A Stealthy Communication Model for Protecting Aggregated Results Integrity in Federated Learning

Abstract

Given how quickly artificial intelligence technology is developing, federated learning (FL) has emerged to enable effective model training while protecting data privacy. However, when using homomorphic encryption (HE) techniques for privacy protection, FL faces challenges related to the integrity of HE ciphertexts. In the HE-based privacy-preserving FL framework, the public disclosure of the public key and the homomorphic additive property of the HE algorithm pose serious threats to the integrity of the ciphertext of FL’s aggregated results. For the first time, this paper employs covert communication by embedding the hash value of the aggregated result ciphertext received by the client into the ciphertext of local model parameters using the lossless homomorphic additive property of the Paillier algorithm. When the server receives the ciphertext of the local model parameters, it can extract and verify the hash value to determine whether the ciphertext of the FL’s aggregated results has been tampered with. We also used chaotic sequences to select the embedding positions, further enhancing the concealment of the scheme. The experimental findings demonstrate that the suggested plan passed the Welch’s t-test, the K–L divergence test, and the K–S test. These findings confirm that ciphertexts containing covert information are statistically indistinguishable from normal ciphertexts, thereby affirming the proposed scheme’s effectiveness in safeguarding the integrity of the FL’s aggregated ciphertext results. The channel capacity of this scheme can reach up to 512 bits per round, which is higher compared to other FL-based covert channels.

1. Introduction

Traditional machine learning relies on the core working idea of training models using massive volumes of data gathered from many sources. Sharing data between devices or organizations, however, may result in privacy violations for the data owners. To balance privacy protection with effective model training, the concept of federated learning (FL) [1,2] has been introduced. FL allows model training without direct data sharing by requiring end devices to train local models and upload local model updates, such as gradients or weights, to a central server. Since FL can effectively utilize data while protecting privacy, it has extensive application prospects in many scenarios, such as vehicular networks [3], medical devices [4], smart grids [5], and smart cities [6].

Existing research shows that FL still has privacy leakage problems [7,8]. However, even though disclosed gradients are meant to prevent sensitive information about the training data from being obtained by attacks, such as model inversion attacks [9] or gradient inference attacks [10]. According to recent research, a user’s local data may be recovered by an untrusted server from model gradients or weights that have been uploaded [11,12,13]. Using adversarial tactics, the untrusted server can view changes in gradients or training labels, as well as the model structure and starting parameters exposing participants’ private information [14,15]. To protect client gradients during training, various privacy-preserving frameworks based on cryptographic techniques have been proposed. Homomorphic encryption (HE) has attracted considerable attention for its ability to aggregate model parameters while keeping them encrypted [16,17].

However, the complex cryptographic operations involved in HE introduce substantial overhead to FL frameworks that employ this technology. Additionally, the asymmetric encryption mode used by HE allows malicious attackers to easily obtain the public key used for encryption. For instance, attackers can encrypt malicious data with the public key and homomorphically add it to the aggregated results, thereby compromising their integrity [18,19,20]. As a result, efficiency and the integrity of the aggregated findings must both be taken into account in HE-based privacy-preserving FL systems.

The motivation behind this study is to address the issue of ensuring the integrity of aggregated results in HE-based privacy-preserving FL frameworks through the use of covert communication methods. The core idea of covert communication [21,22,23] is to embed secret information within innocuous public communications, making it difficult to detect and tamper with. The proposed framework first applies HE to sensitive data during transmission, ensuring that the data remains encrypted throughout the process, thereby protecting its privacy and security. Then, using covert communication techniques, the hash value of the aggregated result’s ciphertext is embedded within the FL communication channel. Additionally, we employ chaos sequence [24,25,26] technology to further enhance the anti-detection capability of the covert channel. This approach makes it difficult for attackers to detect our secret information, thereby enhancing data integrity while minimizing the impact on the efficiency of the FL framework.

Our contributions are as follows:

• We designed a covert communication scheme based on FL, applying covert communication to FL for the first time, which enhance the integrity of aggregated results in privacy-preserving FL frameworks based on HE.
• We introduce chaotic sequence technology to enhance the anti-detection ability of covert communication. This technology improves the concealment of the communication channel, making it more difficult for attackers to detect embedded information.
• The embedding approach suggested in this study provides strong concealment and large channel capacity, as demonstrated by our experimental results.

This paper is organized as follows: Section 2 provides background on FL and covert communication. The proposed FL-based covert communication scheme and its design objectives are described in Section 3. The model and algorithm specifics are expanded upon in Section 4. The application and experimental outcomes of the suggested strategy are covered in Section 5. Section 6 reviews related FL-based covert communication research. Section 7 provides a final analysis and outlook for the future of the work.

