Chenkai Zeng,Debiao He,Qi Feng,Xiaolin Yang,Qingcai Luo

DOI: https://doi.org/10.1109/tifs.2024.3461408

IF: 7.231

2024-10-15

IEEE Transactions on Information Forensics and Security

Abstract:Generative Pretrained Transformer (GPT) is an advanced natural language processing (NLP) model and is excellent at understanding and generating human language. As GPT is increasingly utilized, more and more cloud inference services for pre-trained generative models are being offered. However, when users upload their data to cloud servers to experience cloud inference services, ensuring the privacy and security of their data becomes a challenge. Thus, in this work, we present SecureGPT, a framework for multi-party privacy-preserving transformer inference in GPT and design a series of building blocks which include M2A (conversion of multiplicative share to additive share), truncation, division, softmax and GELU protocols for our framework. Specifically, we follow the work of SecureNLP and further explore the M2A protocol for non-linear functions such as GELU and softmax. We also design multi-party private protocols for GPT's transformer sub-layers. Finally we prove the security of our framework in the semi-honest adversary model with all-but-one corruptions. we evaluate the runtime of our framework under different parties settings and our implementation leads to up to improvement compared to state-of-the-art works.

computer science, theory & methods,engineering, electrical & electronic

Jianping Wu,Chunming Wu,Chaochao Chen,Jiahe Jin,Chuan Zhou

DOI: https://doi.org/10.3390/math12162479

IF: 2.4

2024-01-01

Mathematics

Abstract:Federated learning (FL) demonstrates significant potential in Industrial Internet of Things (IIoT) settings, as it allows multiple institutions to jointly construct a shared learning model by exchanging model parameters or gradient updates without the need to transmit raw data. However, FL faces risks related to data poisoning and model poisoning. To address these issues, we propose an efficient verifiable federated learning (EVFL) method, which integrates adaptive gradient sparsification (AdaGS), Boneh–Lynn–Shacham (BLS) signatures, and fully homomorphic encryption (FHE). The combination of BLS signatures and the AdaGS algorithm is used to build a secure aggregation protocol. These protocols verify the integrity of parameters uploaded by industrial agents and the consistency of the server’s aggregation results. Simulation experiments demonstrate that the AdaGS algorithm significantly reduces verification overhead through parameter sparsification and reuse. Our proposed algorithm achieves better verification efficiency compared to existing solutions.

Benxin Yin,Hanlin Zhang,Jie Lin,Fanyu Kong,Leyun Yu

DOI: https://doi.org/10.1016/j.cose.2024.103700

IF: 5.105

2024-01-11

Computers & Security

Abstract:Machine learning has been applied in a wide range of various fields. To train more effective control models, it is a trend for organizations holding their private data to collaborate with others, which raises privacy problems. Federated learning allows multiple participants to train learning models collaboratively without sharing their private training data but only the gradient. Nonetheless, recent researches show that sharing the gradient can also cause the original data leakage. To eliminate the data leakage of federated learning, in this paper, we propose a secure multiparty federated learning control system, including a secure training process and a secure prediction process. In the training process, data providers train the learning model collaboratively without disclosing local data. The trained model can be verified by participants. The data providers can then provide users with prediction services based on the trained model. In the prediction process, data providers cannot access the user data, and users cannot obtain the model. Also, the prediction result can be verified by users. We carry out comprehensive experiments to demonstrate the effectiveness of our proposed scheme.

computer science, information systems

Prajwal Panzade,Daniel Takabi,Zhipeng Cai

2024-02-14

Abstract:In today's machine learning landscape, fine-tuning pretrained transformer models has emerged as an essential technique, particularly in scenarios where access to task-aligned training data is limited. However, challenges surface when data sharing encounters obstacles due to stringent privacy regulations or user apprehension regarding personal information disclosure. Earlier works based on secure multiparty computation (SMC) and fully homomorphic encryption (FHE) for privacy-preserving machine learning (PPML) focused more on privacy-preserving inference than privacy-preserving training. In response, we introduce BlindTuner, a privacy-preserving fine-tuning system that enables transformer training exclusively on homomorphically encrypted data for image classification. Our extensive experimentation validates BlindTuner's effectiveness by demonstrating comparable accuracy to non-encrypted models. Notably, our findings highlight a substantial speed enhancement of 1.5x to 600x over previous work in this domain.

