
This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version, which has not been fully edited; content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3267892

An Efficient Privacy-enhancing Cross-silo Federated Learning and Applications for False Data Injection Attack Detection in Smart Grids

Hong-Yen Tran, Jiankun Hu*, Senior Member, IEEE, Xuefei Yin, and Hemanshu R. Pota

Abstract—Federated learning is a prominent machine learning paradigm that helps tackle data privacy issues by allowing clients to store their raw data locally and transfer only their local model parameters to an aggregator server to collaboratively train a shared global model. However, federated learning is vulnerable to inference attacks from dishonest aggregators, who can infer information about clients' training data from their model parameters. To deal with this issue, most of the schemes proposed in the literature either require a non-colluding server setting, a trusted third party to compute master secret keys, or a secure multiparty computation protocol that remains inefficient over multiple iterations of computing an aggregation model. In this work, we propose an efficient cross-silo federated learning scheme with strong privacy preservation. By designing a double-layer encryption scheme that requires no discrete logarithm computation, utilizing secret sharing only at the establishment phase and in the iterations when parties rejoin, and accelerating the computation via parallel computing, we achieve an efficient privacy-preserving federated learning protocol that also allows clients to drop out and rejoin during the training process. The proposed scheme is demonstrated theoretically and empirically to provide provable privacy against an honest-but-curious aggregator server while simultaneously achieving desirable model utility. The scheme is applied to false data injection attack (FDIA) detection in smart grids, yielding a cross-silo FDIA federated learning scheme that is more resilient to inference attacks on local private data than existing works.

Index Terms—privacy-preserving, federated learning, encryption, secret sharing, false data injection attack detection.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

• Hong-Yen Tran, Jiankun Hu* (corresponding author), and Hemanshu R. Pota are with the School of Engineering and Information Technology, University of New South Wales Canberra at ADFA, ACT 2602, Australia (e-mail: [email protected]; [email protected]; [email protected]).
• Xuefei Yin is with the School of Information and Communication Technology, Griffith University, Gold Coast, Queensland, Australia (e-mail: [email protected]).

Manuscript received ...; revised ...

1 INTRODUCTION

Federated learning [1] is an emerging machine learning paradigm which addresses critical data privacy issues by enabling clients to store their raw data locally and transfer only their updated local model parameters to an aggregator server for jointly training a global model. Due to this characteristic, federated learning offers significant privacy improvements over centralizing all the training data. However, federated learning is vulnerable to inference attacks from dishonest aggregators, who can infer information about clients' training data from their model parameters (weights, gradients) [2], [3], [4], [5], [6], [7]. For example, [4] employed generative adversarial networks to infer the private data of a target client from its shared model parameters. This means that even if the model is trained in federated learning, data privacy still cannot be rigorously guaranteed. Information can be extracted from global model parameters, but this information cannot be linked to a specific single client because the data samples are anonymized among multiple clients. However, this is not the case if the information is inferred from local model parameters by a corrupted aggregator. Thus, clients' model parameters should be protected from the access of a corrupted aggregator to prohibit these potential inference attacks.

To address this problem, existing approaches focus on two main techniques: differential privacy and secure aggregation. The former adds noise directly to the clients' models over a large number of iterations; thus, it sacrifices global model accuracy as a privacy-utility trade-off. The latter utilizes cryptographic techniques such as secure multiparty computation and homomorphic encryption to securely aggregate the clients' models without learning their specific values. However, most of these existing approaches rely on a trusted third party to generate the master key for aggregation, or on a setting with multiple non-colluding servers. Besides, many proposed schemes are still inefficient and impractical due to the expensive overhead of computation and communication among multiple clients over multiple rounds of training.

False data injection attack (FDIA) detection [8], [9] is a critical security operation in a smart grid control system and has been tackled by data-driven machine learning methods. These methods require a huge amount of measurement data, which are distributed over an interconnected grid. In such an interconnected grid, each sub-grid is owned and managed by an independent transmission grid company (TGC) owing to power industry deregulation [10], [11]. To build a high-accuracy model for false data injection detection, measurement data from all involved sub-grids should be shared. However, transmitting such huge measurement data over the network for a cen-
tralized detection machine learning algorithm is expensive and also leads to security and privacy issues, including competitive privacy [12]. The question is how to coordinate these TGCs to detect FDI attacks while preserving their competitive privacy. This remains a challenging problem which has been attracting recent studies with federated learning-based solutions. In federated learning, a cross-silo setting is often established where a number of companies or organizations have a common incentive to train a model based on all of their data, but do not share their data directly due to confidentiality/privacy or legal constraints [13]. To enhance the privacy of power companies when they contribute their local training models, an efficient privacy-preserving cross-silo federated learning for FDIA detection over multi-area transmission grids should be designed.

In view of the above issues, we propose an efficient cross-silo federated learning scheme with strong privacy preservation which is applicable to the smart grid domain. By designing a double-layer encryption scheme over multiple federated learning rounds and utilizing Shamir secret sharing, we achieve an efficient privacy-preserving federated learning protocol which also allows some clients to drop out and rejoin dynamically during the training process. Specifically, we summarize the main contributions as follows:

• A general privacy-enhancing cross-silo federated learning with a secure weighted aggregation scheme is designed based on lightweight double-layer encryption and Shamir secret sharing. The scheme removes the requirement of computing discrete logarithms, which is a limitation of some related works. No multiple non-colluding server setting is required. Besides, clients' secret keys for the two encryption layers are generated in a decentralized manner, which helps increase privacy.
• The proposed scheme is demonstrated theoretically and empirically to provide provable privacy against an honest-but-curious aggregator server and simultaneously achieve desirable model utility.
• The proposed scheme is efficient in communication/computation and robust against dropouts/rejoining during training iterations.
• An efficient privacy-enhancing cross-silo federated learning resilient to local training data inference attacks is proposed for FDIA detection in the smart grid domain and empirically evaluated.

This paper consists of eight sections. Following this Introduction section are the Related Works and Preliminaries sections. The proposed privacy-enhancing cross-silo federated learning without any trusted third parties is given in Section 4, followed by the analysis of the scheme in Section 5. A concrete scenario of enhancing privacy in cross-silo federated learning for FDIA detection in smart grids, with empirical evaluation, is given in Sections 6 and 7. Finally, Section 8 gives the discussion and conclusions.

2 RELATED WORKS

Existing works on enhancing privacy for federated learning mainly employ two types of techniques. One technique is differential privacy [14], which adds appropriate noise to shared parameters according to the desired privacy level. For example, [15] added Laplace noise to the gradients and selectively shared the perturbed gradients, and [16], [17] presented client-sided differential privacy federated learning schemes to hide clients' model contributions during training. To protect local models, the noise added to each local model must be large enough; as a result, the aggregate noise corresponding to the aggregate model becomes too large, which would completely destroy the utility of this model.

The other technique is secure multiparty computation and homomorphic encryption for secure aggregation. The scheme in [18] was based on ElGamal homomorphic encryption. This scheme requires a trusted dealer to provide each participant with a secret key sk_i and the aggregator with sk_0 such that Σ_{i=0}^{k} sk_i = 0. Their private secure aggregation is aggregator-oblivious in the encrypt-once random oracle model, where each participant only encrypts once in each time period. To decrypt the sum, it ends up computing the discrete logarithm, which can be implemented through a brute-force search or Pollard's lambda method requiring O(√(k∆)), where k is the number of parties and ∆ is the maximum value of any party's input. To overcome the limitations of solving discrete logarithm problems, [19] presented a scheme in the encrypt-once random oracle model with fast encryption and decryption based on the Decisional Composite Residuosity assumption, which removes the discrete logarithm computation. However, this scheme also requires a trusted dealer to generate and distribute the secret keys to the participants and an aggregator. Besides, both of the approaches in [18] and [19] only deal with secure aggregation of scalars over periods of time (not the secure weighted aggregation of model vectors over multiple iterations of federated learning) and do not deal with dropout/rejoining problems. Addressing the drawbacks of [18] and [19], the work in [20] proposed a secure aggregation scheme where the input is a vector and which can deal with dropouts. The scheme is based on pairwise additive stream ciphers and Shamir secret sharing to tackle client failures. Diffie-Hellman key exchange is adopted to share common pair-wise seeds of a pseudorandom generator. Double-masking is introduced to prevent leakage if there is any delay in transmission. Nevertheless, this approach requires at least four communication rounds between each client and the aggregator in each iteration and a repetition of Shamir secret sharing for each iteration. Thus, it suffers from communication and computation inefficiency considering the huge number of iterations of federated learning. Utilizing the technique of secure data aggregation in [20], the work in [21] proposed a general privacy-enhanced federated learning scheme with secure weighted aggregation, which can deal with both data significance evaluation and secure data aggregation. This scheme still inherits the same drawbacks as [20]. Besides, this scheme only resolved a weak security model with no collusion between the server and the clients participating in the federated learning. The paper [22] presented Prio, a privacy-preserving system for the collection of aggregate statistics. With a similar approach, [23] introduced SAFELearn, a generic design for efficient private federated learning systems that protect against inference attacks using secure aggregation. However, these designs rely
on multiple non-colluding server settings. Dong et al. [24] designed two secure ternary federated learning protocols against semi-honest adversaries, based on threshold secret sharing and homomorphic encryption respectively. In the first protocol, threshold secret sharing is used to share all local gradient vectors in all iterations, which causes expensive computation and communication overhead. The limitation of their second protocol is that all clients use the same secret key, so if the server colludes with a client then it can obtain all clients' models. In [25], Fang et al. modified the traditional ElGamal protocol into a double-key encryption version to design a new scheme for federated learning with privacy preservation in cloud computing. Nevertheless, the scheme has to solve the discrete logarithm problem, as in [18]. The study in [26] combined additively homomorphic encryption with differential privacy but cannot tolerate client dropouts. Their system creates significant run-time overheads, which makes it impractical for real-world federated learning applications. Functional encryption and differential privacy are utilized in [27] to design the HybridAlpha scheme. However, HybridAlpha relies on a trusted party that holds the master keys. The proposed scheme in [28] replaced the complete communication graph in [20] with a k-regular graph of logarithmic degree to reduce the communication cost while maintaining the security guarantees; however, each client shares its secret across only a subset of parties, and thus the dropout-resilience is downgraded.

Considering the integrity of the global model besides the privacy preservation of the local data and models, the approach in [29] combined Paillier additive homomorphic encryption and verifiable computation primitives. The scheme in [29] can verify the correctness of the aggregated model, given that every client provides its genuine local model. From the perspective of privacy preservation, the scheme can only tolerate a weaker threat model: no collusion among the server and clients participating in the federated learning protocol was assumed, as the keys (sk, pk) necessary for the homomorphic encryption and the signatures are generated by one of the clients and shared among all clients. In [17], to deal with the collusion problem in [29], adding Gaussian noise to the local models before homomorphic encryption was proposed. However, the standard deviation of the additive Gaussian noise must be small so as not to destroy the genuine local models, with the result that the added noise cannot provide a high level of differential privacy (ε is not small, i.e., not less than 1).

The power grid scenario of false data injection attack detection based on federated learning in smart grids has been studied in [30], [31], [32]. The investigated power grid scenario is similar in these papers and in the proposed scheme. For example, an independent power system state owner (PSSO) and a detection service provider (DSP) in [30] correspond to an independent transmission grid company (TGC) and a system operator (SO) in the proposed scheme. The power grid scenario fits the investigated cross-silo federated learning setting (e.g., the number of parties (PSSOs/TGCs) is small and each party is facilitated with high-performance computing). However, [30], [31] only apply federated learning and do not consider the security problem of local data privacy leakage from local models, as [32] and our proposed scheme do. The scheme in [32] enhanced privacy by utilising Paillier-based homomorphic encryption for secure model aggregation, but only resolved a weak security model with no collusion among the server and the clients participating in the federated learning. All clients have to share a common public/secret key pair for encryption/decryption, and a trusted party is required to generate this key pair.

A privacy-preserving federated learning approach needs to be efficient in computation and communication while providing strong privacy preservation and desirable model utility. Most of the related works focus on the basic problem of secure aggregation, with the main approaches based on secure multiparty computation, homomorphic encryption, and differential privacy. In spite of some achievements in secure aggregation and privacy-preserving federated learning, there are still drawbacks. The majority of proposed schemes in the literature require a trusted third party to compute master secret keys, a common secret key shared by all local parties, or non-colluding server settings. This means these works guarantee privacy only in weaker security models (e.g., no collusion).

The proposed scheme does not require a trusted dealer to provide each participant with a secret key, as the schemes in [18], [19], [27], [32] do. While the schemes in [18], [25] require computing the discrete logarithm, our scheme removes that complexity by utilizing encryption-decryption based on the Decisional Composite Residuosity assumption. Moreover, both of the approaches in [18] and [19] only deal with secure aggregation of scalars over periods of time, not the secure weighted aggregation of model vectors over multiple iterations of federated learning. The dropout and rejoining problems were not investigated in these works either. Although eliminating the drawbacks of [18], [19], the schemes in [20], [28] suffer higher computation overhead than the proposed approach and do not address federated learning with secure weighted aggregation. Other systems in [22], [23] depend on multiple non-colluding server settings, which are not required by our scheme. The systems in [21], [24], [29], [32] cannot tolerate the risk of revealing all clients' models when there is a collusion between the server and a client, as our protocol can. The study in [26] cannot resolve client dropouts, and its significant run-time overheads make it impractical for real-world federated learning applications. Our scheme is resilient to dropouts and provides efficient performance for real applications, such as privacy-preserving federated learning false data injection detection.

To summarize, Table 1 compares our scheme with related works regarding the application scenario of FDIA federated learning with secure weighted aggregation (A1, A2) and different security/privacy properties (A3-A8). Only three recent works [30], [31], [32] studied FDIA federated learning. Most of the related works do not provide all security properties A3-A8. Only the studies in [20] and [28] from Table 1 satisfy all security properties, as the proposed approach does. Table 2 compares the computation and communication complexity of these two studies [20], [28] and the proposed scheme. From Table 1 and Table 2, it can be seen that the proposed scheme guarantees privacy
in a stronger security model and at a lower computational overhead than the related works.

TABLE 1: Comparison of our scheme with related works. A1. FDIA federated learning, A2. Secure weighted model aggregation, A3. No trusted dealer to generate and distribute secret keys, A4. No non-colluded server setting, A5. Collusion resistance, A6. Dropouts/Rejoins handling, A7. No discrete logarithm problem solving, A8. Privacy-security trade-off

Work  A1   A2   A3   A4   A5   A6   A7   A8
[14]  ×    ×    X    X    X    ×    X    ×
[15]  ×    ×    X    X    X    ×    X    ×
[16]  ×    ×    X    X    X    ×    X    ×
[17]  ×    ×    X    X    X    ×    X    ×
[18]  ×    ×    ×    X    X    ×    ×    X
[19]  ×    ×    ×    X    X    ×    X    X
[20]  ×    ×    X    X    X    X    X    X
[21]  ×    X    ×    X    ×    X    X    X
[22]  ×    ×    X    ×    ×    ×    X    X
[23]  ×    ×    X    ×    ×    X    X    X
[24]  ×    ×    ×    X    ×    X    X    X
[25]  ×    ×    X    X    X    X    ×    X
[26]  ×    ×    ×    X    X    ×    X    X
[27]  ×    ×    ×    X    X    X    X    X
[28]  ×    ×    X    X    X    X    X    X
[29]  ×    ×    ×    X    ×    X    X    X
[30]  X    ×    n/a  n/a  n/a  n/a  n/a  n/a
[31]  X    ×    n/a  n/a  n/a  n/a  n/a  n/a
[32]  X    ×    ×    X    ×    X    X    X
Our   X    X    X    X    X    X    X    X

3 PRELIMINARIES

3.1 Notations and definitions

Column vectors are denoted by lower-case bold letters, like v. The i-th entry of the vector v is v_i, and v^T is the transpose of the column vector v. The zero-vector is represented by 0. Given a set S, x ←$ S indicates that x is sampled uniformly at random from S. The notation [k] represents the set {0, 1, · · · , k − 1}. The computational indistinguishability of two distributions H0 and H1 is denoted by H0 ≅ H1. Table 3 lists the notations used in this paper.

3.2 Federated Learning

Federated learning is a machine learning scheme where multiple clients collaborate in generating a shared machine learning model under the coordination of a central server. Each client's raw data is stored locally and not transmitted; instead, the local model parameters are sent to the server for aggregation to achieve the learning objective. Cross-silo federated learning is the federated learning setting in which clients are different organizations or geo-distributed data centres that have the incentive to train a shared model on the union of their siloed data [13].

Several algorithms have been proposed for federated learning. In this work, we utilize FedAvg [1], which is the original federated learning aggregation mechanism and is commonly applied in related works. In FedAvg, the global model parameters are updated by summing the weighted local model parameters: w = Σ_{i=1}^{k} (n_i / n) · w_i.

3.3 Shamir Secret sharing

A (t, n) Shamir secret sharing scheme [33] creates n shares {s^(1), · · · , s^(n)} of a secret s such that s can be efficiently reconstructed from any combination of t shares, but not from any set of fewer than t shares. Here s, s^(1), · · · , s^(n) are elements of a finite field Z_p for some large prime p, where 0 < t ≤ n < p. The scheme works as follows:

• Setup: The secret holder randomly chooses a_1, · · · , a_{t−1} from Z_p and sets a_0 = f(0) = s to define a polynomial of degree t − 1:
f(x) = a_0 + a_1·x + a_2·x² + · · · + a_{t−1}·x^{t−1} mod p
• Sharing: The secret holder computes s^(i) = f(i) for i ∈ {1, 2, · · · , n} and sends (i, s^(i)) to the corresponding participant i.
• Reconstructing: Given any t pairs (x_j, s^(x_j)), j = 1, · · · , t, a user is able to reconstruct the secret by Lagrange interpolation at x = 0:
s = a_0 = Σ_{j=1}^{t} s^(x_j) · Π_{m=1, m≠j}^{t} x_m / (x_m − x_j) mod p

3.4 Decisional Composite Residuosity Assumption

Let N = p · q for two large primes p and q. The Decisional Composite Residuosity (DCR) assumption [34] states that the advantage of a distinguisher D, defined as the distance

Adv_D^DCR := |Pr[D(y, N) = 1 | y = x^N mod N², x ←$ Z*_N] − Pr[D(y, N) = 1 | y ←$ Z*_{N²}]|,

where the probabilities are taken over all coin tosses, is a negligible function.

3.5 False data injection attacks

False data injection attacks (FDIAs) are designed by manipulating some measurements to circumvent the residual-based bad data detection in a power management system [8], [9], [35]. Various algorithms have been designed to detect these attacks using new techniques instead of the residual-based bad data detection mechanism; one example is the deep learning network in [36] that models the spatial-temporal relationship between bus and line measurements.

4 PROPOSED PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING

4.1 System model and overview of the proposed privacy-enhancing cross-silo federated learning

Consider a system with k local parties and an aggregator server. Each local party owns its private dataset D_i, i ∈ {1, · · · , k}, with n_i = |D_i| samples.
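As a concrete reference point for the FedAvg rule w = Σ_{i=1}^{k} (n_i/n) · w_i recalled in Section 3.2, the weighted aggregation can be sketched in plain Python. The model vectors and sample counts below are made-up toy values, not data from the paper:

```python
# Sketch of the FedAvg update w = sum_i (n_i / n) * w_i from Section 3.2.
# The model vectors and sample counts are toy values for illustration.

def fedavg(local_models, sample_counts):
    """Weighted average of local model vectors by training-set size."""
    n = sum(sample_counts)
    global_model = [0.0] * len(local_models[0])
    for w_i, n_i in zip(local_models, sample_counts):
        for j, value in enumerate(w_i):
            global_model[j] += (n_i / n) * value
    return global_model

# Three parties with model vectors of length 2 and 10/30/60 training samples.
models = [[1.0, 2.0], [3.0, 4.0], [5.0, 6.0]]
counts = [10, 30, 60]
print(fedavg(models, counts))  # approximately [4.0, 5.0]
```

Note that the party holding more samples pulls the global model proportionally closer to its local model, which is exactly the weighting the secure aggregation below must preserve under encryption.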

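The Setup/Sharing/Reconstructing steps of Shamir's scheme (Section 3.3) can likewise be sketched; the small prime and the toy secret are illustrative assumptions only (a real deployment uses a large prime p):

```python
import random

P = 2087  # toy prime; Section 3.3 assumes a large prime p with 0 < t <= n < p

def share(secret, t, n):
    """Split `secret` into n shares; any t of them reconstruct it."""
    # Setup: f(x) = a0 + a1*x + ... + a_{t-1}*x^{t-1} mod p, with a0 = secret.
    coeffs = [secret] + [random.randrange(P) for _ in range(t - 1)]
    # Sharing: share i is the point (i, f(i)).
    return [(x, sum(a * pow(x, i, P) for i, a in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_p, using t shares."""
    s = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = (num * xm) % P
                den = (den * (xm - xj)) % P
        # pow(den, -1, P) is the modular inverse (Python 3.8+).
        s = (s + yj * num * pow(den, -1, P)) % P
    return s

shares = share(secret=1234, t=3, n=5)
print(reconstruct(shares[:3]))  # 1234, from any 3 of the 5 shares
```

Any subset of t = 3 shares recovers the secret, while fewer shares leave it information-theoretically hidden, which is what makes the scheme suitable for tolerating dropped parties.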

TABLE 2: Comparison of secure aggregation among [20], [28], and ours. k is the number of local parties/clients, L is the length of the clients' model vector, and τ is the Shamir secret sharing threshold.

                                    [20]             [28]                      Ours
Computation overhead     Server     O(L·k²)          O(L·k log k + k log²k)    O(L + [k²])
                         Client     O(L·k + k²)      O(L·log k + log²k)        O(L + [τ·k])
Communication overhead   Server     O(L·k + k²)      O(L·k + k log²k)          O(L·k + [k²])
                         Client     O(L + k)         O(L + log²k)              O(L + [k])
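Part of the efficiency edge in Table 2 comes from decrypting aggregates without solving discrete logarithms. As intuition for the DCR-style encoding used in this paper (Sections 3.4 and 4.2.1): since (1 + N)^x ≡ 1 + x·N (mod N²), multiplying ciphertexts adds plaintexts, and once the blinding masks cancel, the sum is read off with a single division. The tiny primes and the two-party mask below are illustrative assumptions, not the paper's full double-layer scheme:

```python
# Toy sketch: additive aggregation via (1+N)^x mod N^2 with cancelling masks.
# Tiny primes for readability; illustrative only, not the paper's protocol.
p, q = 1009, 1013
N = p * q
N2 = N * N

def enc(x, mask):
    # (1+N)^x ≡ 1 + x*N (mod N^2): the plaintext sits in the "N-digit".
    return (pow(1 + N, x, N2) * mask) % N2

# Two parties blind with masks that cancel in the product,
# mimicking secret keys that sum to zero.
g, r = 5, 12345
m1 = pow(g, r, N2)
m2 = pow(m1, -1, N2)           # modular inverse, so m1 * m2 ≡ 1 (mod N^2)

c = (enc(700, m1) * enc(42, m2)) % N2
total = (c - 1) // N           # recover 700 + 42 without a discrete log
print(total)  # 742
```

The key point is the last line: recovering the aggregate costs one subtraction and one division, whereas ElGamal-style aggregation [18], [25] would require a discrete logarithm search at this step.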

All local participants agree on the same learning network structure N. The global learning network model at the t-th iteration consists of L weight parameters, denoted as w_G^(t) = {w_0^(t), w_1^(t), ..., w_{L−1}^(t)}. The aim is to learn a global network model from all local datasets without exposing participants' data privacy, under the coordination of the aggregator.

The adversary is the honest-but-curious aggregator server, which is assumed to follow the protocol honestly but attempts to infer sensitive information about participants' training data from their model updates w_i^(t). It is also assumed that there are private and authenticated peer-to-peer channels between parties, so that the data transferred cannot be eavesdropped on or modified. This can be enforced in practice with the appropriate use of digital signatures and certificate authorities. To implement federated learning which utilizes the union of local datasets, each party contributes its local model vector w_i^(t) at each iteration. Unfortunately, this raises the risk of inference attacks performed by an honest-but-curious aggregator on each local model to extract information about the corresponding party's local data used for training. Hence, ordinary federated learning needs to be integrated with privacy protection techniques to prohibit access to individual model updates. The system should be designed to hide local models from the aggregator to counter the inference attacks, while still enabling efficient and accurate federated learning.

The following section introduces and explains the main techniques in the proposed privacy-enhancing cross-silo federated learning scheme.

TABLE 3: LIST OF NOTATIONS

Notation             Description
k                    The number of local parties
T                    The number of learning iterations
C                    Set of controlled parties
N                    Learning network structure
w^(t)                The global learning model vector at the t-th iteration
x_i^(t)              The encoded local learning model vector of P_i at the t-th iteration
L                    The length of the model vector; [L] = [0, · · · , L − 1]
Z_N                  The additive group of integers modulo N
Z*_N                 The multiplicative group of integers modulo N
U = {P_i}_{i∈[k]}    The set of all local parties' indices
U_a^t                The set of alive parties' indices at the t-th iteration
U_d^t = U \ U_a^t    The set of dropped parties' indices at the t-th iteration
U_r^t                The set of parties' indices who rejoin at the t-th iteration
s_i^(j)              The share of secret s_i for P_j
n_i^(t)              The number of training data of P_i at iteration t
n^(t)                n^(t) = Σ_{i∈[k]} n_i^(t)

4.2 High-level technical overview

4.2.1 Protecting local models
The encryption scheme in [19], based on the DCR assumption in the random oracle model, is utilized to obtain the global model vector as the weighted average of a set of local model vectors given their encryptions c_{i,j}^(t) = (1 + N_1)^{x_{i,j}^(t)} · H_1(j)^{sk_i^(t)} mod N_1². Here, x_{i,j}^(t) is the j-th element of the i-th party's model vector encoded in a non-negative integer form at the t-th iteration, and sk_i^(t) is the secret encryption key of the i-th party at the t-th iteration. The main benefit of this construction is that the weighted-average global model vector can be retrieved without computing the discrete logarithm, unlike the other approaches in the literature [18], [25]. In [19], only secure aggregation is considered, and it is assumed that there exists a trusted dealer which generates the encryption keys sk_i, i = 1 · · · k, and the master key sk_0 = −Σ_{i=1}^{k} sk_i. In our proposed scheme, secure weighted aggregation is investigated: each party creates its own secret key sk_i^(t), and the master key is computed from the clients' secret keys in a secure computation manner. To enable the secure weighted aggregation of local models, which was not considered in [19], the number of each party's training samples is also encrypted with the corresponding sk_i^(t) at each iteration. The master key to decrypt the global model vector is calculated as msk^(t) = Σ_{i∈U_a^t} sk_i^(t), where U_a^t is the set of alive parties who contribute their encrypted local models for aggregation. This master key should be computed in a secure way to increase the privacy level. This is achieved by designing a second layer of the basic encryption scheme to encrypt the secret encryption keys sk_i^(t) of the first layer: β_i^(t) = (1 + N_2)^{sk_i^(t)} · H_2(t)^{v_i^(t)} mod N_2². The secret encryption key of this second layer is v_i^(t). The requirement for v_i^(t) is that it is privately generated by each party such that Σ_{i∈U} v_i^(t) = 0, where U is the set of all parties. Different from the secret keys sk of the first layer, which are generated at each iteration, the secret encryption keys v^(0), which are created at the initial sub-protocol π_0 of the establishment phase, can basically be used for multiple iterations (v^(t) = v^(t−1) = · · · = v^(0)). The generation of v^(t) is based on correlated values that cancel out, using common pair-wise secrets: v_i^(t) = Σ_{i<j} γ_{i,j}^(t) − Σ_{i>j} γ_{j,i}^(t), where γ_{i,j}^(t) is the common initial pair-wise secret between party i and party j, created by adopting the Diffie-Hellman key exchange protocol.

4.2.2 Handling dropouts
Shamir's τ-out-of-k secret sharing is utilized to allow a user to split a secret into k shares, such that any τ shares can be
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in IEEE Transactions on Information Forensics and Security. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2023.3267892

IEEE ... , VOL. , NO. , 2023 6

used to reconstruct the secret, but any set of at most τ − 1 shares gives no information. Each party creates k shares of its secret s_i^(t), keeps one share, and sends each of the k − 1 remaining shares to a different party. At each iteration t, after receiving the ciphertexts, the aggregator broadcasts the set of alive parties U_a^t and the set of dropped parties U_d^t = U \ U_a^t. If U_a^t = U, then Σ_{i∈U_a^t} v_i^(t) = 0; but if U_a^t ⊂ U, then the sum Σ_{i∈U_a^t} v_i^(t) needs to be recovered. Alive parties send their shares s_d^(t,i) of a dropped party P_d to the aggregator. Thanks to the τ-out-of-k Shamir threshold secret sharing scheme, the secret s_d^(t) can be recovered by the aggregator as long as the aggregator receives at least τ secret shares s_d^(t,i). Having s_d^(t), the aggregator can compute v_d^(t) and obtain Σ_{i∈U_d^t} v_i^(t), the master key of the second encryption layer, which unlocks the sum Σ_{j∈U_a^t} sk_j^(t). Because the sum Σ_{j∈U_a^t} sk_j^(t) is the master key of the first encryption layer, it in turn yields the sum Σ_{j∈U_a^t} x_j^(t).

4.2.3 Handling rejoining
Assume that the secret s_d^(t−1) of a dropped party P_d was revealed to the aggregator. If P_d rejoins the current (t-th) iteration, P_d has to create a new secret s_d^(t). In this case, the party P_d sends its updated public key pk_d^(t) = g^{s_d^(t)} to the aggregator, then creates and distributes Shamir shares of its updated secret s_d^(t). The aggregator broadcasts the updated set of public keys and the set of rejoining parties. Rejoining parties P_r update the seeds γ_{r,i}^(t) = (pk_i^(t))^{s_r^(t)} shared with all other parties and compute their updated secret v_r^(t). The other parties P_i update the seeds γ_{i,r}^(t) = (pk_r^(t))^{s_i^(t)} shared with the rejoining parties and also calculate their updated secret v_i^(t).

4.2.4 Reducing communication and computation overhead
To overcome the problem of communication and computation overhead in federated learning with multiple iterations, the proposed solution is threefold. The first part is to utilize a lightweight encryption/decryption scheme that does not require computing discrete logarithms. The second is to accelerate the computation via parallel Single Instruction Multiple Data (SIMD) execution of the cryptographic operations over model vectors, together with pre-computed hash functions. The third is to limit the number of times the secrets s_i^(t) of the Shamir secret sharing scheme are created and transmitted. This is effectively achieved by designing a double-layer encryption scheme in which the secret keys sk of the first layer are used for only one iteration, while the secret keys v of the second layer can be used for multiple iterations. Shamir secret sharing of the secrets s is only performed at the establishment phase and in the iterations when parties rejoin. Moreover, only rejoining parties P_r generate new key pairs and transmit their new public keys pk_r^(t) = g^{s_r^(t)}.

4.3 Description of the proposed protocol
Algorithm 1 describes the overall steps of the proposed privacy-enhancing cross-silo federated learning from the client side and the server side.

Algorithm 1 Proposed privacy-enhancing cross-silo federated learning algorithm
Input: T: maximum number of rounds; k: the number of clients selected in each round; N_epoch: the number of local epochs; η: the local learning rate; pp: public parameters
Output: Global model w_G
Processing:
[Server-side]
 1: Initialize w_G^(0)
 2: for each round t from 1 to T do
 3:     U_t contains the k selected clients
 4:     for each client i ∈ U_t in parallel do
 5:         C_i^(t) ← LocalTraining(i, w_G^(t), t)
 6:     end for
 7:     y^(t+1), n^(t) ← Dec(pp, {C_i^(t)}_{i∈U_a^t})
 8:     w_G^(t+1) = (1 / n^(t)) · Decode(y^(t+1))
 9: end for
[Client-side: Party P_i]
LocalTraining(i, w, t):
10: Divide the local dataset D_i^(t) for round t into batches; B_i^(t) denotes the set of batches
11: for each epoch j from 1 to N_epoch do
12:     for each batch b ∈ B_i^(t) do
13:         w_i^(t) ← w_i^(t) − η ∇L(w_i^(t); b)
14:     end for
15: end for
16: z_i^(t) ← n_i^(t) · w_i^(t)
17: x_i^(t) ← Encode(z_i^(t))
18: C_i^(t) ← Enc(pp, x_i^(t), n_i^(t), t)
19: return C_i^(t)

4.3.1 Establishment
All parties agree on the public parameters pp = (N_1, N_2, H_1, H_2, G, T), where: N_1 is the modulus of encryption layer 1; N_2 is the modulus of encryption layer 2, with N_2 > √k · 2^{l_1}, where l_1 is the bit-length of N_1 and k is the number of local parties; H_1 : Z → Z*_{N_1^2} and H_2 : Z → Z*_{N_2^2} are two hash functions; G is the learning network; and T is the number of federated learning iterations. The sub-protocol π_0 generates the secrets v^(0) as follows:

Sub-protocol π_0
1. The aggregator chooses and publishes a λ-bit prime p, where λ is the security parameter, and g, a generator of Z*_p.
2. Each P_i uniformly samples s_i^(0) ←$ Z*_p and sends pk_i^(0) = g^{s_i^(0)} to the aggregator, who then broadcasts the set of all public keys to all parties.
3. Each pair of clients (P_i, P_j) computes a common pairwise seed γ_{i,j}^(0):
        γ_{j,i}^(0) = (pk_i^(0))^{s_j^(0)} = (pk_j^(0))^{s_i^(0)} = γ_{i,j}^(0)        (1)
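The pairwise seeds of sub-protocol π_0 make the second-layer keys v_i^(0) cancel when summed over all parties. A minimal Python sketch of this zero-sum property follows; the toy prime, generator, and function names are illustrative assumptions, not the authors' implementation:

```python
import random

def setup_pairwise_masks(k, p, g):
    """Sub-protocol pi_0 sketch: each party samples s_i, publishes pk_i = g^{s_i},
    and derives Diffie-Hellman seeds gamma[i][j] = g^{s_i * s_j} mod p.
    The second-layer masks v_i (Eq. (2)) then sum to zero over all parties."""
    s = [random.randrange(1, p - 1) for _ in range(k)]
    pk = [pow(g, si, p) for si in s]
    # P_i computes gamma[i][j] from P_j's public key; symmetry gives gamma[i][j] == gamma[j][i]
    gamma = [[pow(pk[j], s[i], p) for j in range(k)] for i in range(k)]
    # v_i = sum_{i<j} gamma_{i,j} - sum_{i>j} gamma_{i,j}
    return [sum(gamma[i][j] for j in range(i + 1, k))
            - sum(gamma[i][j] for j in range(i)) for i in range(k)]

v = setup_pairwise_masks(k=5, p=2**61 - 1, g=5)
assert sum(v) == 0  # every pair contributes +gamma to one party and -gamma to the other
```

Each unordered pair {i, j} adds the same seed once with a plus sign and once with a minus sign, which is exactly why H_2(t)^{Σ v_i} vanishes in the aggregation below.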


4. Each P_i computes:
        v_i^(0) = Σ_{i<j} γ_{i,j}^(0) − Σ_{i>j} γ_{i,j}^(0)        (2)
5. Each P_i runs the Shamir secret sharing algorithm SS(s_i^(0), τ, k) to create k shares of its secret key s_i^(0) and sends each triple (i, j, s_i^(0,j)) to the corresponding other party P_j, where s_i^(0,j) is the share of s_i^(0) for party P_j:
        {(i, j, s_i^(0,j))}_{j∈[k]} ← SS(s_i^(0), τ, k)        (3)

4.3.2 Secure weighted aggregation
This section describes the proposed secure weighted aggregation performed at each federated learning iteration to evaluate the global model as the weighted aggregation of the encrypted local models. Fig. 1 illustrates the main steps and computations carried out during each training epoch, where a step number in square brackets (e.g. [2]) indicates that the step is included only if a dropout/rejoining happens.
At each iteration t, each P_i owns an L-length local model vector w_i^(t). The following describes in detail the steps of secure weighted aggregation at iteration t ∈ [T].
1. P_i.Encode(w_i^(t), n_i^(t)) → x_i^(t): P_i encodes the weighted model to get the non-negative integer vector x_i^(t) according to the method in [37]:
        z_i^(t) = {n_i^(t) · w_{i,j}^(t) | j ∈ [L]};  n_i^(t) = |D_i^(t)|        (4)
        x_i^(t) = Encode(z_i^(t))        (5)
        z_i^(t) = Decode(x_i^(t))        (6)
[2]. If P_i rejoins this iteration, this party runs P_i.GenKey() to generate a new pair of secret and public keys, and P_i.CreateShares() to create k shares of the updated secret s_i^(t):
        s_i^(t) ←$ Z*_p        (7)
        pk_i^(t) = g^{s_i^(t)}        (8)
        {(i, j, s_i^(t,j))}_{j∈[k]} ← SS(s_i^(t), τ, k)        (9)
Then P_i sends the updated public key pk_i^(t) to the aggregator.
3. Based on the received updated public keys, the aggregator creates the set U_r^t of rejoining parties of this iteration. If U_r^t = ∅, then v^(t) = v^(t−1); else the aggregator broadcasts the updated set of public keys {pk} and U_r^t.
[4]. Upon receiving U_r^t and {pk}, a rejoining party checks whether its updated public key is in the set; if so, it continues the protocol, and if not, it leaves the protocol (early dropout). If U_r^t ≠ ∅, then P_i.UpdateSeedsSecret(): if P_i rejoins, then P_i updates the seeds γ_{i,j}^(t) shared with all other parties,
        γ_{i,j}^(t) = (pk_j^(t))^{s_i^(t)};  j ∈ U \ {i}        (10)
else P_i updates the seeds γ_{i,r}^(t) shared with the rejoining parties,
        γ_{i,r}^(t) = (pk_r^(t))^{s_i^(t)};  r ∈ U_r^t \ {i}        (11)
Then P_i updates its secret v_i^(t):
        v_i^(t) = Σ_{i<j} γ_{i,j}^(t) − Σ_{i>j} γ_{i,j}^(t)        (12)
5. P_i.Encrypt(x_i^(t), n_i^(t)) → C_i^(t) = {α_i^(t), β_i^(t), {c_{i,j}^(t)}_{j∈[L]}}: P_i encrypts x_i^(t), which includes the following main steps:
    – Sample sk_i^(t) ←$ ±{0, 1}^{2 l_1}
    – Compute
        c_{i,j}^(t) = (1 + N_1)^{x_{i,j}^(t)} · H_1(j)^{sk_i^(t)} mod N_1^2,  where j = 0 · · · L − 1        (13)
        α_i^(t) = (1 + N_1)^{n_i^(t)} · H_1(L)^{sk_i^(t)} mod N_1^2        (14)
        β_i^(t) = (1 + N_2)^{sk_i^(t)} · H_2(t)^{v_i^(t)} mod N_2^2        (15)
    – Return C_i^(t) = {α_i^(t), β_i^(t), c_i^(t) = {c_{i,j}^(t)}_{j∈[L]}}
Then P_i sends C_i^(t) to the aggregator.
6. Receiving C_i^(t) from the alive parties, the aggregator creates the set U_a^t of alive parties and the set U_d^t = U \ U_a^t of dropped parties.
[7]. If U_a^t ⊂ U, then the aggregator broadcasts U_d^t.
[8]. P_i sends to the aggregator the value s_d^(t,i), which is its share of the secret s_d^(t) of each dropped party P_d in the set U_d^t.
[9]. A.ReconstructSecrets(U_d^t) → {s_d^(t), v_d^(t)}: Having the Shamir secret shares from the alive parties, the aggregator reconstructs the secret keys s_d^(t) of the dropped parties and then computes the secret v_d^(t) of every dropped party in the set U_d^t from the recovered secrets:
        v_d^(t) = Σ_{d<i} γ_{d,i}^(t) − Σ_{d>i} γ_{d,i}^(t),  d ∈ U_d^t,  where γ_{d,i}^(t) = (pk_i^(t))^{s_d^(t)}        (16)
10. A.ComputeMSK({β_i^(t)}_{i∈U_a^t}, {v_j^(t)}_{j∈U_d^t}) → msk: The aggregator computes the master key msk^(t):
    – If U_a^t = U:
        msk^(t) = ((Π_{i∈U} β_i^(t)) − 1 mod N_2^2) / N_2        (17)
    – If U_a^t ⊂ U:
        msk^(t) = ((Π_{i∈U_a^t} β_i^(t)) · H_2(t)^{Σ_{i∈U_d^t} v_i^(t)} − 1 mod N_2^2) / N_2        (18)
11. A.Eval({α_i^(t)}_{i∈U_a^t}, msk) → n^(t);  A.Eval({c_{i,j}^(t)}_{i∈U_a^t}, msk) → y_j^(t+1)

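Steps [8] and [9] rely on τ-out-of-k Shamir reconstruction of a dropped party's key. A self-contained sketch over a toy prime field follows; the field size and the share/reconstruct API are illustrative assumptions, not the authors' code:

```python
import random

P = 2**61 - 1  # toy prime field for the shares

def share(secret, tau, k):
    """Shamir tau-out-of-k: random polynomial of degree tau-1 with f(0) = secret;
    the share for party j is the point (j, f(j))."""
    coeffs = [secret] + [random.randrange(P) for _ in range(tau - 1)]
    f = lambda x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
    return [(j, f(j)) for j in range(1, k + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from any tau shares."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total

sk_d = random.randrange(P)            # a dropped party's first-layer key
shares = share(sk_d, tau=3, k=5)
assert reconstruct(shares[:3]) == sk_d   # any 3 of the 5 shares suffice
assert reconstruct(shares[2:]) == sk_d
```

Any set of fewer than τ shares is uniformly distributed, which is the property the security analysis in Section 5.2 (hybrid H_1) depends on.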

[Fig. 1 depicts the per-epoch message flow between each party P_i (i = 1 · · · k) and the aggregator A: (1) encoding; [2] key and share regeneration on rejoining; (3) broadcast of the updated public keys {pk} and U_r^t; [4] seed/secret updates; (5) upload of the ciphertexts C_i^(t); (6)-[9] dropout handling and secret reconstruction; (10)-(11) master-key computation and evaluation, yielding w_j^(t+1) = (1 / n^(t)) · Decode(y_j^(t+1)), j ∈ [L].]

Fig. 1: Secure weighted model aggregation procedure for one epoch
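The first-layer homomorphic aggregation in Fig. 1 can be checked numerically. The toy example below uses tiny primes and a fixed group element in place of the random-oracle hash H_1 (all illustrative assumptions); it verifies that multiplying the ciphertexts of Eq. (13) and stripping the mask with msk recovers Σ_i x_{i,j}, as in Eqs. (20) and (32):

```python
import random
from math import gcd

# toy first-layer parameters (tiny primes, for illustration only)
p, q = 1009, 1013
N = p * q
N2 = N * N

def H1(j):
    """Stand-in for the random-oracle hash H1: Z -> Z*_{N^2}
    (a fixed pseudorandom group element per index, NOT a secure hash)."""
    h = pow(7, j + 1, N2)
    assert gcd(h, N) == 1
    return h

k, L = 4, 3
x = [[random.randrange(50) for _ in range(L)] for _ in range(k)]   # encoded local models
sk = [random.randrange(N) for _ in range(k)]                        # per-iteration keys
msk = sum(sk)                                                       # master key, Eq. (28)

# each party encrypts coordinate j as (1+N)^x * H1(j)^sk mod N^2    (Eq. 13)
cipher = [[pow(1 + N, x[i][j], N2) * pow(H1(j), sk[i], N2) % N2
           for j in range(L)] for i in range(k)]

# aggregator: multiply ciphertexts, strip the mask with msk, read off the sum
for j in range(L):
    prod = 1
    for i in range(k):
        prod = prod * cipher[i][j] % N2
    prod = prod * pow(H1(j), -msk, N2) % N2   # needs Python >= 3.8 for negative exponents
    y = (prod - 1) // N                        # (1 + S*N) mod N^2  ->  S, since S < N
    assert y == sum(x[i][j] for i in range(k))
```

The division by N works because (1 + N)^S mod N^2 = 1 + S·N whenever S < N, which the choice of modulus guarantees for the encoded sums.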

Having msk^(t), the aggregator can compute the global model:
        n^(t) = ((Π_{i∈U_a^t} α_i^(t)) · H_1(L)^{−msk^(t)} − 1 mod N_1^2) / N_1        (19)
        y_j^(t+1) = ((Π_{i∈U_a^t} c_{i,j}^(t)) · H_1(j)^{−msk^(t)} − 1 mod N_1^2) / N_1        (20)
        w_j^(t+1) = (1 / n^(t)) · Decode(y_j^(t+1)),  j ∈ [L]        (21)
Then, the aggregator sends the global model w^(t+1) = {w_j^(t+1)}_{j∈[L]} to all local parties for the next epoch t + 1.

5 ANALYSIS OF THE PROPOSED SCHEME

5.1 Correctness
• If U_a^t = U:
        Π_{i∈U_a^t} β_i^(t) = Π_{i∈U_a^t} (1 + N_2)^{sk_i^(t)} · H_2(t)^{v_i^(t)} mod N_2^2
                            = (1 + N_2)^{Σ_{i∈U_a^t} sk_i^(t)} · H_2(t)^{Σ_{i∈U_a^t} v_i^(t)} mod N_2^2        (22)
Besides, from (2, 12), we have:
        Σ_{i∈U} v_i^(t) = 0        (23)
Thus,
        Π_{i∈U_a^t} β_i^(t) = (1 + N_2)^{Σ_{i∈U_a^t} sk_i^(t)} mod N_2^2        (24)
From (17):
        msk^(t) = ((Π_{i∈U_a^t} β_i^(t)) − 1 mod N_2^2) / N_2
                = ((1 + N_2)^{Σ_{i∈U_a^t} sk_i^(t)} mod N_2^2 − 1 mod N_2^2) / N_2
                = ((1 + Σ_{i∈U_a^t} sk_i^(t) · N_2) mod N_2^2 − 1 mod N_2^2) / N_2
                = Σ_{i∈U_a^t} sk_i^(t) mod N_2^2        (25)
• If U_a^t ⊂ U:
Based on the Shamir threshold secret sharing scheme, the aggregator can reconstruct all the secrets s_d^(t) of the dropped parties as long as the aggregator receives at least τ shares of each s_d^(t). From that, the

aggregator can recover v_i^(t) for the dropped parties and obtain Σ_{i∈U_d^t} v_i^(t).
        Π_{i∈U_a^t} β_i^(t) = (1 + N_2)^{Σ_{i∈U_a^t} sk_i^(t)} · H_2(t)^{Σ_{i∈U_a^t} v_i^(t)} mod N_2^2        (26)
Substituting (26) into (18), and noting that Σ_{i∈U_a^t} v_i^(t) + Σ_{i∈U_d^t} v_i^(t) = Σ_{i∈U} v_i^(t) = 0, we have:
        msk^(t) = ((Π_{i∈U_a^t} β_i^(t)) · H_2(t)^{Σ_{i∈U_d^t} v_i^(t)} − 1 mod N_2^2) / N_2        (27)
                = ((1 + N_2)^{Σ_{i∈U_a^t} sk_i^(t)} · H_2(t)^0 − 1 mod N_2^2) / N_2
                = ((1 + Σ_{i∈U_a^t} sk_i^(t) · N_2) mod N_2^2 − 1 mod N_2^2) / N_2
                = Σ_{i∈U_a^t} sk_i^(t) mod N_2^2
Hence, in both cases, we successfully compute the master key msk^(t) = Σ_{i∈U_a^t} sk_i^(t) mod N_2^2.
From N_2 > √k · 2^{l_1} and sk_i^(t) < 2^{2 l_1}, we have:
        N_2^2 > k · 2^{2 l_1} > Σ_{i∈U_a^t} sk_i^(t)
Then
        msk^(t) = Σ_{i∈U_a^t} sk_i^(t)        (28)
Next, we prove that with this master key, the global model can be correctly computed. In fact, from (13, 14) we have:
        Π_{i∈U_a^t} α_i^(t) = (1 + N_1)^{Σ_{i∈U_a^t} n_i^(t)} · H_1(L)^{Σ_{i∈U_a^t} sk_i^(t)} mod N_1^2        (29)
        Π_{i∈U_a^t} c_{i,j}^(t) = (1 + N_1)^{Σ_{i∈U_a^t} x_{i,j}^(t)} · H_1(j)^{Σ_{i∈U_a^t} sk_i^(t)} mod N_1^2        (30)
Substituting (28, 29) into (19), we have:
        n^(t) = ((Π_{i∈U_a^t} α_i^(t)) · H_1(L)^{−msk^(t)} − 1 mod N_1^2) / N_1
              = ((1 + Σ_{i∈U_a^t} n_i^(t) · N_1) mod N_1^2 − 1 mod N_1^2) / N_1
              = Σ_{i∈U_a^t} n_i^(t) mod N_1^2        (31)
Similarly, substituting (28, 30) into (20), we have:
        y_j^(t+1) = ((Π_{i∈U_a^t} c_{i,j}^(t)) · H_1(j)^{−msk^(t)} − 1 mod N_1^2) / N_1
                  = ((1 + Σ_{i∈U_a^t} x_{i,j}^(t) · N_1) mod N_1^2 − 1 mod N_1^2) / N_1
                  = Σ_{i∈U_a^t} x_{i,j}^(t) mod N_1^2        (32)
        w_j^(t+1) = (1 / n^(t)) · Decode(y_j^(t+1))
                  = (1 / n^(t)) · Decode(Σ_{i∈U_a^t} x_{i,j}^(t))
                  = (1 / n^(t)) · Σ_{i∈U_a^t} z_{i,j}^(t)                  (from (6))
                  = (1 / n^(t)) · Σ_{i∈U_a^t} n_i^(t) · w_{i,j}^(t)        (from (4))        (33)
This proves that the aggregator can compute the global model as the weighted average of all local models even though the aggregator does not know the true value of any local model.

5.2 Security analysis
In this section, we prove that the proposed protocol is a secure multiparty computation against an honest-but-curious adversary who controls the aggregator server and a set C of colluding parties with |C| < τ. The aggregator is always online, while participants P_i may drop out and rejoin at any iteration.
The security guarantee of the proposed scheme is based on Shamir's secret sharing scheme and on the aggregator obliviousness security provided by the encryption construction in [19] under the DCR assumption in the random oracle model. Security holds against a computationally bounded honest-but-curious aggregator server.
We consider executions of the proposed protocol in which an honest-but-curious aggregator server interacts with a set of parties, the underlying encryption construction is based on the DCR assumption, and the Shamir secret sharing threshold is set to τ. In such executions, users might drop and rejoin at any iteration. The following proves the indistinguishability of the distribution of the random variable representing the adversary's view in a real execution of the proposed protocol and the distribution of the random variable representing the adversary's view in a secure-by-definition "ideal world", using a simulation-based proof, which is the standard for the security analysis of multiparty computation protocols [38]. The security analysis indicates that what the adversary learns from the real protocol execution is no more than what she can learn from the ideal protocol execution, which is secure/private by definition. This also means the protocol in real execution is secure against the honest-but-curious adversarial model. More specifically, the joint view of the server and any set of fewer than τ clients does not leak any information about the other clients' inputs (i.e., locally trained models/local training data) besides what can be inferred from the output of the protocol computation (i.e., the aggregate model).

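The two master-key cases, Eqs. (17)-(18) and their derivations (25) and (27), can likewise be checked with toy parameters; the small composite modulus and the fixed stand-in for H_2(t) below are assumptions for illustration only:

```python
import random

# toy second-layer modulus (illustration only; the real N2 is an RSA modulus)
N2 = 1009 * 1013
N2sq = N2 * N2
H2_t = pow(11, 123, N2sq)   # stand-in for the random-oracle value H2(t)

k = 5
sk = [random.randrange(200) for _ in range(k)]   # first-layer keys, small so their sum < N2
# zero-sum second-layer masks: random v_i constrained to sum to 0
v = [random.randrange(-10**6, 10**6) for _ in range(k - 1)]
v.append(-sum(v))

# beta_i = (1+N2)^{sk_i} * H2(t)^{v_i} mod N2^2   (Eq. 15)
beta = [pow(1 + N2, sk[i], N2sq) * pow(H2_t, v[i], N2sq) % N2sq for i in range(k)]

# all parties alive (Eq. 17): the masks cancel and msk = sum of the sk_i
prod = 1
for b in beta:
    prod = prod * b % N2sq
assert (prod - 1) // N2 == sum(sk)

# party 0 drops (Eq. 18): the aggregator re-adds H2(t)^{v_0} after recovering v_0
prod = 1
for b in beta[1:]:
    prod = prod * b % N2sq
prod = prod * pow(H2_t, v[0], N2sq) % N2sq
assert (prod - 1) // N2 == sum(sk[1:])
```

The dropout branch mirrors step [9]: once v_0 is reconstructed from Shamir shares, multiplying by H2(t)^{v_0} removes the residual mask left by the absent party.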
Let REAL_{C∩A}^{U,τ,λ} be a random variable representing the view of the adversary in a real execution of the proposed protocol. Let S_{C∩A}^{U,τ,λ} be the view of the adversary generated by a simulator in a secure-by-definition "ideal world". We will prove that the distributions of REAL_{C∩A}^{U,τ,λ} and S_{C∩A}^{U,τ,λ} are indistinguishable:
        {REAL_{C∩A}^{U,τ,λ}} ≅ {S_{C∩A}^{U,τ,λ}}
We use the hybrid argument technique to prove this. First, we define a series of hybrid random variables H_0, H_1, · · · to construct the simulator S in the "ideal world" by subsequent modifications such that any two subsequent random variables H_i and H_{i+1} are computationally indistinguishable, starting from H_0, which is the same as REAL_{C∩A}^{U,τ,λ}. The final result of these subsequent modifications is S_{C∩A}^{U,τ,λ}.
• H_0: This random variable is distributed exactly as the real execution: {REAL_{C∩A}^{U,τ,λ}} ≅ {H_0}.
• H_1: This hybrid is distributed exactly as H_0, but shares of 0 (using a different sharing of 0 for every honest party) substitute for all shares of s_i^(t) generated by honest parties and given to the corrupted parties. Since the adversaries in C ∩ A do not receive any additional shares of s_i^(t) from an honest party, the combined view of the adversaries contains only |C| < τ shares of each secret s_i^(t). The security properties of Shamir's secret sharing guarantee that the distribution of any shares of 0 is identical to the distribution of an equivalent number of shares of any given secret s_i^(t), making this hybrid identically distributed to H_0: {H_0} ≅ {H_1}.
• H_2: In this hybrid, compared to H_1, for each honest party P_i, the ciphertexts c_{i,j}^(t), t ∈ [T], of x_{i,j}^(t) are replaced by the ciphertexts of a dummy vector 0, and the ciphertexts α_i^(t), t ∈ [T], of n_i^(t) are replaced by the ciphertext of a dummy value 0; the hash function H_1 is substituted with a truly random function O_1. The aggregator obliviousness security in the random-oracle model under the DCR assumption of the construction in [19] guarantees that this hybrid is indistinguishable from the previous one: {H_1} ≅ {H_2}.
• H_3: In this hybrid, compared to H_2, for each honest party, v_i^(t) is replaced by a random y_i^(t) subject to Σ_{i∈U\C} y_i^(t) = −Σ_{j∈C} v_j^(t); the hash function H_2 is substituted with a truly random function O_2. The aggregator obliviousness security in the random-oracle model under the DCR assumption of the construction in [19] guarantees that this hybrid is indistinguishable from the previous one: {H_2} ≅ {H_3}.
Defining the simulator S as described in the last hybrid, the view generated by S is computationally indistinguishable from that of the real execution: {REAL_{C∩A}^{U,τ,λ}} ≅ {H_0} ≅ {H_1} ≅ {H_2} ≅ {H_3} ≅ {S_{C∩A}^{U,τ,λ}}.

5.3 Communication and computation analysis
Communication and computation overheads are analyzed for the establishment phase and for each iteration of federated learning in which there are k_r (0 ≤ k_r < k) rejoined parties (with or without P_i) and k_d (0 ≤ k_d < k) dropped parties. The computation and communication overheads are summarized in Table 4 and Table 5, respectively. Denote by l_pk, l_ss, l_i, l_e1, l_e2, l_p the sizes in bits of a public key, a secret share, an integer, a first-layer ciphertext, a second-layer ciphertext, and a plaintext, respectively. The costs in square brackets ([ ]) are included only when dropouts/rejoinings happen.

TABLE 4: Computation overhead of each local party and the aggregator at the establishment phase and each iteration. The expressions in [ ] are included when a dropout/rejoining happens.

              Establishment    Each iteration
Local party   O(τ · k)         O(L + [τ · k])
Aggregator    n/a              O(L + [k^2])

5.3.1 Computation cost
a. Computation cost of a local party
The computation cost of each party P_i at the establishment phase comprises three main parts: 1- generating its public key; 2- performing a pairwise secret agreement with each of the other k − 1 parties, which takes O(k − 1); and 3- creating the τ-out-of-k Shamir secret shares of s_i^(t), which takes O(τ · k). Thus, the computation cost of each party P_i at the establishment phase is O(τ · k).
P_i's computation cost at each iteration is the cost of creating the ciphertexts c_{i,j}^(t), α_i^(t), β_i^(t), which takes O(L). If P_i rejoins, there is the extra cost of the establishment phase, which is O(τ · k). Thus, the total computation cost of each party in an iteration is O(L + [τ · k]).
b. Computation cost of the aggregator
The aggregator's computation cost can be divided into the main operations: 1- reconstructing Shamir secrets (one per dropped party) whenever dropouts happen, which takes total time O(k^2); and 2- obtaining w^(t) by carrying out decryption O(L) times. Thus, the total computation cost of the aggregator at an iteration is O(L + [k^2]).

5.3.2 Communication cost
a. Communication cost of a local party
The communication cost of each party P_i at the establishment phase comprises sending its public key to the aggregator and sending k − 1 secret shares to the other k − 1 parties (one share per party), resulting in l_pk + (k − 1) · l_ss, which is O(k).
The communication cost of each party P_i at an iteration can be partitioned into the main parts: 1- receiving k updated public keys from the aggregator, which takes k · l_pk; 2- sending k − 1 secret shares of its updated secret s_i^(t) when it rejoins, which takes (k − 1) · l_ss; 3- sending its secret shares of the k_d dropped parties' secrets, which is k_d · l_ss; 4- sending an encrypted message C_i^(t) = {α_i^(t), β_i^(t), c_i^(t) = {c_{i,j}^(t)}_{j∈[L]}} to the aggregator at every iteration t, which accounts for (l_e1 + l_e2 + L · l_e1); and 5- receiving the aggregate model, which is L · l_p. Thus, the communication cost of P_i at an iteration consists of: download cost (i.e., receiving messages)


TABLE 5: Communication overhead of each local party and the aggregator at the establishment phase and each iteration. The expressions in [ ] are included when dropouts/rejoinings happen.

              Establishment            Each iteration
              Download    Upload       Download            Upload
Local party   n/a         O(k)         O(L + [k])          O(L + [k])
Aggregator    O(k)        n/a          O(L · k + [k^2])    O(L · k + [k^2])

of [k · l_pk] + L · l_p, or O(L + [k]); and upload cost (i.e., sending messages) of [(k − 1) · l_ss] + [k_d · l_ss] + (l_e1 + l_e2 + L · l_e1) < [(2k − 1) · λ] + (l_e1 + l_e2 + L · l_e1) (since l_pk = l_ss = λ), or O(L + [k]).
b. Communication cost of the aggregator
The communication cost of the aggregator at the establishment phase comprises receiving the k public keys of the k parties, resulting in k · l_pk, which is O(k).
The communication cost of the aggregator at an iteration can be broken into the main parts: 1- receiving k_r updated public keys, which is k_r · l_pk; 2- sending the updated set of public keys to the k parties, which is k · k · l_pk; 3- receiving the secret shares of the dropped parties from the alive parties, which causes at most (k − k_d) · k_d · l_ss; 4- receiving k − k_d encrypted messages, which is (k − k_d) · (l_e1 + l_e2 + L · l_e1); and 5- sending the aggregate model to each local party, which is k · L · l_p. Thus, the communication cost of the aggregator at an iteration consists of: upload cost of [k^2 · l_pk] + k · L · l_p, or O(L · k + [k^2]); and download cost of [k_r · l_pk] + [(k − k_d) · k_d · l_ss] + k · (l_e1 + l_e2 + L · l_e1) − [k_d · (l_e1 + l_e2 + L · l_e1)] < [k · l_pk] + [k^2/4 · l_ss] + k · (l_e1 + l_e2 + L · l_e1) = [(k^2/4 + k) · λ] + k · (l_e1 + l_e2 + L · l_e1), resulting in O(L · k + [k^2]).

6 PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING FDIA DETECTION IN SMART GRIDS
Consider a multi-area grid of k non-overlapping areas managed by k independent transmission grid companies (TGCs). A system operator (SO) takes care of the interconnection areas and coordinates operations. Each TGC P_i owns a private local dataset D_i, i ∈ {1, · · · , k}, with n_i = |D_i| samples, and has communication lines with the SO and the other TGCs.
For FDIA detection in smart grids, the federated learning approach is superior to the centralised approach in terms of data privacy protection and communication overhead. From a data privacy protection viewpoint, the private data of each local party are not transmitted outside under federated learning, while in a centralized approach all these data have to be uploaded to a central server, exposing them to more security threats. From a communication overhead perspective, in federated learning, local models are transmitted to the centre instead of raw measurement data. This also helps reduce communication overhead because the size of the models is often much smaller than the raw measurement data.
An honest-but-curious adversarial model is considered. Adversaries are assumed to be honest but curious in the sense that they follow the protocol but can use the available transcripts to learn extra information that should remain private. A good result in detecting false data injection attacks, supporting security operations and power management, is a common interest of all parties; thus, it is reasonable to assume they are incentivised to follow the protocol to achieve the best output. However, some parties might be motivated to conspire with each other to infer private training data samples of a target party for business benefits. In the context of the above system model, a semi-honest adversary is an adversary that controls the SO and a set of colluding TGCs.
To model the spatial-temporal relationship between bus and line measurements, a network architecture modified from the method of [36] is trained for FDIA detection, as shown in Fig. 2. The model in Fig. 2 is utilized to detect false data injection attacks in transmission power grids. In the training stage, the model is securely trained by the proposed privacy-enhancing cross-silo federated learning framework. The trained global model is then distributed to each participant/sub-grid. In the test stage, each sub-grid utilizes the trained global model to detect FDIAs individually. Time-series bus measurements Z_b^{t_i} and transmission line measurements Z_l^{t_i} are fed into the model, which captures the spatial-temporal relationship between the bus and line measurements. The model outputs the likelihood of FDIAs in the current sub-grid. The details of the network parameters are summarised in Table 6 and Table 7.

TABLE 6: Parameters for the layers of the network in Fig. 2

Layer        Kernel Size    Kernel Numbers    Batch Normalization    Activation Function
f1^(c-b)     1 × 3          12                Yes                    ELU
f1^(c-l)     1 × 3          12                Yes                    ELU
f2^(c-b)     1 × 12         4                 Yes                    ELU
f2^(c-l)     1 × 12         4                 Yes                    ELU
f3^(c-bl)    n_bl × 4       2 n_bl            Yes                    ELU
f6^(bl)      4 n_bl × 1     1                 No                     sigmoid

TABLE 7: Parameters for the LSTM layers of the network in Fig. 2

Layer           Input Size    Output Size
f4^(LSTM-bl)    2 n_bl        2 n_bl
f5^(LSTM-bl)    2 n_bl        4 n_bl

With the above network architecture, the training network model for FDIA detection has 132,743 parameters. The proposed privacy-enhancing cross-silo FDIA detection is based on the classical federated learning framework FedAvg [1] with the privacy protection part on top.


Fig. 2: The network architecture for FDIA detection in AC-model transmission power grids.

7 EMPIRICAL EVALUATION

This section demonstrates the desirable utility and efficiency of the proposed cross-silo privacy-enhancing federated learning. In the following, we provide the description of the measurement dataset and the transmission power grid system, which includes several sub-grids controlled by local TGCs and an SO who coordinates the federated learning process. Following that is the training/testing setting and the discussion of the performance in terms of accuracy, training time and inference time.

7.1 Description of datasets

7.1.1 Transmission power grid test set

A transmission power grid, '1-HV-mixed–0-no sw', from the benchmark dataset SimBench [39] was used to evaluate the FDIA detection. This power grid contains 64 buses, 58 loads, and 355 measurements, with more details shown in Table 8.

TABLE 8: Details about the transmission power grid '1-HV-mixed–0-no sw'.

Component         Quantity   Explanation
Bus               64         all the buses are in service
Load              58
Static Generator  103
Lines             95         all the lines are in service
Transformer       6
External grid     3          supply/generate power
Demand profiles   35,136     power profiles for one year
Measurements      355        bus active/reactive power injection, bus voltage magnitude, line active/reactive power flows, and line electrical current

This power grid is divided into four sub-grids, with each sub-grid containing 16 buses, summarised as follows:

• sub-grid S1 contains buses 62, 26, 130, 44, 94, 104, 74, 48, 106, 50, 12, 54, 52, 0, 56, 34;
• sub-grid S2 contains buses 64, 100, 128, 68, 110, 112, 126, 66, 122, 98, 124, 102, 38, 96, 116, 120;
• sub-grid S3 contains buses 92, 22, 84, 14, 20, 76, 132, 18, 114, 4, 80, 90, 42, 40, 82, 28; and
• sub-grid S4 contains buses 32, 2, 36, 70, 72, 108, 46, 78, 16, 86, 118, 24, 58, 88, 60, 30.

For each sub-grid, the bus measurements consist of active/reactive power injections and bus voltage magnitude, denoted by z_b^{t_k} ∈ R^{n_b×3} at time t_k; and the line measurements consist of active/reactive power flows and line electrical current, denoted by z_l^{t_k} ∈ R^{n_l×3} at time t_k.

7.1.2 Normal and FDIA measurement data

The power grid '1-HV-mixed–0-no sw' contains 35136 demand profiles, with one profile per 15 minutes for one year. To generate the datasets which include the normal measurements and the FDIA measurements, the commercial software PowerFactory 2017 SP4 (https://www.digsilent.de/en/powerfactory.html), the open-source software Pandapower (https://www.pandapower.org/), and the benchmark SimBench (https://simbench.readthedocs.io/en/stable/about/installation.html) were utilised. The normal measurements were obtained by calculating the power flow using PowerFactory 2017 SP4. The attacks were launched on a target bus by modifying either its voltage angle or voltage magnitude. All of these FDIA measurement samples have bypassed the residual-based data detection function of PowerFactory 2017 SP4.

7.2 Training and testing setting

There are 35136 normal measurement samples and 35136 FDIA measurement samples, with normal measurement samples labelled 0 and FDIA samples labelled 1. In the training stage, the 29952 normal samples and 29952 FDIA samples for the first 312 days are grouped as the training dataset; the other 5184 normal and FDIA samples for the remaining 54 days are used as the test dataset. In the federated learning training, the number of global epochs was set to 200, the number of local epochs was set to 5, the number of local batches was set to 48, and the sequence number for the LSTM layers was set to 96. In each federated learning training round, 3 local sub-grids were randomly selected to collaboratively train the global model. The federated learning source code (https://github.com/AshwinRJ/Federated-Learning-PyTorch) and the popular deep learning framework Pytorch-1.9.0 (https://pytorch.org/docs/1.9.0/) were used to implement the proposed FDIA federated learning detection framework for the model training and testing.

Three commonly used metrics were applied to evaluate the accuracy of the FDIA detection, namely precision, recall, and F1 score, expressed by

    Precision = N_tp / (N_tp + N_fp),
    Recall    = N_tp / (N_tp + N_fn),
    F1 = 2 × (Precision × Recall) / (Precision + Recall),
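The three detection metrics can be cross-checked with a small helper; this is an illustrative sketch (the counts below are made up, not from the paper's experiments), not the authors' evaluation code:

```python
def detection_metrics(n_tp: int, n_fp: int, n_fn: int):
    """Precision, recall and F1 score from true-positive, false-positive
    and false-negative counts, following the formulas above."""
    precision = n_tp / (n_tp + n_fp)
    recall = n_tp / (n_tp + n_fn)
    f1 = 2 * precision * recall / (precision + recall)
    return precision, recall, f1

# Hypothetical counts for illustration only:
p, r, f1 = detection_metrics(n_tp=90, n_fp=10, n_fn=10)
print(round(p, 2), round(r, 2), round(f1, 2))  # 0.9 0.9 0.9
```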



where N_tp indicates the number of true positives, N_fp indicates the number of false positives, N_fn indicates the number of false negatives, and N_tn indicates the number of true negatives.

7.3 FDIA detection accuracy and time overhead

We have compared the performance of the proposed solution (i.e. the federated learning model trained on encrypted local models from each local dataset) with the centralized model trained on the whole plain dataset. The same model was trained, without the proposed encryption scheme, in the centralized way using the same hyperparameters as in Section 7.2. The results of the centralized trained model on the whole plain dataset are summarized in Table 9; Table 10 gives the FDIA detection accuracy of the FedAvg FDIA detection algorithm on the test dataset. As can be seen from Table 9 and Table 10, there is no big difference in accuracy.

TABLE 9: Centralized trained FDIA detection accuracy

Precision (%)   Recall (%)   F1 (%)
98.515          97.261       97.884

TABLE 10: FedAvg FDIA detection accuracy

Sub-grid   Precision (%)   Recall (%)   F1 (%)
S1         97.472          96.701       97.085
S2         98.167          96.103       97.124
S3         97.865          96.393       97.123
S4         97.098          96.798       96.947

The privacy-enhancing FedAvg FDIA detection version has the same accuracy as the original FedAvg FDIA detection version. However, the average training time for each sub-grid, as well as for the whole system to get the weighted global model, is longer due to the complexity of the privacy protection added for secure weighted aggregation. The average training time was collected by evaluating the framework on a Linux system with each sub-grid using one Nvidia Tesla Volta V100-SXM2-32GB GPU.

Encryption parameters are set as: λ = 2048 (the modulus p in the sub-protocol π0 is a 2048-bit prime), l1 = 256 (the modulus N1 of the first encryption layer is a 256-bit integer), l2 = 512 (the modulus N2 of the second encryption layer is 512-bit), and lp = 64.

For each federated learning round, each TGC timed its own part, including the local model training part and the privacy protection part; the SO timed the section of obtaining the encrypted aggregation model and decrypting it. In Table 11 we provide the average computational time in seconds per global epoch (one federated learning round) of our proposed privacy-enhancing FDIA detection federated learning in a single-processing manner. The local model training part without privacy protection consumes around 233 seconds. The average extra time for the privacy protection part comprises: 1) the time for the initial setting of the protection scheme, which is 16.41 seconds on average; 2) the computation time of local model protection, which happens at the client side in every federated learning round and is 12.35 seconds on average per client per round; and 3) the computation time of obtaining the encrypted aggregation model and decrypting it, which happens at the server side in every federated learning round and is 12.14 seconds on average per round.

TABLE 11: Average computational time in seconds per global epoch in a single-processing manner

Avg. TGC's time for model protection   Avg. SO's time for model aggregation and decryption
~12.35 seconds                         ~12.14 seconds

To test the ability to accelerate the computation, the multiprocessing technique is implemented to partition the Single Instruction Multiple Data (SIMD) computations of cryptographic operations over model vectors onto 4 CPUs. Table 12 illustrates the speed-up achieved by multiprocessing with 4 CPUs. The computation overhead of local model protection in each federated learning round then incurs only 5.56 seconds, i.e., 2.38% of the 233 seconds of the underlying model training without security. The total extra time of the privacy protection component over 200 epochs of federated learning training is around 83 minutes in a single-processing manner, and around 36 minutes in a multi-processing manner with 4 CPUs. The implementation of our proposed scheme is well-suited to parallel computation; thus, the extra computational time overhead introduced by our privacy-protection component could be significantly reduced by using more CPUs, either provided by the local transmission grid operators or obtained from the cloud at a very low price (https://aws.amazon.com/ec2/pricing/on-demand/).

TABLE 12: Average computational time in seconds per global epoch in a multi-processing manner with 4 CPUs

Avg. TGC's time for model protection   Avg. SO's time for model aggregation and decryption
~5.56 seconds                          ~5.24 seconds

From the communication analysis in Section 5.3.2, with the above encryption parameter setting and a model vector of size L = 132743, the download cost of a client is less than k·λ + L·lp = 4·2048 + 132743·64 = 8503744 bits ≈ 8.5 Mbits ≈ 1 Mbyte; the upload cost of a client is less than [(2k − 1)·λ] + (l_e1 + l_e2 + L·l_e1) = (2·4 − 1)·2048 + (512 + 1024 + 132743·512) ≈ 68 Mbits ≈ 8.5 Mbytes.

The model training is not a real-time process, thus we can afford more time for transmission, leading to a lower bandwidth requirement. If 1 second per iteration is used for uploading data from a local party to the aggregator (resulting in 0.05 hours of uploading over the whole training process with the 200 epochs used in the experiment), then the upload bandwidth requirement would be 68 Mbps. The network bandwidth for our campus office is 900 Mbps.

In the inference stage, each sub-grid utilizes the trained global model to detect FDIAs individually. Time-series bus measurements Z_b^{t_i} and transmission line measurements Z_l^{t_i} are fed into the model, which is utilized to model the spatial-temporal relationship between bus and line measurements. The model outputs the likelihood of FDIAs in the current sub-grid. Detecting FDIAs given a trained model (i.e., inference) in the proposed scheme takes 6.7 milliseconds on average, which is fast for relevant smart grid operations, e.g., state estimation.

8 CONCLUSION

In this paper, we propose a cross-silo privacy-enhancing federated learning scheme which is secure in the honest-but-curious adversarial model. With the main techniques of secure multiparty computation based on double-layer encryption and secret sharing, the scheme is efficient in communication and computation overhead and robust against dropouts and rejoining. The scheme removes the requirement of computing discrete logarithms or of multiple non-colluding server settings, which are the limitations of some related works. In addition, the clients' secret keys of the two encryption layers are generated by each party in a decentralized manner, which helps increase the level of privacy guarantee. We are also the first to design and empirically evaluate a practical and efficient privacy-enhancing cross-silo federated learning scheme resilient to local private data inference attacks for FDIA detection in the smart grid domain. The proposed scheme provides a framework which can be adapted to other domains. The security analysis and the empirical evaluation prove that the proposed scheme achieves provable privacy against an honest-but-curious aggregator server colluding with some clients, while providing desirable model utility in an efficient manner. In future work, we will investigate different adversarial models in various federated learning settings applicable to security in cyber-physical systems.

REFERENCES

[1] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, "Communication-efficient learning of deep networks from decentralized data," in Artificial Intelligence and Statistics. PMLR, 2017, pp. 1273–1282.
[2] M. Fredrikson, S. Jha, and T. Ristenpart, "Model inversion attacks that exploit confidence information and basic countermeasures," in Proceedings of the ACM Conference on Computer and Communications Security, 2015, pp. 1322–1333.
[3] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, "Stealing machine learning models via prediction APIs," in 25th USENIX Security Symposium (USENIX Security 16), 2016, pp. 601–618.
[4] B. Hitaj, G. Ateniese, and F. Perez-Cruz, "Deep models under the GAN: Information leakage from collaborative deep learning," in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 603–618.
[5] Z. He, T. Zhang, and R. B. Lee, "Model inversion attacks against collaborative inference," in ACM International Conference Proceeding Series, 2019, pp. 148–162.
[6] L. Melis, C. Song, E. De Cristofaro, and V. Shmatikov, "Exploiting unintended feature leakage in collaborative learning," in 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019, pp. 691–706.
[7] N. Carlini, C. Liu, Ú. Erlingsson, J. Kos, and D. Song, "The secret sharer: Evaluating and testing unintended memorization in neural networks," in 28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 267–284.
[8] G. Hug and J. A. Giampapa, "Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks," IEEE Transactions on Smart Grid, vol. 3, no. 3, pp. 1362–1370, 2012.
[9] G. Liang, J. Zhao, F. Luo, S. R. Weller, and Z. Y. Dong, "A review of false data injection attacks against modern power systems," IEEE Transactions on Smart Grid, vol. 8, no. 4, pp. 1630–1638, 2016.
[10] R. D. Christie, B. F. Wollenberg, and I. Wangensteen, "Transmission management in the deregulated environment," Proceedings of the IEEE, vol. 88, no. 2, pp. 170–195, 2000.
[11] F. Karmel, "Deregulation and reform of the electricity industry in Australia," Australian Government - Department of Foreign Affairs and Trade, 2018.
[12] L. Sankar, "Competitive privacy: Distributed computation with privacy guarantees," in 2013 IEEE Global Conference on Signal and Information Processing (GlobalSIP), 2013, pp. 325–328.
[13] K. et al., "Advances and open problems in federated learning," Foundations and Trends in Machine Learning, vol. 14, no. 1-2, pp. 1–210, 2021.
[14] C. Dwork and A. Roth, "The algorithmic foundations of differential privacy," Foundations and Trends in Theoretical Computer Science, vol. 9, no. 3-4, pp. 211–487, 2013.
[15] R. Shokri and V. Shmatikov, "Privacy-preserving deep learning," in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 1310–1321.
[16] R. C. Geyer, T. Klein, and M. Nabi, "Differentially private federated learning: A client level perspective," arXiv preprint arXiv:1712.07557, 2017.
[17] A. G. Sébert, R. Sirdey, O. Stan, and C. Gouy-Pailler, "Protecting data from all parties: Combining FHE and DP in federated learning," arXiv preprint arXiv:2205.04330, 2022.
[18] E. Shi, T. H. H. Chan, E. Rieffel, R. Chow, and D. Song, "Privacy-preserving aggregation of time-series data," in Proc. NDSS, vol. 2. Citeseer, 2011, pp. 1–17.
[19] M. Joye and B. Libert, "A scalable scheme for privacy-preserving aggregation of time-series data," in International Conference on Financial Cryptography and Data Security. Springer, 2013, pp. 111–125.
[20] K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth, "Practical secure aggregation for privacy-preserving machine learning," in Proceedings of the ACM Conference on Computer and Communications Security, 2017, pp. 1175–1191.
[21] J. Guo, Z. Liu, K.-Y. Lam, J. Zhao, and Y. Chen, "Privacy-enhanced federated learning with weighted aggregation," in International Symposium on Security and Privacy in Social Networks and Big Data. Springer, 2021, pp. 93–109.
[22] H. Corrigan-Gibbs and D. Boneh, "Prio: Private, robust, and scalable computation of aggregate statistics," in 14th USENIX Symposium on Networked Systems Design and Implementation (NSDI 17), 2017, pp. 259–282.
[23] H. Fereidooni, S. Marchal, M. Miettinen, A. Mirhoseini, H. Möllering, T. D. Nguyen, P. Rieger, A.-R. Sadeghi, T. Schneider, H. Yalame et al., "SAFELearn: Secure aggregation for private federated learning," in 2021 IEEE Security and Privacy Workshops (SPW). IEEE, 2021, pp. 56–62.
[24] Y. Dong, X. Chen, L. Shen, and D. Wang, "Eastfly: Efficient and secure ternary federated learning," Computers & Security, vol. 94, p. 101824, 2020.
[25] C. Fang, Y. Guo, N. Wang, and A. Ju, "Highly efficient federated learning with strong privacy preservation in cloud computing," Computers & Security, vol. 96, p. 101889, 2020.
[26] S. Truex, N. Baracaldo, A. Anwar, T. Steinke, H. Ludwig, R. Zhang, and Y. Zhou, "A hybrid approach to privacy-preserving federated learning," in Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security, 2019, pp. 1–11.
[27] R. Xu, N. Baracaldo, Y. Zhou, A. Anwar, and H. Ludwig, "HybridAlpha: An efficient approach for privacy-preserving federated learning," in Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security, 2019, pp. 13–23.
[28] J. H. Bell, K. A. Bonawitz, A. Gascón, T. Lepoint, and M. Raykova, "Secure single-server aggregation with (poly)logarithmic overhead," in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020, pp. 1253–1269.
[29] A. Madi, O. Stan, A. Mayoue, A. Grivet-Sébert, C. Gouy-Pailler, and R. Sirdey, "A secure federated learning framework using homomorphic encryption and verifiable computing," in 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS). IEEE, 2021, pp. 1–8.
[30] W.-T. Lin, G. Chen, and Y. Huang, "Incentive edge-based federated learning for false data injection attack detection on power grid state estimation: A novel mechanism design approach," Applied Energy, vol. 314, p. 118828, 2022.
[31] L. Zhao, J. Li, Q. Li, and F. Li, "A federated learning framework for detecting false data injection attacks in solar farms," IEEE Transactions on Power Electronics, vol. 37, no. 3, pp. 2496–2501, 2021.
[32] Y. Li, X. Wei, Y. Li, Z. Dong, and M. Shahidehpour, "Detection of false data injection attacks in smart grid: A secure federated deep learning approach," IEEE Transactions on Smart Grid, vol. 13, no. 6, pp. 4862–4872, 2022.
[33] A. Shamir, "How to share a secret," Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
[34] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1999, pp. 223–238.
[35] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, "False data injection on state estimation in power systems—Attacks, impacts, and defense: A survey," IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2016.
[36] X. Yin, Y. Zhu, and J. Hu, "A sub-grid-oriented privacy-preserving microservice framework based on deep neural network for false data injection attack detection in smart grids," IEEE Transactions on Industrial Informatics, vol. PP, pp. 1–1, 2021.
[37] M. De Cock, R. Dowsley, A. C. Nascimento, D. Railsback, J. Shen, and A. Todoki, "High performance logistic regression for privacy-preserving genome analysis," BMC Medical Genomics, vol. 14, no. 1, pp. 1–18, 2021.
[38] Y. Lindell, "How to simulate it – a tutorial on the simulation proof technique," Tutorials on the Foundations of Cryptography: Dedicated to Oded Goldreich, pp. 277–346, 2017.
[39] S. Meinecke, D. Sarajlić, S. R. Drauz, A. Klettke, L.-P. Lauven, C. Rehtanz, A. Moser, and M. Braun, "SimBench – a benchmark dataset of electric power systems to compare innovative solutions based on power flow analysis," Energies, vol. 13, p. 3290, 2020.

Jiankun Hu is currently a Professor with the School of Engineering and IT, University of New South Wales, Canberra, Australia. He is also an invited expert of the Australia Attorney-General's Office, assisting the draft of the Australia National Identity Management Policy. He has received nine Australian Research Council (ARC) grants and has served on the Panel on Mathematics, Information, and Computing Sciences, Australian Research Council ERA (The Excellence in Research for Australia) Evaluation Committee 2012. His research interests are in the field of cyber security, covering intrusion detection, sensor key management, and biometrics authentication. He has many publications in top venues, including the IEEE TRANSACTIONS ON PATTERN ANALYSIS AND MACHINE INTELLIGENCE, the IEEE TRANSACTIONS ON COMPUTERS, the IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, Pattern Recognition, and the IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS. He is a senior area editor of the IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY.

Hemanshu R. Pota received the B.E. from Sardar Vallabhbhai Regional College of Engineering and Technology, Surat, India, in 1979, the M.E. from the Indian Institute of Science, Bangalore, India, in 1981, and the Ph.D. from the University of Newcastle, NSW, Australia, in 1985, all in Electrical Engineering. He is currently an associate professor at the University of New South Wales, Canberra, Australia. He has held visiting appointments at Columbia University, New York City, NY; the University of California, Los Angeles; the University of Delaware; Iowa State University; Kansas State University; Old Dominion University; the University of California, San Diego; and the Centre for AI and Robotics, Bangalore.

Xuefei Yin received the B.S. degree from Liaoning University, Liaoning, China; the M.E. degree from Tianjin University, Tianjin, China; and the Ph.D. degree from the University of New South Wales, Canberra, Australia. He is now with the School of Information and Communication Technology, Griffith University, Gold Coast, Queensland, Australia. His research interests include biometrics, pattern recognition, privacy preservation, and intrusion detection. He has published articles in top journals including the IEEE Transactions on Pattern Analysis and Machine Intelligence, the IEEE Transactions on Information Forensics and Security, ACM Computing Surveys, the IEEE Transactions on Industrial Informatics, and the IEEE Internet of Things Journal.

Hong-Yen Tran is currently a PhD student at the School of Engineering and IT, University of New South Wales, Canberra, Australia. Her research interests are in the field of information security, privacy-preserving data analytics, and applied cryptography in cyber-physical security.

