Privacy-Preserving ML in 2026 — Federated Learning / Flower / NVIDIA FLARE / Opacus / Zama Concrete / OpenMined PySyft Deep Dive

Prologue — "Move the model, not the data"

In April 2017, a post appeared on the Google AI blog titled "Federated Learning: Collaborative Machine Learning without Centralized Training Data." Brendan McMahan and colleagues announced that they had improved the next-word prediction model in Gboard (the Android keyboard) without sending users' typing data to a server — they only collected model updates trained on each phone, then averaged them. That was the moment the FedAvg (Federated Averaging) algorithm was unveiled to the world.

In June 2024, at Apple WWDC, Craig Federighi showed an even more striking stage. Private Cloud Compute (PCC) — an infrastructure where, when a user's request reaches Apple's cloud servers, those servers can never see the contents. The Secure Enclave, Apple Silicon, verifiable builds, and certificate-transparency verification done on the user's own device. The contradictory thesis "send the data to the server, but make the server unable to see it" had become a shipping product.

In the seven years between those two moments, privacy-preserving machine learning (PPML) grew from academic curiosity into core big-tech infrastructure. As of May 2026, PPML is a combination of five technology stacks.

Federated Learning (FL) — aggregate only model weights, never the data
Differential Privacy (DP) — a mathematical guarantee that one person's removal barely changes the result
Homomorphic Encryption (HE) — compute directly on encrypted data
Secure Multi-Party Computation (MPC) — parties compute a function without revealing their inputs
Trusted Execution Environment (TEE) — run code inside a hardware-isolated region

This post walks through each area as of May 2026 — representative frameworks, real-world deployments, and the regulatory context.

1. Why PPML Emerged — Four Pressures

The EU GDPR, which took effect on 25 May 2018, was the starting gun for the PPML era. Six lawful bases for processing (consent, contract, legal obligation, vital interest, public task, legitimate interest), the right to be forgotten, the data-minimisation principle. Violations risk fines up to the larger of 4% of annual turnover or 20 million EUR.

The EU AI Act passed in 2023-2024 then added data-governance, transparency, human-oversight, and robustness requirements for high-risk AI systems (medical, hiring, credit, law enforcement). General-Purpose AI (GPAI) obligations begin phasing in from August 2026.

US HIPAA (1996), Korea PIPA, Japan APPI, China PIPL, California CCPA/CPRA. Regulators worldwide were tightening simultaneously, which pushed the classic ML workflow — "gather all the data into one place and train on it" — into precarious territory.

1.2 Data Silos and the Hunger for Collaborative Learning

One hospital's MRI corpus alone is too small to train a rare-tumour detection model. But sharing patient images with another hospital is legally and ethically difficult. Banks face the same tension — fraud-detection models grow stronger when several banks combine their data, yet transaction logs cannot be shared.

This "we want to share but cannot" data-silo problem is the single biggest practical driver for PPML, and especially for federated learning.

1.3 Input Privacy at Inference Time

A new problem the LLM era introduced. A user pastes their code, medical records, or financial data into ChatGPT. OpenAI's server sees the plaintext input. Can that be prevented?

TEE-based — Apple PCC, AWS Nitro Enclaves, confidential VMs
FHE-based — Zama Concrete-ML for inference over encrypted input
MPC-based — distributed inference with CrypTen, EzPC

1.4 Model Privacy — Membership Inference Attacks

Carlini et al. (2021) showed that GPT-2 could be coaxed into emitting verbatim training data — email addresses, phone numbers, medical records. A trained model "remembers." The mathematical tool meant to prevent that is Differential Privacy (DP).

2. Federated Learning Concepts — From FedAvg to FedProx

2.1 The FedAvg Algorithm (McMahan et al., 2017)

FedAvg is simple. Every round:

The server distributes the global weights w_t to clients
Each client k trains locally on its data D_k for E epochs, producing w_t^k
The server takes a weighted average: w_(t+1) = sum(n_k / n) * w_t^k
Repeat the next round

+----------+              +----------+              +----------+
| Client 1 |              | Client 2 |              | Client 3 |
| D_1      |              | D_2      |              | D_3      |
+----+-----+              +----+-----+              +----+-----+
     |  w_t^1                   |  w_t^2                  |  w_t^3
     +--------------------+-----+--------------------+----+
                          v
                  +-------+-------+
                  |    Server     |
                  | w_(t+1) =     |
                  |  weighted avg |
                  +---------------+
                          |
                          v
                    (distribute to all clients)

2.2 Cross-Device vs Cross-Silo

Cross-Device FL — millions of mobile phones, only a subset participates each round, unstable connectivity. Examples: Google Gboard, Apple Siri.

Cross-Silo FL — tens of institutions (hospitals, banks). Stable infrastructure, almost always available, large per-node data. Examples: NVIDIA FLARE-based BraTS, MELLODDY (pharma consortium).

Aspect	Cross-Device	Cross-Silo
Number of clients	10k to 100M devices	2 to 100 institutions
Client availability	Intermittent, unreliable	Almost always online
Data size per node	Very small	Very large
Communication cost	Very expensive (cellular)	Relatively cheap (dedicated links)
Threat model	Many honest-but-curious clients	Trusted institutions
Frameworks	TensorFlow Federated, Flower	NVIDIA FLARE, Flower, OpenFL

2.3 The Non-IID Challenge

The biggest difficulty in federated learning is that each client's data distribution is different (non-IID). One hospital sees pediatric patients, another sees the elderly. Plain FedAvg often diverges or loses substantial accuracy in this setting.