2. Preliminaries

This section presents the fundamentals of privacy-preserving FL.

2.1. Federated Learning

To address the issues of data silos and data confidentiality in traditional centralized machine learning, Bonawitz [27] introduced the notion of FL initially. A distributed machine learning technique called FL seeks to train models locally on each device and sends the locally modified model parameters to a central server for further processing. This method avoids the central sharing of raw data, thus protecting individual privacy. Figure 1 illustrates the FL system framework.

In the above FL framework, the cloud server first distributes the global model parameters $W^{\left(t\right)}$ to clients $C_i$ $\left(i=1,2,\dots ,k\right)$. After receiving the global model parameters, the clients independently train their models on local data and update the model parameters $W_i^{\left(t\right)}$. These local model parameters are then uploaded to the cloud server. The cloud server aggregates all clients’ model parameters through weighted averaging to calculate new global model parameters $W^{\left(t+1\right)}$ and broadcasts them back to the clients. Upon receiving the new global model parameters, the clients continue to train their models on local data. This iterative process repeats until the global model converges or a predefined stopping criterion is met. The upload transmission is represented by solid arrows, while the broadcast transmission is represented by dashed arrows. However, there may be attackers who tamper with the aggregation results in the broadcast channel of the global model. This is the issue that the proposed solution in this paper aims to address.

2.2. Paillier Encryption Algorithm

The Paillier encryption algorithm, introduced by Pascal Paillier in 1999 [28], is a HE method rooted in number theory. This algorithm exhibits additive homomorphism, meaning that the product of two ciphertexts corresponds to the ciphertext of the sum of the plaintexts. The following is a description of the specifics of the Paillier encryption algorithm:

• Key Generation: To generate keys for the Paillier encryption algorithm, select two large prime numbers, $p$ and $q$, and compute $n=p \cdot q$. Calculate $\mathsf{\lambda } =\mathrm{l} \mathrm{cm} \left(p-1,q-1\right)$, where l cm denotes the least common multiple. Choose an integer $g,$ such that $g$ $\in Z_{n^2}^{*},$ensuring that $g$ has an order multiple of $n.$ Compute $\mathsf{\mu }={\left(L\left(g^{\mathsf{\lambda }}mod n^2\right)\right)}^{-1}mod n,$ where $L\left(x\right)={\displaystyle \frac{x-1}{n}}$. The public key is $\left(n,g\right)$, and the private key is $\left(\mathsf{\lambda },\mathsf{\mu }\right)$.
• Encryption: Given a plaintext $m$, where $(0 \le m<n$), choose a random integer $r,$where $(0<r<n$). Compute the ciphertext $c$ using the formula $c=g^m\cdot r^n mod n^2$.
• Decryption: Given a ciphertext $c$, compute the plaintext$m$using the formula $m=L\left(c^{\mathsf{\lambda }} mod n^2\right)\cdot \mathsf{\mu } mod n$.

The main feature of the Paillier algorithm is its homomorphic property. Specifically, it supports homomorphic addition and scalar multiplication operations:

• Homomorphic Addition: For two ciphertexts, $c_1$ and $c_2$, the decryption of their product corresponds to the sum of their respective plaintexts. The formula is given by Formula (1):

  $$D\left(E\left(m_1\right)\times E\left(m_2\right) mod n^2\right)=m_1+m_2$$

  (1)
• Homomorphic Addition (encrypted message and plaintext integer): Encrypt a message $m$ and then multiply this encrypted result with $g^k mod n^2$. Decrypting this product will yield the sum of $m$ and $k$. The formula is given by Formula (2):

  $$D\left(E\left(m\right)\times g^k mod n^2\right)=m+k mod n$$

  (2)
• Homomorphic Scalar Multiplication: For a ciphertext $c$ and a plaintext number $k$, the decryption of the ciphertext raised to the power of $k$corresponds to the plaintext multiplied by $k$. The formula is given by Formula (3):

  $$D\left(E{\left(m\right)}^k mod n^2\right)=k\times m$$

  (3)

2.3. Chaotic Sequences

Chaotic sequences are a type of deterministic sequence characterized by complex and seemingly random behavior, commonly found in nonlinear dynamical systems [29]. They represent irregular motion within deterministic systems. Chaotic sequences, despite being produced by deterministic equations, show behavior that is extremely sensitive to initial conditions, meaning that slight modifications to these parameters can produce radically different results. There are two names for this phenomenon, “chaotic behavior” and the “butterfly effect”. In discrete cases, chaos often manifests as chaotic sequences. These sequences, produced by chaotic models, inherently contain rich dynamical information about the system. They serve as a bridge connecting chaos theory to practical applications in the real world, making them a significant field of application within chaos theory. In areas such as secure communications, encryption algorithms, random number generation, and image processing, chaotic sequences enhance system security and robustness due to their unpredictability and complexity.

