Decentralized learning (DL) enables collaborative learning without a server and without training data leaving users' devices. However, the models shared in DL can still be used to infer training data. Conventional defenses such as differential privacy and secure aggregation fall short of effectively safeguarding user privacy in DL, sacrificing either model utility or efficiency. We introduce Shatter, a novel DL approach in which nodes create virtual nodes (VNs) to disseminate chunks of their full model on their behalf. This enhances privacy by (i) preventing attackers from collecting full models from other nodes, and (ii) hiding the identity of the original node that produced a given model chunk. We theoretically prove the convergence of Shatter and provide a formal analysis demonstrating how Shatter reduces the efficacy of attacks compared to exchanging full models between nodes. We evaluate the convergence and attack resilience of Shatter with existing DL algorithms, on heterogeneous datasets, and against three standard privacy attacks. Our evaluation shows that Shatter not only renders these privacy attacks infeasible when each node operates 16 VNs but also has a positive impact on model utility compared to standard DL. In summary, Shatter enhances the privacy of DL while maintaining model utility and efficiency.