
PriRoAgg: Achieving Robust Model Aggregation with Minimum Privacy Leakage for Federated Learning

Sizai Hou, Songze Li, Tayyebeh Jahani-Nezhad, Giuseppe Caire

TL;DR

PriRoAgg formalizes aggregated privacy and integrates it with robust aggregation in single-server federated learning via Lagrange coded computing, secret-sharing, and verifiable SNIP proofs. It defines ${SRA}_{\Omega}$ to ensure that only aggregated statistics $\sum_{i} \phi_{\Omega}(\mathbf{x}_i)$ are revealed, even under Byzantine-server collusion, and instantiates the framework with two protocols: PriRoAgg with RLR for backdoor defense and PriRoAgg with RFA for model poisoning defense. The authors provide security proofs, complexity analyses, and extensive experiments showing robust performance against diverse attacks with improved efficiency over baselines. The work advances practical secure and robust federated learning by enabling powerful aggregation algorithms to run with provable privacy guarantees in the presence of adversaries. The approach is poised to impact real-world FL deployments where privacy and integrity are both critical.

Abstract

Federated learning (FL) has recently gained significant momentum due to its potential to leverage large-scale distributed user data while preserving user privacy. However, the typical paradigm of FL faces challenges of both privacy and robustness: the transmitted model updates can potentially leak sensitive user information, and the lack of central control over the local training process leaves the global model susceptible to malicious manipulation of model updates. Current solutions attempting to address both problems under the one-server FL setting fall short in the following aspects: 1) they are designed for simple validity checks that are insufficient against advanced attacks (e.g., checking the norm of an individual update); and 2) they partially leak privacy when running more complicated robust aggregation algorithms (e.g., multi-Krum leaks the distances between model updates). In this work, we formalize a novel security notion of aggregated privacy that characterizes the minimum amount of user information, in the form of some aggregated statistics of users' updates, that must be revealed to accomplish more advanced robust aggregation. We develop a general framework, PriRoAgg, utilizing Lagrange coded computing and distributed zero-knowledge proofs, to execute a wide range of robust aggregation algorithms while satisfying aggregated privacy. As concrete instantiations of PriRoAgg, we construct two secure and robust protocols based on state-of-the-art robust algorithms, for which we provide full theoretical analyses of security and complexity. Extensive experiments are conducted for these protocols, demonstrating their robustness against various model integrity attacks and their efficiency advantages over baselines.

Paper Structure

This paper contains 25 sections, 2 theorems, 11 equations, 16 figures, and 3 tables.

Key Result

Theorem 1

(${SRA}_{RLR}$) For a protocol $\Pi_{RLR}$ that securely implements a ${SRA}_{\Omega}$, assuming an adversary $\mathcal{A}$ who controls a subset $U_M$ of malicious users and gains full access to the local state of the server, and denoting $U_H = [N]\backslash U_M$ as the subset of honest users, the where $Real_{\Pi_{RLR}}$ represents the joint view of $U_M\cup \{server\}$ executing $\Pi_{RLR}$; $

Figures (16)

  • Figure 1: Description of framework PriRoAgg
  • Figure 3: The user and the server overhead breakdown of PriRoAgg per iteration. $N,d,K$ are the number of users, dimension of update, and LCC parameter, respectively.
  • Figure 4: The end-to-end overhead of PriRoAgg compared with EIFFeL. $N,d,K$ are the number of users, dimension of update, and LCC parameter, respectively.
  • Figure : (a) Additive with FMNIST
  • ...and 11 more figures

Theorems & Definitions (6)

  • Definition 1: Aggregated Privacy
  • Definition 2: ${SRA}_{\Omega}$
  • Theorem 1
  • Proof
  • Theorem 2
  • Proof