Machine Learning,Artificial Intelligence,Cryptography and Security

Yifeng Zheng,Shuangqing Xu,Songlei Wang,Yansong Gao,Zhongyun Hua

2023-06-03

Abstract:Vertical federated learning (VFL) has recently emerged as an appealing distributed paradigm empowering multi-party collaboration for training high-quality models over vertically partitioned datasets. Gradient boosting has been popularly adopted in VFL, which builds an ensemble of weak learners (typically decision trees) to achieve promising prediction performance. Recently there have been growing interests in using decision table as an intriguing alternative weak learner in gradient boosting, due to its simpler structure, good interpretability, and promising performance. In the literature, there have been works on privacy-preserving VFL for gradient boosted decision trees, but no prior work has been devoted to the emerging case of decision tables. Training and inference on decision tables are different from that the case of generic decision trees, not to mention gradient boosting with decision tables in VFL. In light of this, we design, implement, and evaluate Privet, the first system framework enabling privacy-preserving VFL service for gradient boosted decision tables. Privet delicately builds on lightweight cryptography and allows an arbitrary number of participants holding vertically partitioned datasets to securely train gradient boosted decision tables. Extensive experiments over several real-world datasets and synthetic datasets demonstrate that Privet achieves promising performance, with utility comparable to plaintext centralized learning.

Cryptography and Security

Qun Zhou,Wenting Shen

DOI: https://doi.org/10.1007/s10586-024-04558-5

2024-06-17

Cluster Computing

Abstract:Federated learning, as an emerging framework for distributed machine learning, has received widespread attention. In federated learning, the cloud server and the users cooperatively train a model by sharing gradients rather than local private data. However, the users' private data may still be exposed by the shared gradients. Furthermore, the cloud server may perform incorrect aggregation operations on the gradients sent by users and send a forged or previous aggregated gradient to the users. In this paper, we propose PPFLV, a privacy-preserving federated learning scheme with verifiability. Specifically, to protect the users' privacy, we design an efficient double gradient blinding and encryption method to blind and encrypt the users' local gradients. Furthermore, we propose a novel double gradient verification method that can achieve secure verification while resisting replay attacks in the verification phase. With the proposed verification method, the users only require to perform lightweight operations to verify the correctness of the aggregated encrypted gradients and recover the aggregated gradient from the aggregated encrypted gradients. The experimental results show that PPFLV achieves comparable classification accuracy to the basic federated learning scheme while providing privacy protection and verifiability. Furthermore, PPFLV exhibits lower computation and communication overhead compared to related schemes.

computer science, information systems, theory & methods

Jianyi Zhang,Saeed Vahidian,Martin Kuo,Chunyuan Li,Ruiyi Zhang,Tong Yu,Yufan Zhou,Guoyin Wang,Yiran Chen

2024-01-30

Abstract:While "instruction-tuned" generative large language models (LLMs) have demonstrated an impressive ability to generalize to new tasks, the training phases heavily rely on large amounts of diverse and high-quality instruction data (such as ChatGPT and GPT-4). Unfortunately, acquiring high-quality data, especially when it comes to human-written data, can pose significant challenges both in terms of cost and accessibility. Moreover, concerns related to privacy can further limit access to such data, making the process of obtaining it a complex and nuanced undertaking. Consequently, this hinders the generality of the tuned models and may restrict their effectiveness in certain contexts. To tackle this issue, our study introduces a new approach called Federated Instruction Tuning (FedIT), which leverages federated learning (FL) as the learning framework for the instruction tuning of LLMs. This marks the first exploration of FL-based instruction tuning for LLMs. This is especially important since text data is predominantly generated by end users. Therefore, it is imperative to design and adapt FL approaches to effectively leverage these users' diverse instructions stored on local devices, while preserving privacy and ensuring data security. In the current paper, by conducting widely used GPT-4 auto-evaluation, we demonstrate that by exploiting the heterogeneous and diverse sets of instructions on the client's end with the proposed framework FedIT, we improved the performance of LLMs compared to centralized training with only limited local instructions. Further, in this paper, we developed a Github repository named Shepherd. This repository offers a foundational framework for exploring federated fine-tuning of LLMs using heterogeneous instructions across diverse categories.