The logistic map is a common example of a chaotic sequence represented by a simple nonlinear recursive relation used to describe the chaotic behavior of certain dynamical systems. The formula is given by Formula (4):

$$x_{n+1}=r{x}_n\left(1-x_n\right)$$

(4)

where $x_n$ is the value at the$n$-th iteration, with a range of $0\le x_n\le 1$; $r$is the control parameter of the system, typically ranging from 0 to 4; and $x_{n+1}$ is the value at the $n+1$-th iteration. This formula demonstrates how an initial value $x_0$ evolves with each iteration. Depending on the value of $r$, the system can exhibit a range of behaviors from stability to periodicity and chaos.

2.4. Covert Channel

Lampson developed the idea of covert channels for the first time in 1973. It immediately garnered significant attention from the U.S. Department of Defense, leading to the publication of guidelines for covert channel analysis in trusted systems in 1993. Covert channels refer to a type of communication channel that transmits secret information through unconventional means, designed to bypass predefined security levels and achieve hidden communication. Compared to traditional communication channels, where both the sender and receiver need explicit roles, in covert channels, the sender only requires permission to modify the covert channel carrier, while the receiver only needs permission to read the covert channel carrier. This results in covert channels being resistant to interception and detection and highly flexible.

Additionally, to enhance the robustness of covert channel schemes in complex environments and prevent message leakage if detected by adversaries, covert channel technology often integrates cryptography, machine learning, steganography, and other techniques to achieve secure hidden communication. Figure 2 presents an example of covert channel.

Figure 2 presents an example of a covert channel under the Bell–LaPadula (BLP) model [30]. The simple security property of the BLP model states that the security level of the information receiver must not be lower than the sensitivity level of the information. The *-property of the BLP model indicates that writing the contents of one sensitive object to another requires the latter’s sensitivity level to be at least as high as the former’s. These two properties can be summarized as “no read up, no write down”. The BLP model prevents low-level subjects from accessing high-classified information and also prevents high-level subjects from leaking information to low-level subjects through write operations. Even under a mandatory access control model, communication parties can still construct covert channels to transmit information from high-security-level subjects to low-security-level subjects. This transmission is achieved by modifying and perceiving the values or attributes of shared variables between high- and low-security-level users.

3. System Design

This section covers the system model, threat model, and design goals of our recommended course of action.

3.1. System Model

The stealthy communication model for the HE-based privacy-preserving FL framework that is suggested in this paper is presented in this section. The proposed scheme’s system model is depicted in Figure 3.

The following components make up the entire covert communication process, as shown in Figure 3:

• Off-channel negotiation: In this approach, pre-chain negotiations are carried out off-channel by the sender and the recipient using email, in-person meetings, or other means of contact. The pre-negotiation content includes coding rules for hidden information, embedding location (chaotic sequence $x$) and mode $n$ selection.
• Obtaining the global model (aggregated results): Obtain the ciphertext of the global model $W^{\left(t\right)}$ from the FL communication channel in the$t$-th round. The obtained ciphertext may have been tampered with by an attacker but can still be decrypted normally.
• Training local model: The sender (client) will use the local dataset and global model $W^{\left(t\right)}$ for local model $W_k^{\left(t\right)}$ training.
• Paillier encrypting: The sender (client) will use the Paillier HE algorithm to encrypt the local model $W_k^{\left(t\right)}$ parameters to be uploaded, resulting in encrypted ciphertext $C_k$.
• Hashing: The sender (client) will perform a hash signature operation on the ciphertext to obtain a hash value $h_k$ of the global model $W^{\left(t\right)}$, which is also the covert information to be transmitted.
• Embedding: The sender (client) will select the insertion position using chaos sequence and embed the binary sequence corresponding to the hash value $h_k$ into the ciphertext through the homomorphic additive property of the HE ciphertext $C_k$. This results in a ciphertext $C_k^{’}$ that contains the embedded secret information, which is then transmitted through the FL communication channel. Figure 4 illustrates how each covert information bit is embedded into the parameter ciphertext.
• Extracting: When the receiver (cloud server) obtains the ciphertext $C_k^{’}$ with the embedded secret information from the FL communication channel, it extracts the covert information $h_k$ based on the embedding location generated by the chaotic sequence $seed$ and retrieves the original ciphertext $C_k$.
• Checking: The receiver (cloud server) uses the obtained covert information $h_k$ to verify the global model $W^{\left(t\right)}$ and check whether its integrity has been compromised.
• Participate in aggregation operation: If the global model $W^{\left(t\right)}$received by the sender passes verification and proves it has not been tampered with, the cloud server will include it in the normal aggregation operations; if the global model fails verification, it will not be included in the normal aggregation operations.

