Article

Securing Federated Learning: Approaches, Mechanisms and Opportunities

1. Département de Mathématiques, Informatique et Génie, Université du Québec à Rimouski, 300 Allée des Ursulines, Rimouski, QC G5L 3A1, Canada
2. Département d’Informatique et de Mathématique, Université du Québec à Chicoutimi, 555 Boulevard de l’Université, Chicoutimi, QC G7H 2B1, Canada
3. Institut Technologique de Maintenance Industrielle, 175 Rue de la Vérendrye, Sept-Îles, QC G4R 5B7, Canada
4. Faculty of Arts & Sciences, Islamic University of Lebanon, Wardaniyeh P.O. Box 30014, Lebanon
* Author to whom correspondence should be addressed.
Electronics 2024, 13(18), 3675; https://doi.org/10.3390/electronics13183675
Submission received: 22 August 2024 / Revised: 13 September 2024 / Accepted: 14 September 2024 / Published: 16 September 2024
(This article belongs to the Special Issue Research in Secure IoT-Edge-Cloud Computing Continuum)

Abstract
With the ability to analyze data, artificial intelligence technology and its offshoots have made difficult tasks easier. The tools of these technologies are now used in almost every aspect of life. For example, Machine Learning (ML), an offshoot of artificial intelligence, has become the focus of interest for researchers in industry, education, healthcare and other disciplines and has proven to be as efficient as, and in some cases better than, experts in answering various problems. However, the obstacles to ML’s progress are still being explored, and Federated Learning (FL) has been presented as a solution to the problems of privacy and confidentiality. In the FL approach, users do not disclose their data throughout the learning process, which improves privacy and security. In this article, we look at the security and privacy concepts of FL and the threats and attacks it faces. We also address the security measures used in FL aggregation procedures. In addition, we examine and discuss the use of homomorphic encryption to protect FL data exchange, as well as other security strategies. Finally, we discuss security and privacy concepts in FL and what additional improvements could be made in this context to increase the efficiency of FL algorithms.

1. Introduction

Machine Learning (ML), considered an offshoot of Artificial Intelligence (AI), allows computers to “self-learn” from training data. This allows them to gain information over time without having to be explicitly programmed. ML algorithms are capable of developing their own prediction abilities by recognizing patterns in data and learning from them. Therefore, ML algorithms and models build their knowledge through experience. Later reviews show the various domains in which ML has demonstrated its efficiency and usability, such as healthcare [1,2,3], smart cities [4,5], industry [6], Internet of Things (IoT) [7,8], e-commerce [7,8], Natural Language Processing (NLP) [9] and others [10,11,12]. However, to advance machine learning, there are still plenty of hurdles that must be resolved, many of which are described and discussed in detail in the literature [13,14]. These difficulties can be divided into several groups, including:
  • Data-related challenges [15,16] encompassing problems at the level of data collection stage, including:
    Data availability and right to access: the issue of whether the needed data exist and are reachable;
    Data locality (data islands): the fact that data reside in non-related entities;
    Data readiness: the fact that data may be available and accessible but require pre-treatment such as noise removal and handling heterogeneity;
    Data volume: data volume causes different challenges such as the ‘curse of dimensionality’;
    Feature representation and selection: knowing what are the best features to be selected for a problem.
  • Model-related challenges [17,18,19]: challenges faced at the level of ML model building, including:
    Accuracy and performance: the need to enhance the accuracy of ML models, especially for critical problems such as health, for example;
    Model evaluation: defining the best way to evaluate the model in the context of the problem being studied;
    Variance and bias: directly affects the trust of these models and therefore their usability;
    Explainability: the ability to interpret how a machine learning model builds its prediction/results;
    Model selection: deciding which model fits the best for the case being studied.
  • Implementation-related challenges [17,18,19]: such challenges are faced at the level of implementing ML models in real-life applications, including:
    Real-time processing: the ability to perform in a real-time environment;
    Execution time and complexity: usually, ML models are highly demanding in terms of computation power and time.
  • General challenges [15,18,20]: other issues such as:
    Data privacy and confidentiality: data collection may be restricted with different laws and regulations;
    User technology adoption and engagement: affected by different challenges such as performance, privacy and others;
    Ethical constraints: especially when humans are the subjects being studied by those ML models.
The challenges of ML have been intensively studied. Since the workflow of ML usually includes data management, model training, model review and model deployment, the data in ML play a central role. Because the performance of ML models is highly dependent on the availability of data, the collection of real-world data is the most challenging aspect of ML model development for several reasons, particularly with respect to privacy and confidentiality. Privacy and data security protections are being strengthened not only by individuals, but also by society, governments and organizations, leading to the enactment of various regulations. Some of those regulations are the European Union’s General Data Protection Regulation (GDPR) [19], the People’s Republic of China’s Cybersecurity Law [20], the General Principles of Civil Law of the People’s Republic of China [21], the PDPA in Singapore [22] and others. Although these regulations facilitate the protection of personal data, they pose new difficulties for ML because they make data collection more challenging, which affects model training and makes it more difficult to improve the accuracy and personalization of these models. For this reason, maintaining data privacy and confidentiality is not the sole obstacle for ML but simultaneously raises issues of data availability, performance, personalization and thus acceptance and trust.

1.1. Federated Learning: A Privacy-Preserving Technology

In an attempt to protect user privacy, Google has recently introduced the idea of “Federated Machine Learning” or “Federated Learning (FL)” [23]. The core idea of Federated Learning (FL) is to prevent the sharing of user data from peripheral devices. FL is thus characterized as a collaborative distributed or decentralized machine learning approach that preserves privacy by training models locally on edge devices without transferring data to a central server. Instead, models are trained on local data at the edges and then sent back to a central server for aggregation, enabling the construction of a global model without accessing the underlying data. Federated Averaging (FedAVG), the first proposed FL model [23], provided a technique for combining locally trained models into a single global model. The process is repeated iteratively until the combined model reaches the desired level of accuracy. Federated machine learning promotes privacy in machine learning by ensuring that sensitive data stay with their original owners, as data are stored locally and the transfer of data between parties is minimized. The architecture of FedAvg is shown in Figure 1 below. In FedAvg, a central server, called the manager, sends a machine learning model to the clients, which train it with their own data and send it back to the manager. The manager then aggregates all the received models and updates the global model accordingly.

1.1.1. Underlying Architecture

A standard federated machine learning setup (as shown in Figure 1) generally comprises four main components: the central server, the participating parties, the communication infrastructure, and the aggregation algorithm [22,23]. Each of these components plays a unique role in the federated learning workflow and can be described as follows:
  • Central server (manager): the component responsible for overseeing communication between entities in the federated learning environment, which consolidates the knowledge gained from the participating clients;
  • Parties (clients): any computing device capable of contributing data for training the global model. This includes, but is not limited to, personal computers, servers, smartphones, smartwatches and various types of sensor-equipped devices;
  • Communication framework: encompasses the tools and systems used to link servers and parties, which can include internal networks, intranets or even the internet;
  • Aggregation algorithm: the component responsible for combining the knowledge collected from parties after they train on their local data and using this combined knowledge to update the global model.
In the federated learning environment, the traditional learning process is accomplished by iteratively performing the following steps:
  • The central server establishes connections with the clients and provides them with the initial global model.
  • The parties obtain a copy of the model, train it using their local data, and return the trained results to the central server.
  • The central server receives the locally trained models and aggregates them using the appropriate algorithm.
  • Based on the aggregation results, the central server updates the global model and sends the revised version back to the clients.
  • This process is repeated until the model converges or the central server decides to terminate the process.
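The iterative loop above as a small FedAvg simulation, added here as an illustration and not code from the article or from [23]. It assumes a one-dimensional linear model, three constructed client datasets of different sizes and input ranges (so the local data are not identically distributed), local SGD on each client, and the sample-count-weighted averaging that FedAvg uses on the server.

```python
"""FedAvg round simulation (added example): local SGD on each client, then
sample-count-weighted averaging on the server. All data are constructed inline."""
import random


def make_client_data(n, x_range, seed, true_w=2.0, true_b=-1.0):
    """Constructed local dataset: noisy points on the line y = true_w*x + true_b.
    Each client draws x from its own range, giving non-identical distributions."""
    rng = random.Random(seed)
    lo, hi = x_range
    return [(x, true_w * x + true_b + rng.gauss(0, 0.05))
            for x in (rng.uniform(lo, hi) for _ in range(n))]


def local_train(model, data, epochs=5, lr=0.1):
    """Client side: plain SGD on a 1-D linear model (w, b) over the local data.
    Only the resulting (w, b) leaves the client; the data never do."""
    w, b = model
    for _ in range(epochs):
        for x, y in data:
            err = (w * x + b) - y
            w -= lr * err * x
            b -= lr * err
    return (w, b)


def fedavg_aggregate(updates):
    """Server side: FedAvg weights each local model by its sample count n_k."""
    total = sum(n_k for _, n_k in updates)
    w = sum(m[0] * n_k for m, n_k in updates) / total
    b = sum(m[1] * n_k for m, n_k in updates) / total
    return (w, b)


def run_fedavg(client_datasets, rounds=30):
    """Broadcast the global model, train locally, aggregate; repeat for `rounds`."""
    global_model = (0.0, 0.0)
    for _ in range(rounds):
        updates = [(local_train(global_model, d), len(d)) for d in client_datasets]
        global_model = fedavg_aggregate(updates)
    return global_model


def demo():
    """Three constructed clients with 10, 30 and 60 samples on disjoint x ranges."""
    datasets = [make_client_data(10, (-1.0, -0.2), 1),
                make_client_data(30, (-0.6, 0.6), 2),
                make_client_data(60, (0.2, 1.0), 3)]
    return run_fedavg(datasets)
```

The global model converges to the shared underlying line (w = 2, b = -1) even though no single client's range covers it well on its own.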
Figure 2 below illustrates the architecture, entities and procedural steps involved in the federated learning environment, providing a clearer understanding of the system.

1.1.2. Challenges in FedAvg

Despite the progress FL has made in protecting privacy, FL is considered to be in its early stages and prone to many difficulties and challenges. However, FedAVG’s performance is poorly understood and encounters a number of problems, including [24,25,26,27,28,29]:
  • Performance issues:
    Suffering from ‘client drift’ and convergence problems;
    Tuning difficulty;
    High communication and computation cost;
    Significant variability in terms of the systems characteristics on each device in the network;
    Non-identically distributed data across the network;
    Heterogeneity of devices, users and network channels;
    Sensitivity to local models;
    Scalability issues.
  • Security and privacy issues: FL is still under the risk of several breaching attacks, such as:
    Poisoning attacks;
    Inference attacks;
    Backdoor attacks.

1.2. Privacy and Security Deficiency in FL

First and foremost, security and data protection should be separated, even though security in the broadest sense is part of data protection. Security refers to the ability to transmit and receive data without their being monitored, altered or tampered with. If a scheme is secure and communication between participants occurs over a secure channel, it is as secure as a face-to-face conversation. On the other hand, the term “information privacy” in the context of digital data protection refers to the idea that people should be able to control how their digital information is collected and used. In the case of personal data, this is particularly important. Both the idea of privacy and the field of information technology (IT) have evolved over time. The way that information is shared has changed drastically with networking and computers [30,31,32,33]. In this context, security and privacy in federated learning technology are discussed below.

1.2.1. Security and Privacy in FL

The analysis of security and privacy in the federated learning literature leads to the taxonomy proposed below [24,25,26,27,28,29,30,31]:
  • Security: occurs in the communication process to ensure that two individuals communicate with each other within a network in the same way as they would in a face-to-face environment. It can be divided into:
    Confidence: ensures that the adversary is not able to obtain information from the transmitted ciphertext;
    Authentication: guarantees that the recipient of the message is the one intended by the sender of the message;
    Integrity: verifies that the message is not added, removed or modified during transmission.
  • Privacy: refers to the use of the exchanged data, only by the parties authorized to do so, and can be discussed in three categories:
    Consent: to confirm that the shared data are intended only for those users who consent to the sharing of their own data, such as those who sign up to participate in FL;
    Precision: The results of some data activities are shared, but it must be determined which parts of the data are to be shared. For example, in FL, the data are not shared, but the local model trained with local data is;
    Preservative: to ensure the safety of the data against leaks caused by reverse analyses on local models;
  • Robustness: Resistance to various attacks and breaches, discussed in more detail later in Section 2.
FL security and privacy aspects are summarized in Figure 3 below. The proposed taxonomy was derived from available reviews and implementations in the literature [24,25,26,27,28,29,30,31].

1.2.2. Privacy Leakage in FL

FL offers privacy-preserving model training that requires no data transfer and allows users to join or leave the FL system at any time. However, the transmission of model updates during the training process may expose sensitive information [34,35,36] or even cause a deep leak [37], either to third parties or to the central server [38,39], as recent research suggests that FL does not always provide sufficient privacy protection. For example, ref. [40] showed that even a small portion of the original gradient can reveal information about local data. Moreover, a hostile attacker can quickly and completely recover the training data from the gradient [37]. Such attacks pose a major threat to FL and make it important to understand the concepts underlying them. This is necessary because the FL protocol has vulnerabilities against both:
  • Possibly malicious servers that can observe individual updates over time, disrupt training, and manage participants’ views of global parameters;
  • Any participant that can observe the global parameters and manage the parameter uploads. For example, hostile individuals may intentionally change their inputs or introduce covert backdoors into the overall model.

1.3. Article Contributions and Research Objectives

This article delves into the critical realm of federated machine learning, with a focus on addressing paramount concerns surrounding user data privacy and security. Federated learning is an evolving paradigm that allows machine learning models to be trained across decentralized data sources, thereby reducing privacy risks associated with centralized data processing. However, the decentralized nature of federated learning also introduces several security and privacy vulnerabilities, which this research aims to address comprehensively.

1.3.1. Research Objectives

The primary objective of this research is to provide a holistic understanding of federated learning security by systematically analyzing threats, vulnerabilities and security-enhancing techniques. More specifically, this article sets out to achieve the following key objectives:
  • To develop a systematic classification framework that delineates varying levels of data security in federated learning, providing a clear understanding of the security landscape;
  • To critically examine and categorize the different types of threats and attacks that federated learning systems face, identifying potential vulnerabilities and weaknesses;
  • To explore and evaluate federated learning aggregation algorithms, particularly focusing on how these algorithms can enhance privacy, security and robustness in decentralized environments;
  • To investigate privacy-enhancing mechanisms, such as differential privacy and homomorphic encryption, that can be integrated into federated learning systems to defend against malicious exploits;
  • To propose alternative methodologies that augment the security infrastructure of federated learning, expanding the range of tools available to protect against evolving threats.

1.3.2. Research Questions

This study is guided by the following research questions, which will direct the analysis and discussion throughout the article:
  • What are the specific security and privacy vulnerabilities associated with federated learning, and how can they be categorized for better understanding?
  • How do various aggregation algorithms affect the robustness and security of federated learning models?
  • In what ways can cutting-edge technologies like homomorphic encryption enhance the privacy and security of federated learning systems?
  • What alternative methodologies can be introduced to reinforce the security mechanisms within federated learning?
  • What are the future directions and trends in securing federated learning that are emerging from current research?

1.3.3. Contributions

By addressing these questions and objectives, this article contributes to the growing body of literature by:
  • Proposing a systematic classification framework delineating the varying levels of data security within federated learning, categorized into three distinct groups;
  • Conducting a thorough review of the myriad threats and attacks prevalent in federated learning environments, illuminating potential vulnerabilities;
  • Providing an exhaustive analysis of federated learning aggregation algorithms, with a specific focus on enhancing privacy, security and robustness;
  • Delving into the intricacies of privacy-enhancing mechanisms integrated within these algorithms, elucidating their efficacy in fortifying federated learning against malicious exploits;
  • Investigating the utilization of cutting-edge technologies such as homomorphic encryption to bolster the security posture of federated learning paradigms;
  • Exploring alternative methodologies poised to augment the security infrastructure of federated learning systems, thereby diversifying the arsenal of defensive measures;
  • Concluding with a forward-looking discussion on the future trajectories and emerging trends in the realm of securing federated learning, offering invaluable insights for further research and development.

2. Federated Learning Threats and Attacks

Federated learning is vulnerable to several types of attacks that are already known in the machine learning domain. A thorough analysis of the literature provides insight into these attacks. However, a deep understanding of attacks in the federated learning domain requires a solid understanding of privacy threats in the digital world in general and in the machine learning domain in particular. In the machine learning context, threats, sometimes referred to as vulnerabilities, refer to potential security flaws or weaknesses that an attacker can exploit. These deficiencies may include inadequate data security, lack of proper authentication systems and insufficient access restrictions. An attack, on the other hand, is the intentional and aggressive exploitation of these threats that results in damage to the ML system or unauthorized access to sensitive data. An example of a threat to a machine learning system is an unsecured database of training data, while an attack is when an unauthorized person attempts to gain access to or even steal those data. Understanding and addressing threats and attacks is critical to maintaining the security and trustworthiness of machine learning systems [29,30,37]. In this context, threats can be classified into the following three groups [29], including but not limited to those discussed in the list below and shown in Figure 4:
  • Insider vs. outsider threat: Since “insiders” are the parties within the FL system and “outsiders” are other parties, an “insider attack” is an attack originating from either the FL server or one of the subscribers, while an “outsider attack” is an attack initiated by eavesdroppers on the communication channel between subscribers and the FL server or by users of the final FL service. Because of their access, insiders can usually mount stronger attacks than outsiders, so outsider attacks have been less studied in the literature. Insider attacks can be summarized as follows:
    Single attack [41,42]: a single, malicious, non-colluding individual aims to make the model misclassify a given set of inputs with certainty;
    Sybil attack [42,43]: aims to launch more effective attacks against FL. Attackers can mimic multiple fake subscriber accounts or select already-compromised individuals;
    Byzantine attack [44,45,46,47,48]: a Byzantine attack, or Byzantine failure, is a situation in which one or more individuals experience technical glitches or communication problems and, as a result, submit incomplete information to the parameter server, which can affect the accuracy of the overall model. Such a failure can take the form of an attack, which we refer to as a “Byzantine attack”, in which malicious actors purposefully compromise an FL system by strategically providing dishonest responses. These attacks fall into two categories:
      * Gaussian attack [49]: performed by a single worker in an FL system, regardless of local training datasets. The individuals performing this attack draw their responses randomly from a Gaussian distribution;
      * Fall of empires attack [50]: designed to overcome strong aggregation algorithms, it requires a minimum number of Byzantine workers (i.e., individuals performing the attack), depending on the strength of the resistant algorithms. It also requires that the Byzantine workers know the answers sent by the truthful workers.
  • Semi-honest vs. malicious: In the semi-honest context, attackers are considered passive or honest-but-curious. They aim to learn the private information of other parties while following the federated learning (FL) protocol. Passive adversaries are assumed to only access the aggregated or averaged gradients without seeing the training data or individual gradients of honest participants. In contrast, in a malicious context, an active or malicious adversary tries to uncover the secret states of honest players and may deviate from the FL protocol by modifying, replaying or deleting messages. This stronger adversarial model allows for particularly severe attacks;
  • Training phase vs. inference phase [51,52]: Attacks in the training phase use data poisoning or model poisoning to learn, influence or corrupt the FL model itself. In the first case, the integrity of the training data collection is compromised, while in the second case, the learning process is compromised. The attacker can also perform a series of inference attacks on the update of a single participant or on the set of updates of all participants. Inference attacks, on the other hand, often do not interfere with the target model but either make it produce false results or gather information about the model’s properties. The success of such attacks depends primarily on how well the attacker understands the model. Moreover, if the target model is provided as a service, the FL model broadcast phase makes the model accessible to any malicious client.

2.1. Poisoning Attacks in Federated Learning

Poisoning attacks can be either random or targeted [53]. Random attacks aim to reduce the accuracy of the FL model, while targeted attacks aim to make the FL model output the target label chosen by the attacker; the latter is more difficult because the attacker has a specific target. Additionally, poisoning attacks can target either the data or the model, with the goal of altering the target model’s behavior in a detrimental manner. If attackers gain control of the FL server, they can easily execute both targeted and untargeted poisoning attacks on the trained model. Data and model poisoning attacks can therefore be explained as follows:
  • Data poisoning: also known as data corruption, occurs in local data collection and is broadly divided into two types: clean label [54] and dirty label [55]. In clean label attacks, it is assumed that the attacker cannot change the label of the training data because there is a mechanism to confirm that the data belong to the correct class, and the poisoning of the data must go unnoticed. In contrast, in dirty label poisoning, the attacker can insert a set of data samples into the training set that he wants to misclassify with the intended target label. In addition, any member of FL can perform data poisoning attacks. Thus, the impact on the FL model depends on how many system members participate in the attacks and how many training data are poisoned;
  • Model poisoning: occurs during local model training and aims to contaminate local model updates before they are sent to the server or to implant secret backdoors in the global model [42]. The attacker’s goal in targeted model poisoning is to cause the FL model to misclassify a set of selected inputs with high confidence. Note that these inputs are not modified to cause misclassification at test time, as is the case with adversarial attacks [56]. Rather, the misclassification is the result of the attacker’s manipulation of the training process. In FL, model poisoning even trumps data poisoning, since attacks via data poisoning eventually affect only a portion of the updates that are fed to the model at each iteration [43]. This is essentially equivalent to a centralized poisoning attack that poisons a portion of the entire training data. Model poisoning attacks require strong technological capabilities and a large amount of processing power.

2.2. Inference Attacks in Federated Learning

Sharing gradients during FL training can lead to a significant loss of privacy [36,37,40,57]. Since deep learning models appear to internally recognize numerous features of the data that are not clearly related to the core tasks, model updates may provide additional information about undesirable features of the participants’ training data to hostile participants. The attacker can also store the snapshot of the FL model parameters and perform property inference based on the difference between subsequent snapshots, which corresponds to the aggregate updates of all participants without the attacker. The fundamental problem is that the gradients are derived from the participants’ private data.
The gradients of a given layer in deep learning models are created based on the characteristics of that layer and the error of the layer above it. The gradients of the weights in successive fully connected layers are the inner products of the error of the layer above and the features. Similarly, the gradients of the weights in a convolutional layer are convolutions of the error of the overlying layer and features [36]. As a result, observations can be used to update the model to derive a significant amount of private information, such as class representatives, membership, and attributes associated with a subset of the training data. Worse, an attacker can infer labels from shared gradients and recover the original training samples without knowing anything about the training set [37]. Inference attacks fall into the following categories:
  • Inferring membership: The objective of membership inference attacks is to ascertain whether a specific data element was included in the training dataset of the model [58];
  • Inferring class: takes place when a malicious participant can specifically compromise any other participant. The attack takes advantage of the real-time nature of the FL learning process, which allows the attacker to train a network that generates prototype samples of the targeted training data that should be private. The generated samples appear to be from the same distribution as the training data;
  • Inferring properties: In this type of attack, an adversary can carry out both passive and active property inference attacks to deduce the properties of other participants’ training data, even if those properties are unrelated to the features defining the classes of the federated learning model [36]:
    Property inference attacks require the attacker to have additional training data labeled with the exact property they wish to infer;
    A passive attacker can only monitor updates and make inferences through training a binary property classifier;
    An active adversary can exploit multitask learning to deceive the federated learning model into improving its ability to distinguish between data with and without the targeted property, thereby extracting more information;
    An adversarial participant can even detect when a specific feature appears or disappears in the data during the training process;
    An adversary can reconstruct pixel-perfect original images or retrieve token-matched original texts from the data.
In Figure 5 below, the attacks that are known in the federated learning field are illustrated.

3. Securing FL Aggregation Algorithms

Federated learning technology is known as a privacy-preserving technology that builds machine learning models without collecting users’ private data. The first federated aggregation algorithm, proposed by Google and called FedAvg [23], was originally dedicated to the idea of aggregating multiple locally trained models. However, later reviews have shown that this algorithm is vulnerable to many challenges, including various attacks and violations [24,25,26,27,28,29]. Therefore, many aggregation algorithms were built in the attempt to address these problems. However, not all aggregation algorithms have been developed to address privacy and security concerns. Some were developed to reduce communication overhead and cost, such as FedBoost [59], FedProx [60], FedMA [61] and others. Other approaches have been used to improve personalization, such as FedDist [62]. Thus, in this section, we discuss the aggregation algorithms of FL that aim to improve privacy and security in federated learning environments.

3.1. Securing FL Aggregation Against Active Adversaries

The FL algorithm proposed in [23] is vulnerable to poisoning attacks. In [63], the authors proposed a protocol for secure vector summation that has a fixed number of rounds, minimal communication cost, failure robustness, and only one server with limited trust. In this design, the server has two tasks: relaying communication between other parties and computing the final result. Additionally, the authors propose two variants of their protocol. The first is more efficient and can be proven secure against honest-but-curious adversaries within a straightforward model. The second variant guarantees anonymity even against active adversaries (including a malicious server), though it requires an additional communication round and is proven secure in the random oracle model. In both cases, through a simulation-based demonstration, it was shown that the server only learns the users’ inputs in aggregated form [23]. To secure the communication between the involved parties, a cryptographic primitive was implemented in the following phases:
  • Secret sharing: relies on Shamir’s “t-out-of-n” secret sharing [64], which allows a user to split a secret s into n shares such that any t of them can reconstruct s, while any collection of fewer than t shares reveals no information about s;
  • Key agreement: consists of three functions: the first generates public parameters, the second lets each party generate a private/public key pair, and the third lets each user combine its own private key with another party’s public key to obtain a shared secret key;
  • Authenticated encryption: a symmetric encryption scheme that provides both confidentiality and integrity, so that messages exchanged between two parties are encrypted to prevent unauthorized access and are also protected from tampering or alteration;
  • Pseudorandom generator: ensures that, given a uniformly random seed, its output is computationally indistinguishable from a uniformly sampled element of the output space, provided that the seed remains hidden from the distinguisher;
  • Signature scheme: to ensure that a signature proves the origin of a message, it must be infeasible for anyone without the secret key to create a valid signature for a message they have not already seen signed. This property is known as Unforgeability under Chosen Message Attack (UF-CMA) security [65];
  • Public key infrastructure: this mechanism enables clients to register their identities and sign messages using those identities, allowing other clients to verify the signature without being able to forge it.
Based on the performance analysis performed by the authors, this approach shows several advantages and disadvantages, which are listed below:
  • Advantages:
    Privacy preservation: by eliminating the need to collect user data, user privacy is preserved.
    Security: achieved by using a cryptographic primitive that prevents communication with unauthorised users;
    Dropped-user management: the server receives messages from all users who have not dropped out in this round and aborts if the number of messages received is below the required threshold.
  • Drawbacks:
    Robustness against active attackers: the protocol ensures that whenever the server learns a user’s input, it is always merged with other users’ values, but it does not protect against malicious clients who want to prevent the server from learning any sum at all;
    Forcing well-formed input: the protocol also does not ensure that user input is well-formed or within certain bounds, so malicious users can submit arbitrary values of their choosing, which makes the server’s output ill-formed as well;
    Communication overhead: users must exchange random vectors, which requires quadratic communication overhead if implemented naively.
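The following added example (not the authors’ code from [63]) shows the mechanics behind the primitives listed above: users hide their vectors with pairwise masks derived from a shared seed through a PRG, the masks cancel when the server sums all vectors, and a dropped user’s masks are removed by reconstructing its seeds from Shamir shares held by the survivors. It is deliberately simplified: the pairwise seeds are drawn directly instead of through key agreement, each user Shamir-shares every pairwise seed with all users, the PRG is SHA-256 in counter mode, and signatures, PKI and authenticated channels are omitted (all of these are assumptions of the example, not statements from the page). The `override` argument of `demo` reproduces the well-formed-input drawback: a user can submit an arbitrary value and the server has no way to notice.

```python
"""Pairwise-masked secure summation with Shamir-backed dropout handling.

Added illustration in the spirit of the protocol of [63]; not the authors'
code. Simplifications (assumptions, not from the page): pairwise seeds s_uv
are drawn directly, each user Shamir-shares every pairwise seed with all
users, the PRG is SHA-256 in counter mode, arithmetic is in Z_P for a
constructed 61-bit prime P, and signatures/PKI/authenticated channels are
omitted.
"""
import hashlib
import random

P = (1 << 61) - 1   # constructed prime modulus (a Mersenne prime)
DIM = 4             # length of every user's update vector


def shamir_split(secret, t, n, rng=random):
    """Split `secret` (< P) into n shares (x, f(x)); any t shares reconstruct it."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def shamir_reconstruct(shares):
    """Lagrange interpolation of the sharing polynomial at x = 0 over Z_P."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def prg(seed, dim=DIM):
    """Expand a seed into a mask vector in Z_P^dim (SHA-256 in counter mode)."""
    return [int.from_bytes(hashlib.sha256(seed.to_bytes(16, "big")
                                          + k.to_bytes(4, "big")).digest(), "big") % P
            for k in range(dim)]


def masked_update(uid, x, seeds):
    """User `uid` hides x by adding +PRG(s_uv) for every v > uid and
    -PRG(s_uv) for every v < uid; the masks cancel when all users are summed."""
    y = [xi % P for xi in x]
    for pair, s in seeds.items():
        if uid in pair:
            v = next(iter(pair - {uid}))
            sign = 1 if v > uid else -1
            for k, m in enumerate(prg(s)):
                y[k] = (y[k] + sign * m) % P
    return y


def server_sum(masked, dropped, seed_shares, t):
    """Sum the received masked vectors. For each dropped user d the server
    collects t surviving shares of s_dv and removes the now-unmatched masks."""
    total = [0] * DIM
    for y in masked.values():
        total = [(a + b) % P for a, b in zip(total, y)]
    for d in dropped:
        for v in masked:                       # survivors only
            s = shamir_reconstruct(seed_shares[(d, v)][:t])
            sign = 1 if v > d else -1          # the sign d would have used;
            for k, m in enumerate(prg(s)):     # survivor v used the opposite sign,
                total[k] = (total[k] + sign * m) % P   # so add d's sign to cancel
    return total


def demo(n=5, t=3, dropped=(2,), override=None, seed=7):
    """Run one aggregation round; `override` lets a user submit arbitrary
    values, which the server cannot detect (the well-formedness drawback)."""
    rng = random.Random(seed)
    users = range(n)
    inputs = {u: [rng.randrange(100) for _ in range(DIM)] for u in users}   # constructed
    inputs.update(override or {})
    seeds = {frozenset({u, v}): rng.randrange(P)
             for u in users for v in users if u < v}
    seed_shares = {}
    for pair, s in seeds.items():
        u, v = sorted(pair)
        seed_shares[(u, v)] = seed_shares[(v, u)] = shamir_split(s, t, n, rng)
    masked = {u: masked_update(u, inputs[u], seeds) for u in users if u not in dropped}
    result = server_sum(masked, dropped, seed_shares, t)
    expected = [sum(inputs[u][k] for u in users if u not in dropped) % P
                for k in range(DIM)]
    return {"inputs": inputs, "masked": masked, "result": result, "expected": expected}
```

Each masked vector on its own is uniformly random in Z_P, so the server sees nothing about an individual input; only the sum, with the dropped user’s masks removed, is meaningful.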

3.2. Robust Federated Aggregation (RFA)

Building on the success of federated learning as a privacy-preserving technology, the authors of [66] introduced robust federated aggregation (RFA): a novel approach designed to enhance the robustness of the aggregation process against potential poisoning of local data or model parameters from participating devices. Since corrupted or poisoned devices can only influence the global model through their updates, the authors focused on refining the aggregation step and proposed an improved aggregation algorithm for federated learning. The proposed method leverages the geometric median, which can be efficiently computed using a Weiszfeld-type algorithm [67]. This approach is resilient to the degree of corruption and aggregates model updates without disclosing the individual contributions of each device. The experimental results demonstrated that RFA performs comparably to traditional aggregation methods under low levels of corruption while exhibiting greater resilience in scenarios with high levels of corruption.
Their model, RFA, is based on aggregation with the Geometric Median (GM), the point that minimizes the sum of Euclidean distances to the input vectors. The GM has the optimal breakdown point of 1/2: at least half of the points must be altered before the geometric median can be moved to an arbitrary point. The RFA algorithm is obtained by substituting the mean aggregation used in FedAvg with this geometric median-based robust aggregation. As a result, RFA does not depend on the convexity of the local objectives, and the aggregate is robust regardless of the actual amount of corruption in the problem. However, the authors conclude that robustness cannot be obtained together with the two other main goals of federated learning, communication efficiency and privacy. They therefore propose two variants of RFA, namely one-step RFA, which aims to reduce communication costs, and personalized RFA, which aims to deal with heterogeneity. In addition, the authors explain the tension between robustness, communication and privacy, concluding the following:
  • Any FL algorithm among existing secure multi-party computation techniques can only exhibit two of the three aspects of privacy, communication and robustness;
  • FedAvg is efficient in terms of communication and privacy, but it is not robust;
  • In general, any linear aggregation scheme is not robust; therefore, any robust aggregation must be non-linear;
  • Only linear functions of inputs are communication-efficient for the secure multiparty computation primitives based on secret sharing, which form the foundation of privacy protection.
Therefore, the presented algorithm, called RFA, is based on the geometric median and the smoothed Weiszfeld approach to aggregate the vectors. The approach proved to be robust to corrupted updates, and the proposed variants also showed optimization of communication overhead.
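The added example below (not the RFA code of [66]) contrasts mean aggregation with the geometric median computed by a smoothed Weiszfeld iteration, on constructed updates where 3 of 10 devices are corrupted. The smoothing constant, iteration count and starting point (the weighted mean) are choices of the example, not of the paper.

```python
"""Mean vs. geometric-median aggregation under corrupted updates.

Added example, not the authors' RFA implementation. Smoothed Weiszfeld on
plain Python lists; eps, the iteration budget and the starting point are
constructed choices.
"""
import math


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_aggregate(updates):
    """FedAvg-style (unweighted) mean of the update vectors."""
    d = len(updates[0])
    return [sum(u[k] for u in updates) / len(updates) for k in range(d)]


def geometric_median(updates, weights=None, eps=1e-6, iters=100):
    """Smoothed Weiszfeld iteration:
    z <- sum_i beta_i x_i / sum_i beta_i with beta_i = w_i / max(eps, ||x_i - z||).
    Starts from the weighted mean; eps avoids division by zero at a data point."""
    n, d = len(updates), len(updates[0])
    w = weights or [1.0] * n
    z = [sum(w[i] * updates[i][k] for i in range(n)) / sum(w) for k in range(d)]
    for _ in range(iters):
        beta = [w[i] / max(eps, _dist(updates[i], z)) for i in range(n)]
        z_new = [sum(beta[i] * updates[i][k] for i in range(n)) / sum(beta)
                 for k in range(d)]
        if _dist(z, z_new) < 1e-9:
            break
        z = z_new
    return z


def corruption_demo(n_honest=7, n_bad=3, shift=1000.0):
    """Constructed scenario: honest updates cluster around (1, 1); corrupted
    devices send a far-away vector. Returns each aggregate's distance from the
    honest centre (30% corruption, below the 1/2 breakdown point)."""
    honest = [[1.0 + 0.1 * ((i % 3) - 1), 1.0 - 0.1 * (i % 2)] for i in range(n_honest)]
    bad = [[shift, -shift]] * n_bad
    updates = honest + bad
    centre = mean_aggregate(honest)
    return {"mean_error": _dist(mean_aggregate(updates), centre),
            "gm_error": _dist(geometric_median(updates), centre)}
```

The mean is dragged hundreds of units away by three corrupted devices, while the geometric median stays inside the honest cluster; with a majority of corrupted devices the guarantee disappears, which is the breakdown point discussed above.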

3.3. Layerwise Gradient Aggregation (LEGATO)

Furthermore, in [68], the authors discussed the need for robust aggregation algorithms that can survive Byzantine attacks, in which Byzantine workers are participants that send malicious gradients to corrupt the global model. The approach proposed by the authors was motivated by the increasing challenges in FL aggregation, where:
  • Several known robust aggregation techniques, especially in non-IID environments, are unable to defend against Byzantine attacks;
  • There is a need to develop aggregation algorithms that:
    intelligently detect whether a worker sending a “different” response is a malicious worker;
    can train a global model with reasonable performance given non-IID local data distributions;
    use all information collected from workers to diagnose worker behavior.
Given that existing robust aggregation algorithms are often very computationally intensive, the authors justified the development of their model by the need for robust yet communication-efficient methods. Therefore, they introduced Layerwise Gradient Aggregation (LEGATO), a scalable and generalizable FL aggregation algorithm. LEGATO uses a dynamic gradient reweighting approach that is novel in its treatment of gradients based on layer-specific resilience, and it is also beneficial for the convergence of gradient descent in the absence of an attack. The authors secured their algorithm via the layer-by-layer approach, which works on each layer of the model. It is therefore worth noting that their approach is limited to ML models built from layers, such as deep learning and neural network models. The steps of LEGATO begin when the server receives gradients from all workers:
  • First, the server updates the gradient log to include the latest gradients collected from workers;
  • Then, it assigns a robustness factor to each layer (slice), standardized over all layers, computed as the inverse of the standard deviation of that layer’s gradient norms over all recorded rounds, and reweights each layer’s gradients accordingly;
  • Finally, all these reweighted gradients are averaged over all workers, and the resulting aggregated gradient is used as the round gradient.
The proposed approach has thus been shown to be robust to Byzantine attacks while also being considered communication-efficient. However, it suffers from several drawbacks, which can be summarized as follows:
  • Its limitation to neural networks;
  • Its weakness against Gaussian variance attacks;
  • Its lack of a definition for “extreme outliers”.
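The three steps above, as an added example that is not the LEGATO implementation of [68]: the server logs per-layer gradient norms, derives a robustness factor per layer from the inverse standard deviation of the logged norms, standardizes the factors over layers and averages the reweighted gradients. Assumptions of this example beyond the page: the log keeps every worker’s per-layer norm from every round, the factors are standardized to have mean 1, and the toy model has three layers with one worker injecting erratic gradients into a single layer.

```python
"""Layer-wise gradient reweighting in the style of LEGATO.

Added example, not the authors' implementation. Assumptions beyond the page:
the gradient log stores, per layer, the norm of every worker's layer gradient
in every recorded round; a layer's robustness factor is 1 / (std of its
logged norms + eps); factors are standardized to have mean 1 across layers;
each layer's averaged gradient is scaled by its factor.
"""
import math


def _norm(v):
    return math.sqrt(sum(x * x for x in v))


def _std(xs):
    mean = sum(xs) / len(xs)
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))


class LegatoAggregator:
    def __init__(self, n_layers, eps=1e-8):
        self.log = [[] for _ in range(n_layers)]  # per-layer history of norms
        self.eps = eps

    def robustness_factors(self):
        """Inverse standard deviation of logged norms, standardized over layers."""
        raw = [1.0 / (_std(h) + self.eps) if len(h) > 1 else 1.0 for h in self.log]
        mean_raw = sum(raw) / len(raw)
        return [r / mean_raw for r in raw]

    def aggregate(self, worker_grads):
        """worker_grads[w][l] is worker w's gradient for layer l (list of floats).
        Returns the reweighted round gradient, one vector per layer."""
        n_workers, n_layers = len(worker_grads), len(self.log)
        # step 1: update the gradient log with this round's per-layer norms
        for l in range(n_layers):
            self.log[l].extend(_norm(g[l]) for g in worker_grads)
        # step 2: robustness factor per layer, standardized over all layers
        factors = self.robustness_factors()
        # step 3: average over workers, scaled layer-wise by the factor
        return [[factors[l] * sum(g[l][k] for g in worker_grads) / n_workers
                 for k in range(len(worker_grads[0][l]))]
                for l in range(n_layers)]


def demo(rounds=6, n_workers=4):
    """Constructed three-layer toy model; worker 3 is Byzantine and injects
    large, sign-flipping gradients into layer 1 on odd rounds only."""
    agg = LegatoAggregator(n_layers=3)
    last = None
    for r in range(rounds):
        grads = []
        for w in range(n_workers):
            g = [[0.1 + 0.01 * r, 0.1] for _ in range(3)]   # honest gradient
            if w == 3 and r % 2 == 1:
                g[1] = [50.0, -50.0]                         # Byzantine layer 1
            grads.append(g)
        last = agg.aggregate(grads)
    return {"factors": agg.robustness_factors(), "round_gradient": last}
```

After a few rounds the attacked layer’s norm history has a large spread, its factor collapses towards zero and the Byzantine contribution to that layer is suppressed, while the quiet layers keep factors above 1; a Gaussian-variance attack that keeps norms statistically plausible would not be caught by this statistic, which is the weakness listed above.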

3.4. Privacy-Preserving Decentralized Aggregation (SecureD-FL)

So far, it has been discussed that federated learning aggregation algorithms are vulnerable to various poisoning attacks. This being said, secure multiparty computation [63,69,70], differential privacy [71,72] and combinations of both [73,74,75] are techniques to address these privacy issues. However, these techniques involve significant computational overhead, require a trusted third party to provide the secret key, or compromise the quality of the trained models because of the noise introduced. Most importantly, these systems require a central aggregation server that acts as a single point of failure and poses a privacy risk in the event of a compromise. Therefore, in [76], the authors developed a privacy-preserving decentralized aggregation protocol for federated learning called “SecureD-FL”. Their proposed aggregation algorithm is based on an improved version of the alternating direction method of multipliers (ADMM) [77]. The proposed algorithm manages the communication between participants during each aggregation round to minimize privacy loss and ensure protection against honest-but-curious adversaries. This communication pattern is inspired by combinatorial block design theory.
The algorithm in [76] was proposed as a novel communication pattern between FL system participants inspired by the theory of combinatorial block design [78]. The basic idea is that the algorithm determines which participants form a group in each aggregation round so as to minimize privacy loss. The grouping algorithm is explained with an example:
  • “assume having a set of partitions of the nine users 1, …, 9 in groups (of size s = 3) with a gap constraint. Each of the partitions corresponds to a communication scheme in an ADMM iteration. The members of a group (triangles) are free to communicate their parameters among themselves in one iteration. These partitions create a communication gap across the ADMM aggregation. Therefore, users do not disclose private information when the aggregation converges in less than twice the number of partitions at least” [76].
In Figure 6, the communication protocol is shown for a group of nine users divided into three groups. In the figure, parts a, b and c represent communication with gaps between individuals with unequal distances. In this case, two adjacent individuals can communicate more than once in a full communication cycle (eight iterations), unlike part d, where the connection between the same two individuals occurs only after eight iterations. This reduction in the repetition of communication between individuals contributes to less leakage of private information.
Following the classical federated learning algorithm, the proposed architecture consists of multiple rounds. Since no central server is required, the steps are as follows:
  • Each individual trains the global model using its local data and updates the model parameters;
  • The individuals synchronize the locally trained models;
  • The individuals work together to compute the summed model via the ADMM-based secure aggregation algorithm without having to send it to a central server;
  • Repeat the above steps until the model converges.
However, by using the communication control protocol, the communication between individuals proceeds as follows:
  • In each iteration, each individual performs its minimization and shares its parameters with other individuals in the same group to calculate the partial sum of the group;
  • Different groups exchange their partial sums to calculate the final sum of the model;
  • Individuals update their parameters at each iteration with the final sum.
As a result, individuals from FL are able to build an aggregate model with fewer repeated communications, which increases robustness to a loss of privacy.
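To make the block-design idea concrete, the added example below (not the SecureD-FL code of [76]) builds a resolvable design on nine users: four partitions into groups of three such that every pair of users shares a group exactly once, which is the affine plane of order 3. Whether the authors use exactly this design is an assumption of the example; the page only states that the pattern comes from combinatorial block design and that a full cycle has eight iterations. The helper `co_membership_counts` measures how often each pair of users ends up in the same group over a schedule, which is the quantity the protocol tries to keep low.

```python
"""Resolvable block design for group-wise communication (added example, not
the authors' code). Nine users, groups of size 3, four partitions: every pair
of users meets in a group exactly once (affine plane AG(2,3)); whether [76]
uses this exact design is an assumption.
"""
from itertools import combinations


def affine_plane_partitions(q=3):
    """q*q users numbered 1..q*q; returns q+1 partitions (parallel classes),
    each splitting the users into q groups of q, with every pair co-grouped
    exactly once across the partitions (q must be prime)."""
    points = [(x, y) for x in range(q) for y in range(q)]
    uid = {p: i + 1 for i, p in enumerate(points)}
    classes = []
    for a in range(q):                       # lines y = a*x + b for each slope a
        classes.append([[uid[(x, (a * x + b) % q)] for x in range(q)] for b in range(q)])
    classes.append([[uid[(c, y)] for y in range(q)] for c in range(q)])  # vertical lines
    return classes


def schedule(partitions, iterations):
    """Cycle through the partitions, one per ADMM iteration."""
    return [partitions[i % len(partitions)] for i in range(iterations)]


def co_membership_counts(sched):
    """{(u, v): number of iterations in which u and v were in the same group}."""
    counts = {}
    for partition in sched:
        for group in partition:
            for pair in combinations(sorted(group), 2):
                counts[pair] = counts.get(pair, 0) + 1
    return counts


def compare(iterations=8):
    """Designed schedule vs. a naive fixed grouping over one full cycle."""
    parts = affine_plane_partitions(3)
    designed = co_membership_counts(schedule(parts, iterations))
    fixed = co_membership_counts([parts[0]] * iterations)
    return {"designed_max_repeats": max(designed.values()),
            "fixed_max_repeats": max(fixed.values()),
            "pairs_never_meeting_fixed": 36 - len(fixed)}
```

Over an eight-iteration cycle every pair of users shares a group exactly twice under the designed schedule, whereas a fixed grouping makes the same pairs exchange parameters in all eight iterations (and never lets the other pairs mix), which is the repeated exposure the protocol is designed to avoid.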

3.5. Secure and Efficient Aggregation for Byzantine-Robust Federated Learning (SEAR)

Byzantine attackers are not the only problem that federated learning technology can suffer from. For example, the server is able to infer private content from the client’s data. It can recover these data using generative adversarial networks (GANs) [79] or pixel-wise accurate images by using gradients [37]. Furthermore, implementing cryptographic primitives such as homomorphic encryption (HE) and secure multi-party computation (MPC) involves significant communication and computation costs [80]. To address this, the authors of [80] introduced a new private and secure aggregation algorithm called SEAR. This algorithm employs a hardware-based trusted execution environment as an alternative to cryptographic methods that are often time-consuming.
First, SEAR utilizes the Intel SGX [81] Trusted Execution Environment (TEE) to securely aggregate locally trained models within a trusted hardware setting. A trusted execution environment is a secure section of the central processor designed to protect the confidentiality and integrity of the code and data it handles. Two main TEEs are based on different processor architectures: ARM TrustZone [82] and Intel Software Guard Extensions (SGX) [81]. In Intel SGX, the secure component is known as the enclave, while the protected memory area is called the Processor Reserved Memory (PRM), which is inaccessible to code outside the enclave. Since local models are encrypted and only the enclave has the decryption key, sensitive information remains protected during aggregation.
However, the physical memory size of PRM is limited to 128 MB on current Intel CPUs, which limits the number of locally trained models that can be aggregated simultaneously. This poses a major challenge, since thousands or even more individuals may be involved in aggregation simultaneously in the FL environment. Therefore, the authors proposed two data storage modes that can be used within the enclave:
  • Row major data storage mode: The parameters uploaded by a client are stored in a contiguous storage area that is suitable for the aggregation algorithm, which operates by accessing each client’s vector just once.
  • Column major data storage mode: The parameters are stored in a contiguous array with consistent dimensions.
Since the row-major data storage mode is time-consuming because of the EPC (Enclave Page Cache) paging it incurs, the column-major mode is proposed as a solution to this drawback. In this mode, PRM is able to store more dimensions without changing the total memory consumption. In addition, in [80], the authors considered preventing information leakage through side channels, such as power consumption [83], rollback attacks [84] or other timing attacks [85].

3.6. Efficient Privacy-Preserving Data Aggregation (EPPDA)

FL is vulnerable to data poisoning attacks and also to inversion attacks that analyze users’ models to expose their private data. For example, the aggregation server, as a legitimate FL participant, can decrypt individuals’ locally trained models. Additionally, the instability of the communication network affects the federated learning system. To address this, the authors of [86] proposed an efficient, fault-tolerant, privacy-preserving data aggregation scheme that minimizes communication and computation requirements. Their model, called efficient privacy-preserving data aggregation (EPPDA), leverages the homomorphic property of secret sharing [87] to reduce the number of rounds of secret exchange, thereby decreasing the consumption of communication, computation and storage resources. In this context, minimizing communication, computation and memory usage enhances system efficiency, particularly as the number of training iterations grows. Additionally, secret sharing helps protect users’ confidential data and mitigates the impact of malicious users, which makes EPPDA a privacy-preserving and fault-tolerant algorithm. The cryptographic primitives employed in EPPDA can be summarized as follows:
  • Secret sharing: based on Shamir secret sharing [64], discussed in Section 3.1;
  • Key exchange protocol: helps both communication parties generate a session key in a public channel;
  • Authenticated encryption: allows both communication parties to communicate with a shared secret in a public channel;
  • Signature scheme: verifies the source of the message.

3.7. Secure Aggregation with Heterogeneous Quantization (HeteroSAg)

FL offers many advantages but also suffers from challenges like communication bottlenecks, system failures, malicious users and Byzantine faults. Therefore, the authors of [88] proposed Secure Aggregation with Heterogeneous Quantization (HeteroSAg), a privacy-friendly and heterogeneous efficient FL aggregation algorithm. HeteroSAg, as demonstrated by the authors, achieves the following:
  • Ensures the privacy of each user’s local model updates by masking the updates in such a way that the mutual information between the masked model and the original model is zero;
  • Facilitates the use of heterogeneous quantization, enabling edge users to adjust their quantization levels according to their available communication resources. This approach improves the trade-off between training accuracy and communication time;
  • Achieves resilience against Byzantine attacks by adding distance-based defenses;
  • Reduces bandwidth expansion.
HeteroSAg facilitates secure aggregation with heterogeneous quantization. Its efficiency and resilience against Byzantine attacks are rooted in the FL system cycle that utilizes the segment grouping strategy. This strategy involves dividing edge users into groups and segmenting their local model updates. The segmentation helps with the following:
  • Computation on segments with specified user cooperation so that segments can be quantized by different quantizers instead of applying the safe aggregation procedure to all local model update vectors;
  • Enabling secure model aggregation with heterogeneous quantization while preventing the server from reconstructing the full average model from a subset of users.
In summary, HeteroSAg has been shown to be an efficient aggregation algorithm that provides a much better tradeoff between training accuracy and communication time. Moreover, the proposed HeteroSAg method can be used to mitigate Byzantine attacks and drastically reduce the bandwidth growth of the secure state-of-the-art aggregation protocol.

3.8. FLDetector: Securing FL by Detecting Malicious Clients

In federated learning, existing defenses have largely concentrated on Byzantine-robust or provably robust methods, even in the presence of malicious clients. A significant limitation of these defenses is that they can handle only a limited number of malicious clients. To address this challenge, ref. [89] introduces FLDetector, a method specifically designed to defend against model poisoning attacks involving a large number of malicious clients. FLDetector takes a distinctive approach by focusing on the detection of these malicious clients. The methodology is based on a key observation: in model poisoning attacks, model updates from a client across multiple iterations often show inconsistencies. FLDetector identifies potentially malicious clients by evaluating the consistency of their model updates. Specifically, the server uses historical model updates to predict each client’s model update for subsequent iterations. If a client’s update deviates significantly from the predicted updates across several iterations, the server flags the client as potentially malicious. This approach enables FLDetector to tackle the difficult scenario of model poisoning attacks orchestrated by a large number of malicious clients. By assessing the consistency of model updates, FLDetector not only provides a robust defense mechanism but also provides insight into the limitations and opportunities for mitigating such threats within the federated learning landscape. However, it is important to recognize that FLDetector, like any defense strategy, has its own benefits and limitations, which are explored below:
  • Benefits:
    Improved defense against large-scale attacks: offers a defense mechanism against model poisoning attacks involving a substantial number of malicious clients, addressing a critical challenge in the FL domain;
    Unique detection approach: The method’s unique approach, focusing on the consistency of model updates across iterations, sets it apart from existing defenses that rely on Byzantine-robust or provably robust methods;
    Predictive model update analysis: By utilizing historical model updates to predict a client’s model update for each iteration, FLDetector demonstrates the ability to proactively identify potentially malicious clients;
    Early detection: The system raises a red flag and designates a client as malicious if inconsistencies persist across multiple iterations, enabling early detection and mitigation of threats.
  • Limitations:
    Detection sensitivity: FLDetector can identify fraudulent clients based on inconsistent model updates, but it may also raise false alarms in cases of benign inconsistencies like communication problems or system noise;
    Complexity and resource requirements: Predictive model update analysis and consistency testing may increase server-side computational complexity and resource overhead, impacting FL system performance;
    Effectiveness under evolving attacks: The method’s effectiveness could be limited if adversaries adapt their strategies to introduce more subtle and harder-to-detect inconsistencies in their model updates;
    Trade-off between false positives and false negatives: Fine-tuning the balance between false positives (flagging innocent clients as malicious) and false negatives (failing to detect true dangerous clients) may be difficult.
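The consistency check described above, as an added example that is not the FLDetector implementation of [89]: the server predicts each client’s next update from its history, scores the deviation of the actual update from the prediction, and flags a client only after the deviation stays far above the round’s median for several consecutive iterations. Assumptions of the example: the predictor is the mean of the client’s last three updates (the paper’s predictor is more elaborate), the score is a Euclidean distance, the threshold is three times the median score, and the patience is three rounds; the honest and malicious update streams are constructed.

```python
"""Consistency-based flagging of clients in the spirit of FLDetector.

Added example, not the authors' implementation. Assumptions beyond the page:
the server predicts a client's next update as the mean of its last `window`
updates, the suspicion score is the Euclidean distance between actual and
predicted update, a client earns a strike when its score exceeds `factor`
times the round's median score, and it is flagged after `patience`
consecutive strikes (the consecutive requirement limits false alarms from a
single noisy round).
"""
import math
from collections import defaultdict, deque


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class ConsistencyDetector:
    def __init__(self, window=3, factor=3.0, patience=3):
        self.hist = defaultdict(lambda: deque(maxlen=window))  # per-client history
        self.strikes = defaultdict(int)
        self.factor, self.patience = factor, patience
        self.flagged = set()

    def predict(self, cid):
        """Predicted next update: mean of the client's recent updates."""
        h = self.hist[cid]
        return [sum(u[k] for u in h) / len(h) for k in range(len(h[0]))]

    def observe_round(self, updates):
        """updates: {client_id: update vector}. Returns this round's scores."""
        scores = {}
        for cid, u in updates.items():
            if self.hist[cid]:
                scores[cid] = _dist(u, self.predict(cid))
            self.hist[cid].append(list(u))
        if scores:
            ordered = sorted(scores.values())
            median = ordered[len(ordered) // 2]
            for cid, s in scores.items():
                if s > self.factor * max(median, 1e-12):
                    self.strikes[cid] += 1        # inconsistent this round
                else:
                    self.strikes[cid] = 0         # consistent: reset the streak
                if self.strikes[cid] >= self.patience:
                    self.flagged.add(cid)
        return scores


def demo(rounds=8, n_honest=6):
    """Constructed streams: honest clients send smoothly decaying updates with
    a fixed per-client offset; client 'mal' flips the sign of a large update
    every round, so its updates are inconsistent with its own history."""
    det = ConsistencyDetector()
    history = []
    for t in range(rounds):
        base = [0.9 ** t, 0.5 * 0.9 ** t]
        updates = {f"h{c}": [base[0] + 0.05 * c, base[1] - 0.02 * c]
                   for c in range(n_honest)}
        updates["mal"] = [5.0 * (-1) ** t, -3.0 * (-1) ** t]
        history.append(det.observe_round(updates))
    return {"flagged": det.flagged, "scores": history}
```

The median-relative threshold is what keeps benign drift from being flagged: all honest clients drift by about the same amount each round, so their scores sit at the median, while the sign-flipping client deviates by more than an order of magnitude in every round and is flagged after the third consecutive strike. An adversary whose updates stay close to their own recent history would not be caught by this statistic, which is the adaptive-attack limitation noted above.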

3.9. FLCert: Security by Client Grouping Strategy

Similarly, the authors of [90] proposed FLCert, whose main concept is to divide clients into groups and to learn a global model for each client group using established FL methods. Then, the system uses a majority voting mechanism between these global models to classify test inputs. The approach considers two different methods for grouping clients, resulting in two variants: FLCert-P, in which clients are randomly grouped, and FLCert-D, in which clients are deterministically divided into disjoint groups. Through extensive experimentation on multiple datasets, the results show that the labels predicted by FLCert for test inputs are provably not affected by a bounded number of malicious clients, regardless of the specific poisoning attack strategy. This provable security guarantee positions FLCert as a robust and promising defense-in-depth strategy in the FL landscape that addresses critical vulnerabilities and advances security standards in the field. However, as with any approach, it is important to recognize the potential benefits and limitations, which are listed below:
  • Benefits:
    Provable security: offers a solid security guarantee against poisoning attacks;
    Ensemble approach: leverages client grouping and majority voting among global models;
    Two variants: presents flexibility with FLCert-P and FLCert-D, catering to various use cases.
  • Limitations:
    Assumed malicious clients: FLCert assumes a known upper limit on malicious clients, limiting its applicability in scenarios with uncertain adversarial activity.
    Complexity: Implementing client grouping and ensemble learning introduces computational complexity and resource demands, impacting efficiency.
    Grouping methods: The effectiveness of client grouping methods may vary depending on the data distribution, necessitating careful selection.
    False positives: Like any defense mechanism, finding the right balance between false positives and false negatives in identifying malicious clients may pose a challenge.
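The added example below (not the FLCert code of [90]) works through the FLCert-D idea: clients are deterministically split into disjoint groups, each group yields one prediction, and the final label is the majority vote. Because the groups are disjoint, a malicious client can corrupt at most the one group model it belongs to, so `certified_malicious_bound` computes the largest number of malicious clients that cannot change the vote; this bound, `(n_top - n_second - 1) // 2`, is the example’s own derivation from that observation, not the paper’s formula. The per-group model is replaced by a constructed stand-in (the majority of the group’s clients’ local labels), since training a model per group is out of scope here.

```python
"""FLCert-D style client grouping, majority voting and a certified bound.

Added example, not the authors' code. Constructed stand-in: a group's global
model is represented by the label it predicts on one test input, taken here
as the majority of its clients' local labels. The bound (n_top - n_second - 1)//2
is this example's own derivation: with disjoint groups each malicious client
corrupts at most one group prediction, and in the worst case every corrupted
group moves one vote from the top label to the runner-up.
"""
from collections import Counter


def deterministic_groups(client_ids, n_groups):
    """FLCert-D: deterministic, disjoint groups (round-robin over sorted ids)."""
    groups = [[] for _ in range(n_groups)]
    for i, c in enumerate(sorted(client_ids)):
        groups[i % n_groups].append(c)
    return groups


def group_predictions(groups, client_label):
    """Constructed stand-in for the per-group global models' predictions."""
    preds = []
    for g in groups:
        votes = Counter(client_label[c] for c in g)
        preds.append(min(votes, key=lambda lab: (-votes[lab], lab)))
    return preds


def vote_counts(preds):
    """Ranked (label, count) list; ties broken by label order."""
    return sorted(Counter(preds).items(), key=lambda kv: (-kv[1], kv[0]))


def flcert_predict(preds):
    return vote_counts(preds)[0][0]


def certified_malicious_bound(preds):
    """Largest m such that corrupting any m group predictions cannot change the
    majority label: we need n_top - m > n_second + m in the worst case."""
    ranked = vote_counts(preds)
    n_top = ranked[0][1]
    n_second = ranked[1][1] if len(ranked) > 1 else 0
    return max(0, (n_top - n_second - 1) // 2)


def worst_case_flip(preds, m, adversary_label):
    """Adversary controlling m groups switches those voting for the top label."""
    top = flcert_predict(preds)
    out, flipped = [], 0
    for p in preds:
        if p == top and flipped < m:
            out.append(adversary_label)
            flipped += 1
        else:
            out.append(p)
    return out


def demo(n_clients=30, n_groups=10):
    """Constructed: 30 clients, 10 disjoint groups; clients 1, 4 and 7 hold a
    minority label, so every group still predicts 'cat'."""
    client_label = {c: ("dog" if c in (1, 4, 7) else "cat") for c in range(n_clients)}
    groups = deterministic_groups(client_label, n_groups)
    preds = group_predictions(groups, client_label)
    bound = certified_malicious_bound(preds)
    stable = all(flcert_predict(worst_case_flip(preds, m, "dog")) == "cat"
                 for m in range(bound + 1))
    return {"preds": preds, "label": flcert_predict(preds), "bound": bound,
            "stable_up_to_bound": stable,
            "label_beyond_bound": flcert_predict(worst_case_flip(preds, bound + 2, "dog"))}
```

The guarantee is only as good as the assumed upper limit on malicious clients (the first limitation above): with ten unanimous groups the bound certifies four, and six corrupted groups do flip the vote.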

3.10. ELSA: Security by Distribution of Trust

FL on its own does not account for malicious actors within the system, which is a major obstacle to making FL an ideal solution for privacy-preserving machine learning applications. As a solution, the authors of [91] proposed ELSA, a secure aggregation protocol designed to overcome these challenges. ELSA not only ensures efficiency but also addresses the presence of malicious actors at its core. It introduces a novel secure aggregation protocol based on distributed trust between two servers that keeps individual client updates secret as long as at least one of the two servers remains honest. This design not only protects against malicious clients but also ensures end-to-end efficiency. What distinguishes ELSA from previous protocols is its approach to cryptographic correlations: instead of relying on the servers to generate them interactively, ELSA lets clients act as untrusted dealers of these correlations without compromising the protocol’s security. This results in a significantly faster protocol that offers stronger security than previous methods. Additionally, ELSA introduces techniques that preserve privacy even if one server is malicious, with only a minor increase in runtime and negligible communication overhead compared to scenarios with semi-honest servers. This approach notably improves end-to-end runtime relative to earlier methods with similar security guarantees. The following list outlines the benefits and limitations of ELSA:
  • Benefits:
    Efficiency: The protocol offers a much faster secure aggregation protocol compared to previous approaches, making it suitable for real-world FL scenarios.
    Malicious actor resilience: The protocol addresses the presence of malicious actors at its core, ensuring robust security even in the face of adversarial clients or servers.
    Distributed trust: ELSA leverages distributed trust across two servers, keeping client updates private as long as one server remains honest, enhancing privacy and security.
    Improved security: ELSA achieves stronger security at a high efficiency compared to prior work, making it a noteworthy advancement in secure aggregation techniques.
    Negligible communication overhead compared to semi-honest server scenarios.
  • Limitations:
    Assumed trust: The security of ELSA relies on the assumption of at least one honest server. In cases where both servers are compromised, the protocol’s security guarantees may be compromised.
    Additional runtime cost: While ELSA maintains privacy when a server is malicious, it does come with a runtime cost of 7–25%, which may impact the speed of federated learning processes.
    Specific model consideration: The performance improvements mentioned in the text may be contingent on the specific ML models used, and the results could vary with different model architectures or dataset sizes.

3.11. Multi-RoundSecAgg: Securing via Random User Selection Strategy

In [92], the authors demonstrated that the traditional approach of randomly selecting users in federated learning (FL) can result in the leakage of users’ individual models after a number of rounds proportional to the total number of users. To tackle this issue, they introduced a novel secure aggregation framework called Multi-RoundSecAgg, which offers privacy guarantees across multiple rounds. This framework extends beyond the single-round privacy model and introduces a new metric to assess privacy guarantees throughout successive training rounds. They also developed a systematic user selection strategy to ensure the long-term privacy of each user, independent of the number of training rounds. Additionally, their framework incorporates fairness considerations and maintains an average number of participating users per round. Experiments conducted on datasets demonstrate the effectiveness and practicality of Multi-RoundSecAgg. This advancement represents a significant step forward in addressing the privacy challenges in multi-round FL scenarios, providing enhanced privacy guarantees for federated learning systems.
  • Benefits:
    Enhanced privacy over multiple rounds: recognizes and mitigates privacy vulnerabilities that may arise from partial user participation over time;
    Novel privacy metric: introduces a new metric to quantify privacy guarantees across multiple training rounds, enhancing the assessment and understanding of long-term privacy preservation in federated learning;
    Structured user selection: ensures the sustained privacy of each user, irrespective of the number of training rounds, addressing a critical concern in federated learning;
    Fairness and participation: takes into account considerations of fairness and maintains an average number of participating users at each round, promoting equitable involvement and balanced contributions in the learning process.
  • Limitations:
    Complexity: The introduction of multi-round privacy guarantees and structured user selection strategies may increase the computational and operational complexity of FL systems.
    Resource demands: Implementation could require additional computational and storage resources, which may pose challenges in resource-constrained environments.
    Generalization: The framework’s effectiveness and privacy guarantees may depend on specific use cases and data distributions, and its generalization to all scenarios may require further exploration.
    Fairness considerations: While the framework accounts for fairness in user participation, achieving perfect fairness in all practical scenarios may still be a challenge.
    Scalability: The scalability of Multi-RoundSecAgg to large-scale federated learning scenarios with numerous participants and data sources remains an area of consideration and potential limitation.

4. Securing Federated Learning Using Homomorphic Encryption

The challenges of federated learning require the implementation of various solutions, especially to improve security and privacy. In this context, encryption algorithms have been used to provide additional security for transactions between different FL individuals. Encryption techniques are classified into two main types: secret key algorithms and public key algorithms. All modern encryption algorithms fall into one of these categories. Secret key encryption, also known as symmetric encryption, uses the same key, referred to as the secret key, for both encrypting and decrypting a message. In contrast, public key encryption, or asymmetric encryption, involves two distinct keys: a public key for encrypting the message and a private key for decrypting it [93,94,95,96,97,98].
Homomorphic encryption (HE) in this context is a type of encryption that makes it possible to perform certain computations on ciphertexts and obtain an encrypted result that, when decrypted, matches the result of the same operations on the plaintexts. In the development of current communication systems, this is a desired property [93,94,95,96,97]. RSA [95] is known as the first public-key encryption algorithm with a (multiplicative) homomorphic property. Moreover, the debate on homomorphic encryption schemes can be summarized in the list below [93,94,95,96,97,98]:
  • Benefits:
    No trusted third party is needed: data remain confidential in untrusted settings such as public clouds or third-party servers, because the party performing the computation never holds a decryption key. Data stay encrypted at all times, so a compromise of the computing party exposes only ciphertext;
    No tradeoff between data usability and data privacy: there is no need to obfuscate or strip fields before the data can be processed;
    Resistance to quantum attacks, for the lattice-based schemes on which fully homomorphic encryption is built. This does not extend to RSA- or Paillier-style partially homomorphic schemes, whose security rests on the hardness of factoring.
  • Limitations:
    Poor performance: because of slow computation and, in approximate schemes, loss of precision, fully homomorphic encryption remains commercially impractical for computationally intensive workloads. The research community generally agrees that it still has a considerable distance to go before reaching its full potential. It is already useful, however, when combined with other privacy-enhancing technologies such as secure multiparty computation.
The authors of [80] confirm the poor performance of HE for heavy computation. Discussing the use of HE in federated learning aggregation algorithms, they note that HE supports simple operations on encrypted data and typically incurs high computation and communication costs for complex problems. Since defending against existing attacks requires repeated comparison operations and distance calculations, securing FL with HE is time consuming, which makes it impractical as a defense against known attacks such as Byzantine attacks. Several attempts have nevertheless been made to secure FL algorithms with homomorphic encryption, and these are discussed in this section. It should be noted that these implementations are not FL aggregation algorithms; they are used only to secure communications in the FL system, which is why they were not covered in the previous section.

4.1. Securing FL Communications with HE: State of the Art

Homomorphic encryption has been a hot research topic in recent years, taken up by individual researchers, laboratories and companies across many digital domains. Federated learning is one of them: HE is used to secure the communication among FL individuals.

4.1.1. Using HE as a Standalone Securing Solution

The authors of [99] were among the first to use homomorphic encryption (HE) to secure a federated learning (FL) system. They described a three-party end-to-end system that is secure against an honest-but-curious adversary, with two phases, privacy-preserving entity resolution and federated logistic regression, in which messages are protected with an additively homomorphic scheme. Because such a scheme operates on integers modulo a large modulus, the authors developed an encoding that maps floating-point numbers to modular integers while preserving the additions and multiplications needed to run the algorithm on floating-point data: numbers are encoded, much as in floating-point representation, as a pair of an encoded significand and an unencoded exponent. The FL model is thus trained without sharing users' data and reaches an accuracy comparable to a naive, non-private solution that pools all data in one place; the method scales to millions of entities with hundreds of features each. The authors did not, however, analyze the time and computational complexity of their system. Similarly, the authors of [100] used HE to protect the messages exchanged between the aggregation server and the clients, guarding the FL system against inference attacks, and demonstrated the efficiency of their solution on two private financial datasets.
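The following is an added example, not code from [99], [100] or any FL framework, of the additively homomorphic aggregation pattern described above: clients encode their floating-point updates as integers modulo n, encrypt them with a textbook Paillier cryptosystem, and an aggregator that holds only the public key multiplies the ciphertexts element-wise, which corresponds to adding the plaintexts. The fixed-scale encoding (PREC_BITS) is a simplification of the significand/exponent encoding of [99], and the key size and sample updates are illustrative assumptions.

```python
"""Additive homomorphic aggregation of floating-point model updates.

Added example; not code from [99] or from any FL framework. Textbook
Paillier (additively homomorphic) plus a fixed-point encoding that maps
floats to integers modulo n, so an untrusted aggregator can sum encrypted
client updates without decrypting any of them. The fixed scale PREC_BITS is
a simplification of the significand/exponent encoding described in [99];
key size and the sample updates are illustrative.
"""
import math
import secrets

PREC_BITS = 32   # floats are stored as round(x * 2**PREC_BITS)
KEY_BITS = 512   # toy modulus size; production deployments use 2048 bits or more


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


class Paillier:
    """Public key (n, g = n + 1); private key (lambda, mu)."""

    def __init__(self, bits=KEY_BITS):
        p = _random_prime(bits // 2)
        q = _random_prime(bits // 2)
        while q == p:
            q = _random_prime(bits // 2)
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
        self.mu = pow(self._L(pow(self.n + 1, self.lam, self.n2)), -1, self.n)

    def _L(self, u):
        return (u - 1) // self.n

    def encrypt(self, m):
        """Enc(m) = g^m * r^n mod n^2; with g = n + 1, g^m = 1 + m*n (mod n^2)."""
        while True:
            r = secrets.randbelow(self.n)
            if r > 0 and math.gcd(r, self.n) == 1:
                break
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n

    def add(self, c1, c2):
        """Dec(c1 * c2 mod n^2) == Dec(c1) + Dec(c2) (mod n); needs only the public key."""
        return c1 * c2 % self.n2


def encode(x, n):
    """Fixed-point encoding; negative values wrap into the upper half of Z_n."""
    return round(x * (1 << PREC_BITS)) % n


def decode(m, n):
    if m > n // 2:   # the upper half of Z_n represents negative numbers
        m -= n
    return m / (1 << PREC_BITS)


def aggregate_encrypted(keys, client_updates):
    """Clients encrypt their update vectors; the server multiplies ciphertexts
    element-wise (it never sees a plaintext); the key holder decrypts the sum."""
    encrypted = [[keys.encrypt(encode(v, keys.n)) for v in upd] for upd in client_updates]
    # Server side: only ciphertexts and the public key are used from here on.
    summed = encrypted[0]
    for vec in encrypted[1:]:
        summed = [keys.add(a, b) for a, b in zip(summed, vec)]
    return [decode(keys.decrypt(c), keys.n) for c in summed]


if __name__ == "__main__":
    # Constructed sample: three clients, each sending a three-parameter update.
    updates = [[0.5, -1.25, 3.0], [0.25, 0.75, -2.0], [-1.0, 0.5, 0.125]]
    print(aggregate_encrypted(Paillier(), updates))   # [-0.25, 0.0, 1.125]
```

The decryption key must stay with a party other than the aggregator (in [99], a third coordinating party); if the aggregator also held it, the construction would protect nothing. Decoding is only correct while the true sum stays within half of n, which is why the encoding range has to be sized for the number of clients and the magnitude of their updates.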
The authors of [101] proposed POSEIDON, an extension of SPINDLE [102]. POSEIDON, as its authors define it, enables neural network training and evaluation in a federated learning environment and protects the exchanged messages with multiparty lattice-based homomorphic encryption [103]. It was evaluated on several datasets, including the Breast Cancer Wisconsin (BCW) dataset [104], the EMNIST dataset [105], the Epileptic Seizure Recognition (ESR) dataset [106], the default of credit card clients (CREDIT) dataset [107], the Street View House Numbers (SVHN) dataset [108], and CIFAR-10 and CIFAR-100 [109].
In [110], the authors proposed a privacy-enhanced FL (PEFL) architecture that uses HE as its underlying technology and penalizes poisoners by extracting gradient information from the ciphertexts through a logarithmic function. PEFL, according to its authors, is the first attempt to detect poisoning behavior in FL on ciphertext, and it was evaluated on the EMNIST [105] and CIFAR [109] datasets. In [111], the authors proposed a federated learning security mechanism based on additive homomorphic encryption (DTAHE). The model allows the aggregation server to multiply the individual encrypted inputs by arbitrary coefficients and aggregate them, so that a complete layer can be computed over the individual inputs. In [112], the authors proposed an FL security framework built on fully homomorphic encryption, using an approximate, floating-point-compatible scheme that relies on packing and scaling of ciphertexts. The solution was evaluated on the UK Biobank (UKBB) neuroimaging dataset [113], and the results showed improved learning performance while keeping the FL transactions protected. In [114], the authors proposed an HE-based security scheme intended to protect collaborative deep learning models in an Internet of Things healthcare system; it was evaluated on the Human vs. Machine with 10,000 Training Images (HAM10000) dataset [115] and yielded promising privacy-preserving results. In [116,117,118], the authors likewise built federated learning security systems on homomorphic encryption, producing a secure and trustworthy data exchange environment for FL. The implementations discussed here are summarized in Table 1 below.

4.1.2. Combining HE with Other Security Technologies

In [73], the authors proposed to secure the aggregation step of FL with homomorphic encryption. They did not propose a new aggregation algorithm; instead, their solution combines differential privacy, homomorphic encryption and Secure Multiparty Computation (SMC) to balance the tradeoff between accuracy and privacy. The combination limits the growth of the injected noise as the number of participants increases while maintaining a predefined trust rate. The assurance of the exchanges rests on the roles of differential privacy and HE: each participant adds an amount of noise computed from several metrics, then encrypts the noisy message with the HE cryptosystem and sends it to the aggregator, which sums the ciphertexts to update the global model. By combining these approaches, the authors presented their model as a scalable approach that defends against inference attacks while producing highly accurate models, and several experiments showed it to outperform the state of the art. The time complexity of the computation was, however, not considered in this study.
Similarly, the authors of [119] combined homomorphic encryption with Verifiable Computing (VC), a cryptographic method for ensuring the integrity of computations on authenticated data, to secure federated learning communications. The model was tested on the federated extended EMNIST dataset [105]. The solution was, however, developed only for neural networks, and compatibility with other types of machine learning models was not discussed.
In [120], the authors proposed an algorithm based on blockchain-backed federated learning in which the data exchange is protected with differential privacy and homomorphic encryption. They applied the two techniques to different models, securing distributed random forests with differential privacy and distributed AdaBoost with HE, which provided privacy in both data and model sharing. Finally, they integrated these methods with blockchain and federated learning, and extensive experiments showed that their mechanism performed better on the selected indicators. These implementations are summarized in Table 2.

4.1.3. HE with Reduced Communication and Computation Cost

The increase in computation and communication costs caused by HE was studied by the authors of [121], who proposed BatchCrypt, a system solution for cross-silo federated learning. Their model was designed to secure communications in an FL system while reducing the overhead caused by HE. Rather than encrypting each quantized gradient individually with full precision, they encode a batch of quantized gradients into one long integer and encrypt the batch at once. They also developed new quantization and encoding strategies, together with a gradient clipping (truncation) mechanism, so that ciphertexts of encrypted batches can be aggregated gradient by gradient. BatchCrypt was integrated as a plugin module in FATE [122], an industrial cross-silo FL framework. Evaluations in geographically distributed data centers show that BatchCrypt accelerates training by a factor of 23 to 93 while reducing communication costs by a factor of 66 to 101, with a loss of model accuracy due to quantization of less than 1%.
The authors of [123] proposed Dubhe, a customizable, adaptable and resilient client-selection mechanism for FL with low encryption and communication overhead. Dubhe improves training performance without weakening security by relying on homomorphic encryption. The authors evaluated their method on the EMNIST [105] and CIFAR [109] datasets, and the results showed that it outperformed other approaches in terms of unbiasedness. The authors of [124] presented FLASHE, an HE scheme tailored to cross-silo FL that captures the bare minimum of security and functionality required by dropping the asymmetric key design and using only modular addition with random integers. They also evaluated their model on the EMNIST [105] and CIFAR [109] datasets and reported a 63-fold reduction in computational cost and a 48-fold reduction in communication cost. The authors of [125] proposed PFMLP, a security mechanism for federated learning in which all FL individuals transmit their gradients encrypted under homomorphic encryption; on the EMNIST dataset [105] they demonstrated a computational cost reduction of 25–28%.
A similar solution was proposed in [126]: PCFL, a privacy-preserving and communication-efficient method for federated learning in the Internet of Things. PCFL consists of three components: gradient sparsification, bidirectional compression, and a privacy-preserving protocol based on homomorphic encryption that protects data privacy and is resilient to various collusion scenarios. Evaluated on the EMNIST dataset [105], PCFL outperformed state-of-the-art methods by more than doubling the communication reduction while maintaining high model accuracy, at the cost of a slightly lower convergence rate. The above implementations are summarized in Table 3 below.
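The batching idea behind BatchCrypt [121] is illustrated below with an added example that is not BatchCrypt's own code: several quantized gradients are placed side by side in one long integer so that a single encryption covers the whole batch, and adding the packed integers of K clients adds the gradients slot by slot. The example shows the step that matters for correctness, sizing each slot with enough headroom that the sums never carry into the neighbouring slot, and what goes wrong when that headroom is missing. Offset-binary slots replace BatchCrypt's two's-complement padding, and the clip range, bit widths and sample gradients are constructed assumptions; an additive scheme such as Paillier would be applied to the packed integer before it leaves the client.

```python
"""Batch encoding of quantized gradients into one long integer.

Added example, not BatchCrypt's own code. Packing reduces the number of
ciphertexts from one per gradient to one per batch; the slot width must
leave room for the sum of K clients' values so that no carry crosses into
the next slot. Offset-binary slots are used here instead of BatchCrypt's
two's-complement padding (an assumption of this example); clip range, bit
widths and the sample gradients are constructed.
"""
import math

QUANT_BITS = 8                       # bits per quantized gradient
CLIP = 1.0                           # gradients are clipped to [-CLIP, CLIP]
QMAX = (1 << (QUANT_BITS - 1)) - 1   # 127 for 8 bits
OFFSET = 1 << (QUANT_BITS - 1)       # 128: shifts signed values into [1, 255]


def quantize(grads, clip=CLIP):
    """Clip each float to [-clip, clip] and map it to a signed integer in [-QMAX, QMAX]."""
    return [round(max(-clip, min(clip, g)) / clip * QMAX) for g in grads]


def dequantize(q, clip=CLIP):
    return q * clip / QMAX


def slot_width(num_clients):
    """Bits per slot so that K offset-binary values (each < 2**QUANT_BITS) sum without carry."""
    return QUANT_BITS + math.ceil(math.log2(num_clients))


def pack(quantized, width):
    """Place offset-binary slots side by side in one big integer (client side, pre-encryption)."""
    packed = 0
    for i, q in enumerate(quantized):
        packed |= (q + OFFSET) << (i * width)
    return packed


def unpack_sum(packed_sum, count, width, num_clients):
    """Split the summed integer back into slots and remove the K*OFFSET bias from each."""
    mask = (1 << width) - 1
    return [((packed_sum >> (i * width)) & mask) - num_clients * OFFSET
            for i in range(count)]


def aggregate_packed(client_grads, width=None):
    """Mean gradient obtained by adding packed integers, as an additive HE
    aggregator would do on the ciphertexts. Passing a too-small width
    reproduces the overflow failure that proper slot sizing prevents."""
    k = len(client_grads)
    count = len(client_grads[0])
    if width is None:
        width = slot_width(k)
    packed_sum = sum(pack(quantize(g), width) for g in client_grads)
    slot_sums = unpack_sum(packed_sum, count, width, k)
    return [dequantize(s) / k for s in slot_sums]


def plain_mean(client_grads):
    """Reference: plaintext mean of the unquantized gradients."""
    k = len(client_grads)
    return [sum(col) / k for col in zip(*client_grads)]


if __name__ == "__main__":
    # Constructed sample: three clients, four gradients each.
    G = [[0.5, -0.25, 1.0, 0.0], [-0.5, 0.75, -1.0, 0.1], [0.25, 0.25, 0.5, -0.3]]
    print("packed  :", aggregate_packed(G))
    print("plain   :", plain_mean(G))
    # Same data packed with no headroom: slot sums carry into neighbours.
    print("overflow:", aggregate_packed([[0.9, 0.0]] * 4, width=QUANT_BITS))
```

The slot width grows only logarithmically with the number of clients, which is what keeps the per-gradient cost low; the quantization error of the aggregate is bounded by half a quantization step per client, which is the source of the sub-1% accuracy loss reported for BatchCrypt.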

4.2. Other Approaches to Secure FL

Although homomorphic encryption has proven feasible for securing federated learning, other technologies have also been used in this context. In [127], the authors proposed to secure FL systems with the Covert Communication-Based Federated Learning (CCFL) approach. Their method relies on the emerging communication security technique of covert communication, which hides the very existence of wireless communication activity. CCFL reduces an attacker's ability to extract useful information from the federated learning network (FLN) training protocol, a crucial step in most existing attacks, and thus improves FLN privacy as a whole. The authors tested CCFL extensively under real-world conditions, optimizing the latency of FL under given security criteria.
The authors of [128] advocated protecting FL frameworks by detecting attackers and minimizing their influence on the model, in particular against colluding bidirectional label-flipping attacks. Exploiting correlations between local models, they presented two graph-theoretic algorithms based on the minimum spanning tree and the k-densest graph. Their method limits the impact of attackers even when they make up 70% of all FL individuals, whereas previous efforts could tolerate at most 50%. The efficiency of the approach was demonstrated in experiments on the EMNIST dataset [105].
Finally, several implementations were performed to secure FL algorithms using blockchain technology. Thus, in [129,130,131], the authors proposed several blockchain solutions aimed at securing federated learning algorithms. Based on the results obtained in these studies, blockchain as a decentralized technology has demonstrated its ability to improve the performance of FL without the need for a centralized server and to solve several problems and challenges such as communication costs, disclosure of private information, the irregularity of uploading model parameters to the aggregator and others.

5. Discussing Security in FL Aggregation Algorithms

Federated learning technology is emerging as an efficient, robust, and viable machine learning technology while maintaining privacy. The interest in improving the aggregation algorithms and securing the data sharing mechanisms of federated learning has increasingly attracted the attention of researchers worldwide. Attempts to improve the security, privacy and robustness of these aggregation algorithms may lead to greater confidence in this technology, which in turn will encourage the adoption of FL in various areas of life.

5.1. Evaluation Criteria

In the rapidly evolving landscape of Federated Learning (FL), evaluating the effectiveness and robustness of various security mechanisms is crucial for understanding their practical utility. To ensure that FL systems are both secure and efficient, a comprehensive assessment framework is necessary. This section outlines the key criteria and metrics used to evaluate different security mechanisms and aggregation algorithms. By examining robustness against attacks, privacy preservation, communication efficiency, computational complexity, scalability, fault tolerance and accuracy, we can gain a deeper insight into the strengths and limitations of each approach. This evaluation not only provides a structured methodology for comparing these mechanisms but also highlights their suitability for various application scenarios, thereby enhancing the overall understanding of their performance and effectiveness in securing federated learning systems. Therefore, the below metrics are used to evaluate FL security approaches:
  • Robustness against attacks:
    • Byzantine robustness: assess how well the algorithm handles Byzantine attacks. Metrics might include the algorithm’s ability to prevent the global model from being corrupted by malicious updates;
    • Poisoning resistance: evaluate how the algorithm performs in the presence of poisoning attacks where malicious clients inject harmful data;
    • Inference attack resistance: evaluate how well the algorithm withstands inference attacks.
  • Privacy preservation:
    • Differential privacy: measure the level of differential privacy the algorithm provides. This can include evaluating the amount of noise added and the impact on model performance;
    • Secure multi-party computation (MPC) efficiency: analyze the computational and communication overhead associated with cryptographic techniques used to preserve privacy.
  • Communication efficiency:
    • Bandwidth consumption: quantify the amount of communication required between clients and the server. Metrics might include the total data sent per iteration and overall bandwidth usage;
    • Communication latency: measure the time taken for communication between participants and the server.
  • Computational complexity:
    • Time complexity: evaluate the time complexity of the aggregation algorithm, particularly how it scales with the number of participants and the size of the model;
    • Space complexity: assess the memory requirements of the algorithm, including data storage and processing needs.
  • Scalability:
    • Participant scalability: determine how well the algorithm scales with an increasing number of participants. Metrics might include the impact on convergence time and model accuracy as more participants are added;
    • Model scalability: evaluate how the algorithm performs with different sizes and types of models, such as deep learning models with many layers.
  • Fault tolerance:
    • Handling dropouts: assess the algorithm’s ability to handle client dropouts or unavailability without significantly affecting the training process;
    • Error recovery: measure how the algorithm recovers from errors or failures in the communication or aggregation process.
  • Accuracy and convergence:
    • Model accuracy: compare the accuracy of the global model produced by the algorithm against a baseline or other algorithms. Metrics might include precision, recall, F1-score, and overall accuracy;
    • Convergence speed: measure how quickly the algorithm converges to a stable model. This could be assessed by the number of iterations required to reach a certain accuracy level.

5.2. Advantages and Drawbacks

To facilitate a comprehensive comparison of the various privacy-preserving and secure aggregation methods in Federated Learning (FL), the key advantages and shortcomings of each approach are summarized in Table 4. This overview highlights the unique strengths and potential limitations of different strategies, ranging from robust defense mechanisms against Byzantine attacks to efficient privacy-preserving techniques. By examining these methods through the lens of their benefits and drawbacks, we aim to provide a clearer understanding of their practical implications and effectiveness in addressing the diverse security challenges faced by federated learning systems.

5.3. Securing Aggregation Algorithms

Federated learning aggregation algorithms are of great interest in terms of security and privacy, especially because they are vulnerable to poisoning attacks, inference attacks and other breaches. Therefore, researchers are looking for various ways to secure these algorithms, as described in detail in Section 3. However, it was found that most of the proposed algorithms focused either on robustness against attacks, especially the Byzantine attack, or on the security branches of trust, authentication and integrity. Of the seven algorithms discussed, only SecureD FL [76] addressed securing the FL aggregation algorithms against the inference attacks within the proposed communication model, and none of the algorithms proposed solutions for both class and membership inference. This conclusion sparks interest in working on new algorithms that can help solve these challenges.
Table 5 below summarizes the various aggregation algorithms intended to solve security challenges. The roles played by these algorithms are presented in three categories, security, privacy, and robustness, based on the taxonomy mentioned in Section 1.2.1.
The reasons for ignoring inference attacks were not discussed for these algorithms. As shown in the table below, four of the implementations discussed poisoning attacks, particularly the Byzantine attack, while neglecting the severity of inference attacks where at least some information about the individual’s data could be extracted from the exchanged local model.
Moreover, none of these aggregation algorithms considered the use of homomorphic encryption as a solution to security threats. HE has been widely considered as a solution in federated learning, but it has never been embedded in an aggregation algorithm. As mentioned earlier, the authors of [80], who proposed the aggregation algorithm SEAR, confirmed that HE has a high communication and computation overhead and supports only simple operations, which makes it expensive for complex problems. We can therefore conclude with the following summary regarding security approaches in FL aggregation algorithms (in the lists below, the acronym RF stands for research finding):
  • RF1: There is a need to improve the privacy of aggregation algorithms by leveraging resistance to inference attacks, which can occur at the communication channel level or even through the central aggregation server itself.

5.4. Securing Communication Among FL Individuals

The federated learning system usually consists of individuals and an aggregation server. In some studies, the aggregation algorithm has been moved to the individuals themselves, eliminating the need for a central server. Securing this communication is discussed in detail in Section 4. Homomorphic encryption, secure multiparty computation (SMC), verifiable computing, and blockchain are examples of tools that have been considered for developing systems to secure communications in FL environments. Given the high communication and computational costs associated with using HE, several implementations have considered reducing these costs to improve performance and increase the usability of FL algorithms.
However, these proposed solutions work as a security layer or as an add-on component of the FL system. In this context, their ability to generalize and adapt to different aggregation algorithms is not guaranteed. This is also evidenced by the fact that some, or rather most, of the proposed mechanisms were developed only for neural network models and have not been tested with other model families, such as Support Vector Machines (SVMs), which remain of great interest in machine learning.
In addition, the reduction in communication and computational costs has been studied using certain datasets, and it is not known if the performance improvement occurs when other datasets are used, especially when the analyzed databases are heterogeneous.
Furthermore, outsourcing encryption algorithms, communication control, and other security techniques may require adding a new individual to the FL system to control or manage these mechanisms, such as an encryption server or communication controller. This point in turn raises other debates about the integrity of these added individuals and their vulnerability to attacks or threats, which also require additional security.
Consequently, we can conclude with the summary below regarding security mechanisms in FL systems:
  • RF2: Most security schemes are focused on neural networks. Other types of ML models have rarely been considered, if at all;
  • RF3: Compatibility of the schema with different machine learning models is not guaranteed;
  • RF4: Communication/computational cost has been evaluated using a limited number of datasets. This improvement is not guaranteed with other datasets, especially heterogeneous datasets, which are a major concern in FL systems;
  • RF5: Adding individuals that act as security managers, such as encryption managers or communication controllers, raises the question of the security of those individuals themselves and their vulnerability to breaches and attacks.

5.5. Unrevealed Secrets: Techniques Yet Unseen in FL Security

Federated learning research is on the rise, as can be seen from the implementations carried out in the last few years. Although the field is still in its infancy, the number of studies published gives hope for significant development in the near future, which will promote and facilitate its application in different areas of life. Some technologies, however, have not been considered for securing the FL system, either because they were judged infeasible or impractical in this setting or, as far as we know, simply because no FL implementation has used them yet. Among them, Polymorphic Encryption (PE) is highlighted as a viable method for exchanging encrypted data with strong privacy assurances, as discussed in [132,133]. PE could be used to protect the FL system against inference attacks at the level of communication between the individuals themselves or between the individuals and the aggregation server. The communication and computational costs of PE, as well as its resistance to poisoning attacks, are open questions worth investigating. This idea can be summarized with the following research finding:
  • RF6: There are other security technologies that have not been considered to secure the FL system, with polymorphic encryption given as an example.
In Figure 7 below, the research findings, which are the results obtained after analyzing the privacy and security approaches in federated learning, are presented.

5.6. Future Perspectives

Given the information presented in this article and the discussion in this section, it can be concluded that federated learning has been extensively studied in terms of resilience to malicious individuals and robustness to poisoning attacks such as Byzantine attacks. However, there are a number of aspects that can be considered to improve the privacy of federated learning and increase its feasibility and usability. These aspects are summarized in the following list (the acronym FP used in the list below is short for future perspective):
  • FP1: Consider applying privacy mechanisms to improve the robustness of existing or new FL aggregation algorithms against inference attacks;
  • FP2: Generalize the security mechanisms to cover ML models other than neural networks, such as SVMs and others;
  • FP3: Ensure that the improvements in communication and computation time reduction achieved by the available studies are maintained for datasets other than those commonly used in these studies (mainly EMNIST and CIFAR);
  • FP4: Demonstrate that third-party security managers (i.e., communication control unit, homomorphic encryption controller, etc.) are secure enough to be embedded in a federated learning system;
  • FP5: Incorporate embedding-efficient security mechanisms, such as polymorphic encryption, into FL systems and compare their performance with available implementations.

6. Conclusions

Federated learning is rapidly emerging as a potential technique to increase the confidence and adoption of machine learning in various aspects of life. The privacy and security techniques used in federated learning algorithms have been discussed in detail in this article. It has been shown that the available FL aggregation algorithms perform well in terms of security and robustness but poorly in terms of privacy and resistance to inference attacks. In this context, security approaches such as homomorphic encryption, polymorphic encryption and other tools can be considered as secure ways to improve the performance, privacy and security of federated learning, increasing its use in real-world applications.

Author Contributions

Conceptualization: M.M. and M.A.; formal analysis: M.M.; investigation: M.M.; methodology: M.M. and M.A.; supervision: M.A., A.B., H.I. and A.R.; visualization: M.M.; writing—original draft: M.M.; writing—review and editing: M.A., A.B., H.I. and A.R. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Natural Sciences and Engineering Research Council of Canada (NSERC), grant number 06351.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Acknowledgments

We acknowledge the support of Centre d’Entrepreneuriat et de Valorisation des Innovations (CEVI).

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Ramkumar, P.N.; Haeberle, H.S.; Bloomfield, M.R.; Schaffer, J.L.; Kamath, A.F.; Patterson, B.M.; Krebs, V.E. Artificial intelligence and arthroplasty at a single institution: Real-world applications of Machine Learning to big data, value-based care, mobile health, and remote patient monitoring. J. Arthroplasty 2019, 34, 2204–2209.
  2. Erickson, B.J.; Korfiatis, P.; Akkus, Z.; Kline, T.L. Machine Learning for medical imaging. Radiographics 2017, 37, 505.
  3. Bhardwaj, R.; Nambiar, A.R.; Dutta, D. A study of Machine Learning in healthcare. In Proceedings of the 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), Turin, Italy, 4–8 July 2017; IEEE: Piscataway, NJ, USA, 2017; Volume 2, pp. 236–241.
  4. Ghazal, T.M.; Hasan, M.K.; Alshurideh, M.T.; Alzoubi, H.M.; Ahmad, M.; Akbar, S.S.; Al Kurdi, B.; Akour, I.A. IoT for smart cities: Machine Learning approaches in smart healthcare—A review. Future Internet 2021, 13, 218.
  5. Zantalis, F.; Koulouras, G.; Karabetsos, S.; Kandris, D. A review of Machine Learning and IoT in smart transportation. Future Internet 2019, 11, 94.
  6. Larrañaga, P.; Atienza, D.; Diaz-Rozo, J.; Ogbechie, A.; Puerto-Santana, C.; Bielza, C. Industrial Applications of Machine Learning; CRC Press: Boca Raton, FL, USA, 2018.
  7. Sarker, I.H. Machine Learning: Algorithms, real-world applications and research directions. SN Comput. Sci. 2021, 2, 160.
  8. Sharma, N.; Sharma, R.; Jindal, N. Machine Learning and deep learning applications—A vision. Glob. Transit. Proc. 2021, 2, 24–28.
  9. Nagarhalli, T.P.; Vaze, V.; Rana, N.K. Impact of Machine Learning in natural language processing: A review. In Proceedings of the 2021 Third International Conference on Intelligent Communication Technologies and Virtual Mobile Networks (ICICV), Tirunelveli, India, 4–6 February 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1529–1534.
  10. Pallathadka, H.; Mustafa, M.; Sanchez, D.T.; Sajja, G.S.; Gour, S.; Naved, M. Impact of Machine Learning on management, healthcare and agriculture. Mater. Today Proc. 2023, 80, 2803–2806.
  11. Liakos, K.G.; Busato, P.; Moshou, D.; Pearson, S.; Bochtis, D. Machine Learning in agriculture: A review. Sensors 2018, 18, 2674.
  12. Xin, Y.; Kong, L.; Liu, Z.; Chen, Y.; Li, Y.; Zhu, H.; Gao, M.; Hou, H.; Wang, C. Machine Learning and deep learning methods for cybersecurity. IEEE Access 2018, 6, 35365–35381.
  13. L'heureux, A.; Grolinger, K.; Elyamany, H.F.; Capretz, M.A. Machine Learning with big data: Challenges and approaches. IEEE Access 2017, 5, 7776–7797.
  14. Paleyes, A.; Urma, R.G.; Lawrence, N.D. Challenges in deploying Machine Learning: A survey of case studies. ACM Comput. Surv. (CSUR) 2022, 55, 1–29.
  15. Zhou, L.; Pan, S.; Wang, J.; Vasilakos, A.V. Machine Learning on big data: Opportunities and challenges. Neurocomputing 2017, 237, 350–361.
  16. Wuest, T.; Weimer, D.; Irgens, C.; Thoben, K.D. Machine Learning in manufacturing: Advantages, challenges, and applications. Prod. Manuf. Res. 2016, 4, 23–45.
  17. Injadat, M.; Moubayed, A.; Nassif, A.B.; Shami, A. Machine Learning towards intelligent systems: Applications, challenges, and opportunities. Artif. Intell. Rev. 2021, 54, 3299–3348.
  18. Char, D.S.; Shah, N.H.; Magnus, D. Implementing Machine Learning in health care—Addressing ethical challenges. N. Engl. J. Med. 2018, 378, 981.
  19. Albrecht, J.P. How the GDPR will change the world. Eur. Data Prot. L. Rev. 2016, 2, 287.
  20. Parasol, M. The impact of China's 2016 Cyber Security Law on foreign technology firms, and on China's big data and Smart City dreams. Comput. Law Secur. Rev. 2018, 34, 67–98.
  21. Gray, W.; Zheng, H.R. General Principles of Civil Law of the People's Republic of China. Am. J. Comp. Law 1986, 34, 715–743.
  22. Zhang, C.; Xie, Y.; Bai, H.; Yu, B.; Li, W.; Gao, Y. A survey on Federated Learning. Knowl.-Based Syst. 2021, 216, 106775.
  23. McMahan, B.; Moore, E.; Ramage, D.; Hampson, S.; y Arcas, B.A. Communication-efficient learning of deep networks from decentralized data. In Proceedings of the Artificial Intelligence and Statistics (AISTATS), Fort Lauderdale, FL, USA, 20–22 April 2017; PMLR; pp. 1273–1282.
  24. Li, T.; Sahu, A.K.; Talwalkar, A.; Smith, V. Federated Learning: Challenges, methods, and future directions. IEEE Signal Process. Mag. 2020, 37, 50–60.
  25. Kairouz, P.; McMahan, H.B.; Avent, B.; Bellet, A.; Bennis, M.; Bhagoji, A.N.; Bonawitz, K.; Charles, Z.; Cormode, G.; Cummings, R.; et al. Advances and open problems in Federated Learning. Found. Trends Mach. Learn. 2021, 14, 1–210.
  26. Ding, J.; Tramel, E.; Sahu, A.K.; Wu, S.; Avestimehr, S.; Zhang, T. Federated Learning challenges and opportunities: An outlook. In Proceedings of the ICASSP 2022 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Virtual, 7–13 May 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 8752–8756.
  27. Yang, Q.; Liu, Y.; Chen, T.; Tong, Y. Federated Machine Learning: Concept and applications. ACM Trans. Intell. Syst. Technol. (TIST) 2019, 10, 1–19.
  28. Rahman, K.J.; Ahmed, F.; Akhter, N.; Hasan, M.; Amin, R.; Aziz, K.E.; Muzahidul Islam, A.K.M.; Hossain Mukta, M.S.; Najmul Islam, A.K.M. Challenges, applications and design aspects of Federated Learning: A survey. IEEE Access 2021, 9, 124682–124700. [Google Scholar] [CrossRef]
  29. Lyu, L.; Yu, H.; Yang, Q. Threats to Federated Learning: A survey. arXiv 2020, arXiv:2003.02133. [Google Scholar]
  30. Bambauer, D.E. Privacy versus security. J. Crim. L. Criminol. 2013, 103, 667. [Google Scholar]
  31. Acquisti, A. Privacy and security of personal information. In Economics of Information Security; Springer: Boston, MA, USA, 2004; pp. 179–186. [Google Scholar]
  32. Regan, P.M. Privacy as a common good in the digital world. Inf. Commun. Soc. 2002, 5, 382–405. [Google Scholar] [CrossRef]
  33. Kernighan, B.W. Understanding the Digital World: What You Need to Know about Computers, Theinternet, Privacy, and Security; Princeton University Press: Princeton, NJ, USA, 2021. [Google Scholar]
  34. Bhowmick, A.; Duchi, J.; Freudiger, J.; Kapoor, G.; Rogers, R. Protection against reconstructionand its applications in private Federated Learning. arXiv 2018, arXiv:1812.00984. [Google Scholar]
  35. Fredrikson, M.; Jha, S.; Ristenpart, T. Model inversion attacks that exploit confidenceinformation and basic countermeasures. In Proceedings of the 22nd ACM SIGSAC Conference on Computerand Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 1322–1333. [Google Scholar]
  36. Melis, L.; Song, C.; De Cristofaro, E.; Shmatikov, V. Exploiting unintended feature leakage incollaborative learning. In Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 19–23 May 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 691–706. [Google Scholar]
  37. Zhu, L.; Liu, Z.; Han, S. Deep leakage from gradients. In Proceedings of the Advances in Neural Information Processing Systems, Vancouver, BC, Canada, 8–14 December 2019; Volume 32. [Google Scholar]
  38. McMahan, H.B.; Ramage, D.; Talwar, K.; Zhang, L. Learning differentially private recurrentlanguage models. arXiv 2017, arXiv:1710.06963. [Google Scholar]
  39. Agarwal, N.; Suresh, A.T.; Yu, F.X.X.; Kumar, S.; McMahan, B. cpSGD: Communication-efficientand differentially-private distributed SGD. In Proceedings of the Advances in Neural Information Processing Systems, Montreal, QC, Canada, 3–8 December 2018; Volume 31. [Google Scholar]
  40. Aono, Y.; Hayashi, T.; Wang, L.; Moriai, S. Privacy-preserving deep learning via additively homomorphicencryption. IEEE Trans. Inf. Forensics Secur. 2017, 13, 1333–1345. [Google Scholar]
  41. Bhagoji, A.N.; Chakraborty, S.; Mittal, P.; Calo, S. Analyzing Federated Learning through anadversarial lens. In Proceedings of the International Conference on Machine Learning, Long Beach, CA, USA, 9–15 June 2019; pp. 634–643, PMLR. [Google Scholar]
  42. Bagdasaryan, E.; Veit, A.; Hua, Y.; Estrin, D.; Shmatikov, V. How to backdoor federatedlearning. In Proceedings of the International Conference on Artificial Intelligence and Statistics, Online, 26–28 August 2020; pp. 2938–2948, PMLR. [Google Scholar]
  43. Fung, C.; Yoon, C.J.; Beschastnikh, I. Mitigating sybils in Federated Learning poisoning. arXiv 2018, arXiv:1808.04866. [Google Scholar]
  44. Blanchard, P.; El Mhamdi, E.M.; Guerraoui, R.; Stainer, J. Machine Learning with adversaries:Byzantine tolerant gradient descent. In Proceedings of the Advances in Neural Information Processing Systems, Long Beach, CA, USA, 4–9 December 2017; Volume 30. [Google Scholar]
  45. Chen, Y.; Su, L.; Xu, J. Distributed statistical Machine Learning in adversarial settings: Byzantine gradient descent. Proc. ACM Meas. Anal. Comput. Syst. 2017, 1, 1–25. [Google Scholar] [CrossRef]
  46. Chen, L.; Wang, H.; Charles, Z.; Papailiopoulos, D. Draco: Byzantine-resilient distributedtraining via redundant gradients. In Proceedings of the International Conference on Machine Learning, Stockholm, Sweden, 10–15 July 2018; pp. 903–912, PMLR. [Google Scholar]
  47. Yin, D.; Chen, Y.; Kannan, R.; Bartlett, P. Byzantine-robust distributed learning: Towardsoptimal statistical rates. In Proceedings of the International Conference on Machine Learning, Stockholm, Sweden, 10–15 July 2018; pp. 5650–5659, PMLR. [Google Scholar]
  48. Lamport, L.; Shostak, R.; Pease, M. The Byzantine generals problem. In Concurrency: The Worksof Leslie Lamport; Association for Computing Machinery: New York, NY, USA, 2019; pp. 203–226. [Google Scholar]
  49. Xie, C.; Koyejo, O.; Gupta, I. Generalized byzantine-tolerant sgd. arXiv 2018, arXiv:1802.10116. [Google Scholar]
  50. Xie, C.; Koyejo, O.; Gupta, I. Fall of empires: Breaking byzantine-tolerant sgd by innerproduct manipulation. In Proceedings of the Uncertainty in Artificial Intelligence, Tel Aviv, Israel, 22–25 July 2020; pp. 261–270, PMLR. [Google Scholar]
  51. Biggio, B.; Nelson, B.; Laskov, P. Support vector machines under adversarial label noise. In Proceedings of the Asian conference on Machine Learning, Taoyuan, Taiwain, 14–15 November 2011; pp. 97–112, PMLR. [Google Scholar]
  52. Barreno, M.; Nelson, B.; Sears, R.; Joseph, A.D.; Tygar, J.D. Can Machine Learning besecure? In Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, Taipei, Taiwan, 21–24 March 2006; pp. 16–25. [Google Scholar]
  53. Huang, L.; Joseph, A.D.; Nelson, B.; Rubinstein, B.I.; Tygar, J.D. Adversarial machinelearning. In Proceedings of the 4th ACM workshop on Security and Artificial Intelligence, Chicago, IL, USA, 21 October 2011; pp. 43–58. [Google Scholar]
  54. Shafahi, A.; Huang, W.R.; Najibi, M.; Suciu, O.; Studer, C.; Dumitras, T.; Goldstein, T. Poisonfrogs! targeted clean-label poisoning attacks on neural networks. In Proceedings of the Advances in Neural Information Processing Systems, Montreal, QC, Canada, 3–8 December 2018; Volume 31. [Google Scholar]
  55. Gu, T.; Dolan-Gavitt, B.; Garg, S. Badnets: Identifying vulnerabilities in the Machine Learningmodel supply chain. arXiv 2017, arXiv:1708.06733. [Google Scholar]
  56. Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.; Fergus, R. Intriguingproperties of neural networks. arXiv 2013, arXiv:1312.6199. [Google Scholar]
  57. Su, L.; Xu, J. Securing distributed gradient descent in high dimensional statistical learning. Proc. ACM Meas. Anal. Comput. Syst. 2019, 3, 1–41. [Google Scholar] [CrossRef]
  58. Shokri, R.; Stronati, M.; Song, C.; Shmatikov, V. Membership inference attacks againstMachine Learning models. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2017; IEEE: Piscataway, NJ, USA, 2017; pp. 3–18. [Google Scholar]
  59. Hamer, J.; Mohri, M.; Suresh, A.T. Fedboost: A communication-efficient algorithm forFederated Learning. In Proceedings of the International Conference on Machine Learning, Virtual Event, 13–18 July 2020; pp. 3973–3983, PMLR. [Google Scholar]
  60. Li, T.; Sahu, A.K.; Zaheer, M.; Sanjabi, M.; Talwalkar, A.; Smith, V. Federated optimization inheterogeneous networks. In Proceedings of the Machine Learning and Systems, Santa Clara Convention Center, Santa Clara, CA, USA, 12–15 May 2020; Volume 2, pp. 429–450. [Google Scholar]
  61. Wang, H.; Yurochkin, M.; Sun, Y.; Papailiopoulos, D.; Khazaeni, Y. Federated Learning with matchedaveraging. arXiv 2020, arXiv:2002.06440. [Google Scholar]
  62. Sannara, E.K.; Portet, F.; Lalanda, P.; German, V.E.G.A. A Federated Learning aggregation algorithm for pervasive computing: Evaluation and comparison. In Proceedings of the 2021 IEEE International Conference on Pervasive Computing and Communications (PerCom), Kassel, Germany, 22–26 March 2021; pp. 1–10. [Google Scholar]
  63. Bonawitz, K.; Ivanov, V.; Kreuter, B.; Marcedone, A.; McMahan, H.B.; Patel, S.; Ramage, D.; Segal, A.; Seth, K. Practical secure aggregation for privacy-preserving Machine Learning. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 1175–1191. [Google Scholar]
  64. Shamir, A. How to share a secret. Commun. ACM 1979, 22, 612–613. [Google Scholar] [CrossRef]
  65. Yu, H.; Wang, Z.; Li, J.; Gao, X. Identity-based proxy signcryption protocol with universal composability. Secur. Commun. Networks 2018, 2018, 9531784. [Google Scholar] [CrossRef]
  66. Pillutla, K.; Kakade, S.M.; Harchaoui, Z. Robust aggregation for Federated Learning. arXiv 2019, arXiv:1912.13445. [Google Scholar] [CrossRef]
  67. Weiszfeld, E.; Plastria, F. On the point for which the sum of the distances to n given points isminimum. Ann. Oper. Res. 2009, 167, 7–41. [Google Scholar] [CrossRef]
  68. Varma, K.; Zhou, Y.; Baracaldo, N.; Anwar, A. LEGATO: A LayerwisE Gradient AggregaTiOnAlgorithm for Mitigating Byzantine Attacks in Federated Learning. In Proceedings of the 2021 IEEE 14th International Conference on Cloud Computing (CLOUD), Chicago, IL, USA, 5–10 September 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 272–277. [Google Scholar]
  69. Chen, V.; Pastro, V.; Raykova, M. Secure computation for Machine Learning with SPDZ. arXiv 2019, arXiv:1901.00329. [Google Scholar]
  70. Agrawal, N.; Shahin Shamsabadi, A.; Kusner, M.J.; Gascon, A. QUOTIENT: Twopartysecure neural network training and prediction. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; pp. 1231–1247. [Google Scholar]
  71. Shokri, R.; Shmatikov, V. Privacy-preserving deep learning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 1310–1321. [Google Scholar]
  72. Abadi, M.; Chu, A.; Goodfellow, I.; McMahan, H.B.; Mironov, I.; Talwar, K.; Zhang, L. Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer Andcommunications Security, Vienna, Austria, 24–28 October 2016; pp. 308–318. [Google Scholar]
  73. Truex, S.; Baracaldo, N.; Anwar, A.; Steinke, T.; Ludwig, H.; Zhang, R.; Zhou, Y. A hybrid approach to privacy-preserving Federated Learning. In Proceedings of the 12th ACM Workshop Onartificial Intelligence and Security, London, UK, 15 November 2019; pp. 1–11. [Google Scholar]
  74. Xu, R.; Baracaldo, N.; Zhou, Y.; Anwar, A.; Ludwig, H. Hybridalpha: An efficientapproach for privacy-preserving Federated Learning. In Proceedings of the 12th ACM Workshop on ArtificialIntelligence and Security, London, UK, 15 November 2019; pp. 13–23. [Google Scholar]
  75. Ryffel, T.; Trask, A.; Dahl, M.; Wagner, B.; Mancuso, J.; Rueckert, D.; Passerat-Palmbach, J. Ageneric framework for privacy preserving deep learning. arXiv 2018, arXiv:1811.04017. [Google Scholar]
  76. Jeon, B.; Ferdous, S.M.; Rahman, M.R.; Walid, A. Privacy-preserving decentralized aggregationfor Federated Learning. In Proceedings of the IEEE INFOCOM 2021-IEEE Conference on Computer CommunicationsWorkshops (INFOCOM WKSHPS), Virtual, 10–13 May 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–6. [Google Scholar]
  77. Boyd, S.; Parikh, N.; Chu, E.; Peleato, B.; Eckstein, J. Distributed optimization and statistical learning via the alternating direction method of multipliers. Found. Trends Mach. Learn. 2011, 3, 1–122. [Google Scholar] [CrossRef]
  78. Stinson, D.R. Combinatorial designs: Constructions and analysis. ACM SIGACT News 2008, 39, 17–21. [Google Scholar] [CrossRef]
  79. Hitaj, B.; Ateniese, G.; Perez-Cruz, F. Deep models under the GAN: Information leakagefrom collaborative deep learning. In Proceedings of the 2017 ACM SIGSAC Conference on Computer Andcommunications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 603–618. [Google Scholar]
  80. Zhao, L.; Jiang, J.; Feng, B.; Wang, Q.; Shen, C.; Li, Q. Sear: Secure and efficient aggregationfor byzantine-robust Federated Learning. IEEE Trans. Dependable Secur. Comput. 2021, 19, 3329–3342. [Google Scholar] [CrossRef]
  81. McKeen, F.; Alexandrovich, I.; Berenzon, A.; Rozas, C.V.; Shafi, H.; Shanbhogue, V.; Savagaonkar, U.R. Innovative Instructions and Software Model for Isolated Execution. Hasp@ isca 2013. Volume 10. Available online: https://www.intel.com/content/dam/develop/external/us/en/documents/hasp-2013-innovative-instructions-and-software-model-for-isolated-execution.pdf (accessed on 2 September 2024).
  82. Li, W.; Xia, Y.; Chen, H. Research on arm trustzone. GetMobile Mob. Comput. Commun. 2019, 22, 17–22. [Google Scholar] [CrossRef]
  83. Brasser, F.; Muller, U.; Dmitrienko, A.; Kostiainen, K.; Capkun, S.; Sadeghi, A.R. Software grandexposure:SGX cache attacks are practical. In Proceedings of the 11th USENIX Workshop on Offensive Technologies (WOOT 17), Vancouver, BC, Canada, 14–15 August 2017. [Google Scholar]
  84. Moghimi, A.; Irazoqui, G.; Eisenbarth, T. Cachezoom: How SGX amplifies the power ofcache attacks. In Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems, Taipei, Taiwan, 25–28 September 2017; Springer: Cham, Switzerland, 2017; pp. 69–90. [Google Scholar]
  85. Schwarz, M.; Weiser, S.; Gruss, D.; Maurice, C.; Mangard, S. Malware guard extension:Using SGX to conceal cache attacks. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Lausanne, Switzerland, 17–19 July 2017; Springer: Cham, Switzerland, 2017; pp. 3–24. [Google Scholar]
  86. Song, J.; Wang, W.; Gadekallu, T.R.; Cao, J.; Liu, Y. Eppda: An efficient privacy-preserving dataaggregation Federated Learning scheme. IEEE Trans. Netw. Sci. Eng. 2022, 10, 3047–3057. [Google Scholar] [CrossRef]
  87. Benaloh, J.C. Secret sharing homomorphisms: Keeping shares of a secret secret. In Proceedings of the Conference on the Theory and Application of Cryptographic Techniques, Santa Barbara, CA, USA, 11–15 August 1986; Springer: Berlin/Heidelberg, Germany, 1986; pp. 251–260. [Google Scholar]
  88. Elkordy, A.R.; Avestimehr, A.S. Heterosag: Secure aggregation with heterogeneous quantization in Federated Learning. IEEE Trans. Commun. 2022, 70, 2372–2386. [Google Scholar] [CrossRef]
  89. Zhang, Z.; Cao, X.; Jia, J.; Zhen, N.; Gong, Q. FLDetector: Defending Federated Learning against model poisoning attacks via detecting malicious clients. In Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, Washington, DC, USA, 14–18 August 2022; pp. 2545–2555. [Google Scholar]
  90. Cao, X.; Zhang, Z.; Jia, J.; Zhen, N.; Gong, Q. Flcert: Provably secure Federated Learning against poisoning attacks. IEEE Trans. Inf. Forensics Secur. 2022, 17, 3691–3705. [Google Scholar] [CrossRef]
  91. Rathee, M.; Shen, C.; Wagh, S.; Popa, R.A. Elsa: Secure aggregation for Federated Learning with malicious actors. In Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 21–25 May 2023; IEEE: Piscataway, NJ, USA, 2023; pp. 1961–1979. [Google Scholar]
  92. So, J.; Ali, R.E.; Guler, B.; Jiao, J.; Avestimehr, A.S. Securing secure aggregation: Mitigating multi-round privacy leakage in Federated Learning. In Proceedings of the AAAI Conference on Artificial Intelligence, Washington, DC, USA, 7–14 February 2023; Volume 37, pp. 9864–9873. [Google Scholar]
  93. Paillier, P. Public-key cryptosystems based on composite degree residuosity classes. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Prague, Czech Republic, 2–6 May 1999; Springer: Berlin/Heidelberg, Germany, 1999; pp. 223–238. [Google Scholar]
  94. Yi, X.; Paulet, R.; Bertino, E. Homomorphic encryption. In Homomorphic Encryption and Applications; Springer: Cham, Switzerland, 2014; pp. 27–46. [Google Scholar]
  95. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-keycryptosystems. Commun. ACM 1978, 21, 120–126. [Google Scholar] [CrossRef]
  96. Rothblum, R. Homomorphic encryption: From private-key to public-key. In Theory of cryptographyconference; Springer: Berlin/Heidelberg, Germany, 2011; pp. 219–234. [Google Scholar]
  97. Li, B.; Micciancio, D. On the security of homomorphic encryption on approximate numbers. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, 17–21 October 2021; Springer: Cham, Switzerland, 2021; pp. 648–677. [Google Scholar]
  98. Fontaine, C.; Galand, F. A survey of homomorphic encryption for nonspecialists. EURASIP J. Inf. Secur. 2007, 2007, 13801. [Google Scholar] [CrossRef]
  99. Hardy, S.; Henecka, W.; Ivey-Law, H.; Nock, R.; Patrini, G.; Smith, G.; Thorne, B. Private federatedlearning on vertically partitioned data via entity resolution and additively homomorphic encryption. arXiv 2017, arXiv:1711.10677. [Google Scholar]
  100. Ou, W.; Zeng, J.; Guo, Z.; Yan, W.; Liu, D.; Fuentes, S. A homomorphic-encryption-based verticalFederated Learning scheme for rick management. Comput. Sci. Inf. Syst. 2020, 17, 819–834. [Google Scholar] [CrossRef]
  101. Sav, S.; Pyrgelis, A.; Troncoso-Pastoriza, J.R.; Froelicher, D.; Bossuat, J.P.; Sousa, J.S.; Hubaux, J.P. POSEIDON: Privacy-preserving federated neural network learning. arXiv 2020, arXiv:2009.00349. [Google Scholar]
  102. Froelicher, D.; Troncoso-Pastoriza, J.R.; Pyrgelis, A.; Sav, S.; Sousa, J.S.; Bossuat, J.P.; Hubaux, J.P. Scalable privacy-preserving distributed learning. Proc. Priv. Enhancing Technol. 2021, 2021, 323–347. [Google Scholar] [CrossRef]
  103. Mouchet, C.; Troncoso-Pastoriza, J.; Bossuat, J.P.; Hubaux, J.P. Multiparty Homomorphic Encryption from Ring-Learning-with-Errors. Cryptology ePrint Archive. 2020. Available online: https://eprint.iacr.org/2020/304.pdf (accessed on 2 September 2024).
  104. UCI Machine Learning Repository: Data Set. Available online: https://archive.ics.uci.edu/ml/datasets/breast+cancer+wisconsin+(original) (accessed on 10 October 2022).
  105. Cohen, G.; Afshar, S.; Tapson, J.; van Schaik, A. EMNIST: An extension of MNIST to handwritten letters. arXiv 2017. [Google Scholar] [CrossRef]
  106. Harun-Ur-Rashid. Epileptic Seizure Recognition. Kaggle. Available online: https://www.kaggle.com/datasets/harunshimanto/epileptic-seizure-recognition (accessed on 11 October 2018).
  107. Yeh, I.C.; Lien, C.H. The comparisons of data mining techniques for the predictive accuracy ofprobability of default of credit card clients. Expert Syst. Appl. 2009, 36, 2473–2480. [Google Scholar] [CrossRef]
  108. Netzer, Y.; Wang, T.; Coates, A.; Bissacco, A.; Wu, B.; Ng, A.Y. Reading Digits in Natural Images with Unsupervised Feature Learning. 2011. Available online: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/37648.pdf (accessed on 3 September 2024).
  109. Krizhevsky, A.; Hinton, G. Learning Multiple Layers of Features from Tiny Images. 2009. Available online: https://www.cs.toronto.edu/~kriz/learning-features-2009-TR.pdf (accessed on 3 September 2024).
  110. Liu, X.; Li, H.; Xu, G.; Chen, Z.; Huang, X.; Lu, R. Privacy-enhanced Federated Learning againstpoisoning adversaries. IEEE Trans. Inf. Forensics Secur. 2021, 16, 4574–4588. [Google Scholar] [CrossRef]
  111. Tian, H.; Zhang, F.; Shao, Y.; Li, B. Secure linear aggregation using decentralized thresholdadditive homomorphic encryption for Federated Learning. arXiv 2021, arXiv:2111.10753. [Google Scholar]
  112. Stripelis, D.; Saleem, H.; Ghai, T.; Dhinagar, N.; Gupta, U.; Anastasiou, C.; Ver Steeg, G.; Ravi, S.; Naveed, M.; Thompson, P.M.; et al. Secure neuroimaging analysis using Federated Learning with homomorphic encryption. In Proceedings of the 17th International Symposium on Medical Information Processing and Analysis, Campinas, Brazil, 17–19 December 2021; SPIE: Bellingham, WA, USA, 2021; Volume 12088, pp. 351–359. [Google Scholar]
  113. Miller, K.L.; Alfaro-Almagro, F.; Bangerter, N.K.; Thomas, D.L.; Yacoub, E.; Xu, J.; Bartsch, A.J.; Jbabdi, S.; Sotiropoulos, S.N.; Andersson, J.L.R.; et al. Multimodal population brain imaging in the UK Biobank prospective epidemiological study. Nat. Neurosci. 2016, 19, 1523–1536. [Google Scholar] [CrossRef]
  114. Zhang, L.; Xu, J.; Vijayakumar, P.; Sharma, P.K.; Ghosh, U. Homomorphic Encryption-based Privacy-preserving Federated Learning in IoT-enabled Healthcare System. IEEE Trans. Netw. Sci. Eng. 2022, 10, 2864–2880. [Google Scholar] [CrossRef]
  115. Tschandl, P.; Rosendahl, C.; Kittler, H. The HAM10000 dataset, a large collection of multi-sourcedermatoscopic images of common pigmented skin lesions. Sci. Data 2018, 5, 180161. [Google Scholar] [CrossRef]
  116. Fan, C.I.; Hsu, Y.W.; Shie, C.H.; Tseng, Y.F. ID-Based Multi-Receiver Homomorphic ProxyRe-Encryption in Federated Learning. ACM Transactions on Sensor Networks (TOSN). ACM Trans. Sens. Netw. 2022, 18, 1–25. [Google Scholar] [CrossRef]
  117. Ku, H.; Susilo, W.; Zhang, Y.; Liu, W.; Zhang, M. Privacy-Preserving Federated Learning in medicaldiagnosis with homomorphic re-Encryption. Comput. Stand. Interfaces 2022, 80, 103583. [Google Scholar] [CrossRef]
  118. Park, J.; Lim, H. Privacy-Preserving Federated Learning Using Homomorphic Encryption. Appl. Sci. 2022, 12, 734. [Google Scholar] [CrossRef]
  119. Madi, A.; Stan, O.; Mayoue, A.; Grivet-Sebert, A.; Gouy-Pailler, C.; Sirdey, R. A secureFederated Learning framework using homomorphic encryption and verifiable computing. In Proceedings of the 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS), Hamilton, ON, Canada, 18–19 May 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–8. [Google Scholar]
  120. Jia, B.; Zhang, X.; Liu, J.; Zhang, Y.; Huang, K.; Liang, Y. Blockchain-enabled Federated Learningdata protection aggregation scheme with differential privacy and homomorphic encryption in IIoT. IEEE Trans. Ind. Inform. 2021, 18, 4049–4058. [Google Scholar] [CrossRef]
  121. Zhang, C.; Li, S.; Xia, J.; Wang, W.; Yan, F.; Liu, Y. BatchCrypt: Efficient homomorphicencryption for Cross-Silo Federated Learning. In Proceedings of the 2020 USENIX Annual Technical Conference (USENIX ATC 20), Online, 15–17 July 2020; pp. 493–506. [Google Scholar]
  122. FATE. 31 October 2019. Available online: https://fate.fedai.org/ (accessed on 15 October 2022).
  123. Zhang, S.; Li, Z.; Chen, Q.; Zheng, W.; Leng, J.; Guo, M. Dubhe: Towards data unbiasednesswith homomorphic encryption in Federated Learning client selection. In Proceedings of the 50th International Conference on Parallel Processing, Lemont, IL, USA, 9–12 August 2021; pp. 1–10. [Google Scholar]
  124. Jiang, Z.; Wang, W.; Liu, Y. Flashe: Additively symmetric homomorphic encryption for cross-siloFederated Learning. arXiv 2021, arXiv:2109.00675. [Google Scholar]
  125. Fang, H.; Qian, Q. Privacy preserving Machine Learning with homomorphic encryption and federatedlearning. Future Internet 2021, 13, 94. [Google Scholar] [CrossRef]
  126. Fang, C.; Guo, Y.; Hu, Y.; Ma, B.; Feng, L.; Yin, A. Privacy-preserving and communication-efficientFederated Learning in Internet of Things. Comput. Secur. 2021, 103, 102199. [Google Scholar] [CrossRef]
  127. Xie, Y.A.; Kang, J.; Niyato, D.; Van, N.T.T.; Luong, N.C.; Liu, Z.; Yu, H. Securing federated learning: A covert communication-based approach. IEEE Netw. 2022, 37, 118–124. [Google Scholar] [CrossRef]
  128. Ranjan, P.; Gupta, A.; Cor’o, F.; Das, S.K. Securing Federated Learning against OverwhelmingCollusive Attackers. arXiv 2022, arXiv:2209.14093. [Google Scholar]
  129. Li, Z.; Yu, H.; Zhou, T.; Luo, L.; Fan, M.; Xu, Z.; Sun, G. Byzantine resistant secure blockchainedFederated Learning at the edge. IEEE Netw. 2021, 35, 295–301. [Google Scholar] [CrossRef]
  130. Yuan, S.; Cao, B.; Peng, M.; Sun, Y. ChainsFL: Blockchain-driven Federated Learningfrom Design to Realization. In Proceedings of the 2021 IEEE Wireless Communications and Networking Conference (WCNC), Nanjing, China, 29 March–1 April 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–6. [Google Scholar]
  131. Li, Y.; Chen, C.; Liu, N.; Huang, H.; Zheng, Z.; Yan, Q. A blockchain-based decentralized federatedlearning framework with committee consensus. IEEE Netw. 2020, 35, 234–241. [Google Scholar] [CrossRef]
  132. Rajput, A.S.; Raman, B. Privacy-Preserving Distribution and Access Control of PersonalizedHealthcare Data. IEEE Trans. Ind. Inform. 2021, 18, 5584–5591. [Google Scholar] [CrossRef]
  133. Booher, D.D.; Cambou, B.; Carlson, A.H.; Philabaum, C. Dynamic key generation forpolymorphic encryption. In Proceedings of the 2019 IEEE 9th Annual Computing and Communication Workshop and Conference(CCWC), Las Vegas, NV, USA, 7–9 January 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 0482–0487. [Google Scholar]
Figure 1. FedAvg architecture and dataflow.
Figure 2. Federated learning process, environment and flow of information.
Figure 3. Security, privacy and robustness taxonomy.
Figure 4. Known threats in federated learning field.
Figure 5. Known attacks in federated learning field.
Figure 6. Communication control explained for a set of 9 users (arrows represent methods of communication).
Figure 7. Research findings for analyzing privacy and security in federated learning.
Table 1. HE as a standalone solution: implementations to secure FL algorithms.

| Ref. | Securing Scheme | Dataset Used |
|---|---|---|
| [99] | Homomorphic encryption to secure data exchange in FL system | - |
| [100] | Homomorphic encryption to secure data exchange in FL system | - |
| [101] | Homomorphic encryption to secure data exchange in FL system | Breast Cancer Wisconsin (BCW) dataset [104]; EMNIST dataset [105]; Epileptic seizure recognition (ESR) dataset [106]; Default of credit card clients (CREDIT) dataset [107]; Street View House Numbers (SVHN) dataset [108]; CIFAR-10 and CIFAR-100 [109] |
| [110] | Homomorphic encryption to secure data exchange in FL system | EMNIST [105], CIFAR [109] |
| [111] | Homomorphic encryption to secure data exchange in FL system | - |
| [112] | Homomorphic encryption to secure data exchange in FL system | UK Biobank (UKBB) neuroimaging dataset [113] |
| [114] | Homomorphic encryption to secure data exchange in FL system | Human Against Machine with 10,000 Training Images (HAM10000) dataset [115] |
Table 2. HE combined with other solutions to secure FL algorithms.

| Ref. | Combined With | Dataset Used |
|---|---|---|
| [73] | Secure Multiparty Computation (SMC) | - |
| [119] | Verifiable Computing (VC) | EMNIST dataset [105] |
| [120] | Blockchain | - |
Table 3. HE with communication and computation cost reduction.

| Ref. | Enhancement Ratio | Dataset Used |
|---|---|---|
| [121] | Training: 23x–93x; communication: 66x–101x | EMNIST [105] and CIFAR [109] |
| [123] | Negligible encryption and communication overhead | EMNIST [105] and CIFAR [109] |
| [120] | Computation: 63x; communication: 48x | - |
| [125] | Computation: 25–28% | EMNIST [105] |
| [126] | Communication: 2x | EMNIST [105] |
Table 4. Drawbacks and advantages of security-oriented FL algorithms.

| Method | Advantages | Shortcomings |
|---|---|---|
| Layerwise Gradient Aggregation (LEGATO) | Robust to Byzantine attacks; communication efficient; scalable and generalizable | Limited to neural networks; weak against Gaussian variance attacks; lacks definition for “extreme outliers” |
| Privacy-preserving decentralized aggregation (SecureDFL) | Reduces privacy loss; no central server needed; communication pattern inspired by combinatorial block design | Computational overhead from privacy techniques; complexity in implementation; assumes honest participants |
| Secure and Efficient Aggregation for Byzantine Robust Federated Learning (SEAR) | Uses Intel SGX for secure aggregation; avoids time-consuming cryptographic tools; column-major data storage mode improves efficiency | Limited PRM size; may face side-channel attacks; only applicable to models fitting within PRM constraints |
| Efficient Privacy-Preserving Data Aggregation (EPPDA) | Minimizes communication, computation and storage; utilizes secret sharing and key exchange; fault tolerant | Complexity in cryptographic primitives; potential for increased latency; may be less effective against sophisticated attacks |
| Secure Aggregation with Heterogeneous Quantization (HeteroSAg) | Protects privacy with masked updates; heterogeneous quantization improves the trade-off; resilient to Byzantine attacks; reduces bandwidth expansion | Complexity in segment grouping; effectiveness depends on quantization and segmentation strategies; may require fine tuning |
| FLDetector: Securing FL by detecting malicious clients | Effective against large-scale poisoning attacks; unique consistency-based detection; early detection of malicious clients | Sensitivity to benign inconsistencies; increased computational complexity; potential for false positives/negatives; may struggle with evolving attack strategies |
| FLCert: Security through client grouping strategies | Provable security guarantees; utilizes client grouping and majority voting; two variants for flexibility | Assumes a known upper limit of malicious clients; introduces computational complexity; effectiveness varies with client grouping methods |
| ELSA: Security by distribution of trust | Fast, secure aggregation protocol; resilient against malicious actors; distributed trust enhances privacy; negligible communication overhead | Relies on at least one honest server; 7–25% runtime cost increase; performance may vary with different models |
| Multi-RoundSecAgg: Security via random user selection strategy | Enhanced privacy over multiple rounds; novel privacy metric; structured user selection ensures privacy; accounts for fairness and participation | Increased complexity and resource demands; generalization to all scenarios may vary; potential challenges in achieving perfect fairness; scalability concerns for large-scale scenarios |
Table 5. FL aggregation algorithms designed for security issues.

| Ref. | Name | Summary |
|------|------|---------|
| [63] | - | Uses Shamir's secret sharing [64] to split the secret into multiple shares |
| [66] | RFA | Built on the principle of aggregation with the Geometric Median (GM), which is computed using a Weiszfeld-type algorithm [67] |
| [68] | LEGATO | Uses a dynamic gradient reweighting approach that treats gradients based on layer-specific resilience |
| [76] | SecureD-FL | Determines which set of participants (group) should interact in each round of aggregation in order to minimize privacy leakage |
| [80] | SEAR | Uses a hardware-based trusted execution environment instead of computationally time-consuming cryptographic tools |
| [86] | EPPDA | Benefits from the homomorphisms of secret sharing [87] to minimize the secret sharing iterations and therefore reduce communication, calculation and storage resource usage |
| [88] | HeteroSAg | Uses a segment grouping strategy that is based on dividing individuals into groups and segmenting local model updates for these users |
| [89] | FLDetector | Detects malicious clients using model update consistency, bolstering security in federated learning |
| [90] | FLCert | Provides provable security against poisoning attacks, featuring ensemble learning with resource efficiency and privacy |
| [91] | ELSA | Secure aggregation protocol offering efficiency and resilience and surpassing other approaches in runtime |
| [92] | Multi-RoundSecAgg | Boosts FL privacy over multiple rounds |

The table's remaining columns, Security, Privacy and Robustness (with the sub-columns Confidence, Authentication, Integrity, Consent, Precision and Preserve), hold the per-algorithm marks, which are not reproduced in this text version.
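Robust aggregation with the Geometric Median, the principle RFA [66] in Table 5 is built on, as an added illustration that is not the paper's or RFA's code: a pure-Python Weiszfeld iteration run over constructed client updates, compared with plain averaging when one client is Byzantine. The client vectors and the hypothetical helper names are constructed for this example.

```python
"""Geometric-median aggregation (RFA-style) vs. averaging on constructed updates."""
import math


def weiszfeld_geometric_median(points, iters=200, eps=1e-8):
    """Approximate the geometric median of a list of equal-length float vectors
    with Weiszfeld's iteration: each step is a weighted mean with weights
    1/distance to the current iterate. `eps` keeps a weight finite when the
    iterate lands exactly on one of the points (the smoothing RFA also uses)."""
    dim = len(points[0])
    # Start from the coordinate-wise mean.
    z = [sum(p[i] for p in points) / len(points) for i in range(dim)]
    for _ in range(iters):
        weights = [1.0 / max(math.dist(z, p), eps) for p in points]
        total = sum(weights)
        new_z = [sum(w * p[i] for w, p in zip(weights, points)) / total
                 for i in range(dim)]
        shift = math.dist(z, new_z)
        z = new_z
        if shift < 1e-10:  # converged
            break
    return z


def mean_aggregate(points):
    """Plain FedAvg-style coordinate-wise mean, the non-robust baseline."""
    dim = len(points[0])
    return [sum(p[i] for p in points) / len(points) for i in range(dim)]


# Constructed round: nine honest clients report updates close to (1.0, -2.0);
# one Byzantine client reports a huge update to drag the aggregate away.
HONEST_UPDATES = [[1.0 + 0.01 * k, -2.0 - 0.01 * k] for k in range(9)]
BYZANTINE_UPDATE = [[1000.0, 1000.0]]
ROUND_UPDATES = HONEST_UPDATES + BYZANTINE_UPDATE


def aggregate_round():
    """Return (mean aggregate, geometric-median aggregate) for the round."""
    return mean_aggregate(ROUND_UPDATES), weiszfeld_geometric_median(ROUND_UPDATES)


if __name__ == "__main__":
    mean_agg, gm_agg = aggregate_round()
    print("mean:            ", mean_agg)  # pulled to ~(100.9, 98.2) by one client
    print("geometric median:", gm_agg)    # stays near the honest cluster (~1.04, -2.04)
```

The mean is controlled by the single outlier, while the geometric median stays inside the honest cluster; this is the robustness property the RFA row refers to, at the cost of an iterative solve per round.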
Share and Cite

MDPI and ACS Style

Moshawrab, M.; Adda, M.; Bouzouane, A.; Ibrahim, H.; Raad, A. Securing Federated Learning: Approaches, Mechanisms and Opportunities. Electronics 2024, 13, 3675. https://doi.org/10.3390/electronics13183675