Federated learning (FL) allows multiple participants to collaboratively build deep learning (DL) models without directly sharing data. Consequently, copyright protection in FL becomes important, since unreliable participants may gain access to the jointly trained model. Applying homomorphic encryption (HE) in a secure FL framework prevents the central server from accessing plaintext models, so it is no longer feasible to embed a watermark at the central server using existing watermarking schemes. In this paper, we propose a novel client-side FL watermarking scheme to tackle the copyright protection issue in secure FL with HE. To the best of our knowledge, it is the first scheme to embed a watermark into models under the secure FL environment. We design a black-box watermarking scheme based on client-side backdooring that embeds a pre-designed trigger set into an FL model by a gradient-enhanced embedding method. Additionally, we propose a trigger set construction mechanism to ensure that the watermark cannot be forged. Experimental results demonstrate that our proposed scheme delivers outstanding protection performance and robustness against various watermark removal attacks and ambiguity attacks.