Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Differential Privacy as a Perk: Federated Learning over Multiple-Access Fading Channels with a Multi-Antenna Base Station

Hao Liang, Haifeng Wen, Kaishun Wu, Hong Xing

TL;DR

This work studies AirFL with a multi‑antenna base station under user‑level differential privacy, showing that channel noise can provide DP without artificial noise in many scenarios. It derives a convergent DP bound for general smooth, non‑convex losses under bounded parameter domains and formulates an optimization over receive beamforming and power to balance convergence and privacy. The authors prove that zero artificial noise is optimal in many cases and identify explicit conditions where DP is gained as a perk, then validate these results with Fashion‑MNIST experiments demonstrating privacy‑convergence trade‑offs and DP‑for‑free in low‑SNR settings. The findings offer a practical, scalable pathway to privacy‑preserving wireless FL that leverages physical layer randomness to achieve strong guarantees without sacrificing training performance, with broad implications for edge learning in wireless networks.

Abstract

Federated Learning (FL) is a distributed learning paradigm that preserves privacy by eliminating the need to exchange raw data during training. In its prototypical edge instantiation with underlying wireless transmissions enabled by analog over-the-air computing (AirComp), referred to as \emph{over-the-air FL (AirFL)}, the inherent channel noise plays a unique role of \emph{frenemy} in the sense that it degrades training due to noisy global aggregation while providing a natural source of randomness for privacy-preserving mechanisms, formally quantified by \emph{differential privacy (DP)}. It remains, nevertheless, challenging to effectively harness such channel impairments, as prior arts, under assumptions of either simple channel models or restricted types of loss functions, mostly considering (local) DP enhancement with a single-round or non-convergent bound on privacy loss. In this paper, we study AirFL over multiple-access fading channels with a multi-antenna base station (BS) subject to user-level DP requirements. Despite a recent study, which claimed in similar settings that artificial noise (AN) must be injected to ensure DP in general, we demonstrate, on the contrary, that DP can be gained as a \emph{perk} even \emph{without} employing any AN. Specifically, we derive a novel bound on DP that converges under general bounded-domain assumptions on model parameters, along with a convergence bound with general smooth and non-convex loss functions. Next, we optimize over receive beamforming and power allocations to characterize the optimal convergence-privacy trade-offs, which also reveal explicit conditions in which DP is achievable without compromising training. Finally, our theoretical findings are validated by extensive numerical results.

Differential Privacy as a Perk: Federated Learning over Multiple-Access Fading Channels with a Multi-Antenna Base Station

TL;DR

This work studies AirFL with a multi‑antenna base station under user‑level differential privacy, showing that channel noise can provide DP without artificial noise in many scenarios. It derives a convergent DP bound for general smooth, non‑convex losses under bounded parameter domains and formulates an optimization over receive beamforming and power to balance convergence and privacy. The authors prove that zero artificial noise is optimal in many cases and identify explicit conditions where DP is gained as a perk, then validate these results with Fashion‑MNIST experiments demonstrating privacy‑convergence trade‑offs and DP‑for‑free in low‑SNR settings. The findings offer a practical, scalable pathway to privacy‑preserving wireless FL that leverages physical layer randomness to achieve strong guarantees without sacrificing training performance, with broad implications for edge learning in wireless networks.

