Latest paper notes (24): VCD-FL: Verifiable, Collusion-Resistant, and Dynamic Federated Learning

VCD-FL: Verifiable, Collusion-Resistant, and Dynamic Federated Learning
can be translated as " VCD-FL: Verifiable, Collusion-Resistant, and Dynamic Federated Learning "

Verifiable federated learning is generally understood as the verifiability of aggregation results, that is, the client can verify the correctness of the aggregation results returned by the server. Often the solution is to use homomorphic hashing, commitment or polynomial verification, but there is a common problem that cannot prevent the verification of collusion between the client and the server , that is to say, if a client and server collude, the server can Forging verification conditions, the biggest contribution of this VCD-FL is to propose a verifiable solution against collusion . The following is a little note recorded while watching. There may be misunderstandings. It is recommended to read the original text.

• Original link: VCD-FL: Verifiable, Collusion-Resistant, and Dynamic Federated Learning

1. Background introduction

1.1 Classic FL process

• (1) The server selects a set of clients that download the initial model from the server
• (2) The client uses local data for model training and uploads model parameters (gradients)
• (3) The server aggregates the model parameters of the client and returns the aggregation result to the client
• (4) The client updates the local model according to the aggregation results, and iterates repeatedly until the model converges

1.2 There are problems with FL

• (1) Model privacy issues : attackers can infer original information based on model parameters.
  Example: The least squares loss function is $min{\sum }_{i=1}^{n}l(w,x_i,y_i),wherel(w,x_i,y_i)=\frac{1}{2}(x_i^{T}w-y_i{)}^2$，则随机梯度为:
  $$g_i=\frac{\partial l(w,x_i,y_i)}{\partial w}=(x_i^{T}w-y_i)x_i$$The gradient is to scale (transform) the data and carry all the information of the data.
• (2) Aggregation result verification problem : Malicious servers may intentionally return designed aggregation results to launch privacy attacks. (The purpose is to save computing overhead and steal private information)
• (3) Anti-collusion verification problem : the client may conspire with the server to forge verification parameters.
  Example: In VerSA(TDSC21) ¹ , each client receives $(z,\bar{z})$, parallel arithmetic$z^{{}^{\prime }}=a\circ z+|U_3|\cdot b$， judge$z^{{}^{\prime }}=\stackrel{ˉIs}{z}$ it equal, where$a,b$ is known to all clients. As long as a client colludes with the server, the server can forge authentication conditions.
• (4) Client offline problem : The client is offline due to subjective (early exit) or objective (network abnormality) reasons, resulting in failure to complete model aggregation and result verification.

1.3 Related work

• (1) SA(CCS17) ² proposes double masking and secret sharing to protect gradient privacy and tolerate user disconnection, but cannot verify the aggregation results.
• (3) VerifyNet (TIFS20) ³ is the first proposal to propose verifiable federated learning, using homomorphic hash functions and pseudo-random techniques to provide verifiable functions, as well as secret sharing and key agreement to protect gradient privacy. However, verification overhead is high, and it cannot resist server and client collusion verification.
• (3) VFL (TII22) ⁴ proposed for the first time to use Lagrangian interpolation to achieve verifiability, and use blinding technology to achieve privacy protection against collusion. However, assuming that the server is honest and curious, malicious behavior is not considered, and the calculation and communication overhead of verification is relatively large.
• (4) VeriFL (TIFS21) ⁵ optimizes the secure aggregation protocol in SA (CCS17) [2] by proposing gradient hash commitment and amortized verification mechanism. However, collusion proof and collusion detection are not resistant.
• (5) VFChain (TNS20) ⁶ proposes to choose a blockchain-based effective committee common model aggregation and verifiability. However, the efficiency and scalability of the blockchain are poor and impractical.
  

1.4 Contribution of this article

• (1) Anti-collusion verification : A lightweight commitment scheme with irreversible gradient transformation is proposed to protect privacy, and an efficient verification mechanism based on optimized Lagrangian interpolation is designed to prevent aggregation results from passing verification with overwhelming probability.
• (2) Recognizing malicious behavior : Established malicious behavior detection rules to detect whether the server participates in a collusion attack to pass the verification, or the lazy server returns incorrect aggregation results.
• (3) Support federated dynamic verification : Proposes a combination of verification mechanism and Shamir secret sharing scheme to tolerate user disconnection.
• (4) Low computational and communication overhead : A new method is designed to generate interpolation points for Lagrangian interpolation, thereby reducing computational overhead. Communication overhead is further reduced by gradient compression.

