Little is Enough: Boosting Privacy by Sharing Only Hard Labels in Federated Semi-Supervised Learning

Amr Abourayya, Jens Kleesiek, Kanishka Rao, Erman Ayday, Bharat Rao, Geoff Webb, Michael Kamp

TL;DR

This work tackles privacy in federated learning by moving beyond parameter and soft-label sharing to a federated co-training approach that exchanges only hard labels on a public unlabeled dataset. FedCT builds consensus pseudo-labels by majority vote, enabling local models, including non-gradient-based ones such as decision trees or random forests, to train collaboratively without exposing private data. Theoretical results establish convergence and provide a DP-ready bound via an XOR-based mechanism, yielding strong privacy with minimal utility loss. Empirical results show competitive accuracy across benchmarks, improvements for LLM fine-tuning, reduced communication, and applicability to interpretable models. Overall, FedCT offers a practical, privacy-preserving alternative for distributed sensitive domains (e.g., healthcare) where centralization or gradient-based aggregation is undesirable or impractical.

Abstract

In many critical applications, sensitive data is inherently distributed and cannot be centralized due to privacy concerns. A wide range of federated learning approaches have been proposed to train models locally at each client without sharing their sensitive data, typically by exchanging model parameters, or probabilistic predictions (soft labels) on a public dataset or a combination of both. However, these methods still disclose private information and restrict local models to those that can be trained using gradient-based methods. We propose a federated co-training (FedCT) approach that improves privacy by sharing only definitive (hard) labels on a public unlabeled dataset. Clients use a consensus of these shared labels as pseudo-labels for local training. This federated co-training approach empirically enhances privacy without compromising model quality. In addition, it allows the use of local models that are not suitable for parameter aggregation in traditional federated learning, such as gradient-boosted decision trees, rule ensembles, and random forests. Furthermore, we observe that FedCT performs effectively in federated fine-tuning of large language models, where its pseudo-labeling mechanism is particularly beneficial. Empirical evaluations and theoretical analyses suggest its applicability across a range of federated learning scenarios.
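The co-training round described in the abstract, as an added illustration (not the authors' code): each client sends only a vector of hard labels on the public set, the server takes a per-point majority vote, and clients retrain on their private data plus the consensus pseudo-labels. The nearest-centroid local model, the constructed 1-D data and all function names are assumptions made for this sketch.

```python
from collections import Counter
from statistics import mean

# Constructed 1-D toy data: the true label is 1 if x > 0, else 0.
PUBLIC_U = [-4, -3, -2, -1, 1, 2, 3, 4]        # public, unlabeled
PRIVATE = {                                     # never leaves the client
    "A": [(-3, 0), (-2, 0), (2, 1), (3, 1)],
    "B": [(-5, 0), (-3, 0), (1, 1), (2, 1)],    # skewed: mislabels x = -1
    "C": [(-2, 0), (-1, 0), (3, 1), (5, 1)],    # skewed: mislabels x = 1
}

def fit(samples):
    """Nearest-centroid model (no gradients): class -> mean of its points."""
    classes = {y for _, y in samples}
    return {c: mean(x for x, y in samples if y == c) for c in classes}

def predict_hard(model, xs):
    """Hard labels only: one class id per point, no scores or probabilities."""
    return [min(model, key=lambda c: abs(x - model[c])) for x in xs]

def consensus(votes):
    """Server side: per-point majority vote over the clients' hard labels."""
    return [Counter(col).most_common(1)[0][0] for col in zip(*votes)]

def fedct(rounds=2):
    pseudo = []       # consensus pseudo-labels for PUBLIC_U (empty in round 1)
    history = []      # per round: (messages sent by clients, consensus)
    for _ in range(rounds):
        messages = {}
        for cid, private in PRIVATE.items():
            # Local training set: private data plus pseudo-labeled public data.
            model = fit(private + list(zip(PUBLIC_U, pseudo)))
            # The only thing transmitted: |U| integers per client.
            messages[cid] = predict_hard(model, PUBLIC_U)
        pseudo = consensus(list(messages.values()))
        history.append((messages, pseudo))
    return history

if __name__ == "__main__":
    for r, (messages, pseudo) in enumerate(fedct(), start=1):
        print(f"round {r}: sent={messages} consensus={pseudo}")
```

In round 1 clients B and C each mislabel one public point, the vote outvotes both errors, and in round 2 all three local models agree on the public set.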

Paper Structure (37 sections, 5 theorems, 13 equations, 12 figures, 17 tables, 1 algorithm)

Key Result

Proposition 1

For $m\geq 3$ clients with local datasets $D^1,\dots,D^m$ and unlabeled dataset $U$, let $\mathcal{A}^i$ for $i\in [m]$ be a set of learning algorithms that all achieve a linearly increasing training accuracy $a_t$ for all labelings of $U$, i.e., there exists $c\in\mathbb{R}_+$ such that $a_t\geq1-c

Figures (12)

  • Figure 1: Vulnerability (VUL) to membership inference attacks on the communication of $5$ clients and their test accuracy (avg and std over $5$ datasets). VUL is measured empirically as the success probability of inferring membership correctly; $\text{VUL}=0.5$ implies optimal privacy.
  • Figure 2: Top: Test accuracy (ACC) over time on CIFAR10 of FL, and FedCT's local models and their mean. Bottom: Standard deviation of test accuracy of local models in FedCT.
  • Figure 3: Top: Test accuracy (ACC) over time of FedCT on non-iid distribution on FashionMNIST. Bottom: Standard deviation of test accuracy of local models in FedCT.
  • Figure 4: Accuracy (ACC) of DP-FedCT on the FashionMNIST dataset under different levels of privacy $\epsilon$.
  • Figure 5: Numerical evaluation of Prop. \ref{prop:convergence} for $|U|=10^4$.
  • ...and 7 more figures

Theorems & Definitions (9)

  • Proposition 1
  • proof
  • Proposition 2
  • Corollary 1
  • Proposition 2
  • proof
  • Definition 1: shalev2014understanding
  • Proposition 2
  • proof