Jianping Wu,Chunming Wu,Chaochao Chen,Jiahe Jin,Chuan Zhou

DOI: https://doi.org/10.3390/math12162479

IF: 2.4

2024-01-01

Mathematics

Abstract:Federated learning (FL) demonstrates significant potential in Industrial Internet of Things (IIoT) settings, as it allows multiple institutions to jointly construct a shared learning model by exchanging model parameters or gradient updates without the need to transmit raw data. However, FL faces risks related to data poisoning and model poisoning. To address these issues, we propose an efficient verifiable federated learning (EVFL) method, which integrates adaptive gradient sparsification (AdaGS), Boneh–Lynn–Shacham (BLS) signatures, and fully homomorphic encryption (FHE). The combination of BLS signatures and the AdaGS algorithm is used to build a secure aggregation protocol. These protocols verify the integrity of parameters uploaded by industrial agents and the consistency of the server’s aggregation results. Simulation experiments demonstrate that the AdaGS algorithm significantly reduces verification overhead through parameter sparsification and reuse. Our proposed algorithm achieves better verification efficiency compared to existing solutions.

Yanli Ren,Yerong Li,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.1109/jiot.2022.3194930

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Federated learning (FL) is a distributed machine learning framework, which allows multiple users to collaboratively train and obtain a global model with high accuracy. Currently, FL is paid more attention by researchers and a growing number of protocols are proposed. This article first analyzes the security vulnerabilities of the VerifyNet and VeriFL protocols, and proposes a new aggregation protocol for FL. We use additive homomorphic encryption and double masking to simultaneously protect the user’s local model and the aggregated global model while most of the existing protocols only consider the privacy of the local model. Also, linear homomorphic hash and digital signature are used to achieve traceable verification, which means the users can not only verify the aggregation results, but also be able to identify the wrong epoch if the results are wrong. In summary, our protocol can realize the privacy of the local model and global model and achieve verification traceability even if the cloud server colludes with malicious users. The experimental results show that the proposed protocol improves the security of FL without decreasing the efficiency of the users and classification accuracy of the training model.

Ning Li,Ming Zhou,Haiyang Yu,Yuwen Chen,Zhen Yang

DOI: https://doi.org/10.1109/jiot.2023.3330813

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:As many countries have promulgated laws to protect users’ data privacy, how to legally use users’ data has become a hot topic. With the emergence of federated learning (also known as collaborative learning), multiple participants can create a common, robust, and secure machine learning model while addressing key issues in data sharing such as privacy, security, accessibility, etc. Unfortunately, existing research shows that federated learning is not as secure as it claims, gradient leakage and the correctness of aggregation results are still key problems. Recently, some scholars try to address these security problems in federated learning by cryptography and verification techniques. However, there are some issues in this scheme that remain unsolved. First, some solutions cannot guarantee the correctness of the aggregation results. Second, existing state-of-the-art federated learning schemes have a costly computational and communication overhead. In this paper, we propose SVFLC, a secure and verifiable federated learning scheme with chain aggregation to solve these problems. We first design a privacy-preserving method that can solve the problem of gradient leakage and defend against collusion attacks by semi-honest users. Then, we create a verifiable method based on a homomorphic hash function, which can ensure the correctness of the weighted aggregation results. Besides, the SVFLC can also track users who encounter calculation errors during the aggregation process. Additionally, the extensive experiment results on real-world datasets demonstrate that the SVFLC is efficient, compared with other solutions.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xue Yang,Minjie Ma,Xiaohu Tang

