Table of Contents
Fetching ...

Preserving Privacy and Security in Federated Learning

Truc Nguyen, My T. Thai

TL;DR

This work tackles the dual challenge of protecting user privacy and defending against poisoning in federated learning by proposing a framework that couples secure aggregation with a zero-knowledge proof (ZKP) protocol. The approach moves attack detection to users via ZKPs, enabling the central server to verify that only attack-free updates contribute to the global model without learning any individual updates. It introduces a robust secure aggregation protocol based on threshold, additively homomorphic cryptosystems (Damgård–Jurik) and Pedersen commitments, with two-phase encryption/decryption and dropout tolerance, along with a KEM-DEM alternative for efficient encoding. A concrete use-case for backdoor defenses demonstrates the feasibility of attesting non-poisoned models while preserving privacy, and the authors provide detailed performance benchmarks and proofs of security. Overall, the framework advances privacy-preserving FL by enabling poisoning defense under realistic threat models, with practical implications for scalable, secure distributed learning.

Abstract

Federated learning is known to be vulnerable to both security and privacy issues. Existing research has focused either on preventing poisoning attacks from users or on concealing the local model updates from the server, but not both. However, integrating these two lines of research remains a crucial challenge since they often conflict with one another with respect to the threat model. In this work, we develop a principle framework that offers both privacy guarantees for users and detection against poisoning attacks from them. With a new threat model that includes both an honest-but-curious server and malicious users, we first propose a secure aggregation protocol using homomorphic encryption for the server to combine local model updates in a private manner. Then, a zero-knowledge proof protocol is leveraged to shift the task of detecting attacks in the local models from the server to the users. The key observation here is that the server no longer needs access to the local models for attack detection. Therefore, our framework enables the central server to identify poisoned model updates without violating the privacy guarantees of secure aggregation.

Preserving Privacy and Security in Federated Learning

TL;DR

This work tackles the dual challenge of protecting user privacy and defending against poisoning in federated learning by proposing a framework that couples secure aggregation with a zero-knowledge proof (ZKP) protocol. The approach moves attack detection to users via ZKPs, enabling the central server to verify that only attack-free updates contribute to the global model without learning any individual updates. It introduces a robust secure aggregation protocol based on threshold, additively homomorphic cryptosystems (Damgård–Jurik) and Pedersen commitments, with two-phase encryption/decryption and dropout tolerance, along with a KEM-DEM alternative for efficient encoding. A concrete use-case for backdoor defenses demonstrates the feasibility of attesting non-poisoned models while preserving privacy, and the authors provide detailed performance benchmarks and proofs of security. Overall, the framework advances privacy-preserving FL by enabling poisoning defense under realistic threat models, with practical implications for scalable, secure distributed learning.

Abstract

Federated learning is known to be vulnerable to both security and privacy issues. Existing research has focused either on preventing poisoning attacks from users or on concealing the local model updates from the server, but not both. However, integrating these two lines of research remains a crucial challenge since they often conflict with one another with respect to the threat model. In this work, we develop a principle framework that offers both privacy guarantees for users and detection against poisoning attacks from them. With a new threat model that includes both an honest-but-curious server and malicious users, we first propose a secure aggregation protocol using homomorphic encryption for the server to combine local model updates in a private manner. Then, a zero-knowledge proof protocol is leveraged to shift the task of detecting attacks in the local models from the server to the users. The key observation here is that the server no longer needs access to the local models for attack detection. Therefore, our framework enables the central server to identify poisoned model updates without violating the privacy guarantees of secure aggregation.
Paper Structure (25 sections, 5 theorems, 7 equations, 9 figures, 3 algorithms)

This paper contains 25 sections, 5 theorems, 7 equations, 9 figures, 3 algorithms.

Key Result

Theorem 1

There exists a PPT simulator $\mathcal{S}$ such that for ${Adv} \subseteq \mathcal{U} \cup S$, the output of the simulator $\mathcal{S}$ is computationally indistinguishable from the output of $Adv$

Figures (9)

  • Figure 1: Secure framework for FL. Each user $u\in {\cal U}$ trains a local model $x_u$ that is used as an input to (1) User aggregation and (2) ZKP of attack-free model. The User aggregation component returns $\Bar{c} = E_{pk}(\sum_{u\in {\cal U}'} x_u)$ which is the encryption of the sum over the local models of honest users. The ZKP of attack-free model component returns the proof $\pi_u$ and the commitment $C(x_u)$ for each $x_u$. The outputs of these two component are then used by the central server as inputs to the Computing global model component. This component validates $\{\pi_u\}_{u\in{\cal U}}$, obtains the global model $\Bar{x}$ from $\Bar{c}$, checks if $C(\Bar{x})$ is consistent with $\{C(x_u)\}_{u\in{\cal U}}$, and then returns $\Bar{x}$.
  • Figure 2: User aggregation component
  • Figure 3: Zero-knowledge proof component
  • Figure 4: Computing global model component
  • Figure 5: KEM-DEM for PHE. $\oplus$ denotes a bitwise XOR operation.
  • ...and 4 more figures

Theorems & Definitions (9)

  • Theorem 1
  • proof
  • Lemma 1
  • proof
  • Theorem 2
  • Theorem 3
  • proof
  • Theorem 4
  • proof