Federated learning and MPC

Cheng Hong
The Sugar Beet: Applied MPC
Jan 16, 2020

This post is copied from the blog of Alibaba Gemini Lab.

Federated learning (FL), originally proposed by Google, is one of the privacy-preserving machine learning (PPML) technologies. According to the definition on Wikipedia, FL is a machine learning technique that trains a model across multiple decentralized edge devices or servers holding local data samples. FL is designed to exchange parameters instead of raw data, which provides users with a sense of security and has made FL one of the most promising PPML techniques.

FL shares some settings with MPC, and this post tries to describe how they differ.

Main idea of FL

The main idea of FL comes from the design of the parameter server, which aims to solve the distributed training problem. The following figure, taken from Li et al., roughly summarizes the FL architecture:

  1. The coordinator sends the initial model W to all the participants;
  2. The i-th participant trains locally using W and obtains an update ΔW_i;
  3. All the participants send their updates to the coordinator;
  4. The coordinator aggregates the updates and uses them to update W;
  5. Repeat Steps 1–4 until convergence.

Secure aggregation

At first glance, the security of FL depends on whether the update ΔW_i leaks information about the underlying data samples. Unfortunately, a lot of research has already concluded that the answer is YES:

Exploiting unintended feature leakage in collaborative learning (in SP2019),

Deep leakage from gradients (in NeurIPS2019),

Beyond Inferring Class Representatives: User-Level Privacy Leakage From Federated Learning (in INFOCOM2019).

How can the leakage caused by the updates be reduced? The answer is secure aggregation, a method that secretly sums all the updates so that the coordinator only sees the aggregated result. Since the result comes from all of the participants, the coordinator can hardly learn anything meaningful about a single participant.

Note that secure aggregation can be instantiated with cryptographic methods such as MPC and homomorphic encryption, but it only makes the aggregation step of FL secure and does not ensure a fully secure FL procedure.

Limitation of secure aggregation

Note that secure aggregation is only effective when there is a large number of participants, as in the edge computing scenario where the participants are mobile devices. Google Gboard is one such use case.

But if FL is used with only a few participants (e.g. two), it becomes problematic, even with secure aggregation. The reason is straightforward: upon seeing the updated model in the i-th loop, one participant can simply remove its own update in the (i−1)-th loop to figure out the other one's update. This is inevitable as long as a new model is released in the clear each round.

There also exist solutions that encrypt the updates with homomorphic encryption, but as long as the updates are decrypted at some intermediate step, the same problem exists.

We have a short paper Quantification of the Leakage in Federated Learning (in FL-NeurIPS2019) describing this.
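The limitation described in this section, as an added example that is not part of the original post: secure aggregation is modelled with pairwise additive masks over integers mod 2^32 (one possible construction, chosen here as an assumption), and the aggregate stands in for what a newly released model reveals. The function names and the sample updates are constructed for illustration.

```python
import secrets

MOD = 2**32  # assumption: updates are fixed-point integers, summed mod 2^32

def pairwise_masks(n, dim):
    """Per-participant masks built from pairwise random vectors; they sum to 0."""
    masks = [[0] * dim for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            for k in range(dim):
                r = secrets.randbelow(MOD)  # secret shared by i and j only
                masks[i][k] = (masks[i][k] + r) % MOD
                masks[j][k] = (masks[j][k] - r) % MOD
    return masks

def secure_aggregate(updates):
    """Return (masked updates the coordinator sees, their sum mod MOD)."""
    masks = pairwise_masks(len(updates), len(updates[0]))
    masked = [[(u + m) % MOD for u, m in zip(upd, msk)]
              for upd, msk in zip(updates, masks)]
    total = [sum(col) % MOD for col in zip(*masked)]
    return masked, total

def residual(own_update, total):
    """What a participant is left with after removing its own update
    from the aggregate that the newly released model reveals."""
    return [(t - u) % MOD for t, u in zip(total, own_update)]

if __name__ == "__main__":
    # Constructed sample updates (two coordinates each).
    alice, bob, carol = [5, 7], [11, 13], [2, 3]

    _, total2 = secure_aggregate([alice, bob])
    print("2 parties, Alice's residual:", residual(alice, total2))  # Bob's update

    _, total3 = secure_aggregate([alice, bob, carol])
    print("3 parties, Alice's residual:", residual(alice, total3))  # Bob + Carol
```

With two participants the masking hides each update from the coordinator, yet the released sum hands each participant the other's exact update; with three, the residual is only the sum of the other two.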

Comparing FL with Secure Multi-party Computation (MPC)

We introduced MPC in our previous blog post. Briefly speaking, MPC is a cryptographic definition under which no intermediate information is revealed during the whole computation; all it reveals is the final result. In contrast, FL is a machine learning definition that iteratively collects updates and updates the model, which is revealed in each iteration.

MPC enjoys a much higher security level, at the price of expensive cryptographic operations, which often result in higher computation and communication cost. FL loosens the security requirements, enabling a clearer and more efficient implementation.

It's worth mentioning that MPC is already very efficient for simple models and small numbers of participants. For example, the logistic regression example in another of our blog posts can be done in several seconds. However, for complex tasks such as training on millions of mobile phones, FL is probably the only realistic solution.

Conclusion

In conclusion, we compare FL with MPC using the following figure, which represents only the writer's personal view.
