
A Game-theoretic Framework for Privacy-preserving Federated Learning

Xiaojin Zhang, Lixin Fan, Siwei Wang, Wenjie Li, Kai Chen, Qiang Yang

TL;DR

The paper tackles preemptive privacy in federated learning by formulating the Federated Learning Privacy Game (FLPG), where defenders and a semi-honest attacker operate under incomplete payoff information provided by an oracle. It introduces protection and attacking extents ($\Delta_k$ and $C_a$), a novel privacy-leakage metric $V_p$, and payoff structures that blend model utility, privacy leakage, and costs. The main contributions include analytic payoff bounds, conditions for 0- and $\tau$-equilibria, and robust/correlated equilibrium results facilitated by an oracle-based correlation device, plus a special-case solution showing when attackers should relinquish attacks. This framework offers a principled, preemptive lens for defense planning in FL and lays a foundation for designing protection schemes that minimize attackers’ incentives to act. Overall, FLPG advances understanding of defender-attacker dynamics under uncertainty and provides practical guidance for reducing privacy risks in collaborative learning.

Abstract

In federated learning, benign participants aim to optimize a global model collaboratively. However, the risk of privacy leakage cannot be ignored in the presence of semi-honest adversaries. Existing research has focused either on designing protection mechanisms or on inventing attacking mechanisms. While the battle between defenders and attackers seems never-ending, we are concerned with one critical question: is it possible to prevent potential attacks in advance? To address this, we propose the first game-theoretic framework that considers both FL defenders and attackers in terms of their respective payoffs, which include computational costs, FL model utilities, and privacy leakage risks. We name this game the federated learning privacy game (FLPG), in which neither defenders nor attackers are aware of all participants' payoffs. To handle the incomplete information inherent in this situation, we propose associating the FLPG with an oracle that has two primary responsibilities. First, the oracle provides lower and upper bounds of the payoffs for the players. Second, the oracle acts as a correlation device, privately providing suggested actions to each player. With this novel framework, we analyze the optimal strategies of defenders and attackers. Furthermore, we derive and demonstrate conditions under which the attacker, as a rational decision-maker, should always follow the oracle's suggestion not to attack.

Paper Structure (25 sections, 19 theorems, 38 equations, 1 figure, 3 tables)

This paper contains 25 sections, 19 theorems, 38 equations, 1 figure, 3 tables.

Key Result

Theorem 3.1

For any $K$-person ($K<\infty$), simultaneous-move, one-stage FLPG,

Figures (1)

  • Figure 1: Let $\epsilon = 0.0001$. $C_a \in [0, 1/\epsilon] = [0, 10000]$ represents the number of rounds the attacker uses to infer the private data of each defender with the optimization algorithm; $\Delta_d \in [0, D] = [0, 1]$ represents the distance between the exposed parameter information and the defender's original information. The red, yellow and green areas mark the regions in which the attacker's payoff is positive, zero and negative, respectively. (a): Note that $x = 0.5 \in (0,1)$ corresponds to a protection mechanism with low efficiency, such as HE. If $\Delta_d$ is rather large, then $\underline U_a(C_a, \Delta_d) < 0$ for any $C_a \ge 1$. Therefore, the optimal attacking extent is $C_a^* = 0$, achieving the $0$-equilibrium in FLPG by our definition. (b): $\underline U_a(C_a, \Delta_d) < 0$ for any $C_a \ge 1$ and $\Delta_d \in [0,1]$. The robust equilibrium is a $0$-equilibrium in FLPG, which implies that the optimal strategy for the attacker is not to attack.

Theorems & Definitions (29)

  • Definition 3.1: Privacy Leakage
  • Definition 3.2: Payoff of the defender
  • Definition 3.3: Payoff of the attacker
  • Definition 3.4: FLPG
  • Definition 3.5: Oracle
  • Definition 3.6: Robust Equilibrium in FLPG
  • Definition 3.7: Robust and Correlated Equilibrium in FLPG
  • Definition 3.8: $0$-equilibrium and $\tau$-equilibrium ($\tau\ge 1$) in FLPG
  • Theorem 3.1
  • Lemma 4.1
  • ...and 19 more