1.5 Lagrange interpolation

Lagrangian interpolation refers to the method of exactly constructing a polynomial through the given data points. Suppose nSet of$n$$\{(x_i,y_i){\}}_{i=1}^n$, among which $x_i$are all different, and can fit an order not greater than $n-1$ -unique polynomial
$$L(x)=\sum _{i=1}^n{y}_i{L}_i\left(x\right)$$ where base polynomial$L_i(x)$定义为
L i ( x ) = ∏ j = 1 , j ≠ i n x − x j x i − x j , i ∈ { 1 , 2 , … , n } L_i (x)=∏_{j=1,j≠i}^n \frac{x-x_j}{x_i-x_j},i∈\{1,2,…,n\} Li​(x)=j = 1 , j=i∏n​xi​−xj​x−xj​​,i∈{ 1,2,…,n}$L_i$The properties of$($$x$$)$
$$L_i(x_j)=\{\begin{array}{ll}1,& i=j\\ 0,& i\ne j\end{array}$$Therefore, the Lagrangian polynomial $L(x)$满足$L(x_i)=y_i$。

2. System model

2.1 Design goals

• (1) Robust result verification : The scheme should ensure the robustness of correctness verification, which can not only support anti-collusion privacy protection, but also resist collusion verification , and ensure the correctness of dynamic FL caused by client disconnection.
• (2) Malicious Behavior Classification : The scheme should discover the root cause of incorrect aggregation results , which helps to take targeted punishment measures. (malicious or lazy)
• (3) Efficient model operations : The scheme should enable clients to efficiently perform model operations (local training and aggregated result verification), as well as reduce communication overhead.
• (4) Lightweight privacy protection : The scheme should protect the client's privacy from inference attacks and collusion attacks , while reducing some computationally intensive operations to improve practicability.
  

2.2 Threat Model

• TA : Responsible for system initialization, assigning parameters with PRG as the client, completely credible;
• Clients : Honest and curious, some corrupt clients may conspire with a malicious AS to pass authentication.
• AS : Responsible for the collection and aggregation of ciphertext, and send the aggregation result to the client for verification in each iteration. It is considered malicious and will launch inference attacks (peeping privacy) and forgery attacks (breaking usability). AS is divided into two categories by function:
  • Weak attack model: AS is lazy, it reduces the number of iterations, or collects partial gradients to save overhead, and it will launch inference attacks.
  • Strong attack model: AS hides the modification of the aggregation result, and will collude with the client to forge the aggregation result to deceive other clients.

3. The specific structure of VCD-FL

In order to realize the anti-collusion verification and collusion attack detection that cannot be achieved by existing schemes , the main steps of VCD-FL include four parts : initialization , local model training , ciphertext aggregation , and aggregation result verification .

3.1 Initialization (Algorithm 1)

In this paper, we improve the VFL scheme by grouping gradients. will each have $d-$ dimensional gradient$g_i$is divided into $\lceil \frac{d}{M}\rceil$ groups, each group contains$M$ gradient elements ($M$ is an integer that determines the degree of the Lagrange interpolation function). If the last set of gradient elements is less than$M$ , filled with 0s. TA generates the following parameters:

• (1) In any two clients $P_i$and $P_j$Generate a pair of seeds $s_{i,j}$Used for gradient masks.
• (2) Generate an additional random seed $r_i$, and $r_i$A share of is allocated to each client (Shamir secret sharing) to handle client dropouts.
• （3）利用$PRG\left({\rho }_i\right)$ to generate a sequence set$A_i$, and normalized to improve interpolation accuracy
  A i ← PRG ( ρ i ) max { ∣ PRG ( ρ i ) ∣ } , i ∈ { 1 , 2 , . . . , N } A_i\leftarrow \frac{PRG(ρ_i )}{max\{|PRG(ρ_i)|\}},i\in \{1,2,...,N\}Ai​←max{ ∣PRG(ρi​)∣}PRG ( ρi​)​,i∈{ 1,2,...,N}
• (4) Generate a random integer sequence Z = { ai ∣ i = 1 , 2 , . . . , ⌈ d M ⌉ ( M + 1 ) } Z=\{a_i|i=1,2,...,⌈ \frac{d}{M}⌉(M+1)\}Z={ ai​∣i=1,2,...,⌈Md​⌉(M+1 )} as the set of interpolated points (public).
• (5) Generate a size of $M\times$The singular square matrix UUof$M$$U$ is used for promise generation (public).
  

