Ying Lin,Shengfu Ning,Jianpeng Hu,Jiansong Liu,Yifan Cao,Junyuan Zhang,Huan Pi

DOI: https://doi.org/10.1007/978-3-031-10989-8_4

2022-01-01

Abstract:As a distributed machine learning framework, federated learning enables a multitude of participants to train a joint model privately by keeping training data locally. The federated learning is emerging as a promising alternative to solve data privacy protection, but it has been proven that federated learning is vulnerable to attacks from malicious clients, especially Byzantine attackers sending poisoned parameters during the training phase. To address this problem, several aggregation approaches against Byzantine failures have been proposed. However, these existing aggregation methods are only of limited utility in the setting of privacy protection. This paper proposes a privacy-preserving and Byzantine-robust federated learning framework (PPBR-FL) which achieves the objective to satisfy privacy and robustness simultaneously. We use the local differential privacy mechanism to realize privacy protection for the clients and propose a Byzantine-robust aggregation rule named as TPM (Trimmed Padding Mean) to realize robustness. Extensive experiments on two benchmark datasets demonstrate that the TPM outperforms the classical aggregation approaches in terms of robustness and privacy. When less than half of the workers are Byzantine attackers, the final global model not only achieves satisfactory performance against Byzantine attack, but also provide privacy protection on parameters to prevent privacy disclosure.

Yinuo Chen,Wuzheng Tan,Yijian Zhong,Yulin Kang,Anjia Yang,Jian Weng

DOI: https://doi.org/10.1109/jiot.2024.3434660

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning, as a form of distributed learning, aims to protect local data while utilizing distributed data to train a global model. However, federated learning still faces challenges related to privacy leakage in Internet of Things(IoTs). Researches indicate that server can infer private information from local gradients. Additionally, malicious participants may upload poisoning local models, which contaminate the global model and cause a decline in accuracy. Furthermore, irregular participants with low-quality data in the real world can also impact the performance of the global model. Simultaneously addressing these three issues poses a significant challenge. This is because privacy protection strategies in FL are designed to prevent access to local gradients to avoid information leakage. However, strategies with Byzantine robustness and defense against irregular participants typically require access to local gradients to calculate the reliability of each participant. Therefore, we use secret sharing as the underlying technology to propose a 3PC privacy-preserving federated learning framework BPFL that can resist Byzantine attacks and irregular participants. Compared with previous schemes, our scheme can not only protect data privacy, but also minimize the negative impact of malicious or irregular participants on the global model. We implemented BPFL and compared it with Mkrum and PPFL. Experimental results indicate that our approach maintains high performance when facing malicious attackers and irregular participants.

Chenfei Nie,Qiang Li,Yuxin Yang,Yuede Ji,Binghui Wang

2024-07-29

Abstract:Federated learning (FL) is an emerging distributed learning paradigm without sharing participating clients' private data. However, existing works show that FL is vulnerable to both Byzantine (security) attacks and data reconstruction (privacy) attacks. Almost all the existing FL defenses only address one of the two attacks. A few defenses address the two attacks, but they are not efficient and effective enough. We propose BPFL, an efficient Byzantine-robust and provably privacy-preserving FL method that addresses all the issues. Specifically, we draw on state-of-the-art Byzantine-robust FL methods and use similarity metrics to measure the robustness of each participating client in FL. The validity of clients are formulated as circuit constraints on similarity metrics and verified via a zero-knowledge proof. Moreover, the client models are masked by a shared random vector, which is generated based on homomorphic encryption. In doing so, the server receives the masked client models rather than the true ones, which are proven to be private. BPFL is also efficient due to the usage of non-interactive zero-knowledge proof. Experimental results on various datasets show that our BPFL is efficient, Byzantine-robust, and privacy-preserving.

