Practical Secure Aggregation for Federated Learning on User-Held Data

Introduction

Secure Aggregation is a class of Secure Multi-Party Computation algorithms wherein a group of mutually distrustful parties $u\in{\cal U}$ each hold a private value $x_{u}$ and collaborate to compute an aggregate value, such as the sum $\sum_{u\in{\cal U}}x_{u}$, without revealing to one another any information about their private value except what is learnable from the aggregate value itself. In this work, we consider training a deep neural network in the Federated Learning model, using distributed gradient descent across user-held training data on mobile devices, using Secure Aggregation to protect the privacy of each user’s model gradient. We identify a combination of efficiency and robustness requirements which, to the best of our knowledge, are unmet by existing algorithms in the literature. We proceed to design a novel, communication-efficient Secure Aggregation protocol for high-dimensional data that tolerates up to $\nicefrac{{1}}{{3}}$ of users failing to complete the protocol. For 16-bit input values, our protocol offers $1.73\times$ communication expansion for $2^{10}$ users and $2^{20}$-dimensional vectors, and $1.98\times$ expansion for $2^{14}$ users and $2^{24}$-dimensional vectors.

Secure Aggregation for Federated Learning

Consider training a deep neural network to predict the next word that a user will type as she composes a text message to improve typing accuracy for a phone’s on-screen keyboard . A modeler may wish to train such a model on all text messages across a large population of users. However, text messages frequently contain sensitive information; users may be reluctant to upload a copy of them to the modeler’s servers. Instead, we consider training such a model in a Federated Learning setting, wherein each user maintains a private database of her text messages securely on her own mobile device, and a shared global model is trained under the coordination of a central server based upon highly processed, minimally scoped, ephemeral updates from users .

In the Federated Learning setting, each user ${u}\in{\cal U}$ holds a private set $D_{u}$ of training examples with $D=\bigcup_{{u}\in{\cal U}}D_{u}$. To run stochastic gradient descent, for each update we select data from a random subset ${\cal U}^{\prime}\subset{\cal U}$ and form a (virtual) minibatch $B=\bigcup_{{u}\in{\cal U}^{\prime}}D_{u}$ (in practice we might have say $|{\cal U}^{\prime}|=10^{4}$ while $|{\cal U}|=10^{7}$; we might only consider a subset of each user’s local dataset). The minibatch loss gradient $\nabla{\cal L}_{f}(B,\Theta)$ can be rewritten as a weighted average across users: $\nabla{\cal L}_{f}(B,\Theta)=\frac{1}{|B|}\sum_{{u}\in{\cal U}^{\prime}}\delta_{u}^{t}$ where $\delta_{u}^{t}=|D_{u}|\nabla{\cal L}_{f}(D_{u},\Theta^{t})$. A user can thus share just $\langle|D_{u}|,\delta_{u}^{t}\rangle$ with the server, from which a gradient descent step $\Theta^{t+1}\leftarrow\Theta^{t}-\eta\frac{\sum_{{u}\in{\cal U}^{\prime}}\delta_{u}^{t}}{\sum_{{u}\in{\cal U}^{\prime}}|D_{u}|}$ may be taken.

Although each update $\langle|D_{u}|,\delta_{u}^{t}\rangle$ is ephemeral and contains less information then the raw $D_{u}$, a user might still wonder what information remains. There is evidence that a trained neural network’s parameters sometimes allow reconstruction of training examples ; might the parameter updates be subject to similar attacks? For example, if the input $x$ is a one-hot vocabulary-length vector encoding the most recently typed word, common neural network architectures will contain at least one parameter $\theta_{w}$ in $\Theta$ for each word $w$ such that $\frac{\partial{\cal L}_{f}}{\partial\theta_{w}}$ is non-zero only when $x$ encodes $w$. Thus, the set of recently typed words in $D_{u}$ would be revealed by inspecting the non-zero entries of $\delta_{u}^{t}$. The server does not need to inspect any individual user’s update, however; it requires only the sums $\sum_{{u}\in{\cal U}}|D_{u}|$ and $\sum_{{u}\in{\cal U}}\delta_{u}^{t}$. Using a Secure Aggregation protocol would ensure that the server learns only that one or more users in ${\cal U}$ wrote the word $w$, but not which users.