3.2 Local model training

Client $P_i\in P$ downloads the global model to initialize the local model, uses the mini-batch gradient descent method for model training, and calculates the gradient$g_i$为
$$g_i={\nabla }_{w}l(w;D_i^{{}^{\prime }})$$ After$P_i$Gradient encryption, grouping, and commitment are performed sequentially.

3.2.1 Gradient Encryption

• (1) First use the single masking protocol to blind the gradient ( $s_{i,j}$由TA直接分配）
  $$g_i^{{}^{\prime }}=g_i+\sum _{P_j\in P,i<j}PRG(s_{i,j})-\sum _{P_j\in P,i>j}PRG\left(s_{i,j}\right)$$
• (2) Use Lagrange interpolation to process the blinded gradient. For blinding gradient $g_i^{{}^{\prime }}$To group, each client $P_i$Both generate the $Lagrange\; interpolation\; set\; of\; k$ groups, wherek ∈ { 1 , 2 , … , ⌈ d / M ⌉ } k ∈ \{1,2,…,⌈d/M⌉\}k∈{ 1,2,…,⌈ d / M ⌉} , ex$M$ points are$\{(a_{(k-a)(M+1)+j},g_i^{{}^{\prime }}((k-1)M+j))|j=1,2,...,M\}$ , the first$M+1$ point is$(a_{k(M+1)},A_i(k))$。
  
• (3) Function $f_{i,[k]}$is the kkthThe Lagrange interpolation set of group$k$
  $$f_{i,\left[k\right]}(x)=\sum _{j=(k-1)M+1}^{kM}[L_{j,[k]}(x)g_i^{{}^{\prime }}(j)]+[A_i(k)\prod _{h=(k-1)(M+1)+1}^{k(M+1)-1}\frac{x-a_h}{a_{k(M+1)}-a_h}]$$
  其中
  $$L_{j,[k]}(x)=\prod _{h=(k-1)(M+1)+1,h\ne j+k-1}^{k(M+1)-1}\frac{x-a_h}{a_{j+k-1}-a_h}$$
• （4）$P_i$Will combine the coefficient vector $B_i$Upload to AS as gradient ciphertext
  $$B_i=(B_{i,[1]},B_{i,[2]},...,B_{i,[\lceil d/M\rceil ]})$$
  of which$B_{i,[k]}$means from $f_{i,\left[k\right]}$M+1extracted from$($$x$$)\; M+1$$M+1$ factor, according to$The\; degree\; of\; x$ from small to large is$$B_{i,[k]}=(b_{0,<i,[k]>},b_{1,<i,[k]>},...,b_{M,<i,[k]>})$$
  Obviously, the secrecy of the Lagrange interpolation set can enhance the secrecy of the gradient. Even leaked, as long as at least two clients do not collude with AS. (The number of Lagrange basis polynomials in this article is about$(M+1)\lceil d/M\rceil$ units, while in the VFL scheme it is$(M+1)d$ )

3.2.2 Promise generation (Algorithm 2)

To prevent spoofing by corrupt clients during aggregation result verification, a lightweight commitment scheme using irreversible gradient transformations is proposed.
-(1) First, the gradient $g_i$Divided into $\lceil d/M\rceil$ group, each group contains$M$ gradient elements can be written as$g_i=(g_{i,[1]},g_{i,[2]},...,g_{i,[\lceil d/M\rceil ]})$ ,for$g_{i,[k]}=(g_i((k-1)M+1),g_i((k-1)M+2),...,g_i(kM){)}^T$

• (2) Client $P_i$For $g_{i,\left[k\right]}$Make a commitment $$C_{i,[k]}=U\cdot g_{i,\left[k\right]}$$Among them $U$ size is$M\times M$ irreversible singular square matrix guarantees gradient privacy,$g_{i,\left[k\right]}$is the kkthMM$of\; k$ gradient groups$M-$ dimensional column vector. This multiplication calculation is lightweight and can be processed in parallel for efficiency.
• (3) after, $P_i$广播$C_i=(C_{i,\left[k\right]}{)}_{k=1}^{\lceil d/M\rceil ]}$, in $B_i$Got promises ( public ) from other clients before uploading to AS.
  

