Repurposing Backdoors for Good: Ephemeral Intrinsic Proofs for Verifiable Aggregation in Cross-silo Federated Learning

Xian Qin, Xue Yang, Xiaohu Tang

TL;DR

The paper designs a randomized, single-verifier auditing framework compatible with Secure Aggregation (SA) that ensures client anonymity and prevents signal collision without trusted third parties. It achieves over $1000\times$ speedup on ResNet-18 compared to cryptographic baselines, effectively scaling to large models.

Abstract

While Secure Aggregation (SA) protects update confidentiality in Cross-silo Federated Learning, it fails to guarantee aggregation integrity, allowing malicious servers to silently omit or tamper with updates. Existing verifiable aggregation schemes rely on heavyweight cryptography (e.g., ZKPs, HE), incurring computational costs that scale poorly with model size. In this paper, we propose a lightweight architecture that shifts from extrinsic cryptographic proofs to Intrinsic Proofs. We repurpose backdoor injection to embed verification signals directly into model parameters. By harnessing Catastrophic Forgetting, these signals are robust for immediate verification yet ephemeral, naturally decaying to preserve final model utility. We design a randomized, single-verifier auditing framework compatible with SA, ensuring client anonymity and preventing signal collision without trusted third parties. Experiments on SVHN, CIFAR-10, and CIFAR-100 demonstrate high detection probabilities against malicious servers. Notably, our approach achieves over $1000\times$ speedup on ResNet-18 compared to cryptographic baselines, effectively scaling to large models.

Paper Structure (18 sections, 5 equations, 7 figures, 1 table)

Figures (7)

  • Figure 1: Overview of the proposed verifiable aggregation scheme. In each round, a randomized client is secretly designated as the verifier to embed an Intrinsic Proof into its local update. After aggregation, this verifier checks for the corresponding behavioral response in the global model to confirm honest aggregation.
  • Figure 2: Clean accuracy comparison.
  • Figure 3: ASR under honest aggregation.
  • Figure 4: ASR when the server omits the verifier's gradient every 10 rounds; yellow lines mark omissions.
  • Figure 5: ASR when the server omits the verifier's gradient in 50 random rounds (with $\rho=0.1$, $T=100$).