HybridAlpha: An Efficient Approach for Privacy-Preserving

Federated Learning
Runhua Xu∗ Nathalie Baracaldo, Yi Zhou, Ali Anwar and
University of Pittsburgh Heiko Ludwig
Pittsburgh, Pennsylvania, United States IBM Almaden Research Center
runhua.xu@pitt.edu San Jose, California, United States
{baracald,hludwig}@us.ibm.com,{yi.zhou,ali.anwar2}@ibm.com

ABSTRACT 1 INTRODUCTION
arXiv:1912.05897v1 [cs.CR] 12 Dec 2019

Federated learning has emerged as a promising approach for collab- Machine learning (ML) has been widely applied in industry and
orative and privacy-preserving learning. Participants in a federated academia to a wide variety of domains [23, 26]. While traditional
learning process cooperatively train a model by exchanging model ML approaches depend on a centrally managed training data set, pri-
parameters instead of the actual training data, which they might vacy considerations drive interest in decentralized learning frame-
want to keep private. However, parameter interaction and the re- works in which multiple participants collaborate to train a ML
sulting model still might disclose information about the training model without sharing their respective training data sets. Feder-
data used. To address these privacy concerns, several approaches ated learning (FL) [25, 28] has been proposed as a decentralized
have been proposed based on differential privacy and secure mul- process that can scale to thousands of participants. Since the train-
tiparty computation (SMC), among others. They often result in ing data does not leave each participant’s domain, FL is suitable for
large communication overhead and slow training time. In this pa- use cases that are sensitive to data sharing. This includes health
per, we propose HybridAlpha, an approach for privacy-preserving care, financial services and other scenarios of particular privacy
federated learning employing an SMC protocol based on functional sensitivity or subject to regulatory mandates.
encryption. This protocol is simple, efficient and resilient to par- In FL, each participant trains a model locally and exchanges
ticipants dropping out. We evaluate our approach regarding the only model parameters with others, instead of the active privacy-
training time and data volume exchanged using a federated learning sensitive training data. An entity called aggregator merges the
process to train a CNN on the MNIST data set. Evaluation against model parameters of different participants. Often, an aggregator is
existing crypto-based SMC solutions shows that HybridAlpha can a central entity that also redistributes the merged model parameters
reduce the training time by 68% and data transfer volume by 92% on to all participants but other topologies have been used as well, e.g.,
average while providing the same model performance and privacy co-locating an aggregator with each participant. However, this
guarantees as the existing solutions. approach still poses privacy risks: inference attacks in the learning
phase have been proposed by [30]; deriving private information
CCS CONCEPTS from a trained model has been demonstrated in [37]; and a model
• Security and privacy → Privacy-preserving protocols; • Com- inversion attack has been presented in [19].
puting methodologies → Distributed artificial intelligence; To address such privacy leakage, differential privacy [15, 17]
Neural networks. has been proposed for a learning framework [1, 31], in which a
trusted aggregator controls the privacy exposure to protect the
KEYWORDS privacy of the model’s output. Similarly, [32] proposes to combine
differential privacy techniques and secure multiparty computation
Federated learning, privacy, functional encryption, neural networks
(SMC) to support privacy-preserving analyses on private data from
ACM Reference Format: different data providers, whereas [6] combines secret sharing and
Runhua Xu and Nathalie Baracaldo, Yi Zhou, Ali Anwar and Heiko Ludwig. authenticated encryption in a failure-robust protocol for secure
2019. HybridAlpha: An Efficient Approach for Privacy-Preserving Feder-
aggregation of high-dimensional data.
ated Learning. In 12th ACM Workshop on Artificial Intelligence and Security
Inspired from the hybrid methodology [32], a recent paper [38]
(AISec’19), November 15, 2019, London, United Kingdom. ACM, New York,
NY, USA, 11 pages. https://doi.org/10.1145/3338501.3357371 also proposed a hybrid solution that provides strong privacy guar-
antees while still enabling good model performance. This hybrid
∗ The work was done while interning at the IBM Research - Almaden. approach combines a noise-reduction differential privacy approach
with protection of SMC protocol, where the underlying security
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed cornerstone is additive homomorphic encryption, i.e., threshold
for profit or commercial advantage and that copies bear this notice and the full citation Paillier system [11]. Even though the hybrid approach has good
on the first page. Copyrights for components of this work owned by others than the model performance and privacy guarantees, it comes with long
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission training time and high data transmission cost and cannot deal with
and/or a fee. Request permissions from permissions@acm.org. participants dropping out during the FL process. In Table 1, we
AISec’19, November 15, 2019, London, United Kingdom summarize existing privacy-preserving approaches from the per-
© 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-6833-9/19/11. . . $15.00 spectives of threat model, privacy guarantees, and offered features.
https://doi.org/10.1145/3338501.3357371
We believe a privacy-preserving FL framework should strive for 2.1 Privacy Preserving Federated Learning
strong privacy guarantees, high communication efficiency, and re- The first FL design aimed to protect the data privacy by ensuring
silience to changes. As shown by Table 1, approaches that offer each participant would keep its data locally and uniquely transmit
privacy guarantees incur a large number of communication rounds, model parameters [28]. Although at first glance it may provide
substantially increasing the training time for FL systems. some level of privacy, attacks in the literature have demonstrated
To address the above-mentioned challenges, we propose Hybri- that it is possible to infer private information [19, 30, 37]. To fully
dAlpha, an efficient approach for privacy-preserving FL. HybridAl- protect the privacy of the training data from inference attacks, it is
pha employs functional encryption to perform SMC. Using functional necessary to provide the privacy of the computation and the output.
encryption, we define a simple and efficient privacy-preserving FL Privacy of computation. Malicious participants involved in FL
approach, which also supports a participant group that is changing training may have an incentive to infer private information of
during the course of the learning process. We summarize our key others. Messages exchanged with the aggregator contain model
contributions as follows: updates that leak private information. For instance, if a bag of words
• We propose HybridAlpha, an efficient privacy-preserving FL is used as embedding to train a text-based classifier, inspecting
approach that employs a differential privacy mechanism and gradients can help an adversary identify what words where used
defines a SMC protocol from a multi-input functional encryp- (e.g., non-zero gradients constitute words used). SMC protocols
tion scheme. We adapt such scheme and include additional can be used to protect inference attacks at training time. These
provisions to mitigate the risk that curious aggregators and protocols ensure that individual results cannot be exposed while
colluding participants will infer private information. still allowing the computation of aggregated data.
• We implement and compare - both theoretically and experi- Privacy of output. Machine learning models can also leak private
mentally - a functional encryption scheme to common, tradi- information about the training data [19, 30, 37]. Here, adversaries
tional cryptography schemes such as additive homomorphic can repeatedly query the model to identify if a particular observa-
encryption and its variants, which are typically used for tion was part of the training data. To prevent against these attacks,
SMC. Our benchmark results will guide future adoption of differential privacy has been proposed. In this case, noise is added
these cryptosystems in the selection of adequate SMCs for to the model to protect individual records in the training dataset.
FL. Existing approaches. Table 1 presents an overview of privacy
• We describe an implementation of the HybridAlpha approach preserving approaches (a more thorough description is presented
and apply it to a convolutional neural network. The exper- in §6). Although some of them provide privacy guarantees for
imental results on the MNIST dataset show that our Hy- the computation and output, they lack relevant features for FL
bridAlpha framework has efficiency improvements both in systems. In particular, approaches that increase the number of
training time and communication cost, while providing the communication rounds can hinder the applicability of FL, as they
same model performance and privacy guarantee as other augment the training time and amount of data exchanged. For large
approaches. models such as neural networks, this is a major concern.
• At the same time, we demonstrate a solution to the dynamic Another important feature should be provided by FL frameworks
participant group issue, which indicates that our proposed is the support for dynamic participation. In some scenarios, partici-
framework is robust to participants’ dropout or addition. pants may leave the training process at any time, we refer to these
We also analyze the security and privacy guarantee of the as dropouts. As shown in Table 1, existing approaches cannot grace-
HybridAlpha framework under our defined threat model fully deal with dropouts and require re-doing an overall training
within a trusted TPA, honest-but-curious aggregators, and round with new keys. New participants may also join the training
partially dishonest participants. process at any time. Existing approaches do not provide support
To the best of our knowledge, this is the first approach for privacy- for this dynamic flow and require full-re-keying.
preserving federated learning that demonstrates how to make Our proposed HybridAlpha reduces significantly the training
use of functional encryption to prevent certain inference attacks time by limiting the number of messages exchanged to one by round
that would be possible by naively applying this cryptosystem. We - substantially less than existing approaches that offer privacy of
demonstrate that our approach has better model performance, computation. In what follows, we present in detail some of the basic
stronger privacy guarantee, lower training time and more efficient building blocks that allow us to achieve this result.
communication compared to existing solutions.
Organization. The rest of the paper is organized as follows. In 2.2 Differential Privacy and Multiparty
§2, we introduce background and preliminaries. We propose our Computation
HyrbidAlpha framework and its underlying threat model in §3. Differential privacy (DP) [15, 17] is a rigorous mathematical frame-
The evaluation, as well as the security and privacy analysis are work where an algorithm may be described as differentially private
respectively presented in §4 and §5. We discuss related works in if and only if the inclusion of a single instance in the training dataset
§6 and conclude the paper in §7. causes only statistically insignificant changes to the algorithm’s
output. The formal definition for DP is as follows:
2 BACKGROUND AND PRELIMINARIES
In this section, we introduce the background and explain the un- Definition 2.1. (Differential Privacy [15]). A randomized func-
′
derlying building blocks of our proposed framework. tion K gives (ϵ, δ )-differential privacy if for all data sets D and D
 Table 1: Comparison of privacy-preserving approaches in federated machine learning framework

