VFEFL: Privacy-Preserving Federated Learning against Malicious Clients via Verifiable Functional Encryption

Nina Cai, Jinguang Han, Weizhi Meng

TL;DR

This work tackles privacy and security in federated learning by eliminating the need for two non-colluding servers and trusted third parties. It introduces a decentralized verifiable functional encryption (DVFE) scheme and a robust aggregation framework (VFEFL) that enables verifiable, privacy-preserving training against malicious clients in a single-server setting. The authors provide formal constructions, security proofs under standard hardness assumptions, and comprehensive experiments showing maintained fidelity under attack-free conditions and strong robustness against a range of Byzantine attacks. The proposed approach offers a practical, provably secure pathway to trustworthy federated learning with verifiable encrypted aggregation and no reliance on trusted third parties.

Abstract

Federated learning is a promising distributed learning paradigm that enables collaborative model training without exposing local client data, thereby protecting data privacy. However, it also brings new threats and challenges. The advancement of model inversion attacks has rendered the plaintext transmission of local models insecure, while the distributed nature of federated learning makes it particularly vulnerable to attacks launched by malicious clients. To protect data privacy and prevent malicious client attacks, this paper proposes a privacy-preserving federated learning framework based on verifiable functional encryption, without a non-colluding dual-server setup or an additional trusted third party. Specifically, we propose a novel decentralized verifiable functional encryption (DVFE) scheme that enables the verification of specific relationships over multi-dimensional ciphertexts. This scheme is formally treated in terms of definition, security model and security proof. Furthermore, based on the proposed DVFE scheme, we design a privacy-preserving federated learning framework, VFEFL, that incorporates a novel robust aggregation rule to detect malicious clients, enabling the effective training of high-accuracy models under adversarial settings. Finally, we provide formal analysis and empirical evaluation of the proposed schemes. The results demonstrate that our approach achieves the desired privacy protection, robustness, verifiability and fidelity, while eliminating the reliance on non-colluding dual-server settings or trusted third parties required by existing methods.

Paper Structure

This paper contains 34 sections, 11 theorems, 49 equations, 9 figures, 4 tables.

Key Result

Theorem 1

The decentralized verifiable multi-client functional encryption for inner product is static-IND-secure under the DDH, multi-DDH and HSM assumptions, as Definition definition:ind. More precisely, we have where

Figures (9)

  • Figure 1: The workflow and main components of DVFE
  • Figure 2: The workflow and main components of VFEFL
  • Figure 3: Model accuracy on three datasets in the absence of attacks: (a) MNIST, (b) Fashion-MNIST, and (c) CIFAR-10.
  • Figure 4: Model accuracy under different attacks on MNIST: (a) GA, (b) SA, and (c) AA.
  • Figure 5: Model accuracy under different attacks on Fashion-MNIST: (a) GA, (b) SA, and (c) AA.
  • ...and 4 more figures

Theorems & Definitions (30)

  • Definition 1: Private-key Decentralized Verifiable Multi-Client Functional Encryption for Inner Product
  • Theorem 1
  • Proof 1
  • Lemma 1
  • Proof 2
  • Lemma 2
  • Proof 3
  • Lemma 3
  • Proof 4
  • Lemma 4
  • ...and 20 more