DOI: https://doi.org/10.1016/j.future.2024.06.002

IF: 7.307

2024-06-07

Future Generation Computer Systems

Abstract:As one of the most important methods of privacy computing, federated learning has attracted much attention as it makes data available but invisible (i.e., uploading gradients instead of raw data). However, adversaries may still recover some private information such as tabs, memberships or even training data, from gradients. Additionally, the malicious server may return the incorrect or forged aggregated result to clients for certain illegal interests. To ensure verifiability and privacy-preservation, in this paper, we present a verifiable secure aggregation scheme under the dual-server federated learning framework. Specifically, we combine the learning with error (LWE) cryptosystem with the secret sharing technique to guarantee the privacy of the aggregated result and each client's local gradient. Meanwhile, we skillfully design a double-verification protocol, including the server-side and client-side verification, to efficiently verify the correctness of the aggregated result and ensure data availability. Specifically, two servers mutually verify the correctness of the aggregated result through the linear homomorphic hash technique. After passing the server-side mutual verification, the malicious server may still directly broadcast the forged aggregated result to clients. Our client-side verification protocol can ensure data availability to identify the correct aggregation result sent by the semi-trusted server. To the best of our knowledge, existing solutions do not take data availability into account. Extensive experimental comparisons with the state-of-the-art schemes demonstrate the effectiveness and efficiency of the proposed scheme in terms of accuracy, computational cost and communication overhead.

computer science, theory & methods

Yijian Zhong,Wuzheng Tan,Zhifeng Xu,Shixin Chen,Jiasi Weng,Jian Weng

DOI: https://doi.org/10.1109/jiot.2024.3370938

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Federated learning has shown great potential in Internet of Things (IoTs) for performing intelligent decision making. It allows IoT devices to collaboratively train a neural network upon the data they collect while separately keeping these data staying local. However, several research works have shown that such architecture still faces security challenges that adversaries could raise inference attack to the transferring model parameters to reveal data from devices. Moreover, another security risk in federated learning is that malicious devices may launch model pollution attack to reduce the quality of the aggregated model, or dishonest server may output incorrect aggregated result to the devices. Most existing privacy-preserving federated learning protocols could not deal with both problems. In this paper, we present WVFL, a secure weighted aggregation protocol in which aims to minimize the effect of wrong local models to the aggregated model, meanwhile allowing devices to verify the correctness of the aggregation result. All important intermediate values in the process are in encrypted form so that they would not be revealed to both devices and servers to guarantee privacy. At the end of this paper, we give implementation of our WVFL scheme, showing its efficiency compared with previous work.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xia Feng,Xiaofeng Wang,Haiyang Liu,Haowei Yang,Liangmin Wang

DOI: https://doi.org/10.1109/tvt.2024.3369942

IF: 6.8

2024-01-01

IEEE Transactions on Vehicular Technology

Abstract:Federated Learning (FL) allows the collaborative training of a global model in Vehicular Ad-hoc Networks (VANETs): data is maintained on the owner's device and the local gradient updates to the model are aggregated through a secure protocol. However, despite its many advantages, FL is vulnerable to various attacks from malicious clients. Current defenses have several weaknesses. For example, the server may still select malicious clients for aggregation even after they have been identified in previous rounds. They haven't considered the continual monitoring of clients to resist their possible defection or collusion that occurs throughout the FL training process. In response to the weaknesses, we describe a new aggregation model with continuous authentication suits for VANETs. The authentication implementation relies on a non-interactive zero-knowledge proof which preserves privacy. We also minimize the computation and communication overhead by designing a two-phase aggregation scheme, while introducing the Edge Devices (EDs) to assist the FL procedure. Finally, we introduce an application of such a model for VANETs. We describe the prototype implementation and experimentally confirm that the aggregation overhead of the client grows linearly and achieves training speed up over the prior work.

telecommunications,engineering, electrical & electronic,transportation science & technology

Qun Zhou,Wenting Shen

DOI: https://doi.org/10.1007/s10586-024-04558-5

2024-06-17

Cluster Computing

Abstract:Federated learning, as an emerging framework for distributed machine learning, has received widespread attention. In federated learning, the cloud server and the users cooperatively train a model by sharing gradients rather than local private data. However, the users' private data may still be exposed by the shared gradients. Furthermore, the cloud server may perform incorrect aggregation operations on the gradients sent by users and send a forged or previous aggregated gradient to the users. In this paper, we propose PPFLV, a privacy-preserving federated learning scheme with verifiability. Specifically, to protect the users' privacy, we design an efficient double gradient blinding and encryption method to blind and encrypt the users' local gradients. Furthermore, we propose a novel double gradient verification method that can achieve secure verification while resisting replay attacks in the verification phase. With the proposed verification method, the users only require to perform lightweight operations to verify the correctness of the aggregated encrypted gradients and recover the aggregated gradient from the aggregated encrypted gradients. The experimental results show that PPFLV achieves comparable classification accuracy to the basic federated learning scheme while providing privacy protection and verifiability. Furthermore, PPFLV exhibits lower computation and communication overhead compared to related schemes.

