2538 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL.
18, 2023
An Efficient Privacy-Enhancing Cross-Silo
Federated Learning and Applications
for False Data Injection Attack
Detection in Smart Grids
Hong-Yen Tran , Jiankun Hu , Senior Member, IEEE, Xuefei Yin , and Hemanshu R. Pota
Abstract— Federated Learning is a prominent machine learn-
ing paradigm which helps tackle data privacy issues by allowing
clients to store their raw data locally and transfer only their
local model parameters to an aggregator server to collaboratively
train a shared global model. However, federated learning is
vulnerable to inference attacks from dishonest aggregators who
can infer information about clients’ training data from their
model parameters. To deal with this issue, most of the proposed
schemes in literature either require a non-colluded server setting,
a trusted third-party to compute master secret keys or a secure
multiparty computation protocol which is still inefficient over
multiple iterations of computing an aggregation model. In this
work, we propose an efficient cross-silo federated learning scheme
with strong privacy preservation. By designing a double-layer
encryption scheme which has no requirement to compute discrete
logarithm, utilizing secret sharing only at the establishment phase
and in the iterations when parties rejoin, and accelerating the
computation performance via parallel computing, we achieve an
efficient privacy-preserving federated learning protocol, which
also allows clients to dropout and rejoin during the training
process. The proposed scheme is demonstrated theoretically and
empirically to provide provable privacy against an honest-but-
curious aggregator server and simultaneously achieve desirable
model utilities. The scheme is applied to false data injection attack
detection (FDIA) in smart grids. This is a more secure cross-
silo FDIA federated learning resilient to the local private data
inference attacks than the existing works.
Index Terms— Privacy-preserving, federated learning, encryp-
tion, secret sharing, false data injection attack detection.
I. I NTRODUCTION
F EDERATED learning [1] is an emerging machine learning
paradigm which addresses critical data privacy issues by
enabling clients to store their raw data locally and transfer only
their updated local model parameters to an aggregator server
Manuscript received 15 April 2022; revised 22 February 2023; accepted
11 April 2023. Date of publication 17 April 2023; date of current version
26 April 2023. This work was supported in part by ARC Discovery Grant
DP190103660 and Grant DP200103207, and in part by ARC Linkage Grant
LP180100663. The associate editor coordinating the review of this manuscript
and approving it for publication was Prof. Chia-Mu Yu. (Corresponding
author: Jiankun Hu.)
Hong-Yen Tran, Jiankun Hu, and Hemanshu R. Pota are with the
School of Engineering and Information Technology, The University of
New South Wales Canberra at ADFA, Canberra, ACT 2602, Australia (e-mail:
[email protected]
;
[email protected]
;
[email protected]
). grid is possessed and managed by an independent transmission
Xuefei Yin is with the School of Information and Communication
Technology, Griffith University, Gold Coast, QLD 4222, Australia (e-mail:
[email protected]
). [10], [11]. To build a high-accuracy model for false data injec-
Digital Object Identifier 10.1109/TIFS.2023.3267892
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
for jointly training a global model. Due to this characteristic,
federated learning offers significant privacy improvements
over centralizing all the training data. However, federated
learning is vulnerable to inference attacks from dishonest
aggregators who can infer information about clients’ training
data from their model parameters (weights, gradients) [2],
[3], [4], [5], [6], [7]. For example, [4] employed generative
adversarial networks to infer the private data of a target client
from its shared model parameters. This means that even if
the model is trained in federated learning, data privacy still
cannot be rigorously guaranteed. Information can be extracted
from global model parameters, but this information cannot be
linked to a specific single client because the data samples are
anonymized among multiple clients. However, this is not the
case if the information is inferred from local model parameters
by a corrupted aggregator. Thus, clients’ model parameters
should be protected from the access of a corrupted aggregator
to prohibit these potential inference attacks.
To address this problem, existing approaches focus on two
main techniques, which are differential privacy-based and
secure aggregation-based. The former adds noise directly to
the client’s models over a numerous number of iterations;
thus, it has the drawbacks of sacrificing the global model
accuracy to make a trade-off of privacy-utility. The latter
utilizes techniques in cryptography such as secure multiparty
computation and homomorphic encryption to securely aggre-
gate the clients’ models without knowing their specific values.
However, most of these existing approaches rely on a trusted
third party to generate the master key for aggregation or a
setting with multiple non-colluding servers. Besides, many
proposed schemes are still inefficient and impractical due to
the expensive overhead of computation and communication
among multiple clients over multiple rounds of training.
False data injection attack (FDIA) detection [8], [9] is a
critical security operation in a smart grid control system. and
has been solved by data-driven machine learning methods.
The data-driven machine learning methods require a huge
amount of measurement data which are distributed over an
interconnected grid. In such an interconnected grid, each sub-
grid company (TGC) regarding power industry deregulation
tion detection, measurement data from all involved sub-grids
TRAN et al.: EFFICIENT PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING AND APPLICATIONS
should be shared. However, transmitting such huge measure-
ment data over the network for a centralized detection machine
learning algorithm is expensive and also leads to security
and privacy issues including competitive privacy [12]. The
question is how to coordinate these TGCs to detect FDI attacks
while preserving their competitive privacy. This remains a
challenging problem which has been attracting recent studies
with federated learning-based solutions. In federated learning,
a cross-silo setting is often established where a number of
companies or organizations have a common incentive to train
a model based on all of their data, but do not share their data
directly due to confidentiality/privacy or legal constraints [13].
To enhance the privacy of power companies when they
contribute their local training models, an efficient privacy-
preserving cross-silo federated learning for FDIA detection
over multi-area transmission grids should be designed.
In view of the above issues, we propose an efficient cross-
silo federated learning with strong privacy preservation which
can be applicable to the smart grid domain. By designing a
double-layer encryption scheme over multiple federated learn-
ing rounds and utilizing Shamir secret sharing, we achieve an
efficient privacy-preserving federated learning protocol, which
also allows some clients to drop out and rejoin dynamically
during the training process. Specifically, we summarize the
main contributions as follows:
• A general privacy-enhancing cross-silo federated learning
with a secure weighted aggregation scheme is designed
based on lightweight double-layer encryption and Shamir
secret sharing. The scheme removes the requirement of
computing discrete logarithms which is the limitation of
some related works. No multiple non-colluding server
settings are required. Besides, clients’ secret keys of two
encryption layers are generated in a decentralized manner
which helps increase privacy.
• The proposed scheme is demonstrated theoretically and
empirically to provide provable privacy against an honest-
but-curious aggregator server and simultaneously achieve
desirable model utility.
• The proposed scheme is efficient in communica-
tion/computation and robust against dropouts/rejoining
during training iterations.
• An efficient privacy-enhancing cross-silo federated learn-
ing resilient to the local training data inference attacks
for FDIA detection in the smart grid domain is proposed
and empirically evaluated.
This paper consists of eight sections. Following this Intro-
duction section are the Related Works and Preliminaries
sections. The proposed privacy-enhancing cross-silo feder-
ated learning without any trusted third parties is given in
Section IV, followed by the analysis of the scheme in
Section V. A concrete scenario of enhancing privacy in cross-
silo federated learning for FDIA detection in smart grids with
empirical evaluation is given in Section VI and Section VII.
Finally, Section VIII is for the discussion and conclusions.
II. R ELATED W ORKS
Existing works on enhancing privacy for federated learning
mainly employ two types of techniques. One technique is
2539
differential privacy [14], which adds appropriate noise to
shared parameters according to the desired privacy level.
For example, [15] added Laplace noise to the gradients and
selectively shared the perturbed gradients, [16], [17] presented
a client-sided differential privacy federated learning scheme to
hide clients’ model contributions during training. To protect
local models, the added noise to each local model must be
big enough, resulting in the aggregate noise corresponding to
the aggregate model being too large, which would completely
destroy the utility of this model.
The other technique is secure multiparty computation and
homomorphic encryption for secure aggregation. The scheme
in [18] was based on Elgamal homomorphic encryption. This
scheme requires a trusted dealer to provide each participant
with
Pk a secret key ski and the aggregator sk0 such that
i=0 ski = 0. Their private secure aggregation is aggregator
oblivious in the encrypt-once random oracle model where each
participant only encrypts once in each time period. To decrypt
the sum, it ends up computing the discrete logarithm which
can be implemented through a brute-force
√ search or Pollard’s
lambda method which requires O( k1), where k is the num-
ber of parties and 1 is the maximum value of any party’s input.
To overcome the limitations of solving discrete logarithm
problems, [19] presented a scheme in the encrypt-once random
oracle model with fast encryption and decryption based on
Decisional Composite Residuosity Assumption which removes
the discrete logarithm computation. However, this scheme also
requires a trusted dealer to generate and distribute the secret
keys to participants and an aggregator. Besides, both of the
approaches in [18] and [19] only deal with secure aggregation
of scalars over periods of time (not the secure weighted aggre-
gation of model vectors over multiple iterations of federated
learning) and does not deal with dropouts/rejoining problems.
Addressing the drawbacks of [18] and [19], the work in [20]
proposed a secure aggregation scheme where the input is a
vector and can deal with dropouts. The scheme is based on
pairwise additive stream ciphers and Shamir secret sharing to
tackle client failures. Diffie-Hellman key exchange is adopted
to share common pair-wise seeds of a pseudorandom gen-
erator. Double-masking is introduced to prevent leakage if
there is any delay in transmission. Nevertheless, this approach
requires at least four communication rounds between each
client and the aggregator in each iteration and a repetition
of Shamir secret sharing for each iteration. Thus, it suffers
from communication and computation inefficiency considering
the huge number of iterations of federated learning. Utilizing
the technique of secure data aggregation in [20], the work
in [21] proposed a general privacy-enhanced federated learning
scheme with secure weighted aggregation, which can deal
with both the data significance evaluation and secure data
aggregation. This scheme still inherits the same drawbacks
as [20]. Besides, this scheme only resolved a weak security
model where no collusion between the server and the clients
participating in the federated learning. The paper [22] pre-
sented Prio, a privacy-preserving system for the collection of
aggregate statistics. With a similar approach, [23] introduced
SAFELearn, a generic design for efficient private federated
learning systems that protect against inference attacks using
2540
secure aggregation. However, these designs rely on multiple
non-colluded server settings. Dong et. al. in [24] designed
two secure ternary federated learning protocols against semi-
honest adversaries based on threshold secret sharing and
homomorphic encryption respectively. In the first protocol,
threshold secret sharing is used to share all local gradient
vectors in all iterations, which causes expensive computation
and communication overhead. Besides, the limitation of their
second protocol is that all clients use the same secret key and
if the server colludes with a client then it can obtain all client’s
models. In [25], Fang et. al. modified the traditional ElGamal
protocol into a double-key encryption version to design a
new scheme for federated learning with privacy preservation
in cloud computing. Nevertheless, the scheme has to solve
the discrete logarithm problem as [18]. The study in [26]
combined additively homomorphic encryption with differential
privacy but cannot tolerate client dropouts. Their system
creates significant run-time overheads which makes it imprac-
tical for real-world federated learning applications. Functional
encryption and differential privacy is utilized in [27] to design
the HybridAlpha scheme. However, HybridAlpha relies on a
trusted party that holds the master keys. The proposed scheme
