Shisong Yang,Yuwen Chen,Zhen Yang,Bowen Li,Huan Liu

DOI: https://doi.org/10.1109/tgcn.2023.3277251

2023-01-01

IEEE Transactions on Green Communications and Networking

Abstract:Federated learning has been a paradigm for privacy-preserving machine learning, but recently gradient leakage attacks threaten privacy in federated learning. Secure aggregation for federated learning is an approach to protect users’ privacy from these attacks. Especially in federated learning with large-scale mobile devices, e.g., smartphones, secure aggregation should be dropout-resilient and have low communication overhead in addition to protecting privacy. However, existing studies still suffer from performance degradation and security risk, since the number of the dropped users increases. To address these problems, we propose an effective and high dropout-resilience secure aggregation protocol based on homomorphic Pseudorandom Generator and Paillier, which can guarantee privacy while tolerating up to almost 50% of users dropping out in both the honest but curious and actively malicious settings, and the performance of aggregation in computation and communication is independent to the dropped users. To further improve performance, we reduce the number of the ciphertexts through a homomorphic Pseudorandom Generator in the multiplicative group of integers, and decrease the running time of the server-side aggregation by computing discrete logarithms fast in Paillier. Experimental evaluation shows that the proposed protocol reduces the communication overhead by $3\times $ while achieving $2\times $ computation speedup over the prior dropout-resilience scheme.

Xue Yang,Zifeng Liu,Xiaohu Tang,Rongxing Lu,Bo Liu

2024-05-31

Abstract:With the emergence of privacy leaks in federated learning, secure aggregation protocols that mainly adopt either homomorphic encryption or threshold secret sharing have been widely developed for federated learning to protect the privacy of the local training data of each client. However, these existing protocols suffer from many shortcomings, such as the dependence on a trusted third party, the vulnerability to clients being corrupted, low efficiency, the trade-off between security and fault tolerance, etc. To solve these disadvantages, we propose an efficient and multi-private key secure aggregation scheme for federated learning. Specifically, we skillfully modify the variant ElGamal encryption technique to achieve homomorphic addition operation, which has two important advantages: 1) The server and each client can freely select public and private keys without introducing a trust third party and 2) Compared to the variant ElGamal encryption, the plaintext space is relatively large, which is more suitable for the deep model. Besides, for the high dimensional deep model parameter, we introduce a super-increasing sequence to compress multi-dimensional data into 1-D, which can greatly reduce encryption and decryption times as well as communication for ciphertext transmission. Detailed security analyses show that our proposed scheme achieves the semantic security of both individual local gradients and the aggregated result while achieving optimal robustness in tolerating both client collusion and dropped clients. Extensive simulations demonstrate that the accuracy of our scheme is almost the same as the non-private approach, while the efficiency of our scheme is much better than the state-of-the-art homomorphic encryption-based secure aggregation schemes. More importantly, the efficiency advantages of our scheme will become increasingly prominent as the number of model parameters increases.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Xue Yang,Zifeng Liu,Xiaohu Tang,Rongxing Lu,Bo Liu

DOI: https://doi.org/10.1109/tsc.2024.3451165

IF: 11.019

2024-10-11

IEEE Transactions on Services Computing

Abstract:In light of the emergence of privacy breaches in federated learning, secure aggregation protocols, which mainly adopt either homomorphic encryption or threshold secret sharing techniques, have been extensively developed to preserve the privacy of each client's local gradient. Nevertheless, many existing schemes suffer from either poor capability of privacy protection or expensive computational and communication overheads. Accordingly, in this paper, we propose an efficient and multi-private key secure aggregation scheme for federated learning. Specifically, we skillfully design a multi-private key secure aggregation algorithm that achieves homomorphic addition operation, with two important benefits: 1) both the server and each client can freely select public and private keys without introducing a trusted third party, and 2) the plaintext space is relatively large, making it more suitable for deep models. Besides, for dealing with the high dimensional deep model parameter, we introduce a super-increasing sequence to compress multi-dimensional data into one dimension, which greatly reduces encryption and decryption times as well as communication for ciphertext transmission. Detailed security analyses show that our proposed scheme can achieve semantic security of both individual local gradients and the aggregated result while achieving optimal robustness in tolerating client collusion. Extensive simulations demonstrate that the accuracy of our scheme is almost the same as the non-private approach, while the efficiency of our scheme is much better than the state-of-the-art baselines. More importantly, the efficiency advantages of our scheme will become increasingly prominent as the number of model parameters increases.

