BlindFL: Segmented Federated Learning with Fully Homomorphic Encryption

Evan Gronberg, Liv d'Aliberti, Magnus Saebo, Aurora Hook

TL;DR

BlindFL addresses privacy risks in federated learning by combining client model segmentation (CMS) with single-key fully homomorphic encryption (FHE) to enable secure aggregation. CMS reduces encrypted data and computation by requesting only a subset of each client’s parameter matrices, while FHE preserves end-to-end encryption during aggregation; a key distributor manages per-round keys to preserve privacy. The approach demonstrates near-parity in accuracy with full-data baselines on MNIST and CIFAR-10, lowers server-side processing time, and provides resilience against malicious clients by limiting gradient exposure. These results imply practical gains in privacy-preserving FL, especially for edge deployments with limited bandwidth and compute, and establish a foundation for stronger intra-federation security in FHE-based PPFL.

Abstract

Federated learning (FL) is a popular privacy-preserving edge-to-cloud technique used for training and deploying artificial intelligence (AI) models on edge devices. FL aims to secure local client data while also collaboratively training a global model. Under standard FL, clients within the federation send model updates, derived from local data, to a central server for aggregation into a global model. However, extensive research has demonstrated that private data can be reliably reconstructed from these model updates using gradient inversion attacks (GIAs). To protect client data from server-side GIAs, previous FL schemes have employed fully homomorphic encryption (FHE) to secure model updates while still enabling popular aggregation methods. However, current FHE-based FL schemes either incur substantial computational overhead or trade security and/or model accuracy for efficiency. We introduce BlindFL, a framework for global model aggregation in which clients encrypt and send a subset of their local model update. With choice over the subset size, BlindFL offers flexible efficiency gains while preserving full encryption of aggregated updates. Moreover, we demonstrate that implementing BlindFL can substantially lower space and time transmission costs per client, compared with plain FL with FHE, while maintaining global model accuracy. BlindFL also offers additional depth of security. While current single-key, FHE-based FL schemes explicitly defend against server-side adversaries, they do not address the realistic threat of malicious clients within the federation. By contrast, we theoretically and experimentally demonstrate that BlindFL significantly impedes client-side model poisoning attacks, a first for single-key, FHE-based FL schemes.
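A sketch of the segmented aggregation idea described above, added here as an illustration and not taken from the BlindFL paper or its code: each client uploads only the requested subset of its parameter matrices, and the server averages each matrix over the clients that sent it, so any one client's contribution can only enter the matrices it was asked for. The round-robin assignment, the layer names, the sample values and the plaintext arithmetic (no FHE is performed) are all assumptions.

```python
# Added illustration: plaintext stand-in, no encryption is performed.
LAYERS = ["conv1", "conv2", "fc1", "fc2"]  # constructed layer names

def assign_segments(clients, layers, k):
    """Assumed policy: client i is asked for k consecutive matrices, round-robin."""
    n = len(layers)
    return {c: [layers[(i * k + j) % n] for j in range(k)]
            for i, c in enumerate(clients)}

def client_payload(update, requested):
    """A client uploads only the requested matrices of its local update."""
    return {name: update[name] for name in requested}

def aggregate(payloads, global_model):
    """Per-matrix mean over the clients that sent that matrix.

    Uses only element-wise addition and scaling by a public constant,
    the kind of arithmetic an aggregator can apply to FHE ciphertexts.
    A matrix nobody sent keeps its previous global value.
    """
    new_model = {}
    for name, old in global_model.items():
        sent = [p[name] for p in payloads.values() if name in p]
        if not sent:
            new_model[name] = list(old)
            continue
        summed = [sum(col) for col in zip(*sent)]
        new_model[name] = [v / len(sent) for v in summed]
    return new_model

def run_round(updates, k, global_model):
    """Assign segments, collect payloads, and return (plan, new global model)."""
    plan = assign_segments(list(updates), list(global_model), k)
    payloads = {c: client_payload(updates[c], plan[c]) for c in updates}
    return plan, aggregate(payloads, global_model)

def changed_layers(a, b):
    """Names of the matrices whose aggregated values differ between a and b."""
    return sorted(n for n in a if a[n] != b[n])

# Constructed data: 4 clients, flat 2-element "matrices".
GLOBAL = {n: [0.0, 0.0] for n in LAYERS}
HONEST = {f"c{i}": {n: [1.0, 1.0] for n in LAYERS} for i in range(4)}
# Same federation, but c1 submits a manipulated update for every matrix.
POISONED = {**HONEST, "c1": {n: [100.0, -100.0] for n in LAYERS}}

if __name__ == "__main__":
    plan, clean = run_round(HONEST, 2, GLOBAL)
    _, dirty = run_round(POISONED, 2, GLOBAL)
    print(plan["c1"], changed_layers(clean, dirty))
```

With k = 2 of 4 matrices, each client uploads half of its update, and the manipulated values from `c1` change only the two matrices that client was asked for.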

Paper Structure

This paper contains 18 sections, 6 equations, 14 figures, 9 tables, 4 algorithms.

Figures (14)

  • Figure 1: Basic diagram of standard, centralized FL.
  • Figure 2: Diagram displaying the security relationship between client and central server within FHE-based FL. FHE ensures secure aggregation by the central server, but does not defend against malicious clients.
  • Figure 3: Full diagram of BlindFL.
  • Figure 4: Example of the impact of a GIA on an attacked gradient with a varying number of model layers represented from a ConvNet model trained on MNIST.
  • Figure 5: Accuracy averaged over 5 runs, varying client counts and rounds, for a LeNet-5 model trained on the MNIST dataset in a BlindFL federation.
  • ...and 9 more figures