3.2. Threat Model

We assume the adversary has the following capabilities and limitations:

Adversary Capabilities:

• The adversary has sophisticated capabilities for data processing and surveillance. The adversary can examine every bit of data sent in order to identify the hidden channel. The adversary possesses the public key used for HE and can perform homomorphic addition operations on the ciphertext of the transmitted aggregated results, thereby tampering with the data and compromising its integrity.
• The adversary knows all the implementation details of our proposed scheme.
• When the adversary detects the presence of hidden information in the upload channel through monitoring and analysis (only detection is required, without needing to know the specific content of the secret information), they will forcibly shut down the upload channel, thereby disrupting the covert channel.

Adversary Limitations:

• The adversary is able to observe and examine the upload channel of the local model, but it is unable to impede it. The adversary cannot know the pre-agreed content in the scheme.

3.3. Design Goals

The design objectives of the proposed HE-based stealthy communication model for the privacy-preserving FL framework are described in this section, with a focus on high concealment and channel capacity.

• High concealment: Concealment makes the covert channel untraceable by ensuring an attacker cannot tell hidden information from regular data. High concealment in the proposed framework refers to the inability of the threat model to distinguish between plain text and ciphertext carrying hidden information. This ensures that covert communications remain undetected by adversaries.
• High channel capacity: The amount of covert information sent via a covert channel in a given amount of time is referred to as its channel capacity. Massive volumes of clandestine data transmission require a high channel capacity. In the proposed model, it means the ability to transmit more robust hash values generated by hash operations. Generally, the larger the capacity of the hash value, the better its collision resistance, thereby enhancing the effectiveness of ensuring the integrity of the ciphertext during the FL process [31].
• Strong robustness: The robustness of the proposed scheme is defined as the ability to effectively detect tampering of the global model by an adversary. In this scheme, the hash value of the global model is transmitted to the server as secret information. Upon receiving the model parameters returned by the clients, the server extracts the embedded hash value and compares it with the recalculated hash value. If the hash values match, it indicates that the global model has not been tampered with; otherwise, it is considered tampered.

4. Proposed Scheme

For every algorithm in the suggested scheme, the pseudocode and process descriptions are shown in this section. Four steps make up the entire covert communication process in our proposed method, as Figure 5 illustrates. Prior to the sender preparing the data, there needs to be pre-negotiation between the sender and the recipient. This preprocessing includes hashing the received global model $W^{\left(t\right)}$ and calculating the embedding location using the pre-negotiated chaotic sequence seed $seed$. Then, the covert message (hash value $h_k$) is embedded into the ciphertext of the local model $C_k^{’}$ to be uploaded to the cloud server. The receiver extracts the covert message $h_k$ from the uploaded local model ciphertext $C_k^{’}$and verifies the global model $W^{\left(t\right)}$. The specific procedure will be demonstrated in this chapter’s Section 4.2, Section 4.3, Section 4.4 and Section 4.5.

4.1. Symbol

Unless otherwise noted, the symbols utilized in this work are those that are mentioned in

Table 1. The Main Symbols.

Symbol	Description
$c_i$	$\mathrm{client} i$
$W^{\left(t\right)}$	global model in the $t$-th communication round
$W_i^{\left(t\right)}$	local model of client $i$ in the $t$-th communication round
$x$	chaotic sequence seed
$r$	parameter for logistic map
$n$	the length of the position generated by the chaotic sequence
$l$	the length of the list of model parameters
$P$	selected position sequence
$p_i$	The $i$-th position in the position sequence
$S$	covert information
$s$	covert information of digital type
$s_i$	the $i$-th covert information
$\left(N, g\right)$	Paillier cryptosystem’s public key parameters

and are applied uniformly to all algorithms and procedures.

4.2. Pre-Negotiate

The information processing mechanism is pre-agreed upon by both parties, and they exchange key parameters: the chaotic sequence seed $x$, parameter for logistic map $r,$ and the length of the position generated by the chaotic sequence $n$. These parameters are shared via an off-channel communication channel [32].

4.3. Information Processing

The sender first needs to use the pre-negotiation chaotic sequence seed $x$, parameter for logistic map $r$, the length of the list of model parameters $l,$and the length of the position generated by the chaotic sequence $n$ to generate a random insertion position.