computer science, information systems, software engineering

Yiwei Zhang,Rouzbeh Behnia,Attila A. Yavuz,Reza Ebrahimi,Elisa Bertino

2024-10-18

Abstract:Federated learning enables the collaborative learning of a global model on diverse data, preserving data locality and eliminating the need to transfer user data to a central server. However, data privacy remains vulnerable, as attacks can target user training data by exploiting the updates sent by users during each learning iteration. Secure aggregation protocols are designed to mask/encrypt user updates and enable a central server to aggregate the masked information. MicroSecAgg (PoPETS 2024) proposes a single server secure aggregation protocol that aims to mitigate the high communication complexity of the existing approaches by enabling a one-time setup of the secret to be re-used in multiple training iterations. In this paper, we identify a security flaw in the MicroSecAgg that undermines its privacy guarantees. We detail the security flaw and our attack, demonstrating how an adversary can exploit predictable masking values to compromise user privacy. Our findings highlight the critical need for enhanced security measures in secure aggregation protocols, particularly the implementation of dynamic and unpredictable masking strategies. We propose potential countermeasures to mitigate these vulnerabilities and ensure robust privacy protection in the secure aggregation frameworks.

Cryptography and Security,Machine Learning

Xianyu Mu,Youliang Tian,Zhou,Jinbo Xiong

DOI: https://doi.org/10.1109/nana63151.2024.00079

2024-01-01

Abstract:With the increasing awareness of user privacy protection and the improvement of domestic and international privacy protection laws, coalitional learning has become the current machine learning framework to protect user privacy. However, there are still specific security threats in coalitional learning, i.e., semi-honest servers obtain the corresponding privacy information by launching reverse inference attacks on the user’s local model gradient. Although effective against the attacks of semi-honest adversaries, previous research schemes resulted in huge computational costs and poor robustness. Therefore, in this paper, we propose a federated learning security aggregation protocol based on lightweight cryptography algorithms, which can significantly reduce the computational costs at the user’s end and is robust to users offline. First, this paper constructs an efficient secure aggregation protocol based on lightweight cryptographic algorithms, which significantly reduces the computational costs required on the user side. Second, an effective reconfiguration algorithm is designed in order to prevent the aggregation failure caused by the auxiliary computing nodes going offline. Finally, this paper demonstrates the security of the protocol through security analysis. In addition, this paper shows through experimental results that the scheme achieves a significant efficiency improvement, and the number of required communication rounds is reduced to two.

Jiqiang Gao,Baolei Zhang,Xiaojie Guo,Thar Baker,Min Li,Zheli Liu

DOI: https://doi.org/10.1109/tii.2022.3145837

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Big data, due to its promotion for industrial intelligence, has become the cornerstone of the Industry 4.0 era. Federated learning, proposed by Google, can effectively integrate data from different devices and different domains to train models under the premise of privacy preservation. Unfortunately, this new training paradigm faces security risks both on the client side and server side. This article proposes a new federated learning scheme to defend from client-side malicious uploads (e.g., backdoor attacks). In addition, we use cryptography techniques to prevent server-side privacy attacks (e.g., membership inference). The secure partial aggregation protocol we designed improves the privacy and robustness of federated learning. The experiments show that models can achieve high accuracy of over 90% with a proper upload proportion, while the accuracy of the backdoor attack decreased from 99.5% to 0% with the best result. Meanwhile, we prove that our protocol can disable privacy attacks.

