Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Comments on "Privacy-Enhanced Federated Learning Against Poisoning Adversaries"

Thomas Schneider, Ajith Suresh, Hossein Yalame

TL;DR

This paper challenges the privacy claims of the PEFL framework for federated learning by showing that its SecMed, SecPear, and SecAgg protocols leak gradient information to the cloud platform even under semi-honest assumptions. By analyzing gradient calculation and masking, it shows that shared padding and masked products enable reconstruction of the full gradient matrix $\mathbf{G}_{\mathsf{m}\times\mathsf{n}}$, exposing per-coordinate and cross-coordinate relationships. It also presents practical attacks, such as CP impersonation, that can extract all gradients, undermining PEFL's privacy goals. The work cautions researchers against relying on Liu et al.'s constructions and stresses the need for rigorous privacy guarantees before deploying privacy-preserving FL protocols in practice.

Abstract

In August 2021, Liu et al. (IEEE TIFS'21) proposed a privacy-enhanced framework named PEFL to efficiently detect poisoning behaviours in Federated Learning (FL) using homomorphic encryption. In this article, we show that PEFL does not preserve privacy. In particular, we illustrate that PEFL reveals the entire gradient vector of all users in clear to one of the participating entities, thereby violating privacy. Furthermore, we clearly show that an immediate fix for this issue is still insufficient to achieve privacy by pointing out multiple flaws in the proposed system. Note: Although our privacy issues mentioned in Section II have been published in January 2023 (Schneider et. al., IEEE TIFS'23), several subsequent papers continued to reference Liu et al. (IEEE TIFS'21) as a potential solution for private federated learning. While a few works have acknowledged the privacy concerns we raised, several of subsequent works either propagate these errors or adopt the constructions from Liu et al. (IEEE TIFS'21), thereby unintentionally inheriting the same privacy vulnerabilities. We believe this oversight is partly due to the limited visibility of our comments paper at TIFS'23 (Schneider et. al., IEEE TIFS'23). Consequently, to prevent the continued propagation of the flawed algorithms in Liu et al. (IEEE TIFS'21) into future research, we also put this article to an ePrint.

Comments on "Privacy-Enhanced Federated Learning Against Poisoning Adversaries"

TL;DR

This paper challenges the privacy claims of the PEFL framework for federated learning by showing that its SecMed, SecPear, and SecAgg protocols leak gradient information to the cloud platform even under semi-honest assumptions. By analyzing gradient calculation and masking, it shows that shared padding and masked products enable reconstruction of the full gradient matrix , exposing per-coordinate and cross-coordinate relationships. It also presents practical attacks, such as CP impersonation, that can extract all gradients, undermining PEFL's privacy goals. The work cautions researchers against relying on Liu et al.'s constructions and stresses the need for rigorous privacy guarantees before deploying privacy-preserving FL protocols in practice.

Abstract

In August 2021, Liu et al. (IEEE TIFS'21) proposed a privacy-enhanced framework named PEFL to efficiently detect poisoning behaviours in Federated Learning (FL) using homomorphic encryption. In this article, we show that PEFL does not preserve privacy. In particular, we illustrate that PEFL reveals the entire gradient vector of all users in clear to one of the participating entities, thereby violating privacy. Furthermore, we clearly show that an immediate fix for this issue is still insufficient to achieve privacy by pointing out multiple flaws in the proposed system. Note: Although our privacy issues mentioned in Section II have been published in January 2023 (Schneider et. al., IEEE TIFS'23), several subsequent papers continued to reference Liu et al. (IEEE TIFS'21) as a potential solution for private federated learning. While a few works have acknowledged the privacy concerns we raised, several of subsequent works either propagate these errors or adopt the constructions from Liu et al. (IEEE TIFS'21), thereby unintentionally inheriting the same privacy vulnerabilities. We believe this oversight is partly due to the limited visibility of our comments paper at TIFS'23 (Schneider et. al., IEEE TIFS'23). Consequently, to prevent the continued propagation of the flawed algorithms in Liu et al. (IEEE TIFS'21) into future research, we also put this article to an ePrint.
Paper Structure (7 sections, 5 equations)

This paper contains 7 sections, 5 equations.

Table of Contents

  1. Introduction
  2. Liu et al.’s protocols are not private
  3. Calculation of Gradients
  4. Median Computation using SecMed
  5. Computing Pearson correlation coefficient using SecPear
  6. Aggregating the gradients using SecAgg
  7. Practical and probabilistic attacks