Skip to main content

4 docs tagged with "federated learning"

View all tags

Secure aggregation: let the server see only "the sum of everyone's updates," never any single update

In one sentence use secure multiparty computation so the server can compute only "the sum of all clients' updates," never any single update — the single point is hidden, and inversion loses what it stands on. It's communication-efficient and robust to client dropout, and is already used in Google's production FL (Bonawitz et al., MLSys 2019 secure aggregation downgrades "the server is trusted" to "the server only sees the aggregate sum"; but it's not a cure-all — it defends against "seeing a single update," not "the aggregate sum itself leaking" or "parties colluding," so still pair it with DP.

Split learning leakage: splitting the model in two so "raw data stays local" doesn't stop the server reconstructing your inputs from intermediate activations

In one sentence this is not private. The Feature-Space Hijacking Attack (Pasquini et al., CCS 2021) shows a malicious server can actively steer the split model into an insecure state and reconstruct the client's private training inputs from the intermediate activations (reconstructing images on MNIST / Omniglot / CelebA); UnSplit (Erdoğan et al., WPES @ CCS 2022) shows that even an honest-but-curious server — knowing only the client architecture, with no active interference — can invert (reconstruction MSE ≈ 0.08–0.15 on MNIST / Fashion-MNIST / CIFAR-10). Don't read "didn't send raw pixels" as privacy.