in [28] replaced the complete communication graph in [20]
with a k-regular graph of the logarithmic degree to reduce the
communication cost while maintaining the security guarantees;
however, each client shares its secret across only a subset of
parties, and thus the dropout-resilience is downgraded.
Considering the integrity of the global model besides the
privacy preservation of the local data and models, the proposed
approach in [29] combined the Paillier additive homomorphic
and verifiable computation primitives. The scheme in [29] can
verify the correctness of the aggregated model given the fact
that every client provides their genuine local models. From
the perspective of privacy preservation, the scheme can only
tolerate a weaker threat model. No collusion among the server
and clients participating in the federated learning protocol was
assumed as the keys (sk, pk) necessary for the homomorphic
encryption and the signatures are generated by one of the
clients and shared among all clients. In the work [17], to deal
with the problem of collusion in [29], adding Gaussian noise
to the local models before homomorphically encryption was
proposed. However, the standard variation of the additive
Gaussian noise must be small to not destroy the genuine local
models, resulting in the fact that the adding noise protection
is not able to provide a high level of differential privacy (ε is
not small, i.e., less than 1).
The power grid scenario of false data injection attack
detection based on federated learning in smart grids has been
studied in [30], [31], and [32]. The investigated power grid
scenario is similar in these papers and in the proposed scheme.
For example, in [30] an independent power system state owner
(PSSO) and a detection service provider (DSP) correspond
to an independent transmission grid company (TGC) and a
system operator (SO) in the proposed scheme. The power grid
scenario fits with the investigated cross-silo federated learning
setting (e.g., the number of parties (PSSOs/TGCs) is small and
each party is facilitated with high-performance computing).
However, [30] and [31] only apply federated learning and
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 18, 2023
do not consider the security problem of local data privacy
leakage from local models as in [32] and our proposed scheme.
The scheme in [32] enhanced privacy by utilising Pallier-
based homomorphic encryption for secure model aggregation,
but only resolved a weak security model where no collusion
among the server and the clients participating in the federated
learning. All clients have to share a common pair of public key
and secret key for encryption/decryption and a trusted party is
required to generate this key pair.
A privacy-preserving federated learning approach needs to
be efficient in computation and communication while provid-
ing strong privacy preservation and desirable model utility.
Most of the related works focus on the basic problem of secure
aggregation with the main approaches based on secure multi-
party computation, homomorphic encryption, and differential
privacy. In spite of some achievements in secure aggregation
and privacy-preserving federated learning, there are still draw-
backs. The majority of proposed schemes in literature either
require a trusted third party to compute master secret keys or
all local parties share a common secret key or non-colluded
server settings. This means these works guarantee privacy in
weaker security models (e.g., no collusion).
The proposed scheme does not require a trusted dealer to
provide each participant with a secret key as the scheme
in [18], [19], [27], and [32]. While the schemes in [18]
and [25] require computing the discrete logarithm, our scheme
removes that complexity by utilizing the encryption-decryption
based on the Decisional Composite Residuosity assumption.
Moreover, both of the approaches in [18] and [19] only deal
with secure aggregation of scalars over periods of time, not the
secure weighted aggregation of model vectors over multiple
iterations of federated learning. The dropout and rejoining
problems were not investigated in these works too. Although
eliminating the drawbacks in [18] and [19], the schemes in
[20] and [28] suffer higher computation overhead than the
proposed approach and do not address federated learning with
secure weighted aggregation. Other systems in [22] and [23]
depend on multiple non-colluded server settings, which is not
required with our scheme. The systems in [21], [24], [29],
and [32] cannot tolerate the risk of revealing all clients’ models
when there is a collusion between the server and a client as
our protocol. The study in [26] cannot resolve client dropouts.
Their system creates significant run-time overheads, making
it impractical for real-world federated learning applications.
Our scheme is resilient to dropouts and provides efficient
performance for real applications, such as privacy-preserving
federated learning false data injection detection.
To summarize, Table I gives a comparison of our scheme
with related works regarding the application scenario of FDIA
federated learning with secure weighted aggregation (A1, A2)
and different security/privacy properties (A3-A8). Only three
recent works [30], [31], [32] studied the FDIA federated
learning. Most of the related works do not provide all security
properties A3-A8. Only the studies in [20] and [28] filtered
from Table I satisfy all security/properties as the proposed
approach. Table II compares the computation and communi-
cation complexity between these two studies [20], [28] and the
proposed scheme. From Table I and Table II, it can be seen that
TRAN et al.: EFFICIENT PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING AND APPLICATIONS
TABLE I
C OMPARISON OF O UR S CHEME W ITH R ELATED W ORKS . A1. FDIA
F EDERATED L EARNING , A2. S ECURE W EIGHTED M ODEL
AGGREGATION , A3. N O T RUSTED D EALER TO G ENERATE
AND D ISTRIBUTE S ECRET K EYS , A4. N O N ON -C OLLUDED
S ERVER S ETTING , A5. C OLLUSION R ESISTANCE ,
A6. D ROPOUTS /R EJOINS H ANDLING , A7. N O
D ISCRETE L OGARITHM P ROBLEM S OLVING ,
A8. P RIVACY-S ECURITY T RADE -O FF
the proposed scheme guarantees privacy in a stronger security
model and at a lower computational overhead than the related
works.
III. P RELIMINARIES
A. Notations and Definitions
Column vectors are denoted by lower-case bold letters,
like v. The i-th entry of the vector v is vi . v T is the transpose
of the column vector v. The zero-vector is represented by
0. Given a set S, x ←$ S indicates that x is sampled
uniformly at random from S. The notion [k] represents the
set {0, 2, . . . , k − 1}. The computational indistinguishability
of two distributions H0 and H1 , is denoted by H0 ∼ = H1 .
Table III lists the notions used in this paper.
B. Federated Learning
Federated learning is a machine learning scheme where
multiple clients collaborate in generating a shared machine
learning model, under the coordination of a central server.
Each client’s raw data is stored locally and not transmitted;
instead, their local model parameters are sent to the server
for aggregation to achieve the learning objective. Cross-silo
2541
federated learning is the federated learning setting when clients
are different organizations or geo-distributed data centres that
have the incentive to train a shared model on the union of
their siloed data. [13]
Several algorithms have been proposed for federated learn-
ing. In this work, we utilize FedAvg [1], which is the original
federated learning aggregation mechanism and is commonly
applied in related works. In FedAvg, the global model param-
eters are updated Pkby nsumming the weighted local model
parameters w = i=1 n
i
· w i .
C. Shamir Secret Sharing
(t, n) Shamir secret sharing scheme [33] creates k shares
{s (1) , . . . , s (n) } of a secret s such that s can be efficiently
reconstructed by any combination of t data pieces but cannot
by any set of less than t data pieces.
s, s (1) , . . . , s (n) are the elements in a finite field Z p for some
large prime p where 0 < t ≤ n < p. The scheme works as
follows:
• Setup: The secret holder randomly chooses a1 , . . . , at−1
from Z p and a0 = f (0) = s to define a polynomial of
degree t ≤ 1:
f (x) = a0 + a1 x + a2 x 2 + · · · + at≤1 x t≤1 mod p
• Sharing: The secret holder computes s (i) = f (i) for
i ∈ {1, 2, . . . , n}, and sends (i, s (i) ) to the corresponding
participants i.
• Reconstructing: Given any t of (i, s (i) ) pairs, an user is
able to reconstruct the secret
t t
X
( j)
Y xm
s = a0 = s · mod p
xm − x j
j=1 m=0,m̸ = j
D. Decisional Composite Residuosity Assumption
Let N = p · q for two large primes p and q. The Decisional
Composite Residuosity (DCR) assumption [34] states that the
advantage of a distinguisher D, defined as the distance:
AdvDCR := |Pr[D(y, N ) = 1| y = x N mod N 2 , x ←$ Z∗N ]
D
− Pr[D(y, N ) = 1| y ←$ Z∗N 2 ]|
where probabilities are taken over all coin tosses, is a negli-
gible function
E. False Data Injection Attacks
False data injection attacks (FDIAs) are designed by manip-
ulating some measurements to circumvent the residual-based
bad data detection in a power management system [8],
[9], [35]. Various algorithms have been designed to detect
these attacks using new techniques instead of the residual-
based bad data detection mechanism. One example is the deep
learning network to model the spatial-temporal relationship
between bus and line measurements in [36].
2542
TABLE II
C OMPARISON OF S ECURE AGGREGATION A MONG [20], [28] AND O URS . k I S THE N UMBER OF L OCAL PARTIES /C LIENTS . L I S THE
L ENGTH OF THE C LIENTS ’ M ODEL V ECTOR . τ I S THE S HAMIR S ECRET S HARING T HRESHOLD
TABLE III
L IST OF N OTATIONS
IV. P ROPOSED P RIVACY-E NHANCING C ROSS -S ILO
F EDERATED L EARNING
A. System Model and Overview of the Proposed
Privacy-Enhancing Cross-Silo Federated Learning
Consider a system with k local parties and an aggregator
server. Each local party owns its private dataset Di , i ∈
{1, . . . , k} with n i = |Di | samples. All local participants agree
on the same learning network structure N . The global learning
network model at t-th iteration consists of L weight parame-
(t) (t) (t) (t)
ters, denoted as w G = {w0 , w1 , . . . , w L−1 }. The aim is to
learn a global network model from all local datasets without
exposing participants’ data privacy under the coordination of
the aggregator.
The adversary is the honest-but-curious aggregator server
which is assumed to follow the protocol honestly, but attempts
to infer sensitive information about participants’ training data
(t)
from their model updates wi . It is also assumed that there
are private and authenticated peer-to-peer channels between
parties so that the data transferred cannot be eavesdropped
on or modified. This can be enforced in practice with the
appropriate use of Digital Signatures and Certificate Authori-
ties. To implement federated learning which utilizes the union
of local datasets, for each iteration, each party contributes
(t)
its local model vector wi . Unfortunately, this raises the
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 18, 2023
risk of inference attacks performed by an honest-but-curious
aggregator on each local model to extract information about
the corresponding party’s local data used for training. Hence,
ordinary federated learning needs to be integrated with privacy
protection techniques to prohibit access to individual model
updates. The system should be designed in a way to hide
local models from the aggregator to counter the inference
attacks while still enabling efficient and accurate federated
learning.
The following section introduces and explains the main
techniques in the proposed privacy-enhancing cross-silo fed-
erated learning scheme.
B. High-Level Technical Overview
1) Protecting Local Models: The encryption scheme in [19]
based on the DCR assumption in the random oracle model is
utilized to obtain the global model vector as the weighted
average function of a set of local model vectors given their
(t) (t)
(t)
encryptions ci, j = (1 + N1 )xi, j · H1 ( j)ski mod N12 . Here,
(t)
xi, j is the j-th element of the i-th party’s model vector
encoded in a non-negative integer form at the t-th iteration,
(t)
ski is the secret encryption key of i-th party at the t-th
iteration. The main benefit of this construction is that the
weighted average global model vector can be retrieved without
computing the discrete logarithm as the other approaches in
literature [18], [25]. In [19], only the secure aggregation
is considered and it is assumed that there exists a trusted
dealer generatesPencryption key ski , i = 1 · · · k and the master
k
key sk0 = − i=1 ski . In our proposed scheme, the secure
weighted aggregation is investigated, each party creates its
(t)
own secret key ski and the master key is computed from
clients’ secret keys in a secure computation manner. To enable
the secure weighted aggregation of local models which was
not considered in [19], the number of each party’s training
(t)
samples is also encrypted by the corresponding ski at each
iteration. The master key P to decrypt the global model vector
(t)
is calculated as msk (t) = i∈Uat ski , where Uat is the set of
alive parties who contribute their encrypted local models for
aggregation. This master key should be computed in a secure
way to increase privacy level. This is achieved by designing
the second layer of the basic encryption scheme to encrypt
(t)
the secret encryption keys ski of the first layer, which is
(t) (t) (t)
βi = (1 + N2 )ski · H2 (t)vi mod N22 . The secret encryption
(t) (t)
key of this second layer is vi . The requirement for vi is that
(t)
it is privately generated by each party such that i∈U vi = 0,
P
where U is the set of all parties. Different from the secret keys
sk of the first layer which are generated at each iteration, the
TRAN et al.: EFFICIENT PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING AND APPLICATIONS 2543