Threat Model Privacy Guarantee SMC Features

Proposed Approach participant aggregator computation output type ∗ communication † dynamic participants
Shokri and Shmatikov[36] honest honest ✗ ✓ − 1 round ✓
PATE [31] honest honest ✗ ✓ − 1 round −
PySyft [34] honest HbC⋄ ✓ ✓ HE 2 rounds‡ −
Bonawitz et al. [6] dishonest HbC⋄ ✓ ✓ SS+AE 3 rounds‡ dropout
Truex et al. [38] dishonest HbC⋄ ✓ ✓ TP 3 rounds‡ ✗
HybridAlpha (our work) dishonest HbC⋄ ✓ ✓ FE 1 round‡ dropout + addition
∗ “SS+AE”represents secret sharing techniques with key agreement protocol and authenticated encryption scheme; “HE” is homomorphic encryption scheme; “TP” is
Threshold-Paillier system, a partially additive homomorphic encryption scheme; “FE” indicates functional encryption scheme; symbol − indicates non-comparative option.
⋄ HbC is the abbreviation of Honest but Curious.
† The count is based on one epoch at the training phase between the aggregator and the participant.
‡ The key distribution communication is not covered here.

differing on at most one element, and all S ⊆ Range(K), to derive multiple public keys to one or more parties who intend
′ to encrypt their data. Given a function f (·), a functional private
Pr[K(D) ∈ S] ≤ exp (ϵ) · Pr[K(D ) ∈ S] + δ .
key skf will be generated by the TPA who holds a master secret
The probability is taken over the coin tosses of K. key. By processing the function related key skf a decryptor can
compute f skf (x) from the encrypted data, enc(x), without revealing
Note that ϵ-differential privacy can be treated as a special case
the plaintext x.
of (ϵ, δ )-differential privacy where δ = 0. To achieve DP, multi-
To satisfy the distributed setting, a variant of functional encryp-
ple mechanisms designed to inject noise to the algorithm’s out-
tion, i.e., Multi-Input Functional Encryption (MIFE) is proposed in
put have been proposed. These mechanisms add noise propor-
[20], where a functional secret key skf can correspond to an n-ary
tional to the sensitivity of the output, a measure of the maximum
function f (·) that takes multiple ciphertexts as input. In our feder-
change of the output resulting by the inclusion of a single data
ated machine learning framework, we adopt with modifications the
point. Popular mechanisms include Laplacian and Gaussian mecha-
MIFE scheme for inner-product proposed in [2, §4.4] due to its com-
nisms, where the Gaussian mechanism for a dataset D is defined
putational efficiency. Unlike other FE schemes, this construction
as M(D) = f (D) + N (0, S f2 σ 2 ), where N (0, S f2 σ 2 ) is the normal dis-
provides a construction that does not require performance intensive
tribution with mean 0 and standard deviation S f σ . By applying pairing operations, and hence reduces the overall run-time.
the Gaussian mechanism to function f with sensitivity S f satisfies We now present our construction of a MIFE scheme for federated
(ϵ, δ )-differential privacy [16]. learning, which derived from the construction in [2, §4.4] whose
Noise Reduction through SMC. SMC allows multiple parties security relies on the Decisional Diffie-Hellman (DDH) assumption.
to compute a function over their inputs, without revealing their This MIFE scheme relies on five algorithms, Setup, PKDistribute,
individual inputs [5, 10]. SMC can be achieved using different tech- SKGenerate, Encrypt, Decrypt, and three roles: the third party author-
niques such as garbled circuit with oblivious transfer, fully or par- ity (TPA), participants and aggregators. Algorithms Setup, PKDis-
tially homomorphic encryption, and functional encryption. tribute, SKGenerate are run by TPA. Each participant runs Encrypt
Prior work has shown that it is possible to maintain the same algorithm to encrypt their model parameters and the aggregator
DP guarantee achieved by local differential privacy [24, 33], i.e., runs Decrypt algorithm to acquires the average sum of encrypted
each party adds its own noise independently, and uses SMC to model parameters. Notice that comparing to the MIFE construction
hide individual inputs. Concretely, using the Gaussian mechanism in [2], we add an additional algorithm, i.e., PKDistribute, to help
defined above, local differential privacy requires each participant deliver the public keys pk to participants. As a result, each partici-
to independently add N (0, S f2 σ 2 ). Considering n parties, the total pant will encrypt their data using its own pk rather than using the
noise adds up to n. However, when applying SMC each participant master key msk as described in [2]. This modification is beneficial
can add a fraction of the noise N (0, n1 S 2 σ 2 ) and then use a SMC because different parties do not need to share a single master key.
technique to share the value for aggregation. As shown in [38], this Suppose the inner-product functionality is defined as follows:
ensures the same DP guarantee while reducing the amount of total ηi
n Õ n
noise injected by a factor of n.
Õ Õ
f ((x1 , x2 , ..., xn ), y) = (x i j yÍi −1 ηk +j ) s.t .|y| = ηi ,
k =1
i=1 j=1 i=1
2.3 Functional Encryption
where n denotes the total number of input sources, ηi is the length
HybridAlpha relies on Functional Encryption (FE), a public-key
of each input vector xi , and dimension(y) = ni=1 dimension(xi )
Í
cryptosystem that allows parties to encrypt their data, meanwhile,
The specific construction of MIFE is defined follows:
an external entity can compute a specific function on the ciphertext
η®
without learning anything additional from the underlying plaintext • Setup(1λ , Fn ): The algorithm first generates secure parame-
data [8]. For this purpose, a trusted third party (TPA) is used to set ters as G := (G, p, д) ← GroupGen(1λ ), and then generates
up a master private key and a master public key that will be used several samples as a ←R Zp , a := (1, a)⊺ , ∀i ∈ {1, ..., n} :
 η ×2 η
Wi ←R Zp i , ui ←R Zp i . Then, it generates the master • Honest-but-curious aggregator: We assume that the aggrega-
public key and master private key as tor correctly follows the algorithm and protocols, but may
try to learn private information inspecting the model updates
mpk := (G, [a]1 , [Wa]), msk := (W, (ui )i ∈ {1, ...,n } ). sent by the participants in the process. This is a common
• PKDistribute(mpk, msk, idi ): It looks up the existing keys assumption [6, 38].
via idi and returns the public key as pki := (G, [a], (Wa)i , ui ). • Curious and colluding participants: We assume that partici-
• SKGenerate(mpk, msk, y): The algorithm first partitions y pants may collude to try to acquire private information from
into (y1 ||y2 ||...||yn ), where |yi | is equal to ηi . Then it gen- other participants by inspecting the messages exchanged
erates the function derived key as with the aggregator or the final model.
• Trusted TPA: This entity is an independent agency which
⊺ ⊺
Õ ⊺
skf ,y := ((di ) ← (yi Wi ), z ← (yi ui )). is widely trusted by the participants and the aggregator. In
real scenarios, different sectors of the economy already have
• Encrypt(pki , xi ): The algorithm first generates a random entities that can take such role. For instance, in the banking
nonce r i ←R Zp , and then computes the ciphertext as industry, central banks often play a fully trusted role, and in
cti := ([ti ] ← [ar i ], [ci ] ← [xi + ui + Wai r i ]). other sectors, a third company such as a service or consultant
firm can embody the TPA. We also note that assuming such
• Decrypt(ct, skf ,y ): The algorithm first calculates as follows: trusted and independent agency is a common assumption
Î ⊺ ⊺ in existing cryptosystems that have employed the TPA as
i ∈[n] ([yi ci ]/[di ti ]) the underlying infrastructure [7, 8, 21]. The TPA is in charge
C := ,
z of holding the master private and public key. The TPA is
and then recovers the function result as f ((x1 , x2 , ..., xn ), y) = also trusted to perform public key distribution and function
logд (C). derived secret key generation. Similarly, Inference Prevention
Module is fully trusted.
Note that in the federated learning setting, the aggregator holds the
vector y, and each ηi is set as 1, which indicates the input from each We assume that secure channels are used in all communications,
participant is a single element instead of the vector as described in thus, man-in-the-middle and trivial snooping attacks are prevented.
the MIFE scheme. We also assume a secure key-provisioning procedure such as Diffie-
Hellman is in place to protect key confidentiality. Finally, attacks
3 HYBRID-ALPHA FRAMEWORK that aim to create denial of service attacks or inject malicious model
updates are beyond the scope of this paper.
In this section, we present the specific construction of our Hybri-
Based on the threat model above, our proposed privacy-preserving
dAlpha framework for privacy-preserving federated learning. Our
framework can ensure that (i) the semi-honest aggregator cannot
framework prevents inference attacks from curious aggregators
learn additional information except for the expected output by the
and limits the inference power of colluding participants, as detailed
differential privacy mechanism, and (ii) the malicious colluding par-
later in the threat model.
ticipants cannot learn the parameters of other honest participants.
Figure 1 presents an overview of HybridAlpha. Participants want
The specific security and privacy analysis are presented in §5.
to collaboratively learn a machine learning model without sharing
their local data with any other entity in the system. They agree on 3.2 HybridAlpha Detailed Operations
sharing only model updates with an aggregator. This entity is in
charge of receiving model updates from multiple participants to We now describe in detail the operations of HybridAlpha and begin
build a common machine learning model. by introducing the notation used. Let A be the aggregator and S P
Participants want to protect their data against any inference be a set of n participants, where each participant Pi holds its own
attack during the FL process and from the final model. For this pur- dataset Di . We denote as L F L the learning algorithm to be trained.
pose, they join a HybridAlpha, which has a Third Party Authority In this section, we first introduce the operations of the frame-
(TPA). This entity provides a key management service that initiates work for non-adversarial settings, and then explain how additional
the cryptosystem and provides functional encryption keys to all features are used to protect against the inference attacks defined in
parties. To prevent potential leakage of information, HybridAlpha the threat model section.
also includes an Inference Prevention Module that limits what type of 3.2.1 Non-adversarial setting. HybridAlpha’s operations under non-
functional encryption keys are provided. This module is designed adversarial settings are indicated in Algorithm 1. As input, Hybri-
to ensure that decryption keys cannot be obtained by curious ag- dAlpha takes the set of participants, the algorithm used for training,
gregators and to limit potential collusion attacks. We detail this and the differential privacy parameter ϵ.
module in §3.2.2. HybridAlpha initiates via the TPA setting up keys in the system.
In particular, the TPA runs the Setup and PKDistribute algorithms
3.1 Threat Model presented in §2.3, so that each participant Pi has its own public key
We consider the following threat model: pki (lines 1-5). We note that HybridAlpha allows new participants
to join the training process even if it has already started. To achieve
1 Notethat [x ] = д x . Here we implicitly adopt the bracket notation from [18], which this, the TPA provisions a larger number of keys than the initial
is somewhat standard in the crypto community. set of participants (line 2). In this way, when new participants join
Figure 1: Framework overview of our proposed efficient approach for privacy-preserving federated learning. Note that we only
present one epoch here. Each participant does the local training based on their owned dataset, and then sends out the model
parameters using our proposed efficient privacy-preserving approach.