Computation and Language,Distributed, Parallel, and Cluster Computing,Systems and Control

Boxin Wang,Weixin Chen,Hengzhi Pei,Chulin Xie,Mintong Kang,Chenhui Zhang,Chejian Xu,Zidi Xiong,Ritik Dutta,Rylan Schaeffer,Sang T. Truong,Simran Arora,Mantas Mazeika,Dan Hendrycks,Zinan Lin,Yu Cheng,Sanmi Koyejo,Dawn Song,Bo Li

2024-02-27

Abstract:Generative Pre-trained Transformer (GPT) models have exhibited exciting progress in their capabilities, capturing the interest of practitioners and the public alike. Yet, while the literature on the trustworthiness of GPT models remains limited, practitioners have proposed employing capable GPT models for sensitive applications such as healthcare and finance -- where mistakes can be costly. To this end, this work proposes a comprehensive trustworthiness evaluation for large language models with a focus on GPT-4 and GPT-3.5, considering diverse perspectives -- including toxicity, stereotype bias, adversarial robustness, out-of-distribution robustness, robustness on adversarial demonstrations, privacy, machine ethics, and fairness. Based on our evaluations, we discover previously unpublished vulnerabilities to trustworthiness threats. For instance, we find that GPT models can be easily misled to generate toxic and biased outputs and leak private information in both training data and conversation history. We also find that although GPT-4 is usually more trustworthy than GPT-3.5 on standard benchmarks, GPT-4 is more vulnerable given jailbreaking system or user prompts, potentially because GPT-4 follows (misleading) instructions more precisely. Our work illustrates a comprehensive trustworthiness evaluation of GPT models and sheds light on the trustworthiness gaps. Our benchmark is publicly available at <a class="link-external link-https" href="https://decodingtrust.github.io/" rel="external noopener nofollow">this https URL</a> ; our dataset can be previewed at <a class="link-external link-https" href="https://huggingface.co/datasets/AI-Secure/DecodingTrust" rel="external noopener nofollow">this https URL</a> ; a concise version of this work is at <a class="link-external link-https" href="https://openreview.net/pdf?id=kaHpo8OZw2" rel="external noopener nofollow">this https URL</a> .

Computation and Language,Artificial Intelligence,Cryptography and Security

Yuezhou Wu,Yan Kang,Jiahuan Luo,Yuanqin He,Qiang Yang

DOI: https://doi.org/10.24963/ijcai.2022/324

2024-07-07

Abstract:Federated learning (FL) aims to protect data privacy by enabling clients to build machine learning models collaboratively without sharing their private data. Recent works demonstrate that information exchanged during FL is subject to gradient-based privacy attacks, and consequently, a variety of privacy-preserving methods have been adopted to thwart such attacks. However, these defensive methods either introduce orders of magnitude more computational and communication overheads (e.g., with homomorphic encryption) or incur substantial model performance losses in terms of prediction accuracy (e.g., with differential privacy). In this work, we propose $\textsc{FedCG}$, a novel federated learning method that leverages conditional generative adversarial networks to achieve high-level privacy protection while still maintaining competitive model performance. $\textsc{FedCG}$ decomposes each client's local network into a private extractor and a public classifier and keeps the extractor local to protect privacy. Instead of exposing extractors, $\textsc{FedCG}$ shares clients' generators with the server for aggregating clients' shared knowledge, aiming to enhance the performance of each client's local networks. Extensive experiments demonstrate that $\textsc{FedCG}$ can achieve competitive model performance compared with FL baselines, and privacy analysis shows that $\textsc{FedCG}$ has a high-level privacy-preserving capability. Code is available at <a class="link-external link-https" href="https://github.com/yankang18/FedCG" rel="external noopener nofollow">this https URL</a>

