SVAFD: A Secure and Verifiable Co-Aggregation Protocol for Federated Distillation
Tian Wen, Sheng Sun, Yuwei Wang, Peiyan Chen, Zhiyuan Wu, Min Liu, Bo Gao
TL;DR
The paper tackles secure aggregation for Federated Distillation in heterogeneous, potentially adversarial settings. It introduces SVAFD, a verifiable co-aggregation protocol built on MM-LCC that separates knowledge filtration, aggregation, and verification, ensuring privacy, integrity, and verifiability even under a malicious server and colluding clients. The approach leverages CAL-based filtration, LCC encoding, bilinear pairing proofs, and a multi-party aggregation scheme to resist poisoning and inference attacks while maintaining efficiency. Experimental results across four FD architectures and standard datasets show improved accuracy and robust defense with acceptable system overhead, highlighting SVAFD's practical impact for secure federated, heterogeneous learning.
Abstract
Secure Aggregation (SA) is an indispensable component of Federated Learning (FL) that concentrates on privacy preservation while allowing for robust aggregation. However, most SA designs rely heavily on the unrealistic assumption of homogeneous model architectures. Federated Distillation (FD), which aggregates locally computed logits instead of model parameters, introduces a promising alternative for cooperative training in heterogeneous model settings. Nevertheless, we recognize two major challenges in implementing SA for FD. (i) Prior SA designs encourage a dominant server, who is solely responsible for collecting, aggregating and distributing. Such central authority facilitates server to forge aggregation proofs or collude to bypass the claimed security guarantees; (ii) Existing SA, tailored for FL models, overlook the intrinsic properties of logits, making them unsuitable for FD. To address these challenges, we propose SVAFD, the first SA protocol that is specifically designed for FD. At a high level, SVAFD incorporates two innovations: (i) a multilateral co-aggregation method tha redefines the responsibilities of clients and server. Clients autonomously evaluate and aggregate logits shares locally with a lightweight coding scheme, while the server handles ciphertext decoding and performs the task of generating verification proofs; (ii) a quality-aware knowledge filtration method that facilitates biased logits exclusion against poisoning attacks. Moreover, SVAFD is resilient to stragglers and colluding clients, making it well-suited for dynamic networks in real-world applications. We have implemented the SVAFD prototype over four emerging FD architectures and evaluated it against poisoning and inference attacks. Results demonstrate that SVAFD improves model accuracy, making it a significant step forward in secure and verifiable aggregation for heterogeneous FL systems.
