Decentralised learning has recently gained traction as an alternative to federated learning in which both data and coordination are distributed over its users. To preserve the confidentiality of users' data, decentralised learning relies on differential privacy, multi-party computation, or a combination thereof. However, running multiple privacy-preserving summations in sequence may allow adversaries to perform reconstruction attacks. Unfortunately, current reconstruction countermeasures either cannot trivially be adapted to the distributed setting, or add excessive amounts of noise. In this work, we first show that passive honest-but-curious adversaries can reconstruct other users' private data after several privacy-preserving summations. For example, in subgraphs with 18 users, we show that only three passive honest-but-curious adversaries succeed at reconstructing private data 11.0% of the time, requiring an average of 8.8 summations per adversary. The success rate is independent of the size of the full network. We consider weak adversaries, who do not control the graph topology and can exploit neither the workings of the summation protocol nor the specifics of users' data. We develop a mathematical understanding of how reconstruction relates to topology and propose the first topology-based decentralised defence against reconstruction attacks. Specifically, we show that reconstruction requires a number of adversaries linear in the length of the network's shortest cycle. Consequently, reconstructing private data from privacy-preserving summations is impossible in acyclic networks. Our work is a stepping stone for a formal theory of decentralised reconstruction defences based on topology. Such a theory would generalise our countermeasure beyond summation, define confidentiality in terms of entropy, and describe the effects of (topology-aware) differential privacy.

翻译：分散式学习最近作为一种联邦学习的替代方案受到关注，其数据和协调都分布在用户之间。为了保护用户数据的机密性，分散式学习依赖于差分隐私、多方计算或两者的结合。然而，连续运行多个隐私保护求和操作可能使攻击者能够执行重建攻击。不幸的是，现有的重建防御措施要么无法直接适应分布式设置，要么会添加过量的噪声。在这项工作中，我们首先表明，被动的诚实但好奇的攻击者可以在多次隐私保护求和后重建其他用户的私有数据。例如，在包含18个用户的子图中，我们证明仅需三个被动的诚实但好奇的攻击者，就有11.0%的概率成功重建私有数据，每个攻击者平均需要8.8次求和操作。该成功率与完整网络的规模无关。我们考虑弱攻击者，他们不控制图拓扑，也无法利用求和协议的工作原理或用户数据的具体细节。我们建立了重建与拓扑之间关系的数学理解，并提出了首个基于拓扑的分散式重建攻击防御方法。具体而言，我们表明，重建需要攻击者数量与网络最短环的长度成线性关系。因此，在无环网络中，从隐私保护求和中重建私有数据是不可能的。我们的工作为基于拓扑的分散式重建防御形式化理论奠定了基础。该理论将把我们的防御措施推广到求和之外，以熵的形式定义机密性，并描述（拓扑感知的）差分隐私的效果。