DictPFL: Efficient and Private Federated Learning on Encrypted Gradients

We thank Reviewer 1kTE for the insightful feedback on the clarity of our writing and the quality of our visualizations. We are also pleased that the effectiveness of DictPFL in significantly reducing communication overhead in HE-based federated learning was appreciated.

Q1. The motivation for adopting algorithmic optimization rather than the quantization and packing needs to be further clarified. Is there any advantage brought by algorithmic optimization?

We thank the reviewer for the insightful question. Algorithmic optimization directly reduces gradient redundancy without sacrificing accuracy, whereas quantization and packing often lead to accuracy degradation. Moreover, their improvements are limited and easily saturate [b]. More importantly, these optimization approaches are orthogonal and can be combined—by first reducing gradients through algorithmic optimization and then applying quantization or packing, overall communication cost can be further minimized. Here we perform experiments (3-client ViT on CIFAR-10, $r=4$, $s=0.7$, $\tau=3$, $\beta=0.2$) to compare DictPFL (algorithmic optimization) and AdaptiveBatchHE [a] (packing optimization), as shown in the table below. It reveals that DictPFL outperforms AdaptiveBatchHE in both efficiency and accuracy and combining them will further reduce communication overhead.

Q2. This work appears to be some incremental improvement on FedML-HE. The contributions to the community of HE-based FL are expected to be clarified.

DictPFL is fundamentally different from FedML-HE in both principle and design. While FedML-HE improves efficiency by leaving partial gradients unencrypted—thereby trading privacy for efficiency—DictPFL improves efficiency without compromising privacy, as all shared gradients remain fully encrypted. This core difference enables DictPFL to maintain the strong privacy guarantees of HE that can defense any attacks, while significantly reducing overhead.

Notably, our results demonstrate that DictPFL incurs only a 2× computational overhead compared to plaintext FL, showing for the first time that deploying FHE in FL can be practical at scale. This represents more than an incremental improvement, offering the community a practical solution for achieving both security and efficiency in HE-based FL.

Q3. There is an identical metric for determining which gradients to prune. However, if the data distribution of the clients is different, how to ensure the personality of each client based on this design?

DictPFL preserves the personality of each client based on our HRC mechanism. Specifically, while pruning is guided by the magnitude of global gradients, the HRC mechanism allows each client to upload accumulated local gradients for parameters that are reactivated, even if they were previously pruned due to low global gradient magnitudes. This means that important client-specific significant gradients are not lost: whenever such parameters are reactivated again, clients contribute their accumulated local gradients. In Table 6, we evaluate DictPFL under various degrees of data heterogeneity by adjusting the Dirichlet factor $\alpha$. While greater heterogeneity (lower $\alpha$) increases training time and communication overhead, DictPFL consistently maintains strong performance.

To further demonstrate the effect of HRC's accumulative gradient sharing mechanism, we compare “accumulative gradient sharing” versus “non-accumulative sharing,” measuring the resulting accuracy under comparable training time. Our results (3-client ViT on Diabetic Retinopathy, $r=4$, $s=0.7$, $\tau=3$, $\beta=0.2$) show that omitting accumulated gradients notably reduces accuracy, particularly in more heterogeneous settings—because discarding small but meaningful gradients impairs learning for clients with diverse data. Overall, these results highlight that DictPFL can achieve robust performance across a wide range of data distributions.

Q4. Please provide additional experimental results in terms of the convergence of the training process of DictPFL.

In our main paper, we provided learning curve plots in Figure 9 to demonstrate DictPFL’s convergence. To further address the reviewer’s concern, we will include additional plots in the revision that show the training and test losses over training rounds, across different settings. All experiments in the main paper were repeated over five independent runs, and we report the mean and standard deviation for key metrics such as accuracy, communication cost, and training time (see Figure 6 and Table 1 and 2). The statistical reporting primarily demonstrates the stability and reproducibility of DictPFL’s performance, the consistently low standard deviations across these metrics provide indirect evidence of robust convergence.

[a] Adaptive Batch Homomorphic Encryption for Joint Federated Learning in Cross-Device Scenarios, IOT 2023.