Variant algorithms that address this:

FedProx (Li et al., 2018) — adds a proximal term to the local update
SCAFFOLD (Karimireddy et al., 2020) — per-client variance reduction
FedNova (Wang et al., 2020) — normalises across local step counts
FedAdam / FedAdagrad / FedYogi (Reddi et al., 2021) — adaptive server-side optimisers

2.4 Secure Aggregation

One weakness of FedAvg — the server sees each client's w_t^k. Attacks that reverse-engineer training data from model weights (model inversion, gradient leakage) are possible. Secure Aggregation (Bonawitz et al., 2017) was designed to prevent that.

The core idea — each client adds a secret mask to its weights such that the masks of all clients cancel to zero in sum. The server only sees the sum, never an individual contribution.

3. Flower 1.13 — The Most Popular Open-Source FL Framework

3.1 The Rise of Flower

Flower (flower.ai) is an open-source FL framework started in 2020 by Daniel J. Beutel and Taner Topal. It was incorporated as Flower Labs Inc. in 2022 and raised a Series A in 2024-2025. As of May 2026, it sits at roughly 5,500 GitHub stars, making it one of the most active FL frameworks.

Flower's philosophy — framework-agnostic. PyTorch, TensorFlow, JAX, Scikit-learn, Hugging Face Transformers — any ML library can be wrapped as a client.

3.2 The Core Structure of Flower 1.13

Flower 1.13 (released late 2025) is built from three components.

ServerApp — global training logic (which clients to pick, which aggregation algorithm to run)
ClientApp — client-side training/evaluation logic
SuperLink + SuperNode — the communication backbone between server and clients

# Flower 1.13 ClientApp example
from flwr.client import ClientApp, NumPyClient
from flwr.common import Context

class FlowerClient(NumPyClient):
    def __init__(self, net, trainloader, valloader):
        self.net = net
        self.trainloader = trainloader
        self.valloader = valloader

    def get_parameters(self, config):
        return [val.cpu().numpy() for _, val in self.net.state_dict().items()]

    def set_parameters(self, parameters):
        params_dict = zip(self.net.state_dict().keys(), parameters)
        state_dict = {k: torch.tensor(v) for k, v in params_dict}
        self.net.load_state_dict(state_dict, strict=True)

    def fit(self, parameters, config):
        self.set_parameters(parameters)
        train(self.net, self.trainloader, epochs=1)
        return self.get_parameters(config={}), len(self.trainloader.dataset), {}

    def evaluate(self, parameters, config):
        self.set_parameters(parameters)
        loss, acc = test(self.net, self.valloader)
        return float(loss), len(self.valloader.dataset), {"accuracy": float(acc)}

def client_fn(context: Context):
    partition_id = context.node_config["partition-id"]
    net = Net()
    trainloader, valloader = load_data(partition_id)
    return FlowerClient(net, trainloader, valloader).to_client()

app = ClientApp(client_fn=client_fn)

3.3 The Simulation Engine

A powerful Flower feature is its simulation mode. Without any real distributed setup, you can simulate thousands of virtual clients on a single machine. Ray is the backend, distributing GPU resources efficiently.

from flwr.simulation import run_simulation

run_simulation(
    server_app=server_app,
    client_app=client_app,
    num_supernodes=100,  # 100 virtual clients
    backend_config={"client_resources": {"num_cpus": 2, "num_gpus": 0.1}}
)

This is the reason researchers love Flower — they can quickly verify the effect of an algorithm change.

3.4 Flower Strategies

Flower ships more than thirty aggregation strategies out of the box.

FedAvg, FedAdagrad, FedYogi, FedAdam, FedProx
FedAvgM (Momentum), FedTrimmedAvg, FedMedian
Krum, Bulyan (Byzantine-robust)
FedXgbBagging, FedXgbCyclic (XGBoost-specific)
DifferentialPrivacyClientSideAdaptiveClipping (built-in DP)

4. NVIDIA FLARE — The Enterprise FL Standard

4.1 Where FLARE Sits

NVIDIA FLARE (Federated Learning Application Runtime Environment) is the FL framework NVIDIA announced in 2021 alongside its healthcare-AI subsidiary Clara. As of May 2026 it ships as the 2.5.x series under the Apache 2.0 license.

FLARE's target is clear — enterprise, especially healthcare and finance cross-silo FL. If Flower's strength is "flexibility and simulation," FLARE's strength is "operational stability, security, and audit trails."

4.2 Hub-and-Spoke Architecture

FLARE uses a hub-and-spoke communication model between the central FL Server and multiple FL Clients. All communication is mTLS-encrypted, and each site authenticates with PKI-issued certificates.

                +---------------+
                | FL Server     |
                | (Hub)         |
                | Aggregator    |
                +-------+-------+
                        |
        +---------------+---------------+
        |               |               |
    +---+---+       +---+---+       +---+---+
    |Site A |       |Site B |       |Site C |
    |Hospital|     |Hospital|     |Hospital|
    +-------+       +-------+       +-------+

4.3 The BraTS Medical Consortium

FLARE's most famous success story is BraTS (Brain Tumor Segmentation Challenge) Federated. 71 medical institutions across the US, Europe, and Asia jointly trained a brain-tumour segmentation model (Pati et al., Nature Communications, 2022). The accuracy improved on average by 6% over single-institution models, and not one patient image left any institution.

That case marked the moment FL crossed from "theory" into "clinical reality."

