TAPFed: Threshold Secure Aggregation for Privacy-Preserving Federated Learning

TL;DR

This paper tackles privacy leaks in federated learning when multiple decentralized aggregators may be malicious. It introduces TAPFed, a threshold secure aggregation framework based on a $t$-of-$n$ threshold multi-client functional encryption (TMCFE) that enables secure aggregation without peer-to-peer aggregator communication or trusted hardware, while preserving model quality. The authors provide a formal security analysis under the Decisional Diffie-Hellman (DDH) assumption and demonstrate, through experiments on MNIST and CIFAR-10, that TAPFed achieves comparable accuracy to baselines while reducing transmission overhead by 29%–45% and defending against gradient inference, disaggregation, and related attacks. They also show TAPFed tolerates limited collusion among aggregators and supports both average and personalized fusion, highlighting practical benefits for cross-silo FL and scalable privacy-preserving deployment.

Abstract

Federated learning is a computing paradigm that enhances privacy by enabling multiple parties to collaboratively train a machine learning model without revealing personal data. However, current research indicates that traditional federated learning platforms are unable to ensure privacy due to privacy leaks caused by the interchange of gradients. To achieve privacy-preserving federated learning, integrating secure aggregation mechanisms is essential. Unfortunately, existing solutions are vulnerable to recently demonstrated inference attacks such as the disaggregation attack. This paper proposes TAPFed, an approach for achieving privacy-preserving federated learning in the context of multiple decentralized aggregators with malicious actors. TAPFed uses a proposed threshold functional encryption scheme and allows for a certain number of malicious aggregators while maintaining security and privacy. We provide formal security and privacy analyses of TAPFed and compare it to various baselines through experimental evaluation. Our results show that TAPFed offers equivalent performance in terms of model quality compared to state-of-the-art approaches while reducing transmission overhead by 29%-45% across different model training scenarios. Most importantly, TAPFed can defend against recently demonstrated inference attacks caused by curious aggregators, which the majority of existing approaches are susceptible to.

Figures (8)

• Figure 1: An illustration of TAPFed system with three independent aggregators including one malicious aggregator.
• Figure 2: An overview of threshold secure aggregation in TAPFed FL system. Note that there is NO NEED for aggregators to communicate with one another.
• Figure 3: Comparison of various baseline approaches in model training loss, model test accuracy, total training time and transmission payload on evaluating MNIST dataset. Note that the reported accuracy is the average accuracy of all parties and our TAPFed employs 2 aggregators with the threshold set as 2.
• Figure 4: Comparison of various baseline approaches in model training loss, model test accuracy, total training time and transmission payload on evaluating CIFAR10 dataset. Note that the reported accuracy is the average accuracy of all parties and our TAPFed employs 2 aggregators with the threshold set as 2.
• Figure 5: Comparison of various baseline approaches in model training loss, model test accuracy, total training time and transmission payload on evaluating MNIST dataset in real distributed setting. Note that the reported accuracy is the average accuracy of all parties.

Theorems & Definitions (6)

• Definition 1: Functionality boneh2011functional
• Definition 2: Functional Encryption Scheme boneh2011functional
• Definition 3: Selective Simulation-based Secure FE abdalla2018multi
• Definition 4: Threshold Functional Encryption Scheme (TFE)
• Theorem 1
• proof