Machine Learning

Qian Chen,Zilong Wang,Wenjing Zhang,Xiaodong Lin

DOI: https://doi.org/10.1016/j.cose.2022.102966

2022-10-24

Abstract:The concept of Federated Learning (FL), which is vital to the development of machine learning, has emerged as a convergence of machine learning, information, and communication technology. However, general FL settings cannot meet requirements in decentralized environments, especially in peer-to-peer (P2P) networks, where a fully connected central server is unavailable due to limited communication ranges. In this paper, to satisfy the requirements of security, privacy preservation, and robustness in the context of FL in P2P networks, we propose a decentralized global model training protocol, named PPT. Particularly, PPT aggregates local model update parameters in a single-hop manner and uses the symmetric cryptosystem to ensure secure communications between network nodes where an enhanced Eschenauer-Gligor (E-G) scheme is proposed for secure key distribution. Further, PPT generates random noise for privacy preservation without reducing the model accuracy since the noise is eliminated ultimately. PPT also adopts game theory to resist collusion attacks. In addition, PPT has elaborate designs in terms of communication efficiency and dropout-robustness. Through extensive analysis, we demonstrate that PPT can resist various security threats and preserve user privacy. Ingenious experiments on Trec05, Trec06p, Trec07, and SMS Spam Collection v.1 confirm the 20 × and 12 × improvement of computation efficiency that PPT achieves compared to Google's Secure Aggregation and Local Differential Privacy (LDP)-based FL methods. More importantly, the global model trained by PPT is better than that trained by LDP-based FL methods in terms of prediction performance (about 14% and 1% improvement in convergence rate and accuracy).

computer science, information systems

Zhidong Gao,Yu Zhang,Zhenxiao Zhang,Yanmin Gong,Yuanxiong Guo

2024-10-01

Abstract:Despite demonstrating superior performance across a variety of linguistic tasks, pre-trained large language models (LMs) often require fine-tuning on specific datasets to effectively address different downstream tasks. However, fine-tuning these LMs for downstream tasks necessitates collecting data from individuals, which raises significant privacy concerns. Federated learning (FL) has emerged as the de facto solution, enabling collaborative model training without sharing raw data. While promising, federated fine-tuning of large LMs faces significant challenges, including restricted access to model parameters and high computation, communication, and memory overhead. To address these challenges, this paper introduces \textbf{Fed}erated \textbf{P}roxy-\textbf{T}uning (FedPT), a novel framework for federated fine-tuning of black-box large LMs, requiring access only to their predictions over the output vocabulary instead of their parameters. Specifically, devices in FedPT first collaboratively tune a smaller LM, and then the server combines the knowledge learned by the tuned small LM with the knowledge learned by the larger pre-trained LM to construct a large proxy-tuned LM that can reach the performance of directly tuned large LMs. The experimental results demonstrate that FedPT can significantly reduce computation, communication, and memory overhead while maintaining competitive performance compared to directly federated fine-tuning of large LMs. FedPT offers a promising solution for efficient, privacy-preserving fine-tuning of large LMs on resource-constrained devices, broadening the accessibility and applicability of state-of-the-art large LMs.

Computation and Language,Artificial Intelligence

Meng Tong,Kejiang Chen,Jie Zhang,Yuang Qi,Weiming Zhang,Nenghai Yu,Tianwei Zhang,Zhikun Zhang