Federated Learning systems face several practical challenges. Mobile devices have only sporadic access to power and network connectivity, so the set ${\cal U}$ participating in each update step is unpredictable and the system must be robust to users dropping out. Because $\Theta$ may contain millions of parameters, updates $\delta_{u}^{t}$ may be large, representing a direct cost to users on metered network plans. Mobile devices also generally cannot establish direct communications channels with other mobile devices (relying on a server or service provider to mediate such communication) nor can they natively authenticate other mobile devices. Thus, Federated Learning motivates a need for a Secure Aggregation protocol that: (1) operates on high-dimensional vectors, (2) is communication efficient, even with a novel set of users on each instantiation, (3) is robust to users dropping out, and (4) provides the strongest possible security under the constraints of a server-mediated, unauthenticated network model.

A Practical Secure Aggregation Protocol

The server is honest-but-curious, that is it follows the protocol honestly, but tries to learn as much as possible from messages it receives from users.

The server can lie to users about which other users have dropped out, including reporting dropouts inconsistently among different users.

The server can lie about who dropped out (as in T2) and also access the private memory of some limited number of users (who are following the protocol honestly themselves). (In this, the privacy requirement applies only to the inputs of the remaining users.)

We develop our protocol in a series of refinements. We begin by assuming that all parties complete the protocol and possess pair-wise secure communication channels with ample bandwidth. Each pair of users first agree on a matched pair of input perturbations. That is, user ${u}$ samples a vector $s_{{u},{v}}$ uniformly from $[0,R)^{k}$ for each other user ${v}$. Users ${u}$ and ${v}$ exchange $s_{{u},{v}}$ and $s_{{v},{u}}$ over their secure channel and compute perturbations $p_{{u},{v}}=s_{{u},{v}}-s_{{v},{u}}\pmod{R}$, noting that $p_{{u},{v}}=-p_{{v},{u}}\pmod{R}$ and taking $p_{{u},{v}}=0$ when ${u}={v}$. Each user sends to the server: $y_{{u}}=x_{{u}}+\sum_{{v}\in{\cal U}}p_{{u},{v}}\pmod{R}$. The server simply sums the perturbed values: $\bar{x}=\sum_{{u}\in{\cal U}}y_{{u}}\pmod{R}$. Correctness is guaranteed because the paired perturbations in $y_{{u}}$ cancel:

Protocol 0 guarantees perfect privacy for the users; because the $s_{{u},{v}}$ factors that users add are uniformly sampled, the $y_{u}$ values appear uniformly random to the server, subject to the constraint that $\bar{x}=\sum_{{u}\in{\cal U}}y_{{u}}\pmod{R}$. In fact, even if the server can access the memory of some users, privacy holds for those remaining. A more complete and formal argument is deferred to the full version of this paper.

Protocol 1: Dropped User Recovery using Secret Sharing

Unfortunately, Protocol 0 fails several of our design criteria, including robustness: if any user ${u}$ fails to complete the protocol by sending her $y_{{u}}$ to the server, the resulting sum will be masked by the perturbations that $y_{u}$ would have cancelled. To achieve robustness, we first add an initial round to the protocol in which user ${u}$ generates a public/private keypair, and broadcasts the public key over the pairwise channels. All future messages from ${u}$ to ${v}$ will be intermediated by the server but encrypted with ${v}$’s public key, and signed by ${u}$, simulating a secure authenticated channel. This allows the server to maintain a consistent view of which users have successfully passed each round of the protocol. (We assume here, temporarily, that the server faithfully delivers all messages between users.)

We also add a secret-sharing round between users after $s_{{u},{v}}$ values have been selected. In this round, each user computes $n$ shares of each perturbation $p_{{u},{v}}$ using a $(t,n)$-threshold scheme A $(t,n)$ secret-sharing scheme allows splitting a secret into $n$ shares, such that any subset of $t$ shares is sufficient to recover the secret, but given any subset of fewer than $t$ shares the secret remains completely hidden., such as Shamir’s Secret Sharing , for some $t>\frac{n}{2}$. For each secret user ${u}$ holds, she encrypts one share with each user ${v}$’s public key, then delivers all of these shares to the server. The server gathers shares from a subset of the users ${\cal U}_{1}\subseteq{\cal U}$ of size at least $t$ (e.g. by waiting a for a fixed period), then considers all other users dropped. The server delivers to each user ${v}\in{\cal U}_{1}$ the secret shares that were encrypted for that user; all the users in ${\cal U}_{1}$ now infer a consistent view of the surviving user set ${\cal U}_{1}$ from the set of received shares. When a user computes $y_{{u}}$, she only includes those perturbations related to surviving users; that is, $y_{{u}}=x_{{u}}+\sum_{{v}\in{\cal U}_{1}}p_{{u},{v}}\pmod{R}$.

