Privacy and Byzantine resilience are two indispensable requirements for a federated learning (FL) system. Although privacy and Byzantine security have each been studied extensively on their own track, solutions that consider both remain sparse, because privacy-preserving and Byzantine-resilient algorithms are difficult to reconcile. In this work, we propose a solution to this two-fold problem. We use our version of the differentially private stochastic gradient descent (DP-SGD) algorithm to preserve privacy and then apply our Byzantine-resilient algorithms. We note that while existing works follow this general approach, an in-depth analysis of the interplay between DP and Byzantine resilience has been neglected, leading to unsatisfactory performance. Specifically, previous works strive to reduce the impact of the random noise introduced by DP on the Byzantine aggregation. In contrast, we leverage that random noise to construct an aggregation that effectively rejects many existing Byzantine attacks. We provide both theoretical proofs and empirical experiments to show that our protocol is effective: it retains high accuracy while preserving the DP guarantee and Byzantine resilience. Compared with previous work, our protocol 1) achieves significantly higher accuracy even in a high-privacy regime; and 2) works well even when up to 90% of the distributed workers are Byzantine.