2024-03-27

Abstract:Large language models (LLMs), like ChatGPT, have greatly simplified text generation tasks. However, they have also raised concerns about privacy risks such as data leakage and unauthorized data collection. Existing solutions for privacy-preserving inference face practical challenges related to computation time and communication costs. In this paper, we propose InferDPT, the first practical framework for the privacy-preserving Inference of black-box LLMs, implementing Differential Privacy in Text generation. InferDPT comprises two key modules: the "perturbation module" utilizes the exponential mechanism to generate a perturbed prompt, facilitating privacy-preserving inference with black-box LLMs, and the "extraction module", inspired by knowledge distillation and retrieval-augmented generation, extracts coherent and consistent text from the perturbed generation result, ensuring successful text generation completion. To address privacy concerns related to previous exponential mechanisms' susceptibility to embedding revision attacks, we introduce RANTEXT, a novel differential privacy mechanism integrated into the perturbation module of InferDPT, which introduces the concept of "RANdom adjacency" for TEXT perturbation within the prompt. Experimental results across three datasets demonstrate that the text generation quality of InferDPT is comparable to that of non-private GPT-4, and RANTEXT surpasses existing state-of-the-art mechanisms, namely, SANTEXT+ and CUSTEXT+ in the trade-off between privacy and utility. Even with an privacy parameter epsilon value of 6.0, RANTEXT achieves an average privacy protection rate exceeding 90% against embedding revision attacks, which is 0.58 times higher than that of SANTEXT+ and 3.35 times higher than that of CUSTEXT+.

Cryptography and Security

Hanieh Hashemi,Yongqin Wang,Chuan Guo,Murali Annavaram

DOI: https://doi.org/10.48550/arXiv.2105.02295

2021-05-06

Abstract:Federated learning has emerged as a popular paradigm for collaboratively training a model from data distributed among a set of clients. This learning setting presents, among others, two unique challenges: how to protect privacy of the clients' data during training, and how to ensure integrity of the trained model. We propose a two-pronged solution that aims to address both challenges under a single framework. First, we propose to create secure enclaves using a trusted execution environment (TEE) within the server. Each client can then encrypt their gradients and send them to verifiable enclaves. The gradients are decrypted within the enclave without the fear of privacy breaches. However, robustness check computations in a TEE are computationally prohibitive. Hence, in the second step, we perform a novel gradient encoding that enables TEEs to encode the gradients and then offloading Byzantine check computations to accelerators such as GPUs. Our proposed approach provides theoretical bounds on information leakage and offers a significant speed-up over the baseline in empirical evaluation.

Cryptography and Security,Hardware Architecture,Machine Learning

Zhi Lu,Songfeng Lu,Xueming Tang,Junjun Wu

DOI: https://doi.org/10.1109/tai.2023.3309273

2023-01-01

IEEE Transactions on Artificial Intelligence

Abstract:Federated Learning (FL) safeguards user privacy by uploading gradients instead of raw data. However, inference attacks can reconstruct raw data using gradients uploaded by users in FL. To mitigate this issue, researchers have combined privacy computing techniques with FL. However, these tech-niques may not ensure the Byzantine robustness of aggregation or the integrity of the aggregated outcomes. Most current robust privacy FL methods assess differences between gradients and benchmarks in the direction, allowing adversaries to poison the aggregation against the magnitude. Furthermore, these methods cannot ensure the integrity of the aggregation results. To over-come these challenges, this study proposes a novel algorithm, Robust and Verifiable Privacy Federated Learning(RVPFL), which can more effectively eliminate the poisoning attack of the opponent by measuring the direction and magnitude of the gradient in the ciphertext state. The proposed algorithm guarantees the integrity of server aggregation results while safe-guarding user privacy. In this study, comprehensive theoretical analysis and experimental validation of RVPFL are conducted to demonstrate its superiority. The proposed RVPFL algorithm solves the Byzantine robustness problem of aggregation and the integrity problem of aggregation results, which helps to research and develop more robust and effective privacy-preserving federal learning techniques.