Cryptography and Security

Zikai Zhang,Rui Hu

DOI: https://doi.org/10.48550/arXiv.2309.03437

IF: 5.414

2023-09-07

Machine Learning

Abstract:Federated learning (FL) is designed to preserve data privacy during model training, where the data remains on the client side (i.e., IoT devices), and only model updates of clients are shared iteratively for collaborative learning. However, this process is vulnerable to privacy attacks and Byzantine attacks: the local model updates shared throughout the FL network will leak private information about the local training data, and they can also be maliciously crafted by Byzantine attackers to disturb the learning. In this paper, we propose a new FL scheme that guarantees rigorous privacy and simultaneously enhances system robustness against Byzantine attacks. Our approach introduces sparsification- and momentum-driven variance reduction into the client-level differential privacy (DP) mechanism, to defend against Byzantine attackers. The security design does not violate the privacy guarantee of the client-level DP mechanism; hence, our approach achieves the same client-level DP guarantee as the state-of-the-art. We conduct extensive experiments on both IID and non-IID datasets and different tasks and evaluate the performance of our approach against different Byzantine attacks by comparing it with state-of-the-art defense methods. The results of our experiments show the efficacy of our framework and demonstrate its ability to improve system robustness against Byzantine attacks while achieving a strong privacy guarantee.

Zhi Lu,Songfeng Lu,Yongquan Cui,Junjun Wu,Hewang Nie,Jue Xiao,Zepu Yi

DOI: https://doi.org/10.1007/978-3-031-69766-1_19

2024-01-01

Abstract:Federated learning (FL) is a distributed machine learning approach that reduces data transfer by aggregating gradients from multiple users. However, this process raises concerns about user privacy, leading to the emergence of privacy preserving FL. Unfortunately, this development poses new Byzantine-robustness challenges as poisoning attacks become difficult to detect. Existing byzantine-robust algorithms operate primarily in plaintext, and crucially, current byzantine-robust privacy FL methods fail to concurrently defend against adaptive attacks. In response, we propose a lightweight, byzantine-robust, and privacy-preserving federated learning framework (LRFL), employing shuffle functions and encryption masks to ensure privacy. In addition, we comprehensively calculate the similarity of the direction and magnitude of each gradient vector to ensure byzantine-robustness. To the best of our knowledge, LRFL is the first byzantine-robust privacy preserving FL capable of identifying malicious users based on gradient angles and magnitudes. What's more, the theoretical complexity of LRFL is O(dN + dN logN), comparable to byzantine-robust FL with user number N and gradient dimension d. Experimental results demonstrate that LRFL achieves similar accuracy to state-of-the-art methods under multiple attack scenarios.

Tao Chen,Xiaofen Wang,Hong-Ning Dai

DOI: https://doi.org/10.1007/978-981-97-5101-3_9

2024-01-01

Abstract:Federated Learning (FL), as an emerging distributed machine learning framework, which shares model gradients instead of raw data, can properly coordinate the contradiction between data sharing and data security under the guidance of laws and regulations and overcome the problem of “Data Silo”. However, the state-of-art federated learning schemes are still facing security challenges, such as single point of failure (SPOF), gradient privacy leakage, and byzantine attacks. To address the above issues, this paper proposes a robustness and privacy-preserving decentralized federated learning system (R-PPDFL). Specifically, a decentralized privacy-preserving federated learning framework based on the blockchain is designed and an improved multi-client functional encryption is proposed, which resolves the issues of SPOF and privacy leakage. Then based on functional encryption and cosine similarity we present a dense model detection method, which can properly defend the byzantine attacks in FL. Ultimately, it evaluates the proposed scheme by providing a theoretical analysis and conducting preliminary experiments on real datasets.

Meng Hao,Hongwei Li,Guowen Xu,Hanxiao Chen,Tianwei Zhang

DOI: https://doi.org/10.1145/3485832.3488014

2021-12-06

Abstract:Federated learning (FL) has demonstrated tremendous success in various mission-critical large-scale scenarios. However, such promising distributed learning paradigm is still vulnerable to privacy inference and byzantine attacks. The former aims to infer the privacy of target participants involved in training, while the latter focuses on destroying the integrity of the constructed model. To mitigate the above two issues, a few works recently explored unified solutions by utilizing generic secure computation techniques and common byzantine-robust aggregation rules, but there are two major limitations: 1) they suffer from impracticality due to efficiency bottlenecks, and 2) they are still vulnerable to various types of attacks because of model incomprehensiveness. To approach the above problems, in this paper, we present SecureFL, an efficient, private and byzantine-robust FL framework. SecureFL follows the state-of-the-art byzantine-robust FL method (FLTrust NDSS’21), which performs comprehensive byzantine defense by normalizing the updates’ magnitude and measuring directional similarity, adapting it to the privacy-preserving context. More importantly, we carefully customize a series of cryptographic components. First, we design a crypto-friendly validity checking protocol that functionally replaces the normalization operation in FLTrust, and further devise tailored cryptographic protocols on top of it. Benefiting from the above optimizations, the communication and computation costs are reduced by half without sacrificing the robustness and privacy protection. Second, we develop a novel preprocessing technique for costly matrix multiplication. With this technique, the directional similarity measurement can be evaluated securely with negligible computation overhead and zero communication cost. Extensive evaluations conducted on three real-world datasets and various neural network architectures demonstrate that SecureFL outperforms prior art up to two orders of magnitude in efficiency with state-of-the-art byzantine robustness.