Algorithm 1: HybridAlpha When all responses are received, assuming there is quorum, A
Input: L F L := Machine learning algorithms to be trained; needs to request a key from the TPA corresponding to the weighted
ϵ := privacy guarantee; S P := set of participants, where vector wp that will be used to compute the inner product. That is,
Pi ∈ S P holds its own dataset Di ; N := maximum number of the aggregator requests private key skf ,wp from the TPA based on
expected participants; t := minimum number of aggregated wp . For computation of average cumulative sum of each partici-
replies pant’s model, wp can be set as wp = ( n1 , n1 , ..., n1 ) s.t . |wp | = n,
Output: Trained global model M where n is the number of received responses. Then, A updates the
λ
1 function TPA-initialization(1 , N , S P ) global model M by applying the decryption algorithm of the MIFE
2 mpk, msk ← MIFE.Setup(1λ , FN1 ) s.t. N ≫ |S P |; cryptosystem on collected ciphertext set Smsgrecv and skf ,wp . Note
3 foreach Pi ∈ S P do that here we assume the aggregator A will get all responses from
4 pki ← MIFE.PKDistribute(mpk, msk, Pi ); every participant. In the case of dropouts, n can be changed so that
it reflects the number of participants that are being aggregated. In
5 end
the next subsection, we show how HybridAlpha provides recom-
6 function aggregate(L F L , S P , t)
mendations to set up t so that the number of allowed dropouts are
7 foreach Pi ∈ S P do
limited for security reasons.
8 asynchronously query Pi with msgq,i = (L F L , |S P |) ;
At the participant side, when a query for training is received
9 end by participant Pi , it trains a local model Mi using its dataset Di .
10 do During the training process2 , the participant adds differential pri-
11 Smsgrecv ← collect participant response msgr,i ; vacy noise to the model parameters according to the procedure
12 while |Smsgrecv | ≥ t and still in max waiting time; presented in §2.2. Finally, Pi encrypts the resulting noisy model
13 if |Smsgrecv | ≥ t then using the MIFE encryption algorithm and sends it to the aggregator
14 specify w P vector; request the skf ,w P from TPA; (lines 18-22).
15 M ← MIFE.Decrypt(skf ,w P , w P , Smsgrecv );
3.2.2 Inference Prevention Module. In our threat model, we assume
16 end an honest-but-curious aggregator that tries to infer private infor-
17 return M mation during the training process. We consider multiple potential
18 function participant-train(ϵ, t, msgq,i , Di , pki ) attacks where the aggregator manipulates the weighted vector to
19 Mi ← L F L (Di ); perform inference.
20 MiDP ← DP(ϵ, Mi , t); In particular, suppose that A wants to infer the model of Pi . A
21 msgr,i ← MIFE.Encrypt(MiDP , pki ); can try to launch an inference attack to obtain the model updates
22 sends msgr,i to aggregator; of participant k by setting the weighted vector as follow:
wpk = 1, if k = i
 
