Federated learning in the shuffle model of differential privacy : a communication-efficient and maliciously secure realization

Abstract

Federated learning (FL) is a compelling privacy-friendly paradigm that allows multiple clients to jointly train a model by sharing only gradient updates instead of their local datasets. Since gradient updates may still expose sensitive information, a line of research has explored the use of local differential privacy (LDP) mechanisms to formally safeguard these updates. Under LDP, each client perturbs its gradients locally prior to sharing. However, LDP often leads to a significant degradation in model utility due to the addition of large noises. To enable a better balance between privacy and utility, an increasing trend is to leverage the shuffle model of differential privacy (DP) in FL, which introduces an intermediate shuffling operation on the perturbed gradients, enabling privacy amplification. Following this trend, we present Camel, a communication-efficient and maliciously secure FL framework operating under the shuffle model of DP. A key difference of Camel from existing works is its new support for integrity checks on the shuffle computation, providing security against a malicious adversary. To achieve this, Camel builds on a trending cryptographic technique called secret-shared shuffle, and augments it by our custom methods for system-wide communication optimization and lightweight server-side integrity verification. Furthermore, we provide a formal analysis of privacy loss by employing Rényi differential privacy (RDP) for the entire FL process, which allows a tighter privacy bound. Our comprehensive experimental results show that Camel outperforms current state-of-the-art approaches in achieving better privacy-utility trade-offs, while maintaining promising performance.