Honghong Zeng,Jie Li,Jiong Lou,Shijing Yuan,Chentao Wu,Wei Zhao,Sijin Wu,Zhiwen Wang

DOI: https://doi.org/10.1109/tc.2024.3404102

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Federated learning (FL) is a technique that enables clients to collaboratively train a model by sharing local models instead of raw private data. However, existing reconstruction attacks can recover the sensitive training samples from the shared models. Additionally, the emerging poisoning attacks also pose severe threats to the security of FL. However, most existing Byzantine-robust privacy-preserving federated learning solutions either reduce the accuracy of aggregated models or introduce significant computation and communication overheads. In this paper, we propose a novel B lockchain-based S ecure and R obust F ederated L earning (BSR-FL) framework to mitigate reconstruction attacks and poisoning attacks. BSR-FL avoids accuracy loss while ensuring efficient privacy protection and Byzantine robustness. Specifically, we first construct a lightweight non-interactive functional encryption (NIFE) scheme to protect the privacy of local models while maintaining high communication performance. Then, we propose a privacy-preserving defensive aggregation strategy based on NIFE, which can resist encrypted poisoning attacks without compromising model privacy through secure cosine similarity and incentive-based Byzantine-tolerance aggregation. Finally, we utilize the blockchain system to assist in facilitating the processes of federated learning and the implementation of protocols. Extensive theoretical analysis and experiments demonstrate that our new BSR-FL has enhanced privacy security, robustness, and high efficiency.

Zihang Xiang,Tianhao Wang,Wanyu Lin,Di Wang

DOI: https://doi.org/10.1145/3589264

2023-04-16

Abstract:Privacy and Byzantine resilience are two indispensable requirements for a federated learning (FL) system. Although there have been extensive studies on privacy and Byzantine security in their own track, solutions that consider both remain sparse. This is due to difficulties in reconciling privacy-preserving and Byzantine-resilient algorithms. In this work, we propose a solution to such a two-fold issue. We use our version of differentially private stochastic gradient descent (DP-SGD) algorithm to preserve privacy and then apply our Byzantine-resilient algorithms. We note that while existing works follow this general approach, an in-depth analysis on the interplay between DP and Byzantine resilience has been ignored, leading to unsatisfactory performance. Specifically, for the random noise introduced by DP, previous works strive to reduce its impact on the Byzantine aggregation. In contrast, we leverage the random noise to construct an aggregation that effectively rejects many existing Byzantine attacks. We provide both theoretical proof and empirical experiments to show our protocol is effective: retaining high accuracy while preserving the DP guarantee and Byzantine resilience. Compared with the previous work, our protocol 1) achieves significantly higher accuracy even in a high privacy regime; 2) works well even when up to 90% of distributive workers are Byzantine.

Machine Learning,Artificial Intelligence,Cryptography and Security

Xu Ma,Xiaoqian Sun,Yuduo Wu,Zheli Liu,Xiaofeng Chen,Changyu Dong

DOI: https://doi.org/10.1109/tpds.2022.3167434

IF: 5.3

2022-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Federated learning is a collaborative machine learning framework where a global model is trained by different organizations under the privacy restrictions. Promising as it is, privacy and robustness issues emerge when an adversary attempts to infer the private information from the exchanged parameters or compromise the global model. Various protocols have been proposed to counter the security risks, however, it becomes challenging when one wants to make federated learning protocols robust against Byzantine adversaries while preserving the privacy of the individual participant. In this article, we propose a differentially private Byzantine-robust federated learning scheme (DPBFL) with high computation and communication efficiency. The proposed scheme is effective in preventing adversarial attacks launched by the Byzantine participants and achieves differential privacy through a novel aggregation protocol in the shuffle model. The theoretical analysis indicates that the proposed scheme converges to the approximate optimal solution with the learning error dependent on the differential privacy budget and the number of Byzantine participants. Experimental results on MNIST, FashionMNIST and CIFAR10 demonstrate that the proposed scheme is effective and efficient.

