FedLAP-DP: Federated Learning by Sharing Differentially Private Loss Approximations

TL;DR

This work proposes FedLAP-DP, a novel privacy-preserving approach for federated learning that presents a faster convergence speed compared to typical gradient-sharing methods and opens up the possibility of trading communication costs for better performance by sending a larger set of synthetic images.

Abstract

Conventional gradient-sharing approaches for federated learning (FL), such as FedAvg, rely on aggregation of local models and often face performance degradation under differential privacy (DP) mechanisms or data heterogeneity, which can be attributed to the inconsistency between the local and global objectives. To address this issue, we propose FedLAP-DP, a novel privacy-preserving approach for FL. Our formulation involves clients synthesizing a small set of samples that approximate local loss landscapes by simulating the gradients of real images within a local region. Acting as loss surrogates, these synthetic samples are aggregated on the server side to uncover the global loss landscape and enable global optimization. Building upon these insights, we offer a new perspective to enforce record-level differential privacy in FL. A formal privacy analysis demonstrates that FedLAP-DP incurs the same privacy costs as typical gradient-sharing schemes while achieving an improved trade-off between privacy and utility. Extensive experiments validate the superiority of our approach across various datasets with highly skewed distributions in both DP and non-DP settings. Beyond the promising performance, our approach presents a faster convergence speed compared to typical gradient-sharing methods and opens up the possibility of trading communication costs for better performance by sending a larger set of synthetic images. The source is available at \url{https://github.com/hui-po-wang/FedLAP-DP}.

Figures (16)

• Figure 1: An overview of FedLAP-DP. FedLAP-DP addresses the limitations of methods like FedAvg, which aggregate locally optimized gradients (blue) to meet a global objective. Such methods often lead to sub-optimal results (red) due to goal misalignment. This problem further intensifies with increasing client data heterogeneity. FedLAP-DP approximates local neighborhoods with synthetic images on the clients (local approximation, Sec. \ref{['ssec:local_approx']}) and optimizes the model according to the reconstructed loss landscape on the server (global optimization, Sec. \ref{['ssec:global_opt']}). Differential privacy is integrated to introduce privacy barriers (Sec. \ref{['ssec:method-dp']}).
• Figure 2: $r_k$ selection. The loss on private real and synthetic data decreases initially but deviates later. $r_k$ is defined as the turning points with the smallest real loss.
• Figure 3: Accuracy over communication rounds with extremely non-IID data.
• Figure 4: Privacy-utility trade-off with $\delta=10^{-5}$. A smaller value of $\varepsilon$ (x-axis) indicates a stronger privacy guarantee. Evaluation is conducted at each communication round.
• Figure 5: Ablation study on the number of images per class (#ipc).

Theorems & Definitions (12)

• Definition 3.1: Differential Privacy dwork2014algorithmic
• Definition 3.2: Record-level DP
• Definition 3.3: Gaussian Mechanism dwork2014algorithmic
• Theorem 3.4: Post-processing dwork2014algorithmic
• Definition 5.1: Rényi divergence
• Definition 5.2: Rényi differential privacy (RDP) mironov2017renyi
• Definition 5.3: Sampled Gaussian Mechanism (SGM) abadi2016deepmironov2019r
• Theorem 5.4
• Theorem 5.5
• Theorem 5.6: Composability mironov2017renyi