4.4 Key FLARE Features

Job Submission — package a training run, submit to the server, admin approves and runs it
Provisioning — auto-generate per-site certificates, configs, security policies
Privacy Filters — automatically apply DP noise, gradient clipping, etc. before weights leave the client
POC (Proof of Concept) Mode — quickly simulate multi-site behaviour locally
NVFlare Dashboard — visualise training progress, metrics, and security events

# FLARE Controller (server side) example
from nvflare.app_common.workflows.fedavg import FedAvg
from nvflare.job_config.fed_job import FedJob

job = FedJob(name="brats_seg")
controller = FedAvg(num_clients=10, num_rounds=20)
job.to_server(controller)
job.to_clients(executor=BraTSExecutor())
job.export("./jobs/brats_seg")

5. TensorFlow Federated (TFF) — Google's Simulation-First Approach

5.1 TFF's Identity

TensorFlow Federated (TFF) is the FL library Google open-sourced in 2019. It has a different flavour than Flower or FLARE — TFF is closer to a language for expressing the mathematical definition of federated algorithms. The main use case is algorithm simulation and research, not actual distributed deployment.

5.2 Two Layers

Federated Core (FC) — low-level operators such as federated_computation, federated_map, federated_aggregate
Federated Learning (FL) API — high-level APIs like FedAvg, FedSGD

import tensorflow_federated as tff

@tff.federated_computation
def get_average_temperature(client_temperatures):
    return tff.federated_mean(client_temperatures)

Thanks to this declarative form, TFF is well-suited to mathematical analysis of communication cost, convergence, and DP guarantees.

5.3 Limits and Position

TFF is strong on simulation but hard to actually deploy onto mobile devices. Inside Google, a separate production system (Federated Compute, Federated Compute Platform) drives real services like Gboard. As of 2026 TFF is largely used in academic research, and industry adoption has lagged behind Flower and FLARE.

6. PySyft 0.9 and OpenMined — Structured Transparency

6.1 OpenMined's Vision

OpenMined is a non-profit open-source community started by Andrew Trask in 2017. Its slogan is "Answer questions using data you cannot see." That one sentence captures the essence of PPML.

OpenMined's flagship project is PySyft. PySyft is not merely an FL library — it is a "structured transparency" framework.

6.2 Structured Transparency

Classical data analytics — the analyst gets a copy of the data and crunches it on their own server. The data owner cannot control what the analyst does.

PySyft's model — the data stays on the data owner's Domain Server, and the data scientist sends a request that says "may I apply this function to your data?" The owner reviews the function and returns only the result (optionally with DP noise applied).

+----------------+                       +------------------+
| Data Scientist |                       | Data Owner       |
| (Jane)         |  1. submit code +    | (Hospital)       |
|                |     data reference   |                  |
|                | --------------------> | Domain Server    |
|                |                       | (data here)      |
|                |  2. review/run/      |                  |
|                |     return result    |                  |
|                | <-------------------- |                  |
+----------------+                       +------------------+

6.3 Core Concepts of PySyft 0.9

Domain — a server operated by a data owner. Data, policies, and result archive
Code Request — a function submitted by the data scientist. Runs once the owner approves
Privacy Budget — a per-user DP-epsilon allowance
Mock Data — synthetic data sharing the schema of the real data. The analyst writes and debugs code against the mock, never the real data

import syft as sy

# Data owner side
domain = sy.orchestra.launch(name="hospital", port=8081)
client = domain.login(email="admin@hospital.org", password="...")

# Upload real data to the domain, auto-generate mock data
asset = sy.Asset(name="patient_mri", data=real_data, mock=mock_data)
dataset = sy.Dataset(name="MRI Study 2026", asset_list=[asset])
client.upload_dataset(dataset)

# Data scientist side
ds_client = sy.login(url="https://hospital.openmined.org", email="researcher@univ.edu", password="...")
mri_mock = ds_client.datasets[0].assets[0].mock

@sy.syft_function_single_use(mri=mri_mock)
def compute_tumor_volume(mri):
    return mri.mean()  # in real life, a much more complex ML model

ds_client.code.request_code_execution(compute_tumor_volume)
# Once the owner approves, it runs against real data and returns only the result

6.4 The OpenMined Ecosystem

Beyond PySyft, OpenMined ships a range of tools.

PyDP — Python bindings for the Google DP Library
PSI (Private Set Intersection) — computes the intersection of two parties' datasets without revealing anything else
TenSEAL — Python bindings for Microsoft SEAL, FHE tensor operations
HAGrid — deployment tooling for PySyft Domain clusters

7. Differential Privacy Basics — Epsilon and Delta

7.1 The Mathematical Definition of DP

A randomised algorithm M is (eps, delta)-DP if, for any two datasets D and D' that differ in one person's data, and for every output set S:

P[M(D) in S] <= exp(eps) * P[M(D') in S] + delta

Intuitively — the smaller eps, the less one person's data influences the result. The delta term is the probability that the guarantee breaks.

Typical values — eps somewhere between 0.1 and 10, delta around 1/n^1.5 where n is the dataset size.

7.2 The Laplace and Gaussian Mechanisms

The simplest DP mechanism — add noise to the answer.

True query: f(D) = average height (cm)
DP answer:  f(D) + Lap(sensitivity / eps)
            or
            f(D) + N(0, sigma^2)

Sensitivity is the maximum amount the function value can change when one person's data is added or removed. The noise scale is proportional to sensitivity / eps.

7.3 Composition

When several DP queries hit the same dataset, the privacy loss accumulates. Basic composition — sum the eps values. Advanced composition — about sqrt(k * log(1/delta)) * eps. Advanced accounting techniques such as Renyi DP and zCDP yield tighter bounds.