Yinbin Miao,Ziteng Liu,Hongwei Li,Kim-Kwang Raymond Choo,Robert H. Deng

DOI: https://doi.org/10.1109/tifs.2022.3196274

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning enables clients to train a machine learning model jointly without sharing their local data. However, due to the centrality of federated learning framework and the untrustworthiness of clients, traditional federated learning solutions are vulnerable to poisoning attacks from malicious clients and servers. In this paper, we aim to mitigate the impact of the central server and malicious clients by designing a Privacy-preserving Byzantine-robust Federated Learning (PBFL) scheme based on blockchain. Specifically, we use cosine similarity to judge the malicious gradients uploaded by malicious clients. Then, we adopt fully homomorphic encryption to provide secure aggregation. Finally, we use blockchain system to facilitate transparent processes and implementation of regulations. Our formal analysis proves that our scheme achieves convergence and provides privacy protection. Our extensive experiments on different datasets demonstrate that our scheme is robust and efficient. Even if the root dataset is small, our scheme can achieve the same efficiency as FedSGD.

Yuping Yan,Mohammed B. M. Kamel,Marcell Zoltay,Marcell Gál,Roland Hollós,Yaochu Jin,Ligeti Péter,Ákos Tényi

DOI: https://doi.org/10.1007/s40747-023-01184-3

IF: 6.7

2023-01-01

Complex & Intelligent Systems

Abstract:Federated learning (FL) draws attention in academia and industry due to its privacy-preserving capability in training machine learning models. However, there are still some critical security attacks and vulnerabilities, including gradients leakage and interference attacks. Meanwhile, communication is another bottleneck in basic FL schemes since large-scale FL parameter transmission leads to inefficient communication, latency, and slower learning processes. To overcome these shortcomings, different communication efficiency strategies and privacy-preserving cryptographic techniques have been proposed. However, a single method can only partially resist privacy attacks. This paper presents a practical, privacy-preserving scheme combining cryptographic techniques and communication networking solutions. We implement Kafka for message distribution, the Diffie–Hellman scheme for secure server aggregation, and gradient differential privacy for interference attack prevention. The proposed approach maintains training efficiency while being able to addressing gradients leakage problems and interference attacks. Meanwhile, the implementation of Kafka and Zookeeper provides asynchronous communication and anonymous authenticated computation with role-based access controls. Finally, we prove the privacy-preserving properties of the proposed solution via security analysis and empirically demonstrate its efficiency and practicality.

Tao Chen,Xiao-Fen Wang,Hong-Ning Dai,Hao-Miao Yang,Rang Zhou,Xiao-Song Zhang

DOI: https://doi.org/10.1109/globecom54140.2023.10437934

2023-01-01

Abstract:Federated Learning (FL) enables participants to collaboratively train a global model by sharing their gradients without the need for uploading privacy-sensitive data. Despite certain privacy preservation of FL, local gradients in plaintext may reveal data privacy when gradient-leakage attacks are launched. To further protect local gradients, privacy-preserving FL schemes have been proposed. However, these existing schemes that require a fully trusted central server are vulnerable to a single point of failure and malicious attacks. Although more robust privacy-preserving decentralized FL schemes have recently been proposed on multiple servers, they will fail to aggregate the local gradients with message transmission errors or data packet dropping out due to the instability of the communication network. To address these challenges, we propose a novel privacy-preserving decentralized FL scheme system based on the blockchain and a modified identity-based homomorphic broadcast encryption algorithm. This scheme achieves both privacy protection and error/dropout tolerance. Security analysis shows that the proposed scheme can protect the privacy of the local gradients against both internal and external adversaries, and protect the privacy of the global gradients against external adversaries. Moreover, it ensures the correctness of local gradients' aggregation even when transmission error or data packet dropout happens. Extensive experiments demonstrate that the proposed scheme guarantees model accuracy and achieves performance efficiency.

