
FheFL: Fully Homomorphic Encryption Friendly Privacy-Preserving Federated Learning with Byzantine Users

Yogachandran Rahulamathavan, Charuka Herath, Xiaolan Liu, Sangarapillai Lambotharan, Carsten Maple

TL;DR

The paper tackles privacy leakage and data-poisoning threats in federated learning by introducing FheFL, a fully homomorphic encryption (FHE) based single-server framework. It develops a distributed multi-key CKKS HE scheme and a non-poisoning rate-based aggregation that operates entirely in the encrypted domain, enabling robust, private model updates without plaintext exposure. The work provides formal privacy, security, and convergence analyses, and demonstrates empirical effectiveness on MNIST, CIFAR-10, and CIFAR-100 with realistic attacker scenarios, showing competitive accuracy with feasible computational and communication overhead. This approach eliminates privacy leakage while mitigating poisoning attacks, offering a practical path toward secure and robust privacy-preserving federated learning on a single server.

Abstract

The federated learning (FL) technique was developed to mitigate data privacy issues in the traditional machine learning paradigm. While FL ensures that a user's data always remain with the user, the gradients are shared with the centralized server to build the global model. This results in privacy leakage, where the server can infer private information from the shared gradients. To mitigate this flaw, the next-generation FL architectures proposed encryption and anonymization techniques to protect the model updates from the server. However, this approach creates other challenges, such as malicious users sharing false gradients. Since the gradients are encrypted, the server is unable to identify rogue users. To mitigate both attacks, this paper proposes a novel FL algorithm based on a fully homomorphic encryption (FHE) scheme. We develop a distributed multi-key additive homomorphic encryption scheme that supports model aggregation in FL. We also develop a novel aggregation scheme within the encrypted domain, utilizing users' non-poisoning rates, to effectively address data poisoning attacks while ensuring privacy is preserved by the proposed encryption scheme. Rigorous security, privacy, convergence, and experimental analyses have been provided to show that FheFL is novel, secure, and private, and achieves comparable accuracy at reasonable computational cost.

Paper Structure (30 sections, 29 equations, 7 figures, 5 tables, 3 algorithms)


Figures (7)

  • Figure 1: Reconstruction results of the Deep Leakage from Gradients (DLG) attack on CIFAR100 dataset. The first row shows the raw images from the CIFAR100 dataset. The second row displays reconstructed images when no gradient protection is applied. The third row shows the reconstructions when the gradients of the output layer are encrypted using the proposed scheme. The final row presents the reconstructed images when the gradients of the first hidden layer are protected with the proposed method.
  • Figure 2: Convergence of model updates when all the users are benign (solid arrows) or malicious (dotted arrows).
  • Figure 3: This shows the accuracy of each aggregation algorithm when $5\%$, $15\%$ and $20\%$ of the users are malicious, for the MNIST, CIFAR-10 and CIFAR-100 datasets.
  • Figure 4: Attacker success rate for the MNIST, CIFAR-10 and CIFAR-100 datasets, against 5%, 15% and 20% attackers.
  • Figure 5: This shows the processing required by the server when the number of users is increasing.
  • ...and 2 more figures