
Privacy-Preserving Federated Unlearning with Certified Client Removal

Ziyao Liu, Huanyi Ye, Yu Jiang, Jiyuan Shen, Jiale Guo, Ivan Tjuawinata, Kwok-Yan Lam

TL;DR

This paper tackles the right to be forgotten in federated learning by introducing Starfish, a privacy-preserving federated unlearning scheme. Starfish leverages two non-colluding servers and secure two-party computation (2PC) to perform unlearning while protecting clients' gradients, and it uses selective historical rounds coupled with 2PC-friendly approximations to reduce privacy-preserving computation costs. A theoretical bound quantifies the deviation between the Starfish unlearned model and a model retrained from scratch, ensuring certified client removal under reasonable assumptions. Empirical results show that Starfish achieves effective unlearning with privacy guarantees and competitive efficiency, outperforming several baselines in security-sensitive settings. Overall, Starfish offers a practical pathway to RTBF-compliant federated systems with rigorous privacy and performance trade-offs.

Abstract

In recent years, Federated Unlearning (FU) has gained attention for addressing the removal of a client's influence from the global model in Federated Learning (FL) systems, thereby ensuring the "right to be forgotten" (RTBF). State-of-the-art methods for unlearning use historical data from FL clients, such as gradients or locally trained models. However, studies have revealed significant information leakage in this setting, with the possibility of reconstructing a user's local data from their uploaded information. Addressing this, we propose Starfish, a privacy-preserving federated unlearning scheme using Two-Party Computation (2PC) techniques and shared historical client data between two non-colluding servers. Starfish builds upon existing FU methods to ensure privacy in unlearning processes. To enhance the efficiency of privacy-preserving FU evaluations, we suggest 2PC-friendly alternatives for certain FU algorithm operations. We also implement strategies to reduce costs associated with 2PC operations and lessen cumulative approximation errors. Moreover, we establish a theoretical bound for the difference between the unlearned global model via Starfish and a global model retrained from scratch for certified client removal. Our theoretical and experimental analyses demonstrate that Starfish achieves effective unlearning with reasonable efficiency, maintaining privacy and security in FL systems.
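The two-server setting in the abstract can be illustrated with a small added example; it is not code from the paper or the Starfish implementation. It assumes additive secret sharing over the ring Z_{2^64} with 16-bit fixed-point encoding, and all names (`Server`, `aggregate_without`, the client ids) are hypothetical. It covers only the linear step, where each server locally sums the stored shares of a round while excluding the target client; the non-linear operations of an FU algorithm need interactive 2PC and are not shown.

```python
import secrets

RING = 1 << 64          # shares live in Z_{2^64} (assumed ring size)
FRAC_BITS = 16          # fixed-point precision (assumed)

def encode(x):
    """Real -> fixed-point ring element (negatives wrap around the ring)."""
    return round(x * (1 << FRAC_BITS)) % RING

def decode(v):
    """Ring element -> real; the upper half of the ring maps to negatives."""
    if v >= RING // 2:
        v -= RING
    return v / (1 << FRAC_BITS)

def share(grad):
    """Client side: split a gradient vector into two additive shares."""
    s0 = [secrets.randbelow(RING) for _ in grad]
    s1 = [(encode(g) - r) % RING for g, r in zip(grad, s0)]
    return s0, s1

class Server:
    """One of the two non-colluding servers; it stores only its own shares."""
    def __init__(self):
        self.history = {}   # (round, client_id) -> share vector

    def store(self, rnd, client, share_vec):
        self.history[(rnd, client)] = share_vec

    def aggregate_without(self, rnd, target):
        """Local step: share of the round's gradient sum, target excluded."""
        vecs = [v for (r, c), v in self.history.items()
                if r == rnd and c != target]
        return [sum(col) % RING for col in zip(*vecs)]

def reconstruct(a, b):
    """Combine both servers' result shares; only the aggregate is revealed."""
    return [decode((x + y) % RING) for x, y in zip(a, b)]

def demo():
    # Constructed sample gradients: round -> client -> vector
    grads = {0: {"c1": [0.5, -1.25], "c2": [-0.75, 2.0], "c3": [1.0, 0.125]},
             1: {"c1": [0.1, 0.2], "c2": [-0.3, 0.4], "c3": [0.25, -0.5]}}
    s0, s1 = Server(), Server()
    for rnd, per_client in grads.items():
        for cid, g in per_client.items():
            a, b = share(g)
            s0.store(rnd, cid, a)
            s1.store(rnd, cid, b)
    return {rnd: reconstruct(s0.aggregate_without(rnd, "c2"),
                             s1.aggregate_without(rnd, "c2")) for rnd in grads}
```

Each share on its own is a uniformly random ring element, so neither server learns a client's gradient unless the two collude.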

Paper Structure

This paper contains 42 sections, 1 theorem, 23 equations, 12 figures, 8 tables, 6 algorithms.

Key Result

Theorem 1

The difference between the unlearned global model obtained through Starfish at $t_i$ and the global model obtained through train-from-scratch at $t=\lceil \frac{1}{\sigma}t_i\rceil$ can be bounded as follows: where $\eta_u$ is the unlearning rate in the unlearning progress, $M_0$ is the initial model used in both Starfish and train-from-scratch, $M^*$ is the optimal solution for the objective fun

Figures (12)

  • Figure 1: An overview of our system architecture. During the FL training process, all clients share their gradients along with some other assistive information to two non-colluding servers. The server stores all global models. Based on stored historical information, the two servers collaborate in evaluating the FU algorithm using 2PC techniques. Consequently, the two non-colluding servers may choose to recover the final unlearned model for verification of whether the data held by the target client has been successfully unlearned.
  • Figure 2: An illustration of the Starfish scheme. The servers store the initial model, historical gradients from all clients, and global models. Upon receiving the unlearning request from a target client, the server selects some historical rounds based on the historical gradients of the target client. Based on the selected rounds, the server obtains historical gradients excluding those from the target client, along with the corresponding global models. Then the server calibrates those selected gradients and global models with estimation and error correction in an iterative style.
  • Figure 3: Comparison of Test Error Rate (TER) on the test dataset, Attack Success Rate over Backdoor Attacks (BA-ASR), Membership Inference Attacks (MIA-ASR), and Average Round-saving Percentage (ARP) across three ML tasks with varying complexity. Smaller TER and ASR indicate better accuracy, while a larger ARP implies enhanced efficiency.
  • Figure 4: Impact of the selection rate $\sigma$ on the unlearning performance of the Starfish scheme.
  • Figure 5: Impact of the buffer size $B$ on the unlearning performance of the Starfish scheme.
  • ...and 7 more figures

Theorems & Definitions (1)

  • Theorem 1: Model difference between Starfish and train-from-scratch