As shown in Algorithm 1, this algorithm generates a chaotic sequence of length $n$ using the logistic map and selects unique positions to form the position sequence $P$. Starting from the chaotic sequence seed $x$, the logistic map formula is used to iteratively generate new chaotic values, which are then mapped to the range $\left[0, l-1\right]$ to determine the position $p_i$. During this process, it ensures that the generated positions $p_i$are unique. If $p_i$ has not appeared before, it is added to the position sequence $P$. This continues until a sequence of length $n$ with unique positions is obtained.

Algorithm 1: Chaotic Sequence Position Selection

input: $x,r,n,l$ output: $P$ 1: Initialize $P$ as an empty list 2: Initialize a set $U$ to keep track of used positions 3: $x_0\leftarrow x$ 4: $i\leftarrow 0$ 5: while $\left|P\right|<n$ do 6:     $x_{i+1}\leftarrow r\cdot x_i\cdot \left(1-x_i\right)$ 7:     $p_i\leftarrow x_{i+1}\cdot l mod l$ 8:     if $p_i\notin U$ then 9:     Append $p_i$ to $P$ 10:   Add $p_i$ to U 11:     end if 12:     $i \leftarrow i+1$ 13: end while 14: return $P$

The sender then performs a hash operation on the received global model $W^{\left(t\right)}$. This scheme utilizes the SHA-2 family of hash functions, allowing for the selection of different SHA algorithms based on the required hash value length. Examples from the SHA-2 family include SHA-224, SHA-256, SHA-384, and SHA-512, which produce hash values of 224, 256, 384, and 512 bits, respectively. The resulting hash value is the scheme’s covert information $S$.

4.4. Information Embedding

In Section 4.3, Information Processing, we obtained the position sequence $P$ and the covert information $S$. In this subsection, we will embed $S$ into the original ciphertext $C_k$. This embedding method does not result in any data loss and is a form of lossless embedding [33]. This is accomplished by utilizing the Paillier cryptosystem’s homomorphic and probabilistic features, which enable the creation of steganographic ciphertext and lossless data concealing $C_k^{’}$.

Since we used the Paillier cryptosystem to encrypt the original model parameters, the ciphertexts possess additive homomorphic properties. These properties can be expressed by Formula (5), where $\gamma$ and $\delta$ are two plaintext numbers, and the operation $\oplus$ represents the additive homomorphic operation.

$$\mathcal{D}\left(\mathcal{E}\left(\gamma \right)\oplus \mathcal{E}\left(\delta \right)\right)=\gamma +\delta$$

(5)

A special case occurs when $\delta$ equals 0, in which Equation (5) transforms into Formula (6).

$$\mathcal{D}\left(\mathcal{E}\left(\gamma \right)\oplus \mathcal{E}\left(0\right)\right)=\gamma$$

(6)

According to Equation (6), we can conclude that when the ciphertext of $\gamma$ is homomorphically added with the ciphertext of 0, the ciphertext of $\gamma$ will change, but its plaintext will remain unchanged. After decryption, the homomorphically-added ciphertext will still yield the plaintext $\gamma$.

Based on the above conclusion, we can utilize this property for covert information embedding. We stipulate that a ciphertext mod 2 equal to 0 represents 0 and a ciphertext mod 2 equal to 1 represents 1. By homomorphically adding 0 to the ciphertext, we modify the original ciphertext in the position sequence $P$ to convey the covert information $S$. The Algorithm 2 may comprehend the entire embedding procedure.

Algorithm 2: The Covert Channel Information Embedding

input: $C_k,\left(N,g\right),S,P$ output: $C_k^{’}$ 1:  Initialization $i$ = 1 2:  for $i=1$ to $l$ do 3:    $p_i=P\left[i\right]$ 4:    if $s_i==0$ then 5:       if $C_k\left(p_i\right) mod 2==0$ then 6:         $C_k^{’}\left(p_i\right)=C_k\left(p_i\right)$ 7:         $i = i + 1$ 8:         break 9:       else 10:          $C_k\left(p_i\right)=C_k\left(p_i\right)\times g^0{r}^N mod N^2$ 11:          if $C_k\left(p_i\right) mod 2==0$ then 12:          $C_k^{’}\left(p_i\right)=C_k\left(p_i\right)$ 13:            $i = i + 1$ 14:            break 15:          else 16:            continue 17:          end if 18:     end if 19:  else 20:   if $C_k\left(p_i\right) mod 2==1$ then 21:       $C_k^{’}\left(p_i\right)=C_k\left(p_i\right)$ 22:       $i = i + 1$ 23:       break 24:   else 25:       $C_k\left(p_i\right)=C_k\left(p_i\right)\times g^0{r}^N mod N^2$ 26:       if $C_k\left(p_i\right) mod 2==0$ then 27:          $C_k^{’}\left(p_i\right)=C_k\left(p_i\right)$ 28:          $i = i + 1$ 29:          break 30:       else 31:          continue 32:       end if 33:   end if 34:  end if 35: end for