3.2.3 Interpolation optimization (Algorithm 3)

In order to reduce the interpolation frequency without affecting the model accuracy, deep gradient compression7 ^is introduced to optimize the gradient.

• (1) Usually use momentum factor 0.5 to calculate $G_i$，$G_i$The initial value of $$G_i=g_i+0.5\cdot G_i$$
• (2) from $G_i$Select $The\; p$ elements with the largest absolute value are used as the optimization gradient, and put them into$g_i$at the same position and set $g_i$The remaining elements are 0.
  
• To avoid loss of information, $G_i$Unselected elements in are accumulated locally until the absolute value is sufficiently large.
• Optimized gradient $g_i$Will greatly reduce the interpolation calculation overhead, because $g_i^{{}^{\prime }}(j)=0$ interpolation point pair$B_i$No effect, $P_i$Just calculate $g_i^{{}^{\prime }}\left(j\right)\ne 0$ L$L_{j,[k]}(x)$。

3.3 Ciphertext Aggregation

• (1) AS performs the aggregation until it gets P_i from each client $P_i$Received ciphertext $B_i$So far, and calculate $B$$$B=\sum _{i=1}^N{B}_i=(\sum _{i=1}^N{B}_{i,[1]},...,\sum _{i=1}^N{B}_{i,[\lceil d/M\rceil ]})$$
• （2）AS将$B$ distributed to each client$P_i$. Since the ciphertext $B_i$is according to $g_i^{{}^{\prime }}$Sum $A_i$Calculated, which guarantees the original gradient $g_i$will not be inferred. Even if AS colludes with N-2 clients, it is difficult to obtain s_(i,j) of the other two clients, which prevents AS from obtaining gradients.

3.4 Aggregation result verification

Each client $P_i$Use received $B$ to get the gradient aggregation result and verify it with the previous commitment. details as follows:

3.4.1 Gradient decryption

• （1）$P_i$First use $B_{[k]}$to reconstruct the kkthAggregate interpolation functionf [ k ] ( x ) f_{[k]}(x)$of\; group\; k$$f_{\left[k\right]}(x)$$$f_{\left[k\right]}(x)=\sum _{m+1}^{M+1}{B}_{[k]}(m)x^{M-m+1}$$ of which$B_{\left[k\right]}\left(m\right)$ means$B_{\left[k\right]}$mm in$m$ elements,k ∈ { 1 , 2 , . . . , ⌈ d / M ⌉ } k\in\{1,2,...,⌈d/M⌉\}k∈{ 1,2,...,⌈d/M⌉}。
  
• （2）$P_i$in integer sequence $Z$ is the input, use$f_{\left[k\right]}\left(x\right)$ The aggregation result of the reconstructed gradient$g$ , and remove the inserted sequence$A_i$and $\lceil d/M\rceil$个组，用0填充，即$$g=\sum _{i=1}^N{g}_i=\sum _{i=1}^{N}g{{}^{\prime }}_i=(f_{[k]}(a_{(k-1)M+k}),...,f_{\left[k\right]}(a_{k(M+1)-1}){)}^T$$

3.4.2 Result verification

In order to protect the gradient privacy and verify the correctness of the aggregation result g, the basic idea is to judge whether the following formula is true $$R\cdot g=\sum _{i=1}^{N}R\cdot g_i$$where $R$ is for$d-$ dimensional vector. If$g\ne {\sum }_{i=1}^N{g}_i$, obviously the above formula is not satisfied. ( but does not satisfy collusion-resistant verification )
Further, an effective verification mechanism is designed on the basis of the previous commitment .

