Privacy-preserving federated averaging is a central approach for protecting client privacy in federated learning. In this paper, we study this problem in an asynchronous communication setting with malicious aggregators. We propose a new solution to provide federated averaging in this model while protecting clients' data privacy through secure aggregation and differential privacy. Our solution maintains the same performance as the state of the art across all metrics. The main contributions of this paper are threefold. First, unlike existing single- or multi-server solutions, we consider malicious aggregation servers that may manipulate the model to leak clients' data or halt computation. To tolerate this threat, we replicate the aggregators, allowing a fraction of them to be corrupted. Second, we propose a new privacy-preservation protocol for asynchronous communication models with Byzantine aggregators. In this protocol, clients mask their values and add Gaussian noise to their models. In contrast with previous works, we use the replicated servers to unmask the models, while ensuring the liveness of training even if aggregators misbehave. Third, the asynchronous communication model introduces new challenges not present in existing approaches. In such a setting, faster clients may contribute more frequently, potentially reducing their privacy and biasing the training. To address this, we introduce an inclusion mechanism that ensures uniform client participation and balanced privacy budgets. Interestingly, the solution presented in this paper does not rely on agreement between aggregators. Thus, we circumvent the known impossibility of consensus in asynchronous settings where processes might crash. Additionally, this feature increases availability, as a consensus-based algorithm only progresses in periods of low latency.