An Efficient Privacy-Enhancing Cross-Silo Federated Learning and Applications For False Data Injection Attack Detection in Smart Grids
This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3267892
Abstract—Federated Learning is a prominent machine learning paradigm which helps tackle data privacy issues by allowing clients to
store their raw data locally and transfer only their local model parameters to an aggregator server to collaboratively train a shared
global model. However, federated learning is vulnerable to inference attacks from dishonest aggregators who can infer information
about clients’ training data from their model parameters. To deal with this issue, most of the proposed schemes in literature either
require a non-colluded server setting, a trusted third-party to compute master secret keys or a secure multiparty computation protocol
which is still inefficient over multiple iterations of computing an aggregation model. In this work, we propose an efficient cross-silo
federated learning scheme with strong privacy preservation. By designing a double-layer encryption scheme which has no requirement
to compute discrete logarithm, utilizing secret sharing only at the establishment phase and in the iterations when parties rejoin, and
accelerating the computation performance via parallel computing, we achieve an efficient privacy-preserving federated learning
protocol, which also allows clients to dropout and rejoin during the training process. The proposed scheme is demonstrated
theoretically and empirically to provide provable privacy against an honest-but-curious aggregator server and simultaneously achieve
desirable model utilities. The scheme is applied to false data injection attack detection (FDIA) in smart grids. This is a more secure
cross-silo FDIA federated learning resilient to the local private data inference attacks than the existing works.
Index Terms—privacy-preserving, federated learning, encryption, secret sharing, false data injection attack detection.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3267892
tralized detection machine learning algorithm is expensive and also leads to security and privacy issues including competitive privacy [12]. The question is how to coordinate these TGCs to detect FDI attacks while preserving their competitive privacy. This remains a challenging problem which has been attracting recent studies with federated learning-based solutions. In federated learning, a cross-silo setting is often established where a number of companies or organizations have a common incentive to train a model based on all of their data, but do not share their data directly due to confidentiality/privacy or legal constraints [13]. To enhance the privacy of power companies when they contribute their local training models, an efficient privacy-preserving cross-silo federated learning for FDIA detection over multi-area transmission grids should be designed.
In view of the above issues, we propose an efficient cross-silo federated learning with strong privacy preservation which can be applicable to the smart grid domain. By designing a double-layer encryption scheme over multiple federated learning rounds and utilizing Shamir secret sharing, we achieve an efficient privacy-preserving federated learning protocol, which also allows some clients to drop out and rejoin dynamically during the training process. Specifically, we summarize the main contributions as follows:
• A general privacy-enhancing cross-silo federated learning with a secure weighted aggregation scheme is designed based on lightweight double-layer encryption and Shamir secret sharing. The scheme removes the requirement of computing discrete logarithms which is the limitation of some related works. No multiple non-colluding server settings are required. Besides, clients' secret keys of two encryption layers are generated in a decentralized manner which helps increase privacy.
• The proposed scheme is demonstrated theoretically and empirically to provide provable privacy against an honest-but-curious aggregator server and simultaneously achieve desirable model utility.
• The proposed scheme is efficient in communication/computation and robust against dropouts/rejoining during training iterations.
• An efficient privacy-enhancing cross-silo federated learning resilient to the local training data inference attacks for FDIA detection in the smart grid domain is proposed and empirically evaluated.
This paper consists of eight sections. Following this Introduction section are the Related Works and Preliminaries sections. The proposed privacy-enhancing cross-silo federated learning without any trusted third parties is given in Section 4, followed by the analysis of the scheme in Section 5. A concrete scenario of enhancing privacy in cross-silo federated learning for FDIA detection in smart grids with empirical evaluation is given in Section 6 and Section 7. Finally, Section 8 is for the discussion and conclusions.

2 RELATED WORKS
Existing works on enhancing privacy for federated learning mainly employ two types of techniques. One technique is differential privacy [14], which adds appropriate noise to shared parameters according to the desired privacy level. For example, [15] added Laplace noise to the gradients and selectively shared the perturbed gradients, and [16], [17] presented a client-sided differential privacy federated learning scheme to hide clients' model contributions during training. To protect local models, the noise added to each local model must be big enough, resulting in the aggregate noise corresponding to the aggregate model being too large, which would completely destroy the utility of this model.
The other technique is secure multiparty computation and homomorphic encryption for secure aggregation. The scheme in [18] was based on ElGamal homomorphic encryption. This scheme requires a trusted dealer to provide each participant with a secret key $sk_i$ and the aggregator $sk_0$ such that $\sum_{i=0}^{k} sk_i = 0$. Their private secure aggregation is aggregator oblivious in the encrypt-once random oracle model where each participant only encrypts once in each time period. To decrypt the sum, it ends up computing the discrete logarithm which can be implemented through a brute-force search or Pollard's lambda method which requires $O(\sqrt{k\Delta})$, where $k$ is the number of parties and $\Delta$ is the maximum value of any party's input. To overcome the limitations of solving discrete logarithm problems, [19] presented a scheme in the encrypt-once random oracle model with fast encryption and decryption based on the Decisional Composite Residuosity Assumption, which removes the discrete logarithm computation. However, this scheme also requires a trusted dealer to generate and distribute the secret keys to participants and an aggregator. Besides, both of the approaches in [18] and [19] only deal with secure aggregation of scalars over periods of time (not the secure weighted aggregation of model vectors over multiple iterations of federated learning) and do not deal with dropouts/rejoining problems. Addressing the drawbacks of [18] and [19], the work in [20] proposed a secure aggregation scheme where the input is a vector and which can deal with dropouts. The scheme is based on pairwise additive stream ciphers and Shamir secret sharing to tackle client failures. Diffie-Hellman key exchange is adopted to share common pair-wise seeds of a pseudorandom generator. Double-masking is introduced to prevent leakage if there is any delay in transmission. Nevertheless, this approach requires at least four communication rounds between each client and the aggregator in each iteration and a repetition of Shamir secret sharing for each iteration. Thus, it suffers from communication and computation inefficiency considering the huge number of iterations of federated learning. Utilizing the technique of secure data aggregation in [20], the work in [21] proposed a general privacy-enhanced federated learning scheme with secure weighted aggregation, which can deal with both the data significance evaluation and secure data aggregation. This scheme still inherits the same drawbacks as [20]. Besides, this scheme only resolved a weak security model where there is no collusion between the server and the clients participating in the federated learning. The paper [22] presented Prio, a privacy-preserving system for the collection of aggregate statistics. With a similar approach, [23] introduced SAFELearn, a generic design for efficient private federated learning systems that protect against inference attacks using secure aggregation. However, these designs rely
on multiple non-colluded server settings. Dong et al. in [24] designed two secure ternary federated learning protocols against semi-honest adversaries based on threshold secret sharing and homomorphic encryption respectively. In the first protocol, threshold secret sharing is used to share all local gradient vectors in all iterations, which causes expensive computation and communication overhead. Besides, the limitation of their second protocol is that all clients use the same secret key and if the server colludes with a client then it can obtain all clients' models. In [25], Fang et al. modified the traditional ElGamal protocol into a double-key encryption version to design a new scheme for federated learning with privacy preservation in cloud computing. Nevertheless, the scheme has to solve the discrete logarithm problem as [18]. The study in [26] combined additively homomorphic encryption with differential privacy but cannot tolerate client dropouts. Their system creates significant run-time overheads which makes it impractical for real-world federated learning applications. Functional encryption and differential privacy are utilized in [27] to design the HybridAlpha scheme. However, HybridAlpha relies on a trusted party that holds the master keys. The proposed scheme in [28] replaced the complete communication graph in [20] with a k-regular graph of the logarithmic degree to reduce the communication cost while maintaining the security guarantees; however, each client shares its secret across only a subset of parties, and thus the dropout-resilience is downgraded.
Considering the integrity of the global model besides the privacy preservation of the local data and models, the proposed approach in [29] combined the Paillier additive homomorphic and verifiable computation primitives. The scheme in [29] can verify the correctness of the aggregated model given the fact that every client provides their genuine local models. From the perspective of privacy preservation, the scheme can only tolerate a weaker threat model. No collusion among the server and clients participating in the federated learning protocol was assumed as the keys (sk, pk) necessary for the homomorphic encryption and the signatures are generated by one of the clients and shared among all clients. In the work [17], to deal with the problem of collusion in [29], adding Gaussian noise to the local models before homomorphic encryption was proposed. However, the standard variation of the additive Gaussian noise must be small to not destroy the genuine local models, resulting in the fact that the added noise protection is not able to provide a high level of differential privacy (ε is not small, i.e., less than 1).
The power grid scenario of false data injection attack detection based on federated learning in smart grids has been studied in [30], [31], [32]. The investigated power grid scenario is similar in these papers and in the proposed scheme. For example, in [30] an independent power system state owner (PSSO) and a detection service provider (DSP) correspond to an independent transmission grid company (TGC) and a system operator (SO) in the proposed scheme. The power grid scenario fits with the investigated cross-silo federated learning setting (e.g., the number of parties (PSSOs/TGCs) is small and each party is facilitated with high-performance computing). However, [30], [31] only apply federated learning and do not consider the security problem of local data privacy leakage from local models as in [32] and our proposed scheme. The scheme in [32] enhanced privacy by utilising Paillier-based homomorphic encryption for secure model aggregation, but only resolved a weak security model where there is no collusion among the server and the clients participating in the federated learning. All clients have to share a common pair of public key and secret key for encryption/decryption and a trusted party is required to generate this key pair.
A privacy-preserving federated learning approach needs to be efficient in computation and communication while providing strong privacy preservation and desirable model utility. Most of the related works focus on the basic problem of secure aggregation with the main approaches based on secure multiparty computation, homomorphic encryption, and differential privacy. In spite of some achievements in secure aggregation and privacy-preserving federated learning, there are still drawbacks. The majority of proposed schemes in literature either require a trusted third party to compute master secret keys or all local parties share a common secret key or non-colluded server settings. This means these works guarantee privacy in weaker security models (e.g., no collusion).
The proposed scheme does not require a trusted dealer to provide each participant with a secret key as the schemes in [18], [19], [27], [32] do. While the schemes in [18], [25] require computing the discrete logarithm, our scheme removes that complexity by utilizing the encryption-decryption based on the Decisional Composite Residuosity assumption. Moreover, both of the approaches in [18] and [19] only deal with secure aggregation of scalars over periods of time, not the secure weighted aggregation of model vectors over multiple iterations of federated learning. The dropout and rejoining problems were not investigated in these works either. Although eliminating the drawbacks in [18], [19], the schemes in [20], [28] suffer higher computation overhead than the proposed approach and do not address federated learning with secure weighted aggregation. Other systems in [22], [23] depend on multiple non-colluded server settings, which is not required with our scheme. The systems in [21], [24], [29], [32] cannot tolerate the risk of revealing all clients' models when there is a collusion between the server and a client as our protocol. The study in [26] cannot resolve client dropouts. Their system creates significant run-time overheads, making it impractical for real-world federated learning applications. Our scheme is resilient to dropouts and provides efficient performance for real applications, such as privacy-preserving federated learning false data injection detection.
To summarize, Table 1 gives a comparison of our scheme with related works regarding the application scenario of FDIA federated learning with secure weighted aggregation (A1, A2) and different security/privacy properties (A3-A8). Only three recent works [30], [31], [32] studied the FDIA federated learning. Most of the related works do not provide all security properties A3-A8. Only the studies in [20] and [28] filtered from Table 1 satisfy all security/properties as the proposed approach. Table 2 compares the computation and communication complexity between these two studies [20], [28] and the proposed scheme. From Table 1 and Table 2, it can be seen that the proposed scheme guarantees privacy
in a stronger security model and at a lower computational overhead than the related works.

TABLE 1: Comparison of our scheme with related works. A1. FDIA federated learning, A2. Secure weighted model aggregation, A3. No trusted dealer to generate and distribute secret keys, A4. No non-colluded server setting, A5. Collusion resistance, A6. Dropouts/Rejoins handling, A7. No discrete logarithm problem solving, A8. Privacy-security trade-off

Work   A1    A2    A3    A4    A5    A6    A7    A8
[14]   ×     ×     ✓     ✓     ✓     ×     ✓     ×
[15]   ×     ×     ✓     ✓     ✓     ×     ✓     ×
[16]   ×     ×     ✓     ✓     ✓     ×     ✓     ×
[17]   ×     ×     ✓     ✓     ✓     ×     ✓     ×
[18]   ×     ×     ×     ✓     ✓     ×     ×     ✓
[19]   ×     ×     ×     ✓     ✓     ×     ✓     ✓
[20]   ×     ×     ✓     ✓     ✓     ✓     ✓     ✓
[21]   ×     ✓     ×     ✓     ×     ✓     ✓     ✓
[22]   ×     ×     ✓     ×     ×     ×     ✓     ✓
[23]   ×     ×     ✓     ×     ×     ✓     ✓     ✓
[24]   ×     ×     ×     ✓     ×     ✓     ✓     ✓
[25]   ×     ×     ✓     ✓     ✓     ✓     ×     ✓
[26]   ×     ×     ×     ✓     ✓     ×     ✓     ✓
[27]   ×     ×     ×     ✓     ✓     ✓     ✓     ✓
[28]   ×     ×     ✓     ✓     ✓     ✓     ✓     ✓
[29]   ×     ×     ×     ✓     ×     ✓     ✓     ✓
[30]   ✓     ×     n/a   n/a   n/a   n/a   n/a   n/a
[31]   ✓     ×     n/a   n/a   n/a   n/a   n/a   n/a
[32]   ✓     ×     ×     ✓     ×     ✓     ✓     ✓
Our    ✓     ✓     ✓     ✓     ✓     ✓     ✓     ✓

3 PRELIMINARIES
3.1 Notations and definitions
Column vectors are denoted by lower-case bold letters, like $\mathbf{v}$. The i-th entry of the vector $\mathbf{v}$ is $v_i$. $\mathbf{v}^T$ is the transpose of the column vector $\mathbf{v}$. The zero-vector is represented by $\mathbf{0}$. Given a set $S$, $x \leftarrow_\$ S$ indicates that $x$ is sampled uniformly at random from $S$. The notion $[k]$ represents the set $\{0, 2, \cdots, k - 1\}$. The computational indistinguishability of two distributions $H_0$ and $H_1$ is denoted by $H_0 \cong H_1$. Table 3 lists the notions used in this paper.

3.2 Federated Learning
Federated learning is a machine learning scheme where multiple clients collaborate in generating a shared machine learning model, under the coordination of a central server. Each client's raw data is stored locally and not transmitted; instead, their local model parameters are sent to the server for aggregation to achieve the learning objective. Cross-silo federated learning is the federated learning setting when clients are different organizations or geo-distributed data centres that have the incentive to train a shared model on the union of their siloed data [13].
Several algorithms have been proposed for federated learning. In this work, we utilize FedAvg [1], which is the original federated learning aggregation mechanism and is commonly applied in related works. In FedAvg, the global model parameters are updated by summing the weighted local model parameters $w = \sum_{i=1}^{k} \frac{n_i}{n} \cdot w_i$.

3.3 Shamir Secret sharing
(t, n) Shamir secret sharing scheme [33] creates k shares $\{s^{(1)}, \cdots, s^{(n)}\}$ of a secret $s$ such that $s$ can be efficiently reconstructed by any combination of $t$ data pieces but cannot by any set of less than $t$ data pieces. $s, s^{(1)}, \cdots, s^{(n)}$ are the elements in a finite field $\mathbb{Z}_p$ for some large prime $p$ where $0 < t \le n < p$. The scheme works as follows:
• Setup: The secret holder randomly chooses $a_1, \cdots, a_{t-1}$ from $\mathbb{Z}_p$ and $a_0 = f(0) = s$ to define a polynomial of degree $t - 1$:
$$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1} \bmod p$$
• Sharing: The secret holder computes $s^{(i)} = f(i)$ for $i \in \{1, 2, \cdots, n\}$, and sends $(i, s^{(i)})$ to the corresponding participants $i$.
• Reconstructing: Given any $t$ of $(i, s^{(i)})$ pairs, a user is able to reconstruct the secret
$$s = a_0 = \sum_{j=1}^{t} s^{(j)} \cdot \prod_{m=0, m \neq j}^{t} \frac{x_m}{x_m - x_j} \bmod p$$

3.4 Decisional Composite Residuosity Assumption
Let $N = p \cdot q$ for two large primes $p$ and $q$. The Decisional Composite Residuosity (DCR) assumption [34] states that the advantage of a distinguisher $D$, defined as the distance:
$$\mathrm{Adv}^{DCR}_{D} := \left| \Pr[D(y, N) = 1 \mid y = x^N \bmod N^2,\ x \leftarrow_\$ \mathbb{Z}^*_N] - \Pr[D(y, N) = 1 \mid y \leftarrow_\$ \mathbb{Z}^*_{N^2}] \right|$$
where probabilities are taken over all coin tosses, is a negligible function.

3.5 False data injection attacks
False data injection attacks (FDIAs) are designed by manipulating some measurements to circumvent the residual-based bad data detection in a power management system [8], [9], [35]. Various algorithms have been designed to detect these attacks using new techniques instead of the residual-based bad data detection mechanism. One example is the deep learning network to model the spatial-temporal relationship between bus and line measurements in [36].

4 PROPOSED PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING
4.1 System model and overview of the proposed privacy-enhancing cross-silo federated Learning
Consider a system with $k$ local parties and an aggregator server. Each local party owns its private dataset $D_i$,
TABLE 2: Comparison of secure aggregation among [20] [28] and ours. k is the number of local parties/clients. L is the length of the clients' model vector. τ is the Shamir Secret sharing threshold.

                                  [20]              [28]                          Ours
Computation overhead     Server   O(L · k^2)        O(L · k log k + k log^2 k)    O(L + [k^2])
                         Client   O(L · k + k^2)    O(L · log k + log^2 k)        O(L + [τ · k])
Communication overhead   Server   O(L · k + k^2)    O(L · k + k log^2 k)          O(L · k + [k^2])
                         Client   O(L + k)          O(L + log^2 k)                O(L + [k])
used to reconstruct the secret, but any set of at most $\tau - 1$ shares gives no information. Each party creates $k$ shares of its secret $s_i^{(t)}$, keeps one share and sends each of the $k - 1$ remaining shares to a different party. At each iteration $t$, after receiving the ciphertexts, the aggregator broadcasts the set of alive parties $U_a^t$ and the set of the dropped parties $U_d^t = U \setminus U_a^t$. If $U_a^t = U$ then we have $\sum_{i \in U_a^t} v_i^{(t)} = 0$; but, if $U_a^t \subset U$ then the sum $\sum_{i \in U_a^t} v_i^{(t)}$ needs to be recovered. Alive parties send their shares $s_d^{(t,i)}$ of a dropped party $P_d$ to the aggregator. Thanks to the $\tau$-out-of-$k$ Shamir threshold secret sharing scheme, the share $s_d^{(t)}$ can be recovered by the aggregator as long as the aggregator receives at least $\tau$ secret shares $s_d^{(t,i)}$. Having $s_d^{(t)}$, the aggregator can compute $v_d^{(t)}$ and obtain $\sum_{i \in U_d^t} v_i^{(t)}$ as the master key of the second encryption layer to obtain the sum $\sum_{j \in U_a^t} sk_j^{(t)}$. Because the sum $\sum_{j \in U_a^t} sk_j^{(t)}$ is the master key of the first encryption layer, it helps to get the sum $\sum_{j \in U_a^t} x_j^{(t)}$.

4.2.3 Handling rejoining
Assume that the secret $s_d^{(t-1)}$ of a dropped party $P_d$ was revealed to the aggregator. If $P_d$ rejoins the current iteration, which is the $t$-th iteration, $P_d$ has to create a new secret $s_d^{(t)}$. For this case, the party $P_d$ needs to send its updated public key $pk_d^{(t)} = g^{s_d^{(t)}}$ to the aggregator, then creates and shares Shamir's shares of its updated secret $s_d^{(t)}$. The aggregator broadcasts the updated set of public keys and the set of rejoining parties. Rejoining parties $P_r$ update the seeds $s_{r,i}^{(t)} = (pk_i^{(t)})^{s_r^{(t)}}$ shared with all other parties and compute their updated secret $v_r^{(t)}$. Other parties $P_i$ update the seeds $s_{i,r}^{(t)} = (pk_r^{(t)})^{s_i^{(t)}}$ shared with the rejoining parties and also calculate their updated secret $v_i^{(t)}$.

Algorithm 1 Proposed privacy-enhancing cross-silo federated learning algorithm
Input:
  $T$: Maximum number of rounds, $k$: the number of clients selected in each round, $N_{epoch}$: the number of local epochs, and $\eta$: the local learning rate, $pp$: public parameters
Output:
  Global model $w_G$
Processing:
[Server-side]
 1: Initialize $w_G^{0}$
 2: for each round $t$ from 1 to $T$ do
 3:   $U_t$ contains $k$ clients
 4:   for each client $i \in U_t$ in parallel do
 5:     $C_i^{(t)} \leftarrow$ LocalTraining($i$, $w_G^{(t)}$, $t$)
 6:   end for
 7:   $y^{(t+1)}, n^{(t)} \leftarrow$ Dec($pp$, $\{C_i^{(t)}\}_{i \in U_a^t}$)
 8:   $w_G^{(t+1)} = \frac{1}{n^{(t)}} \cdot$ Decode($y^{(t+1)}$)
 9: end for
[Client-side: Party $P_i$]
LocalTraining($i$, $w$, $t$):
10: Divide local dataset $D_i^{(t)}$ for round $t$ into batches; $B_i^{(t)}$ denotes the set of the batches.
11: for each epoch $j$ from 1 to $N_{epoch}$ do
12:   for each batch $b \in B_i^{(t)}$ do
13:     $w_i^{(t)} \leftarrow w_i^{(t)} - \eta \nabla L(w_i^{(t)}; b)$
14:   end for
15: end for
16: $z_i^{(t)} \leftarrow n_i^{(t)} \cdot w_i^{(t)}$
17: $x_i^{(t)} \leftarrow$ Encode($z_i^{(t)}$)
18: $C_i^{(t)} \leftarrow$ Enc($pp$, $x_i^{(t)}$, $n_i^{(t)}$, $t$)
19: return $C_i^{(t)}$
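The τ-out-of-k recovery of a dropped party's secret described above, following the Setup/Sharing/Reconstructing steps of Section 3.3, as an added Python example that is not code from the paper. The prime, the base G, the use of one prime for both the Shamir field and the public key, and the final check of the reconstructed secret against the published key pk_d = g^{s_d} are assumptions of this sketch.

```python
import secrets

# Constructed parameters: one prime serves as both the Shamir field and the
# modulus for pk = g^s (an assumption made to keep the example small).
P = 2**127 - 1
G = 5


def make_shares(secret, tau, k, p=P):
    """Split `secret` into k shares; any tau of them recover it."""
    if not (0 < tau <= k < p) or not (0 <= secret < p):
        raise ValueError("need 0 < tau <= k < p and secret in Z_p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(tau - 1)]

    def f(x):  # Horner evaluation of the degree tau-1 polynomial
        acc = 0
        for a in reversed(coeffs):
            acc = (acc * x + a) % p
        return acc

    return {i: f(i) for i in range(1, k + 1)}  # share i goes to party P_i


def reconstruct(shares, tau, p=P):
    """Lagrange interpolation at x = 0 over the first tau (index, share) pairs."""
    if len(shares) < tau:
        raise ValueError(f"only {len(shares)} shares, threshold is {tau}")
    points = list(shares.items())[:tau]
    secret = 0
    for x_j, y_j in points:
        num, den = 1, 1
        for x_m, _ in points:
            if x_m != x_j:
                num = num * x_m % p
                den = den * (x_m - x_j) % p
        secret = (secret + y_j * num * pow(den, -1, p)) % p
    return secret


def recover_dropped_secret(shares_from_alive, tau, pk_d):
    """Aggregator side: rebuild s_d, then check it against the published key."""
    s_d = reconstruct(shares_from_alive, tau)
    if pow(G, s_d, P) != pk_d:
        raise ValueError("reconstructed secret does not match pk_d")
    return s_d


if __name__ == "__main__":
    k, tau, dropped = 5, 3, 4                 # constructed scenario: P_4 drops out
    s_d = secrets.randbelow(P - 1) + 1
    pk_d = pow(G, s_d, P)                     # published at establishment
    shares = make_shares(s_d, tau, k)
    alive = {i: sh for i, sh in shares.items() if i != dropped}
    print("recovered:", recover_dropped_secret(alive, tau, pk_d) == s_d)
```

The public-key comparison lets the aggregator reject a reconstruction built from a corrupted share instead of silently deriving a wrong mask from it.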
pre-computed hash functions. The third one is to limit the number of times of creating and transmitting the secrets $s_i^{(t)}$ in the Shamir secret sharing scheme. This is effectively performed by designing a double-layer encryption scheme where the secret keys $sk$ of the first layer are used for only one iteration and the secret keys $v$ of the second layer can be used for multiple iterations. Shamir's secret sharing for the secrets $s$ is only implemented at the establishment phase and in the iterations when parties rejoin. Besides, only rejoining parties $P_r$ generate new key pairs and transmit their new public keys $pk_r^{(t)} = g^{s_r^{(t)}}$.

4.3 Description of the proposed protocol
Algorithm 1 describes the overall steps of the proposed privacy-enhancing cross-silo federated learning from the client side and the server side.

two hash functions, $G$ is the learning network and $T$ is the number of federated learning iterations. The sub-protocol $\pi_0$ generates the secrets $v^{(0)}$ as follows:

Sub-protocol $\pi_0$
1. The aggregator chooses and publishes a $\lambda$-bit prime, $p$, where $\lambda$ is the security parameter, and $g$ is the generator of $\mathbb{Z}^*_p$
2. Each $P_i$ uniformly samples $s_i^{(0)} \leftarrow_\$ \mathbb{Z}^*_p$ and sends $pk_i^{(0)} = g^{s_i^{(0)}}$ to the aggregator who then broadcasts the set of all public keys to all parties
3. Each pair of clients $(P_i, P_j)$ computes a common pairwise seed $\gamma_{i,j}^{(0)}$:
$$\gamma_{j,i}^{(0)} = (pk_i^{(0)})^{s_j^{(0)}} = (pk_j^{(0)})^{s_i^{(0)}} = \gamma_{i,j}^{(0)} \quad (1)$$
Epoch t: messages between each party $P_i$ ($i = 1, \cdots, k$) and the aggregator A
• $P_i$ sends the updated public key $pk_i$ to the aggregator.
3. A creates $U_r^t$.
• $P_i$ sends $C_i^{(t)}$ to the aggregator.
6. A creates $U_a^t$ and $U_d^t$.
[7]. If $U_a^t \subset U$ then: A broadcasts $U_d^t$.
[8]. $P_i$ sends shares $\{s_d^{(t,i)}\}_{d \in U_d^t}$ to the aggregator.
[9]. A.ReconstructSecrets($U_d^t$) → $\{s_d^{(t)}, v_d^{(t)}\}$
10. A.ComputeMSK($\{\beta_i^{(t)}\}_{i \in U_a^t}$, $\{v_j^{(t)}\}_{j \in U_d^t}$) → $msk^{(t)}$
11. A.Eval($\{\alpha_i^{(t)}\}_{i \in U_a^t}$, $msk^{(t)}$) → $n^{(t)}$
    A.Eval($\{c_{i,j}^{(t)}\}_{i \in U_a^t}$, $msk^{(t)}$) → $y_j^{(t+1)}$
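The aggregator's ComputeMSK and Eval steps from the exchange above, including the dropout correction, as an added Python example that is not the authors' implementation. The toy moduli, the SHA-256 stand-in for H1/H2, the first-layer ciphertext form and the pairwise rule that makes the masks sum to zero are assumptions chosen to agree with Eqs. (1), (19), (20) and (22)-(25); the page does not give them.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters; a real deployment uses large secret primes.
N1 = 1009 * 1013        # first-layer modulus: carries the weighted model entries
N2 = 1019 * 1021        # second-layer modulus: carries the one-round keys sk_i
P, G = 2**61 - 1, 3     # prime and base for the pairwise seeds of Eq. (1)


def hash_to_unit(label, n):
    """Stand-in for H1/H2: hash a label to an invertible element mod n^2."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{label}|{ctr}".encode()).digest()
        h = int.from_bytes(digest, "big") % (n * n)
        if h > 1 and gcd(h, n) == 1:
            return h
        ctr += 1


def zero_sum_masks(dh_secret):
    """Assumed mask rule: v_i = sum_{j>i} g_ij - sum_{j<i} g_ij, so sum_i v_i = 0."""
    pk = {i: pow(G, s, P) for i, s in dh_secret.items()}
    masks = {}
    for i, s_i in dh_secret.items():
        v = 0
        for j in pk:
            if j != i:
                seed = pow(pk[j], s_i, P)   # Eq. (1): same value on both sides
                v += seed if j > i else -seed
        masks[i] = v
    return masks


def encrypt(n_i, x_i, sk_i, v_i, t):
    """Client side. (1+N)^m mod N^2 equals 1 + m*N, used directly below."""
    sq1, sq2 = N1 * N1, N2 * N2
    alpha = (1 + n_i * N1) * pow(hash_to_unit("H1|L", N1), sk_i, sq1) % sq1
    c = [(1 + x * N1) * pow(hash_to_unit(f"H1|{j}", N1), sk_i, sq1) % sq1
         for j, x in enumerate(x_i)]
    beta = (1 + sk_i * N2) * pow(hash_to_unit(f"H2|{t}", N2), v_i, sq2) % sq2
    return alpha, c, beta


def compute_msk(betas, dropped_masks, t):
    """Eq. (25), extended with the dropped parties' masks when U_a is a strict subset."""
    sq2 = N2 * N2
    prod = 1
    for b in betas:
        prod = prod * b % sq2
    # Alive masks sum to -(sum of dropped masks); cancel what is left over.
    prod = prod * pow(hash_to_unit(f"H2|{t}", N2), sum(dropped_masks), sq2) % sq2
    return (prod - 1) % sq2 // N2           # plain division, no discrete logarithm


def evaluate(cts, label, msk):
    """Eq. (19)/(20): strip H1(label)^msk from the product and read the sum."""
    sq1 = N1 * N1
    prod = 1
    for ct in cts:
        prod = prod * ct % sq1
    prod = prod * pow(hash_to_unit(label, N1), -msk, sq1) % sq1
    return (prod - 1) % sq1 // N1


def run_round(dropped=(), t=1):
    """One aggregation round over constructed data; returns (n, y, msk_ok)."""
    n = {1: 120, 2: 80, 3: 200, 4: 100}                       # sample counts n_i
    w = {1: [10, 20], 2: [30, 40], 3: [50, 60], 4: [70, 80]}  # integer-encoded weights
    dh_secret = {i: secrets.randbelow(P - 2) + 1 for i in n}
    v = zero_sum_masks(dh_secret)
    sk = {i: secrets.randbelow(2**16) + 1 for i in n}         # fresh every round
    alive = [i for i in n if i not in dropped]
    msgs = {i: encrypt(n[i], [n[i] * x for x in w[i]], sk[i], v[i], t) for i in alive}
    # In the protocol v_d is recomputed from the Shamir-reconstructed secret s_d.
    msk = compute_msk([m[2] for m in msgs.values()], [v[d] for d in dropped], t)
    total_n = evaluate([m[0] for m in msgs.values()], "H1|L", msk)
    y = [evaluate([m[1][j] for m in msgs.values()], f"H1|{j}", msk)
         for j in range(len(w[1]))]
    return total_n, y, msk == sum(sk[i] for i in alive)


if __name__ == "__main__":
    print(run_round())              # all four parties alive
    print(run_round(dropped=(3,)))  # party 3 dropped after key setup
```

Dividing each entry of y by n gives the FedAvg-weighted global model; the toy bounds keep the sum of the sk_i below N2 and every aggregate below N1 so the integer divisions are exact.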
Having $msk^{(t)}$, the aggregator can compute the global model:
$$n^{(t)} = \frac{\left(\prod_{i \in U_a^t} \alpha_i^{(t)}\right) \cdot H_1(L)^{-msk^{(t)}} - 1 \bmod N_1^2}{N_1} \quad (19)$$
$$y_j^{(t+1)} = \frac{\left(\prod_{i \in U_a^t} c_{i,j}^{(t)}\right) \cdot H_1(j)^{-msk^{(t)}} - 1 \bmod N_1^2}{N_1} \quad (20)$$
$$w_j^{(t+1)} = \frac{1}{n^{(t)}} \cdot \mathrm{Decode}(y_j^{(t+1)}), \quad (j \in [L]) \quad (21)$$
Then, the aggregator sends the global model $w^{(t+1)} = \{w_j^{(t+1)}\}_{j \in [L]}$ to all local parties for the next epoch $t + 1$.

5 ANALYSIS OF THE PROPOSED SCHEME
5.1 Correctness
• If $U_a^t = U$:
$$\prod_{i \in U_a^t} \beta_i^{(t)} = \prod_{i \in U_a^t} (1 + N_2)^{sk_i^{(t)}} \cdot H_2(t)^{v_i^{(t)}} \bmod N_2^2 = (1 + N_2)^{\sum_{i \in U_a^t} sk_i^{(t)}} \cdot H_2(t)^{\sum_{i \in U_a^t} v_i^{(t)}} \bmod N_2^2 \quad (22)$$
Besides, from (2, 12), we have:
$$\sum_{i \in U} v_i^{(t)} = 0 \quad (23)$$
Thus,
$$\prod_{i \in U_a^t} \beta_i^{(t)} = (1 + N_2)^{\sum_{i \in U_a^t} sk_i^{(t)}} \bmod N_2^2 \quad (24)$$
From (17):
$$msk^{(t)} = \frac{\prod_{i \in U_a^t} \beta_i^{(t)} - 1 \bmod N_2^2}{N_2} = \frac{(1 + N_2)^{\sum_{i \in U_a^t} sk_i^{(t)}} \bmod N_2^2 - 1 \bmod N_2^2}{N_2} = \frac{\left(1 + \sum_{i \in U_a^t} sk_i^{(t)} \cdot N_2\right) \bmod N_2^2 - 1 \bmod N_2^2}{N_2} = \sum_{i \in U_a^t} sk_i^{(t)} \bmod N_2^2 \quad (25)$$
From (25):
• If $U_a^t \subset U$: Based on the Shamir threshold secret sharing scheme, the aggregator can reconstruct all the secrets $s_d^{(t)}$ of dropped parties as long as the aggregator receives at least $\tau$ shares of each $s_d^{(t)}$. From that, the
is $[k \cdot l_{pk}] + L \cdot l_p$, or $O(L + [k])$; the upload cost (i.e., sending messages) is $[(k-1) \cdot l_{ss}] + [k_d \cdot l_{ss}] + (l_{e1} + l_{e2} + L \cdot l_{e1}) < [(2k-1) \cdot \lambda] + (l_{e1} + l_{e2} + L \cdot l_{e1})$ (with $l_{pk} = l_{ss} = \lambda$), or $O(L + [k])$.

TABLE 5: Communication overhead of each local party and the aggregator at the establishment phase and each iteration. The expressions in [] are included when dropouts/rejoins happen.

b. Communication cost of the aggregator

The communication cost of the aggregator at the establishment phase consists of receiving the $k$ public keys of the $k$ parties, resulting in $k \cdot l_{pk}$, which is $O(k)$.

The communication cost of the aggregator at an iteration can be broken into the following main parts: 1- receiving $k_r$ updated public keys, which is $k_r \cdot l_{pk}$; 2- sending the updated set of public keys to $k$ parties, which is $k \cdot k \cdot l_{pk}$; 3- receiving secret shares of the dropped parties from the alive parties, which costs at most $(k - k_d) \cdot k_d \cdot l_{ss}$; 4- receiving $k - k_d$ encrypted messages, which is $(k - k_d) \cdot (l_{e1} + l_{e2} + L \cdot l_{e1})$; and 5- sending the aggregate model to each local party, which is $k \cdot L \cdot l_p$. Thus, the communication cost of the aggregator at an iteration is as follows: the upload cost is $[k^2] + k \cdot L \cdot l_p$, or $O(L \cdot k + [k^2])$; the download cost is $[k_r \cdot l_{pk}] + [(k - k_d) \cdot k_d \cdot l_{ss}] + k \cdot (l_{e1} + l_{e2} + L \cdot l_{e1}) - [k_d \cdot (l_{e1} + l_{e2} + L \cdot l_{e1})] < [k \cdot l_{pk}] + [k^2/4 \cdot l_{ss}] + k \cdot (l_{e1} + l_{e2} + L \cdot l_{e1}) = [(\frac{k^2}{4} + k) \cdot \lambda] + k \cdot (l_{e1} + l_{e2} + L \cdot l_{e1})$, resulting in $O(L \cdot k + [k^2])$.

6 PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING FDIA DETECTION IN SMART GRIDS

Consider a multi-area grid of $k$ non-overlapping areas managed by $k$ independent transmission grid companies (TGCs). There is a system operator (SO) who takes care of the interconnection areas and coordinates operations. Each TGC $P_i$ owns a private local dataset $D_i$, $i \in \{1, \cdots, k\}$, with $n_i = |D_i|$ samples and has communication lines with the SO and other TGCs.

For FDIA detection in smart grids, the federated learning approach is superior to the centralised one in terms of data privacy protection and communication overhead. From a data privacy protection viewpoint, the private data of each local party are not transmitted outside of federated learning, while in a centralized approach all these data have to be uploaded to a central server, which exposes them to more security threats. From a communication overhead perspective, in federated learning, local models are transmitted to the centre instead of raw measurement data. This also helps reduce communication overhead because the size of the models is often much smaller than that of the raw measurement data.

An honest-but-curious adversarial model is considered. Adversaries are assumed to be honest but curious in the sense that they follow the protocol but can use the available transcripts to learn extra information that should remain private. Good FDIA detection results, which support security operations and power management, are in the common interest of all parties, so it is reasonable that they are incentivised to follow the protocol to achieve the best output. However, some parties might be motivated to conspire with each other to infer private training data samples of a target party for some business benefit. In the context of the above-proposed system model, a semi-honest adversary is an adversary that controls the SO and a set of colluding TGCs.

To model the spatial-temporal relationship between bus and line measurements, a network architecture modified from the method in [36] is trained for FDIA detection, as shown in Fig. 2. The model in Fig. 2 is used to detect false data injection attacks in transmission power grids. In the training stage, the model is securely trained by the proposed privacy-enhancing cross-silo federated learning framework. The trained global model is then distributed to each participant/sub-grid. In the test stage, each sub-grid uses the trained global model to detect FDIAs individually. Time-series bus measurements $Z^b_{t_i}$ and transmission line measurements $Z^l_{t_i}$ are fed into the model, which captures the spatial-temporal relationship between bus and line measurements. The model outputs the likelihood of FDIAs in the current sub-grid. The details of the network parameters are summarised in Table 6 and Table 7.

TABLE 6: Parameters for layers of the network in Fig. 2

| Layer | Kernel Size | Kernel Numbers | Batch Normalization | Activation Function |
|---|---|---|---|---|
| $f_{1-b}^{c-n-a}$ | 1 × 3 | 12 | Yes | ELU |
| $f_{1-l}^{c-n-a}$ | 1 × 3 | 12 | Yes | ELU |
| $f_{2-b}^{c-n-a}$ | 1 × 12 | 4 | Yes | ELU |
| $f_{2-l}^{c-n-a}$ | 1 × 12 | 4 | Yes | ELU |
| $f_{3-bl}^{c-n-a}$ | $n_{bl}$ × 4 | $2n_{bl}$ | Yes | ELU |
| $f_{6-bl}^{l-a}$ | $4n_{bl}$ × 1 | 1 | no | sigmoid |

TABLE 7: Parameters for LSTM layers of the network in Fig. 2

| Layer | Input Size | Output Size |
|---|---|---|
| $f_{4-bl}^{LSTM}$ | $2n_{bl}$ | $2n_{bl}$ |
| $f_{5-bl}^{LSTM}$ | $2n_{bl}$ | $4n_{bl}$ |

With the above network architecture, the model trained for FDIA detection has 132743 parameters. The proposed privacy-enhancing cross-silo FDIA detection is based on the classical federated learning framework FedAvg [1] with the privacy protection part on top.
Fig. 2: The network architecture for FDIA detection in AC-model transmission power grids.
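The per-iteration communication-cost expressions of Section 5.3.2 can be evaluated directly for the setting used in the experiments (k = 4, λ = 2048, L = 132743, l_p = 64, ciphertext lengths 512 and 1024 bits). The following is an added example, not the authors' code; the function names, and the reading that every bracketed term is charged whenever any dropout or rejoin occurs, are assumptions.

```python
"""Communication-cost model (in bits) for one iteration, after Section 5.3.2."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    k: int      # number of local parties
    L: int      # length of the model vector
    l_pk: int   # bits per public key
    l_ss: int   # bits per secret share
    l_e1: int   # bits per first-layer ciphertext
    l_e2: int   # bits per second-layer ciphertext
    l_p: int    # bits per plaintext model parameter

    @property
    def enc_msg(self) -> int:
        """One party's encrypted update: l_e1 + l_e2 + L * l_e1."""
        return self.l_e1 + self.l_e2 + self.L * self.l_e1


# Experimental setting: lambda = l_pk = l_ss = 2048, l_p = 64, L = 132743, k = 4.
# l_e1 = 512 and l_e2 = 1024 are the values the paper's own calculation plugs in.
EXPERIMENT = Params(k=4, L=132743, l_pk=2048, l_ss=2048,
                    l_e1=512, l_e2=1024, l_p=64)


def _churn(p, k_d, k_r):
    """Validate the dropout/rejoin counts; True if bracketed terms apply."""
    if not (0 <= k_d <= p.k and 0 <= k_r <= p.k):
        raise ValueError("k_d and k_r must lie in [0, k]")
    # Assumption: any dropout or rejoin switches on all bracketed terms.
    return k_d > 0 or k_r > 0


def client_cost(p, k_d=0, k_r=0):
    """Bits one local party downloads/uploads in an iteration."""
    churn = _churn(p, k_d, k_r)
    download = p.L * p.l_p + (p.k * p.l_pk if churn else 0)
    upload = p.enc_msg + ((p.k - 1 + k_d) * p.l_ss if churn else 0)
    return {"download": download, "upload": upload}


def aggregator_cost(p, k_d=0, k_r=0):
    """Bits the aggregator downloads/uploads in an iteration."""
    churn = _churn(p, k_d, k_r)
    upload = p.k * p.L * p.l_p + (p.k * p.k * p.l_pk if churn else 0)
    download = (k_r * p.l_pk                    # updated public keys
                + (p.k - k_d) * k_d * p.l_ss    # shares of dropped parties
                + (p.k - k_d) * p.enc_msg)      # updates from alive parties
    return {"download": download, "upload": upload}


def client_upper_bounds(p):
    """Worst-case client costs: k * lambda + L * l_p and (2k - 1) * lambda + msg."""
    return {"download": p.k * p.l_pk + p.L * p.l_p,
            "upload": (2 * p.k - 1) * p.l_ss + p.enc_msg}


def aggregator_download_bound(p):
    """Worst case, using (k - k_d) * k_d <= k^2 / 4 and k_r <= k."""
    return p.k * p.l_pk + p.k ** 2 * p.l_ss / 4 + p.k * p.enc_msg


def required_mbps(bits, seconds):
    """Bandwidth needed to move `bits` within `seconds`."""
    return bits / seconds / 1e6


if __name__ == "__main__":
    print("client bounds      :", client_upper_bounds(EXPERIMENT))
    print("aggregator, steady :", aggregator_cost(EXPERIMENT))
    print("aggregator, 1 drop :", aggregator_cost(EXPERIMENT, k_d=1))
    up = client_upper_bounds(EXPERIMENT)["upload"]
    print("client upload at 1 s/iteration: %.1f Mbps" % required_mbps(up, 1.0))
```

For this setting the aggregator, which the paper's worked numbers do not cover, moves about 34 Mbits up and 272 Mbits down in an iteration without dropouts, so its link rather than a client's is the one to size first.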
7 EMPIRICAL EVALUATION

This section demonstrates the utility and efficiency of the proposed cross-silo privacy-enhancing federated learning. In the following, we describe the measurement dataset and the transmission power grid system, which includes several sub-grids controlled by local TGCs and an SO who coordinates the federated learning process. Following that are the training/testing setting and a discussion of the performance in terms of accuracy, training time and inference time.

7.1 Description of datasets

7.1.1 Transmission power grid test set

A transmission power grid, '1-HV-mixed--0-no_sw', from the benchmark dataset SimBench [39] was used to evaluate the FDIA detection. This power grid contains 64 buses, 58 loads, and 355 measurements, with more details shown in Table 8. This power grid is divided into four sub-grids, with each sub-grid containing 16 buses, summarised as follows:

• sub-grid S1 contains buses 62, 26, 130, 44, 94, 104, 74, 48, 106, 50, 12, 54, 52, 0, 56, 34,
• sub-grid S2 contains buses 64, 100, 128, 68, 110, 112, 126, 66, 122, 98, 124, 102, 38, 96, 116, 120,
• sub-grid S3 contains buses 92, 22, 84, 14, 20, 76, 132, 18, 114, 4, 80, 90, 42, 40, 82, 28, and
• sub-grid S4 contains buses 32, 2, 36, 70, 72, 108, 46, 78, 16, 86, 118, 24, 58, 88, 60, 30.

For each sub-grid, the bus measurements consist of active/reactive power injections and bus voltage magnitude, denoted by $z^b_{t_k} \in \mathbb{R}^{n_b \times 3}$ at time $t_k$; and the line measurements consist of active/reactive power flows and line electrical current, denoted by $z^l_{t_k} \in \mathbb{R}^{n_l \times 3}$ at time $t_k$.

TABLE 8: Details about the transmission power grid '1-HV-mixed--0-no_sw'.

| Component | Quantity | Explanation |
|---|---|---|
| Bus | 64 | all the buses are in service. |
| Load | 58 | |
| Static Generator | 103 | |
| Lines | 95 | all the lines are in service. |
| Transformer | 6 | |
| External grid | 3 | supply/generate power |
| Demand profiles | 35,136 | power profiles for one year |
| Measurements | 355 | bus active/reactive power injection, bus voltage magnitude, line active/reactive power flows, and line electrical current |

7.1.2 Normal and FDIA measurement data

The power grid '1-HV-mixed--0-no_sw' contains 35136 demand profiles, with one profile per 15 minutes for one year. To generate the datasets, which include the normal measurements and the FDIA measurements, the commercial software PowerFactory 2017 SP4¹, the open source software Pandapower², and the benchmark SimBench³ were utilised. The normal measurements were obtained by calculating the power flow using the commercial software PowerFactory 2017 SP4. The attacks were launched on a target bus by modifying either its voltage angle or voltage magnitude. All of these FDIA measurement samples have bypassed the residual-based data detection function of PowerFactory 2017 SP4.

¹ https://www.digsilent.de/en/powerfactory.html
² https://www.pandapower.org/
³ https://simbench.readthedocs.io/en/stable/about/installation.html

7.2 Training and testing setting

There are 35136 normal measurement samples and 35136 FDIA measurement samples, with normal measurement samples labelled 0 and FDIA samples labelled 1. In the training stage, 29952 normal samples and 29952 FDIA samples for the first 312 days are grouped as the training dataset; the other 5184 normal and FDIA samples for the remaining 54 days are used as the test dataset. In the federated learning training, the number of global epochs was set to 200, the number of local epochs was set to 5, the number of local batches was set to 48, and the sequence number for LSTM layers was set to 96. In each federated learning training round, 3 local sub-grids were randomly selected to collaboratively train the global model. The federated learning source code⁴ and the popular deep learning framework Pytorch-1.9.0⁵ were used to implement the proposed FDIA federated learning detection framework for model training and testing.

⁴ https://github.com/AshwinRJ/Federated-Learning-PyTorch
⁵ https://pytorch.org/docs/1.9.0/

Three commonly used metrics were applied to evaluate the accuracy of the FDIA detection, namely precision, recall, and F1 score, expressed by

$$\text{Precision} = \frac{N_{tp}}{N_{tp} + N_{fp}},$$

$$\text{Recall} = \frac{N_{tp}}{N_{tp} + N_{fn}},$$

$$F_1 = 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}},$$
where $N_{fp}$ indicates the number of false positives, $N_{tp}$ indicates the number of true positives, $N_{fn}$ indicates the number of false negatives, and $N_{tn}$ indicates the number of true negatives.

7.3 FDIA detection accuracy and time overhead

We have compared the performance of the proposed solution (i.e., the federated learning model trained on encrypted local models from each local dataset) with the centralized model trained on the whole plain dataset. The same model was trained, without the proposed encryption scheme, in the centralized way using the same hyperparameters as in Section 7.2. The results of the centralized trained model on the whole plain dataset are summarized in Table 9. Table 10 gives the FDIA detection accuracy of the FedAvg FDIA detection algorithm on the test dataset. As can be seen from Table 9 and Table 10, there is no big difference in the accuracy.

TABLE 9: Centralized trained FDIA detection accuracy

| Precision (%) | Recall (%) | F1 (%) |
|---|---|---|
| 98.515 | 97.261 | 97.884 |

TABLE 10: FedAvg FDIA detection accuracy

| Sub-grid | Precision (%) | Recall (%) | F1 (%) |
|---|---|---|---|
| S1 | 97.472 | 96.701 | 97.085 |
| S2 | 98.167 | 96.103 | 97.124 |
| S3 | 97.865 | 96.393 | 97.123 |
| S4 | 97.098 | 96.798 | 96.947 |

The privacy-enhancing FedAvg FDIA detection version has the same accuracy as the original FedAvg FDIA detection version. However, the average training time for each sub-grid, as well as for the whole system to get the weighted global model, is longer due to the complexity of the privacy protection added for secure weighted aggregation. The average training time is collected by evaluating the framework on a Linux system with each sub-grid using one Nvidia Tesla Volta V100-SXM2-32GB GPU.

Encryption parameters are set as: $\lambda = 2048$ (modulus $p$ in the sub-protocol $\pi_0$ is a 2048-bit prime), $l_1 = 256$ (modulus $N_1$ of the first encryption layer is a 256-bit integer), $l_2 = 512$ (modulus $N_2$ of the second encryption layer is a 512-bit integer), $l_p = 64$.

For each federated learning round, each TGC timed its own part, including the local model training part and the privacy protection part; the SO timed the section of obtaining the encrypted aggregation model and decrypting it. In Table 11 we provide the average computational time in seconds per global epoch (one federated learning round) of our proposed privacy-enhancing FDIA detection federated learning in a single-processing manner. The local model training part without privacy protection consumes around 233 seconds. The average extra time for the privacy protection part comprises 1- the time for the initial setting of the protection scheme, which is 16.41 seconds on average, 2- the computation time of local model protection, which happens at the client side at every federated learning round and is 12.35 seconds on average per client per round, and 3- the computation time of obtaining the encrypted aggregation model and decrypting it, which happens at the server side at every federated learning round and is 12.14 seconds on average per round.

TABLE 11: Average computational time in seconds per one global epoch in a single-processing manner

| Avg. TGC's time for model protection | Avg. SO's time for model aggregation and decryption |
|---|---|
| ∼ 12.35 seconds | ∼ 12.14 seconds |

To test the ability to accelerate the computation, the multiprocessing technique is implemented to partition the Single Instruction Multiple Data (SIMD) computations of the cryptographic operations over model vectors onto 4 CPUs. Table 12 illustrates the speed-up obtained by multiprocessing with 4 CPUs. The computation overhead of local model protection in each federated learning round with security on top is only 5.56 seconds, i.e., 2.38% compared to the 233 seconds of the underlying model without security. The total extra time of the privacy protection component running over 200 epochs of federated learning training is around 83 minutes in a single-processing manner, and around 36 minutes in a multi-processing manner with 4 CPUs. The implementation of our proposed scheme is well-suited for parallel computation. Thus, the extra computational time overhead incurred by our privacy-protection component could be significantly reduced by using more CPUs, either those that local transmission grid operators are equipped with or those available from the cloud at a very low price⁶.

⁶ https://aws.amazon.com/ec2/pricing/on-demand/

TABLE 12: Average computational time in seconds per one global epoch in a multi-processing manner with 4 CPUs

| Avg. TGC's time for model protection | Avg. SO's time for model aggregation and decryption |
|---|---|
| ∼ 5.56 seconds | ∼ 5.24 seconds |

From the communication analysis in Section 5.3.2, with the above encryption parameter setting for the experiment and a model vector of size $L = 132743$, the download cost of a client is less than $k \cdot \lambda + L \cdot l_p = 4 \cdot 2048 + 132743 \cdot 64 = 8503744$ bits ≈ 8.5 Mbits = 1 Mbyte, and the upload cost of a client is less than $[(2k - 1) \cdot \lambda] + (l_{e1} + l_{e2} + L \cdot l_{e1}) = (2 \cdot 4 - 1) \cdot 2048 + (512 + 1024 + 132743 \cdot 512)$ ≈ 68 Mbits = 8.5 Mbytes.

The model training is not a real-time process, thus we can afford more time for transmission, leading to a lower bandwidth. If 1 second per iteration is used for uploading data from a local party to the aggregator (resulting in 0.05 hours of uploading data from a local party to the aggregator in the whole training process with 200 epochs used in
the experiment), then the upload bandwidth requirement would be 68 Mbps. The network bandwidth for our campus office is 900 Mbps.

In the inference stage, each sub-grid uses the trained global model to detect FDIAs individually. Time-series bus measurements $Z^b_{t_i}$ and transmission line measurements $Z^l_{t_i}$ are fed into the model, which captures the spatial-temporal relationship between bus and line measurements. The model outputs the likelihood of FDIAs in the current sub-grid. Detecting FDIA given a trained model (i.e., inference) in the proposed scheme takes 6.7 milliseconds on average, which is fast for relevant smart grid operations, e.g., state estimation.

8 CONCLUSION

In this paper, we propose a cross-silo privacy-enhancing federated learning scheme which is secure in the honest-but-curious adversarial model. With the main techniques of secure multiparty computation based on double-layer encryption and secret sharing, the scheme is efficient in communication and computation overhead and robust against dropouts and rejoining. The scheme removes the requirement of computing discrete logarithms or of multiple non-colluding server settings, which are the limitations of some related works. In addition, the client's secret keys of the two encryption layers are generated by each party in a decentralized manner, which helps increase the level of privacy guarantee. We are also the first to design and empirically evaluate a practical and efficient privacy-enhancing cross-silo federated learning scheme resilient to local private data inference attacks for FDIA detection in the smart grid domain. The proposed scheme provides a framework which can be adapted to other domains. The security analysis and the empirical evaluation show that the proposed scheme achieves provable privacy against an honest-but-curious aggregator server colluding with some clients while providing desirable model utility in an efficient manner. In future work, we are going to investigate further adversarial models in various federated learning settings which are applicable to security in cyber-physical systems.

REFERENCES

[1] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, "Communication-efficient learning of deep networks from decentralized data," in Artificial intelligence and statistics. PMLR, 2017, pp. 1273–1282.
[2] M. Fredrikson, S. Jha, and T. Ristenpart, "Model inversion attacks that exploit confidence information and basic countermeasures," Proceedings of the ACM Conference on Computer and Communications Security, vol. 2015-Octob, pp. 1322–1333, 2015.
[3] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, "Stealing machine learning models via prediction APIs," in 25th USENIX security symposium (USENIX Security 16), 2016, pp. 601–618.
[4] B. Hitaj, G. Ateniese, and F. Perez-Cruz, "Deep models under the gan: information leakage from collaborative deep learning," in Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, 2017, pp. 603–618.
[5] Z. He, T. Zhang, and R. B. Lee, "Model inversion attacks against collaborative inference," ACM International Conference Proceeding Series, pp. 148–162, 2019.
[6] L. Melis, C. Song, E. De Cristofaro, and V. Shmatikov, "Exploiting unintended feature leakage in collaborative learning," in 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019, pp. 691–706.
[7] N. Carlini, C. Liu, Ú. Erlingsson, J. Kos, and D. Song, "The secret sharer: Evaluating and testing unintended memorization in neural networks," in 28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 267–284.
[8] G. Hug and J. A. Giampapa, "Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks," IEEE Transactions on Smart Grid, vol. 3, no. 3, pp. 1362–1370, 2012.
[9] G. Liang, J. Zhao, F. Luo, S. R. Weller, and Z. Y. Dong, "A review of false data injection attacks against modern power systems," IEEE Transactions on Smart Grid, vol. 8, no. 4, pp. 1630–1638, 2016.
[10] R. D. Christie, B. F. Wollenberg, and I. Wangensteen, "Transmission management in the deregulated environment," Proceedings of the IEEE, vol. 88, no. 2, pp. 170–195, 2000.
[11] F. Karmel, "Deregulation and reform of the electricity industry in australia," Australian Government-Department of Foreign Affairs and Trade, 2018.
[12] L. Sankar, "Competitive privacy: Distributed computation with privacy guarantees," 2013 IEEE Global Conference on Signal and Information Processing, GlobalSIP 2013 - Proceedings, pp. 325–328, 2013.
[13] K. et al., "Advances and open problems in federated learning," Foundations and Trends in Machine Learning, vol. 14, no. 1-2, pp. 1–210, 2021.
[14] C. Dwork and A. Roth, "The algorithmic foundations of differential privacy," Foundations and Trends in Theoretical Computer Science, vol. 9, no. 3-4, pp. 211–487, 2013.
[15] R. Shokri and V. Shmatikov, "Privacy-preserving deep learning," in Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, 2015, pp. 1310–1321.
[16] R. C. Geyer, T. Klein, and M. Nabi, "Differentially private federated learning: A client level perspective," arXiv preprint arXiv:1712.07557, 2017.
[17] A. G. Sébert, R. Sirdey, O. Stan, and C. Gouy-Pailler, "Protecting data from all parties: Combining fhe and dp in federated learning," arXiv preprint arXiv:2205.04330, 2022.
[18] E. Shi, T. H. H. Chan, E. Rieffel, R. Chow, and D. Song, "Privacy-preserving aggregation of time-series data," in Proc. NDSS, vol. 2. Citeseer, 2011, pp. 1–17.
[19] M. Joye and B. Libert, "A scalable scheme for privacy-preserving aggregation of time-series data," in International Conference on Financial Cryptography and Data Security. Springer, 2013, pp. 111–125.
[20] K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth, "Practical secure aggregation for privacy-preserving machine learning," Proceedings of the ACM Conference on Computer and Communications Security, pp. 1175–1191, 2017.
[21] J. Guo, Z. Liu, K.-Y. Lam, J. Zhao, and Y. Chen, "Privacy-enhanced federated learning with weighted aggregation," in International Symposium on Security and Privacy in Social Networks and Big Data. Springer, 2021, pp. 93–109.
[22] H. Corrigan-Gibbs and D. Boneh, "Prio: Private, robust, and scalable computation of aggregate statistics," in 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17), 2017, pp. 259–282.
[23] H. Fereidooni, S. Marchal, M. Miettinen, A. Mirhoseini, H. Möllering, T. D. Nguyen, P. Rieger, A.-R. Sadeghi, T. Schneider, H. Yalame et al., "Safelearn: Secure aggregation for private federated learning," in 2021 IEEE Security and Privacy Workshops (SPW). IEEE, 2021, pp. 56–62.
[24] Y. Dong, X. Chen, L. Shen, and D. Wang, "Eastfly: Efficient and secure ternary federated learning," Computers & Security, vol. 94, p. 101824, 2020.
[25] C. Fang, Y. Guo, N. Wang, and A. Ju, "Highly efficient federated learning with strong privacy preservation in cloud computing," Computers & Security, vol. 96, p. 101889, 2020.
[26] S. Truex, N. Baracaldo, A. Anwar, T. Steinke, H. Ludwig, R. Zhang, and Y. Zhou, "A hybrid approach to privacy-preserving federated learning," in Proceedings of the 12th ACM workshop on artificial intelligence and security, 2019, pp. 1–11.
[27] R. Xu, N. Baracaldo, Y. Zhou, A. Anwar, and H. Ludwig, "Hybridalpha: An efficient approach for privacy-preserving federated learning," in Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security, 2019, pp. 13–23.
[28] J. H. Bell, K. A. Bonawitz, A. Gascón, T. Lepoint, and M. Raykova, "Secure single-server aggregation with (poly) logarithmic overhead," in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020, pp. 1253–1269.
[29] A. Madi, O. Stan, A. Mayoue, A. Grivet-Sébert, C. Gouy-Pailler, and R. Sirdey, "A secure federated learning framework using homomorphic encryption and verifiable computing," in 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS). IEEE, 2021, pp. 1–8.
[30] W.-T. Lin, G. Chen, and Y. Huang, "Incentive edge-based federated learning for false data injection attack detection on power grid state estimation: A novel mechanism design approach," Applied Energy, vol. 314, p. 118828, 2022.
[31] L. Zhao, J. Li, Q. Li, and F. Li, "A federated learning framework for detecting false data injection attacks in solar farms," IEEE Transactions on Power Electronics, vol. 37, no. 3, pp. 2496–2501, 2021.
[32] Y. Li, X. Wei, Y. Li, Z. Dong, and M. Shahidehpour, "Detection of false data injection attacks in smart grid: A secure federated deep learning approach," IEEE Transactions on Smart Grid, vol. 13, no. 6, pp. 4862–4872, 2022.
[33] A. Shamir, "How to share a secret," Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
[34] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in International conference on the theory and applications of cryptographic techniques. Springer, 1999, pp. 223–238.
[35] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, "False data injection on state estimation in power systems—Attacks, impacts, and defense: A survey," IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2016.
[36] X. Yin, Y. Zhu, and J. Hu, "A Sub-grid-oriented Privacy-Preserving Microservice Framework based on Deep Neural Network for False Data Injection Attack Detection in Smart Grids," IEEE Transactions on Industrial Informatics, vol. PP, pp. 1–1, 2021.
[37] M. De Cock, R. Dowsley, A. C. Nascimento, D. Railsback, J. Shen, and A. Todoki, "High performance logistic regression for privacy-preserving genome analysis," BMC Medical Genomics, vol. 14, no. 1, pp. 1–18, 2021.
[38] Y. Lindell, "How to simulate it–a tutorial on the simulation proof technique," Tutorials on the Foundations of Cryptography: Dedicated to Oded Goldreich, pp. 277–346, 2017.
[39] S. Meinecke, D. Sarajlić, S. R. Drauz, A. Klettke, L.-P. Lauven, C. Rehtanz, A. Moser, and M. Braun, "Simbench - a benchmark dataset of electric power systems to compare innovative solutions based on power flow analysis," Energies, vol. 13, p. 3290, 2020.

Jiankun Hu is currently a Professor with the School of Engineering and IT, University of New South Wales, Canberra, Australia. He is also an invited expert of Australia Attorney-General's Office, assisting the draft of Australia National Identity Management Policy. He has received nine Australian Research Council (ARC) Grants and has served at the Panel on Mathematics, Information, and Computing Sciences, Australian Research Council ERA (The Excellence in Research for Australia) Evaluation Committee 2012. His research interests are in the field of cyber security covering intrusion detection, sensor key management, and biometrics authentication. He has many publications in top venues, including the IEEE TRANSACTIONS ON PATTERN ANALYSIS AND MACHINE INTELLIGENCE, the IEEE TRANSACTION COMPUTERS, the IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, Pattern Recognition, and the IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS. He is a senior area editor of the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY.

Hemanshu R. Pota received the B.E. from Sardar Vallabhbhai Regional College of Engineering and Technology, Surat, India, in 1979, the M.E. from the Indian Institute of Science, Bangalore, India, in 1981, and the Ph.D. from the University of Newcastle, NSW, Australia, in 1985; all in Electrical Engineering. He is currently an associate professor at the University of New South Wales, Canberra, Australia. He has held visiting appointments at the Columbia University, New York City, NY; University of California, Los Angeles; the University of Delaware; Iowa State University; Kansas State University; Old Dominion University; the University of California, San Diego; and Centre for AI and Robotics, Bangalore.