to choosing just two values (inner and outer ciphertext prime) under 128-bit security relies on PFL model update structures and noise accumulation fitting within standard CKKS noise management bounds without scheme modifications. However, the multi-round aggregation in PFL algorithms may introduce cumulative noise effects or additional terms from personalization steps that are not accounted for in the standard analysis, potentially invalidating the two-prime reduction while maintaining both security and correctness.
minor comments (2)
  1. [Experimental evaluation] The results do not mention error bars, exclusion criteria, or baseline comparisons, which makes it difficult to assess the robustness of the observed trade-offs.
  2. [Implementation] Details on how the CKKS parameters are set in the TenSEAL library for the specific PFL algorithms could be expanded for better reproducibility.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive feedback on our manuscript. We address the major comment point by point below.

read point-by-point responses
  1. Referee: The claim that the selection problem reduces to choosing just two values (inner and outer ciphertext prime) under 128-bit security relies on PFL model update structures and noise accumulation fitting within standard CKKS noise management bounds without scheme modifications. However, the multi-round aggregation in PFL algorithms may introduce cumulative noise effects or additional terms from personalization steps that are not accounted for in the standard analysis, potentially invalidating the two-prime reduction while maintaining both security and correctness.

    Authors: We thank the referee for this observation. Our derivation in Section 3 of the manuscript explicitly incorporates the multi-round aggregation structure of PFL by bounding the cumulative noise growth across communication rounds under standard CKKS rescaling and modulus switching, while ensuring the parameters satisfy both 128-bit security and the required noise budget for correct decryption. The personalization steps in FedFinetune, Ditto, and FedPer occur locally on the client after decryption and introduce no additional terms to the homomorphic aggregation noise. This analysis supports the reduction to the two prime choices. To improve clarity on this point, we will add an explicit paragraph discussing cumulative noise in the revised Section 3 and update the abstract accordingly. revision: partial

Circularity Check

0 steps flagged

No circularity: parameter reduction follows from standard CKKS security and noise analysis

full rationale

The paper's central claim is a derivation of CKKS parameter constraints under 128-bit security that reduces selection to inner/outer primes for the PFL setting. The abstract and reader's summary present this as following from security constraints and standard noise bounds without any indication that the reduction is obtained by fitting to data, self-definition, or load-bearing self-citation. No equations or steps in the provided text equate the output to the input by construction, and the derivation is described as independent of the target result. This is the normal case of a self-contained first-principles analysis.

Axiom & Free-Parameter Ledger

2 free parameters · 2 axioms · 0 invented entities

Based solely on abstract, the ledger captures the two remaining free choices after derivation plus standard domain assumptions about CKKS suitability and security level; no invented entities are described.

free parameters (2)
  • inner ciphertext prime
    One of the two values to which the full parameter selection reduces under 128-bit security constraints for PFL.
  • outer ciphertext prime
    One of the two values to which the full parameter selection reduces under 128-bit security constraints for PFL.
axioms (2)
  • domain assumption CKKS scheme is suitable for approximate floating-point arithmetic in model updates
    Stated directly in abstract as the reason for choosing CKKS.
  • domain assumption 128-bit security is the required target for parameter derivation in PFL
    Used as the security level for deriving the full constraints.

pith-pipeline@v0.9.1-grok · 5783 in / 1431 out tokens · 31363 ms · 2026-06-27T18:06:28.118868+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

49 extracted references · 9 canonical work pages · 3 internal anchors

  1. [1]

    Communication-efficient learning of deep networks from decentralized data,

    B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” inArtificial intelligence and statistics, pp. 1273–1282, PMLR, 2017

  2. [2]

    Federated Learning with Non-IID Data

    Y . Zhao, M. Li, L. Lai, N. Suda, D. Civin, and V . Chandra, “Federated learning with non-iid data,”arXiv preprint arXiv:1806.00582, 2018

  3. [3]

    Towards personalized federated learning,

    A. Z. Tan, H. Yu, L. Cui, and Q. Yang, “Towards personalized federated learning,”IEEE transactions on neural networks and learning systems, vol. 34, no. 12, pp. 9587–9603, 2022

  4. [4]

    Federated Learning with Personalization Layers

    M. G. Arivazhagan, V . Aggarwal, A. K. Singh, and S. Choud- hary, “Federated learning with personalization layers,”arXiv preprint arXiv:1912.00818, 2019

  5. [5]

    Ditto: Fair and robust federated learning through personalization,

    T. Li, S. Hu, A. Beirami, and V . Smith, “Ditto: Fair and robust federated learning through personalization,” inInternational conference on machine learning, pp. 6357–6368, PMLR, 2021. 13