• （1）$P_i$先将 A i = { A i ( k ) } k = 1 ⌈ d / M ⌉ A_i=\{A_i(k)\}^{⌈d/M⌉}_{k=1} Ai​={ Ai​(k)}k=1⌈d/M⌉​and a random row vector $R_i=(r_{i,1},r_{i,2},...,r_{i,M\cdot \lceil d/M\rceil })$ Division and other customer calculations$$R=\sum _{i=1}^N{R}_i=(\sum _{i=1}^N{r}_{i,1},\sum _{i=1}^N{r}_{i,2},...,\sum _{i=1}^N{r}_{i,M\cdot \lceil d/M\rceil })$$ Each semi-real client simultaneously broadcasts$R_i$and does not participate in the conspiracy, then $R$ is unpredictable.
• (2) To prevent corrupt clients from helping malicious ASs pass the verification. $P_i$RRs are grouped in the same way$R$ performs grouping and computes a random group row vector$S$ as the verification coefficient vector$$S=(S_{[1]},S_{[2]},...,S_{[\lceil d/M\rceil ]})$$ Among them, the$k$ group vectors$S_{[k]}$Calculated as $S_{[k]}=R_{\left[k\right]}\cdot U$。
  
• (3) In order to achieve effective verification, $P_i$Compute the checksum $v_{i,k}$. for the $k$ pairs,$v_{i,k}$计算为 v i , k = R [ k ] ⋅ C i , [ k ] , k ∈ { 1 , 2 , . . . , ⌈ d / M ⌉ } v_{i,k}=R_{[k]}·C_{i,[k]},k\in \{1,2,...,⌈d/M⌉\} vi,k​=R[k]​⋅Ci,[k]​,k∈{ 1,2,...,⌈d/M⌉}
• (4) After that, $P_i$Calculation $V_i={\sum }_{k=1}^{\lceil d/M\rceil }{v}_{i,k}$和 A i = { A i ( k ) } k = 1 ⌈ d / M ⌉ A_i=\{A_i(k)\}^{⌈d/M⌉}_{k=1} Ai​={ Ai​(k)}k=1⌈d/M⌉​authenticating. (The following are malicious behavior detection rules)
  Specifically, $P_i$Check the following two equations f [ k ] ( ak ( M + 1 ) ) = ? ∑ i = 1 NA i ( k ) , k ∈ { 1 , 2 , . . . , ⌈ d / M ⌉ } ——( 1 ) f_{[k]}(a_{k(M+1)})=?\sum^N_{i=1}A_i(k),k\in\{1,2,...,⌈d/ M⌉\} —— (1)f[k]​(ak(M+1)​)=?i=1∑N​Ai​(k),k∈{ 1,2,...,⌈d/M⌉}——（1）$$\sum _{m=1}^{d}S(m)g(m)=?\sum _{i=1}^N{V}_i——\left(2\right)$$ Among them$f_{[k]}(a_{k(M+1)})$和$g(m)=f_{[\lceil m/M\rceil ]}(a_{m+\lceil m/M\rceil -1})$ from the returned ciphertext$B$ calculates and defines the rule as:
• 1) Rule 1: If the above formula (1) and formula (2) are both established, the AS is considered trustworthy.
• 2) Rule 2: If neither formula (1) nor formula (2) holds true, then AS is considered as a weak attacker.
• 3) Rule 3: If the above formula (1) is true, but formula (2) is not true, then AS is considered as a strong attacker.

3.4.3 Support dynamic verification

Due to network abnormalities, some clients may be disconnected during the training process. There are already schemes solved using double masking ( provided that no client reveals the same client's online or offline secret share ). But the client may collude with the AS.
The following demonstrates how the verification process of this article handles the verification problem of client disconnection:

• （1）$f_{[k]}(a_{k(M+1)})$和$g(m)=f_{[\lceil m/M\rceil ]}\left(a_{m+\lceil m/M\rceil -1}\right)$ The ciphertext BBreturned by AS$B$ calculation, not affected by dropped clients.
• (2) Gradient commitment $C_i$Has been published before the aggregation, R can use the random vector R i R_i of the online client$R_i$calculation, does not affect $S$ sum$V_i$calculation process.
• (3) Take Shamir $(T,N)$ Share P i P_iin a secret sharing manner$P_i$的$r_i$, even if $P_i$Exit, and can also maintain with the remaining clients (satisfied that the number is not less than $T$ ) verification process without affecting$A_i$calculation.
  • As long as there are clients that do not participate in the collusion, falsified aggregation results can be detected.
  • Due to the unpredictable R generated S is random, even if $N-It\; is\; also\; difficult\; for\; a$ client to conspire with the AS to forge the aggregation result.