computer science, information systems, theory & methods

Zhi Lu,SongFeng Lu,YongQuan Cui,XueMing Tang,JunJun Wu

DOI: https://doi.org/10.1109/tifs.2024.3402993

IF: 7.231

2024-05-25

IEEE Transactions on Information Forensics and Security

Abstract:Federated Learning (FL), a distributed learning paradigm optimizing communication costs and enhancing privacy by uploading gradients instead of raw data, now confronts security challenges. It is particularly vulnerable to Byzantine poisoning attacks and potential privacy breaches via inference attacks. While homomorphic encryption and secure multi-party computation have been employed to design robust FL mechanisms, these predominantly rely on Euclidean distance or median-based metrics and often fall short in comprehensively defending against advanced poisoning attacks, such as adaptive attacks. Addressing this issue, our study introduces "Split-Aggregation", a lightweight privacy-preserving FL solution capable of withstanding adaptive attacks. This method maintains a computational complexity of and a communication overhead of , performing comparably to FedAvg when . Here, d represents the gradient dimension, N the number of users, and k the rank chosen during random singular value decomposition. Additionally, we utilize adaptive weight coefficients to mitigate gradient descent issues in honest users caused by non-independent and identically distributed (Non-IID) data. The proposed method's security and robustness are theoretically proven, with its complexity thoroughly analyzed. Experimental results demonstrate that at , this method surpasses the top-1 accuracy of current state-of-the-art robust privacy-preserving FL approaches. Moreover, opting for a smaller k significantly boosts efficiency with only marginal compromises in accuracy.

computer science, theory & methods,engineering, electrical & electronic

Fucai Luo,Saif Al-Kuwari,Haiyan Wang,Xingfu Yan

2023-05-22

Abstract:Federated learning (FL) allows a large number of clients to collaboratively train machine learning (ML) models by sending only their local gradients to a central server for aggregation in each training iteration, without sending their raw training data. Unfortunately, recent attacks on FL demonstrate that local gradients may leak information about local training data. In response to such attacks, Bonawitz \textit{et al.} (CCS 2017) proposed a secure aggregation protocol that allows a server to compute the sum of clients' local gradients in a secure manner. However, their secure aggregation protocol requires at least 4 rounds of communication between each client and the server in each training iteration. The number of communication rounds is closely related not only to the total communication cost but also the ML model accuracy, as the number of communication rounds affects client dropouts. In this paper, we propose FSSA, a 3-round secure aggregation protocol, that is efficient in terms of computation and communication, and resilient to client dropouts. We prove the security of FSSA in honest-but-curious setting and show that the security can be maintained even if an arbitrarily chosen subset of clients drop out at any time. We evaluate the performance of FSSA and show that its computation and communication overhead remains low even on large datasets. Furthermore, we conduct an experimental comparison between FSSA and Bonawitz \textit{et al.}'s protocol. The comparison results show that, in addition to reducing the number of communication rounds, FSSA achieves a significant improvement in computational efficiency.