[b] HEQuant: Marrying Homomorphic Encryption and Quantization for Communication-Efficient Private Inference

We sincerely thank Reviewer JGjf for recognizing the practical value of our work. We are glad that the efficiency gains and preserved privacy guarantees of our method were found meaningful and conducive to real-world deployment.

Q1. Can the two strategies proposed in the paper, DePE and PrME, be applied to other non-HE-based federated learning methods?

Thanks for the reviewer's insightful question. The proposed DePE and PrME strategies are general and applicable to non-HE-based FL, especially in communication-sensitive settings. By reducing the volume of gradient information transmitted, they help lower communication overhead regardless of encryption. DictPFL shows greater benefits in HE-based FL, where communication and computation overhead introduced by HE becomes the bottleneck (see Figure 2).

In summary, while DePE and PrME are effective in non-HE scenarios, their advantages are most significant in HE-based FL, which is the focus of this work.

Q2. The paper contains redundant expressions, with an overly verbose abstract and introduction.

Thanks for the reviewer's constructive feedback. We will revise the abstract and introduction to make the motivation and contributions more concise.

Q3. The comparative methods are relatively few in number and outdated. For instance, FedHE-Full (2022), FedHE-Finetune (2023), and FedML-HE (2023) were all published before 2023.

We found that most new HE-FL approaches still use our main baselines (FedHE-Full, FedHE-Finetune, and FedML-HE) as fundamental frameworks. Many recent works (2024–2025) either build directly on these methods (e.g., [a, b], which extend FedML-HE and retain its partial encryption strategy) or explore orthogonal optimizations such as quantization and packing [c], which are compatible with our DictPFL.

Our DictPFL builds upon and enhances these widely adopted baselines, ensuring a fair and representative evaluation. We will also update the Related Work section to cite and briefly discuss these recent developments [a,b,c].

[a] A Selective Homomorphic Encryption Approach for Faster Privacy-Preserving Federated Learning, Arxiv 2025

[b] Privacy-Preserving Federated Learning for SkinCancer Detection Using Homomorphic Encryption and Advanced Deep Learning Techniques, IJCS 2025

[c] Efficient and Straggler-Resistant Homomorphic Encryption for Heterogeneous Federated Learning, INFOCOM 2025

Thank you for your positive and helpful feedback.

To addressing the Q2, we will revise the paper to improve clarity and structure. Specifically, we plan the following adjustments:

• Merge the first two paragraphs of the Introduction into a single concise paragraph that introduces FL privacy challenges and sets up the HE-based FL context, avoiding repetition with the Abstract.

• Summarize prior work limitations at a high level in the Introduction and move detailed analysis into a new Section 3 Motivation, making the Introduction more focused and readable. And follow Reviewer oqcz's suggestion, using Figure 7 to illustrate the motivation.

• Reorganize sections by clearly separating Related Work, Motivation, and Methodology, to enhance logical flow.

We sincerely appreciate your constructive suggestions, which will guide us in refining the final version. We would be truly grateful for your support during the reviewer discussion phase.

We sincerely thank Reviewer oqcz for the constructive and insightful feedback. We appreciate the recognition of our clear motivation, as well as the effectiveness and efficiency of the proposed techniques.

Q1: Not rigorous claims: Lines 51–58 claim FedML-HE has limited privacy since [2] shows 30% of gradients suffice for reconstruction. However, [2] uses magnitude-based pruning, which differs from FedML-HE’s approach of encrypting top-k sensitive parameters.

Lines 51-58 were originally used to claim FedML-HE is insecure because the unencrypted gradients can leak information exploitable by attackers. Figure 7 demonstrates that when 30% of the gradients are shared unencrypted (selected by FedML-HE), the image reconstructed by attack [47] achieves a 23% similarity score. Thanks to the reviewer’s feedback, we recognize that Figure 7, rather than citation [2], should be used to support this claim. We will revise the manuscript accordingly to avoid any misunderstanding.