secret encryption keys v (0) which are created at the initial keys v of the second layer can be used for multiple iterations.
sub-protocol π0 of the establishment phase basically can be Shamir’s secret sharing for the secrets s is only implemented
used for multiple iterations (v (t) = v (t−1) = · · · = v (0) ). The at the establishment phase and in the iterations when parties
generation of v (t) is based on the correlated antiparticles
P using rejoin. Besides, only rejoining parties Pr generate new key
(t) (t) (t) (t) (t)
common pair-wise secrets, vi = γ i> j γ j,i ,
P
i< j i, j − pairs and transmit their new public keys pkr = g sr .
(t)
where γi, j is the common initial pair-wise secrets between
party i and party j created by adopting the Diffie-Hellman
Key exchange protocol. C. Description of the Proposed Protocol
2) Handling Dropouts: Shamir’s τ -out-of-k secret sharing Algorithm 1 describes the overall steps of the proposed
is utilized to allow a user to split a secret into k shares, such privacy-enhancing cross-silo federated learning from the client
that any τ shares can be used to reconstruct the secret, but side and the server side.
any set of at most τ ≤ 1 shares gives no information. Each
(t)
party creates k shares of its secret si , keeps one share and Algorithm 1 Proposed Privacy-Enhancing Cross-Silo
sends each share to each different party from k − 1 remaining Federated Learning Algorithm
shares. At each iteration t, after receiving the ciphertexts, Input:
the aggregator broadcasts the set of alive parties Uat , the T : Maximum number of rounds, k: the number of
set of the dropped parties Udt = U \ Uat . If Uat = U then clients selected in each round, Nepoch : the number of
(t)
i∈Uat vi = 0; but, if Uat ⊂ U then the sum local epochs, and η: the local learning rate, pp: public
P
we have
(t) parameters
i∈U t vi
P
needs to be recovered. Alive parties send their
a
(ti)
Output:
shares sd of a dropped party Pd to the aggregator. Thanks Global model w G
to the τ -out-of-k Shamir threshold secret sharing scheme, the Processing:
(t)
share sd can be recovered by the aggregator as long as the [Server-side]
(ti) (t)
aggregator receives at least τ secret shares sd . Having sd , 1: Initialize w 0G
(t) (t)
the aggregator can compute vd and obtain i∈U t vi
2: for each round t from 1 to T do
P
as
d
the master key of the second encryption layer to obtain the 3: Ut contains k clients
sum
P (t)
. Because the sum
P (t) 4: for each client i ∈ Ut in parallel do
j∈Uat sk j∈U sk j is the master
t (t) (t)
j a 5: Ci ← LocalTraining(i, w G , t)
key of
P the first encryption layer; thus, it helps to get the 6: end for
(t) (t)
sum t x
j∈Ua j . 7: y(t+1) , n (t) ← Dec( pp, {Ci }i∈Uat )
(t−1) (t+1) 1
3) Handling Rejoining: Assume that the secret sd of a 8: wG = (t) · Decode(y(t+1) )
dropped party Pd was revealed to the aggregator. If Pd rejoins n
9: end for
the current iteration, which is the t-th iteration, Pd has to
(t) [Client-side: Party Pi ]
create a new secret sd . For this case, the party Pd needs
(t) LocalTraining(i, w, t):
to send its updated public key pkd = g sd to the aggregator, (t)
10: Divide local dataset Di for round t into batches;
then creates and shares Shamir’s shares of its updated secret (t)
(t) Bi denotes the set of the batches.
sd . The aggregator broadcasts the updated set of public keys 11: for each epoch j from 1 to Nepoch do
and the set of rejoining parties. Rejoining parties Pr update (t)
(t)
12: for each batch b ∈ Bi do
(t) (t)
the seeds sr,i = ( pki )sr shared with all other parties and 13:
(t) (t)
wi ← wi − η∇ L(wi ; b)
(t)
(t)
compute their updated secret vr . Other parties Pi update the 14: end for
(t) (t) si(t)
seeds si,r = ( pkr ) shared with the rejoining parties and 15: end for
(t) (t) (t)
(t) 16: z i ← n i · w i
also calculate their updated secret vi . (t) (t)
4) Reducing Communication and Computation Overhead: 17: x i ← Encode(z i )
(t) (t) (t)
To overcome the problem of communication and computation 18: Ci ← Enc( pp, xi , n i , t)
(t)
overhead in federated learning with multiple iterations, the 19: return Ci
proposed solution is threefold. The first one is to utilize
a lightweight encryption/decryption scheme which has no
requirement to compute discrete logarithms. The second one 1) Establishment: All the parties agree on the public
is to accelerate the computation performance via parallel com- parameters pp = (N1 , N2 , H1 , H2 , G, T ) where: N1 is
puting of Single Instruction Multiple Data (SIMD) of crypto- the modulus of encryption layer√ 1, N2 is the modulus of
graphic operations over model vectors and pre-computed hash encryption layer 2 and N2 > k · 2l1 where l1 is the bit-
functions. The third one is to limit the number of times of length of N1 and k is the number of local parties; H1 :
(t) Z → Z∗ 2 , H2 : Z → Z∗ 2 are two hash functions, G is the
creating and transmitting the secrets si in the Shamir secret N1 N2
sharing scheme. This is effectively performed by designing a learning network and T is the number of federated learning
double-layer encryption scheme where the secret keys sk of iterations. The sub-protocol π0 generates the secrets v(0) as
the first layer are used for only one iteration and the secret follows:
2544 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 18, 2023