4.5. Information Extracting and Check

Upon receiving $C_k^{’}$, the recipient can similarly obtain the embedding position sequence $P$ according to the pre-negotiated parameters, $x$, $r$, and $n$. By taking the ciphertext $C_k^{’}\left(p_i\right)$ modulo 2 according to this sequence P and reading the secret information $s_i$ according to Formula (7) and restoring the covert information S through Formula (8), finally, the recipient can verify the global model $W^{\left(t\right)}$ transmitted to the sender using this secret information $S$ (hash value).

$$S_i=0 \mathrm{if} C_k^{’}\left(p_i\right) mod 2=0; \mathrm{otherwise} 1$$

(7)

$$S=S_1|S_2\left|\dots \right|S_n$$

(8)

5. System Implementation and Evaluation

The system installation specifics and pertinent performance evaluation are covered in detail in this section.

5.1. Implementation

This paper opts to conduct experiments in a single machine-simulated FL environment, which effectively simulates the collaborative training process of multiple client devices. In this environment, multiple virtual clients are created using a single machine, with each client independently training a model on local data and sending the updated model parameters to a central server for aggregation. This approach allows us to test and evaluate the performance of the proposed stealthy communication system model for the privacy-preserving FL framework based on HE.

The experimental portion of the study was carried out on a Windows 10 platform using the following hardware setup in order to assess the effectiveness of the suggested method: CPU: 11th Gen Intel(R) Core (TM) i5-11300H @ 3.10 GHz, GPU: NVIDA GeForce MX450 2 GB and 16 GB RAM (DDR4-3200). The algorithms designed for the experiment were all implemented in Python3, and the code was written using the phe library.

The dataset used for the experiments is MNIST, and the network is a simple 2NN network with three fully connected layers. The first fully connected layer (fc1) has 784 input units and 200 output units, with 156,800 weight parameters and 200 bias parameters, totaling 157,000 parameters. The second fully connected layer (fc2) has 200 input units and 200 output units, with 40,000 weight parameters and 200 bias parameters, totaling 40,200 parameters. The third fully connected layer (fc3) has 200 input units and 10 output units, with 2000 weight parameters and 10 bias parameters, totaling 2010 parameters. The network has 199,210 parameters. The FL aggregation algorithm used is FedAvg.

This experiment was a single-machine simulation, with no virtual machine configuration. The experiment involved two clients, each of which trained locally for 10 epochs, with a batch size of 100, and the learning rate was set to 0.005. The total number of communication rounds was 20, and the data was set to be non-IID.

5.2. Concealment

The scheme selects 1000 sets of Paillier ciphertexts as normal ciphertexts and uses these normal ciphertexts as the control group. Then, different capacities of hash algorithms (e.g., SHA-224, SHA-256, SHA-384, and SHA-512 from the SHA-2 family) are chosen to hash the same global parameters. Utilizing the embedding method of the scheme, the normal ciphertexts are modified to generate ciphertexts embedded with secret information. Subsequently, evaluations are conducted to determine whether the datasets before and after embedding are statistically indistinguishable.

The concealment of the proposed scheme is evaluated using cumulative distribution function (CDF), Kolmogorov–Smirnov (K–S) test, Welch’s t-test, and Kullback–Leibler (K-L) divergence [34,35,36,37].

5.2.1. K–S Test and K–L Divergence

The CDF is the integral of the probability density function and can fully describe the probability distribution of a real-valued random variable. The definition is given in Formula (9):

$$F\left(x\right)=P\left(X\le x\right)$$

(9)

where $X$ is a random variable and $x$ represents all real numbers. By comparing the similarity of the CDFs of the normal ciphertext and the ciphertext embedded with secret information, we can intuitively see whether they are indistinguishable. Figure 6 shows the CDF curves for these datasets.

In Figure 6a, the curves almost completely overlap, indicating that the datasets are very similar or indistinguishable in terms of character distribution.

The K–S test is a nonparametric test used to compare the CDFs of two datasets or a sample dataset against a reference probability distribution. It calculates the maximum difference between the observed and theoretical cumulative distributions, providing a statistic to infer whether the two distributions differ significantly. This test is particularly useful for validating the goodness-of-fit of a sample to a reference distribution or comparing two samples to determine if they originate from the same distribution.

