Decentralised learning has recently gained traction as an alternative to federated learning in which both data and coordination are distributed. To preserve the confidentiality of users' data, decentralised learning relies on differential privacy, multi-party computation, or both. However, running multiple privacy-preserving summations in sequence may allow adversaries to perform reconstruction attacks. Current reconstruction countermeasures either cannot trivially be adapted to the distributed setting, or add excessive amounts of noise. In this work, we first show that passive honest-but-curious adversaries can infer other users' private data after several privacy-preserving summations. For example, in subgraphs with 18 users, we show that only three passive honest-but-curious adversaries succeed at reconstructing private data 11.0% of the time, requiring an average of 8.8 summations per adversary. The success rate depends only on the adversaries' direct neighbourhood, and is independent of the size of the full network. We consider weak adversaries that do not control the graph topology, cannot exploit the summation's inner workings, and do not have auxiliary knowledge; and show that these adversaries can still infer private data. We analyse how reconstruction relates to topology and propose the first topology-based decentralised defence against reconstruction attacks. We show that reconstruction requires a number of adversaries linear in the length of the network's shortest cycle. Consequently, exact attacks over privacy-preserving summations are impossible in acyclic networks. Our work is a stepping stone for a formal theory of topology-based decentralised reconstruction defences. Such a theory would generalise our countermeasure beyond summation, define confidentiality in terms of entropy, and describe the interactions with (topology-aware) differential privacy.
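As an added illustration (not code from the paper), the sketch below audits a topology under a simplified model assumed here: private values are static, each colluding adversary observes one exact sum over its direct neighbours, and colluders subtract each other's known values. The function names and both graphs are constructed for this example.

```python
from fractions import Fraction

def build_graph(edges):
    """Undirected adjacency map from an edge list."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def rref(rows):
    """Reduced row echelon form over exact rationals (no rounding error)."""
    m = [[Fraction(x) for x in r] for r in rows]
    pivot_row = 0
    for col in range(len(m[0]) if m else 0):
        pr = next((r for r in range(pivot_row, len(m)) if m[r][col] != 0), None)
        if pr is None:
            continue
        m[pivot_row], m[pr] = m[pr], m[pivot_row]
        pv = m[pivot_row][col]
        m[pivot_row] = [x / pv for x in m[pivot_row]]
        for r in range(len(m)):
            if r != pivot_row and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[pivot_row])]
        pivot_row += 1
    return m[:pivot_row]

def exposed_users(graph, adversaries):
    """Honest users whose value the colluders' sums determine uniquely."""
    honest = sorted(set(graph) - set(adversaries))
    # One linear equation per adversary, over the honest unknowns only.
    rows = [[1 if h in graph[a] else 0 for h in honest]
            for a in sorted(adversaries)]
    exposed = []
    for row in rref(rows):
        nonzero = [i for i, c in enumerate(row) if c != 0]
        # A unit row means that single unknown is fixed by the observed sums.
        if len(nonzero) == 1:
            exposed.append(honest[nonzero[0]])
    return sorted(exposed)

ADVERSARIES = {"a1", "a2", "a3"}
# Constructed 6-cycle: every adversary's sum covers two honest users.
CYCLE = build_graph([("a1", "v"), ("a1", "w"), ("a2", "w"),
                     ("a2", "u"), ("a3", "u"), ("a3", "v")])
# Same adversaries, but the last edge goes to a new user z: the graph is a path.
PATH = build_graph([("a1", "v"), ("a1", "w"), ("a2", "w"),
                    ("a2", "u"), ("a3", "u"), ("a3", "z")])

if __name__ == "__main__":
    print("cycle:", exposed_users(CYCLE, ADVERSARIES))
    print("path: ", exposed_users(PATH, ADVERSARIES))
```

In the constructed cycle the three sums pin down every honest value even though no single sum reveals one; in the acyclic variant the same three adversaries are left with an underdetermined system.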