Fig. 1. Secure weighted model aggregation procedure for one epoch.

a) Sub-protocol π0 : each training epoch, where a step in square brackets (e.g. [2])
1. The aggregator chooses and publishes a λ-bit prime, p, indicates that this step is included if dropout/rejoining happens.
where λ is the security parameter, and g is the generator At each iteration t, each Pi owns a L-length local vector
(t)
of Z∗p model wi . The following describes in detail the steps of
(0) secure weighted aggregation at the iteration t ∈ [T ]
2. Each Pi uniformly samples si ←$ Z∗p and sends
(t) (t) (t)
(0) (0) 1. Pi .Encode(wi , n i ) → x i : Pi encodes the weighted
pki = g si to the aggregator who then broadcasts the (t)
set of all public keys to all parties model to get the non-negative integer vector x i accord-
3. Each pair of clients (Pi , P j ) computes a common pairwise ing to the method in [37]:
(0) (t) (t) (t) (t) (t)
seed γi, j : z i = {n i · wi, j | j ∈ [L]} ; n i = |Di | (4)
(0) (0) (t) (t)
(0) (0)
γ j,i = ( pki )s j = ( pk j )si
(0) (0)
= γi, j (1) x i = Encode(z i ) (5)
(t) (t)
zi = Decode(x i ) (6)
4. Each Pi computes:
(0)
X (0)
X (0) [2]. If Pi rejoins this iteration, this party runs Pi .GenKey()
vi = γi, j − γi, j (2)
to generate a new pair of its secret and public key, and
i< j i> j
Pi .CreateShares() to create k shares of the updated
5. Each Pi runs the Shamir-secret sharing algorithm (t)
(0) (0)
secret si :
SS(si , τ, k) to create k shares of its secret key si and (t)
(0 j)
sends each triple (i, j, si ) to each other party P j , where si ←$ Z∗p (7)
(0 j) (0) (t) (t)
si
si is the share of si corresponding to the party P j : pki =g (8)
(0, j) (0) (t, j) (t)
{(i, j, si )} j∈[k] ← SS(si , τ, k) (3) {(i, j, si )} j∈[k] ← SS(si , τ, k) (9)
(t)
2) Secure Weighted Aggregation: This section describes Then Pi sends the updated public key to the pki
the proposed secure weighted aggregation happening at each aggregator.
federated learning iteration to evaluate the global model as the 3. Based on the receiving updated public keys, the aggrega-
weighted aggregation of the encrypted local models. Fig. 1 tor creates the set of rejoining parties of this iteration,
illustrates the main steps and computations carried out during which is Urt . If Urt = ∅ then v (t) = v (t−1) , else the
TRAN et al.: EFFICIENT PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING AND APPLICATIONS 2545

aggregator broadcasts the updated set of the public keys – If Uat ⊂ U:

{ pk} and Urt . (t)
vi
P
(t) i∈Udt
[4]. Upon receiving Urt and { pk}, a rejoining party checks if ( i∈Uat βi ) · H2 (t) − 1 mod N22
Q
its updated public key is in the set and then continues the msk (t) =
N2
protocol; if not then leaves the protocol (early dropout).
(18)
If Urt ̸ = ∅ then Pi .UpdateSeedsSecret().
(t) (t)
If Pi rejoins, then Pi updates the seeds γi, j shared 11. A.Eval({αi }i∈Uat , msk) → n (t) ,
(t) (t)
with all other parties A.Eval({ci, j }i∈Uat , msk) → y j
(t) (t) (t) Having msk (t) , the aggregator can compute the global
γi, j = ( pk j )si ; j ∈ U \ {i} (10)
model:
(t) (t) (t)
else Pi updates the seeds γi,r shared with rejoining ( i∈Uat αi ) · H1 (L)−msk − 1 mod N12
Q
(t)
parties n =
N 1
(t) (t) (19)
γi,r = ( pkr(t) )si ; j∈ Urt \ {i} (11)
(t) (t)
( i∈Uat ci, j ) · H1 ( j)−msk − 1 mod N12
Q
(t) (t+1)
Then Pi updates their secret vi yj = (20)
N1
(t)
X (t) X (t) 1
vi = γi, j − γi, j (t+1) (t)
(12) wj = · Decode(y j ), ( j ∈ [L]) (21)
i< j i> j n (t)
Then, the aggregator sends the global model
(t) (t) (t) (t) (t) (t) (t+1)
5. Pi .Encrypt(x i , n i ) → Ci = {αi , βi , {ci, j } j∈[L] }: w (t+1) = {w j } j∈[L] to all local parties for the
(t)
Pi encrypts x i , which includes the following main steps: next epoch t + 1.
(t)
– Sample ski ←$ ±{0, 1}2l1
– Compute V. A NALYSIS OF THE P ROPOSED S CHEME
(t) (t) A. Correctness
(t)
ci, j = (1 + N1 )xi, j · H1 ( j)ski mod N12 • If Uat = U:
where j = 0 · · · L − 1 (13) From (25):
(t) (t) (t) Y (t) (t) (t)
αi = (1 + N1 )n i · H1 (L)ski mod N12 (1 + N2 )ski · H2 (t)vi mod N22
Y
(14) βi =
(t) (t) (t)
vi
βi = (1 + N2 ) ski
· H2 (t) mod N22 (15) i∈Uat i∈Uat
(t) (t)
vi
P P
ski
(t) (t) (t) (t) (t) = (1 + N2 ) i∈Uat · H2 (t) i∈Uat mod N22
– Return Ci = {αi , βi , ci = {ci, j } j∈[L] }
(t) (22)
Then Pi sends Ci to the aggregator
(t) Besides, from (2, 12), we have:
6. Receiving Ci from the alive parties, the aggregator
creates the set Uat of the alive parties and Udt = U \ Uat X (t)
vi = 0 (23)
of the dropped parties
i∈U
[7]. If Uat ⊂ U then the aggregator broadcasts Udt
(t,i) Thus,
[8]. Pi sends to the aggregator the value sd which is the
(t) (t)
share of the secret sd of a dropped party Pd in the set Udt . (t)
P
Y ski
(t) (t)
βi = (1 + N2 ) i∈Uat mod N22 (24)
[9]. A.ReconstructSecrets(Udt ) → {sd , vd }: Having the i∈Uat
Shamir’s secret shares from the alive parties, the aggre-
(t) From (17):
gator reconstructs the secret keys sd of dropped parties
(t) (t)
and then computes the secret vd of every dropped party βi − 1 mod N22
Q
(t) i∈Uat
in the set Udt from the recovered secrets. msk =
N2
(t)
X (t) X (t) P (t)
vd = γd,i − γd,i , d ∈ Udt (1 + N2 ) i∈Uat ski
mod N22 − 1 mod N22
d<i d>i =
(t)
N2
(t) s (t)
where γd,i = pki d (1 + i∈Uat ski · N2 ) mod N22 − 1 mod N22
P
(16)
=
(t) (t) N2
10. A. ComputeMSK({βi }i∈Uat , {v j } j∈U t ) → msk: The X (t)
d
= ski mod N22 (25)
aggregator computes the master key msk (t) :
i∈Uat
– If Uat = U:
(t)
• If Uat ⊂ U
β − 1 mod N22
Q
(t) Based on the Shamir threshold secret sharing scheme, the
msk = i∈U i (17) (t)
N2 aggregator can reconstruct all the secrets sd of dropped
2546 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 18, 2023

parties as long as the aggregator receives at least τ shares Similarly, substitute (28, 30) into (20), we have:
(t) (t)
of each sd . From that, the aggregator can recover vi of (t) (t)
( i∈Uat ci, j ) · H1 ( j)−msk − 1 mod N12
Q
(t)
dropped parties and obtains i∈U t vi .
P
(t+1)
d yj =
N1
(t) (t)
(1 + i∈Uat xi, j · N1 ) mod N12 − 1 mod N12
Y
βi
P

