Federated learning promised to keep data private by design: train models locally, share only gradients. But gradients leak information. Reconstruction attacks can recover training data from shared model updates with alarming fidelity. The logical next step—encrypting gradients so that even the aggregation server cannot read them—requires performing mathematical operations on encrypted data. This is precisely what fully homomorphic encryption (FHE) enables, and a recent line of work culminating in the Lancelot framework demonstrates that the approach is becoming computationally tractable.
The Privacy Gap in Standard Federated Learning
Federated learning (FL) distributes model training across clients that hold local data. Each client trains on its own partition and sends model updates—typically gradients or weight differences—to a central server for aggregation. The raw data never leaves the client. This architecture, introduced by McMahan et al. (2017), offered an appealing privacy narrative.
However, subsequent research revealed serious vulnerabilities. Gradient inversion attacks can reconstruct training samples from shared updates. Membership inference attacks can determine whether a specific record was in a client's training set. Model poisoning attacks allow malicious clients to corrupt the global model. Standard FL, without additional cryptographic protection, is vulnerable on all three fronts.
Differential privacy (DP) addresses some of these concerns by adding calibrated noise to gradients, but this introduces a fundamental accuracy-privacy tradeoff. Secure multi-party computation (SMPC) provides stronger guarantees but requires complex interaction protocols among participants. FHE occupies a distinct position: it allows the server to perform meaningful computation—specifically, aggregation—on encrypted gradients without ever decrypting them.
How FHE-Based Federated Learning Works
In an FHE-based FL system, clients encrypt their local model updates using a homomorphic encryption scheme (typically CKKS for approximate arithmetic on real-valued gradients). The server receives these ciphertexts and performs aggregation operations—weighted averaging, for example—directly in the encrypted domain. The result is an encrypted global model update that clients can decrypt locally to update their models.
The critical property is that the server never sees plaintext gradients. Even a fully compromised aggregation server learns nothing about individual client contributions beyond what can be inferred from the final aggregated model.
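The round described above, as an added example that is not code from the article or from any of the cited papers: it uses textbook Paillier, an additively homomorphic scheme, as a stand-in for CKKS, because weighted aggregation needs only ciphertext addition and multiplication by a public integer weight. The toy primes, the fixed-point `SCALE`, the single key shared by all clients, and every function name are assumptions of this example.

```python
# Added illustration: textbook Paillier (additive HE) stands in for CKKS.
# Toy parameters constructed for this example; far too small for real use.
import math
import secrets

P, Q = 2**89 - 1, 2**107 - 1   # two Mersenne primes (toy key size)
N = P * Q                      # public key, known to the server
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # secret key, clients only
MU = pow(LAM, -1, N)
SCALE = 10**6                  # fixed-point scale for real-valued gradients


def encrypt(x: float) -> int:
    """Client: fixed-point encode, then Enc(m) = (1 + m*N) * r^N mod N^2."""
    m = round(x * SCALE) % N   # negative values wrap around mod N
    r = secrets.randbelow(N - 2) + 2
    return (1 + m * N) * pow(r, N, N2) % N2


def decrypt(c: int) -> int:
    """Client: recover the signed fixed-point integer from a ciphertext."""
    m = (pow(c, LAM, N2) - 1) // N * MU % N
    return m - N if m > N // 2 else m


def aggregate(updates, weights):
    """Server: weighted sum per coordinate using ciphertexts and N only."""
    out = [1] * len(updates[0])            # 1 is Enc(0) with r = 1
    for enc_grad, w in zip(updates, weights):
        for j, c in enumerate(enc_grad):
            # ciphertext product adds plaintexts; c^w multiplies plaintext by w
            out[j] = out[j] * pow(c, w, N2) % N2
    return out


def run_round(client_grads, weights):
    """One round: encrypt on clients, aggregate on server, decrypt on clients."""
    uploads = [[encrypt(g) for g in grad] for grad in client_grads]
    enc_sum = aggregate(uploads, weights)
    total = sum(weights)
    return [decrypt(c) / (SCALE * total) for c in enc_sum]


# Constructed sample: three clients, two parameters, weights = sample counts.
GRADS = [[0.12, -0.40], [0.08, 0.10], [-0.02, 0.30]]
WEIGHTS = [100, 300, 600]
if __name__ == "__main__":
    print(run_round(GRADS, WEIGHTS))
```

`aggregate` never references `LAM` or `MU`, which is the property the paragraph above relies on: the server computes the weighted average without being able to read any individual update.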
Xie et al. (2024) provide a comprehensive survey of efficiency optimization techniques for HE-based FL in IEEE Internet of Things Journal. They categorize approaches into algorithmic optimizations (batching, quantization-aware encryption, sparsification before encryption), hardware accelerations (GPU and FPGA-based polynomial arithmetic), and hybrid strategies combining multiple techniques. Their taxonomy reveals that computational overhead remains the primary bottleneck: FHE operations on neural network gradients can be 100-1000x slower than plaintext equivalents.
The Lancelot Contribution
Jiang et al. (2025), published in Nature Machine Intelligence, present Lancelot—a framework that addresses both privacy and Byzantine robustness within FHE. The key insight is that verifying whether a client's contribution is malicious (a requirement for Byzantine robustness) and keeping that contribution private (a requirement for confidentiality) are inherently conflicting goals. Lancelot resolves this tension through a carefully designed protocol that performs robustness checks in the encrypted domain.
The reported performance improvement is substantial: Lancelot achieves more than a 20-fold speedup over prior FHE-based Byzantine-robust FL methods. The framework was tested on medical imaging diagnostics and standard image classification benchmarks, demonstrating that accuracy remains comparable to non-encrypted baselines while providing formal privacy guarantees.
The architectural innovation involves restructuring the aggregation pipeline so that Byzantine detection—identifying and excluding poisoned updates—can be performed on ciphertexts without requiring decryption at any intermediate step. This avoids the common workaround of decrypting for verification and re-encrypting, which introduces both latency and a potential privacy leak at the verification point.
Practical Limitations and Open Challenges
Despite the 20x improvement, the absolute computational overhead of FHE-based FL remains significant. For large models (e.g., transformers with billions of parameters), encrypting and homomorphically aggregating gradient tensors generates ciphertext sizes and computation times that may exceed practical network and time budgets. Current FHE-based FL systems work best with smaller models or compressed gradient representations.
Key size and ciphertext expansion remain problematic. CKKS ciphertexts can be 10-100x larger than the plaintext data they encode, multiplying communication costs in FL systems where bandwidth is often the binding constraint.
Multi-key scenarios introduce additional complexity. When different clients use different encryption keys (a natural requirement in cross-organizational settings), the server must perform multi-key homomorphic operations, which are substantially more expensive than single-key variants.
The trust model requires scrutiny. FHE-based FL eliminates the need to trust the server with gradient privacy, but clients must still trust the encryption scheme, the key generation protocol, and the correctness of the aggregation. Side-channel attacks on client-side encryption remain relevant.
Where This Matters Most
The healthcare and financial sectors represent the most compelling use cases. In healthcare, multi-hospital ML collaborations face strict regulatory constraints (HIPAA, GDPR) that make even standard FL legally complex. FHE provides a defense-in-depth layer that could simplify compliance arguments. In finance, anti-money-laundering models trained across institutions could benefit from encrypted gradient aggregation to avoid sharing customer transaction patterns.
The convergence of hardware acceleration (dedicated FHE chips from companies like Intel, the DARPA-funded DPRIVE program) with algorithmic improvements like Lancelot suggests that the computational gap will narrow over the next several years. Whether it narrows enough for production deployment with large language models remains an open question.
Open Questions
- Can FHE-based FL scale to modern LLM fine-tuning, where gradient tensors contain billions of parameters?
- How does the accuracy-computation tradeoff compare quantitatively between FHE-based FL and differential-privacy-based FL across different threat models?
- Will hardware-accelerated FHE (e.g., custom ASICs) close the performance gap enough for real-time applications?
Closing Reflection
Fully homomorphic encryption in federated learning transforms a soft privacy promise into a cryptographic guarantee. The Lancelot framework represents a meaningful step toward making this practical by dramatically reducing computational overhead while simultaneously addressing Byzantine threats. Yet the field remains in a phase where theoretical elegance outpaces deployment readiness. The gap is closing, but it has not yet closed.