7.4 Apple's DP Adoption (2017)

Starting with iOS 10 (2016), Apple applied Local DP to keyboard usage statistics, emoji frequencies, and Safari crash reports. Local DP adds noise on the user device before the data leaves. Apple's epsilon settings are relatively loose (around 4-8), but the guarantee is that no plaintext data ever reaches the server.

This was one of the first cases of DP moving from academic concept to big-tech operations tool.

7.5 US Census 2020

The US Census Bureau applied (eps=19.61) Central DP to its 2020 census release. The guarantee that one household swap barely changes any statistic. There was loud academic debate (the accuracy-vs-privacy tradeoff), but it cemented DP as a standard for official statistics.

8. Opacus 1.5 — Meta's PyTorch DP Library

8.1 The DP-SGD Algorithm

The canonical way to apply DP to ML training is DP-SGD (Differentially Private Stochastic Gradient Descent) (Abadi et al., 2016). Two key differences from vanilla SGD — per-sample gradient clipping and added noise.

For each minibatch:
  for each sample x_i in batch:
    g_i = compute gradient of L(theta, x_i)
    g_i = g_i * min(1, C / ||g_i||)   # per-sample clipping
  g_bar = (sum g_i + N(0, sigma^2 * C^2 * I)) / batch_size
  theta = theta - lr * g_bar

This way, the influence of any single sample on the final model is masked by the sigma noise.

8.2 Opacus Arrives

Opacus is the PyTorch DP library that Meta (then Facebook) AI Research released in 2020. Its core value proposition was turning any standard PyTorch optimiser into DP-SGD with one line of code.

import torch
from opacus import PrivacyEngine

model = MyModel()
optimizer = torch.optim.SGD(model.parameters(), lr=0.05)
data_loader = torch.utils.data.DataLoader(...)

privacy_engine = PrivacyEngine()
model, optimizer, data_loader = privacy_engine.make_private_with_epsilon(
    module=model,
    optimizer=optimizer,
    data_loader=data_loader,
    target_epsilon=2.0,
    target_delta=1e-5,
    epochs=20,
    max_grad_norm=1.0,
)

# Train as usual from here
for epoch in range(20):
    for x, y in data_loader:
        optimizer.zero_grad()
        loss = criterion(model(x), y)
        loss.backward()
        optimizer.step()

print(f"Final eps: {privacy_engine.get_epsilon(delta=1e-5)}")

8.3 Opacus 1.5 Improvements (2025-2026)

GPU-efficient per-sample gradients — GhostClip, Functorch integration
LLM fine-tuning support — LoRA-based DP fine-tuning
Distributed DP-SGD — correct privacy accounting across multi-GPU/multi-node training
RDP/zCDP accountants — tighter epsilon calculations

8.4 The Accuracy Cost of DP-SGD

DP-SGD is not free. Hitting a strong privacy budget like eps=1-3 typically drops accuracy by 1-5 percentage points. More data, larger batches, and longer training are the key prescriptions for reducing that cost.

9. OpenDP 0.10 — Harvard's Rust-Backed DP Core

9.1 What Makes OpenDP Different

OpenDP is a joint project from Harvard University and Microsoft that aims for a mathematically verified DP-mechanism library. While Opacus focuses on "applying DP to ML training," OpenDP focuses on "applying DP to statistical queries, analytics, and data releases."

At the core of OpenDP is a Rust-implemented set of mechanisms with Python/R bindings. It tries to grab memory safety and mathematical correctness at the same time.

9.2 The OpenDP Builder Pattern

import opendp.prelude as dp
dp.enable_features("contrib")

# Compute a mean under eps=1.0
input_domain = dp.vector_domain(dp.atom_domain(T=float, bounds=(0.0, 200.0)))
input_metric = dp.symmetric_distance()

trans_mean = (
    input_domain >> input_metric >>
    dp.t.then_clamp((0.0, 200.0)) >>
    dp.t.then_sum() >>
    dp.t.then_division_with_size(n=1000)
)
meas = trans_mean >> dp.m.then_laplace(scale=0.2)

heights = [165.0, 170.5]  # user height list
private_mean = meas(heights)
print(f"DP mean height: {private_mean}, eps spent: {meas.map(d_in=1)}")

OpenDP objects split into Transformations and Measurements, each of which carries a mathematically proven privacy/stability boundary.

9.3 PSI Integration and SmartNoise

OpenDP also acts as the backend for Microsoft's SmartNoise SDK. SmartNoise applies DP automatically to SQL queries — analysing WHERE / GROUP BY / JOIN to compute sensitivity and add noise correctly.

10. Google DP Library and JAX-Privacy

10.1 Google DP Library

In 2019 Google open-sourced its own C++ Differential Privacy Library. Core primitives include the Laplace and Gaussian mechanisms, BoundedSum, BoundedMean, Count, Quantile, and so on. There are Go, Java, C++, and Python bindings, and PipelineDP — an Apache Beam-based distributed DP processor.

import pipeline_dp

# DP statistics inside an Apache Beam pipeline
dp_engine = pipeline_dp.DPEngine(
    pipeline_dp.NaiveBudgetAccountant(total_epsilon=1.0, total_delta=1e-7),
    pipeline_dp.BeamBackend(),
)
params = pipeline_dp.AggregateParams(
    metrics=[pipeline_dp.Metrics.COUNT, pipeline_dp.Metrics.MEAN],
    max_partitions_contributed=3,
    max_contributions_per_partition=2,
)
dp_result = dp_engine.aggregate(pcollection, params, data_extractors)

10.2 JAX-Privacy

DeepMind's JAX-based DP library. For training large models (especially LLMs), its vectorisation is more efficient than Opacus. In 2024-2025 DeepMind published multiple DP language-model results trained with JAX-Privacy.

