Asynchronous Secure Federated Learning with Byzantine aggregators
Antonella Del Pozzo, Achille Desreumaux, Mathieu Gestin, Alexandre Rapetti, Sara Tucci-Piergiovanni
TL;DR
This work tackles privacy-preserving federated learning in asynchronous networks with potentially fully Byzantine aggregators. It introduces aggregator replication, cluster-based two-stage aggregation, LWE-based masking, secret sharing, and differential privacy, all without requiring consensus among aggregators. A verifiable shuffling mechanism and an inclusion scheme ensure fair client participation and mitigate bias, while certification via PVAHSS and threshold signatures validates the aggregation. Empirical results on MNIST show convergence under strong heterogeneity and privacy constraints, with the inclusion mechanism reducing DP noise and improving utility, albeit with a trade-off between the number of aggregators and privacy overhead.
Abstract
Privacy-preserving federated averaging is a central approach for protecting client privacy in federated learning. In this paper, we study this problem in an asynchronous communications setting with malicious aggregators. We propose a new solution to provide federated averaging in this model while protecting the client's data privacy through secure aggregation and differential privacy. Our solution maintains the same performance as the state of the art across all metrics. The main contributions of this paper are threefold. First, unlike existing single- or multi-server solutions, we consider malicious aggregation servers that may manipulate the model to leak clients' data or halt computation. To tolerate this threat, we replicate the aggregators, allowing a fraction of them to be corrupted. Second, we propose a new privacy preservation protocol for protocols in asynchronous communication models with Byzantine aggregators. In this protocol, clients mask their values and add Gaussian noise to their models. In contrast with previous works, we use the replicated servers to unmask the models, while ensuring the liveness of training even if aggregators misbehave. Third, the asynchronous communication model introduces new challenges not present in existing approaches. In such a setting, faster clients may contribute more frequently, potentially reducing their privacy and biasing the training. To address this, we introduce an inclusion mechanism that ensures uniform client participation and balanced privacy budgets. Interestingly, the solution presented in this paper does not rely on agreement between aggregators. Thus, we circumvent the known impossibility of consensus in asynchronous settings where processes might crash. Additionally, this feature increases availability, as a consensus-based algorithm only progresses in periods of low latency.
