Verifiability and Privacy in Federated Learning through Context-Hiding Multi-Key Homomorphic Authenticators

TL;DR

The paper tackles the risk of a dishonest aggregator in federated learning by proposing a verifiable FL protocol that preserves client privacy. It combines a masking-based secure aggregation scheme with a Context-Hiding Identity-based Multi-Key Linearly Homomorphic Authenticator, enabling clients to verify the aggregated result without exposing their updates. The approach demonstrates scalability to models with millions of parameters and reports low overhead for authenticators: around $2.8$ seconds for authenticator generation per client on a 1M-parameter model, roughly $10$ ms for per-client verification, and a few milliseconds for server-side aggregation even with thousands of clients, alongside modest communication costs. The work offers a practical, open-source solution to ensure aggregator integrity in FL, with potential extensions to handle dropout clients and broader deployments.

Abstract

Federated Learning has rapidly expanded from its original inception to now have a large body of research, several frameworks, and sold in a variety of commercial offerings. Thus, its security and robustness is of significant importance. There are many algorithms that provide robustness in the case of malicious clients. However, the aggregator itself may behave maliciously, for example, by biasing the model or tampering with the weights to weaken the models privacy. In this work, we introduce a verifiable federated learning protocol that enables clients to verify the correctness of the aggregators computation without compromising the confidentiality of their updates. Our protocol uses a standard secure aggregation technique to protect individual model updates with a linearly homomorphic authenticator scheme that enables efficient, privacy-preserving verification of the aggregated result. Our construction ensures that clients can detect manipulation by the aggregator while maintaining low computational overhead. We demonstrate that our approach scales to large models, enabling verification over large neural networks with millions of parameters.

Figures (4)

• Figure 1: Overview of the protocol phases. In the Initialization phase, clients agree on shared secrets, generate key pairs, and publish verification keys to the Bulletin Board. During the Clients' Computation phase, each client masks and computes authenticators over its local model update. In the Aggregation phase, the server aggregates the masked updates and the corresponding authenticators. Finally, in the Client's Verification phase, each client verifies the correctness of the aggregated result using the returned authenticators. For simplicity, the illustration shows a single protocol round, assuming that all participants follow the same procedure.
• Figure 2: Computation overhead in the Clients' Computation phase. The plot reports the average time a single client requires to generate authenticators over model updates of varying sizes. Results are averaged over 10 runs.
• Figure 3: Computation overhead in the Aggregation phase. The plot reports the average time required by the server to aggregate authenticators from different numbers of clients. Results are averaged over 10 runs.
• Figure 4: Computation overhead in the Client’s Verification phase. The plot shows the average time required by a single client to verify the aggregated authenticator for model updates of varying sizes. Results are averaged over 10 runs.