ML Security PapersSenseCrypt: Sensitivity-guided Selective Homomorphic Encryption for Joint Federated Learning in Cross-Device Scenarios
Borui Li 1, Li Yan 1, Junhao Han 1, Jianmin Liu 1, Lei Yu 2
Published on arXiv
2508.04100
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
SenseCrypt maintains security against state-of-the-art inversion attacks and achieves normal model accuracy while reducing FL training time by 58.4%–88.7% compared to traditional full homomorphic encryption methods.
SenseCrypt
Novel technique introduced
Homomorphic Encryption (HE) prevails in securing Federated Learning (FL), but suffers from high overhead and adaptation cost. Selective HE methods, which partially encrypt model parameters by a global mask, are expected to protect privacy with reduced overhead and easy adaptation. However, in cross-device scenarios with heterogeneous data and system capabilities, traditional Selective HE methods deteriorate client straggling, and suffer from degraded HE overhead reduction performance. Accordingly, we propose SenseCrypt, a Sensitivity-guided selective Homomorphic EnCryption framework, to adaptively balance security and HE overhead per cross-device FL client. Given the observation that model parameter sensitivity is effective for measuring clients' data distribution similarity, we first design a privacy-preserving method to respectively cluster the clients with similar data distributions. Then, we develop a scoring mechanism to deduce the straggler-free ratio of model parameters that can be encrypted by each client per cluster. Finally, for each client, we formulate and solve a multi-objective model parameter selection optimization problem, which minimizes HE overhead while maximizing model security without causing straggling. Experiments demonstrate that SenseCrypt ensures security against the state-of-the-art inversion attacks, while achieving normal model accuracy as on IID data, and reducing training time by 58.4%-88.7% as compared to traditional HE methods.
Key Contributions
- Privacy-preserving client clustering using model parameter sensitivity as a proxy for data distribution similarity, enabling IID grouping without exposing raw data
- Straggler-aware scoring mechanism that derives per-client encryption budgets based on bandwidth and device processing speed
- Multi-objective parameter selection optimization that minimizes HE overhead while maximizing security coverage per client
🛡️ Threat Analysis
The explicit threat model is inversion attacks where adversaries reconstruct private training data from model parameters/gradients transmitted during FL rounds. SenseCrypt defends against this by selectively encrypting sensitive model parameters with HE, and experiments evaluate security against state-of-the-art inversion attacks.