If the p-value for the K–S test is more than 0.05, we conclude that the two distributions are similar and there is no discernible difference between them. This implies that we cannot reject the null hypothesis and thus assume that the two samples come from the same distribution.

Table 2. The $p$-value of the K–S Test.

Hash Algorithm	Number of Embedded Bits	K–S Test $\mathit{p}$-Value
SHA-224	224	1.0
SHA-256	256	1.0
SHA-384	384	1.0
SHA-512	512	1.0

shows the experimental results. Figure 6b shows the visualization of the$p$-value of the K–S test.

A probability distribution’s divergence from a second, expected probability distribution is measured using the K–L divergence. K–L divergence is a quantitative measure of the difference between two probability distributions in statistics, machine learning, and information theory. Closer distributions are indicated by smaller K–L divergence values, whereas bigger values suggest greater disparities.

Table 3. The K–L Divergence.

Hash Algorithm	Number of Embedded Bits	K–L Divergence
SHA-224	224	$1.32 \times {10}^{-6}$
SHA-256	256	$1.95 \times {10}^{-6}$
SHA-384	384	$4.27 \times {10}^{-6}$
SHA-512	512	$1.01 \times {10}^{-6}$

displays the K–L divergence results, while Figure 7 provides a representation of the data.

Based on the above experimental results, all K–S test p-values are greater than 0.05, and the K–L divergence values are within an extremely small range, indicating there is no statistically significant difference between the ciphertext with embedded secret information and the normal ciphertext. Moreover, all K–S test p-values for different hash algorithms are 1.0, and the K–L divergence values are also very small, further supporting this conclusion.

5.2.2. Welch’s T-Test

A statistical hypothesis test called Welch’s t-test is used to ascertain whether the means of two independent samples differ significantly from one another. Welch’s t-test calculates the test statistic based on the sample means, variances, and sample sizes and uses this statistic to infer whether the difference in means is statistically significant.

A significant difference between the means of the two samples is shown if Welch’s t-test p-value is less than or equal to 0.05.

Table 4. The $p$-value of Welch’s t-test.

Hash Algorithm	Number of Embedded Bits	Welch’s t-Test $\mathit{p}$-Value
SHA-224	224	0.9951
SHA-256	256	0.9972
SHA-384	384	0.9973
SHA-512	512	0.9974

displays the outcomes of the experiment.

The various tests above indicate that the proposed scheme has good concealment. This is because we utilized the properties of the Paillier HE algorithm to embed secret information, which does not significantly alter the distribution of the ciphertexts, thereby ensuring good concealment.

5.3. Channel Capacity

We measure the channel capacity of the proposed scheme by the number of secret information bits that can be transmitted per round, as shown in Formula (10):

$$C={\displaystyle \frac{B}{N}}$$

(10)

where $C$ is the channel capacity, $B$ is the total number of bits that can be embedded, and $N$ is the number of communication rounds.

In the 2NN network used in this paper, the maximum secret information capacity that can be transmitted per round is the SHA-512 hash value, which is 512 bits per round. In

Table 5. Channel Capacity Comparison.

Scheme	Channel Capacity (Bits/Round)
Proposed	512.00
Hitaj et al. (1 sender)	19.76
Hitaj et al. (2 sender)	65.87
Hitaj et al. (4 sender)	263.47

, we compare this with other FL-based covert channel schemes.

Table 5 clearly shows that our scheme has a higher channel capacity compared to other FL-based covert channel schemes.

5.4. Performance Comparison before and after Scheme Implementation

In this section, we will conduct experiments to compare the performance of the FL system before and after the implementation of the proposed scheme. This comparison aims to evaluate the impact of the scheme on the system’s overall performance, focusing on two key metrics: model accuracy and convergence time. By analyzing the results from both scenarios, we can determine whether the scheme introduces any negative impacts on model training effectiveness or other aspects of system performance. The specific performance results are shown in Figure 8.

Based on the experimental results, we can draw the following conclusions: whether or not the proposed scheme is implemented, the training accuracy reaches a peak of 90–95% between rounds 10–15, and the validation accuracy stabilizes around 90%. Regarding convergence time, the implementation of the scheme did not significantly extend the overall convergence time of the model. This demonstrates that the proposed scheme does not have a negative impact on the FL system in terms of model accuracy and convergence time.

6. Related Works

This paper conducts a comprehensive survey and analysis of existing FL-based covert communication techniques. Here, we focus on the characteristics and advantages and disadvantages of three representative schemes. By analyzing the following schemes, we can better understand their applicability and effectiveness in different application scenarios.