′
∀k ∈ {1, ..., n} : wp =
wpk = 0, if k , i
If a malicious aggregator is allowed a key to perform the inner
the training process, they need to acquire the individual public key product of this vector with the model updates, the model updates
′
from the TPA, and then participate in the learning protocol; all this of target user k would become visible; this follows because wp
without requiring any changes for other participants. zeros-out the model updates of all other participants except for the
To begin the learning process, the aggregator A asynchronously
2 The differential privacy mechanism depends on the machine learning model being
queries each participant Pi with a query to train the specified
trained. For simplicity, in Algorithm 1 we show the noise added after the training
learning algorithm L F L and the number of participant. Then, the process takes place. However, we note that some DP mechanisms add noise during
aggregator collects the responses of each party Pi (lines 7-12). the training process e.g., to train a neural network with the DP mechanism in [1]
ones sent by target participant k. If this is not avoided, A would Algorithm 2: Inference prevention filter
acquire w i + n1 N (0, S 2 σ 2 ) as the decryption result of the MIFE cryp- Input: wp :=A weighted vector to be inspected for inference
tosystem. Here, the reduced noise n1 N (0, S 2 σ 2 ) does not provide attacks; t:= threshold of minimum number of dropouts
the expected privacy guarantee to protect Mi of Pi because each and expected number of non-colluding participants
honest participant is injecting noise, assuming its model update is 1 function inference-prevention-filter(wp , t)
aggregated privately with other n participants. 2 c nz ← count the non-zero element in wp ;
An honest but curious aggregator may also try to create a smaller 3 if c nz < t then return "invalid wp " ;
weighted vector to exclude a subset of participants from the aggre- 4 foreach non-zero wpi ∈ wp do
gation process. In the worst case, the malicious aggregator would 1 then return "invalid w ";
if wpi , c nz
5 p
try to shrink the weighted vector to include one single participant
6 end
to uniquely “aggregate” the model updates of that participant.
Following this same attack vector, a malicious aggregator collud- 7 forward wp to the TPA;
ing with dishonest participants may try to build a wp vector such
that: (i) a target participant model update is included in the vectors;
(ii) all other honest participants model updates are not aggregated, (SGD)-based algorithm can be trained via our proposed HybridAl-
and (iii) updates of dishonest participants are included in the aggre- pha; models in this pool include SVMs, logistic regression, linear
gation process. Since the aggregator is colluding with the dishonest regression, Lasso, and neural networks, among others. Other models
participants included in the aggregation process and only the target such as decision trees and random forests which require aggregat-
participant is included in the aggregation, the model update of the ing counts from each participant can also be trained by considering
target participant is easily reconstructed (its the single unknown the counts sent to the aggregator as a vector.
variable in the average equation).
To prevent such inference attacks, we propose an additional 4 EVALUATION
component called Inference Prevention Module collocated with the In this section we perform a detailed evaluation of our proposed
TPA. This module intercepts and inspects requests for private keys approach to answer the following questions:
for given weighted vectors to prevent a curious aggregator from • How does HybridAlpha perform theoretically when com-
obtaining a key that will allow for an inference-enabling inner pared to existing techniques that have similar threat models?
product. More specifically, how many crypto-related operations can
To this end, the Inference Prevention Module takes as input a pa- be reduced by using HybridAlpha?
rameter t that defines a threshold on the number of non-colluding • How does our proposed SMC perform under benchmarking?
participants, where t ≥ n2 + 1, that is more than half of the par- How does precision setting impact computation time com-
ticipants should not be colluding. By running Algorithm 2 and pared with existing techniques? What impact do different
using parameter t, it is possible to prevent the attacks previously numbers of participants have?
described. In particular, the Inference Module enforces that keys • How does HybridAlpha compare to existing techniques in
are only provided to weighted vectors that have at least t non-zero terms of performance efficiency?
elements and that the weight for each included model update is the
same. 4.1 Baselines and Theoretical Analysis
Threshold t has an impact on the number of dropouts allowed
We compare the proposed HybridAlpha with two state of the art
by the system. Mainly, it helps set up the minimum quorum of
private-federated learning approaches: [38] and [34], which use
participants replying to the system. HybridAlpha allows a limited
different SMC techniques. A graphical overview and comparison
number of participants to dropout without requiring any re-keying;
of these baselines can be found in Figure 2, the steps performed by
only the weighted vector sent by the aggregator needs to be updated
each approach are defined in this figure. We will use this notation
by uniquely including the weights of model updates received.
to report our results. Additionally, we provide a brief description
We also note that t has an impact on how much differential
of our baselines:
privacy noise is added by each participant to achieve a pre-defined
ϵ. Concretely, the number of aggregated replies is always at least t, • We refer to the first baseline as TP-SMC [38]. This FL ap-
so as explain in §2.2, the noise can be adapted to always account proach uses a threshold-based homomorphic cryptosystem
for t non-colluding participants contributing to the average, e.g., that allows for a trusted parameter t that specifies the num-
N (0, t1 S 2 σ 2 ). For this purpose, t needs to be communicated among ber of participants that are trusted not to collude.
all participants and the aggregator. • We refer as P-SMC to our second baseline which is inspired
Underlying ML models of HybridAlpha. For simplicity we only by PySyft [34], an opensource system that uses SPDZ pro-
use the neural networks as the underlying ML model in our FL tocol [12, 13]. This construct supports homomorphic addi-
framework for illustration and evaluation, however, the our Hybri- tion and multiplication. Because the SGD aggregation only
dAlpha supports various ML algorithms. As functional encryption requires addition, we opted for a additive homomorphic ap-
enables the computation of any inner-product based operation, any proach for the comparison, thus, the results reported for this
model that can be trained through a stochastic gradient descent baseline are representative yet faster than PySyft.
We note that the contrasted approaches follows a similar threat
model to [38] with a honest-but-curious aggregator, and potentially
 Figure 2: Illustration of aggregation via different crypto-based SMC solutions.
Table 2: The number of crypto-related operations required of the Charm framework [4]. Charm uses a hybrid design, where
for each solution. the underlying performance-intensive mathematical operations are
implemented in native C modules, i.e., the GMP library 3 , while
Communication TP-SMC P-SMC HybridAlpha ∗ cryptosystems themselves can be written in a readable, high-level
Step (1) n n n +m language. Even though there exists Paillier implementation includ-
Step (3) n ×m n ×m n ×m ing its threshold variant using other programming languages, we
Step (5) m ×t n ×m - re-implement them in a unified platform to allow for fair bench-
Step (7) t ×m - - marking and to enable easy integration with python-based machine
TOTAL 2mt + mn + n 2mn + n mn + m + n learning frameworks such as Keras and Tensorflow.
In our implementation, we incorporated the following acceler-
colluding and malicious participants. However, they differ in the ating techniques. In HybridAlpha, as presented in §2.3, the final
assumption of a TPA. We therefore, show how making use of a TPA, step of MIFE decryption is to compute the discrete logarithm of an
HybridAlpha can significantly reduce the training time of machine integer, which is a performance intensive computation. An example
learning models. would be how to compute f in h = дf , where h, д are big integers,
while f is a small integer. To accelerate the decryption, we use a
Theoretical Comparison. We now theoretically compare the crypto- hybrid approach to solve the discrete logarithm problem. Specifi-
related communication steps associated with the contrasted ap- cally, we setup a hash table Th,д,b to store (h, f ) with a specified
proaches. Suppose that there are n participants and m aggregators д and a bound b, where −b ≤ f ≤ b, when the system initializes.
in the FL framework, and the threshold for decryption of Threshold- When computing discrete logarithms, the algorithm first looks up
Paillier cryptosystem is t. As shown in Table 2, In total, HybridAlpha Th,д,b to find f , where the complexity is O(1). If there is no result
reduces m(n − 1) and m(2t − 1) operations compared to P-SMC and in Th,д,b , the algorithm employs the traditional baby-step giant-step
TP-SMC solutions, respectively. This is achieved because Hybri- 1
algorithm [35] to compute f , where the complexity is O(n 2 ) .
