Secure aggregation (SecAgg) is a commonly used privacy-enhancing mechanism in federated learning, affording the server access only to the aggregate of model updates while safeguarding the confidentiality of individual updates. Despite widespread claims regarding SecAgg's privacy-preserving capabilities, a formal analysis of its privacy is lacking, making such presumptions unjustified. In this paper, we delve into the privacy implications of SecAgg by treating it as a local differential privacy (LDP) mechanism for each local update. We design a simple attack wherein an adversarial server seeks to discern which update vector a client submitted, out of two possible ones, in a single training round of federated learning under SecAgg. By conducting privacy auditing, we assess the success probability of this attack and quantify the LDP guarantees provided by SecAgg. Our numerical results reveal that, contrary to prevailing claims, SecAgg offers weak privacy against membership inference attacks even in a single training round. Indeed, it is difficult to hide a local update by adding other independent local updates when the updates are of high dimension. Our findings underscore the imperative for additional privacy-enhancing mechanisms, such as noise injection, in federated learning.
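The following is an added illustration, not code from the paper, of the auditing argument in the abstract: the aggregate the server sees is the client's update plus the sum of the other clients' updates, and if that sum is modelled as Gaussian (an assumption made here for tractability, not a claim of the paper), SecAgg is exactly a Gaussian mechanism whose noise scale does not grow with the dimension while the distance between the two candidate updates does. The code estimates the two-hypothesis distinguisher's success rate, both in closed form and by Monte Carlo, and converts the noise-to-sensitivity ratio into an (ε, δ) guarantee using the analytic Gaussian mechanism bound (Balle and Wang, 2018). The number of other clients, the per-coordinate spread `sigma`, the per-coordinate gap `delta` between the two candidate updates, and the optional injected noise `dp_noise` are all constructed parameters.

```python
"""
Added example (not from the paper): a toy privacy audit of SecAgg modelled as a
Gaussian mechanism.  Assumptions (labelled): the other clients' updates are
i.i.d. N(0, sigma^2) per coordinate, the two candidate updates u0 and u1 differ
by `delta` in every one of `d` coordinates, and the auditing server uses the
optimal likelihood-ratio distinguisher.
"""
import math
import random


def _phi(x: float) -> float:
    """Standard normal CDF via erfc, so far tails do not round to exactly 0 or 1."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def background_std(n_others: int, sigma: float, dp_noise: float = 0.0) -> float:
    """Per-coordinate std of everything the aggregate adds on top of the target update:
    the sum of n_others independent N(0, sigma^2) updates plus optional injected noise."""
    return math.sqrt(n_others * sigma ** 2 + dp_noise ** 2)


def analytic_success(d, n_others, delta, sigma, dp_noise=0.0):
    """Exact success probability of the optimal test between u0 and u1 when the rest
    of the aggregate is Gaussian: Phi(||u1 - u0|| / (2 * std)).  The L2 gap grows as
    sqrt(d) while the noise std does not depend on d, which is the abstract's point."""
    sensitivity = delta * math.sqrt(d)
    return _phi(sensitivity / (2.0 * background_std(n_others, sigma, dp_noise)))


def empirical_success(d, n_others, delta, sigma, dp_noise=0.0, trials=400, seed=1):
    """Monte Carlo estimate of the same quantity: simulate one SecAgg round per trial."""
    rng = random.Random(seed)
    u0 = [0.0] * d
    u1 = [delta] * d
    std = background_std(n_others, sigma, dp_noise)
    correct = 0
    for _ in range(trials):
        b = rng.randint(0, 1)
        target = u1 if b else u0
        # The server only sees the aggregate: target update + sum of the others + noise.
        # A sum of i.i.d. Gaussian vectors is Gaussian, so it is sampled directly here.
        agg = [target[i] + rng.gauss(0.0, std) for i in range(d)]
        # Likelihood-ratio test under a Gaussian background = nearest-hypothesis rule.
        dist0 = sum((agg[i] - u0[i]) ** 2 for i in range(d))
        dist1 = sum((agg[i] - u1[i]) ** 2 for i in range(d))
        correct += int((1 if dist1 < dist0 else 0) == b)
    return correct / trials


def gaussian_epsilon(sensitivity, std, delta_dp=1e-5):
    """Smallest eps such that the Gaussian mechanism with L2 sensitivity `sensitivity`
    and noise std `std` is (eps, delta_dp)-DP, from the analytic Gaussian mechanism:
    delta(eps) = Phi(s/2σ - εσ/s) - e^ε Phi(-s/2σ - εσ/s), solved by bisection."""
    def delta_of(eps):
        a = sensitivity / (2.0 * std)
        b = eps * std / sensitivity
        return _phi(a - b) - math.exp(eps) * _phi(-a - b)
    lo, hi = 0.0, 200.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if delta_of(mid) > delta_dp:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    n_others, delta, sigma = 100, 1.0, 1.0
    for d in (10, 100, 1000):
        s = delta * math.sqrt(d)
        print(f"d={d:5d}  success(analytic)={analytic_success(d, n_others, delta, sigma):.3f}"
              f"  success(empirical)={empirical_success(d, n_others, delta, sigma):.3f}"
              f"  eps@1e-5={gaussian_epsilon(s, background_std(n_others, sigma)):.2f}")
    # Same setting with injected per-coordinate noise of std 100 (the paper's remedy):
    d = 1000
    print(f"d={d}, dp_noise=100: success={analytic_success(d, n_others, delta, sigma, 100.0):.3f}")
```

Running the script shows the distinguisher moving from near coin-flip accuracy at d=10 to well above 90% at d=1000 with the same 100 "hiding" clients, and the corresponding ε growing with sqrt(d); adding independent noise whose scale is chosen for the sensitivity, rather than relying on other clients' updates, pulls the success rate back toward 1/2.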