Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A Critical Look into Threshold Homomorphic Encryption for Private Average Aggregation

Miguel Morona-Mínguez, Alberto Pedrouzo-Ulloa, Fernando Pérez-González

TL;DR

This work surveys the use of threshold RLWE-based HE for federated average aggregation and examines the performance impact of using smudging noise with a large variance as a countermeasure and provides a detailed comparison of threshold variants of BFV and CKKS, finding that CKKS-based aggregations perform comparably to BFV-based solutions.

Abstract

Threshold Homomorphic Encryption (Threshold HE) is a good fit for implementing private federated average aggregation, a key operation in Federated Learning (FL). Despite its potential, recent studies have shown that threshold schemes available in mainstream HE libraries can introduce unexpected security vulnerabilities if an adversary has access to a restricted decryption oracle. This oracle reflects the FL clients' capacity to collaboratively decrypt the aggregated result without knowing the secret key. This work surveys the use of threshold RLWE-based HE for federated average aggregation and examines the performance impact of using smudging noise with a large variance as a countermeasure. We provide a detailed comparison of threshold variants of BFV and CKKS, finding that CKKS-based aggregations perform comparably to BFV-based solutions.

A Critical Look into Threshold Homomorphic Encryption for Private Average Aggregation

TL;DR

This work surveys the use of threshold RLWE-based HE for federated average aggregation and examines the performance impact of using smudging noise with a large variance as a countermeasure and provides a detailed comparison of threshold variants of BFV and CKKS, finding that CKKS-based aggregations perform comparably to BFV-based solutions.

Abstract

Threshold Homomorphic Encryption (Threshold HE) is a good fit for implementing private federated average aggregation, a key operation in Federated Learning (FL). Despite its potential, recent studies have shown that threshold schemes available in mainstream HE libraries can introduce unexpected security vulnerabilities if an adversary has access to a restricted decryption oracle. This oracle reflects the FL clients' capacity to collaboratively decrypt the aggregated result without knowing the secret key. This work surveys the use of threshold RLWE-based HE for federated average aggregation and examines the performance impact of using smudging noise with a large variance as a countermeasure. We provide a detailed comparison of threshold variants of BFV and CKKS, finding that CKKS-based aggregations perform comparably to BFV-based solutions.
Paper Structure (13 sections, 2 theorems, 8 equations, 4 figures, 4 tables)

This paper contains 13 sections, 2 theorems, 8 equations, 4 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Main contributions
  3. Notation and structure
  4. Preliminaries: State of the art for HE
  5. Limitations for FL deployment with HE
  6. Security models for HE: From $\mathsf{IND}$-$\mathsf{CPA}$ to $\mathsf{IND}$-$\mathsf{CPA}^\mathsf{D}$
  7. An analysis of Private Aggregation with HE
  8. Background: Single-Key HE
  9. A Protocol for Private Aggregation with Multiparty HE
  10. Multiparty HE with Countermeasures for $\mathsf{IND}$-$\mathsf{CPA}^\mathsf{D}$
  11. Impact of the smudging noise
  12. Comparison analysis between $\mathsf{BFV}$ and $\mathsf{CKKS}$
  13. Conclusions and future work

Key Result

Lemma 1

We follow the notation for $\mathsf{BFV}$ indicated in Table tab:bfv-ckks, and assume that any $e \leftarrow \chi$ satisfies $||e|| \leq B$. For a fresh ciphertext $\mathsf{ct} = (c_0, c_1)$, we have $[c_0 + c_1 \cdot s]_q = \Delta m + e_{\mathsf{ct}}$ with $||e_{\mathsf{ct}}||$$\leq$$(2n+1)B$. This

Figures (4)

  • Figure 1: High-level description of the FL protocol.
  • Figure 2: Protocol for private average aggregation.
  • Figure 3: Comparison of $q$ for $\mathsf{MBFV}$ and $\mathsf{MCKKS}$ varying $\lambda$.
  • Figure 4: Comparison of $q$ for $\mathsf{MBFV}$ and $\mathsf{MCKKS}$ varying $L$.

Theorems & Definitions (7)

  • Definition 1: Additive Homomorphic Encryption
  • Definition 2: Adapted from Def. $1$ in MTH19 to our FL setting
  • Definition 3: Multiparty Additive HE
  • Lemma 1
  • proof
  • Proposition 1
  • proof