FedGraphHE: A privacy-preserving federated graph neural network framework with dynamic homomorphic encryption and robust aggregation

  • Aocheng Zuo,

    Roles Data curation, Methodology, Software, Writing – original draft

    Affiliation School of Information and Control Engineering, Jilin University of Chemical Technology, Jilin, China

  • Zhanshen Feng,

    Roles Funding acquisition, Project administration, Supervision

    56191167@qq.com (ZF); ygchen428@163.com (YC)

    Affiliation School of Information Engineering, Xuchang University, Xuchang, China

  • Yuan Ping,

    Roles Funding acquisition, Project administration

    Affiliation School of Information Engineering, Xuchang University, Xuchang, China

  • Shaohua Tao,

    Roles Funding acquisition, Project administration

    Affiliation School of Information Engineering, Xuchang University, Xuchang, China

  • Haonan Sun,

    Roles Data curation

    Affiliation School of Information Engineering, Xuchang University, Xuchang, China

  • Yange Chen

    Roles Funding acquisition, Project administration, Supervision

    56191167@qq.com (ZF); ygchen428@163.com (YC)

    Affiliations School of Information Engineering, Xuchang University, Xuchang, China, Henan Province Engineering Technology Research Center of Big Data Security and Application, Xuchang, China, Henan International Joint Laboratory of Polarization Sensing and Intelligent Signal Processing, Xuchang, China

Abstract

Federated learning (FL) enables collaborative model training across distributed intelligent devices while preserving data privacy. In smart healthcare networks, medical institutions can jointly learn from distributed patient data using graph neural networks (GNNs). This approach improves diagnostic accuracy without compromising patient confidentiality. However, federated GNNs face substantial challenges. These include gradient privacy vulnerabilities, computational overhead from homomorphic encryption, and susceptibility to Byzantine attacks. This paper presents FedGraphHE, a privacy-preserving federated GNN framework for secure collaborative intelligence. Our methodology integrates three synergistic modules. First, Dynamic Adaptive Partitioned Homomorphic Encryption (DAPHE) optimizes gradient transmission. Second, Hierarchical Multi-scale Adaptive Graph Transformer (HMAGT) enables encryption-aware graph processing. Third, Federated Robust Aggregation via Homomorphic Inner Product (FRAHIP) provides Byzantine-resilient aggregation. Experimental results demonstrate FedGraphHE’s effectiveness across multiple scenarios. The framework consistently outperforms existing privacy-preserving methods on citation network benchmarks (Cora, CiteSeer, PubMed). It achieves 98.18% classification accuracy on medical imaging datasets (ISIC 2020), and reduces communication costs by approximately 25% compared to existing homomorphic encryption baselines. The framework maintains over 95% accuracy under Byzantine attacks, establishing it as an effective solution for privacy-sensitive collaborative learning applications.

1 Introduction

Graph-structured data have become fundamental to modern medical artificial intelligence research, with GNNs demonstrating exceptional performance in pathological image analysis [1], multi-center electronic health records [2], and medication recommendation systems [3]. However, the sensitive nature of medical data and stringent privacy regulations [4] (e.g. the General Data Protection Regulation [GDPR] and the Health Insurance Portability and Accountability Act [HIPAA]) create significant barriers to cross-institutional collaboration. Traditional centralized approaches face inherent limitations, including data silos and high communication costs, making it challenging to simultaneously achieve effective collaboration and privacy preservation [5].

Federated learning provides a promising solution for privacy-preserving training on distributed graph data [6]. However, directly applying federated learning to GNNs presents significant technical challenges. The message passing mechanisms in GNNs cause each node to encode information from its neighbors, making gradient updates particularly vulnerable to privacy attacks that may expose both node features and graph topology [7]. To address these privacy concerns, the Cheon-Kim-Kim-Song (CKKS) homomorphic encryption scheme [8] offers strong privacy guarantees for real-valued computations. However, it introduces substantial computational and communication overhead for high-dimensional graph parameters. Furthermore, existing homomorphic encryption approaches struggle with the complex nonlinear operations inherent in GNNs, often requiring computationally expensive polynomial approximations that compromise both accuracy and efficiency [9]. Moreover, the heterogeneous and non-independent and identically distributed (non-IID) characteristics inherent in graph data render models more vulnerable to poisoning attacks [10], while traditional Byzantine robustness aggregation methods cannot function under encryption constraints as they require plaintext gradient access for similarity computation and outlier detection.

Graph-structured data in healthcare, finance, and collaborative research exhibits three compounding challenges absent in conventional federated learning: recursive neighbor aggregation causes gradients to encode both node features and graph topology, creating privacy risks beyond individual data points; irregular connectivity patterns and power-law degree distributions render homomorphic encryption substantially more expensive than on regular architectures; and non-IID graph characteristics amplify vulnerability to Byzantine attacks through adversarial embedding propagation. Recent advances have addressed individual aspects of these challenges. For instance, SecureGraphFL [11] integrated privacy with robustness for spatiotemporal graphs; cryptographic methods [12,13] provided strong guarantees but incurred substantial computational overhead; and federated frameworks [14–16] improved efficiency but lacked encrypted-domain robustness. However, no existing approach jointly optimizes privacy, efficiency, and robustness for heterogeneous graphs with irregular structures. To address these limitations, this paper introduces FedGraphHE, a privacy-preserving federated graph neural network framework. The primary contributions of this work are as follows:

  • Dynamic Ring Dimension Optimization. The framework introduces a federation-wide parameter optimization mechanism that dynamically adjusts CKKS encryption parameters based on gradient dimensions across participants. By maximizing slot utilization efficiency and implementing adaptive partitioning strategies, this mechanism reduces communication costs by approximately 25% in federated environments with heterogeneous gradient dimensions.
  • Encryption-Aware Graph Architecture. The framework employs a multi-scale graph processing architecture that captures multi-hop neighborhood information through parallel single-step aggregation while constraining homomorphic multiplication depth. This encryption-aware design enables practical privacy-preserving training while demonstrating superior performance compared to existing privacy-preserving methods.
  • Encrypted Domain Robust Aggregation. A scalar-based Byzantine detection mechanism utilizing homomorphic inner product computation identifies malicious participants while preserving gradient privacy. The reputation-weighted secure aggregation maintains robust model performance under Byzantine attacks, achieving accuracy exceeding 95% under f < K/3 malicious participants.

The remainder of this paper is organized as follows. Sect 2 reviews related work. Sect 3 details the design of the FedGraphHE framework, including the system model and three core modules. Sect 4 presents an experimental evaluation that validates the performance and security properties. Sect 5 concludes with a summary of contributions and future research directions. Key notations used throughout this paper are defined in Table 1.

2 Related works

Privacy-preserving federated GNNs

Graph Neural Networks (GNNs) demonstrate superior performance through recursive neighbor aggregation [7]. However, this mechanism simultaneously increases privacy exposure because shared gradients may encode both node attributes and structural information. Existing studies in federated graph learning have explored different aspects of this challenge, yet comprehensive solutions that jointly consider privacy, robustness, and computational efficiency remain limited.

Early privacy-preserving GNN approaches primarily focused on encrypted inference in centralized or single-party settings. Ran et al. [13] introduced CryptoGCN with an Adjacency Matrix Aware (AMA) representation to support homomorphic GNN inference, while Wang et al. [12] proposed SecGNN to enable encrypted training. While these methods provide strong privacy guarantees, they incur substantial computational overhead, rendering them impractical for the resource-constrained clients typical in large-scale federated deployments.

Subsequent federated graph learning frameworks have made significant strides in distributed optimization. Chen et al. [14] proposed FedGraph with efficient sampling strategies, while Wu et al. [15] introduced FedPerGNN for privacy-preserving personalization through graph expansion, and Liu et al. [16] (ESA-FedGNN) utilized FFT-based secret sharing to optimize aggregation, achieving complexity. Zhang et al. [17] extended these efforts to non-IID graph data. However, these approaches typically rely on the honest-but-curious threat model, failing to address active Byzantine attacks.

To address the need for attack resilience, Chen et al. [11] recently proposed SecureGraphFL, a framework utilizing an actor-critic network for client selection and attention-based aggregation. While SecureGraphFL significantly outperforms standard federated approaches in resilience, it is primarily tailored for spatiotemporal graphs, such as traffic prediction networks, characterized by inherent structural regularity. Its applicability to general, heterogeneous graph structures with irregular connectivity remains a challenge, particularly when balancing high-grade privacy with model utility.

The necessity for a solution capable of handling such structural irregularities is further underscored by recent advances in graph neural architecture search (NAS). Wang et al. [18] proposed ABG-NAS, revealing that real-world graph datasets exhibit extreme diversity in node degree distributions and sparsity-density variations. These findings highlight a critical motivation for our work: standard privacy-preserving techniques designed for grid-like image data perform poorly on graphs. The structural heterogeneity identified by Wang et al. drastically complicates homomorphic encryption, as encrypted operations on irregular topologies are computationally demanding.

Consequently, existing approaches have not fully addressed the challenge of jointly optimizing privacy, efficiency, and robustness for heterogeneous graphs with irregular structures. While methods exist for specific tasks such as medical diagnosis [19] or traffic prediction [11], they rarely provide comprehensive solutions that simultaneously protect node features, secure graph topology, maintain computational efficiency, and defend against Byzantine threats.

Homomorphic encryption optimizations

Building upon the federated GNN privacy challenges identified above, homomorphic encryption emerges as a promising solution, though it introduces new optimization challenges. The CKKS homomorphic encryption scheme exhibits fundamental limitations regarding noise accumulation and ciphertext packing capacity [20]. While recent advances have substantially improved practical performance, graph-specific optimizations remain underexplored.

Significant progress has been achieved in bootstrapping optimization. Jung et al. [21] demonstrated substantial performance improvements in CKKS bootstrapping. However, recent research by Al Badawi and Polyakov [22] revealed that bootstrapping operations remain the most computationally intensive component in FHE schemes, with CKKS bootstrapping achieving higher throughput than other schemes but still incurring significant latency overhead for applications requiring frequent noise management.

Parameter management and slot utilization have experienced notable advances. Recent work by Cheon et al. [23] introduced Grafting, a novel approach that decoupled scale factors from the modulus in RNS-CKKS. This approach addressed the rigid coupling that previously imposed design constraints and reduced precision flexibility. Pan et al. [24] developed segmented adaptive CKKS encryption specifically for federated learning scenarios. For GNNs, Ran et al. [25] proposed parallel-packed homomorphic encryption optimized for efficient graph convolutional network inference. Additionally, Zhang et al. [26] addressed communication efficiency through BatchCrypt, which batched quantized gradients for single-pass homomorphic encryption. However, the gradient quantization introduces approximation errors that may prove problematic for graph data’s irregular sparsity patterns. Despite these advances, existing homomorphic encryption optimizations were developed independently of federated graph learning requirements. Graph data sparsity, power-law degree distributions, and irregular computation patterns require specialized optimization strategies that current methods fail to adequately address.

Robust aggregation under encryption

The vulnerability of federated learning to Byzantine attacks has motivated extensive research in robust aggregation methods. However, the intersection with privacy preservation, particularly under homomorphic encryption, presents fundamental challenges that extend beyond traditional Byzantine fault tolerance.

Traditional robust aggregation methods operate on plaintext gradients. Blanchard et al. [27] performed gradient selection using nearest neighbor distance analysis, providing Byzantine tolerance through similarity-based selection. Pillutla et al. [28] proposed robust geometric median-based aggregation with theoretical convergence guarantees. However, the inner product manipulation attack proposed by Xie et al. [29] demonstrated a fundamental weakness in robust aggregation based on similarity. These traditional defenses face increasingly sophisticated attack strategies, including enhanced model poisoning attacks [30], data poisoning attacks [31], and gradient inversion attacks [32], which exploit various vulnerabilities in federated learning systems.

Robust aggregation under encryption constraints represents a critical research gap. Recent methods such as ELSA [33] provide secure aggregation against malicious actors, but ELSA's reliance on secret sharing and distributed trust models constrains deployment flexibility and limits compatibility with homomorphic encryption frameworks. While the RFLPA framework [34] advanced secure aggregation through efficient secret sharing techniques, achieving significant performance improvements over prior work, the fundamental challenge of enabling robust aggregation directly within homomorphic encryption schemes remains unresolved. In the context of GNNs, these challenges are amplified by gradient interdependence, wherein malicious participants can inject adversarial node embeddings that propagate through message passing layers. Existing approaches typically address robustness or privacy individually, creating a need for methods capable of simultaneously handling both requirements under homomorphic encryption constraints.

3 Methodology

Ethics statement

This computational study does not require ethics committee approval as it involves purely algorithmic research without human participants. No informed consent was obtained as no human subjects were involved. All datasets used (ISIC 2020, Cora, CiteSeer, PubMed) are publicly available and were fully anonymized prior to public release. Figure Clarification: All figures in this manuscript (including Figs 1 and 2) use schematic representations or stock illustrations to depict the system architecture and medical scenarios. No real patient images, clinical photographs, or personally identifiable information are included.

Fig 2. Overview of the FedGraphHE framework architecture.

https://doi.org/10.1371/journal.pone.0339881.g002

Problem formulation

System architecture.

As illustrated in Fig 1, the proposed framework constructs a federated learning system consisting of a central server (CS), a set of K client nodes , and a third party (TPA). The system operates in multiple training rounds, where the CS broadcasts the current global model, clients perform local computation, and encrypted updates are transmitted back to the server. Through distributed optimization, the framework enables collaborative model training while ensuring that each client’s private data remain strictly local and confidential, thereby collaboratively learning a global model without exposing raw information.

The system entities are defined as follows:

  • Clients: Each client Ci maintains a private local dataset Di, where . Their primary responsibility is to receive the global model, perform local training computations and model updates, and transmit encrypted updates to the central server.
  • CS: Operating under the honest but curious adversarial model, the CS coordinates the federated training process by distributing the global model and aggregating encrypted model updates from participating clients. The CS does not have access to raw data or plaintext model parameters.
  • TPA: The TPA serves as an independent entity responsible for cryptographic key management. It remains uninvolved in the model training process. Its exclusive role is to manage cryptographic keys for the encryption scheme and execute required decryption operations.

Threat model and security requirements.

FedGraphHE enables collaborative GNN training on distributed graph data while preserving privacy by avoiding raw data sharing. The following assumptions apply to each entity:

  • Clients: At most f<K/3 clients are malicious and may submit arbitrary gradients for model poisoning or collusion attacks. Honest clients follow the protocol faithfully and do not collude with the central server.
  • Semi-honest Central Server: The CS follows the protocol but attempts to infer private information from encrypted gradients and computation patterns. While unable to decrypt ciphertexts, it may analyze encrypted data distributions.
  • Semi-honest TPA: The TPA correctly executes decryption operations but may attempt to infer information from decrypted scalar values. Information exposure is limited by restricting TPA access to only encrypted scalars per round, with no access to high-dimensional gradients. The TPA does not collude with the CS or malicious clients.

The framework maintains three security requirements: (1) concealing each client’s local graph data and gradients from the server and other clients; (2) ensuring robust aggregation against malicious clients while preserving gradient privacy; and (3) minimizing information leakage through homomorphic computations, including limiting TPA information access. The threat model assumes secure communication channels and considers both privacy attacks targeting gradient information and Byzantine attacks compromising model integrity.

FedGraphHE framework overview

FedGraphHE integrates federated learning with GNNs for collaborative modeling in privacy-sensitive domains. The framework employs three synergistic modules: DAPHE for privacy-preserving gradient transmission, HMAGT for efficient graph representation learning, and FRAHIP for secure aggregation under malicious scenarios. Their interplay forms a unified processing flow: DAPHE establishes a common encrypted computational domain through federation-wide ring-dimension alignment; HMAGT performs multi-scale feature aggregation and produces structured ciphertext gradients with constrained homomorphic depth; FRAHIP operates directly on these ciphertexts to conduct consistency evaluation and Byzantine-resilient aggregation without exposing gradient information. Critically, graph topology remains strictly local—only encrypted node feature representations and gradients are transmitted, ensuring that adjacency matrices and structural connectivity patterns are never exposed. This design ensures that encrypted gradients from heterogeneous clients remain compatible, analyzable, and securely aggregatable throughout the federated pipeline.

FedGraphHE operates through a four-stage protocol per communication round:

  • Model Distribution. CS broadcasts global model parameters to all clients.
  • Local Training & Encryption. Each client trains locally using HMAGT, computes gradients, and encrypts them via DAPHE.
  • Secure Aggregation. CS executes FRAHIP to compute consistency scores, update reputations, and perform weighted aggregation in the encrypted domain.
  • Global Update. CS updates the global model using aggregated gradients.

The complete algorithmic specification is presented in Algorithm 1, while the overall system architecture is depicted in Fig 2. Technical specifications for each module are detailed in the following sections.

Algorithm 1 FedGraphHE framework execution workflow.

Require: Client set , rounds T

Ensure: Global model

1: Initialize: , client reputations

2: for t = 1 to T do

3:   Step 1: CS broadcasts to all clients

4:   Step 2: Each client Ci in parallel executes:

5:    Initialize local model:

6:    Local training using HMAGT architecture:

LocalUpdate()

7:    Compute gradients:

8:    DAPHE encryption: DAPHE.Encrypt()

9:    Send encrypted gradients and to CS

10:   Step 3: FRAHIP robust aggregation protocol

11:    Compute consensus:

12:    Compute homomorphic inner products:

13:    Send to TPA for decryption

14:    TPA returns decrypted scalars to CS

15:    Compute consistency scores:

16:   Update Reputations:

17:   for i = 1 to K do

18:    if then

19:    

20:    else if then

21:    

22:    else

23:    

24:    end if

25:   end for

26:   Step 4: Compute aggregation weights

27:   

28:   Step 5: Weighted aggregation in encrypted domain

29:   

30:    TPA decrypts: Decrypt()

31:   Step 6: Update global model

32:   

33: end for

34: return

Dynamic adaptive partitioned homomorphic encryption

In federated graph learning, the dimensionality of local gradients differs substantially across clients due to heterogeneous model structures and graph sizes. Existing encrypted federated learning systems typically rely on static CKKS parameterization, where a fixed ring dimension is applied uniformly to all participants. Although straightforward, this configuration forces all clients to operate under the worst-case parameter setting dictated by the largest gradient dimension, leading to severe slot under-utilization for smaller models. When gradients exceed the available ciphertext capacity, static schemes further suffer from excessive padding overhead arising from naive sequential partitioning.

The key insight underlying DAPHE is to maximize slot utilization while minimizing communication overhead. For client i with gradient dimension di, slot utilization efficiency under ring dimension N is quantified as:

(1)

The optimization objective maximizes the average slot utilization while controlling the communication overhead induced by excessive partitioning.

To achieve this, DAPHE employs a dynamic ring-dimension selection mechanism that balances capacity requirements with utilization efficiency, as shown in Eq (2). The threshold values (0.7 and 0.6) represent empirically optimized balance points between utilization efficiency and computational costs:

(2)

Once the optimal ring dimension N* is selected, all ciphertexts reside in the same polynomial ring , ensuring compatibility for homomorphic aggregation without requiring ring conversion. The available slot capacity per ciphertext is .

When a client’s gradient dimension exceeds this capacity (), naive fixed-size partitioning results in significant waste in the final block. To mitigate this, DAPHE adopts an adaptive block-size strategy that evenly distributes gradient elements across ciphertexts:

(3)

This adaptive design substantially reduces padding overhead while maintaining full compatibility with the unified ring-dimension configuration. The complete procedure is summarized in Algorithm 2, which includes federation-wide parameter selection followed by client-side adaptive encryption.

Algorithm 2 DAPHE: Dynamic adaptive partitioned encryption.

Require: Gradient dimensions

1: Compute optimal using Eq (2)

2: Broadcast to all clients

3: for each client i in parallel do

4:   Compute using Eq (3)

5:   if then

6:   

7:   else

8:    Partition gi into blocks

9:    for j = 1 to mi do

10:    

11:    end for

12:   end if

13:   Send to server

14: end for

15: return

The novelty of DAPHE lies in combining federation-wide coordinated parameter selection with client-specific adaptive partitioning. This joint design avoids the inefficiencies of static CKKS configurations while preventing the ring incompatibility issues that arise from heterogeneous parameter choices. Ultimately, DAPHE provides an efficient encrypted communication mechanism that remains fully compatible with HMAGT and supports the consistency evaluation required in FRAHIP.
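The two DAPHE steps described above, federation-wide ring-dimension selection and adaptive partitioning, as an added sketch that is not the paper's code. The utilization formula, the candidate set and the selection rule (largest ring dimension whose mean utilization stays at or above a 0.7 floor) are assumptions standing in for Eqs (1)–(3), which are not reproduced on this page; encryption is omitted and only the slot packing is shown.

```python
# Assumed candidate CKKS ring dimensions (powers of two). Every candidate must
# already meet the target security level for the coefficient modulus in use;
# utilization is only a tie-breaker among parameter sets that are safe.
CANDIDATE_RING_DIMS = (2048, 4096, 8192, 16384, 32768)


def slots(ring_dim):
    """CKKS packs N/2 values into one ciphertext of ring dimension N."""
    return ring_dim // 2


def num_ciphertexts(d, ring_dim):
    """Ciphertexts needed for a d-dimensional gradient (integer ceiling)."""
    if d <= 0:
        raise ValueError("gradient dimension must be positive")
    return -(-d // slots(ring_dim))


def utilization(d, ring_dim):
    """Assumed form of Eq (1): share of transmitted slots holding gradient values."""
    return d / (num_ciphertexts(d, ring_dim) * slots(ring_dim))


def select_ring_dim(dims, candidates=CANDIDATE_RING_DIMS, min_util=0.7):
    """Assumed stand-in for Eq (2): largest N whose mean utilization >= min_util.

    A larger N means fewer ciphertexts per client; the floor stops small
    clients from shipping mostly padding. Falls back to the best mean
    utilization when no candidate reaches the floor.
    """
    mean_util = {n: sum(utilization(d, n) for d in dims) / len(dims)
                 for n in candidates}
    acceptable = [n for n in candidates if mean_util[n] >= min_util]
    chosen = max(acceptable) if acceptable else max(candidates, key=mean_util.get)
    return chosen, mean_util


def fixed_partition(d, ring_dim):
    """Naive sequential split: full blocks, then whatever is left over."""
    s, m = slots(ring_dim), num_ciphertexts(d, ring_dim)
    return [s] * (m - 1) + [d - s * (m - 1)]


def adaptive_partition(d, ring_dim):
    """Even split over the same number of ciphertexts (sizes differ by <= 1)."""
    m = num_ciphertexts(d, ring_dim)
    base, extra = divmod(d, m)
    return [base + 1] * extra + [base] * (m - extra)


def pack(gradient, ring_dim):
    """Slot vectors (zero-padded to N/2) that a client would then encrypt."""
    s, start, blocks = slots(ring_dim), 0, []
    for size in adaptive_partition(len(gradient), ring_dim):
        blocks.append(list(gradient[start:start + size]) + [0.0] * (s - size))
        start += size
    return blocks


def unpack(blocks, d, ring_dim):
    """Inverse of pack(); the receiver needs only d and the shared ring dimension."""
    out = []
    for block, size in zip(blocks, adaptive_partition(d, ring_dim)):
        out.extend(block[:size])
    return out


if __name__ == "__main__":
    dims = [3000, 7000, 10000, 15000]  # constructed client gradient dimensions
    n_star, stats = select_ring_dim(dims)
    print("chosen N* =", n_star)
    for n, u in stats.items():
        print(f"  N={n:5d}  mean utilization={u:.3f}")
    print("fixed   :", fixed_partition(10000, n_star))
    print("adaptive:", adaptive_partition(10000, n_star))
```

Both partitions use the same number of ciphertexts; the adaptive one removes the nearly empty final block, so every block carries a comparable share of the gradient.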

Hierarchical multi-scale adaptive graph transformer

Traditional GNN architectures present a structural bottleneck for secure deployment. Although federated learning allows local plaintext training, deep GNNs typically rely on recursive neighborhood aggregation. Despite being efficient for plaintext computation, this recursive structure creates a bottleneck for secure model deployment, where network depth linearly increases the multiplicative depth of homomorphic circuits. For instance, if we strictly execute a 3-layer GCN over encrypted data, the accumulated noise by Layer 3 often exceeds CKKS decryption bounds, requiring expensive bootstrapping or rendering results unusable.

To address this limitation, HMAGT employs a hybrid three-stage architecture that combines encryption-aware graph aggregation with global relationship modeling: (1) Parallel Multi-scale Aggregation for extraction of local structural patterns with constant multiplicative depth; (2) Hierarchical Pooling for informative node selection; and (3) Transformer-based Global Refinement for capturing long-range semantic dependencies. This design justifies the “Graph Transformer” nomenclature by integrating Transformer-based attention with efficient local graph processing.

Parallel multi-scale aggregation. The core innovation lies in the parallel extraction of multi-hop neighborhood information directly from original node features, fundamentally eliminating the sequential depth accumulation inherent in conventional GNN layers. As illustrated in Fig 3, for a center node i, the 1-hop neighbor set and 2-hop neighbor set contribute features through independent aggregation paths:

Fig 3. Parallel multi-scale aggregation mechanism in HMAGT.

The center node i aggregates features from 1-hop neighbors (blue) and 2-hop neighbors (green) in parallel using only the original features , avoiding the depth accumulation found in sequential GNN layers.

https://doi.org/10.1371/journal.pone.0339881.g003

(4)

where denotes the original node feature vector. Critically, because both and are derived from the same source via independent linear transformations, the homomorphic multiplicative depth remains constant at one, regardless of the neighborhood radius k. This parallel formulation captures multi-scale structural patterns—local connectivity through 1-hop and broader context through 2-hop aggregation—while eliminating the sequential dependency that would otherwise magnify ciphertext noise. Furthermore, we employ additive aggregation rather than mean aggregation to avoid the additional multiplicative depth and noise accumulation associated with normalization scaling.

Since multi-scale features capture complementary neighborhood patterns, they are fused via linear projection while maintaining dimensional compatibility with DAPHE’s adaptive ring selection:

(5)

where projects concatenated multi-scale features back to dimension d.

Hierarchical pooling and transformer-based refinement. While parallel aggregation efficiently captures local structural patterns within a fixed k-hop radius, it inherently cannot model semantic dependencies between topologically distant nodes. To address this limitation while managing computational complexity, HMAGT incorporates optimization strategies akin to pruning. Specifically, hierarchical pooling scores nodes based on fused representations, selecting only the top-K most informative nodes (). This effectively prunes redundant or less relevant nodes, reducing the computational complexity of the subsequent attention mechanism from to O(K^2).

On the pooled node set, HMAGT applies a Transformer encoder layer to enable adaptive cross-node interaction. Let denote the stacked representations of selected nodes. The refinement proceeds as:

(6)(7)

where computes multi-head self-attention via , and is a two-layer feed-forward network with residual connections. This architecture allows each node to attend to all other selected nodes, capturing global contextual information that local aggregation alone cannot provide. Critically, all nonlinear operations—including softmax in attention computation and LayerNorm—are executed locally in plaintext at clients before encryption, introducing zero additional homomorphic computation burden.

Graph-level representation. For graph classification tasks, the refined node representations are aggregated into a fixed-dimensional graph embedding through homomorphic-efficient global sum pooling:

(8)

where global summation introduces no additional noise under homomorphic encryption. Similar to the attention layer, the final classification projection and softmax computation occur locally at clients, ensuring that only gradients are encrypted and transmitted.

Through this end-to-end pipeline—parallel multi-scale aggregation, hierarchical pooling, and Transformer refinement—HMAGT achieves expressive graph representation learning while maintaining a homomorphic multiplicative depth of exactly one (the single matrix multiplication in Eq 4). This design makes privacy-preserving federated GNN training practically feasible without requiring expensive bootstrapping operations.

Federated robust aggregation via homomorphic inner product

Byzantine-robust aggregation relies on the ability to evaluate the behavioral consistency of participating clients, a task traditionally performed by analyzing gradient similarity in the plaintext domain. Methods such as Krum [27] and geometric median aggregation [28] require access to unencrypted model updates to compute pairwise distances or centralized deviation measures, thereby exposing gradients to reconstruction attacks [32]. Cryptography-oriented approaches mitigate this risk but introduce their own limitations: ELSA [33] depends on an honest-majority assumption across non-colluding servers, whereas RFLPA [34] incorporates reputation information but reveals partial gradient statistics during verification. These designs do not support fully encrypted Byzantine detection, and thus cannot provide privacy-preserving robustness in heterogeneous federated environments.

FRAHIP overcomes these limitations through an encrypted-domain mechanism that reduces high-dimensional similarity computation to scalar-level consistency assessment while preserving the confidentiality of all model updates. The framework begins by computing an encrypted consensus gradient,

(9)

and evaluates each participant’s contribution using a homomorphic inner product,

(10)

This process compresses each d-dimensional gradient into a single encrypted scalar representing directional consistency. The server then transmits only the encrypted values to the TPA for decryption, where [s0] denotes the encrypted consensus norm. Since no gradient ciphertexts are ever exposed, information leakage is reduced by several orders of magnitude compared to plaintext similarity evaluation.

Upon receiving the decrypted scalar values, the server computes normalized consistency scores,

(11)

which quantify the alignment of each client’s update with the aggregated optimization direction. These instantaneous scores are incorporated into a temporal reputation mechanism that differentiates persistent adversarial behavior from benign stochastic variations:

(12)

As illustrated in Fig 4, as reputation evolves over rounds, honest participants naturally gain increasing influence, whereas adversarial clients become marginalized. Final aggregation is performed entirely within the encrypted domain using reputation-weighted averaging:

Fig 4. FRAHIP reputation mechanism dynamics.

Clients with consistently aligned gradients accumulate reputation, while adversarial or inconsistent behavior results in monotonic decay.

https://doi.org/10.1371/journal.pone.0339881.g004

(13)

where controls the sharpness of the weighting distribution. This mechanism guarantees that adversarial influence decreases exponentially over training rounds.

The complete protocol integrating encrypted similarity evaluation, scalar communication, reputation update, and encrypted aggregation is summarized in Algorithm 3. The design ensures that the entire robustness pipeline operates without accessing plaintext gradients, while the TPA observes only scalar values per round.

Algorithm 3 FRAHIP: Federated robust aggregation via homomorphic inner product.

Require: Client set , rounds T, parameters

Ensure: Global model

1: Initialize:

2: for t = 1 to T do

3:   Phase 1: Local Training and Encryption

4:   for each client Ci do

5:   

6:   

7:    Send and to CS

8:   end for

9:   Phase 2: Homomorphic Consensus and Similarity

10:  

11:  

12:   Phase 3: Reputation Update and Aggregation

13:   TPA decrypts and returns scalars

14:   Update based on consistency scores

15:  

16:  

17: end for

18: return

FRAHIP achieves Byzantine resilience under f<K/3 adversarial clients while preserving full gradient privacy, with malicious influence decaying as . Experimental results in the Experimental Results section verify that FRAHIP maintains high prediction accuracy despite the presence of Byzantine participants.
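The scoring and reputation loop described above, as a plaintext simulation added here for illustration (not the authors' implementation, and with no encryption performed). Assumptions: the consensus is a plain mean, the normalized score is the client scalar divided by the consensus norm scalar, reputation moves by a fixed step around a threshold and is clamped to [0, 1], the sign flip uses a scale of 1, and all parameter values and function names are chosen for the example.

```python
import math
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def consistency_scores(grads):
    """Plaintext stand-in for the homomorphic steps. Returns the normalized
    scores and the K+1 scalars that would be the only decrypted values."""
    k, d = len(grads), len(grads[0])
    consensus = [sum(g[j] for g in grads) / k for j in range(d)]  # assumed: plain mean
    s0 = dot(consensus, consensus)           # consensus norm scalar
    s = [dot(g, consensus) for g in grads]   # one inner-product scalar per client
    scores = [si / s0 if s0 > 0 else 0.0 for si in s]  # assumed normalization
    return scores, [s0] + s


def update_reputation(rep, scores, tau, eta):
    """Assumed rule: +eta when score >= tau, otherwise -eta, clamped to [0, 1]."""
    return [min(1.0, max(0.0, r + (eta if c >= tau else -eta)))
            for r, c in zip(rep, scores)]


def softmax_weights(rep, temperature):
    """Softmax over reputations; a lower temperature gives a sharper weighting."""
    m = max(rep)
    e = [math.exp((r - m) / temperature) for r in rep]
    z = sum(e)
    return [x / z for x in e]


def aggregate(grads, weights):
    d = len(grads[0])
    return [sum(w * g[j] for w, g in zip(weights, grads)) for j in range(d)]


def simulate(k=10, f=3, d=16, rounds=8, tau=0.5, eta=0.1, temperature=0.1, seed=7):
    """Constructed scenario: K clients, the first f send sign-flipped gradients."""
    rng = random.Random(seed)
    true_grad = [1.0] * d                    # constructed "honest" direction
    rep = [0.5] * k
    flipped = set(range(f))
    shares = []
    for _ in range(rounds):
        grads = []
        for i in range(k):
            g = [t + rng.gauss(0.0, 0.2) for t in true_grad]
            grads.append([-x for x in g] if i in flipped else g)
        scores, tpa_scalars = consistency_scores(grads)
        rep = update_reputation(rep, scores, tau, eta)
        weights = softmax_weights(rep, temperature)
        shares.append(sum(weights[i] for i in flipped))
    norm2 = dot(true_grad, true_grad)
    robust = aggregate(grads, weights)
    fedavg = aggregate(grads, [1.0 / k] * k)
    return {
        "reputation": rep,
        "malicious_share": shares,           # total weight of flipped clients per round
        "tpa_scalars": tpa_scalars,          # K+1 scalars from the last round
        "robust_projection": dot(robust, true_grad) / norm2,
        "fedavg_projection": dot(fedavg, true_grad) / norm2,
    }


if __name__ == "__main__":
    result = simulate()
    for t, share in enumerate(result["malicious_share"], start=1):
        print(f"round {t}: weight held by sign-flipping clients = {share:.2e}")
    print("reputation-weighted projection:", round(result["robust_projection"], 3))
    print("uniform-average projection:", round(result["fedavg_projection"], 3))
```
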

Security analysis

The security analysis of FedGraphHE establishes privacy and robustness guarantees against the defined threat model. The security analysis first defines key parameters used in the evaluation: consistency threshold , reputation adjustment step size , and temperature parameter for softmax weighting in the aggregation process.

Theorem 1 (DAPHE Semantic Security). Under Ring-LWE hardness assumption, DAPHE maintains IND-CPA security against polynomial-time adversaries with semi-honest servers and up to f<K/3 malicious clients.

Proof Sketch: Security follows from: (1) Dynamic parameter selection operates deterministically on gradient dimensions without accessing values; (2) CKKS encryption with independent keys maintains IND-CPA security; (3) Adaptive partitioning preserves semantic security.

Theorem 2 (HMAGT Privacy Preservation). HMAGT preserves semantic security of DAPHE-encrypted inputs against semi-honest adversaries.

Proof Sketch: All homomorphic operations (linear aggregation and multiplication) maintain IND-CPA security guarantees while keeping noise within decryption bounds through HMAGT’s controlled multiplication depth design.

Theorem 3 (FRAHIP Byzantine robustness). Under f<K/3 malicious clients, FRAHIP ensures exponential decay of malicious influence and gradient privacy through scalar exposure to TPA.

Proof Sketch: Honest clients achieve higher consistency scores than malicious clients, enabling reputation-based weight decay. TPA access to scalars prevents gradient reconstruction from underdetermined systems with .

Theorem 4 (End-to-End Security). FedGraphHE achieves computational security under the ideal-real paradigm against semi-honest servers, semi-honest TPA, and malicious clients.

Proof Sketch: Security under composition follows from DAPHE’s IND-CPA encryption, HMAGT’s privacy preservation, and FRAHIP’s bounded information exposure, with privacy loss limited to inherent federated learning leakage.

The framework provides computational privacy under Ring-LWE assumptions, privacy protection against TPA with scalar access, and Byzantine robustness against f<K/3 malicious clients. For 128-bit security, the framework requires ring dimension and appropriate reputation parameters ensuring convergence. Smaller dimensions (e.g., N = 8192) may be acceptable for applications with reduced security requirements.

4 Experimental results

Experimental setup

The experimental setup is summarized in Table 2. The evaluation employs a 70/15/15 stratified split for the ISIC 2020 dataset to preserve balanced class distribution. For citation networks (Cora, CiteSeer, PubMed), standard splits are adapted to our federated setting while maintaining proportional data distribution across participating clients. Detailed parameter settings are provided in Table 3.

The method is evaluated on four real-world datasets, as presented in Table 4. For the ISIC 2020 dataset, dermoscopic images are segmented into patches using a sliding window approach, with node features extracted through pre-trained encoders. For the citation networks (Cora, CiteSeer, and PubMed), TF-IDF vectorization of paper abstracts serves as node features.

Accuracy evaluation

The effectiveness of FedGraphHE is evaluated across two complementary experimental settings: medical image classification to assess applicability in privacy-sensitive healthcare scenarios, and standard graph node classification benchmarks to evaluate generalization across heterogeneous graph structures. All experiments employ a federated setup with 10 clients over extended training periods. Performance metrics are reported as mean ± standard deviation across five independent runs to ensure statistical reliability.

Medical image classification.

FedGraphHE is first evaluated on the ISIC 2020 skin cancer dataset, simulating collaborative training among ten medical institutions under strict privacy constraints. The optimization process exhibits stable convergence, with test accuracy reaching 98.18% and remaining stable thereafter. Table 5 summarizes the classification performance across multiple evaluation metrics, compared with representative privacy-preserving federated GNN methods. A comprehensive comparison across six representative baselines and multiple datasets is provided in Table 6.

Table 5. Classification performance on the ISIC 2020 dataset (10 clients, 5 runs).

https://doi.org/10.1371/journal.pone.0339881.t005

Table 6. Accuracy comparison across all datasets (10 clients, 5 runs).

https://doi.org/10.1371/journal.pone.0339881.t006

FedGraphHE achieves the highest performance across all metrics. In particular, the high recall (98.09%) is valuable for clinical applicability, as it reduces the risk of missing malignant lesions. The balanced precision and recall further indicate that FedGraphHE maintains robust classification performance without bias toward either class.

Comparative performance analysis.

To comprehensively address baseline coverage and incorporate the latest advances in federated learning, we evaluated FedGraphHE against six representative privacy-preserving federated GNN frameworks spanning from 2022 to 2024. These baselines covered diverse privacy mechanisms and aggregation strategies, ensuring a thorough comparison with current research frontiers: SecGNN [12] and CryptoGCN [13] relied on secure multi-party computation and cryptographic protocols for gradient protection; FedSHE [24] used static homomorphic encryption; FedPerGNN [15] leveraged public subgraph sharing; ESA-FedGNN [16] included adaptive edge sampling; and RFLPA [34], a state-of-the-art framework from NeurIPS 2024, integrated reputation-based client filtering for robustness.

Table 6 presents a comprehensive accuracy comparison across all four datasets. FedGraphHE consistently achieves the highest accuracy on every dataset: 98.18% on ISIC 2020 (medical imaging), 82.5% on Cora, 81.3% on CiteSeer, and 81.2% on PubMed (citation networks). The improvements over the second-best method (FedSHE) are particularly pronounced on Cora and CiteSeer (1.3%–1.7%), where the hierarchical multi-scale aggregation in HMAGT effectively captures multi-hop structural information even under encryption constraints.

The consistent superiority across diverse datasets demonstrates FedGraphHE’s strong generalization capability. Compared with cryptographic baselines (SecGNN, CryptoGCN), FedGraphHE benefits from graph-aware aggregation that better preserves structural information under encryption. Compared with the static encryption baseline (FedSHE), FedGraphHE achieves higher accuracy while maintaining competitive efficiency through dynamic ciphertext parameter selection in DAPHE.

Node classification performance.

FedGraphHE demonstrates competitive performance on standard graph learning benchmarks (Cora, CiteSeer, and PubMed) compared to existing privacy-preserving methods. As illustrated in Fig 5, FedGraphHE achieves faster convergence and higher final accuracy, with particularly notable improvements in the early training phases across all citation network datasets.

Fig 5. Node classification accuracy across three benchmark datasets over training epochs.

FedGraphHE achieves faster convergence and higher accuracy compared to baselines.

https://doi.org/10.1371/journal.pone.0339881.g005

Ablation study

To systematically assess the contribution of each component, we conduct ablation experiments across four datasets under both benign and adversarial settings. We evaluate five variants: the full FedGraphHE framework and four ablated versions removing (i) DAPHE (using a fixed ring dimension N = 16384), (ii) HMAGT (using a standard 2-layer GCN), (iii) FRAHIP (replacing the aggregation with simple FedAvg), or (iv) only the reputation mechanism (retaining homomorphic inner-product aggregation but disabling adaptive client weighting). Table 7 reports clean accuracy for all datasets and robustness metrics under Byzantine attacks on ISIC 2020 with f = 3 malicious clients.

Table 7. Ablation study results across four datasets (10 clients, 5 runs).

https://doi.org/10.1371/journal.pone.0339881.t007

The ablation results demonstrate the distinct role of each module. Removing HMAGT causes the largest drop in clean accuracy (p < 0.01), which confirms that the multi-scale aggregation is essential for learning complex structural features, especially in citation networks. This shows that standard GCN layers are insufficient for capturing multi-hop dependencies under the constraints of encrypted training.

Regarding robustness, disabling FRAHIP results in a sharp increase in attack success rate (up to 11.28%), validating it as the primary defense against Byzantine attacks. It is worth noting that the “without Reputation” variant shows a slight decrease in clean accuracy compared to the full model. This suggests that without the smoothing effect of historical reputation, the raw consistency scores can fluctuate, occasionally penalizing benign updates. The reputation mechanism therefore acts as a stabilizer, ensuring that only truly malicious gradients are suppressed while preserving normal training dynamics.

Finally, removing DAPHE leads to a statistically significant drop in accuracy (p < 0.05). This indicates that the benefit of DAPHE extends beyond communication efficiency. By adapting the ring dimension to the data, it avoids the quantization noise often caused by suboptimal fixed parameters, thereby maintaining higher gradient precision across heterogeneous clients.

Robustness evaluation

We evaluate the Byzantine robustness of FRAHIP under the standard constraint f<K/3 with K = 10 clients, allowing up to f = 3 malicious participants. To ensure comprehensive comparison spanning both classical and state-of-the-art approaches, FRAHIP is compared against three representative robust aggregation methods: Krum [27] (NIPS 2017, a classical distance-based method), FLTrust [35] (NDSS 2021, a trust-score approach), and RFLPA [34] (NeurIPS 2024, the current state-of-the-art incorporating reputation mechanisms similar to our approach). The evaluation is conducted on the ISIC 2020 dataset using a federated configuration with enhanced adversarial challenges.

Attack configuration. We consider two Byzantine attack types: (i) model poisoning via gradient sign flipping with , and (ii) data poisoning via label manipulation. The attack success rate (ASR) is defined as:

(14)

As reported in Table 8, FRAHIP maintains accuracy above 95% with ASR below 2.5% under the strongest threat (f = 3), consistently outperforming Krum, FLTrust, and RFLPA across all Byzantine settings. The robustness gains originate from encrypted gradient consistency evaluation through homomorphic inner products and adaptive reputation weighting, which jointly suppress malicious updates and stabilize aggregation over time.

Table 8. Robustness under Byzantine attacks (ISIC 2020, 10 clients).

https://doi.org/10.1371/journal.pone.0339881.t008

Efficiency and communication analysis

Communication overhead in federated learning primarily arises from encrypted parameter transmission between clients and the central server. The optimization effectiveness of the DAPHE module is evaluated by comparing FedGraphHE with FedAvg (the non-encrypted baseline) and FedSHE (the homomorphic encryption baseline) across multiple datasets.

The DAPHE module addresses a fundamental challenge in homomorphic encryption schemes: static ring dimension selection often leads to suboptimal slot utilization when client gradients have heterogeneous dimensions. By dynamically adapting ring dimensions based on federation-wide gradient characteristics, DAPHE significantly reduces communication volume while maintaining cryptographic security [23].

Fig 6 demonstrates the communication cost comparison results. FedGraphHE consistently achieves substantial reductions in communication volume compared to FedSHE across all evaluated datasets, with improvements ranging from 20–30%. This reduction primarily stems from improved slot utilization efficiency and adaptive partitioning strategies that minimize padding overhead.

Tables 9 and 10 present the temporal analysis of training efficiency. The results indicate that FedGraphHE’s efficiency advantage becomes more pronounced as training progresses, with communication time reductions typically exceeding 50% compared to FedSHE in later rounds. The training time analysis demonstrates similar trends, confirming the practical benefits of the DAPHE optimization.

While homomorphic encryption inevitably introduces computational overhead compared to plaintext transmission, FedGraphHE demonstrates that careful parameter optimization can significantly mitigate these costs. The experimental validation confirms that DAPHE effectively balances privacy preservation with practical efficiency, making privacy-preserving federated graph learning more viable for real-world deployment.

5 Conclusion and future work

This paper presents FedGraphHE, a privacy-preserving federated graph neural network framework that addresses the critical challenges facing collaborative intelligence in distributed environments, particularly in smart healthcare networks where medical institutions require secure joint learning from distributed patient data. The framework integrates three synergistic modules: DAPHE provides dynamic encryption optimization to reduce computational overhead from homomorphic encryption, HMAGT enables encryption-aware graph processing to address gradient privacy vulnerabilities, and FRAHIP delivers Byzantine-resilient aggregation to counter malicious participants, maintaining over 95% accuracy under f<K/3 Byzantine attacks.

Experimental results demonstrate FedGraphHE’s effectiveness across diverse application scenarios. On medical image classification tasks (ISIC 2020), the framework achieves 98.18% accuracy, while on citation network datasets, it delivers accuracy equivalent to centralized methods and significantly outperforms existing privacy-preserving approaches. However, several limitations warrant acknowledgment. The framework incurs a 27–31 computational overhead compared to plaintext methods, which can restrict deployment on resource-constrained devices. Additionally, the dependence on a TPA for scalar decryption makes the framework incompatible with fully decentralized scenarios. The current design is also specific to static graph structures, requiring adaptation for dynamic topologies.

Future research directions should address these limitations through multiple avenues. Investigating threshold cryptography could eliminate TPA dependencies, while developing lightweight implementations would enable edge deployment. Extending the framework to support dynamic graph learning scenarios would broaden its applicability and enhance its practical utility for secure collaborative learning in privacy-sensitive applications.

References

  1. Zhang L, Zhao Y, Che T, Li S, Wang X. Graph neural networks for image-guided disease diagnosis: a review. iRADIOLOGY. 2023;1(2):151–66.
  2. Oss Boll H, Amirahmadi A, Ghazani MM, Morais WO de, Freitas EP de, Soliman A, et al. Graph neural networks for clinical risk prediction based on electronic health records: a survey. J Biomed Inform. 2024;151:104616. pmid:38423267
  3. Mishra R, Shridevi S. Knowledge graph driven medicine recommendation system using graph neural networks on longitudinal medical records. Sci Rep. 2024;14(1):25449. pmid:39455647
  4. Tschider C, Compagnucci MC, Minssen T. The new EU-US data protection framework’s implications for healthcare. J Law Biosci. 2024;11(2):lsae022. pmid:39346780
  5. McMahan B, Moore E, Ramage D, Hampson S, Arcas BA. Communication-efficient learning of deep networks from decentralized data. In: Artificial Intelligence and Statistics. 2017. p. 1273–82.
  6. Sun Z, Zhao Z, Shao R, Zou Y, Li C, Wei N. Survey on privacy-preserving techniques for graph neural networks in federated learning paradigm. In: 2024 IEEE International Conference on High Performance Computing and Communications (HPCC). 2024. p. 713–20. https://doi.org/10.1109/hpcc64274.2024.00099
  7. Zhang Y, Zhao Y, Li Z, Cheng X, Wang Y, Kotevska O, et al. A survey on privacy in graph neural networks: attacks, preservation, and applications. IEEE Trans Knowl Data Eng. 2024;36(12):7497–515.
  8. Cheon JH, Kim A, Kim M, Song Y. Homomorphic encryption for arithmetic of approximate numbers. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2017. p. 409–37.
  9. Nguyen DTK, Duong DH, Susilo W, Chow Y-W, Ta TA. HeFUN: homomorphic encryption for unconstrained secure neural network inference. Future Internet. 2023;15(12):407.
  10. Alebouyeh Z, Bidgoly AJ. Privacy-preserving federated learning compatible with robust aggregators. Engineering Applications of Artificial Intelligence. 2025;143:110078.
  11. Chen G, Tong M, Yin J, Wang M, Cao J, Wang H. SecureGraphFL: a privacy-preserving and attack-resilient federated learning framework for traffic prediction. IEEE Internet Things J. 2025: p. 1.
  12. Wang S, Zheng Y, Jia X. SecGNN: privacy-preserving graph neural network training and inference as a cloud service. IEEE Trans Serv Comput. 2023;16(4):2923–38.
  13. Ran R, Wang W, Gang Q, Yin J, Xu N, Wen W. CryptoGCN: Fast and scalable homomorphically encrypted graph convolutional network inference. Advances in Neural Information Processing Systems. 2022;35:37676–89.
  14. Chen F, Li P, Miyazaki T, Wu C. FedGraph: federated graph learning with intelligent sampling. IEEE Trans Parallel Distrib Syst. 2022;33(8):1775–86.
  15. Wu C, Wu F, Lyu L, Qi T, Huang Y, Xie X. A federated graph neural network framework for privacy-preserving personalization. Nat Commun. 2022;13(1):3091. pmid:35654792
  16. Liu Y, Li H, Qian X, Hao M. ESA-FedGNN: efficient secure aggregation for federated graph neural networks. Peer Peer Netw Appl. 2023;16(2):1257–69. pmid:37152768
  17. Zhang K, Cai Z, Seo D. Privacy-preserving federated graph neural network learning on non-IID graph data. Wireless Communications and Mobile Computing. 2023;2023:1–13.
  18. Wang S, Yin J, Cao J, Tang M, Wang H, Zhang Y. ABG-NAS: adaptive bayesian genetic neural architecture search for graph representation learning. Knowledge-Based Systems. 2025;328:114235.
  19. Chen Y, Mao Q, Wang B, Duan P, Zhang B, Hong Z. Privacy-preserving multi-class support vector machine model on medical diagnosis. IEEE J Biomed Health Inform. 2022;26(7):3342–53. pmid:35259122
  20. Cheon JH, Cho W, Kim J, Stehlé D. Homomorphic multiple precision multiplication for CKKS and reduced modulus consumption. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023. p. 696–710. https://doi.org/10.1145/3576915.3623086
  21. Jung W, Kim S, Ahn JH, Cheon JH, Lee Y. Over 100x faster bootstrapping in fully homomorphic encryption through memory-centric optimization with GPUs. TCHES. 2021; p. 114–48.
  22. Badawi AA, Polyakov Y. Demystifying Bootstrapping in Fully Homomorphic Encryption. Cryptology ePrint Archive, Paper 2023/149; 2023. https://eprint.iacr.org/2023/149
  23. Cheon JH, Choe H, Kang M, Kim J, Kim S, Mono J, et al. Grafting: Decoupled Scale Factors and Modulus in RNS-CKKS. Cryptology ePrint Archive, Paper 2024/1014; 2024. https://eprint.iacr.org/2024/1014
  24. Pan Y, Chao Z, He W, Jing Y, Hongjia L, Liming W. FedSHE: privacy preserving and efficient federated learning with adaptive segmented CKKS homomorphic encryption. Cybersecurity. 2024;7(1):40.
  25. Ran R, Xu N, Liu T, Wang W, Quan G, Wen W. Penguin: parallel-packed homomorphic encryption for fast graph convolutional network inference. Advances in Neural Information Processing Systems. 2023;36:19104–16.
  26. Zhang C, Li S, Xia J, Wang W, Yan F, Liu Y. BatchCrypt: Efficient homomorphic encryption for Cross-Silo federated learning. In: 2020 USENIX annual technical conference (USENIX ATC 20); 2020. p. 493–506.
  27. Blanchard P, El Mhamdi EM, Guerraoui R, Stainer J. Machine learning with adversaries: byzantine tolerant gradient descent. In: Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017. p. 118–28.
  28. Pillutla K, Kakade SM, Harchaoui Z. Robust aggregation for federated learning. IEEE Trans Signal Process. 2022;70:1142–54.
  29. Xie C, Koyejo O, Gupta I. Fall of empires: breaking byzantine-tolerant SGD by inner product manipulation. In: Uncertainty in Artificial Intelligence, 2020. p. 261–70.
  30. Yan G, Wang H, Yuan X, Li J. Enhancing model poisoning attacks to byzantine-robust federated learning via critical learning periods. In: The 27th International Symposium on Research in Attacks, Intrusions and Defenses. 2024. p. 496–512. https://doi.org/10.1145/3678890.3678915
  31. Tolpegin V, Truex S, Gursoy ME, Liu L. Data poisoning attacks against federated learning systems. In: European symposium on research in computer security. Springer; 2020. p. 480–501.
  32. Geiping J, Bauermeister H, Droge H, Moeller M. Inverting gradients–how easy is it to break privacy in federated learning? Advances in Neural Information Processing Systems. 2020;33:16937–47.
  33. Rathee M, Shen C, Wagh S, Popa RA. ELSA: secure aggregation for federated learning with malicious actors. In: 2023 IEEE Symposium on Security and Privacy (SP). 2023. https://doi.org/10.1109/sp46215.2023.10179468
  34. Mai P, Pang Y, Yan R. RFLPA: a robust federated learning framework against poisoning attacks with secure aggregation. In: Advances in Neural Information Processing Systems 37. 2024. p. 104329–56. https://doi.org/10.52202/079017-3314
  35. Cao X, Fang M, Liu J, Gong NZ. FLTrust: Byzantine-robust federated learning via trust bootstrapping. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). Internet Society; 2021.