4. Experimental evaluation

4.1 Experimental environment

Implemented using Python 3.8, PyTorch1.8.1 and Numpy, the classification task is performed on the MNIST dataset, and the multi-layer perceptron (MLP) and convolutional neural network (CNN) are used as the training model of VCD-FL respectively. The accuracy, loss, encryption overhead, decryption overhead, and communication overhead are mainly compared .

• (1) Accuracy : When MLP and CNN are used as training models respectively, the accuracy of VCD-FL has advantages over the VFL scheme.
  • MLP: After 300 iterations, the VCD-FL accuracy is about 90.92%, and the VFL accuracy is about 88.9%.
  • CNN: After 500 iterations, the accuracy of VCD-FL is about 94.83%, and the accuracy of VFL is about 93.38%.
    
• (2) Loss : Also under MLP and CNN as training models, the loss of VCD-FL is smaller than that of the VFL scheme.
  
• (3) Encryption overhead : (a) When $M^{{}^{\prime }}=4,d=100,000$ , VCD-FL encryption time is about 20.44s, VFL is about 96.91s, only 1/5 times. After introducing the gradient compression algorithm, with the compression ratiopp%The cost of increasing$p\; is\; reduced.$(b) When given$d=10000$ , with$M{}^{\text{'}}$ , VFL encryption time increases almost exponentially, while VCD-FL only increases linearly.
  
• (4) Decryption overhead : (a) With $With\; the\; increase\; of\; d$ , the decryption time increases linearly. When$M^{{}^{\prime }}=4,d=100,000$ , VCD-F decryption time is about 1.63s, VFL is about 8.7s. (b) Similarly, fixed$d$ , with$M{}^{\text{'}}$ , the decryption time of VFL increases linearly, while that of VCD-FL decreases linearly. The reason is that the decryption overhead depends on the calculation of the aggregation result, that is, depends on the number of interpolation points, and VFL is about$(M^{{}^{\prime }}+1)d$ , while VCD-FL is about$d+\lceil d/M^{{}^{\prime }}\rceil$.
  
  -(5)Communication overhead: the size of the uploaded information between the client and the AS, mainly depends on$d$ and$M^{{}^{\text{'}}}$ . Generally speaking, the communication overhead of VCD-FL is smaller than that of VFL.
  

references

[1] Hahn C, Kim H, Kim M, et al. Versa: Verifiable secure aggregation for cross-device federated learning[J]. IEEE Transactions on Dependable and Secure Computing, 2021.
[2] K. Bonawitz et al., “Practical secure aggregation for privacy-preserving machine learning,” in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., Oct. 2017, pp. 1175–1191.
[3] G. Xu, H. Li, S. Liu, K. Yang, and X. Lin, “VerifyNet: Secure and verifiable federated learning,” IEEE Trans. Inf. Forensics Security, vol. 15, pp. 911–926, 2020.
[4] A. Fu, X. Zhang, N. Xiong, Y. Gao, H. Wang, and J. Zhang, “VFL: A verifiable federated learning with privacy-preserving for big data in industrial IoT,” IEEE Trans. Ind. Informat., vol. 18, no. 5, pp. 3316–3326, May 2022.
[5] X. Guo et al., “VeriFL: Communication-efficient and fast verifiable aggregation for federated learning,” IEEE Trans. Inf. Forensics Security, vol. 16, pp. 1736–1751, 2021.
[6] Z. Peng et al., “VFChain: Enabling verifiable and auditable federated learning via blockchain systems,” IEEE Trans. Netw. Sci., vol. 9, no. 1, pp. 173–186, Jan. 2020.
[7] Y. Lin et al., “Deep gradient compression: Reducing the communication bandwidth for distributed training,” in Proc. 6th Int. Conf. Learn. Represent., Vancouver, BC, Canada, 2018, pp. 1–14.

---

1. 1 ↩︎

2. 2 ↩︎

3. 3 ↩︎

4. 4 ↩︎

5. 5 ↩︎

6. 6 ↩︎

7. 7 ↩︎