Enabling Privacy-Preserving and Publicly Auditable Federated Learning

TL;DR

This paper introduces a federated learning scheme that ensures privacy, resists malicious participants, and allows public auditing of the training process, combining robust aggregation, blockchain, and zero sharing techniques.

Contribution

It presents a novel federated learning framework that simultaneously achieves privacy preservation, robustness against malicious inputs, and public verifiability of the training process.

Findings

Model accuracy comparable to standard FL.

Effective detection of malicious gradient uploads.

Successful implementation of public auditability using blockchain.

Abstract

Federated learning (FL) has attracted widespread attention because it supports the joint training of models by multiple participants without moving private dataset. However, there are still many security issues in FL that deserve discussion. In this paper, we consider three major issues: 1) how to ensure that the training process can be publicly audited by any third party; 2) how to avoid the influence of malicious participants on training; 3) how to ensure that private gradients and models are not leaked to third parties. Many solutions have been proposed to address these issues, while solving the above three problems simultaneously is seldom considered. In this paper, we propose a publicly auditable and privacy-preserving federated learning scheme that is resistant to malicious participants uploading gradients with wrong directions and enables anyone to audit and verify the correctness of the training process. In particular, we design a robust aggregation algorithm capable of detecting gradients with wrong directions from malicious participants. Then, we design a random vector generation algorithm and combine it with zero sharing and blockchain technologies to make the joint training process publicly auditable, meaning anyone can verify the correctness of the training. Finally, we conduct a series of experiments, and the experimental results show that the model generated by the protocol is comparable in accuracy to the original FL approach while keeping security advantages.