i∈Uat
=
N1
(t) (t) X (t)
vi
P P
ski 2
= (1 + N2 ) i∈Uat · H2 (t) i∈Uat mod N22 = xi, j mod N1 (32)
i∈Uat
(26)
(t+1) 1 (t+1)
(t)
wj = · Decode(y j )
i∈Uat vi
n (t)
P
Substitute (26) into (18), and note that +
(t) (t) 1
xi, j (t) )
X
i∈U t vi = i∈U vi = 0, we have:
P P
= (t) · Decode(
d n t
i∈Ua
(t)
vi
P
(t) 1 X
z i, j (t) (from (6))
i∈Udt
( i∈Uat βi ) · H2 (t) − 1 mod N22
Q
= (t) ·
msk (t) = n t i∈Ua
N2
(t) 1 X (t) (t)
P
(1 + N2 ) i∈Uat ski
· H2 (t)0 − 1 mod N22 = · n i · wi, j (from (4)) (33)
= n (t) t
N2 i∈Ua
(t)
(1 + i∈Uat ski · N2 ) mod N22 − 1 mod N22
P
This proves that the aggregator can compute the global model
= as the weighted average of all local models even if the
N2
X (t) aggregator does not know the true value of each local model.
2
= ski mod N2 (27)
i∈Uat
B. Security Analysis
Hence, in P
both cases, we successfully compute the master key
(t) In this section, we prove that the proposed protocol is
msk (t) = i∈Uat ski mod N22
√ (t) secure multiparty computation against an honest-but-curious
From N2 > k · 2l1 and ski < 22l1 , we have: adversary who controls the aggregator server and a set C of
X (t) colluded parties where |C| < τ . The aggregator is always
N22 > k · 22l1 > ski online while participants Pi may drop out and rejoin at any
i∈Uat iteration.
The security guarantee of the proposed scheme is based on
Then
Shamir’s secret sharing scheme, and the aggregator oblivious-
(t) ness security provided by the encryption construction in [19]
msk (t) =
X
ski (28)
under DCR assumption in the random oracle model. Secu-
i∈Uat
rity is against a computationally-bounded honest-but-curious
Next, we prove that with this master key, the global model aggregator server.
can be correctly computed. In fact, from (13, 14) we have: We will consider the executions of the proposed protocol
where an honest-but-curious aggregator server interacts with a
(t) (t)
(t) set of parties, the underlying encryption construction is based
P P
Y ni ski
αi = (1 + N1 ) i∈Uat · H1 (L) i∈Uat mod N12
on DCR assumption, and the Shamir secret sharing’s threshold
i∈Uat
is set to τ . In such executions, users might drop and rejoin
(29) at any iteration. The following proves the indistinguishability
(t) (t)
(t) of the distribution of the random variable representing the
P P
i∈Uat xi, j i∈Uat ski
Y
ci, j = (1 + N1 ) · H1 ( j) mod N12
adversary view in a real execution of the proposed protocol
i∈Uat
and the distribution of the random variable representing the
(30) adversary view in a secure-by-definition “ideal world” using
a simulation-based proof, which is a standard for security
Substitute (28, 29) into (19), we have: analysis of multiparty computation protocol [38]. The security
(t) (t) analysis of the protocol indicates that what the adversary
( i∈Uat αi ) · H1 (L)−msk − 1 mod N12
Q
n (t)
= learns from the real protocol execution is no more than
N1 what she can learn from the ideal protocol execution which
(t)
(1 + · N1 ) mod N12 − 1 mod N12 provides security/privacy. This also means the protocol in real
P
i∈Uat n i
= execution is secure against an honest-but-curious adversarial
N1
X (t)
model. To be more specific, the joint view of the server and
= n i mod N12 (31) any set of less than τ clients does not leak any information
i∈Uat about the other clients’ inputs (i.e., locally trained models/local
TRAN et al.: EFFICIENT PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING AND APPLICATIONS
training data) besides what can be inferred from the output of
the protocol computation (i.e., the aggregate model).
,τ,λ
Let REALU C ∩A be a random variable representing the view
of the adversary in a real execution of the proposed protocol.
Let SCU∩,τ,λ
A be the view of the adversary generated by a
simulator in a secure-by-definition “ideal world”. It is going
,τ,λ U ,τ,λ
to be proved that the distributions of REALU C ∩A and SC ∩A
are indistinguishable.
{REALU ,τ,λ } ∼
= {S
C ∩A
U ,τ,λ
}
C ∩A
We use the hybrid argument technique to prove this. First,
we define a series of hybrid random variables H0 , H1 , · · · to
construct the simulator S in an “ideal world” by the subsequent
modifications such that any two subsequent random variables
Hi and Hi+1 are computationally indistinguishable, starting
,τ,λ
from H0 which is the same as REALU C ∩A . The final result of
U ,τ,λ
subsequent modification is SC ∩A .
• H0 : This random variable is distributed exactly as
,τ,λ ∼
{REALU C ∩A } = {H0 }
• H1 : This hybrid is distributed exactly as H0 , but shares
of 0 (using a different sharing of 0 for every honest party)
(t)
substitute for all shares of si generated by honest parties
and given to the corrupted parties. Since the adversaries in
(t)
C ∩ A do not receive any additional shares of si from an
honest party, the combined view of adversaries has only
(t)
|C| < τ shares of each secret si . The security properties
of Shamir’s secret sharing guarantee that the distribution
of any shares of 0 is identical to the distribution of
an equivalent number of shares of any given secret
(t)
si , making this hybrid identically distributed to H0 ,
{H0 } ∼= {H1 }
• H2 : In this hybrid, compared to H1 , for each honest party
(t) (t)
Pi , the ciphertexts ci, j , t ∈ [T ] of xi, j is replaced by
the cipher text of a dummy vector 0, the ciphertexts
(t) (t)
αi , t ∈ [T ] of n i is replaced by the ciphertext of a
dummy value 0; hash function H1 is substituted with a
truly random function O1 . The aggregator obliviousness
security in the random-oracle model under the DCR
assumption of the construction in [19] guarantees that
this hybrid is indistinguishable from the previous one,
{H1 } ∼= {H2 }
• H3 : In this hybrid, compared to H2 , for each honest party,
(t) (t)
vi is replaced by random yi subject to i∈U \C yi =
P
(t)
− j∈C v j ; and hash function H2 is substituted with a
P
truly random function O2 . The aggregator obliviousness
security in the random-oracle model under the DCR
assumption of the construction in [19] guarantees that
this hybrid is indistinguishable from the previous one,
{H2 } ∼= {H3 }
Defining such a simulator S as described in the last hybrid, the
view generated by S is computationally indistinguishable from
,τ,λ ∼
that of the real execution: {REALU ∼
C ∩A } = {H0 } = {H1 } =
{H2 } ∼
= {H3 } ∼
U ,τ,λ
= {SC ∩A }.
C. Communication and Computation Analysis
Communication and computation overheads are analyzed
according to the establishment phase and each iteration of
2547
TABLE IV
C OMPUTATION OVERHEAD OF E ACH L OCAL PARTY AND THE
AGGREGATOR AT THE E STABLISHMENT P HASE AND E ACH
I TERATION . T HE E XPRESSIONS IN [] A RE I NCLUDED
IN THE C ASE OF D ROPOUT /R EJOINING H APPENS
federated learning where there is kr (0 ≤ kr < k) rejoined
parties (with or without Pi ) and kd (0 ≤ kd < k) dropped
parties. The computation and communication overheads are
summarized in Table IV and Table V, respectively. Denote
l pk , lss , li , le1 , le2 , l p are the sizes in bits of a public key,
a secret share, an integer, a first-layered ciphertext, a second-
layered ciphertext, and a plaintext, respectively. The cost in the
square brackets ([]) is included in the case of dropouts/rejoins
happens.
1) Computation Cost:
a) Computation cost of a local party: The computation
cost of each party Pi at the establishment phase includes the
main parts: 1- generating its public key, 2- performing each
pair-wise secret agreement with each of other k − 1 parties,
which takes O(k −1), and 3- creating τ -out-of-k Shamir secret
(t)
shares of si which is O(τ · k). Thus, the computation cost
of each party Pi at the establishment phase is O(τ · k).
Pi ’s computation cost at each iteration is the cost of
(t) (t) (t)
creating the ciphertexts ci, j , αi , βi which takes O(L).
If Pi rejoins, then there is extra computation cost as the
cost of Pi in the establishment phase, which is O(τ · k).
Thus the total computation of each party in an iteration is
O(L + [τ · k]).
b) Computation cost of the aggregator: The aggregator’s
computation cost can be divided into the main operations:
1- reconstructing Shamir secrets (one for each dropped party)
whenever dropouts happen, which takes the total time O(k 2 ),
and 2- obtaining wt by carrying decryption O(L) times. Thus
the total computation cost of the aggregator at an iteration is
O(L + [k 2 ]).
2) Communication Cost:
a) Communication cost of a local party: The communi-
(t)
cation cost of each party Pi at the establishment phase includes
the main parts: sending its public key to the aggregator,
sending k − 1 secret shares to other k − 1 parties (each secret
share to each party), resulting l pk +(k −1)·lss , which is O(k).
The communication cost of each party Pi at an iteration
can be partitioned into the main parts: 1- receiving k updated
public keys from the aggregator, which takes k ·l pk , 2- sending
(t)
k − 1 secret shares of its updated secret si when it rejoins
which takes (k − 1) · lss , 3- sending its secret shares of
∼ kd dropped parties’ secrets which is kd · lss , 4- sending an
(t) (t) (t) (t) (t)
encryption message Ci = {αi , βi , ci = {ci, j } j∈[L] } to
the aggregator at every iteration t, which accounts for (le1 +
le2 + L · le1 ), and 5- receiving the aggregate model, which is
L ·l p . Thus, communication cost of Pi at an iteration includes:
download cost (i.e., receiving messages) is [k · l pk ] + L · l p or
2548 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 18, 2023

