BlindFL: Segmented Federated Learning with Fully Homomorphic Encryption

TL;DR

BlindFL introduces a flexible, encrypted federated learning framework that reduces communication costs, enhances security against server and client-side attacks, and maintains model accuracy using subset encryption with fully homomorphic encryption.

Contribution

The paper presents BlindFL, a novel FL scheme that encrypts only a subset of local updates, reducing costs and improving security against malicious clients, while preserving model accuracy.

Findings

BlindFL reduces transmission costs compared to standard FHE-based FL.

BlindFL effectively impedes client-side model poisoning attacks.

BlindFL maintains high global model accuracy with lower computational overhead.

Abstract

Federated learning (FL) is a popular privacy-preserving edge-to-cloud technique used for training and deploying artificial intelligence (AI) models on edge devices. FL aims to secure local client data while also collaboratively training a global model. Under standard FL, clients within the federation send model updates, derived from local data, to a central server for aggregation into a global model. However, extensive research has demonstrated that private data can be reliably reconstructed from these model updates using gradient inversion attacks (GIAs). To protect client data from server-side GIAs, previous FL schemes have employed fully homomorphic encryption (FHE) to secure model updates while still enabling popular aggregation methods. However, current FHE-based FL schemes either incur substantial computational overhead or trade security and/or model accuracy for efficiency. We introduce BlindFL, a framework for global model aggregation in which clients encrypt and send a subset of their local model update. With choice over the subset size, BlindFL offers flexible efficiency gains while preserving full encryption of aggregated updates. Moreover, we demonstrate that implementing BlindFL can substantially lower space and time transmission costs per client, compared with plain FL with FHE, while maintaining global model accuracy. BlindFL also offers additional depth of security. While current single-key, FHE-based FL schemes explicitly defend against server-side adversaries, they do not address the realistic threat of malicious clients within the federation. By contrast, we theoretically and experimentally demonstrate that BlindFL significantly impedes client-side model poisoning attacks, a first for single-key, FHE-based FL schemes.