Dong Chen,Hongyuan Qu,Guangwu Xu

2024-01-01

Abstract:Privacy attacks and poisoning attacks are two of the thorniest problems in federation learning (FL). Homomorphic encryption (HE), which allows certain mathematical operations to be done in the ciphertext state, provides a way to solve these two problems simultaneously. However, existing Paillier-based and CKKS-based privacy-preserving byzantine-robust FL (PBFL) solutions not only suffer from low efficiency but also expose the final model to the server. Additionally, these methods are limited to one robust aggregation algorithm (AGR) and are therefore vulnerable to AGR-tailored poisoning attacks. In this paper, we present AegisFL, an efficient PBLF system that provides the flexibility to change the AGR. We first observe that the core of the existing advanced AGRs is to calculate the inner products, $L_2$ norms and mean values for vectors. Based on this observation, we tailor a packing scheme for PBFL, which fits perfectly with RLWE-based fully homomorphic encryption. Under this packing scheme, the server only needs to perform one ciphertext multiplication to construct any required AGR, while the global model only belongs to honest clients. Finally, we conduct extensive experiments on different datasets and adversary settings, which also confirm the effectiveness and efficiency of our scheme.

Zheng Yuan,Youliang Tian,Jinbo Xiong,Linjie Wang

DOI: https://doi.org/10.1109/nana63151.2024.00009

2024-01-01

Abstract:Federated learning has garnered considerable attention for its capacity to aggregate efficient and accurate models while preserving user’s data privacy. Nonetheless, conventional federated learning frameworks remain susceptible to malicious threats like collusion and inference attacks. We design a robust and resilient enhancing privacy-preserving federated learning framework based on blockchain (EPFL) to address these threats. Initially, we meticulously design a two-round encryption scheme that allows users to upload encryption gradients while the server can still perform aggregation. Subsequently, a secure communication protocol termed the “server-blockchain-user” is devised based on blockchain architecture. This protocol guarantees the openness, transparency, and traceability of the entire training process, while also offering resilience in users’ drop-out and joining that may arise during the aggregation process. Finally, experimental assessments are conducted to appraise the robustness and accuracy of EPFL. The empirical findings demonstrate that EPFL not only demonstrates robustness against collusion and inference attacks, but also adeptly handles user exits and entries without compromising the confidentiality of user keys. Moreover, EPFL attains model accuracy commensurate with the FedAvg.

Yanbin Li,Xuemei Wang,Runkang Sun,Xiaojun Xie,Shijia Ying,Shougang Ren

DOI: https://doi.org/10.1016/j.knosys.2023.110763

2023-01-01

Abstract:Federated Learning (FL) breaks the “data island” and lets clients cooperate in training a shared model with private data locally. And hierarchical framework is used in FL to alleviate the problem of excessive communication overhead. FL provides a certain degree of privacy, but privacy inference and Byzantine attacks still affect the existing FL methods. Moreover, the parameter server brings new security troubles, and the group size limits the model’s robustness. Thus, this paper presents a new decentralized FL framework called Trustiness-based Hierarchical Decentralized Federated Learning (TH-DFL) via a Security Robust Aggregation (SRA) rule, which introduces a trust mechanism. This study provides privacy protection and robustness even if there are malicious nodes. Besides, it somewhat reduces communication overhead. A series of comparative studies are also implemented to evaluate the performance of the model. In this process, the Gaussian, the bit-flipping, and other attacks are launched in the simulated federated learning. The results show that on the basis of ensuring privacy and robustness, TH-DFL seeks a better balance between privacy and robustness when the size of the group changes.