10.3 Google RAPPOR

The first large-scale industrial deployment of Local DP. Chrome wanted to collect statistics on which homepage users set as default, while adding bit-level noise so the server could never learn any individual answer. Published in 2014.

11. Homomorphic Encryption Concepts — CKKS, BFV, TFHE

11.1 The FHE Promise

Fully Homomorphic Encryption (FHE) is a cryptosystem with the property that performing computations directly on ciphertexts, then decrypting the result, yields the same value as if the computation had been performed on the plaintext. The possibility was raised by Rivest et al. in 1978, and the first concrete construction was published by Craig Gentry in 2009.

The FHE promise — the client encrypts its data and sends it to the server, the server runs the computation without ever seeing the data, and returns an encrypted result. Only the client can decrypt. The ultimate computation outsourcing.

11.2 The Major Schemes

Scheme	Trait	Suitable workloads
BGV (2012)	Integer plaintext	Integer arithmetic, SQL aggregates
BFV (2012)	Integer plaintext, polynomial slots	SIMD integer ops
CKKS (2017)	Approximate floating point	ML inference, statistics
TFHE (2016)	Bit-level, fast bootstrapping	Arbitrary circuits, comparisons, branches
FHEW (2014)	Predecessor of TFHE	Single-bit operations

ML inference typically uses CKKS (floating-point, approximate) or TFHE (arbitrary circuits).

11.3 Bootstrapping

The core FHE challenge — noise accumulates with every operation until the ciphertext can no longer be decrypted. Bootstrapping is the magical trick of passing a ciphertext through the circuit that decrypts itself, resetting the noise. Very expensive (milliseconds to seconds), but enables arbitrary-depth circuits.

TFHE bootstraps fast (milliseconds) and uses "Programmable Bootstrapping (PBS)" — bootstrapping after every gate. That is the core of Zama Concrete.

12. Zama Concrete — A New Era for FHE Compilers

12.1 Zama and Concrete

Zama is an FHE-focused company founded in Paris in 2020. CEO Rand Hindi, CTO Pascal Paillier (yes, the Paillier of Paillier encryption). They raised 73 million USD in a Series A in 2024. The flagship product is the Concrete FHE compiler.

Traditional FHE libraries (SEAL, OpenFHE) offered low-level APIs in the spirit of "please rewrite this function as FHE primitives by hand." Zama Concrete's revolution — automatically compile regular Python/Rust code to FHE.

12.2 Concrete Python

from concrete import fhe

@fhe.compiler({"x": "encrypted", "y": "encrypted"})
def add_mul(x, y):
    return (x + y) * 2

inputset = [(i, i) for i in range(10)]
circuit = add_mul.compile(inputset)

# Generate keys
circuit.keygen()

# Client side — encrypt input
encrypted_input = circuit.encrypt(5, 7)

# Server side — run on ciphertext
encrypted_result = circuit.run(encrypted_input)

# Client side — decrypt
decrypted = circuit.decrypt(encrypted_result)
print(decrypted)  # 24

This simplicity is Zama's strength. Developers do not need to understand the FHE maths.

12.3 Concrete-ML

The high-level library that compiles ML models to FHE. It exposes a scikit-learn-compatible API.

from concrete.ml.sklearn import LogisticRegression as ConcreteLogReg
from sklearn.datasets import load_iris

X, y = load_iris(return_X_y=True)
model = ConcreteLogReg(n_bits=8)
model.fit(X, y)

# Compile into an FHE circuit
model.compile(X)

# Inference in plaintext
y_pred = model.predict(X)

# Inference in FHE
y_pred_fhe = model.predict(X, fhe="execute")

Supported models — Linear and Logistic Regression, Random Forest, XGBoost, Decision Trees, small neural networks. In 2025-2026 partial FHE inference for transformer models like ViT (especially the attention layers) appeared as demos.

12.4 TFHE-rs

TFHE-rs, Concrete's backend, is a Rust implementation of TFHE. GPU acceleration was added in 2025, and it supports both boolean and integer arithmetic.

use tfhe::{ConfigBuilder, generate_keys, FheUint8, prelude::*};

let config = ConfigBuilder::default().build();
let (client_key, server_key) = generate_keys(config);
set_server_key(server_key);

let a = FheUint8::encrypt(150u8, &client_key);
let b = FheUint8::encrypt(100u8, &client_key);

let sum = &a + &b;
let decrypted: u8 = sum.decrypt(&client_key);

12.5 fhEVM — FHE on a Blockchain

Another interesting Zama project is fhEVM — an Ethereum-compatible EVM extended with FHE datatypes (euint8, ebool, etc.). Confidential transactions, confidential voting, and confidential DeFi become possible inside smart contracts.

13. Microsoft SEAL, IBM HElib, OpenFHE, Lattigo

13.1 Microsoft SEAL 4.1

A C++ HE library from Microsoft Research. Supports BFV and CKKS. Version 4.1 shipped in 2024, and it has been one of the long-standing academic and industrial standards. The popular Python binding is OpenMined's TenSEAL.

13.2 IBM HElib

A BGV/CKKS library that IBM Research has developed since 2013. Famous for its bootstrapping optimisations. Shai Halevi and Victor Shoup are the driving forces.