Sixing Yu,J. Pablo Muñoz,Ali Jannesari

2024-03-20

Abstract:Foundation Models (FMs), such as LLaMA, BERT, GPT, ViT, and CLIP, have demonstrated remarkable success in a wide range of applications, driven by their ability to leverage vast amounts of data for pre-training. However, optimizing FMs often requires access to sensitive data, raising privacy concerns and limiting their applicability in many domains. In this paper, we propose the Federated Foundation Models (FFMs) paradigm, which combines the benefits of FMs and Federated Learning (FL) to enable privacy-preserving and collaborative learning across multiple end-users. We discuss the potential benefits and challenges of integrating FL into the lifespan of FMs, covering pre-training, fine-tuning, and application. We further outline potential future research avenues in FFM, including FFM pre-training, FFM fine-tuning, and federated prompt tuning, which allow the development of more personalized and context-aware models while ensuring data privacy. Moreover, we explore the possibility of continual/lifelong learning in FFMs, as increased computational power at the edge may unlock the potential for optimizing FMs using newly generated private data close to the data source. The proposed FFM concepts offer a flexible and scalable framework for training large language models in a privacy-preserving manner, setting the stage for subsequent advancements in both FM training and federated learning.

Machine Learning,Artificial Intelligence,Cryptography and Security

Guangsheng Zhang,Bo Liu,Tianqing Zhu,Ming Ding,Wanlei Zhou

DOI: https://doi.org/10.1109/jiot.2024.3360153

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning is a distributed learning paradigm where a global model is trained using data samples from multiple clients but without the necessity of sharing raw data samples. However, it comes with several significant challenges in system designs, data quality, and communications. Recent research highlights a significant concern related to data privacy leakage through reserve-engineering model gradients at a malicious server. Moreover, a global model cannot provide good utility performance for individual clients when the local training data is heterogeneous in terms of quantity, quality, and distribution. Hence, personalized federated learning is highly desirable in practice to tailor the trained model for local usage. In this paper, we propose PPFed, a unified federated learning framework to simultaneously address privacy preservation and personalization. The intuition of our framework is to learn part of the model gradients at the server and the rest of the gradients at the local clients. To evaluate the effectiveness of the proposed framework, we conduct extensive experiments across four image classification datasets to show that our framework yields better privacy and personalization performance compared to the existing methods. We also claim that privacy preservation and personalization are essentially two facets of deep learning models, offering a unique perspective on their intrinsic interrelation.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jingwei Sun,Ziyue Xu,Hongxu Yin,Dong Yang,Daguang Xu,Yiran Chen,Holger R. Roth

2023-10-03

Abstract:Pre-trained language models (PLM) have revolutionized the NLP landscape, achieving stellar performances across diverse tasks. These models, while benefiting from vast training data, often require fine-tuning on specific data to cater to distinct downstream tasks. However, this data adaptation process has inherent security and privacy concerns, primarily when leveraging user-generated, device-residing data. Federated learning (FL) provides a solution, allowing collaborative model fine-tuning without centralized data collection. However, applying FL to finetune PLMs is hampered by challenges, including restricted model parameter access, high computational requirements, and communication overheads. This paper introduces Federated Black-box Prompt Tuning (FedBPT), a framework designed to address these challenges. FedBPT does not require the clients to access the model parameters. By focusing on training optimal prompts and utilizing gradient-free optimization methods, FedBPT reduces the number of exchanged variables, boosts communication efficiency, and minimizes computational and storage costs. Experiments highlight the framework's ability to drastically cut communication and memory costs while maintaining competitive performance. Ultimately, FedBPT presents a promising solution for efficient, privacy-preserving fine-tuning of PLM in the age of large language models.

Computation and Language,Artificial Intelligence

Anran Li,Jiahui Huang,Ju Jia,Hongyi Peng,Lan Zhang,Luu Anh Tuan,Han Yu,Xiang-Yang Li

