PILE: Robust Privacy-Preserving Federated Learning via Verifiable Perturbations

Federated learning (FL) protects training data in clients by collaboratively training local machine learning models of clients for a global model, instead of directly feeding the training data to the server. However, existing studies show that FL is vulnerable to various attacks, resulting in training data leakage or interfering with the model training. Specifically, an adversary can analyze local gradients and the global model to infer clients’ data, and poison local gradients to generate an inaccurate global model. It is extremely challenging to guarantee strong privacy protection of training data while ensuring the robustness of model training. None of the existing studies can achieve the goal. In this paper, we propose a robust privacy-preserving federated learning framework (PILE), which protects the privacy of local gradients and global models, while ensuring their correctness by gradient verification where the server verifies the computation process of local gradients. In PILE, we develop a verifiable perturbation scheme that makes confidential local gradients verifiable for gradient verification. In particular, we build two building blocks of zero-knowledge proofs for the gradient verification without revealing both local gradients and global models. We perform rigorous theoretical analysis that proves the security of PILE and evaluate PILE on both passive and active membership inference attacks. The experiment results show that the attack accuracy under PILE is between $[50.3\%,50.9\%]$[50.3%,50.9%], which is close to the random guesses. Particularly, compared to prior defenses that incur the accuracy losses ranging from 2% to 13%, the accuracy loss of PILE is negligible, i.e., only $\pm 0.3\%$±0.3% accuracy loss.