After the server has received $y_{{u}}$ from at least $t$ users ${\cal U}_{2}\subseteq{\cal U}_{1}$, it proceeds to a new unmasking round, considering all other users to be dropped. From the remaining users in ${\cal U}_{2}$, the server requests all shares of secrets generated by the dropped users in ${\cal U}_{1}\setminus{\cal U}_{2}$. As long as $|{\cal U}_{2}|>t$, each user will respond with those shares. Once the server receives shares from at least $t$ users, it reconstructs the perturbations for ${\cal U}_{1}\setminus{\cal U}_{2}$ and computes the aggregate value: $\bar{x}=\sum_{{u}\in{\cal U}_{2}}y_{{u}}-\sum_{{u}\in{\cal U}_{2}}\sum_{{v}\in{\cal U}_{1}\setminus{\cal U}_{2}}p_{{u},{v}}\pmod{R}$. Correctness is guaranteed for $\bar{{\cal U}}={\cal U}_{2}$ as long as at least $t$ users complete the protocol. In this case, the sum $\bar{x}$ includes the values of at least $t>\frac{n}{2}$ users, and all perturbations cancel out:

However, security has been lost: if a server incorrectly omits ${u}$ from ${\cal U}_{2}$, either inadvertently (e.g. $y_{{u}}$ arrives slightly too late) or by malicious intent, the honest users in ${\cal U}_{2}$ will supply the server with all the secret shares needed to remove all the perturbations that masked $x_{{u}}$ in $y_{{u}}$. This means we cannot guarantee security even against honest-but-curious servers (Threat Model T1).

Protocol 2: Double-Masking to Thwart a Malicious Server

To guarantee security, we introduce a double-masking structure that protects $x_{{u}}$ even when the server can reconstruct ${u}$’s perturbations. First, each user ${u}$ samples an additional random value $b_{{u}}$ uniformly from $[0,R)^{k}$ during the same round as the generation of the $s_{{u},{v}}$ values. During the secret sharing round, the user also generates and distributes shares of $b_{{u}}$ to each of the other users. When generating $y_{{u}}$, users also add this secondary mask: $y_{{u}}=x_{{u}}+b_{{u}}+\sum_{{v}\in{\cal U}_{1}}p_{{u},{v}}\pmod{R}$. During the unmasking round, the server must make an explicit choice with respect to each user ${u}\in{\cal U}_{1}$: from each surviving member ${v}\in{\cal U}_{2}$, the server can request either a share of the $p_{{u},{v}}$ perturbations associated with ${u}$ or a share of the $b_{{u}}$ for ${u}$; an honest user ${v}$ will only respond if $|{\cal U}_{2}|>t$, and will never reveal both kinds of shares for the same user. After gathering at least $t$ shares of $p_{{u},{v}}$ for all ${u}\in{\cal U}_{1}\setminus{\cal U}_{2}$ and $t$ shares of $b_{u}$ for all ${u}\in{\cal U}_{2}$, the server reconstructs the secrets and computes the aggregate value: $\bar{x}=\sum_{{u}\in{\cal U}_{2}}y_{{u}}-\sum_{{u}\in{\cal U}_{2}}b_{{u}}-\sum_{{u}\in{\cal U}_{2}}\sum_{{v}\in{\cal U}_{1}\setminus{\cal U}_{2}}p_{{u},{v}}\pmod{R}$.

We can now guarantee security in Threat Model T1 for $t>\frac{n}{2}$, since $x_{u}$ always remains masked by either $p_{{u},{v}}$s or by $b_{u}$s. It can be shown that in Threat Models T2 and T3 the thresholds must be raised to $\frac{2n}{3}$ and $\frac{4n}{5}$ correspondingly. We defer the detailed analysis, as well as the case of arbitrarily malicious and colluding servers and users, to the full versionThe security argument involves bounding the number of shares the server can recover by forging dropouts..