Kang Wei,Jun Li,Ming Ding,Chuan Ma,Hang Su,Bo Zhang,H. Vincent Poor

2020-01-01

Abstract:As a means of decentralized machine learning, federated learning (FL) has recently drawn considerable attentions. One of the prominent advantages of FL is its capability of preventing clients' data from being directly exposed to external adversaries. Nevertheless, via a viewpoint of information theory, it is still possible for an attacker to steal private information from eavesdropping upon the shared models uploaded by FL clients. In order to address this problem, we develop a novel privacy preserving FL framework based on the concept of differential privacy (DP). To be specific, we first borrow the concept of local DP and introduce a client-level DP (CDP) by adding artificial noises to the shared models before uploading them to servers. Then, we prove that our proposed CDP algorithm can satisfy the DP guarantee with adjustable privacy protection levels by varying the variances of the artificial noises. More importantly, we derive a theoretical convergence upper-bound of the CDP algorithm. Our derived upper-bound reveals that there exists an optimal number of communication rounds to achieve the best convergence performance in terms of loss function values for a given privacy protection level. Furthermore, to obtain this optimal number of communication rounds, which cannot be derived in a closed-form expression, we propose a communication rounds discounting (CRD) method. Compared with the heuristic searching method, our proposed CRD can achieve a much better trade-off between the computational complexity of searching for the optimal number and the convergence performance. Extensive experiments indicate that our CDP algorithm with an optimization on the number of communication rounds using the proposed CRD can effectively improve both the FL training efficiency and FL model quality for a given privacy protection level.

Yisheng Zhong,Li-Ping Wang

2023-12-02

Abstract:Federated Learning (FL) faces two major issues: privacy leakage and poisoning attacks, which may seriously undermine the reliability and security of the system. Overcoming them simultaneously poses a great challenge. This is because privacy protection policies prohibit access to users' local gradients to avoid privacy leakage, while Byzantine-robust methods necessitate access to these gradients to defend against poisoning attacks. To address these problems, we propose a novel privacy-preserving Byzantine-robust FL framework PROFL. PROFL is based on the two-trapdoor additional homomorphic encryption algorithm and blinding techniques to ensure the data privacy of the entire FL process. During the defense process, PROFL first utilize secure Multi-Krum algorithm to remove malicious gradients at the user level. Then, according to the Pauta criterion, we innovatively propose a statistic-based privacy-preserving defense algorithm to eliminate outlier interference at the feature level and resist impersonation poisoning attacks with stronger concealment. Detailed theoretical analysis proves the security and efficiency of the proposed method. We conducted extensive experiments on two benchmark datasets, and PROFL improved accuracy by 39% to 75% across different attack settings compared to similar privacy-preserving robust methods, demonstrating its significant advantage in robustness.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xun Liu,Jiangming Li,Siyang Chen,Xiaofeng Jiang,Feng Yang,Jian Yang

DOI: https://doi.org/10.1145/3661725.3661726

2024-01-01

Abstract:Federated Learning (FL) is a learning architecture in which multiple clients use local data to train gradients and submit them to a server for global aggregation. However, achieving reliable federated learning in untrusted environments is challenging. Malicious users and servers can perform Byzantine attacks to manipulate the global model, and curious servers can also extract user privacy from update gradients. Privacy-preserving methods usually consume many communication and computing resources and are difficult to combine with robust aggregation mechanisms. In this paper, we propose an anomaly gradient detection approach based on cosine distance detection using Shamir secret sharing, which can detect anomalous gradients without exposing the real gradients. Furthermore, we use the blockchain to build a decentralized hierarchical FL framework, eliminating the risk of malicious servers and reducing communication overhead. The experimental results show that our approach can protect user privacy and the reliability of aggregation results simultaneously, and the layered framework can effectively reduce communication overhead.

Kang Wei,Jun Li,Chuan Ma,Ming Ding,H. Vincent Poor

DOI: https://doi.org/10.1007/978-3-030-70604-3_3

2021-01-01

Abstract:Federated learning (FL), a type of collaborative machine learning framework, is capable of helping protect users’ private data while training the data into useful models. Nevertheless, privacy leakage may still happen by analyzing the exchanged parameters, e.g., weights and biases in deep neural networks, between the central server and clients. In this chapter, to effectively prevent information leakage, we investigate a differential privacy mechanism in which, at the clients’ side, artificial noises are added to parameters before uploading. Moreover, we propose a K-client random scheduling policy, in which K clients are randomly selected from a total of N clients to participate in each communication round. Furthermore, a theoretical convergence bound is derived from the loss function of the trained FL model. In detail, considering a fixed privacy level, the theoretical bound reveals that there exists an optimal number of clients K that can achieve the best convergence performance due to the tradeoff between the volume of user data and the variances of aggregated artificial noises. To optimize this tradeoff, we further provide a differentially private FL based client selection (DP-FedCS) algorithm, which can dynamically select the number of training clients. Our experimental results validate our theoretical conclusions and also show that the proposed algorithm can effectively improve both the FL training efficiency and FL model quality for a given privacy protection level.