Cryptography and Security

Dario Pasquini,Danilo Francati,Giuseppe Ateniese

DOI: https://doi.org/10.48550/arXiv.2111.07380

2022-09-06

Abstract:Secure aggregation is a cryptographic protocol that securely computes the aggregation of its inputs. It is pivotal in keeping model updates private in federated learning. Indeed, the use of secure aggregation prevents the server from learning the value and the source of the individual model updates provided by the users, hampering inference and data attribution attacks. In this work, we show that a malicious server can easily elude secure aggregation as if the latter were not in place. We devise two different attacks capable of inferring information on individual private training datasets, independently of the number of users participating in the secure aggregation. This makes them concrete threats in large-scale, real-world federated learning applications. The attacks are generic and equally effective regardless of the secure aggregation protocol used. They exploit a vulnerability of the federated learning protocol caused by incorrect usage of secure aggregation and lack of parameter validation. Our work demonstrates that current implementations of federated learning with secure aggregation offer only a "false sense of security".

Machine Learning,Cryptography and Security

Xinchi Qiu,Heng Pan,Wanru Zhao,Chenyang Ma,Pedro Porto Buarque de Gusmão,Nicholas D. Lane

2023-05-19

Abstract:The majority of work in privacy-preserving federated learning (FL) has been focusing on horizontally partitioned datasets where clients share the same sets of features and can train complete models independently. However, in many interesting problems, such as financial fraud detection and disease detection, individual data points are scattered across different clients/organizations in vertical federated learning. Solutions for this type of FL require the exchange of gradients between participants and rarely consider privacy and security concerns, posing a potential risk of privacy leakage. In this work, we present a novel design for training vertical FL securely and efficiently using state-of-the-art security modules for secure aggregation. We demonstrate empirically that our method does not impact training performance whilst obtaining 9.1e2 ~3.8e4 speedup compared to homomorphic encryption (HE).

Machine Learning,Artificial Intelligence,Cryptography and Security

Runmeng Du,Xuru Li,Daojing He,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/tifs.2024.3357288

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:Reducing computation cost and ensuring update integrity, are key challenges in federated learning (FL). In this paper, we present a secure and verifiable hybrid FL system for training, namely SVHFL. SVHFL enables training models on both plaintext and encrypted data simultaneously. Furthermore, we propose a mutual verification scheme for the integrity of updates in FL. It is a general and efficient scheme that can eliminate malformed updates from clients and enforce the integrity checks of the aggregation results from the server. The training and verification schemes of SVHFL have reduced the computation cost from a quadratic cost to a linear cost. The experimental results demonstrate the practicality of SVHFL.

computer science, theory & methods,engineering, electrical & electronic

Jinhyun So,Ramy E. Ali,Basak Guler,Jiantao Jiao,Salman Avestimehr

2023-07-27

Abstract:Secure aggregation is a critical component in federated learning (FL), which enables the server to learn the aggregate model of the users without observing their local models. Conventionally, secure aggregation algorithms focus only on ensuring the privacy of individual users in a single training round. We contend that such designs can lead to significant privacy leakages over multiple training rounds, due to partial user selection/participation at each round of FL. In fact, we show that the conventional random user selection strategies in FL lead to leaking users' individual models within number of rounds that is linear in the number of users. To address this challenge, we introduce a secure aggregation framework, Multi-RoundSecAgg, with multi-round privacy guarantees. In particular, we introduce a new metric to quantify the privacy guarantees of FL over multiple training rounds, and develop a structured user selection strategy that guarantees the long-term privacy of each user (over any number of training rounds). Our framework also carefully accounts for the fairness and the average number of participating users at each round. Our experiments on MNIST and CIFAR-10 datasets in the IID and the non-IID settings demonstrate the performance improvement over the baselines, both in terms of privacy protection and test accuracy.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing,Information Theory

Yuqi Zhang,Xiangyang Li,Qingcai Luo,Yang Wang,Yanzhao Shen

DOI: https://doi.org/10.1145/3625343.3625344

2023-01-01

Abstract:In recent years, Federal Learning has received much attention becourse it can train models by updating gradients without contacting users’ true data. However, adversaries also can track users’ privacy from the shared gradient. In this paper, we aim to solve three major issues during the process of federated learning: 1) how to protect users’ privacy during training; 2) How to verify the correctness of the aggregation results returned from the server; 3) How to reduce communication costs while ensuring training security. So we propose a verifiable aggregation scheme that can effectively verify the results of server aggregation. Specifically, we follow the classic double mask aggregation scheme, and use Paillier homomorphic encryption algorithm to implement the message authentication code with additive homomorphic property. Users can compare their local codes with server’s aggregation results to verify the correctness of the aggregation results and improve model’s accuracy. In our framework, we adopt a Top-k gradient selection scheme to reduce models’ communication and computing overhead. Experimental results indicate that our training framework is feasible and efficient.