DOI: https://doi.org/10.1109/tmc.2023.3333879

IF: 6.075

2023-01-01

IEEE Transactions on Mobile Computing

Abstract:Vertical Federated Learning (VFL) enables multiple data owners, each holding a different subset of features about a largely overlapping set of data samples, to collaboratively train a global model. The quality of data owners&#x27; local features affects the performance of the VFL model, which makes feature selection vitally important. However, existing feature selection methods for VFL either assume the availability of prior knowledge on the number of noisy features or prior knowledge on the post-training threshold of useful features to be selected, making them unsuitable for practical applications. To bridge this gap, we propose the Federated Stochastic Dual-Gate based Feature Selection (FedSDG-FS) approach. It consists of a Gaussian stochastic dual-gate to efficiently approximate the probability of a feature being selected. FedSDG-FS further designs a local embedding perturbation approach to achieve differential privacy for local training data. To reduce overhead, we propose a feature importance initialization method based on Gini impurity, which can accomplish its goals with only two parameter transmissions between the server and the clients. The enhanced version, FedSDG-FS++, protects the privacy for both the clients&#x27; training data and the server&#x27;s labels through Partially Homomorphic Encryption (PHE) without relying on a trusted third-party. Theoretically, we analyze the convergence rate, privacy guarantees and security analysis of our methods. Extensive experiments on both synthetic and real-world datasets show that FedSDG-FS and FedSDG-FS++ significantly outperform existing approaches in terms of achieving more accurate selection of high-quality features as well as improving VFL performance in a privacy-preserving manner.

computer science, information systems,telecommunications

Jiaqi Zhao,Hui Zhu,Fengwei Wang,Rongxing Lu,Zhe Liu,Hui Li

DOI: https://doi.org/10.1109/tifs.2022.3176191

IF: 7.231

2022-06-29

IEEE Transactions on Information Forensics and Security

Abstract:Over the past years, the increasingly severe data island problem has spawned an emerging distributed deep learning framework—federated learning, in which the global model can be constructed over multiple participants without directly sharing their raw data. Despite its promising prospect, there are still many security challenges in federated learning, such as privacy preservation and integrity verification. Furthermore, federated learning is usually performed with the assistance of a center, which is prone to cause trust worries and communicational bottlenecks. To tackle these challenges, in this paper, we propose a privacy-preserving and verifiable decentralized federated learning framework, named PVD-FL, which can achieve secure deep learning model training under a decentralized architecture. Specifically, we first design an efficient and verifiable cipher-based matrix multiplication (EVCM) algorithm to execute the most basic calculation in deep learning. Then, by employing EVCM, we design a suite of decentralized algorithms to construct the PVD-FL framework, which ensures the confidentiality of both global model and local update and the verification of every training step. Detailed security analysis shows that PVD-FL can well protect privacy against various inference attacks and guarantee training integrity. In addition, the extensive experiments on real-world datasets also demonstrate that PVD-FL can achieve lossless accuracy and practical performance.

computer science, theory & methods,engineering, electrical & electronic

Da Yu,Saurabh Naik,Arturs Backurs,Sivakanth Gopi,Huseyin A. Inan,Gautam Kamath,Janardhan Kulkarni,Yin Tat Lee,Andre Manoel,Lukas Wutschitz,Sergey Yekhanin,Huishuai Zhang

DOI: https://doi.org/10.48550/arXiv.2110.06500

IF: 5.414

2021-10-13

Machine Learning

Abstract:We give simpler, sparser, and faster algorithms for differentially private fine-tuning of large-scale pre-trained language models, which achieve the state-of-the-art privacy versus utility tradeoffs on many standard NLP tasks. We propose a meta-framework for this problem, inspired by the recent success of highly parameter-efficient methods for fine-tuning. Our experiments show that differentially private adaptations of these approaches outperform previous private algorithms in three important dimensions: utility, privacy, and the computational and memory cost of private training. On many commonly studied datasets, the utility of private models approaches that of non-private models. For example, on the MNLI dataset we achieve an accuracy of $87.8\%$ using RoBERTa-Large and $83.5\%$ using RoBERTa-Base with a privacy budget of $\epsilon = 6.7$. In comparison, absent privacy constraints, RoBERTa-Large achieves an accuracy of $90.2\%$. Our findings are similar for natural language generation tasks. Privately fine-tuning with DART, GPT-2-Small, GPT-2-Medium, GPT-2-Large, and GPT-2-XL achieve BLEU scores of 38.5, 42.0, 43.1, and 43.8 respectively (privacy budget of $\epsilon = 6.8,\delta=$ 1e-5) whereas the non-private baseline is $48.1$. All our experiments suggest that larger models are better suited for private fine-tuning: while they are well known to achieve superior accuracy non-privately, we find that they also better maintain their accuracy when privacy is introduced.