Peihua Mai,Ran Yan,Yan Pang

2024-10-26

Abstract:Federated learning (FL) allows multiple devices to train a model collaboratively without sharing their data. Despite its benefits, FL is vulnerable to privacy leakage and poisoning attacks. To address the privacy concern, secure aggregation (SecAgg) is often used to obtain the aggregation of gradients on sever without inspecting individual user updates. Unfortunately, existing defense strategies against poisoning attacks rely on the analysis of local updates in plaintext, making them incompatible with SecAgg. To reconcile the conflicts, we propose a robust federated learning framework against poisoning attacks (RFLPA) based on SecAgg protocol. Our framework computes the cosine similarity between local updates and server updates to conduct robust aggregation. Furthermore, we leverage verifiable packed Shamir secret sharing to achieve reduced communication cost of $O(M+N)$ per user, and design a novel dot product aggregation algorithm to resolve the issue of increased information leakage. Our experimental results show that RFLPA significantly reduces communication and computation overhead by over $75\%$ compared to the state-of-the-art secret sharing method, BREA, while maintaining competitive accuracy.

Cryptography and Security,Artificial Intelligence

Hongyang Yan,Li Hu,Xiaoyu Xiang,Zheli Liu,Xu Yuan

DOI: https://doi.org/10.1016/j.ins.2020.09.064

IF: 8.1

2021-02-01

Information Sciences

Abstract:<p>Collaborative learning and related techniques such as federated learning, allow multiple clients to train a model jointly while keeping their datasets at local. <em>Secure Aggregation</em> in most existing works focus on protecting model gradients from the server. However, an dishonest user could still easily get the privacy information from the other users. It remains a challenge to propose an effective solution to prevent information leakage against dishonest users.</p><p>To tackle this challenge, we propose a novel and effective privacy-preserving collaborative machine learning scheme, targeting at preventing information leakage agains adversaries. Specifically, we first propose a privacy-preserving network transformation method by utilizing Random-Permutation in Software Guard Extensions(SGX), which protects the model parameters from being inferred by a curious server and dishonest clients. Then, we apply Partial-Random Uploading mechanism to mitigate the information inference through visualizations. To further enhance the efficiency, we introduce network pruning operation and employ it to accelerate the convergence of training. We present the formal security analysis to demonstrate that our proposed scheme can preserve privacy while ensuring the convergence and accuracy of secure aggregation. We conduct experiments to show the performance of our solution in terms of accuracy and efficiency. The experimental results show that the proposed scheme is practical.</p>

computer science, information systems

Siqing Zhang,Yong Liao,Pengyuan Zhou

DOI: https://doi.org/10.48550/arXiv.2312.04937

2023-12-11

Abstract:Leveraging federated learning (FL) to enable cross-domain privacy-sensitive data mining represents a vital breakthrough to accomplish privacy-preserving learning. However, attackers can infer the original user data by analyzing the uploaded intermediate parameters during the aggregation process. Therefore, secure aggregation has become a critical issue in the field of FL. Many secure aggregation protocols face the problem of high computation costs, which severely limits their applicability. To this end, we propose AHSecAgg, a lightweight secure aggregation protocol using additive homomorphic masks. AHSecAgg significantly reduces computation overhead without compromising the dropout handling capability or model accuracy. We prove the security of AHSecAgg in semi-honest and active adversary settings. In addition, in cross-silo scenarios where the group of participants is relatively fixed during each round, we propose TSKG, a lightweight Threshold Signature based masking key generation method. TSKG can generate different temporary secrets and shares for different aggregation rounds using the initial key and thus effectively eliminates the cost of secret sharing and key agreement. We prove TSKG does not sacrifice security. Extensive experiments show that AHSecAgg significantly outperforms state-of-the-art mask-based secure aggregation protocols in terms of computational efficiency, and TSKG effectively reduces the computation and communication costs for existing secure aggregation protocols.

Cryptography and Security

Shisong Yang,Yuwen Chen,Shanshan Tu,Zhen Yang

DOI: https://doi.org/10.1145/3586102.3586120

2022-01-01

Abstract:Federated learning is a privacy-preserving machine learning paradigm consisting of local model training, global model aggregation, and global model distribution. Recent research found that model aggregation can reveal the participants’ privacy. To preserve the participants’ privacy, multi-party computation-based secure aggregation is used in federated learning with mobile device participants. The character of the mobile device requires that secure aggregation can be efficient in computation and robust to the dropout. However, prior works need multi rounds, increase computation cost related to the dropped participants, and fails to resist quantum attacks. To solve these issues, we propose a 3-round post-quantum secure protocol for federated learning. In the proposed protocol, single-masking generated by homomorphic Pseudorandom Generator based on learning with round encrypts single user's model. After all the encrypted models are aggregated fast, additively homomorphic decryption based on Shamir secret share guarantee the robustness and performance induced by the dropped participants. All message exchange is based on a post-quantum secure channel constructed with the first post-quantum cryptography standard, Kyber KEM. In post-quantum security, security analysis demonstrates that the proposed protocol can preserve privacy under the sem-honest adversaries setting, and the experimental results show higher running time efficiency.

