Federated learning is known to be vulnerable to both security and privacy issues. Existing research has focused either on preventing poisoning attacks from users or on concealing the local model updates from the server, but not both. However, integrating these two lines of research remains a crucial challenge since they often conflict with one another with respect to the threat model. In this work, we develop a principled framework that offers both privacy guarantees for users and detection of poisoning attacks from them. With a new threat model that includes both an honest-but-curious server and malicious users, we first propose a secure aggregation protocol using homomorphic encryption for the server to combine local model updates in a private manner. Then, a zero-knowledge proof protocol is leveraged to shift the task of detecting attacks in the local models from the server to the users. The key observation here is that the server no longer needs access to the local models for attack detection. Therefore, our framework enables the central server to identify poisoned model updates without violating the privacy guarantees of secure aggregation.
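The secure-aggregation step described above, as an added example that is not the paper's protocol: a toy additively homomorphic (Paillier) scheme in which clients encrypt fixed-point model updates, the server multiplies ciphertexts to obtain an encryption of their sum, and only a separate key holder decrypts the aggregate. The key size, the sample updates, and the assumption that the decryption key lives outside the aggregating server are constructed for illustration; the zero-knowledge detection step is not shown.

```python
import random
from math import gcd

# Toy Paillier key (constructed, far too small for real use; illustration only)
P, Q = 1000003, 1000033
N, N2 = P * Q, (P * Q) ** 2
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
G = N + 1
SCALE = 1000  # fixed-point scale for float model weights

def _L(x):
    return (x - 1) // N

MU = pow(_L(pow(G, LAMBDA, N2)), -1, N)

def encrypt(m):
    """Paillier encryption of a signed integer m (stored as m mod N)."""
    r = random.randrange(1, N)
    while gcd(r, N) != 1:
        r = random.randrange(1, N)
    return (pow(G, m % N, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    m = (_L(pow(c, LAMBDA, N2)) * MU) % N
    return m - N if m > N // 2 else m  # map back to a signed value

def encode(update):
    """Client: float update -> fixed-point ints -> one ciphertext per weight."""
    return [encrypt(round(w * SCALE)) for w in update]

def aggregate(encrypted_updates):
    """Server: coordinate-wise ciphertext product = encryption of the sum.
    The server never holds the decryption key, so it sees no local model."""
    agg = [1] * len(encrypted_updates[0])
    for enc in encrypted_updates:
        agg = [(a * c) % N2 for a, c in zip(agg, enc)]
    return agg

def decode_average(agg, n_clients):
    """Key holder (assumed separate from the server): decrypts only the sum."""
    return [decrypt(c) / SCALE / n_clients for c in agg]

# Constructed sample: three clients' local updates, four weights each
UPDATES = [[0.5, -1.25, 0.0, 2.0], [-0.5, 0.75, 1.0, -1.0], [1.0, 0.5, -0.5, 0.5]]

def run_demo():
    ciphertexts = [encode(u) for u in UPDATES]
    return decode_average(aggregate(ciphertexts), len(UPDATES))
```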