TABLE V
C OMMUNICATION OVERHEAD OF E ACH L OCAL PARTY AND THE AGGREGATOR AT THE E STABLISHMENT P HASE AND E ACH
I TERATION . T HE E XPRESSIONS IN [] I S I NCLUDED IN THE C ASE OF D ROPOUTS /R EJOINS H APPENS

O(L+[k]), upload cost (i.e, sending messages) is [(k−1)·lss ]+ TABLE VI

[kd ·lss ]+(le1 +le2 + L ·le1 ) < [(2k −1)·λ]+(le1 +le2 + L ·le1 ) PARAMETERS FOR L AYERS OF THE N ETWORK IN F IG . 2
(l pk = lss = λ), or O(L + [k]).
b) Communication cost of the aggregator: The commu-
nication cost of the aggregator at establishment phase includes
receiving k public keys of k parties, resulting k · l pk , which
is O(k).
The communication cost of the aggregator at an iteration
can be broken into the main parts: 1- receiving kr updated
public keys which is kr · l pk , 2- sending the updated set of
public keys to k parties which is k · k · l pk , 3- receiving secret
shares of the dropped parties from the alive parties, which
causes maximum (k−kd )·kd ·lss , 4- receiving k−kd encryption
message which is (k −kd )·(le1 +le2 +L ·le1 ), and 5- sending the
TABLE VII
aggregate model to each local party, which is k·L ·l p . Thus, the
PARAMETERS FOR LSTM L AYERS OF THE N ETWORK IN F IG . 2
communication cost of the aggregator at an iteration includes:
upload cost is [k 2 ] + k · L ·l p or O(L · k + [k 2 ]), download cost
is [kr ·l pk ]+[(k −kd )·kd ·lss ]+k ·(le1 +le2 + L ·le1 )−[kd ·(le1 +
le2 + L · le1 )] < [k · l pk ] + [k 2 /4 · lss ] + k · (le1 + le2 + L · le1 ) =
2
[( k4 +k)·λ]+k ·(le1 +le2 + L ·le1 ), resulting in O(L ·k +[k 2 ]).

VI. P RIVACY-E NHANCING C ROSS -S ILO F EDERATED

L EARNING FDIA D ETECTION IN S MART G RIDS
Consider a multi-area grid of k non-overlapping areas man-
aged by k independent transmission grid companies (TGCs).
There is a system operator (SO) who takes care of the inter-
connection areas and coordinates operations. Each Pi TGC
owns a private local dataset Di , i ∈ {1, . . . , k} with n i = |Di |
samples and has communication lines with the SO and other
TGCs.
For FDIA detection in smart grids, the federated learning
approach is superior to the centralised in terms of data privacy
protection and communication overhead. From a data privacy
protection viewpoint, the private data of each local party
are not transmitted outside of federated learning, while for
a centralized approach, all these data have to be uploaded
to a central server, which is a risk to more security threats.
From a communication overhead perspective, in federated
learning, local models are transmitted to the centre instead of
raw measurement data. This also helps reduce communication
overhead due to the fact that the size of models is often much
smaller than raw measurement data.
An honest-but-curious adversarial model is considered.
Adversaries are assumed to be honest but curious in the
sense that they follow the protocol but can obtain available
transcripts to learn extra information that should remain pri-
vate. A good result of detecting false data injection attacks
supporting security operations and power management is a
common interest of all parties, thus it is reasonable that they
are incentivised to follow the protocol to achieve the best
output. However, some parties might be motivated to conspire
with each other to infer private training data samples of a
target party for some business benefits. In the context of the
above-proposed system model, a semi-honest adversary is an
adversary that controls SO and a set of colluded TGCs.
To model the spatial-temporal relationship between bus and
line measurements, a network architecture modified from the
method [36] is trained for the FDIA detection, as shown
in Fig. 2. The model in Fig. 2 is utilized to detect false
data injection attacks in transmission power grids. In the
training stage, the model is securely trained by the pro-
posed privacy-enhancing cross-silo federated learning frame-
work. The trained global model is then distributed to each
participant/sub-grid. In the test stage, each sub-grid utilizes the
trained global model to detect FDIAs individually. Time-series
bus measurements Zbti and transmission line measurements Zlti
are fed into the model, which is utilized to model the spatial-
temporal relationship between bus and line measurements. The
model will output the likelihood of FDIAs in the current sub-
grid. The details of network parameters are summarised in
Table VI and Table VII.
With the above training network architecture, the training
network model for FDIA detection has 132743 parameters.
TRAN et al.: EFFICIENT PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING AND APPLICATIONS
Fig. 2. The network architecture for FDIA detection in AC-model transmission power grids.
TABLE VIII
D ETAILS A BOUT THE T RANSMISSION P OWER
G RID ‘1-HV- MIXED -0-N O S W ’
The proposed privacy-enhancing cross-silo FDIA detection
is based on the classical federated learning framework
FedAvg [1] with the privacy protection part on top.
VII. E MPIRICAL E VALUATION
This section demonstrates the desirable utility and effi-
ciency of the proposed cross-silo privacy-enhancing federated
learning. In the following, we provide the description of the
measurement dataset and the transmission power grid system
which includes several subgrids controlled by local TGCs
and a SO who coordinates the federated learning process.
Following that is the training/testing setting and the discussion
of the performance in terms of accuracy, training time and
inference time.
A. Description of Datasets
1) Transmission Power Grid Test Set: A transmission power
grid, ‘1-HV-mixed-0-no sw’, from the benchmark dataset
SimBench [39] was used to evaluate the FDIA detection. This
power grid contains 64 buses, 58 loads, and 355 measure-
ments, with more details shown in Table VIII. This power grid
is divided into four sub-grids, with each sub-grid containing
16 buses, summarised as follows:
• sub-grid S1 contains bus 62, 26, 130, 44, 94, 104, 74, 48,
106, 50, 12, 54, 52, 0, 56, 34,
• sub-grid S2 contains bus 64, 100, 128, 68, 110, 112, 126,
66, 122, 98, 124, 102, 38, 96, 116, 120,
2549
• sub-grid S3 contains bus 92, 22, 84, 14, 20, 76, 132, 18,
114, 4, 80, 90, 42, 40, 82, 28, and
• sub-grid S4 contains bus 32, 2, 36, 70, 72, 108, 46, 78,
16, 86, 118, 24, 58, 88, 60, 30.
For each sub-grid, the bus measurements consist of
active/reactive power injections and bus voltage magnitude,
denoted by z btk ∈ Rn b ×3 at time tk ; and the line measurements
consist of active/reactive power flows and line electrical cur-
rent, denoted by zltk ∈ Rnl ×3 at time tk .
2) Normal and FDIA Measurement Data: The power grid
‘1-HV-mixed-0-no sw’ contains 35136 demand profiles, with
one profile per 15 minutes for one year. To generate the
datasets which include the normal measurement and the FDIA
measurement, the commercial software PowerFactory 2017
SP4,1 the open source software Pandapower,2 and the bench-
mark SimBench 3 were utilised. The normal measurements
were obtained by calculating the power flow using the com-
mercial software PowerFactory 2017 SP4. The attacks were
launched on a target bus by modifying either its voltage angle
or voltage magnitude. All of these FDIA measurement samples
have bypassed the residual-based data detection function of
PowerFactory 2017 SP4.
B. Training and Testing Setting
There are 35136 normal measurement samples and 35136
FDIA measurement samples, with normal measurement sam-
ples labelled 0 and FDIA samples labelled 1. In the training
stage, 29952 normal samples and 29952 FDIA samples for the
first 312 days are grouped as the training dataset; the other
5184 normal and FDIA samples for the remaining 54 days
are used as the test dataset. In the federated learning training,
the number of global epochs was set to 200, the number
of local epochs was set to 5, the number of local batches
was set to 48, and the sequence number for LSTM layers is
set to 96. In each federated learning training round, 3 local
sub-grids were randomly selected to collaboratively train the
global model. The federated learning source code 4 and the
popular deep learning framework Pytorch-1.9.05 were used
to implement the proposed FDIA federated learning detection
framework for the model training and testing.
Three commonly used metrics were applied to evaluate the
accuracy of the FDIA detection, namely precision, recall, and
1 https://www.digsilent.de/en/powerfactory.html
2 https://www.pandapower.org/
3 https://simbench.readthedocs.io/en/stable/about/installation.html
4 https://github.com/AshwinRJ/Federated-Learning-PyTorch
5 https://pytorch.org/docs/1.9.0/
2550 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 18, 2023
TABLE IX
C ENTRALIZED T RAINED FDIA D ETECTION ACCURACY
TABLE X
F EDAVG FDIA D ETECTION ACCURACY
F1 score, expressed by
 Nt p