Marshall Ball,James Bell-Clark,Adria Gascon,Peter Kairouz,Sewoong Oh,Zhiye Xie

2024-10-15

Abstract:Recent advances in differentially private federated learning (DPFL) algorithms have found that using correlated noise across the rounds of federated learning (DP-FTRL) yields provably and empirically better accuracy than using independent noise (DP-SGD). While DP-SGD is well-suited to federated learning with a single untrusted central server using lightweight secure aggregation protocols, secure aggregation is not conducive to implementing modern DP-FTRL techniques without assuming a trusted central server. DP-FTRL based approaches have already seen widespread deployment in industry, albeit with a trusted central curator who provides and applies the correlated noise. To realize a fully private, single untrusted server DP-FTRL federated learning protocol, we introduce secure stateful aggregation: a simple append-only data structure that allows for the private storage of aggregate values and reading linear functions of the aggregates. Assuming Ring Learning with Errors, we provide a lightweight and scalable realization of this protocol for high-dimensional data in a new security/resource model, Federated MPC : where a powerful persistent server interacts with weak, ephemeral clients. We observe that secure stateful aggregation suffices for realizing DP-FTRL-based private federated learning: improving DPFL utility guarantees over the state of the art while maintaining privacy with an untrusted central party. Our approach has minimal overhead relative to existing techniques which do not yield comparable utility. The secure stateful aggregation primitive and the federated MPC paradigm may be of interest for other practical applications.

Cryptography and Security

Fucai Luo,Saif Al-Kuwari,Haiyan Wang,Xingfu Yan

2023-05-22

Abstract:Federated learning (FL) allows a large number of clients to collaboratively train machine learning (ML) models by sending only their local gradients to a central server for aggregation in each training iteration, without sending their raw training data. Unfortunately, recent attacks on FL demonstrate that local gradients may leak information about local training data. In response to such attacks, Bonawitz \textit{et al.} (CCS 2017) proposed a secure aggregation protocol that allows a server to compute the sum of clients' local gradients in a secure manner. However, their secure aggregation protocol requires at least 4 rounds of communication between each client and the server in each training iteration. The number of communication rounds is closely related not only to the total communication cost but also the ML model accuracy, as the number of communication rounds affects client dropouts. In this paper, we propose FSSA, a 3-round secure aggregation protocol, that is efficient in terms of computation and communication, and resilient to client dropouts. We prove the security of FSSA in honest-but-curious setting and show that the security can be maintained even if an arbitrarily chosen subset of clients drop out at any time. We evaluate the performance of FSSA and show that its computation and communication overhead remains low even on large datasets. Furthermore, we conduct an experimental comparison between FSSA and Bonawitz \textit{et al.}'s protocol. The comparison results show that, in addition to reducing the number of communication rounds, FSSA achieves a significant improvement in computational efficiency.