Abstract

Federated Learning (FL) is a distributed learning paradigm that preserves privacy by eliminating the need to exchange raw data during training. In its prototypical edge instantiation with underlying wireless transmissions enabled by analog over-the-air computing (AirComp), referred to as \emph{over-the-air FL (AirFL)}, the inherent channel noise plays a unique role of \emph{frenemy} in the sense that it degrades training due to noisy global aggregation while providing a natural source of randomness for privacy-preserving mechanisms, formally quantified by \emph{differential privacy (DP)}. It remains, nevertheless, challenging to effectively harness such channel impairments, as prior arts, under assumptions of either simple channel models or restricted types of loss functions, mostly considering (local) DP enhancement with a single-round or non-convergent bound on privacy loss. In this paper, we study AirFL over multiple-access fading channels with a multi-antenna base station (BS) subject to user-level DP requirements. Despite a recent study, which claimed in similar settings that artificial noise (AN) must be injected to ensure DP in general, we demonstrate, on the contrary, that DP can be gained as a \emph{perk} even \emph{without} employing any AN. Specifically, we derive a novel bound on DP that converges under general bounded-domain assumptions on model parameters, along with a convergence bound with general smooth and non-convex loss functions. Next, we optimize over receive beamforming and power allocations to characterize the optimal convergence-privacy trade-offs, which also reveal explicit conditions in which DP is achievable without compromising training. Finally, our theoretical findings are validated by extensive numerical results.

Paper Structure

This paper contains 22 sections, 19 theorems, 97 equations, 5 figures, 1 algorithm.

Table of Contents

  1. Introduction
  2. System Model and Problem Formulation
  3. Learning Protocol (Vanilla FL)
  4. Communication Model
  5. Privacy Model
  6. Privacy Analysis
  7. Preliminaries
  8. User-level Privacy Guarantee
  9. Optimal Receive Beamforming for Free-DP AirFL
  10. Convergence Analysis
  11. Problem Formulation
  12. Optimal Solution
  13. Experiments
  14. Experimental Setting
  15. Experimental Analysis
  16. ...and 7 more sections

Key Result

Lemma 3.1

If $\mathcal{M}$ is an $(\alpha,\epsilon^{\prime})$-RDP mechanism, it also satisfies $(\epsilon^{\prime}+\frac{\log1/\delta}{\alpha-1},\delta)$-DP for any $0<\delta<1$.

Figures (5)

  • Figure 1: An overview of the federated learning framework under the considered threat model.
  • Figure 2: An illustration of the RDP privacy loss $\epsilon^{\prime}$ as a function of the total number of communication rounds $T$. For ease of exposition, this plot sets a constant $\phi_t=\phi$ for all $t$. The full analysis and parameter settings used in our experiments are specified in Section \ref{['sec:ex-setting']}.
  • Figure 3: The evolution of the (a) testing accuracy and (b) training loss versus the global communication rounds $T$ with different privacy budgets $\tilde{\epsilon}$.
  • Figure 4: The evolution of the (a) testing accuracy and (b) training loss versus the privacy budget $\tilde{\epsilon}$. Note that benchmarks relate to the case of $\tilde{\epsilon} \to \infty$ and are drawn in the same figure for illustration purposes only.
  • Figure 5: The evolution of the (a) testing accuracy and (b) training loss versus the worst-case SNR, $P \Lambda_{\min}/ \sigma^2$, where $\Lambda_{\min}=(c_l\mathord{\left/\right.\nulldelimiterspace}(4\pi f_c r_{\max}))^2$ and $r_{\max}=1000$. The SNR is varied by adjusting the transmit power $P$.

Theorems & Definitions (26)

  • Definition 2.1: User-Adjacent Datasets mcmahan2017learning
  • Definition 2.2: Differential Privacy dwork2006our
  • Definition 3.1: User-Level Rényi Differential Privacy mironov2017renyi
  • Lemma 3.1: From $(\alpha,\epsilon^{\prime})$-RDP to $(\epsilon,\delta)$-DP mironov2017renyi
  • Definition 3.2: Shifted Rényi Divergence feldman2018privacy
  • Lemma 3.2: Shift-Reduction feldman2018privacy
  • Lemma 3.3: Noisy Smooth-Reduction
  • Proposition 3.1: $(\alpha,\epsilon^{\prime})$-RDP Guarantee for AirFL-DP
  • Corollary 3.1: $(\epsilon,\delta)$-DP Guarantee for AirFL-DP
  • Lemma 4.1: Theorem 4.1 in wen2023convergence
  • ...and 16 more