Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Camel: Communication-Efficient and Maliciously Secure Federated Learning in the Shuffle Model of Differential Privacy

Shuangqing Xu, Yifeng Zheng, Zhongyun Hua

TL;DR

Camel delivers a practical, maliciously secure federated learning framework in the shuffle model of differential privacy by combining gradient perturbation under local DP with a lossless, seed-based gradient compression and a secret-shared shuffle across three non-colluding servers. It strengthens security through integrity checks against online selective failure attacks and fusing shuffle amplification with subsampling, yielding tighter per-iteration and overall privacy bounds via Rényi DP composition. The approach achieves substantial communication and runtime efficiency while improving privacy-utility trade-offs over prior shuffle-model FL methods, demonstrated on MNIST and FMNIST. These advances enable scalable, privacy-preserving FL in adversarial environments with rigorous formal guarantees. The work also outlines possible extensions to broader server settings and multi-message shuffles for further privacy gains.

Abstract

Federated learning (FL) has rapidly become a compelling paradigm that enables multiple clients to jointly train a model by sharing only gradient updates for aggregation, without revealing their local private data. In order to protect the gradient updates which could also be privacy-sensitive, there has been a line of work studying local differential privacy (LDP) mechanisms to provide a formal privacy guarantee. With LDP mechanisms, clients locally perturb their gradient updates before sharing them out for aggregation. However, such approaches are known for greatly degrading the model utility, due to heavy noise addition. To enable a better privacy-utility tradeoff, a recently emerging trend is to apply the shuffle model of DP in FL, which relies on an intermediate shuffling operation on the perturbed gradient updates to achieve privacy amplification. Following this trend, in this paper, we present Camel, a new communication-efficient and maliciously secure FL framework in the shuffle model of DP. Camel first departs from existing works by ambitiously supporting integrity check for the shuffle computation, achieving security against malicious adversary. Specifically, Camel builds on the trending cryptographic primitive of secret-shared shuffle, with custom techniques we develop for optimizing system-wide communication efficiency, and for lightweight integrity checks to harden the security of server-side computation. In addition, we also derive a significantly tighter bound on the privacy loss through analyzing the Renyi differential privacy (RDP) of the overall FL process. Extensive experiments demonstrate that Camel achieves better privacy-utility trade-offs than the state-of-the-art work, with promising performance.

Camel: Communication-Efficient and Maliciously Secure Federated Learning in the Shuffle Model of Differential Privacy

TL;DR

Camel delivers a practical, maliciously secure federated learning framework in the shuffle model of differential privacy by combining gradient perturbation under local DP with a lossless, seed-based gradient compression and a secret-shared shuffle across three non-colluding servers. It strengthens security through integrity checks against online selective failure attacks and fusing shuffle amplification with subsampling, yielding tighter per-iteration and overall privacy bounds via Rényi DP composition. The approach achieves substantial communication and runtime efficiency while improving privacy-utility trade-offs over prior shuffle-model FL methods, demonstrated on MNIST and FMNIST. These advances enable scalable, privacy-preserving FL in adversarial environments with rigorous formal guarantees. The work also outlines possible extensions to broader server settings and multi-message shuffles for further privacy gains.

Abstract

Federated learning (FL) has rapidly become a compelling paradigm that enables multiple clients to jointly train a model by sharing only gradient updates for aggregation, without revealing their local private data. In order to protect the gradient updates which could also be privacy-sensitive, there has been a line of work studying local differential privacy (LDP) mechanisms to provide a formal privacy guarantee. With LDP mechanisms, clients locally perturb their gradient updates before sharing them out for aggregation. However, such approaches are known for greatly degrading the model utility, due to heavy noise addition. To enable a better privacy-utility tradeoff, a recently emerging trend is to apply the shuffle model of DP in FL, which relies on an intermediate shuffling operation on the perturbed gradient updates to achieve privacy amplification. Following this trend, in this paper, we present Camel, a new communication-efficient and maliciously secure FL framework in the shuffle model of DP. Camel first departs from existing works by ambitiously supporting integrity check for the shuffle computation, achieving security against malicious adversary. Specifically, Camel builds on the trending cryptographic primitive of secret-shared shuffle, with custom techniques we develop for optimizing system-wide communication efficiency, and for lightweight integrity checks to harden the security of server-side computation. In addition, we also derive a significantly tighter bound on the privacy loss through analyzing the Renyi differential privacy (RDP) of the overall FL process. Extensive experiments demonstrate that Camel achieves better privacy-utility trade-offs than the state-of-the-art work, with promising performance.
Paper Structure (31 sections, 8 theorems, 15 equations, 10 figures, 4 tables, 3 algorithms)

This paper contains 31 sections, 8 theorems, 15 equations, 10 figures, 4 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Preliminaries
  4. Notations
  5. Differential Privacy
  6. Additive Secret Sharing
  7. Problem Statement
  8. System Model
  9. Threat Model and Security Guarantees
  10. The Design of Camel
  11. Overview
  12. Noisy Gradient Compression under LDP
  13. Communication-Efficient FL in the Shuffle Model of DP with Semi-Honest Security
  14. Achieving Malicious Security
  15. Maliciously Secure Secret-Shared Shuffle
  16. ...and 16 more sections

Key Result

Lemma 1

(Adaptive Composition of RDP RDP). Let $\mathcal{M}_1: \mathcal{D}\rightarrow\mathcal{R}_1$ be a mechanism satisfying ($\lambda,\varepsilon_1(\lambda)$)-RDP and $\mathcal{M}_2: \mathcal{D}\times\mathcal{R}_1\rightarrow\mathcal{R}_2$ be a mechanism satisfying ($\lambda,\varepsilon_2(\lambda)$)-RDP. D

Figures (10)

  • Figure 1: The system model of Camel.
  • Figure 2: The integrity check for $\boldsymbol{z}_2$ sent from $\mathcal{S}_2$.
  • Figure 3: The integrity check for $\boldsymbol{z}_1$ sent from $\mathcal{S}_1$.
  • Figure 4: Comparison of different bounds on the Approximate ($\varepsilon,\delta$)-DP with fixed $\delta=10^{-5}$: (1) Approximate DP obtained from our derived bound in Theorem \ref{['thm:analysis_overview']} (converted from RDP to ($\varepsilon,\delta$)-DP) (red); (2) Approximate DP obtained from the bound given in AISTATS21 (cyan); and (3) Approximate DP obtained from the bound given in Erlingsson20 (magenta).
  • Figure 5: Utility performance of Camel, by fixing $\varepsilon_0=1.9$ for the MNIST dataset, $\varepsilon_0=2.0$ for the FMNIST dataset, and varying $T\in[2000]$ and $B\in\{3200,6400,12800\}$.
  • ...and 5 more figures

Theorems & Definitions (12)

  • Definition 1
  • Definition 2
  • Definition 3
  • Lemma 1
  • Lemma 2
  • Lemma 3
  • Theorem 4
  • Definition 4
  • Theorem 5
  • Theorem 6
  • ...and 2 more