Yiwei Zhang,Rouzbeh Behnia,Attila A. Yavuz,Reza Ebrahimi,Elisa Bertino

2024-10-18

Abstract:Federated learning enables the collaborative learning of a global model on diverse data, preserving data locality and eliminating the need to transfer user data to a central server. However, data privacy remains vulnerable, as attacks can target user training data by exploiting the updates sent by users during each learning iteration. Secure aggregation protocols are designed to mask/encrypt user updates and enable a central server to aggregate the masked information. MicroSecAgg (PoPETS 2024) proposes a single server secure aggregation protocol that aims to mitigate the high communication complexity of the existing approaches by enabling a one-time setup of the secret to be re-used in multiple training iterations. In this paper, we identify a security flaw in the MicroSecAgg that undermines its privacy guarantees. We detail the security flaw and our attack, demonstrating how an adversary can exploit predictable masking values to compromise user privacy. Our findings highlight the critical need for enhanced security measures in secure aggregation protocols, particularly the implementation of dynamic and unpredictable masking strategies. We propose potential countermeasures to mitigate these vulnerabilities and ensure robust privacy protection in the secure aggregation frameworks.

Cryptography and Security,Machine Learning

Sizai Hou,Songze Li,Tayyebeh Jahani-Nezhad,Giuseppe Caire

2024-07-12

Abstract:Federated learning (FL) has recently gained significant momentum due to its potential to leverage large-scale distributed user data while preserving user privacy. However, the typical paradigm of FL faces challenges of both privacy and robustness: the transmitted model updates can potentially leak sensitive user information, and the lack of central control of the local training process leaves the global model susceptible to malicious manipulations on model updates. Current solutions attempting to address both problems under the one-server FL setting fall short in the following aspects: 1) designed for simple validity checks that are insufficient against advanced attacks (e.g., checking norm of individual update); and 2) partial privacy leakage for more complicated robust aggregation algorithms (e.g., distances between model updates are leaked for multi-Krum). In this work, we formalize a novel security notion of aggregated privacy that characterizes the minimum amount of user information, in the form of some aggregated statistics of users' updates, that is necessary to be revealed to accomplish more advanced robust aggregation. We develop a general framework PriRoAgg, utilizing Lagrange coded computing and distributed zero-knowledge proof, to execute a wide range of robust aggregation algorithms while satisfying aggregated privacy. As concrete instantiations of PriRoAgg, we construct two secure and robust protocols based on state-of-the-art robust algorithms, for which we provide full theoretical analyses on security and complexity. Extensive experiments are conducted for these protocols, demonstrating their robustness against various model integrity attacks, and their efficiency advantages over baselines.

Cryptography and Security

Khac-Hoang Ngo,Johan Östman,Giuseppe Durisi,Alexandre Graell i Amat

2024-07-15

Abstract:Secure aggregation (SecAgg) is a commonly-used privacy-enhancing mechanism in federated learning, affording the server access only to the aggregate of model updates while safeguarding the confidentiality of individual updates. Despite widespread claims regarding SecAgg's privacy-preserving capabilities, a formal analysis of its privacy is lacking, making such presumptions unjustified. In this paper, we delve into the privacy implications of SecAgg by treating it as a local differential privacy (LDP) mechanism for each local update. We design a simple attack wherein an adversarial server seeks to discern which update vector a client submitted, out of two possible ones, in a single training round of federated learning under SecAgg. By conducting privacy auditing, we assess the success probability of this attack and quantify the LDP guarantees provided by SecAgg. Our numerical results unveil that, contrary to prevailing claims, SecAgg offers weak privacy against membership inference attacks even in a single training round. Indeed, it is difficult to hide a local update by adding other independent local updates when the updates are of high dimension. Our findings underscore the imperative for additional privacy-enhancing mechanisms, such as noise injection, in federated learning.

