Bidirectional privacy-preserving federated learning is crucial, as both the local gradients and the global model may leak private information. However, only a few works attempt to achieve it, and they often face challenges such as excessive communication and computational overheads, or significant degradation of model accuracy, which hinders their practical application. In this paper, we design an efficient and high-accuracy bidirectional privacy-preserving scheme for federated learning that provides both secure model training and secure aggregation. To efficiently achieve bidirectional privacy, we design an efficient and accuracy-lossless model perturbation method on the server side (called $\mathbf{MP\_Server}$) that can be combined with local differential privacy (LDP) to prevent clients from accessing the model, while ensuring that the local gradients obtained on the server side satisfy LDP. Furthermore, to preserve model accuracy, we customize a distributed differential privacy mechanism on the client side (called $\mathbf{DDP\_Client}$). When combined with $\mathbf{MP\_Server}$, it ensures LDP of the local gradients while ensuring that the aggregated result matches the accuracy of central differential privacy (CDP). Extensive experiments demonstrate that our scheme significantly outperforms state-of-the-art bidirectional privacy-preserving baselines (SOTAs) in terms of computational cost, model accuracy, and defense capability against privacy attacks. In particular, for a given target accuracy, the training time of the SOTAs is approximately $200$ times, or even over $1000$ times, longer than that of our scheme. When the privacy budget is set relatively small, our scheme incurs less than $6\%$ accuracy loss compared to the privacy-ignoring method, while the SOTAs suffer up to $20\%$ accuracy loss. Experimental results also show that the defense capability of our scheme outperforms that of the SOTAs.