 Pr ecision = ,


 N tp + N f p
 Nt p
Recall = ,

 N tp + N f n
 F1 = 2 × Pr ecision × Recall ,


 without privacy protection consumes around 233 seconds. The
Pr ecision + Recall
where N f p indicates the number of false positive, Nt p indi-
cates the number of true positive, N f n indicates the number of
false negative, and Ntn indicates the number of true negative.
C. FDIA Detection Accuracy and Time Overhead
We have compared the performance of the proposed solution
(i.e. the federated learning trained model on encrypted local
models from each local dataset) with the centralized trained
model on the whole plain dataset. The same model was trained,
without the proposed encryption scheme, in the centralized
way using the same hyperparameters in Section VII-B. The
results of the centralized trained model on the whole plain
dataset are summarized in Table IX. Table X is for the FDIA
detection accuracy of FedAvg FDIA detection algorithm on
the test dataset. As can be seen from Table IX and Table X,
there is no big difference in the accuracy.
The privacy-enhancing FedAvg FDIA detection version has
the same accuracy as the original FedAvg FDIA detection
version. However, the average training time for each sub-grid
as well as for the whole system to get the weighted global
model is longer due to the complexity of privacy protection
added for secure weighted aggregation. The average training
time is collected by evaluating the framework in a Linux
system with each sub-grid using one Nvidia Tesla Volta V100-
SXM2-32GB GPU.
Encryption parameters are set as: λ = 2048 (modulus p in
the sub-protocol π0 is a 2048-bit prime), l1 = 256 (modulus
N1 of the first encryption layer is 256-bit length integer),
l2 = 512 (modulus N2 of the second encryption layer is a
512-bit length), l p = 64.
For each federated learning round, each TGC timed its
own part including the local model training part and the
privacy protection part; SO timed the section of obtaining the
TABLE XI
AVERAGE C OMPUTATIONAL T IME IN S ECONDS PER O NE G LOBAL
E POCH IN A S INGLE -P ROCESSING M ANNER
TABLE XII
AVERAGE C OMPUTATIONAL T IME IN S ECONDS PER O NE G LOBAL
E POCH IN A M ULTI -P ROCESSING M ANNER W ITH 4 CPU S
encrypted aggregation model and decrypting it. In Table XI
we provide the average computational time in seconds per
one global epoch (one federated learning round) of our pro-
posed privacy-enhancing FDIA detection federated learning
in a single-processing manner. The local model training part
average extra time for the privacy protection part comprises
1- the time for the initial setting of the protection scheme
which is 16.41 seconds on average, 2- the computation time of
local model protection which happens at the client side at every
federated learning round which is 12.35 seconds in average
per client per round, 3- the computation time of obtaining the
encrypted aggregation model and decrypting it which happens
at the server side at every federated learning round which is
12.14 seconds in average per round.
To test the ability to accelerate the computation time, the
multiprocessing technique is implemented to partition the
Singular Instruction Multiple Data (SIMD) computations of
cryptography operations over model vectors onto 4 CPUs.
Table XII illustrates the possibility of accelerating the speed by
multiprocessing utilizing 4 CPUs. The computation overhead
of local model protection in each federated learning round with
security on top only incurs 5.56 seconds, i.e., 2.38% compared
to 233 seconds of the underlying model without security.
The total extra time of the privacy protection component
running over 200 epochs of federated learning training in a
single-processing manner is around 83 minutes, while in a
multi-processing manner with 4 CPUs is around 36 minutes.
The implementation of our proposed scheme is well-suited
for parallel computation. Thus, the extra computational time
overhead that occurred from our privacy-protection component
could be significantly reduced by using more CPUs that local
transmission grid operators are facilitated or from the cloud at
the very low price.6
From the communication analysis in Section V-C.2, with
the above encryption parameter setting for the experiment and
the size of model vector is L = 132743, the download cost of
a client is less than k · λ + L · l p = 4 · 2048 + 132743 · 64 =
8503744 bits ≈ 8.5 Mbits = 1 Mbyte, the upload cost of
6 https://aws.amazon.com/ec2/pricing/on-demand/
TRAN et al.: EFFICIENT PRIVACY-ENHANCING CROSS-SILO FEDERATED LEARNING AND APPLICATIONS
a client is less than [(2k − 1) · λ] + (le1 + le2 + L · le1 ) =
(2 · 4 − 1) · 2048 + (512 + 1024 + 132743 · 512) ≈ 68 Mbits =
8.5 Mbytes;
The model training is not a real-time process, thus we
can afford more time for transmission leading to a lower
bandwidth. If 1 second per iteration is used for uploading data
from a local party to the aggregator (resulting in 0.05 hours
of uploading data from a local party to the aggregator in
the whole training process with 200 epochs used in the
experiment), then the upload bandwidth requirement would
be 68Mbps. The network bandwidth for our campus office is
900Mbps.
In the inference stage, each sub-grid utilizes the trained
global model to detect FDIAs individually. Time-series bus
measurements Zbti and transmission line measurements Zlti are
fed into the model, which is utilized to model the spatial-
temporal relationship between bus and line measurements. The
model will output the likelihood of FDIAs in the current sub-
grid. Detecting FDIA given a trained model (i.e., inference) in
the proposed scheme is 6.7 milliseconds on average, which is
fast for relevant smart grid operations, e.g., state estimation.
VIII. C ONCLUSION
In this paper, we propose a cross-silo privacy-enhancing
federated learning which is secure in the honest-but-curious
adversarial model. With the main techniques of secure multi-
party computation based on double-layer encryption and secret
sharing, the scheme is efficient in communication and com-
putation overhead and robust against dropouts and rejoining.
The scheme removes the requirement of computing discrete
logarithms or multiple non-colluding server settings which are
the limitations of some related works. In addition, the client’s
secret keys of two encryption layers are generated by each
party in a decentralized manner which helps increase the level
of privacy guarantee. We also firstly design and empirically
evaluate a practical and efficient privacy-enhancing cross-silo
federated learning resilient to the local private data inference
attacks for FDIA detection in the smart grid domain. The
proposed scheme provides a framework which can be adapted
to other domains. The analysis of security and the empirical
evaluation proves that the proposed scheme achieves prov-
able privacy against an honest-but-curious aggregator server
colluding with some clients while providing desirable model
utility in an efficient manner. In future works, we are going
to investigate more different adversarial models in various
federated learning settings which is applicable for security in
cyber-physical systems.
R EFERENCES
[1] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y. Arcas,
“Communication-efficient learning of deep networks from decentral-
ized data,” in Proc. 20th Int. Conf. Artif. Intell. Statistics. (AIS-
TATS), Fort Lauderdale, FL, USA, in Proceedings of Machine
Learning Research, vol. 54, A. Singh and J. Zhu, Eds. PMLR,
Apr. 2017, pp. 1273–1282. [Online]. Available: http://proceedings.mlr.
press/v54/mcmahan17a?ref=https://githubhelp.com.
[2] M. Fredrikson, S. Jha, and T. Ristenpart, “Model inversion attacks
that exploit confidence information and basic countermeasures,” in
Proc. 22nd ACM SIGSAC Conf. Comput. Commun. Secur., Oct. 2015,
pp. 1322–1333.
2551
[3] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Stealing
machine learning models via prediction APIs,” in Proc. 25th USENIX
Secur. Symp., 2016, pp. 601–618.
[4] B. Hitaj, G. Ateniese, and F. Perez-Cruz, “Deep models under the GAN:
Information leakage from collaborative deep learning,” in Proc. ACM
SIGSAC Conf. Comput. Commun. Secur., Oct. 2017, pp. 603–618.
[5] Z. He, T. Zhang, and R. B. Lee, “Model inversion attacks against
collaborative inference,” in Proc. 35th Annu. Comput. Secur. Appl. Conf.,
Dec. 2019, pp. 148–162.
[6] L. Melis, C. Song, E. De Cristofaro, and V. Shmatikov, “Exploiting
unintended feature leakage in collaborative learning,” in Proc. IEEE
Symp. Secur. Privacy (SP), May 2019, pp. 691–706.
[7] N. Carlini, C. Liu, U. Erlingsson, J. Kos, and D. Song, “The secret
sharer: Evaluating and testing unintended memorization in neural net-
works,” in Proc. 28th USENIX Secur. Symp., 2019, pp. 267–284.
[8] G. Hug and J. A. Giampapa, “Vulnerability assessment of AC state
estimation with respect to false data injection cyber-attacks,” IEEE
Trans. Smart Grid, vol. 3, no. 3, pp. 1362–1370, Sep. 2012.
[9] G. Liang, J. Zhao, F. Luo, S. R. Weller, and Z. Y. Dong, “A review of