  6. [6]

    Fedavg with fine tuning: Local updates lead to representation learning,

    L. Collins, H. Hassani, A. Mokhtari, and S. Shakkottai, “Fedavg with fine tuning: Local updates lead to representation learning,”Advances in Neural Information Processing Systems, vol. 35, pp. 10572–10586, 2022

  7. [7]

    Federated learning with non-iid data: A survey,

    Z. Lu, H. Pan, Y . Dai, X. Si, and Y . Zhang, “Federated learning with non-iid data: A survey,”IEEE Internet of Things Journal, vol. 11, no. 11, pp. 19188–19209, 2024

  8. [8]

    Personalized federated learning: A meta-learning approach,

    A. Fallah, A. Mokhtari, and A. Ozdaglar, “Personalized federated learning: A meta-learning approach,”arXiv preprint arXiv:2002.07948, 2020

  9. [9]

    Federated learning of a mixture of global and local models,

    F. Hanzely and P. Richt ´arik, “Federated learning of a mixture of global and local models,”arXiv preprint arXiv:2002.05516, 2020

  10. [10]

    Deep leakage from gradients,

    L. Zhu, Z. Liu, and S. Han, “Deep leakage from gradients,”Advances in neural information processing systems, vol. 32, 2019

  11. [11]

    Beyond inferring class representatives: User-level privacy leakage from federated learning,

    Z. Wang, M. Song, Z. Zhang, Y . Song, Q. Wang, and H. Qi, “Beyond inferring class representatives: User-level privacy leakage from federated learning,” inIEEE INFOCOM 2019-IEEE conference on computer communications, pp. 2512–2520, IEEE, 2019

  12. [12]

    Exploiting unintended feature leakage in collaborative learning,

    L. Melis, C. Song, E. De Cristofaro, and V . Shmatikov, “Exploiting unintended feature leakage in collaborative learning,” in2019 IEEE symposium on security and privacy (SP), pp. 691–706, IEEE, 2019

  13. [13]

    Feature inference attack on model predictions in vertical federated learning,

    X. Luo, Y . Wu, X. Xiao, and B. C. Ooi, “Feature inference attack on model predictions in vertical federated learning,” in2021 IEEE 37th international conference on data engineering (ICDE), pp. 181–192, IEEE, 2021

  14. [14]

    Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,

    M. Nasr, R. Shokri, and A. Houmansadr, “Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,” in2019 IEEE symposium on security and privacy (SP), pp. 739–753, IEEE, 2019

  15. [15]

    Membership inference attacks against machine learning models,

    R. Shokri, M. Stronati, C. Song, and V . Shmatikov, “Membership inference attacks against machine learning models,” in2017 IEEE symposium on security and privacy (SP), pp. 3–18, IEEE, 2017

  16. [16]

    Homomorphic encryption for arithmetic of approximate numbers,

    J. H. Cheon, A. Kim, M. Kim, and Y . Song, “Homomorphic encryption for arithmetic of approximate numbers,” inInternational conference on the theory and application of cryptology and information security, pp. 409–437, Springer, 2017

  17. [17]

    A full rns variant of approximate homomorphic encryption,

    J. H. Cheon, K. Han, A. Kim, M. Kim, and Y . Song, “A full rns variant of approximate homomorphic encryption,” inInternational Conference on Selected Areas in Cryptography, pp. 347–368, Springer, 2018

  18. [18]

    Fed- she: privacy preserving and efficient federated learning with adaptive segmented ckks homomorphic encryption,

    Y . Pan, Z. Chao, W. He, Y . Jing, L. Hongjia, and W. Liming, “Fed- she: privacy preserving and efficient federated learning with adaptive segmented ckks homomorphic encryption,”Cybersecurity, vol. 7, no. 1, p. 40, 2024

  19. [19]

    Efficient federated learning aggregation protocol using approximate homomorphic encryp- tion,

    P. Yao, H. Wang, C. Zheng, J. Yang, and L. Wang, “Efficient federated learning aggregation protocol using approximate homomorphic encryp- tion,” in2023 26th international conference on computer supported cooperative work in design (CSCWD), pp. 1884–1889, IEEE, 2023

  20. [20]

    Privacy preserving federated learning using ckks homomorphic encryption,

    F. Qiu, H. Yang, L. Zhou, C. Ma, and L. Fang, “Privacy preserving federated learning using ckks homomorphic encryption,” inInternational conference on wireless algorithms, systems, and applications, pp. 427– 440, Springer, 2022

  21. [21]

    Lightweight secure aggregation for personalized federated learning with backdoor resistance,

