
Lancelot: Towards Efficient and Privacy-Preserving Byzantine-Robust Federated Learning within Fully Homomorphic Encryption

Siyang Jiang, Hao Yang, Qipeng Xie, Chuan Ma, Sen Wang, Guoliang Xing

TL;DR

The paper proposes Lancelot, an innovative and computationally efficient Byzantine-robust federated learning (BRFL) framework that employs fully homomorphic encryption (FHE) to safeguard against malicious client activities while preserving data privacy.

Abstract

In sectors such as finance and healthcare, where data governance is subject to rigorous regulatory requirements, the exchange and utilization of data are particularly challenging. Federated Learning (FL) has risen as a pioneering distributed machine learning paradigm that enables collaborative model training across multiple institutions while maintaining data decentralization. Despite its advantages, FL is vulnerable to adversarial threats, particularly poisoning attacks during model aggregation, a process typically managed by a central server. However, in these systems, neural network models still possess the capacity to inadvertently memorize and potentially expose individual training instances. This presents a significant privacy risk, as attackers could reconstruct private data by leveraging the information contained in the model itself. Existing solutions fall short of providing a viable, privacy-preserving BRFL system that is both completely secure against information leakage and computationally efficient. To address these concerns, we propose Lancelot, an innovative and computationally efficient BRFL framework that employs fully homomorphic encryption (FHE) to safeguard against malicious client activities while preserving data privacy. Our extensive testing, which includes medical imaging diagnostics and widely-used public image datasets, demonstrates that Lancelot significantly outperforms existing methods, offering more than a twenty-fold increase in processing speed, all while maintaining data privacy.

Paper Structure

This paper contains 38 sections, 12 equations, 11 figures, 4 tables, 2 algorithms.

Figures (11)

  • Figure 1: A workflow of Lancelot. At the beginning of Lancelot, the Key Generation Center generates the cryptographic keys: the secret key $\mathbf{sk}$ is used for decryption of ciphertexts, the public key $\mathbf{pk}$ is used for data encryption, and the evaluation keys $\mathbf{evk}$ are used for homomorphic computations (e.g., ciphertext-ciphertext multiplications or ciphertext rotations). The $\mathbf{pk}$ is transmitted securely to the Clients, and the $\mathbf{evk}$ is transmitted securely to the Server. The Key Generation Center needs to generate the keys, process the robust aggregation rules, and decrypt the aggregated model. The Clients encrypt their models from plaintext and then transmit them to the Server. The models in the Server are processed in encrypted form, so the Server can only access the $\mathbf{evk}$ for homomorphic computation. The intermediate mask selects the Clients according to the Byzantine-robust aggregation rules in the cipher space.
  • Figure 2: Performance analysis of Lancelot under targeted and untargeted attacks for Krum, Multi-Krum, Median and FedAvg across the MNIST, FMNIST, CIFAR-10 and SVHN datasets.
  • Figure 3: FHE Packing Size $N$ Analysis. We deploy the LeNet-5, ResNet-18, ResNet-34, and ResNet-50 models on the MNIST, FMNIST, CIFAR-10, and SVHN datasets, respectively.
  • Figure 4: Performance analysis of Lancelot under internal attack. We present the learning curves for the Krum, Median, and Multi-Krum algorithms across three datasets (e.g., Bloodmnist, Pathmnist, Dermamnist) in ciphertext within Lancelot. The horizontal lines depict the convergence outcomes of the three methods when applied to plaintext data.
  • Figure 5: Performance analysis of Lancelot under external attack. Ten pictures of the reconstruction of 32 × 32 CIFAR-10 images over the first 100 images from the validation set, using LeNet-5 as the backbone model and conservatively executing the DLG and IDLG attacks for 100 iterations.
  • ...and 6 more figures