FuSeFL: Fully Secure and Scalable Federated Learning
Sahar Ghoflsaz Ghinani, Elaheh Sadredini
TL;DR
FuSeFL tackles the critical need for fully secure and scalable federated learning by decentralizing training across client pairs and confining server work to lightweight secure aggregation and routing. It achieves end-to-end confidentiality of data, model, and updates through MPC-based secret sharing between client pairs and two non-colluding aggregation servers, with a trusted mix node facilitating anonymous pairing. The framework introduces risk-aware dynamic client grouping and two training modes (Serial and Parallel) to balance accuracy, latency, and memory, yielding up to 13× training speedups and roughly 50% server memory savings over baselines while maintaining competitive accuracy on MNIST. This approach significantly improves practicality for large-scale, regulated cross-silo deployments by mitigating server bottlenecks and reducing resource demands without sacrificing privacy guarantees.
Abstract
Federated Learning (FL) enables collaborative model training without centralizing client data, making it attractive for privacy-sensitive domains. While existing approaches employ cryptographic techniques such as homomorphic encryption, differential privacy, or secure multiparty computation to mitigate inference attacks, including model inversion, membership inference, and gradient leakage, they often suffer from high computational and memory overheads. Moreover, many methods overlook the confidentiality of the global model itself, which may be proprietary and sensitive. These challenges limit the practicality of secure FL, especially in settings that involve large datasets and strict compliance requirements. We present FuSeFL, a Fully Secure and scalable FL scheme, which decentralizes training across client pairs using lightweight MPC, while confining the server's role to secure aggregation, client pairing, and routing. This design eliminates server bottlenecks, avoids full data offloading, and preserves full confidentiality of data, model, and updates throughout training. In our experiments, FuSeFL defends against unauthorized observation, reconstruction attacks, and inference attacks such as gradient leakage, membership inference, and inversion attacks, while achieving up to $13\times$ speedup in training time and 50% lower server memory usage compared to our baseline.
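The two-server aggregation idea described above can be illustrated with plain additive secret sharing. This is an added example, not code from the paper or from FuSeFL: it assumes each client pair holds its update as two additive shares in the ring Z_{2^64} with 16 fractional bits, and that each pair member sends its share to a different aggregation server. All function names and sample updates are constructed for illustration.

```python
import secrets

RING_BITS = 64            # assumption: shares live in Z_{2^64}
MOD = 1 << RING_BITS
FRAC_BITS = 16            # assumption: fixed-point scale of 2^16

def encode(x):
    """Real value -> ring element (two's-complement fixed point)."""
    return round(x * (1 << FRAC_BITS)) % MOD

def decode(v):
    """Ring element -> real value; the upper half of the ring is negative."""
    if v >= MOD // 2:
        v -= MOD
    return v / (1 << FRAC_BITS)

def share(update):
    """Split one pair's update into two additive shares, one per pair member."""
    s0 = [secrets.randbelow(MOD) for _ in update]            # uniform mask
    s1 = [(encode(x) - r) % MOD for x, r in zip(update, s0)]
    return s0, s1

def server_sum(shares):
    """One aggregation server's whole job: add the shares it received."""
    return [sum(col) % MOD for col in zip(*shares)]

def aggregate(pair_updates):
    """Server A sees only first shares, server B only second shares."""
    shared = [share(u) for u in pair_updates]
    agg_a = server_sum([s0 for s0, _ in shared])
    agg_b = server_sum([s1 for _, s1 in shared])
    return agg_a, agg_b   # the aggregate itself stays in shared form

def reconstruct(agg_a, agg_b):
    """Only a party holding BOTH servers' outputs recovers the aggregate."""
    return [decode((a + b) % MOD) for a, b in zip(agg_a, agg_b)]

# Constructed sample: three client pairs, three-parameter updates.
PAIR_UPDATES = [[0.25, -1.5, 0.0], [-0.75, 0.5, 2.0], [0.5, 0.25, -0.125]]

if __name__ == "__main__":
    a, b = aggregate(PAIR_UPDATES)
    print("server A alone decodes to:", [decode(v) for v in a])  # noise
    print("combined aggregate:", reconstruct(a, b))
```

Each server's view is uniformly random on its own, so the non-collusion assumption carries the confidentiality of both the individual updates and the aggregated model.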