Protocol 3: Exchanging Secrets Efficiently

While Protocol 2 is robust and secure with the right choice of $t$, it requires $O(kn^{2})$ communication, which we address in this refinement of the protocol. Observe that a single secret value may be expanded to a vector of pseudorandom values by using it to seed a cryptographically secure pseudorandom generator (PRG) . Thus we can generate just scalar seeds $s_{{u},{v}}$ and $b_{u}$ and expand them to $k$-element vectors. Still, each user has $(n-1)$ secrets $s_{{u},{v}}$ with other users and must publish shares of all these secrets. We use key agreement to establish these secrets more efficiently. Each user generates a Diffie-Hellman secret key $s^{SK}$ and public key $s^{PK}$. Users send their public keys to the server (authenticated as per Protocol 1); the server then broadcasts all public keys to all users, retaining a copy for itself. Each pair of users ${u},{v}$ can now agree on a secret $s_{{u},{v}}=s_{{v},{u}}=\operatorname{\textsc{Agree}}(s^{SK}_{u},s^{PK}_{v})=\operatorname{\textsc{Agree}}(s^{SK}_{v},s^{PK}_{u})$. To construct perturbations, we assume a total ordering on ${\cal U}$ and take $p_{{u},{v}}=\operatorname{\textsc{PRG}}(s_{{u},{v}})$ for ${u}<{v}$, $p_{{u},{v}}=-\operatorname{\textsc{PRG}}(s_{{u},{v}})$ for ${u}>{v}$, and $p_{{u},{v}}=0$ for ${u}={v}$ (as before). The server now only needs to learn $s^{SK}_{u}$ to reconstruct all of ${u}$’s perturbations; therefore ${u}$ need only distribute shares of $s^{SK}_{u}$ and $b_{u}$ during the secret sharing round. The security of Protocol 3 can be shown to be essentially identical to that of Protocol 2 in each of the different threat models.

Protocol 4: Minimizing Trust in Practice

Protocol 3 is not practically deployable for mobile devices because they lack pairwise secure communication and authentication. We propose to bootstrap the communication protocol by replacing the exchange of public/private keys described in Protocol 1 with a server-mediated key agreement, where each user generates a Diffie-Hellman secret key $c^{SK}$ and public key $c^{PK}$ and advertises the latter together with $s^{PK}$This can be viewed as bootstrapping a SSL/TLS connection between each pair of users. We note immediately that the server may now conduct man-in-the-middle attacks, but argue that this is tolerable for several reasons. First, it is essentially inevitable for users that lack authentication mechanisms or a pre-existing public-key infrastructure. Relying only on the non-maliciousness of the bootstrapping round also constitutes minimization of trust: the code implementing this stage is small and could be publicly audited, outsourced to a trusted third party, or implemented via a trusted compute platform offering a remote attestation capability . Moreover, the protocol meaningfully increases security (by protecting against anything less than an actively malicious attack by the server) and provides forward secrecy (compromising the server at any time after the key exchange provides no benefit to the attacker, even if all data and communications had been fully logged).

We summarize the protocol’s performance in Table 3. Taking that key agreement public keys and encrypted secret shares are 256 bits and that users’ inputs are all on the same rangeTaking $R=n(R_{U}-1)+1$ to ensure no overflow $[0,R_{U}-1]$, each user transfers $\frac{256(7n-4)+k\left\lceil\log_{2}\left(n(R_{U}-1)+1\right)\right\rceil+n}{k\left\lceil\log_{2}R_{U}\right\rceil}$ more data than if she sent a raw vector.

Related work

The restricted case of secure aggregation in which all users but one have an input 0 can be expressed as a dining cryptographers network (DC-net), which provide anonymity by using pairwise blinding of inputs , allowing to untraceably learn each user’s input. Recent research has examined the communication efficiencly and operation in the presence of malicious users . However, if even one user aborts too early, existing protocols must restart from scratch, which can be very expensive . Pairwise blinding in a modulo addition-based encryption scheme has been explored, but existing schemes are neither efficient for vectors nor robust to even single failure . Other schemes (e.g. based on Paillier cryptosystem ) are very computationally expensive.

References