    T. Fan, X. Chen, Y . Dong, X. Chen, Y . Xuan, and W. Jing, “Lightweight secure aggregation for personalized federated learning with backdoor resistance,” in2024 Annual Computer Security Applications Conference (ACSAC), pp. 810–825, IEEE, 2024

  22. [22]

    On ideal lattices and learning with errors over rings,

    V . Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices and learning with errors over rings,” inAnnual international conference on the theory and applications of cryptographic techniques, pp. 1–23, Springer, 2010

  23. [23]

    {BatchCrypt}: Efficient homomorphic encryption for{Cross-Silo}federated learning,

    C. Zhang, S. Li, J. Xia, W. Wang, F. Yan, and Y . Liu, “{BatchCrypt}: Efficient homomorphic encryption for{Cross-Silo}federated learning,” in2020 USENIX annual technical conference (USENIX ATC 20), pp. 493–506, 2020

  24. [24]

    Federated learn- ing: An approach with hybrid homomorphic encryption,

    P. Correia, I. Costa, I. Amorim, E. Maia, and I. Prac ¸a, “Federated learn- ing: An approach with hybrid homomorphic encryption,” inEuropean Symposium on Research in Computer Security, pp. 254–273, Springer, 2025

  25. [25]

    Tenseal: A library for encrypted tensor operations using homomorphic encryption,

    A. Benaissa, B. Retiat, B. Cebere, and A. E. Belfedhal, “Tenseal: A library for encrypted tensor operations using homomorphic encryption,” arXiv preprint arXiv:2104.03152, 2021

  26. [26]

    Homomorphic encryption standard,

    M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi, J. Hoffstein, K. Laine, K. Lauter,et al., “Homomorphic encryption standard,” inProtecting privacy through homomorphic en- cryption, pp. 31–62, Springer, 2022

  27. [27]

    Guidelines for secure process control: Harnessing the power of homomorphic encryption and state feedback control,

    M. Furka, M. Kal ´uz, M. Fikar, and M. Klau ˇco, “Guidelines for secure process control: Harnessing the power of homomorphic encryption and state feedback control,”IEEE Access, vol. 11, pp. 110328–110341, 2023

  28. [28]

    Privacy-preserving similarity calculation of speaker features using fully homomorphic encryption,

    Y . Rahulamathavan, “Privacy-preserving similarity calculation of speaker features using fully homomorphic encryption,”arXiv preprint arXiv:2202.07994, 2022

  29. [29]

    Security guidelines for implementing homomorphic encryption,

    J.-P. Bossuat, R. Cammarota, I. Chillotti, B. R. Curtis, W. Dai, H. Gong, E. Hales, D. Kim, B. Kumara, C. Lee,et al., “Security guidelines for implementing homomorphic encryption,”Cryptology ePrint Archive, 2024

  30. [30]

    Flower: A Friendly Federated Learning Research Framework

    D. J. Beutel, T. Topal, A. Mathur, X. Qiu, J. Fernandez-Marques, Y . Gao, L. Sani, K. H. Li, T. Parcollet, P. P. B. De Gusm ˜ao,et al., “Flower: A friendly federated learning research framework,”arXiv preprint arXiv:2007.14390, 2020

  31. [31]

    Leaf: A benchmark for federated settings,

    S. Caldas, S. M. K. Duddu, P. Wu, T. Li, J. Kone ˇcn`y, H. B. McMahan, V . Smith, and A. Talwalkar, “Leaf: A benchmark for federated settings,” arXiv preprint arXiv:1812.01097, 2018

  32. [32]

    Convolutional neural networks for sentence classification,

    Y . Kim, “Convolutional neural networks for sentence classification,” in Proceedings of the 2014 conference on empirical methods in natural language processing (EMNLP), pp. 1746–1751, 2014

  33. [33]

    Fhebench: Benchmarking fully homomorphic encryption schemes,

    L. Jiang and L. Ju, “Fhebench: Benchmarking fully homomorphic encryption schemes,”arXiv preprint arXiv:2203.00728, 2022

  34. [34]

    Achieve efficient and privacy-preserving disease risk assessment over multi-outsourced verti- cal datasets,

    F. Wang, H. Zhu, R. Lu, Y . Zheng, and H. Li, “Achieve efficient and privacy-preserving disease risk assessment over multi-outsourced verti- cal datasets,”IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 3, pp. 1492–1504, 2020

  35. [35]

    Privacy-enhanced federated learning against poisoning adversaries,

    X. Liu, H. Li, G. Xu, Z. Chen, X. Huang, and R. Lu, “Privacy-enhanced federated learning against poisoning adversaries,”IEEE Transactions on Information Forensics and Security, vol. 16, pp. 4574–4588, 2021