dAlpha doesn’t require sending back encrypted aggregated model
The second acceleration method we implemented modifies the
updates to the participants for decryption
encryption and decryption algorithms to allow for a one-shot en-
In the following, we also provide the details of experimental
cryption call of a tensor. Here, each generated random nonce is
results in §4.3. The experimental results are consistent with the
applied to the whole tensor instead of a single element. We note
theoretical analysis.
that a further performance enhancement technique that could be
used is parallelizing the encryption/decryption implementation,
4.2 Experimental Setup
however, we did not include this enhancement.
To benchmark the performance of HybridAlpha, we train a con- Experimental Setup. All the experiments are performed on a 2
volutional neural network (CNN) with the same topology as the socket, 44 core (2 hyperthreads/core) Intel Xeon E5-2699 v4 platform
one used in [38] to classify the publicly available MNIST dataset with 384 GB of RAM. Note that the FL framework is simulated (not
of handwritten digits [27]. The CNN has two internal layers of run on the real distributed environment), hence the network latency
ReLU units, and a softmax layer of ten classes with cross-entropy issues are not considered in our experiment. However, we report a
loss. The first layer contains 60 neurons and the second layer con- comparison of data transfer by contrasted approaches.
tains 1000 neurons. The total number of parameters of this CNN is
118110. We also use the same hyperparameters reported in previous 4.3 Experimental Results
work: a learning rate of 0.1, a batch rate of 0.01. and for differential
Here, we first present the benchmark result of three contrasted ap-
privacy we use a norm clipping of 4.0, and an epsilon of 0.5. We
proaches, and then show the experimental efficiency improvement.
used noise-reduction method as in [38] as differential private mech-
Impact of Floating Point Precision. The parameters of a neural
anism. We run experiments for 10 participants, and each participant
network (weights) are represented as floating point numbers. How-
was randomly assigned 6,000 data points from the MNIST dataset.
ever, cryptosystems take them as input integers. Hence, the floating
For model quality, we used the pre-defined MNIST test set. Our
point parameters should be represented and encoded into integers.
implementation uses Keras with a Tensorflow backend.
The precision number denotes the number of bits used after the
Cryptosystems Implementation We implement the contrasted
cryptosystems in python based on the opensource integer group 3 The GNU Multiple Precision Arithmetic Library (https://gmplib.org/).
decimal point of a floating point number. In Table 3 we present the DP”. For privacy-preserving approaches we use an ϵ = 0.5. Finally,
impact of the precision on the computation time of each crypto- our experiments used t = 5 for HybridAlpha and TP-SMC. This
based SMC. Based on our experimental results, the precision setting experiment was run with 10 participants.
has no significant impact on operation time of each cryptosystem. To measure quality of model performance, we report the F1-
To be specific, the time cost of encryption, decryption, and other ci- score (a measure that combines precision and recall) of the resulting
phertext computations in each cryptosystem is stable, respectively, models. The results are presented in Figure 3(a).
of length of the integer. We see different trends depending on whether a particular ap-
For encryption, the average time cost of 10 participants on 118110 proach protects privacy of the computation and of the output. As
gradients for HybridAlpha is around 4 seconds, while the time expected, approaches that do not protect the privacy of the final
cost of P-SMC and TP-SMC under the same setting is about 35 model - those that don’t inject differential privacy noise- result in a
seconds. For decryption, under the same setting, the cost time of in higher F1-score. In contrast, “Local DP” provides the lowest F1-
HybridAlpha is about 30 seconds, while the time cost of P-SMC score due to the high amount of noise injected by each participant.
and TP-SMC are 31 and 88 seconds, respectively. Note that the For approaches that use SMC to uniquely protect the privacy of the
decryption time of TP-SMC includes the share decryption by part of computation, “TP-SMC no DP”, “P-SMC no DP” and “HybridAlpha
participants and the final combination decryption by the aggregator, no DP”, we see higher F1-scores than for those that protect the
without considering network latency of transmitting the partial privacy of the output. This shows the price of protecting against
decrypted ciphertext. We can conclude that our proposed approach the risk of inference on the model. Finally, we see that approaches
has significant advantages on both encryption/decryption time cost that combine differential privacy with SMC are capable of achiev-
comparing to P-SMC and TP-SMC solutions. ing higher F1-scores while protecting the privacy of the input and
Finally, the number of decimal points used in the conversion output.
impacts the overall accuracy of the trained model. In the remaining We now analyze these approaches from the perspective of to-
of the experiments, we used 6-digits which allows for good model tal training time presented in Figure 3(b). As it can be seen, our
and training time performance. proposed HybridAlpha has very similar training time to “FL-no-
Impact of Number of Participants. We also measure the impact privacy”. In other words, the training time added by ensuring pri-
of the number of participants on the time cost for each crypto vacy of the input and output is negligent. In contrast, we see that
operation. The experimental results are shown in Table 4. We see the slowest approach is TP-SMC even though we set up t to a con-
two different trends on the participant and on the aggregator side. servative 50% of the entire number of participants in the system.
At the participant side, the encryption and decryption runtime This result is due to the fact that TP-SMC requires more rounds of
stays the same for all of the evaluated approaches as the number of communication per global step. The high training time makes TP-
participants increases. In contrast, on the aggregator side, the time SMC suitable for models that require limited number of interactions
cost of ciphertext multiplication increases almost linearly with the with the aggregator during training.
increase in the number of participants (shown in italicized numbers Beside the efficiency in training time, we also evaluate the ef-
in Table 4). However, we note a significant difference between ficiency of network transmission by measuring the volume of en-
HybridAlpha and TP-SMC. For HybridAlpha the decryption time crypted parameters transmitted over the network. In Figure 4, we
increases approximately linearly with the increase of participants, present the total transmitted cipertext size under different crypto-
while for TP-SMC, the decryption time increases exponentially as based SMC approaches for one epoch. The green bar represents
the number of participants increases. initial ciphertext size of model parameters, while the spotted orange
Focusing on the TP-SMC, we also evaluate the impact of thresh- bar indicates the size of subsequent ciphertext, including multiplied
old t, which indicates the minimum number of participants who cipher, and partially decrypted ciphers. We can see that HybridAl-
are required to do partial decryption. As shown in Table 5, only pha provides the lowest transmission rate because it only performs
the final decryption has significant relationship with threshold t. one round of communication on encrypted data without any sub-
For the same number of participants, the cost time of decryption sequent ciphertext transmission. Also, our proposed approach has
increases linearly as the threshold number increase. smaller ciphertext size of initial parameters compared to contrasted
Model Quality, Training Time and Data Transmission . In this approaches.
experiment, we evaluate the performance of HybridAlpha with re-
spect to multiple techniques to perform FL. In particular, we assess 5 SECURITY AND PRIVACY ANALYSIS
the quality of models produced and the total training time. The
We analyze the security and privacy of our proposed framework
contrasted approaches for this experiment include the following
from three different perspectives: security offered by MIFE scheme,
additional baselines: (i) “FL-no-privacy”, where the neural network
privacy guarantees of the framework, and prevention for different
is trained without privacy considerations. This method provides
types of inference attacks.
a baseline for maximum possible performance in terms of model
quality; (ii) “Local DP”, where each participant applies differen-
tial privacy locally according to [24]; (iii) for “TP-SMC”, “P-SMC” 5.1 Security of the Cryptographic Approach
and “HybridAlpha”, we report the results for two cases: adding The security of MIFE is critical to HybridAlpha, since it is the under-
differential privacy to protect privacy of the output and without lying infrastructure of SMC protocol that supports secure aggrega-
adding differential privacy. When no differential privacy is added, tion in HybridAlpha. In our adoption of MIFE, we add a public key
we use “TP-SMC no DP”, “P-SMC no DP” and “HybridAlpha no distribution algorithm run by the TPA as a beneficial supplement
 Table 3: The impact of precision on computation time (s) of three SMC approaches.

