Although federated learning avoids exposing raw user data during training, numerous studies have shown that it remains vulnerable to security threats, and its wide distribution, large user base, and uncontrolled local data make those risks greater. An attacker can mount inference attacks that recover users' information from the gradients of local models, and malicious participants can mount poisoning attacks by tampering with their local data or model updates. Identifying poisoning attacks while preserving user privacy remains a major challenge, particularly when Byzantine clients make up 50% or more of the participants, which makes defense strategies harder to design. To address these challenges, we propose TCFL, a robust federated learning aggregation scheme based on two-trapdoor homomorphic encryption. TCFL preserves the privacy of updates, prevents key leakage, and identifies malicious gradients in encrypted form using a maximum clique filtering mechanism based on Euclidean distance. We provide convergence and security analyses of the scheme and run extensive experiments on three benchmark image-classification datasets under multiple data and model poisoning attacks, with attacker ratios ranging from 0% to 90%. Under the evaluated settings, TCFL maintains higher test accuracy and robustness than existing aggregation rules while keeping computational overhead acceptable.
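As an added illustration (not code from the TCFL paper), the following Python sketches the filtering step in the clear: client updates are treated as vertices, two vertices are joined when the Euclidean distance between their updates is at most a threshold, and only the updates in the maximum clique of that graph are averaged. The updates, the fixed distance threshold and the plaintext setting are all assumptions made here; TCFL evaluates the distances over two-trapdoor-encrypted updates, which is not reproduced.

```python
"""Constructed example: Euclidean-distance maximum-clique filtering on
plaintext updates.  Not the TCFL code; the paper performs this step
over encrypted gradients, which this sketch does not attempt."""
from itertools import combinations
from math import sqrt

# Constructed sample updates (2-dimensional for readability).
# Indices 0-3 are honest clients clustered near (1, 1); indices 4-6 are
# malicious updates that are far from the honest cluster and from one
# another (scaled / sign-flipped vectors).
HONEST = [[1.0, 1.0], [1.1, 0.9], [0.9, 1.1], [1.05, 1.0]]
MALICIOUS = [[5.0, -5.0], [-6.0, 2.0], [8.0, 8.0]]
UPDATES = HONEST + MALICIOUS

# Five colluding attackers that submit an identical update; with four
# honest clients this is a >50% Byzantine round.
COLLUDERS = [[-3.0, -3.0]] * 5

# Assumed threshold: the paper does not give the rule used to pick it.
THRESHOLD = 0.5


def euclid(a, b):
    """Euclidean distance between two update vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_graph(updates, threshold):
    """Adjacency sets: i ~ j when the two updates are within threshold."""
    adj = {i: set() for i in range(len(updates))}
    for i, j in combinations(range(len(updates)), 2):
        if euclid(updates[i], updates[j]) <= threshold:
            adj[i].add(j)
            adj[j].add(i)
    return adj


def max_clique(adj):
    """Maximum clique via Bron-Kerbosch (fine for tens of clients)."""
    best = set()

    def expand(r, p, x):
        nonlocal best
        if not p and not x:
            if len(r) > len(best):
                best = set(r)
            return
        for v in list(p):
            expand(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}
            x = x | {v}

    expand(set(), set(adj), set())
    return sorted(best)


def clique_filter_aggregate(updates, threshold):
    """Return (kept client indices, mean of the kept updates)."""
    keep = max_clique(build_graph(updates, threshold))
    dim = len(updates[0])
    agg = [sum(updates[i][d] for i in keep) / len(keep) for d in range(dim)]
    return keep, agg


if __name__ == "__main__":
    print(clique_filter_aggregate(UPDATES, THRESHOLD))
    print(clique_filter_aggregate(HONEST + COLLUDERS, THRESHOLD))
```

With the first input the clique is exactly the four honest clients and the three isolated outliers are discarded. The second input shows the caveat a practitioner should check: under this simplified rule the largest mutually consistent group wins, so five colluders sending identical vectors outvote four honest clients and the aggregate is the attackers' vector. Whether a clique-based filter survives a Byzantine majority therefore depends on the threshold rule and on how coordinated the attackers are, which is exactly what the paper's experiments at high attacker ratios are meant to probe.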
Shen et al. studied this question.