Hitaj et al. [38] proposed FedComm, a novel technique that leverages FL as a covert communication medium. FL trains deep neural networks collaboratively across multiple parties, avoiding the sharing of actual training data and thus protecting data privacy. However, FedComm exploits the shared model parameters in FL to establish a covert communication channel for transmitting arbitrary information among participants. This paper thoroughly investigates the communication capacity of FedComm and proposes encoding schemes based on code division multiple access (CDMA) and low-density parity-check (LDPC) error correction techniques. Experimental results demonstrate that FedComm can successfully transmit information up to thousands of bits in size before the FL process converges, without significantly interfering with the training process. Furthermore, FedComm is independent of the application domain and neural network architecture, exhibiting high robustness and concealment. The advantage of this technique lies in utilizing the shared model parameters of FL to establish a covert communication channel, incorporating CDMA and LDPC error correction techniques. While FedComm shows high robustness and concealment, it requires achieving covert communication without significantly disrupting the training process, and its practical effectiveness across different application domains and neural network architectures requires further validation.

Kim et al. [39] proposed an innovative covert communication technique that enables covert communication between the FL server and participants without affecting the performance of FL. The covert message is superimposed onto the aggregated gradient by the FL server, which then broadcasts the superimposed signal to all FL participants. FL participants remove the hidden message from the superimposed signal, consider the aggregated gradient as interference, and then restore the original global model. However, the scheme does not adequately consider the impact of noise and channel fading on the covert communication rate and FL performance. Although the authors mentioned that future research will address these factors, the current study does not provide specific solutions or experimental data.

Hou et al. [40] proposed a novel covert communication technique that integrates unmanned aerial vehicles (UAVs) with FL. The UAV is responsible for orchestrating FL operations and enhancing communication secrecy by emitting artificial noise (AN) to interfere with eavesdroppers. This technique achieves a balance between security and training cost by optimizing the UAV’s trajectory and AN transmission power, as well as the CPU frequency, transmission power, and bandwidth allocation of participating devices. However, the proposed scheme’s reliance on emitting AN to enhance security could adversely affect the channels of legitimate users, thereby impacting FL performance.

Both Hitaj et al.’s FedComm scheme and Kim et al.’s scheme achieve covert communication by exploiting shared model parameters, which can potentially impact FL performance. In contrast, the proposed scheme utilizes the homomorphic additive property of HE to embed secret information, ensuring that the ciphertext remains identical in usability before and after embedding, thus avoiding any negative impact on FL performance. Hou et al.’s scheme relies on UAVs and AN to enhance security, which may negatively affect legitimate users’ communication channels. In contrast, the proposed scheme ensures high concealment and transmission efficiency while minimizing any adverse effects on FL performance.

7. Conclusions and Future Works

This paper presents a stealthy communication system model for the privacy-preserving FL framework based on HE, addressing the issue of protecting the integrity of aggregated results in FL. The proposed scheme embeds the hash value of the aggregated result received by the client into the ciphertext of the local model parameters as secret information. The server can then verify whether the sent aggregated result has been tampered with upon receiving the ciphertext containing the secret. Additionally, the scheme enhances its stealthiness by using chaotic sequences to select the embedding positions of the secret information. Experimental results demonstrate that the normal ciphertext and the ciphertext with embedded covert information are indistinguishable through statistical methods, and it has a high channel capacity, ensuring the secure transmission of secret information. This scheme can serve as a solution for protecting the integrity of FL aggregated results.

However, the proposed scheme in this paper still has limitations. For instance, during the upload process of the local model, there remains the risk of integrity attacks on the ciphertext of the local model parameters by adversaries. This issue has not yet been resolved in our current scheme and will be the focus of our future research work.

In future work, we plan to explore how to use covert communication to protect the integrity of local models in FL, thus expanding the application scope of the scheme. This approach will further enhance the integrity of ciphertexts in HE-based FL. Furthermore, to fully capitalize on each method’s advantages in terms of privacy protection, we will consider incorporating encryption algorithms alongside covert channel strategies. By combining these encryption techniques with covert communication, we aim to develop a more resilient defense system capable of addressing a variety of challenging security issues. Our goal is to develop a more resilient defense system that can handle a variety of challenging security issues by merging these methods. User trust will rise as a result of this integration’s contribution to a more thorough data privacy and security precaution. In addition, we plan to use the SHA-3 hashing algorithm—which is derived from the Keccak algorithm—into our upcoming studies. Since SHA-3 is a more recent hash algorithm, it offers superior security and collision resistance, giving our system further safety. We think that by making these improvements, FL systems’ overall security and dependability can be further strengthened, satisfying the needs of a wider range of applications.