13.3 OpenFHE 1.2 (the former PALISADE)

In 2022, the PALISADE project relaunched as a broader collaboration. It covers BFV, BGV, CKKS, FHEW, and TFHE — the most comprehensive library available. Duality Technologies, Intel, Samsung, NJIT, and others are contributors. As of May 2026, 1.2.x is the stable line.

13.4 Lattigo — A Go Library from Tune Insight, Switzerland

A Go-based HE library from Tune Insight, an EPFL spinoff. Supports BFV, CKKS, and Multiparty HE (multi-party keys). It performs well in the Go ecosystem.

13.5 Library Comparison

Library	Language	Main schemes	Strengths
Microsoft SEAL	C++	BFV, CKKS	Maturity, documentation, de-facto standard
OpenFHE	C++	Nearly every scheme	Coverage, academic collaboration
HElib	C++	BGV, CKKS	Bootstrapping optimisations
TFHE-rs	Rust	TFHE	Concrete backend, GPU support
Lattigo	Go	BFV, CKKS, MHE	Go ecosystem, multi-party
TenSEAL	Python	CKKS, BFV	SEAL bindings, OpenMined

14. Secure Multi-Party Computation Concepts

14.1 Yao's Garbled Circuits (1986)

Andrew Yao's millionaires' problem — "two millionaires want to know which of them is richer, without revealing their actual fortunes." Yao proposed a 2-party protocol in which one party turns a boolean circuit into a "garbled" form, the other party evaluates the circuit, and inputs flow through oblivious transfer.

14.2 The GMW Protocol (1987)

Goldreich, Micali, and Wigderson proposed a secret-sharing MPC that works for any number of parties (n-party). Each bit is split as an XOR-based secret share, and AND/XOR gates are computed on those shares.

14.3 SPDZ (2012) and Its Descendants

SPDZ (Damgard et al., 2012) is an MPC protocol robust against malicious adversaries. A preprocessing phase generates correlated randomness like Beaver triples, allowing fast online computation. Variants like SPDZ2, MASCOT, and Overdrive followed.

14.4 Threat Models

Semi-honest (honest-but-curious) — parties follow the protocol but try to extract information from messages. The weakest model.
Malicious — parties can deviate arbitrarily. The strongest requirement.
Covert — a deviator is detected with some probability, which is good enough.

15. CrypTen, MP-SPDZ, EzPC — MPC Frameworks for PPML

15.1 CrypTen (Meta / Facebook)

A PyTorch-based MPC library released by Facebook AI Research in 2020. It wraps PyTorch tensors as secret-shared tensors so that ML workloads can be run almost unchanged over MPC.

import crypten
import torch

crypten.init()

# Each party builds its own tensor
x_party0 = torch.tensor([1.0, 2.0, 3.0])

# Convert to a CrypTen tensor (auto secret-shared)
x_enc = crypten.cryptensor(x_party0, src=0)
y_enc = crypten.cryptensor([4.0, 5.0, 6.0], src=1)

# Compute over MPC
z_enc = x_enc + y_enc

# Reveal the result (both sides must agree)
z = z_enc.get_plain_text()
print(z)  # tensor([5., 7., 9.])

CrypTen intentionally only supports semi-honest security. Fast and easy in exchange for assuming nobody lies.

15.2 MP-SPDZ

An MPC framework led by Marcel Keller at the University of Bristol. It supports over thirty protocols (semi-honest, malicious, dishonest majority, honest majority) and is effectively an MPC encyclopaedia. Widely used as the academic benchmark.

15.3 EzPC (Microsoft Research India)

EzPC stands for "Easy Secure Multi-party Computation." It compiles C-style code into secure 2-party protocols. CrypTFlow is the ML compiler built on top, translating TensorFlow models into MPC. In 2023-2025, follow-ups like SIGMA and BumbleBee — MPC inference for transformers like BERT — appeared.

15.4 MPC's Communication-Cost Problem

The biggest MPC cost is communication, not compute. Each AND gate needs an oblivious-transfer round, which accumulates millisecond RTTs. As a result, MPC ML inference can be 100x to 10,000x slower than plaintext inference on the same model.

16. TEE — The Path of Hardware Isolation

16.1 Intel SGX and Its Crisis

Intel Software Guard Extensions (SGX) is an x86 instruction-set extension introduced in 2015. It creates an isolated enclave inside the CPU that protects code and data from the host OS, the hypervisor, and even BIOS. For a while it was the standard for confidential computing.

But after 2018 a string of side-channel vulnerabilities (Foreshadow, Spectre, Plundervolt, AEPIC Leak) chipped away at SGX's security model. Intel began removing SGX from client CPUs in 2021, while strengthening remote attestation in server CPUs via SGX-DCAP.

16.2 AMD SEV-SNP

AMD's Secure Encrypted Virtualization-Secure Nested Paging encrypts whole VMs. Where SGX is enclave-granular, SEV is VM-granular. The confidential-VM offerings on AWS, Azure, and GCP are built on SEV-SNP.

16.3 Apple Private Cloud Compute (2024)

PCC, which Apple announced at WWDC 2024, is one of the most ambitious TEE systems ever attempted. Key ideas —

Custom Apple Silicon servers — the Secure Enclave manages keys
Stateless nodes — all data is discarded after a request; nothing is persisted
Code transparency — the hash of every line of code running on the nodes is published to a public transparency log
End-to-end attestation — the user's device verifies measurements from the PCC node
No privileged access — not even Apple employees can read data inside a node

From 2025, certain large-model Apple Intelligence requests are routed through PCC. User data can travel to Apple's servers — but Apple cannot see it.