Machine Learning,Cryptography and Security

Huang Zeng,Anjia Yang,Jian Weng,Min-Rong Chen,Fengjun Xiao,Yi Liu,Ye Yao

2024-05-07

Abstract:Federated learning (FL) has attracted widespread attention because it supports the joint training of models by multiple participants without moving private dataset. However, there are still many security issues in FL that deserve discussion. In this paper, we consider three major issues: 1) how to ensure that the training process can be publicly audited by any third party; 2) how to avoid the influence of malicious participants on training; 3) how to ensure that private gradients and models are not leaked to third parties. Many solutions have been proposed to address these issues, while solving the above three problems simultaneously is seldom considered. In this paper, we propose a publicly auditable and privacy-preserving federated learning scheme that is resistant to malicious participants uploading gradients with wrong directions and enables anyone to audit and verify the correctness of the training process. In particular, we design a robust aggregation algorithm capable of detecting gradients with wrong directions from malicious participants. Then, we design a random vector generation algorithm and combine it with zero sharing and blockchain technologies to make the joint training process publicly auditable, meaning anyone can verify the correctness of the training. Finally, we conduct a series of experiments, and the experimental results show that the model generated by the protocol is comparable in accuracy to the original FL approach while keeping security advantages.

Cryptography and Security

Zhibo Wang,Zhiwei Chang,Jiahui Hu,Xiaoyi Pang,Jiacheng Du,Yongle Chen,Kui Ren

2024-06-22

Abstract:Federated Learning (FL) exhibits privacy vulnerabilities under gradient inversion attacks (GIAs), which can extract private information from individual gradients. To enhance privacy, FL incorporates Secure Aggregation (SA) to prevent the server from obtaining individual gradients, thus effectively resisting GIAs. In this paper, we propose a stealthy label inference attack to bypass SA and recover individual clients' private labels. Specifically, we conduct a theoretical analysis of label inference from the aggregated gradients that are exclusively obtained after implementing SA. The analysis results reveal that the inputs (embeddings) and outputs (logits) of the final fully connected layer (FCL) contribute to gradient disaggregation and label restoration. To preset the embeddings and logits of FCL, we craft a fishing model by solely modifying the parameters of a single batch normalization (BN) layer in the original model. Distributing client-specific fishing models, the server can derive the individual gradients regarding the bias of FCL by resolving a linear system with expected embeddings and the aggregated gradients as coefficients. Then the labels of each client can be precisely computed based on preset logits and gradients of FCL's bias. Extensive experiments show that our attack achieves large-scale label recovery with 100\% accuracy on various datasets and model architectures.

Cryptography and Security,Artificial Intelligence

Zhibo Xing,Zijian Zhang,Zi'ang Zhang,Jiamou Liu,Liehuang Zhu,Giovanni Russello

2024-06-03

Abstract:Federated learning allows several clients to train one machine learning model jointly without sharing private data, providing privacy protection. However, traditional federated learning is vulnerable to poisoning attacks, which can not only decrease the model performance, but also implant malicious backdoors. In addition, direct submission of local model parameters can also lead to the privacy leakage of the training dataset. In this paper, we aim to build a privacy-preserving and Byzantine-robust federated learning scheme to provide an environment with no vandalism (NoV) against attacks from malicious participants. Specifically, we construct a model filter for poisoned local models, protecting the global model from data and model poisoning attacks. This model filter combines zero-knowledge proofs to provide further privacy protection. Then, we adopt secret sharing to provide verifiable secure aggregation, removing malicious clients that disrupting the aggregation process. Our formal analysis proves that NoV can protect data privacy and weed out Byzantine attackers. Our experiments illustrate that NoV can effectively address data and model poisoning attacks, including PGD, and outperforms other related schemes.

Cryptography and Security,Machine Learning