Federated learning (FL) provides an efficient paradigm to jointly train a global model leveraging data from distributed users. As local training data comes from different users who may not be trustworthy, several studies have shown that FL is vulnerable to poisoning attacks. Meanwhile, to protect the privacy of local users, FL is usually trained in a differentially private way (DPFL). Thus, in this paper, we ask: What are the underlying connections between differential privacy and certified robustness in FL against poisoning attacks? Can we leverage the innate privacy property of DPFL to provide certified robustness for FL? Can we further improve the privacy of FL to improve such robustness certification? We first investigate both user-level and instance-level privacy of FL and provide formal privacy analysis to achieve improved instance-level privacy. We then provide two robustness certification criteria: certified prediction and certified attack inefficacy for DPFL on both user and instance levels. Theoretically, we provide the certified robustness of DPFL based on both criteria given a bounded number of adversarial users or instances. Empirically, we conduct extensive experiments to verify our theories under a range of poisoning attacks on different datasets. We find that increasing the level of privacy protection in DPFL results in stronger certified attack inefficacy; however, it does not necessarily lead to a stronger certified prediction. Thus, achieving the optimal certified prediction requires a proper balance between privacy and utility loss.