16.4 AWS Nitro Enclaves

Isolated virtual machines built on top of the AWS Nitro hypervisor. A subset of an EC2 instance's vCPUs and memory is carved off as the enclave, communicating with the parent EC2 only through vsock. The Nitro Security Module integrates with KMS to release keys based on attestation. Popular for confidential workloads in healthcare and finance.

16.5 NVIDIA H100/H200 Confidential Compute

From 2023, NVIDIA GPUs gained confidential-computing features. On H100/H200, the CPU side runs in SEV-SNP/TDX and the GPU runs in its own confidential mode with encrypted GPU memory. This is the first generation of GPUs on which you can run LLM inference inside a TEE.

17. Real Deployments — From Big Tech to Korean and Japanese Banks

17.1 Google Gboard

The most famous FL case. The Android Gboard keyboard improves its next-word prediction, emoji suggestion, and speech-recognition models without sending typing data to a server. Every day millions of devices participate in training during overnight charging. Secure Aggregation also protects individual gradients.

17.2 Apple

FL for Siri speech recognition improvements
Local DP for emoji suggestion
From 2024, Apple Intelligence and PCC

17.3 BraTS Federated and Healthcare

The NVIDIA FLARE-based BraTS Federated trained a brain-tumour segmentation model across 71 medical institutions (Pati et al., 2022). NVIDIA Clara FL went on to produce a string of collaborative-learning cases — chest X-ray, pathology, COVID diagnosis.

17.4 MELLODDY

A federated-learning project that ran from 2019 to 2022 among ten global pharma companies (Janssen, Bayer, GSK, Novartis, AstraZeneca, and others), funded by the Innovative Medicines Initiative (IMI). They jointly trained drug-target activity prediction models without sharing chemical-compound data. Final model accuracy exceeded single-company models, and not a single byte of data left any company.

17.5 FL/MPC in Korean Banking

Between 2023 and 2025 in Korea, the pseudonymous-information-combining system and the "specialised data-combination institution" regime became operational, and FL and MPC entered the financial sector in practice.

Shinhan, Kookmin, and Woori Bank collaborate on credit-scoring models through specialised institutions (KFTC, NICE) that perform pseudonymised data combination.
Naver Cloud offers an FL platform for financial institutions.
Telcos (SKT, KT, LGU+) and card companies use PSI-based ad-effect measurement.

17.6 Japan's NTT R&D and Finance

NTT Research has explored BFV-based HE for collaborative fraud detection across Japanese banks in PoC. Under APPI, joint analysis using pseudonymised data is permitted, but adding HE/MPC on top creates an additional protection layer. In 2024-2025, NTT Data, Mitsubishi UFJ, Mizuho, and others have run various PoCs.

GDPR Article 25 (data protection by design and by default) effectively endorses PPML techniques. Read together with Article 32 (security), it becomes an obligation to "apply pseudonymisation, encryption, and anonymisation where appropriate."

Recital 26 — "anonymised data is not subject to GDPR" — matters even more. Well-applied DP or FHE could meaningfully reduce GDPR obligations (the legal reading depends on the case).

18.2 HIPAA Safe Harbor and Expert Determination

US HIPAA defines two paths for de-identifying healthcare data. (1) Safe Harbor — remove 18 identifiers. (2) Expert Determination — a statistical expert's risk assessment. DP-based de-identification is increasingly accepted via the Expert Determination route.

18.3 The EU AI Act and PPML

The EU AI Act, in force since 2024, imposes data-governance (Article 10), robustness and accuracy (Article 15), and human-oversight (Article 14) requirements on high-risk AI (healthcare, hiring, credit, law enforcement, education). The data-governance requirements create a strong incentive to adopt PPML techniques.

18.4 Korea's PIPA and Pseudonymised Information

The 2020 revision of Korea's Personal Information Protection Act (PIPA) introduced the concept of pseudonymised information — data processed so that no individual can be identified without additional information. It can be used for statistical reporting, scientific research, and public-interest archiving without consent. PIPC (the Personal Information Protection Commission) publishes the standards, and techniques like k-anonymity, l-diversity, and t-closeness are used. DP began appearing among recommended techniques in 2023.

18.5 Japan's APPI

Japan's APPI, in its 2022 revision, clarified two concepts — anonymised processed information and pseudonymised processed information. Anonymised processed information may be shared with third parties without consent; pseudonymised processed information may only be used internally. PPC (the Personal Information Protection Commission) publishes the guidelines.

18.6 Side-by-Side

Regulation	Region	Key PPML-relevant articles
GDPR	EU	Art 25 (by design), Recital 26 (anonymisation)
HIPAA	US	Safe Harbor, Expert Determination
EU AI Act	EU	Art 10 (data governance), high-risk AI
CCPA/CPRA	California	Sensitive Personal Information category
PIPA	Korea	Pseudonymised information, combination institutions
APPI	Japan	Anonymised / pseudonymised processed information
PIPL	China	Separate consent, cross-border security assessment

19. A PPML Adoption Checklist — Where to Start

19.1 Define the Threat Model

First, decide who you are protecting what from.

Training data versus external attackers — DP is central
Your own data versus other collaborating institutions — FL + Secure Aggregation
All data/models versus the cloud provider — TEE or FHE
Raw data versus the analyst — structured transparency like PySyft

19.2 The Accuracy / Privacy / Efficiency Triangle

PPML techniques are inherently tradeoffs.

