Preserving Privacy and Security in Federated Learning
Truc Nguyen, My T. Thai
TL;DR
This work tackles the dual challenge of protecting user privacy and defending against poisoning in federated learning by proposing a framework that couples secure aggregation with a zero-knowledge proof (ZKP) protocol. The approach moves attack detection to users via ZKPs, enabling the central server to verify that only attack-free updates contribute to the global model without learning any individual updates. It introduces a robust secure aggregation protocol based on threshold, additively homomorphic cryptosystems (Damgård–Jurik) and Pedersen commitments, with two-phase encryption/decryption and dropout tolerance, along with a KEM-DEM alternative for efficient encoding. A concrete use-case for backdoor defenses demonstrates the feasibility of attesting non-poisoned models while preserving privacy, and the authors provide detailed performance benchmarks and proofs of security. Overall, the framework advances privacy-preserving FL by enabling poisoning defense under realistic threat models, with practical implications for scalable, secure distributed learning.
Abstract
Federated learning is known to be vulnerable to both security and privacy issues. Existing research has focused either on preventing poisoning attacks from users or on concealing the local model updates from the server, but not both. However, integrating these two lines of research remains a crucial challenge since they often conflict with one another with respect to the threat model. In this work, we develop a principle framework that offers both privacy guarantees for users and detection against poisoning attacks from them. With a new threat model that includes both an honest-but-curious server and malicious users, we first propose a secure aggregation protocol using homomorphic encryption for the server to combine local model updates in a private manner. Then, a zero-knowledge proof protocol is leveraged to shift the task of detecting attacks in the local models from the server to the users. The key observation here is that the server no longer needs access to the local models for attack detection. Therefore, our framework enables the central server to identify poisoned model updates without violating the privacy guarantees of secure aggregation.
