Federated learning (FL) provides an efficient paradigm for jointly training a global model on data held by distributed users. Because the local training data comes from different users, some of whom may be untrustworthy, several studies have shown that FL is vulnerable to poisoning attacks. Meanwhile, to protect the privacy of local users, FL is usually trained in a differentially private way (DPFL). Thus, in this paper, we ask: What are the underlying connections between differential privacy and certified robustness in FL against poisoning attacks? Can we leverage the innate privacy property of DPFL to provide certified robustness for FL? Can we further improve the privacy of FL to strengthen such robustness certification? We first investigate both user-level and instance-level privacy of FL and provide a formal privacy analysis that achieves improved instance-level privacy. We then provide two robustness certification criteria for DPFL at both the user and instance levels: certified prediction and certified attack inefficacy. Theoretically, we derive the certified robustness of DPFL under both criteria given a bounded number of adversarial users or instances. Empirically, we conduct extensive experiments to verify our theory under a range of poisoning attacks on different datasets. We find that increasing the level of privacy protection in DPFL results in stronger certified attack inefficacy; however, it does not necessarily lead to stronger certified prediction. Thus, achieving the optimal certified prediction requires a proper balance between privacy and utility loss.
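To make the user-level mechanism concrete, here is a toy round of user-level DP-FedAvg (per-user update clipping followed by Gaussian noise on the sum), written as an added example rather than code from the paper. The clip-and-noise recipe is the standard user-level DP-FedAvg construction; the user count, clip norm, noise multiplier and the sample updates are constructed for the demo. The `worst_case_shift_bound` function states only the plain sensitivity argument (replacing k clipped updates of norm at most C moves the average by at most 2kC/n); it is not the paper's certification theorem, which the abstract does not spell out.

```python
"""Toy user-level DP-FedAvg round: per-user clipping plus Gaussian noise.

Added illustration, not the paper's code. Constants and sample updates
are assumptions chosen for the demo.
"""
import math
import random


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def clip_update(update, clip_norm):
    """Scale a user's update down so its L2 norm is at most clip_norm."""
    norm = l2_norm(update)
    if norm <= clip_norm:
        return list(update)
    scale = clip_norm / norm
    return [x * scale for x in update]


def dp_fedavg_aggregate(user_updates, clip_norm, noise_multiplier, rng):
    """Clip each update, sum, add N(0, (z*C)^2) noise per coordinate, average.

    Clipping bounds each user's influence on the sum (replacing one user
    changes it by at most 2*C in L2), which is the sensitivity the Gaussian
    noise is calibrated against for user-level differential privacy.
    """
    clipped = [clip_update(u, clip_norm) for u in user_updates]
    n, dim = len(clipped), len(clipped[0])
    total = [sum(c[j] for c in clipped) for j in range(dim)]
    sigma = noise_multiplier * clip_norm
    if sigma > 0:
        total = [t + rng.gauss(0.0, sigma) for t in total]
    return [t / n for t in total]


def worst_case_shift_bound(n_users, k_adversarial, clip_norm):
    """Largest L2 shift k adversarial users can cause in the pre-noise average."""
    return 2.0 * k_adversarial * clip_norm / n_users


def observed_shift(benign_updates, poisoned_updates, clip_norm):
    """Pre-noise L2 shift when adversaries swap in their own updates."""
    rng = random.Random(0)
    clean = dp_fedavg_aggregate(benign_updates, clip_norm, 0.0, rng)
    poisoned = dp_fedavg_aggregate(poisoned_updates, clip_norm, 0.0, rng)
    return l2_norm([p - c for p, c in zip(poisoned, clean)])


def demo(n_users=10, k_adv=2, clip_norm=1.0, dim=4):
    """Constructed scenario: k boosted (model-replacement style) updates among n users."""
    rng = random.Random(42)
    # Constructed benign updates: norm ~0.5, roughly aligned, so never clipped.
    benign = [[0.25 + rng.gauss(0.0, 0.05) for _ in range(dim)] for _ in range(n_users)]
    # Adversaries send a heavily scaled update in the opposite direction.
    poisoned = [list(u) for u in benign]
    for i in range(k_adv):
        poisoned[i] = [-50.0] * dim
    shift_clipped = observed_shift(benign, poisoned, clip_norm)
    shift_unclipped = observed_shift(benign, poisoned, 1e9)  # effectively no clipping
    bound = worst_case_shift_bound(n_users, k_adv, clip_norm)
    return shift_clipped, shift_unclipped, bound


if __name__ == "__main__":
    clipped, unclipped, bound = demo()
    print(f"shift with clipping: {clipped:.3f} (bound {bound:.3f})")
    print(f"shift without clipping: {unclipped:.3f}")
```

With clipping, the two boosted updates move the average by roughly 0.3 against the bound of 0.4; without clipping the same adversaries move it by about 20. Noise on top of the clipped sum is what turns this bounded influence into a privacy guarantee, and the paper's point is that the same bounded-influence-plus-noise structure is what its certification results build on.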