  36. [36]

    Practical secure aggregation for privacy-preserving machine learning,

    A. Segal, A. Marcedone, B. Kreuter, D. Ramage, H. B. McMahan, K. Seth, K. Bonawitz, S. Patel, and V . Ivanov, “Practical secure aggregation for privacy-preserving machine learning,”CCS, 2017

  37. [37]

    Flamingo: Multi-round single-server secure aggregation with applications to private federated learning,

    Y . Ma, J. Woods, S. Angel, A. Polychroniadou, and T. Rabin, “Flamingo: Multi-round single-server secure aggregation with applications to private federated learning,” in2023 IEEE Symposium on Security and Privacy (SP), pp. 477–496, IEEE, 2023

  38. [38]

    Make landscape flatter in differentially private federated learning,

    Y . Shi, Y . Liu, K. Wei, L. Shen, X. Wang, and D. Tao, “Make landscape flatter in differentially private federated learning,” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp. 24552–24562, 2023

  39. [39]

    A hybrid approach to privacy-preserving federated learning,

    S. Truex, N. Baracaldo, A. Anwar, T. Steinke, H. Ludwig, R. Zhang, and Y . Zhou, “A hybrid approach to privacy-preserving federated learning,” inProceedings of the 12th ACM workshop on artificial intelligence and security, pp. 1–11, 2019

  40. [40]

    Privacy-preserved federated learning for autonomous driving,

    Y . Li, X. Tao, X. Zhang, J. Liu, and J. Xu, “Privacy-preserved federated learning for autonomous driving,”IEEE Transactions on Intelligent Transportation Systems, vol. 23, no. 7, pp. 8423–8434, 2021

  41. [41]

    When feder- ated learning meets privacy-preserving computation,

    J. Chen, H. Yan, Z. Liu, M. Zhang, H. Xiong, and S. Yu, “When feder- ated learning meets privacy-preserving computation,”ACM Computing Surveys, vol. 56, no. 12, pp. 1–36, 2024

  42. [42]

    Secureboost: A lossless federated learning framework,

    K. Cheng, T. Fan, Y . Jin, Y . Liu, T. Chen, D. Papadopoulos, and Q. Yang, “Secureboost: A lossless federated learning framework,”IEEE intelligent systems, vol. 36, no. 6, pp. 87–98, 2021

  43. [43]

    Privacy-preserving deep learning via additively homomorphic encryption,

    Y . Aono, T. Hayashi, L. Wang, S. Moriai,et al., “Privacy-preserving deep learning via additively homomorphic encryption,”IEEE transac- tions on information forensics and security, vol. 13, no. 5, pp. 1333– 1345, 2017

  44. [44]

    Secure model fusion for distributed learning using partial homomorphic encryption,

    C. Liu, S. Chakraborty, and D. Verma, “Secure model fusion for distributed learning using partial homomorphic encryption,” inPolicy- Based Autonomic Data Governance, pp. 154–179, Springer, 2019

  45. [45]

    Public-key cryptosystems based on composite degree residu- osity classes,

    P. Paillier, “Public-key cryptosystems based on composite degree residu- osity classes,” inInternational conference on the theory and applications of cryptographic techniques, pp. 223–238, Springer, 1999

  46. [46]

    Fedphe: A secure and efficient federated learning via packed homo- morphic encryption,

    Y . Li, N. Yan, J. Chen, X. Wang, J. Hong, K. He, W. Wang, and B. Li, “Fedphe: A secure and efficient federated learning via packed homo- morphic encryption,”IEEE Transactions on Dependable and Secure Computing, 2025

  47. [47]

    Ckks and local differential privacy based model parameters encryption for personalized federated learning,

    F. Shen, L. Hui, Q. Liang, J. Zhang, C. Xu, Y . Chen, and Y . He, “Ckks and local differential privacy based model parameters encryption for personalized federated learning,” in2024 6th International Conference on System Reliability and Safety Engineering (SRSE), pp. 135–143, IEEE, 2024

  48. [48]

    Personalized federated learning on non-iid data via group-based meta-learning,

    L. Yang, J. Huang, W. Lin, and J. Cao, “Personalized federated learning on non-iid data via group-based meta-learning,”ACM Transactions on Knowledge Discovery from Data, vol. 17, no. 4, pp. 1–20, 2023

  49. [49]

    On the security of homomorphic encryption on approximate numbers,

    B. Li and D. Micciancio, “On the security of homomorphic encryption on approximate numbers,” inAnnual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 648–677, Springer, 2021. 14 APPENDIXA PROOF OF PFEDCKKSSECURITY LetLdenote the protocol leakage visible to the server, including the number of participating clients, ...