TP-SMC ▷ P-SMC HybridAlpha

precision encavg ctfuse decshare,avg deccombine encavg ctfuse dec encavg dec
2 35.120 2.586 61.080 28.465 35.752 2.269 32.042 4.157 30.075
3 35.675 2.604 61.929 28.202 35.725 2.369 31.574 4.158 30.512
4 35.841 2.571 60.832 28.324 35.821 2.387 31.856 4.110 29.865
5 35.767 2.635 60.369 28.816 35.857 2.493 31.625 4.075 30.149
6 35.724 2.578 60.326 28.286 35.985 2.532 31.587 4.095 30.803
▷The threshold parameter of Threshold-Paillier encryption system is set to half the number of
participants.
Table 4: The impact of participant # on computation time (s) of three SMC approaches.

TP-SMC ▷ P-SMC HybridAlpha

participants encavg ctfuse decshare,avg deccombine encavg ctfuse dec encavg dec
6 35.968 1.375 60.555 22.184 35.934 1.332 31.616 4.241 20.246
8 35.375 1.843 60.820 23.980 36.039 1.859 31.611 4.092 25.349
10 35.693 2.358 60.988 28.401 36.847 2.611 32.197 4.077 31.782
12 35.685 2.759 60.947 34.684 36.142 2.959 31.588 4.091 36.884
14 35.688 3.215 60.965 39.838 35.932 3.330 31.503 4.126 42.683
16 35.721 3.694 60.917 46.849 36.533 4.481 32.020 4.059 47.435
18 35.683 4.170 60.879 53.441 36.628 5.368 32.996 4.594 56.519
20 35.697 4.764 60.816 97.224 36.743 5.765 31.923 4.147 59.823
▷ The threshold parameter of TP-SMC is set to half the number of participants.

(a) F1 score of different approaches as epoch increases (b) training time of different approaches as epoch increases
Figure 3: Model quality and time efficiency comparison for multiple FL approaches.

of the original MIFE scheme proposed in [2] to make it applicable of MIFE does not change the security construction in the original
to our FL framework. MIFE scheme in [2]. It is then as secure as proved in [2]. To avoid
Specifically, the additional algorithm is only responsible for dis- redundancy, we do not present the correctness and security proofs
tributing each participant’s respective unique public key pki . Un- to MIFE here, and readers can refer to [2] for more details.
like the original design of encryption algorithms where each par-
ticipant encrypts the data using the master secret key msk, our 5.2 Privacy of FL Framework
encryption algorithm uses pki that is derived from the master Our proposed FL framework can ensure the privacy of the output
keys mpk and msk. However, the core method in the encryption model and the aggregation computation.
algorithm remains intact, and our design has no impact on other al-
gorithms, e.g., SKGenerate, Decrypt. As a consequence, our adoption 5.2.1 Privacy of the Output Model. We provide ϵ-differential pri-
vacy guarantee via existing methods presented in previous works,
Table 5: Impact of threshold t for TP-SMC on computation successful. In particular, suppose that there exits a malicious partic-
′
time (s). ipant Pi with its own public key pk P ′ , collected encrypted data
i
′
threshold† encavg ctfuse decshare,avg deccombine c j = EncpkP (m j ) from Pj , and its own original data set S . Here
j, j,i
′ ′
2 35.577 2.602 60.736 12.700 m j is the corresponding plaintext of c j , and m j and any m ∈ S
4 35.697 2.592 60.420 23.293 belong to a same integer group. The semantic security of the under-
6 35.713 2.625 60.238 34.427 lying MIFE scheme in our SMC protocol ensures that the adversary
′
8 36.054 2.623 60.767 46.462 Pj does not have a non-negligible advantage to infer the original
10 35.880 2.626 60.650 58.293 data m j compared to the random guess. Furthermore, as we assume
† the existence of at least t honest participants where each participant
The total participants number is set to 10 and the does not share the same public key for encryption, the colluding
precision number is set to 6. participants cannot infer/identify private information using the
output of the aggregator with their local models.
Note that based on the threat model defined in §3.1, we do not
consider the DDoS attack on the aggregator where a malicious ag-
gregator or a outside attacker will interrupt the network or replace
a valid update from an honest participant.