false data injection attacks against modern power systems,” IEEE Trans.
Smart Grid, vol. 8, no. 4, pp. 1630–1638, Jul. 2017.
[10] R. D. Christie, B. F. Wollenberg, and I. Wangensteen, “Transmission
management in the deregulated environment,” Proc. IEEE, vol. 88, no. 2,
pp. 170–195, Feb. 2000.
[11] F. Karmel, “Deregulation and reform of the electricity industry in
Australia,” Aust. Government-Dept. Foreign Affairs Trade, Barton,
ACT, Australia, Aust.-Jpn. Found. Grant 2017-18, 2018. [Online].
Available: https://www.dfat.gov.au/sites/default/files/deregulation-of-the-
energy-industry-australian-experience.pdf
[12] L. Sankar, “Competitive privacy: Distributed computation with privacy
guarantees,” in Proc. IEEE Global Conf. Signal Inf. Process., Dec. 2013,
pp. 325–328.
[13] P. Kairouz et al., “Advances and open problems in federated learning,”
Found. Trends Mach. Learn., vol. 14, nos. 1–2, pp. 1–210, Jun. 2021.
[14] C. Dwork and A. Roth, “The algorithmic foundations of differential pri-
vacy,” Found. Trends Theor. Comput. Sci., vol. 9, nos. 3–4, pp. 211–487,
2013.
[15] R. Shokri and V. Shmatikov, “Privacy-preserving deep learning,” in
Proc. 22nd ACM SIGSAC Conf. Comput. Commun. Secur., 2015,
pp. 1310–1321.
[16] R. C. Geyer, T. Klein, and M. Nabi, “Differentially private federated
learning: A client level perspective,” 2017, arXiv:1712.07557.
[17] A. G. Sébert, R. Sirdey, O. Stan, and C. Gouy-Pailler, “Protecting data
from all parties: Combining FHE and DP in federated learning,” 2022,
arXiv:2205.04330.
[18] E. Shi, T. H. Chan, E. Rieffel, R. Chow, and D. Song, “Privacy-
preserving aggregation of time-series data,” in Proc. NDSS, vol. 2, 2011,
pp. 1–17.
[19] M. Joye and B. Libert, “A scalable scheme for privacy-preserving
aggregation of time-series data,” in Proc. Int. Conf. Financial Cryptogr.
Data Secur. Cham, Switzerland: Springer, 2013, pp. 111–125.
[20] K. Bonawitz et al., “Practical secure aggregation for privacy-preserving
machine learning,” in Proc. ACM SIGSAC Conf. Comput. Commun.
Secur., Oct. 2017, pp. 1175–1191.
[21] J. Guo, Z. Liu, K.-Y. Lam, J. Zhao, and Y. Chen, “Privacy-enhanced
federated learning with weighted aggregation,” in Proc. Int. Symp. Secur.
Privacy Social Netw. Big Data. Cham, Switzerland: Springer, 2021,
pp. 93–109.
[22] H. Corrigan-Gibbs and D. Boneh, “Prio: Private, robust, and scalable
computation of aggregate statistics,” in Proc. 14th USENIX Symp.
Networked Syst. Design Implement., 2017, pp. 259–282.
[23] H. Fereidooni et al., “SAFELearn: Secure aggregation for private
federated learning,” in Proc. IEEE Secur. Privacy Workshops (SPW),
May 2021, pp. 56–62.
[24] Y. Dong, X. Chen, L. Shen, and D. Wang, “EaSTFLy: Efficient and
secure ternary federated learning,” Comput. Secur., vol. 94, Jul. 2020,
Art. no. 101824.
[25] C. Fang, Y. Guo, N. Wang, and A. Ju, “Highly efficient federated
learning with strong privacy preservation in cloud computing,” Comput.
Secur., vol. 96, Sep. 2020, Art. no. 101889.
[26] S. Truex et al., “A hybrid approach to privacy-preserving federated
learning,” in Proc. 12th ACM Workshop Artif. Intell. Secur., Nov. 2019,
pp. 1–11.
2552 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 18, 2023
[27] R. Xu, N. Baracaldo, Y. Zhou, A. Anwar, and H. Ludwig, “Hybridalpha:
An efficient approach for privacy-preserving federated learning,” in Proc.
12th ACM Workshop Artif. Intell. Secur., Nov. 2019, pp. 13–23.
[28] J. H. Bell, K. A. Bonawitz, A. Gascón, T. Lepoint, and M. Raykova,
“Secure single-server aggregation with (poly)logarithmic overhead,”
in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., Oct. 2020,
pp. 1253–1269.
[29] A. Madi, O. Stan, A. Mayoue, A. Grivet-Sebert, C. Gouy-Pailler, and
R. Sirdey, “A secure federated learning framework using homomorphic
encryption and verifiable computing,” in Proc. Reconciling Data Anal.,
Automat., Privacy, Secur., Big Data Challenge (RDAAPS), May 2021,
pp. 1–8.
[30] W.-T. Lin, G. Chen, and Y. Huang, “Incentive edge-based federated
learning for false data injection attack detection on power grid state esti-
mation: A novel mechanism design approach,” Appl. Energy, vol. 314,
May 2022, Art. no. 118828.
[31] L. Zhao, J. Li, Q. Li, and F. Li, “A federated learning framework for
detecting false data injection attacks in solar farms,” IEEE Trans. Power
Electron., vol. 37, no. 3, pp. 2496–2501, Mar. 2022.
[32] Y. Li, X. Wei, Y. Li, Z. Dong, and M. Shahidehpour, “Detection of false
data injection attacks in smart grid: A secure federated deep learning
approach,” IEEE Trans. Smart Grid, vol. 13, no. 6, pp. 4862–4872,
Nov. 2022.
[33] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,
pp. 612–613, Nov. 1979.
[34] P. Paillier, “Public-key cryptosystems based on composite degree resid-
uosity classes,” in Proc. Int. Conf. Theory Appl. Cryptograph. Techn.
Cham, Switzerland: Springer, 1999, pp. 223–238.
[35] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False
data injection on state estimation in power systems—Attacks, impacts,
and defense: A survey,” IEEE Trans. Ind. Informat., vol. 13, no. 2,
pp. 411–423, Apr. 2017.
[36] X. Yin, Y. Zhu, and J. Hu, “A subgrid-oriented privacy-preserving
microservice framework based on deep neural network for false data
injection attack detection in smart grids,” IEEE Trans. Ind. Informat.,
vol. 18, no. 3, pp. 1957–1967, Mar. 2022.
[37] M. De Cock, R. Dowsley, A. C. A. Nascimento, D. Railsback, J. Shen,
and A. Todoki, “High performance logistic regression for privacy-
preserving genome analysis,” BMC Med. Genomics, vol. 14, no. 1,
pp. 1–18, Dec. 2021.
[38] Y. Lindell, “How to simulate it—A tutorial on the simulation
proof technique,” in Tutorials on the Foundations of Cryptog-
raphy (Information Security and Cryptography), Y. Lindell, Ed.
Cham, Switzerland: Springer, 2017. [Online]. Available: https://link.
springer.com/chapter/10.1007/978-3-319-57048-8_6.
[39] S. Meinecke et al., “SimBench—A benchmark dataset of electric power
systems to compare innovative solutions based on power flow analysis,”
Energies, vol. 13, no. 12, p. 3290, Jun. 2020.
Hong-Yen Tran is currently pursuing the Ph.D.
degree with the School of Engineering and IT,
The University of New South Wales Canberra at
ADFA, Canberra, Australia. Her research interests
are in the field of secure and verifiable computation,
applied cryptography in cyber-physical systems, and
bio-cryptography.
Jiankun Hu (Senior Member, IEEE) is currently
a Professor with the School of Engineering and
IT, The University of New South Wales Can-
berra at ADFA, Canberra, Australia. He is also
an invited Expert of Australia Attorney-General’s
Office, assisting the draft of Australia National
Identity Management Policy. He has received nine
Australian Research Council (ARC) Grants and has
served at the Panel on Mathematics, Information,
and Computing Sciences, Australian Research Coun-
cil ERA—The Excellence in Research for Australia
Evaluation Committee in 2012. His research interests are in the field of cyber
security covering intrusion detection, sensor key management, and biometrics
authentication. He has many publications in top venues, including the IEEE
T RANSACTIONS ON PATTERN A NALYSIS AND M ACHINE I NTELLIGENCE,
the IEEE T RANSACTIONS ON C OMPUTERS, the IEEE T RANSACTIONS ON
PARALLEL AND D ISTRIBUTED S YSTEMS, the IEEE T RANSACTIONS ON
I NFORMATION F ORENSICS AND S ECURITY, Pattern Recognition, and the
IEEE T RANSACTIONS ON I NDUSTRIAL I NFORMATICS. He is a Senior Area
Editor of the IEEE T RANSACTIONS ON I NFORMATION F ORENSICS AND
S ECURITY.
Xuefei Yin received the B.S. degree from Liaoning
University, Liaoning, China, the M.E. degree from
Tianjin University, Tianjin, China, and the Ph.D.
degree from The University of New South Wales
Canberra at ADFA, Canberra, Australia. He is cur-
rently with the School of Information and Com-
munication Technology, Griffith University, Gold
Coast, QLD, Australia. He has published articles
in top journals, including IEEE T RANSACTIONS
ON PATTERN A NALYSIS AND M ACHINE I NTELLI -
GENCE , IEEE T RANSACTIONS ON I NFORMATION
F ORENSICS AND S ECURITY, ACM Computing Surveys, IEEE T RANSAC -
TIONS ON I NDUSTRIAL I NFORMATICS , and IEEE I NTERNET OF T HINGS
J OURNAL. His research interests include biometrics, pattern recognition,
privacy-preserving, and intrusion detection.
Hemanshu R. Pota received the B.E. degree from
the Sardar Vallabhbhai Regional College of Engi-
neering and Technology, Surat, India, in 1979, the
M.E. degree from the Indian Institute of Science,
Bengaluru, India, in 1981, and the Ph.D. degree
from The University of Newcastle, NSW, Australia,
in 1985, all in electrical engineering. He is cur-
rently an Associate Professor with The University
of New South Wales Canberra at ADFA, Canberra,
Australia. He has held visiting appointments with
Columbia University, New York City, NY, USA; the
University of California at Los Angeles, Los Angeles; the University of
Delaware; Iowa State University; Kansas State University; Old Dominion
University; the University of California at San Diego, San Diego; and the
Centre for AI and Robotics, Bengaluru.