Secure Aggregation

Fed-BioMed offers a secure aggregation framework where local model parameters of each node are encrypted before sending them to the researcher/aggregator for aggregation. Parameters are encrypted using homomorphic encryption that ties the decryption of the parameters to the execution of fixed computations. This guarantees that the model parameters will remain secure on aggregator level, and researcher (component) or/and end-user will only have the final decrypted aggregated parameters.

Technologies

MP-SPDZ

Fed-BioMed uses MP-SPDZ library for multi-party computation by launching MP-SPDZ protocols at each secure aggregation context setup request. MP-SPDZ processes are started at each request and stopped after context setup computation is completed.

Fault Tolerant Secure Aggregation

Fed-BioMed uses a modified version of Joye-Libert scheme implementation from repository fault-tolerant-secure-agg.

Methods and Techniques

Joye-Libert Secure Aggregation Scheme

Secure aggregation in Fed-BioMed is achieved through the use of a mix of the Joye-Libert (JL) aggregation scheme and the Shamir multi-party computation (MPC) protocol. JL is an additively homomorphic encryption (AHE) technique that encrypts model parameters locally using private and unique 2048-bit keys. The sum of encrypted model parameters can only be decrypted using the sum of private keys from each node that participate in the federated learning (FL) experiment. However, the encryption key used on each node is private and not shared with other parties or the central aggregator. Therefore, server key is calculated using MPC without revealing user (node) keys (server-key shares).

Shamir MPC Protocol

Shamir multi-party computation protocol is used to compute the server key, which is equal to the negative sum of nodes' keys and is used for decryption on the researcher component. Thanks to MPC, the server key generation does not reveal nodes' private keys to the aggregator.

Process-flow

Since FL experiments are launched through researcher component, activating secure aggregation and setting up necessary context is done through Experiment class of researcher component. However, the status of the secure aggregation can be managed by node as well: node owner can disable, enable or force secure aggregation (see secure aggregation node configuration for more details).

1. Generating Public Parameter Biprime

At the beginning of the FL experiment, researcher sends secure aggregation context setup request to every node that participates to this experiment. The first request is for generating public parameter Biprime. Biprime is multiplication of two prime numbers that are generated using multi party computation. Final prime number is public while prime shares are private and used for Biprime calculation. Biprime should be calculated using at least two different parties. It is used for encrypting and decrypting aggregated parameters in Joye-Libert AHE.

Current implementation

Since Biprime is public parameter, Fed-BioMed currently uses a default pre-generated 1024-bits biprime. Dynamic biprime generation on our road-map of future releases.

2. Generating random key that are double the length of biprime

After biprime is generated or a default one is loaded, researcher sends another request for generating private key of each node and the corresponding server key for researcher component. Each node generates random private keys.

Key-size

Key size depends on biprime number that is used for secure aggregation. Maximum key-size should be less or equal the double of biprime key-size.

3. Execute Shamir

Once the local key generation is completed, each node launches Shamir protocol to calculate negative sum of keys. The result is only revealed it to the researcher. This protocol is launched using MP-SPDZ library.

4. Encrypting model parameters

If secure aggregation is activated for the Experiment, the training request contains information about which secure aggregation context will be used for encryption. Once training is completed, model parameters are encrypted using biprime and the user (node)-key.

5. Decrypting sum of encrypted model parameters

After the encryption is done and the encrypted model parameters are received by the researcher, all model parameters are aggregated using JL scheme. Aggregated parameters are clear text. Aggregation and decryption can not be performed independently. It is an atomic operation.

Important

Secure aggregation requires at least 3 parties in FL experiment with one researcher and 2 nodes.

Conclusions

In Fed-BioMed, Joye-Libert secure aggregation has been chosen because it provides fast encryption and it does not require the re-generation of server-key and user-key shares for every training round, making it faster. Although it is not tolerant to drop-out during one round of training, the implementation allows the re-configuration of Joye-Libert elements for the next round if a node is dropped or a new node is added.

The security model implemented in Fed-BioMed's secure aggregation primarily targets the case of honest but curious parties.

Next steps

Configuration documentation for more detail about configuring Fed-BioMed instances for secure aggregation.
Certificate and party registration for MPC.
Activating secure aggregation for the training through researcher component.