6 RELATED WORK
Federated learning was proposed in [25, 28] to jointly learn a global
model without sharing their data. Although this provides a basic
privacy guarantee because privacy-sensitive data is not transmitted,
it still suffers from inference attacks that use the final model or the
Figure 4: Total transmitted ciphertext size of different ap-
model updates exchanged during the FL training to infer private
proaches for one epoch.
information; examples of such attacks include [19, 29, 30, 37].
e.g., [1, 32, 38]. These papers have shown via theoretical analysis To thwart inference attacks, previous work has proposed to add
and experimental results that such a mechanism can achieve target differential privacy during the learning process e.g., [1]. However,
privacy along with acceptable performance for the final trained directly applying such approaches in the FL setting results in poor
model. As a consequence, our proposed framework can also achieve model performance because each party trains its own model. For
the same privacy guarantee for the output model as demonstrated this reason, new approaches tailored to FL have been proposed.
in [32, 38]. Table 1 shows the threat model of existing approaches and the
privacy guarantees they provide. Solutions proposed in [31, 36] rely
5.2.2 Privacy of Computation. We exploit multi-input functional
on trusted aggregators and honest participants. PATE [31] proposes
encryption as the underlying infrastructure for SMC protocol to
a “teacher-student” architecture where teachers train their models
compute the average of the weights of the participants’ local trained
over their local datasets. Subsequently, a fully trusted aggregator is
models. As stated in §5.1, the MIFE scheme is secure so that any
used to build a collective model. All these approaches differ from
plaintext under its protection cannot be compromised by malicious
HybridAlpha in that they rely on a trusted aggregator.
attackers. The MIFE scheme also guarantees that the decryptor, the
A number of approaches propose to use SMC [6, 34, 38]. Among
aggregator in our FL framework, can only acquire the function re-
them, different SMC protocols are used to aggregate the global
sults, i.e., the average weight, but not the original data, i.e., weights
model (see Table 1). PySyft [34] employs the SPDZ protocol [12, 13].
of the participants’ local models.
Truex et al. [38] uses a threshold-based partially additive homomor-
5.2.3 Inference Attack Prevention. Next, we consider inference at- phic encryption [11]. Bonawitz et al. [6] makes use of secret sharing
tacks for two adversaries: (i) a curious aggregator, and (ii) malicious that enables authenticated encryption. These approaches [6, 34, 38]
or colluding participants. also prevent or can be extended to prevent inference attacks on
In §3.2.2, we have shown that a curious aggregator can launch the final model by adding differential privacy. The main advantage
an inference attack targeting a specific participant by manipulating HybridAlpha has over these approaches is the communication effi-
the weighted vector wp and subsequently requesting the function ciency (see Table 1). While existing approaches need more than one
private key. To prevent such inference attacks, we add an addi- round of communication between the aggregator and participants
tional module in TPA to filter requests for weighted vectors that (excluding the key setup phase), HybridAlpha only incurs a single
are maliciously defined to isolate the reply of a single participant. round. Hence HybridAlpha can be used to train machine learning
Algorithm 2 verifies that at least t replies are used for aggregation, models faster as demonstrated in the experimental section.
because there are at least t > (n/2) + 1 non-colluding parties; even Most of the existing federated learning frameworks only work
if the aggregator colludes with dishonest participants he cannot on the scenario of horizontally partitioned data. To tackle the issues
isolate the reply of a target participant. and challenges in the case of vertically partitioned data, several
Even if an adversary manages to collect other participants’ en- methods are proposed in [9, 14, 22], which focus on entity resolution
crypted data for a possible brute-force attack, this attack is not and simple machine learning models, like logistic regression. Such
vertically partitioned data cases beyond the research scope in this [16] Cynthia Dwork, Aaron Roth, et al. 2014. The algorithmic foundations of differ-
paper, and will be deferred to future work. ential privacy. Foundations and Trends® in Theoretical Computer Science 9, 3–4
(2014), 211–407.
[17] Cynthia Dwork, Guy N Rothblum, and Salil Vadhan. 2010. Boosting and differ-
7 CONCLUSION ential privacy. In 2010 IEEE 51st Annual Symposium on Foundations of Computer
Science. IEEE, IEEE, 51–60.
Federated learning promises to address privacy concerns and regu- [18] Alex Escala, Gottfried Herold, Eike Kiltz, Carla Rafols, and Jorge Villar. 2017. An
latory compliance such as for GDPR [39] and HIPAA [3]. However, algebraic framework for Diffie–Hellman assumptions. Journal of Cryptology 30,
1 (2017), 242–288.
extant approaches addressing privacy concerns in federated learn- [19] Matt Fredrikson, Somesh Jha, and Thomas Ristenpart. 2015. Model inversion
ing provide strong privacy guarantees and good model performance attacks that exploit confidence information and basic countermeasures. In Pro-
ceedings of the 22nd ACM SIGSAC Conference on Computer and Communications
at the cost of higher training time and high network transmission. Security. ACM, ACM, 1322–1333.
We propose HybridAlpha, a novel federated learning framework [20] Shafi Goldwasser, S Dov Gordon, Vipul Goyal, Abhishek Jain, Jonathan Katz,
to address these issues. Our theoretical and experimental analysis Feng-Hao Liu, Amit Sahai, Elaine Shi, and Hong-Sheng Zhou. 2014. Multi-input
functional encryption. In Annual International Conference on the Theory and
shows that, compared to existing techniques, on average, HybridAl- Applications of Cryptographic Techniques. Springer, Springer, 578–602.
pha can reduce the training time by 68% and data transfer volume [21] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. 2006. Attribute-
by 92% without sacrificing privacy guarantees or model perfor- based encryption for fine-grained access control of encrypted data. In Proceedings
of the 13th ACM conference on Computer and communications security. Acm,
mance. Using HybridAlpha, federated learning with strong privacy 89–98.
guarantees can be applied to use cases sensitive to training time [22] Stephen Hardy, Wilko Henecka, Hamish Ivey-Law, Richard Nock, Giorgio Patrini,
Guillaume Smith, and Brian Thorne. 2017. Private federated learning on vertically