Cryptography and Security

Qi Gao,Yi Sun,Xingyuan Chen,Fan Yang,Youhe Wang

DOI: https://doi.org/10.3390/electronics13040671

IF: 2.9

2024-02-07

Electronics

Abstract:The federated learning on large-scale mobile terminals and Internet of Things (IoT) devices faces the issues of privacy leakage, resource limitation, and frequent user dropouts. This paper proposes an efficient secure aggregation method based on multi-homomorphic attributes to realize the privacy-preserving aggregation of local models while ensuring low overhead and tolerating user dropouts. First, based on EC-ElGamal, the homomorphic pseudorandom generator, and the Chinese remainder theorem, an efficient random mask secure aggregation method is proposed, which can efficiently aggregate random masks and protect the privacy of the masks while introducing secret sharing to achieve tolerance of user dropout. Then, an efficient federated learning secure aggregation method is proposed, which guarantees that the computation and communication overheads of users are only O(L); also, the method only performs two rounds of communication to complete the aggregation and allows user dropout, and the aggregation time does not increase with the dropout rate, so it is suitable for resource-limited devices. Finally, the correctness, security, and performance of the proposed method are analyzed and evaluated. The experimental results indicate that the aggregation time of the proposed method is linearly related to the number of users and the model size, and it decreases as the number of dropped out users increases. Compared to other schemes, the proposed method significantly improves the aggregation efficiency and has stronger dropout tolerance, and it improves the efficiency by about 24 times when the number of users is 500 and the dropout rate is 30%.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jien Kim,Gunryeong Park,Miseung Kim,Soyoung Park

DOI: https://doi.org/10.3390/electronics12040870

IF: 2.9

2023-02-09

Electronics

Abstract:In order to protect each node's local learning parameters from model inversion attacks, secure aggregation has become the essential technique for federated learning so that the federated learning server knows only the combined result of all local parameters. In this paper, we introduced a novel cluster-based secure aggregation model that effectively deals with dropout nodes while reducing communicational and computational overheads. Specifically, we considered a federated learning environment with heterogeneous devices deployed across the country. The computing power of each node and the amount of training data can be heterogeneous. Because of this, each node had a different local processing time, and the response time to the server is also different. To clearly determine the dropout nodes in this environment, our model clusters nodes with similar response times based on each node's local processing time and location and then performs the aggregation on a pre-cluster basis. In addition, we propose a new practical additive sharing-based masking protocol to hide the actual local updates of nodes during aggregation. The new masking protocol makes it easy to remove the share of dropout nodes from the aggregation without using a (t, n) threshold scheme, and updates from dropout nodes are still secure even if they are delivered to the server after the dropout shares have been revealed. In addition, our model provides mask verification for reliable aggregation. Nodes can publicly verify the correctness and integrity of the masks received from others using a discrete logarithm problem before the aggregation. As a result, the proposed aggregation model is robust to dropout nodes and ensures the privacy of local updates if at least three honest nodes are alive in each cluster. Since the masking process is performed on a cluster basis, our model effectively reduces the overhead of generating and sharing the masking value. For an average cluster size C and a total number of nodes N, the computation and communication cost of each node is O(C), the computation cost of the server is O(N), and the communication cost is O(NC). We analyzed the security and efficiency of our protocol by simulating diverse dropout scenarios. The simulated results showed that our cluster-based secure aggregation outputs about a 91% learning accuracy regardless of dropout rate with four clusters for one hundred nodes.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yuqi Zhang,Xiangyang Li,Qingcai Luo,Yang Wang,Yanzhao Shen

DOI: https://doi.org/10.1145/3625343.3625344

2023-01-01

Abstract:In recent years, Federal Learning has received much attention becourse it can train models by updating gradients without contacting users’ true data. However, adversaries also can track users’ privacy from the shared gradient. In this paper, we aim to solve three major issues during the process of federated learning: 1) how to protect users’ privacy during training; 2) How to verify the correctness of the aggregation results returned from the server; 3) How to reduce communication costs while ensuring training security. So we propose a verifiable aggregation scheme that can effectively verify the results of server aggregation. Specifically, we follow the classic double mask aggregation scheme, and use Paillier homomorphic encryption algorithm to implement the message authentication code with additive homomorphic property. Users can compare their local codes with server’s aggregation results to verify the correctness of the aggregation results and improve model’s accuracy. In our framework, we adopt a Top-k gradient selection scheme to reduce models’ communication and computing overhead. Experimental results indicate that our training framework is feasible and efficient.