Q2. Missing related works such as analytic attacks [50] and optimization-based attacks [51-53], as well as defenses such as [54]. It would be better to evaluate against different kinds of attacks, such as [51-53].

Thanks for the reviewer's feedback, and we would like to clarify any misunderstanding. DictPFL is robust to all existing attacks because all shared data is encrypted. In contrast, previous method partially shares unencrypted gradients, making them vulnerable to attacks. In our paper, we use [47] as a representative attack to validate this distinction. Regarding the mentioned defense [54], the server can get the final aggregated model, whereas DictPFL prevents the server from accessing it by encrypting gradients throughout the entire process. We will clarify this point in the paper and cite all the relevant attack and defense methods accordingly.

Q3. Presenting attack performance and model accuracy together would better clarify trade-offs.

We would like to clarify any misunderstanding. DictPFL ensures security by encrypting all data shared with the server, resulting in a 0% attack success rate across all hyperparameter settings. Therefore, there is no trade-off between accuracy and security in our approach. The only trade-offs between accuracy and efficiency are presented in Figure 6.

Q4. What if FedML-HE dynamically calculates sensitivity scores to encrypt? It would be better first to check this possibility and then discuss the limitations, to provide better and clarity in supporting the motivations.

Thanks for reviewer's insightful suggestion. FedML-HE trades security for efficiency, and this trade-off persists regardless of whether sensitivity is dynamically recalculated. While dynamic recalculation can enhance security, it incurs substantial computational overhead to achieve an empirical 0% attack success rate. Because recalculating sensitivity scores requires each client to perform a forward pass on the training dataset and share encrypted sensitivity values for secure aggregation—introducing overhead comparable to original training round and HE aggregation step. Our experiments (3-client ViT on CIFAR-10, encrypt 10%) with varying recalculation frequencies (i.e., recalculating every k-round) show that more frequent updates do improve privacy, but at the cost of significantly reduced efficiency. Even under these settings, FedML-HE still cannot achieve the strong privacy guarantees or efficiency of DictPFL.

Q5. Since the dictionary may reflect the coarse distribution of training data, could this make it easier for adversaries to infer gradients if the dictionary is compromised?

Under our threat model, the dictionary is never shared with the server. Even if the server somehow obtains the dictionary, it provides no advantage in inferring gradients. This is because only the lookup table is updated using private data, while the dictionary itself contains no information about gradients or client training data. The only way for the server to access gradient information would be to break the HE and decrypt the gradients, which is assumed to be computationally infeasible.

Q6. Regarding the reactivation probability scale $\beta$, how does the method perform when $\beta=0$? From Table 4, it appears that the impact of reactivation is not significant and unnecessary.

The reactivation mechanism HRC is significant and necessary. Without HRC ($\beta=0$), certain important parameters pruned in early rounds may never participate in training again, which may hinder the model's ability to achieve optimal accuracy. As shown in Figure 9, disabling HRC ($\beta=0$) results in noticeably lower accuracy with pruning 70%, i.e., 71.5%, under comparable training overhead. We will add this result in Table 4 and further analyze a range of $\beta$ values between 0 and 0.2 to present a more comprehensive ablation study.

Q7. It is recommended to further discuss the impact of non-iid data distribution.

Thank you for the insightful suggestion. As shown in Table 6, we already evaluated DictPFL under various degrees of data heterogeneity by adjusting the Dirichlet factor $\alpha$. While greater heterogeneity (lower $\alpha$) increases training time and communication overhead, DictPFL consistently maintains strong performance. This robustness is largely due to our HRC reactivation mechanism, which allows clients to share accumulated local gradients for reactivated parameters.

To further demonstrate the effect, we compare “accumulative gradient sharing” versus “non-accumulative sharing,” measuring the resulting accuracy under similar training time. Our results (3-client ViT on Diabetic Retinopathy, $r=4$, $s=0.7$, $\tau=3$, $\beta=0.2$) show that omitting accumulated gradients notably reduces accuracy, particularly in more heterogeneous settings—because discarding small but meaningful gradients impairs learning for clients with diverse data. Overall, these results highlight that DictPFL can achieve robust performance across a wide range of data distributions.