and communication overhead, in particular for models with a large partitioned data via entity resolution and additively homomorphic encryption.
number of parameters. arXiv preprint arXiv:1711.10677 (2017).
[23] Michael I Jordan and Tom M Mitchell. 2015. Machine learning: Trends, perspec-
tives, and prospects. Science 349, 6245 (2015), 255–260.
REFERENCES [24] Peter Kairouz, Sewoong Oh, and Pramod Viswanath. 2014. Extremal mechanisms
[1] Martin Abadi, Andy Chu, Ian Goodfellow, H Brendan McMahan, Ilya Mironov, for local differential privacy. In Advances in neural information processing systems.
Kunal Talwar, and Li Zhang. 2016. Deep learning with differential privacy. In 2879–2887.
Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications [25] Jakub Konečnỳ, H Brendan McMahan, Felix X Yu, Peter Richtárik,
Security. ACM, ACM, Vienna, Austria, 308–318. Ananda Theertha Suresh, and Dave Bacon. 2016. Federated learning: Strategies
[2] Michel Abdalla, Dario Catalano, Dario Fiore, Romain Gay, and Bogdan Ursu. for improving communication efficiency. arXiv preprint arXiv:1610.05492 (2016).
2018. Multi-input functional encryption for inner products: function-hiding real- [26] Yann LeCun, Yoshua Bengio, and Geoffrey Hinton. 2015. Deep learning. nature
izations and constructions without pairings. In Annual International Cryptology 521, 7553 (2015), 436.
Conference. Springer, Springer, 597–627. [27] Yann LeCun, Corinna Cortes, and Burges Christopher J.C. 2010. MNIST hand-
[3] Accountability Act. 1996. Health insurance portability and accountability act of written digit database. (2010). http://yann.lecun.com/exdb/mnist/
1996. Public law 104 (1996), 191. [28] H Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, et al. 2016.
[4] Joseph A. Akinyele, Christina Garman, Ian Miers, Matthew W. Pagano, Michael Communication-efficient learning of deep networks from decentralized data.
Rushanan, Matthew Green, and Aviel D. Rubin. 2013. Charm: a framework for arXiv preprint arXiv:1602.05629 (2016).
rapidly prototyping cryptosystems. Journal of Cryptographic Engineering 3, 2 [29] Milad Nasr, Reza Shokri, and Amir Houmansadr. 2018. Machine learning with
(2013), 111–128. https://doi.org/10.1007/s13389-013-0057-3 membership privacy using adversarial regularization. In Proceedings of the 2018
[5] Peter Bogetoft, Dan Lund Christensen, Ivan Damgård, Martin Geisler, Thomas ACM SIGSAC Conference on Computer and Communications Security. ACM, ACM,
Jakobsen, Mikkel Krøigaard, Janus Dam Nielsen, Jesper Buus Nielsen, Kurt 634–646.
Nielsen, Jakob Pagter, et al. 2009. Secure multiparty computation goes live. In [30] Milad Nasr, Reza Shokri, and Amir Houmansadr. 2019. Comprehensive Privacy
International Conference on Financial Cryptography and Data Security. Springer, Analysis of Deep Learning: Stand-alone and Federated Learning under Passive
325–343. and Active White-box Inference Attacks. In 2019 IEEE Symposium on Security
[6] Keith Bonawitz, Vladimir Ivanov, Ben Kreuter, Antonio Marcedone, H Brendan and Privacy (SP). IEEE, ACM.
McMahan, Sarvar Patel, Daniel Ramage, Aaron Segal, and Karn Seth. 2017. Prac- [31] Nicolas Papernot, Shuang Song, Ilya Mironov, Ananth Raghunathan, Kunal Tal-
tical secure aggregation for privacy-preserving machine learning. In Proceedings war, and Úlfar Erlingsson. 2018. Scalable private learning with PATE, In Proceed-
of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ings of the 2018 Sixth International Conference on Learning Representations.
ACM, ACM, 1175–1191. arXiv preprint arXiv:1802.08908.
[7] Dan Boneh and Matt Franklin. 2001. Identity-based encryption from the Weil [32] Martin Pettai and Peeter Laud. 2015. Combining differential privacy and secure
pairing. In Annual international cryptology conference. Springer, 213–229. multiparty computation. In Proceedings of the 31st Annual Computer Security
[8] Dan Boneh, Amit Sahai, and Brent Waters. 2011. Functional encryption: Defini- Applications Conference. ACM, ACM, 421–430.
tions and challenges. In Theory of Cryptography Conference. Springer, Springer, [33] Zhan Qin, Yin Yang, Ting Yu, Issa Khalil, Xiaokui Xiao, and Kui Ren. 2016.
253–273. Heavy hitter estimation over set-valued data with local differential privacy. In
[9] Kewei Cheng, Tao Fan, Yilun Jin, Yang Liu, Tianjian Chen, and Qiang Yang. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications
2019. SecureBoost: A Lossless Federated Learning Framework. arXiv preprint Security. ACM, 192–203.
arXiv:1901.08755 (2019). [34] Theo Ryffel, Andrew Trask, Morten Dahl, Bobby Wagner, Jason Mancuso, Daniel
[10] Ronald Cramer, Ivan Bjerre Damgård, and Jesper Buus Nielsen. 2015. Secure Rueckert, and Jonathan Passerat-Palmbach. 2018. A generic framework for
multiparty computation. Cambridge University Press. privacy preserving deep learning. In Proceedings of Privacy Preserving Machine
[11] Ivan Damgård and Mads Jurik. 2001. A generalisation, a simpli. cation and Learning Workshop with NeurIPS 2018.
some applications of paillier’s probabilistic public-key system. In International [35] Daniel Shanks. 1971. Class number, a theory of factorization, and genera. In Proc.
Workshop on Public Key Cryptography. Springer, Springer, 119–136. of Symp. Math. Soc., 1971, Vol. 20. 41–440.
[12] Ivan Damgård, Marcel Keller, Enrique Larraia, Valerio Pastro, Peter Scholl, and [36] Reza Shokri and Vitaly Shmatikov. 2015. Privacy-preserving deep learning. In
Nigel P Smart. 2013. Practical covertly secure MPC for dishonest majority– Proceedings of the 22nd ACM SIGSAC conference on computer and communications
or: breaking the SPDZ limits. In European Symposium on Research in Computer security. ACM, ACM, 1310–1321.
Security. Springer, 1–18. [37] Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Mem-
[13] Ivan Damgård, Valerio Pastro, Nigel Smart, and Sarah Zakarias. 2012. Multiparty bership inference attacks against machine learning models. In 2017 IEEE Sympo-
computation from somewhat homomorphic encryption. In Annual Cryptology sium on Security and Privacy (SP). IEEE, 3–18.
Conference. Springer, 643–662. [38] Stacey Truex, Nathalie Baracaldo, Ali Anwar, Thomas Steinke, Heiko Ludwig, and
[14] Mentari Djatmiko, Stephen Hardy, Wilko Henecka, Hamish Ivey-Law, Maximilian Rui Zhang. 2018. A Hybrid Approach to Privacy-Preserving Federated Learning.
Ott, Giorgio Patrini, Guillaume Smith, Brian Thorne, and Dongyao Wu. 2017. arXiv preprint arXiv:1812.03224 (2018).
Privacy-preserving entity resolution and logistic regression on encrypted data. [39] Paul Voigt and Axel von dem Bussche. 2017. The EU General Data Protection
Private and Secure Machine Learning (PSML) (2017). Regulation (GDPR): A Practical Guide (1st ed.). Springer Publishing Company,
[15] Cynthia Dwork and Jing Lei. 2009. Differential privacy and robust statistics.. In Incorporated.
STOC, Vol. 9. ACM, 371–380.