To address the challenge of jointly ensuring privacy preservation and communication reliability in wireless federated learning (WFL), this paper proposes, for the first time, a channel-native bit-flip differential privacy (DP) mechanism. It models the inherent wireless channel noise together with controllable bit flips at the transmitter as a natural (λ, ε)-Rényi DP source, eliminating the need for additional noise injection. To prevent catastrophic errors caused by bit flips in IEEE 754 floating-point sign or exponent fields, we design a lightweight floating-point-to-fixed-point parameter encoding scheme that transmits only the mantissa bits. We theoretically prove that the proposed mechanism satisfies Rényi DP while preserving WFL convergence guarantees. Experiments on CIFAR-10 and CIFAR-100 demonstrate that our approach achieves significantly stronger privacy (lower ε) and higher model accuracy compared to the Gaussian mechanism.

Inherent communication noises have the potential to preserve privacy for wireless federated learning (WFL) but have been overlooked in digital communication systems predominantly using floating-point number standards, e.g., IEEE 754, for data storage and transmission. This is due to the potentially catastrophic consequences of bit errors in floating-point numbers, e.g., on the sign or exponent bits. This paper presents a novel channel-native bit-flipping differential privacy (DP) mechanism tailored for WFL, where transmit bits are randomly flipped and communication noises are leveraged, to collectively preserve the privacy of WFL in digital communication systems. The key idea is to interpret the bit perturbation at the transmitter and bit errors caused by communication noises as a bit-flipping DP process. This is achieved by designing a new floating-point-to-fixed-point conversion method that only transmits the bits in the fraction part of model parameters, hence eliminating the need for transmitting the sign and exponent bits and preventing the catastrophic consequence of bit errors. We analyze a new metric to measure the bit-level distance of the model parameters and prove that the proposed mechanism satisfies (lambda,epsilon)-R'enyi DP and does not violate the WFL convergence. Experiments validate privacy and convergence analysis of the proposed mechanism and demonstrate its superiority to the state-of-the-art Gaussian mechanisms that are channel-agnostic and add Gaussian noise for privacy protection.