DP-BREM: Differentially-Private and Byzantine-Robust Federated Learning with Client Momentum

TL;DR

This paper introduces DP-BREM and DP-BREM+ protocols that combine differential privacy and Byzantine robustness in federated learning by leveraging client momentum and secure aggregation, improving privacy-utility tradeoff and robustness.

Contribution

It proposes the first federated learning protocols that simultaneously ensure differential privacy and Byzantine robustness using client momentum and secure aggregation techniques.

Findings

DP-BREM achieves better privacy-utility tradeoff.

DP-BREM+ maintains privacy and robustness without a trusted server.

Protocols outperform baselines under various attack and privacy settings.

Abstract

Federated Learning (FL) allows multiple participating clients to train machine learning models collaboratively while keeping their datasets local and only exchanging the gradient or model updates with a coordinating server. Existing FL protocols are vulnerable to attacks that aim to compromise data privacy and/or model robustness. Recently proposed defenses focused on ensuring either privacy or robustness, but not both. In this paper, we focus on simultaneously achieving differential privacy (DP) and Byzantine robustness for cross-silo FL, based on the idea of learning from history. The robustness is achieved via client momentum, which averages the updates of each client over time, thus reducing the variance of the honest clients and exposing the small malicious perturbations of Byzantine clients that are undetectable in a single round but accumulate over time. In our initial solution DP-BREM, DP is achieved by adding noise to the aggregated momentum, and we account for the privacy cost from the momentum, which is different from the conventional DP-SGD that accounts for the privacy cost from the gradient. Since DP-BREM assumes a trusted server (who can obtain clients' local models or updates), we further develop the final solution called DP-BREM+, which achieves the same DP and robustness properties as DP-BREM without a trusted server by utilizing secure aggregation techniques, where DP noise is securely and jointly generated by the clients. Both theoretical analysis and experimental results demonstrate that our proposed protocols achieve better privacy-utility tradeoff and stronger Byzantine robustness than several baseline methods, under different DP budgets and attack settings.