Per-element Secure Aggregation against Data Reconstruction Attacks in Federated Learning

TL;DR

This paper introduces a per-element masking enhancement to secure aggregation in federated learning, preventing data reconstruction attacks on sparse model updates while maintaining efficiency and compatibility with existing protocols.

Contribution

We propose a novel per-element masking mechanism that limits information leakage in secure aggregation, compatible with current cryptographic protocols, and integrated into Flamingo for improved security.

Findings

The mechanism effectively prevents data reconstruction attacks on sparse updates.

The added overhead remains acceptable for practical deployment.

Experimental results confirm robustness and efficiency of the proposed method.

Abstract

Federated learning (FL) enables collaborative model training without sharing raw data, but individual model updates may still leak sensitive information. Secure aggregation (SecAgg) mitigates this risk by allowing the server to access only the sum of client updates, thereby concealing individual contributions. However, a significant vulnerability has recently attracted increasing attention: when model updates are sparse vectors, a non-zero value contributed by a single client at a given index can be directly revealed in the aggregate, enabling precise data reconstruction attacks. In this paper, we propose a novel enhancement to SecAgg that reveals aggregated values only at indices with at least $t$ non-zero contributions. Our mechanism introduces a per-element masking strategy to prevent the exposure of under-contributed elements, while maintaining modularity and compatibility with many existing SecAgg implementations by relying solely on cryptographic primitives already employed in a typical setup. We integrate this mechanism into Flamingo, a low-round SecAgg protocol, to provide a robust defense against such attacks. Our analysis and experimental results indicate that the additional computational and communication overhead introduced by our mechanism remains within an acceptable range, supporting the practicality of our approach.