
Tazza: Shuffling Neural Network Parameters for Secure and Private Federated Learning

Kichang Lee, Jaeho Jin, JaeYeon Park, Songkuk Kim, JeongGil Ko

TL;DR

This work tackles dual security goals in federated learning—privacy of client data and integrity of the global model—by exploiting permutation properties of neural networks. It introduces Tazza, a framework that securely shuffles model weights at the client side and validates shuffled outputs at the server, enabling detection of poisoning and data leakage without sacrificing accuracy. Core contributions include a PBFT-based shuffling-rule exchange, layer-wise weight shuffling with Gaussian perturbations, shuffled-model validation, and cluster-aware aggregation to isolate malicious updates; these are supported by theoretical insights on permutation equivariance/invariance and extensive experiments across datasets and embedded platforms. The results show that Tazza delivers strong defense while maintaining high performance, achieving up to $6.7\times$ speedups over prior schemes and demonstrating practicality for mobile and IoT deployments.

Abstract

Federated learning enables decentralized model training without sharing raw data, preserving data privacy. However, its vulnerability to critical security threats, such as gradient inversion and model poisoning by malicious clients, remains unresolved. Existing solutions often address these issues separately, sacrificing either system robustness or model accuracy. This work introduces Tazza, a secure and efficient federated learning framework that simultaneously addresses both challenges. By leveraging the permutation equivariance and invariance properties of neural networks via weight shuffling and shuffled model validation, Tazza enhances resilience against diverse poisoning attacks, while ensuring data confidentiality and high model accuracy. Comprehensive evaluations on various datasets and embedded platforms show that Tazza achieves robust defense with up to 6.7x improved computational efficiency compared to alternative schemes, without compromising performance.


Paper Structure

This paper contains 25 sections, 1 equation, 16 figures, 1 table, 1 algorithm.

Figures (16)

  • Figure 1: (a) Visualization of the permutation equivariance property of matrix multiplication. The output's column order follows the order of the input columns. (b) Visualization of the permutation invariance property of the average function. Results are not affected by the altered order of input rows. Best viewed in color.
  • Figure 2: Visual examples of permutation invariance and equivariance properties. (a) Original network architecture. (b) Row-permuted operations, where input ($x_{1}$, $x_{2}$, $x_{3}$) is rearranged to ($x_{2}$, $x_{3}$, $x_{1}$). (c) Column-permuted operations, where output is reordered.
  • Figure 3: (a) Bottom-5 (top green box) and Top-5 (bottom red box) PSNR samples from the MNIST dataset. (b) PSNR distribution between the original and shuffled images from the MNIST dataset (using 60K images).
  • Figure 4: Average accuracy of models trained with original data and shuffled data for 10 random seeds.
  • Figure 5: Overall workflow of Tazza.
  • ...and 11 more figures
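As an added, self-contained illustration (not code from the paper) of the permutation properties the TL;DR and Figures 1-2 describe: a toy two-layer MLP in pure Python whose hidden units are reordered by a shuffling rule. The stored weight matrices change, so anyone inspecting the shuffled parameters sees different values, yet the predictions are unchanged (invariance), while shuffling the output units only reorders the predictions (equivariance). The layer sizes, weights, input and shuffling rules are constructed for this example; Tazza's own Gaussian perturbation and PBFT rule exchange are not modelled.

```python
import random

def affine(W, b, x):
    """Compute W @ x + b with W given as a list of rows (pure Python, no numpy)."""
    return [sum(w * xj for w, xj in zip(row, x)) + bi for row, bi in zip(W, b)]

def relu(v):
    return [max(0.0, t) for t in v]

def mlp(params, x):
    """Two-layer MLP: output = W2 @ relu(W1 @ x + b1) + b2."""
    W1, b1, W2, b2 = params
    return affine(W2, b2, relu(affine(W1, b1, x)))

def make_params(n_in=3, n_hidden=4, n_out=2, seed=0):
    """Constructed toy weights; seeded so the example is reproducible."""
    rng = random.Random(seed)
    r = lambda n: [rng.uniform(-1, 1) for _ in range(n)]
    W1 = [r(n_in) for _ in range(n_hidden)]      # rows = hidden units
    W2 = [r(n_hidden) for _ in range(n_out)]     # rows = outputs, cols = hidden units
    return (W1, r(n_hidden), W2, r(n_out))

def shuffle_hidden(params, perm):
    """Permute hidden units consistently: rows of W1/b1 and columns of W2.
    The stored weights change, but the network function does not (invariance)."""
    W1, b1, W2, b2 = params
    return ([W1[p] for p in perm], [b1[p] for p in perm],
            [[row[p] for p in perm] for row in W2], b2)

def shuffle_output(params, perm):
    """Permute output units: rows of W2/b2. Predictions come back reordered (equivariance)."""
    W1, b1, W2, b2 = params
    return (W1, b1, [W2[p] for p in perm], [b2[p] for p in perm])

def close(u, v, tol=1e-9):
    return len(u) == len(v) and all(abs(a - b) <= tol for a, b in zip(u, v))

def demo():
    params = make_params()
    x = [0.5, -1.2, 2.0]             # constructed sample input
    y = mlp(params, x)
    hid = [2, 0, 3, 1]               # one hidden-unit shuffling rule
    y_hidden = mlp(shuffle_hidden(params, hid), x)
    out = [1, 0]                     # one output-unit shuffling rule
    y_out = mlp(shuffle_output(params, out), x)
    return {
        "invariant": close(y, y_hidden),                                 # same predictions
        "weights_differ": params[0] != shuffle_hidden(params, hid)[0],   # different stored weights
        "equivariant": close([y[p] for p in out], y_out),                # outputs follow the rule
    }
```

Because the shuffled model computes the same function, a server can evaluate it (the paper's shuffled-model validation) without learning the client's shuffling rule.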