
Brave: Byzantine-Resilient and Privacy-Preserving Peer-to-Peer Federated Learning

Zhangchen Xu, Fengqing Jiang, Luyao Niu, Jinyuan Jia, Radha Poovendran

TL;DR

Brave addresses the risk of private data leakage and Byzantine manipulation in fully decentralized P2P FL by introducing a four-stage protocol that combines Pedersen commitments with BFT consensus. It achieves information-theoretic privacy, $\epsilon$-convergence, and agreement under the resilience condition $N > 3f + 2$, and provides formal proofs and empirical validation on CIFAR10 and MNIST. The results show Brave attains accuracy comparable to adversary-free training even in the presence of sophisticated attacks. This work advances practical, secure P2P FL by enabling decentralized learning with strong privacy and robustness guarantees.

Abstract

Federated learning (FL) enables multiple participants to train a global machine learning model without sharing their private training data. Peer-to-peer (P2P) FL advances existing centralized FL paradigms by eliminating the server that aggregates local models from participants and then updates the global model. However, P2P FL is vulnerable to (i) honest-but-curious participants whose objective is to infer private training data of other participants, and (ii) Byzantine participants who can transmit arbitrarily manipulated local models to corrupt the learning process. P2P FL schemes that simultaneously guarantee Byzantine resilience and preserve privacy have been less studied. In this paper, we develop Brave, a protocol that ensures Byzantine Resilience And privacy-preserving property for P2P FL in the presence of both types of adversaries. We show that Brave preserves privacy by establishing that any honest-but-curious adversary cannot infer other participants' private data by observing their models. We further prove that Brave is Byzantine-resilient, which guarantees that all benign participants converge to an identical model that deviates from a global model trained without Byzantine adversaries by a bounded distance. We evaluate Brave against three state-of-the-art adversaries on a P2P FL for image classification tasks on benchmark datasets CIFAR10 and MNIST. Our results show that the global model learned with Brave in the presence of adversaries achieves comparable classification accuracy to a global model trained in the absence of any adversary.

Paper Structure (22 sections, 10 theorems, 12 equations, 4 figures, 2 tables, 5 algorithms)


Key Result

Lemma 1

The commitment procedure in Definition 3 (Pedersen commitment scheme) is computationally binding and additively homomorphic. Furthermore, it ensures that the local model $w_i$ is information-theoretically hiding.
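
The three properties in Lemma 1, shown on a single quantized model coordinate. This is an added example, not code from the paper: the toy group (P, Q, G), the trapdoor value and all function names are constructed for illustration, and the aggregate check is a simplification of the protocol's MPC stage.

```python
import secrets

# Constructed toy group: P = 2Q + 1 with P, Q prime; G and H generate the order-Q subgroup.
P, Q, G = 2039, 1019, 4
TRAPDOOR = 777            # log_G(H); known here only to demonstrate hiding.
H = pow(G, TRAPDOOR, P)   # In a real setup nobody may know this exponent.

def commit(w, r=None):
    """Return (commitment, randomness) for an integer-quantized weight w."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return (pow(G, w % Q, P) * pow(H, r, P)) % P, r

def verify(c, w, r):
    """Check that (w, r) opens commitment c."""
    return c == commit(w, r)[0]

def aggregate_commitments(cs):
    """Multiply commitments; by homomorphism this commits to the sum."""
    out = 1
    for c in cs:
        out = (out * c) % P
    return out

def check_aggregate(cs, w_sum, r_sum):
    """prod(c_i) must open to (sum w_i, sum r_i)."""
    return verify(aggregate_commitments(cs), w_sum, r_sum)

def alternative_opening(w, r, w_other):
    """Hiding: with the trapdoor, every w_other has an r' opening the same c,
    so c alone carries no information about w. Without the trapdoor, finding
    such an r' means solving a discrete log, which is the binding property."""
    return (r + (w - w_other) * pow(TRAPDOOR, -1, Q)) % Q

def run_round(weights, tampered=None):
    """Commit to each weight, then open the aggregate.
    `tampered` maps participant index -> value revealed instead of the committed one."""
    cs, rs = zip(*(commit(w) for w in weights))
    opened = list(weights)
    for i, v in (tampered or {}).items():
        opened[i] = v
    return check_aggregate(cs, sum(opened), sum(rs))

if __name__ == "__main__":
    print("honest round verifies:", run_round([12, 7, 30]))
    print("changed-after-commit verifies:", run_round([12, 7, 30], {2: 500}))
```

A participant that reveals a value different from the one it committed to makes the aggregate check fail, which is how binding supports the Byzantine-resilience argument.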

Figures (4)

  • Figure 1: This figure shows the overall workflow of Brave.
  • Figure 2: This figure depicts a P2P FL with six participants $\{P_0,\ldots,P_5\}$ and illustrates the schematic message flow of Brave. In this example, $P_5$ is a Byzantine adversary. In Stage 1, all participants broadcast their commitments of local models to the BFT broadcast module. In Stage 2, the participants first exchange messages among themselves using the point-to-point communication network. After that, they send a set of relationships among local models to BFT broadcast. In Stage 3, the participant sorts the local models along each coordinate after receiving the pairwise comparison results. It then trims the largest and smallest $f$ values in each coordinate. In Stage 4, MPC is performed to aggregate models while preserving privacy.
  • Figure 3: This figure presents the accuracy of 2NN learned using P2P FL with $N=10$ participants at each iteration $t$. When the number of Byzantine adversaries $f$ satisfies $N>3f+2$, i.e., $f\in\{0,1,2\}$, Brave ensures the $\epsilon$-convergence property as given in Definition 2. When $f$ violates $N>3f+2$, the Byzantine adversaries can corrupt the learned 2NN, and even prevent FL from converging (Fig. \ref{fig:converge_2nn_label}, $f=4$).
  • Figure 4: This figure presents how the accuracy of the learned 2NN varies with respect to the ratio of Byzantine participants when $N=10$. If $N>3f+2$ holds (the left-hand side of the vertical red line), then Brave guarantees Byzantine resilience, as the performance of the learned 2NN is comparable to P2P FL-naïve learned without any adversary.

Theorems & Definitions (21)

  • Definition 1: Information-Theoretic Privacy
  • Definition 2: Byzantine Resilience
  • Definition 3: Pedersen Commitment Scheme [feigenbaum_non-interactive_1992]
  • Lemma 1: [feigenbaum_non-interactive_1992]
  • Theorem 2: Information-theoretic Privacy
  • proof: Proof Sketch
  • Lemma 3: Local Non-Forgeability
  • proof
  • Lemma 4
  • proof
  • ...and 11 more