Technique	Accuracy impact	Communication/compute cost	Security strength
Plain FL (no SecAgg)	Negligible	Medium	Low
FL + SecAgg	Negligible	Medium	Medium
FL + DP	1-5pp loss	Medium	High
MPC inference	Negligible	Very high	Very high
FHE inference	Negligible (CKKS approximates)	Extremely high	Very high
TEE	None	Almost none	Hardware-trust assumption

19.3 Recommended Starting Points

Small collaborations — Flower (simulation then deployment)
Healthcare / finance consortia — NVIDIA FLARE
DP training — Opacus (if you are already in PyTorch)
DP statistical releases — OpenDP / SmartNoise / PipelineDP
Cloud LLM-inference protection — TEE (Apple PCC pattern), confidential VMs
Encrypted inference — Concrete-ML (easy) or SEAL/OpenFHE (advanced)

19.4 Operational Concerns

The DP accountant must accumulate across runs. Per-dataset epsilon-budget policy is mandatory.
Make sure model serialisation does not leak client-identifying metadata.
Keep attestation logs — when you use a TEE, you must be able to audit which code and firmware version ran.
Delegate key management to KMS or HSM. If an FHE secret key leaks, the entire system collapses.

20. The 2026 Outlook — Will PPML Become the Default?

20.1 LLMs Redefine PPML

ChatGPT, Claude, Gemini, and the problem of "the model sees your input" rekindled mainstream attention on PPML in 2024-2026. Apple PCC is the first large-scale operational example, and other big-tech players are building similar confidential AI infrastructure. As of May 2026 —

Microsoft Azure Confidential AI — SEV-SNP plus GPU TEE
Google Cloud Confidential GKE — AMD SEV / Intel TDX
AWS Nitro Enclaves plus EC2 H100 confidential instances
Anthropic Constellation (Confidential Workloads)

20.2 FHE Acceleration Hardware

ASICs are emerging to close the 100x-10,000x FHE performance gap.

Optalysys (UK) — optical FHE accelerator
Cornami — FHE-specific chip
Niobium Microsystems — DARPA DPRIVE programme ASIC
Intel Centaurus (DARPA DPRIVE)

If these mature into production, FHE cost could drop by 10x to 100x.

20.3 ZK + FHE + MPC Converge

zk-SNARK technology matured rapidly thanks to blockchain. Systems combining it with FHE and MPC are appearing — zkML, FHE on chain (fhEVM), MPC with attested integrity. The line between PPML and web3 is blurring.

20.4 Standardisation Efforts

IEEE P3652.1 — FL standard
ISO/IEC 27559 — de-identification guidance
ISO/IEC 4922 — Secure Multi-Party Computation
IETF PPM (Privacy Preserving Measurement) — Prio3 and related LSPS standards

20.5 Market Size

Markets and Markets, Gartner, and IDC estimate that the combined PPML/Confidential Computing market will reach roughly USD 10 billion by 2026, growing at a CAGR above 50%. The biggest driver is input-privacy demand from the LLM era.

20.6 Closing — An Era When Data Does Not Move

A decade ago, the "big data" mantra was "collect the data." In 2026, the PPML mantra is the opposite — "leave the data in place, and bring only the answer." Federated Learning moves the model, Differential Privacy adds safety to the answer, Homomorphic Encryption produces answers in cipher, MPC makes parties collaborate, and TEEs use hardware isolation to enforce all of it.

These five techniques are not mutually exclusive. Real systems usually combine two or three — FL + DP + Secure Aggregation, TEE + FHE, MPC + DP. Which mix is correct depends on the threat model, accuracy requirements, communication budget, and regulatory environment.

What is clear — an era in which we collaborate, train, and infer without moving data has already begun.

References

Flower Labs - https://flower.ai/
Flower 1.13 Documentation - https://flower.ai/docs/framework/
NVIDIA FLARE GitHub - https://github.com/NVIDIA/NVFlare
NVIDIA FLARE Documentation - https://nvflare.readthedocs.io/
TensorFlow Federated - https://www.tensorflow.org/federated
OpenMined PySyft - https://github.com/OpenMined/PySyft
OpenMined.org - https://www.openmined.org/
Opacus (PyTorch DP) - https://opacus.ai/
OpenDP - https://opendp.org/
Google DP Library - https://github.com/google/differential-privacy
Microsoft SmartNoise - https://smartnoise.org/
Zama Concrete - https://www.zama.ai/concrete
Concrete-ML - https://docs.zama.ai/concrete-ml
TFHE-rs - https://github.com/zama-ai/tfhe-rs
Microsoft SEAL - https://github.com/microsoft/SEAL
OpenFHE - https://www.openfhe.org/
IBM HElib - https://github.com/homenc/HElib
Lattigo - https://github.com/tuneinsight/lattigo
CrypTen (Facebook) - https://crypten.ai/
MP-SPDZ - https://github.com/data61/MP-SPDZ
EzPC (Microsoft Research) - https://github.com/mpc-msri/EzPC
Apple Private Cloud Compute - https://security.apple.com/blog/private-cloud-compute/
AWS Nitro Enclaves - https://aws.amazon.com/ec2/nitro/nitro-enclaves/
Confidential Computing Consortium - https://confidentialcomputing.io/
McMahan et al., FedAvg (2017) - https://arxiv.org/abs/1602.05629
Abadi et al., DP-SGD (2016) - https://arxiv.org/abs/1607.00133
Pati et al., BraTS Federated (Nature Communications 2022) - https://www.nature.com/articles/s41467-022-33407-5
EU AI Act - https://artificialintelligenceact.eu/
Korea PIPA - https://www.pipc.go.kr/
Japan APPI / PPC - https://www.ppc.go.jp/