Sizai Hou,Songze Li,Tayyebeh Jahani-Nezhad,Giuseppe Caire

2024-07-12

Abstract:Federated learning (FL) has recently gained significant momentum due to its potential to leverage large-scale distributed user data while preserving user privacy. However, the typical paradigm of FL faces challenges of both privacy and robustness: the transmitted model updates can potentially leak sensitive user information, and the lack of central control of the local training process leaves the global model susceptible to malicious manipulations on model updates. Current solutions attempting to address both problems under the one-server FL setting fall short in the following aspects: 1) designed for simple validity checks that are insufficient against advanced attacks (e.g., checking norm of individual update); and 2) partial privacy leakage for more complicated robust aggregation algorithms (e.g., distances between model updates are leaked for multi-Krum). In this work, we formalize a novel security notion of aggregated privacy that characterizes the minimum amount of user information, in the form of some aggregated statistics of users' updates, that is necessary to be revealed to accomplish more advanced robust aggregation. We develop a general framework PriRoAgg, utilizing Lagrange coded computing and distributed zero-knowledge proof, to execute a wide range of robust aggregation algorithms while satisfying aggregated privacy. As concrete instantiations of PriRoAgg, we construct two secure and robust protocols based on state-of-the-art robust algorithms, for which we provide full theoretical analyses on security and complexity. Extensive experiments are conducted for these protocols, demonstrating their robustness against various model integrity attacks, and their efficiency advantages over baselines.

Cryptography and Security

Rouzbeh Behnia,Mohammadreza Ebrahimi,Arman Riasi,Sherman S. M. Chow,Balaji Padmanabhan,Thang Hoang

2023-08-31

Abstract:Secure aggregation protocols ensure the privacy of users' data in the federated learning settings by preventing the disclosure of users' local gradients. Despite their merits, existing aggregation protocols often incur high communication and computation overheads on the participants and might not be optimized to handle the large update vectors for machine learning models efficiently. This paper presents e-SeaFL, an efficient, verifiable secure aggregation protocol taking one communication round in aggregation. e-SeaFL allows the aggregation server to generate proof of honest aggregation for the participants. Our core idea is to employ a set of assisting nodes to help the aggregation server, under similar trust assumptions existing works placed upon the participating users. For verifiability, e-SeaFL uses authenticated homomorphic vector commitments. Our experiments show that the user enjoys five orders of magnitude higher efficiency than the state of the art (PPML 2022) for a gradient vector of a high dimension up to $100,000$.

Cryptography and Security

Zhuosheng Zhang,Jiarui Li,Shucheng Yu,Christian Makaya

DOI: https://doi.org/10.1109/TIFS.2023.3280032

2021-09-03

Abstract:For model privacy, local model parameters in federated learning shall be obfuscated before sent to the remote aggregator. This technique is referred to as \emph{secure aggregation}. However, secure aggregation makes model poisoning attacks such backdooring more convenient considering that existing anomaly detection methods mostly require access to plaintext local models. This paper proposes SAFELearning which supports backdoor detection for secure aggregation. We achieve this through two new primitives - \emph{oblivious random grouping (ORG)} and \emph{partial parameter disclosure (PPD)}. ORG partitions participants into one-time random subgroups with group configurations oblivious to participants; PPD allows secure partial disclosure of aggregated subgroup models for anomaly detection without leaking individual model privacy. SAFELearning can significantly reduce backdoor model accuracy without jeopardizing the main task accuracy under common backdoor strategies. Extensive experiments show SAFELearning is robust against malicious and faulty participants, whilst being more efficient than the state-of-art secure aggregation protocol in terms of both communication and computation costs.

Cryptography and Security,Artificial Intelligence,Distributed, Parallel, and Cluster Computing

Irem Ergun,Hasin Us Sami,Basak Guler

DOI: https://doi.org/10.48550/arXiv.2112.12872

2021-12-24

Abstract:Secure aggregation is a popular protocol in privacy-preserving federated learning, which allows model aggregation without revealing the individual models in the clear. On the other hand, conventional secure aggregation protocols incur a significant communication overhead, which can become a major bottleneck in real-world bandwidth-limited applications. Towards addressing this challenge, in this work we propose a lightweight gradient sparsification framework for secure aggregation, in which the server learns the aggregate of the sparsified local model updates from a large number of users, but without learning the individual parameters. Our theoretical analysis demonstrates that the proposed framework can significantly reduce the communication overhead of secure aggregation while ensuring comparable computational complexity. We further identify a trade-off between privacy and communication efficiency due to sparsification. Our experiments demonstrate that our framework reduces the communication overhead by up to 7.8x, while also speeding up the wall clock training time by 1.13x, when compared to conventional secure aggregation benchmarks.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing,Information Theory