Privacy Preserving Federated Machine Learning on
Recycling Data
Bachelor Semester Project S5 (Academic Year 2024/25), University of Luxembourg
Sven Kuffer Dr. Jeff Mangers
BICS Student Extrernal Advisor
University of Luxembourg
[email protected]
[email protected]
[email protected]
Abstract—Data privacy and secure data sharing are essential in
today’s data-driven economy, particularly when multiple stake-
holders require sensitive information to achieve mutually benefi-
cial outcomes. This proposal outlines a framework for secure,
distributed, and sandboxed multi-party computation (SMPC)
for data processing between two distinct entities: a product-
designing Beginning-of-Life (BOL) company and an End-of-
Life (EOL) recycling and sorting company. These companies
aim to securely share data to analyze and improve product
recyclability, with each retaining ownership of their proprietary
information. The proposed solution involves a secure computation
environment leveraging sandboxed virtual machines and MPC
protocols, ensuring that sensitive data is processed in situ (on
site) within each company’s environment without compromising
confidentiality. Using open-source tools such as ZeroVM, a
distributed framework that processes each company’s data locally
is poposed, producing insights that guide the BOL company
in optimizing product design for recyclability based on the
EOL company’s operational metrics. By enabling secure, private,
and decentralized data analysis, this approach has potential
applications beyond recycling, offering a scalable solution for
collaborative data analysis in supply chains and product life cycle
management.
Index Terms—distributed processing, data, security, sandbox,
virtual machine (VM)
I. I NTRODUCTION
In 2016, the EU released a new legislation, the General
Data Protection Regulation [2] (GDPR), for data protection.
This directive was meant to protect sensitive user data
from third-party companies processing them. The way the
directive was written, users have to consent to their data
being processed and stored, accounting for a potential future
use of fully homomorphic encryption [12] as a possible
solution to the problem of third party data processors. As
Fully Homomorphic Encryption schemes (FHE) are still in
the early days and come with increasing overhead the more
the data is processed and data having to adhere to very
specific formats, for the time being, one has to result to using
other methods.
Although this directive was tailored for sensitive consumer
data, companies want to protect their data as well from third
parties accessing them. Data are a very valuable asset for
these companies.
Prof. Thomas Engel
Supervisor
CRAB University of Luxembourg
In the current industry, companies often need to collaborate
and share data to optimize processes and improve workflows.
In the automotive industry, autonomous vehicles with AI
technology often need to share image data to enhance their
training on object and obstacle recognition. The focus of
research has been to train YOLO models locally per vehicle
and compute a combined model by all actors, to prevent
sensitive location and image data to be shared among actors.
However, in the scenario for this paper, recycling facilities
create their own image datasets of recycling streams, with the
goal of training an image recognition model to help improve
sortability and predictions. While they can all locally train
their own models, the end-goal is a superior model from the
combination of all datasets and the combined computational
power. The following two research questions highlight the
extend of the described problem:
(1) This scenario introduces a critical challenge: How can
the companies involved reach their combined computational
goal, without revealing their data and, by that, their company
secrets?
(2) How can a semi-trusted third party reconstruct the output
and get the averaged model and verify the claims about each
dataset, without revealing any sensitive information.
Different secure multi-party computation (SMPC) techniques
can be considered to reach the goal of privacy preserving
federated machine-learning, some of which are discussed in
the next section.
II. R ELATED W ORK
A. Machine Learning
Machine Learning (ML) is an umbrella term for many
different implementations of algorithm classes that learn and
optimize from the given data, instead of following a rigid
function. Machine learning is a set of converging optimization
problems. We generally consider three categories of ma-
chine learning, Supervised-Learning, Unsupervised-Learning
and Reinforcement-Learning. In this paper we mainly focus
on supervised-learning, where our data is labeled and the
algorithm is learning to predict those labels. More precisely,
we focus on computer vision algorithms, where the inputs are
a labeled dataset of images. The labels in this case are class
labeled boxes with coordinates and size parameters.
1) Computer Vision: Computer vision describes the iden-
tification of certain features in image, video or LIDAR data.
Mostly, it describes the use och machine learning and AI to
achieve these goals.
a) You only look once: You only look once (YOLO)
describes a family of computer vision machine learning al-
gorithms that is prominent for a fast learning implementation
on image data. It achieves this speed and efficiency by only
looking once over each image. The yolo models used in our
testing are based on ultralytics [14] models that enable ob-
ject detection, segmentation, classification, and poses. Object
detection is the focus of this paper.
2) Federated Learning: Whilst there are many ways to
achieve federated learning [4] [11], in order to achieve pri-
vacy, the need for cryptographic methods arises, such as
homomorphic-encryption or secure multi-party computation
schemes, as described in the next part. To achieve this,
typically one would need to alter the functions used in training
to work with MPC [13], however, this is not always feasible.
For once, it can add significant overhead to the computation,
the increased computational power need cannot be carried by
all actors, in addition to adding significant training time. On
the other hand, one does not have the ability to change the
architecture of closed source models that easily. In order to
not having to opt for a potentially inferior architecture and
reducing the added computational cost, a different method can
be applied. [5]
In a slow offline phase, the actors will perform their normal
model training on their own dataset. After this phase follows a
faster online-phase, using cryptographic protocols to keep the
data protected, where the actors calculate a combined model
by averaging their parameter weights, weighed by their input-
dataset size [10] [9] to increase fairness and ensure a robust
superior model output.
B. Secure Multi-Party-Computation (MPC)
Secure Multi-Party-Computation (MPC) [7] is a term that
describes the involvement of multiple parties, trying to achieve
a combined computational goal, whilst involving crypto-
graphic schemes to protect each party from malicious inter-
vention by other parties. There are many different schemes for
different applications and one has to also consider the problem
statement and setup to derive a security model to chose the
correct scheme wisely.
1) Adversaries: First, consider two different types of ad-
versaries that result in different security models that can be
applied. [8]
a) Semi-honest adversaries: are not interested in harm-
ing the computation and its output, they do however have an
interest in gaining information about the input of a computa-
tion from other parties.
b) Malicious adversaries: on the other hand may also
want to harm the computation itself, this requires a higher
level of security.
2) Passive and Active Security: In a semi-honest environ-
ment, passive security is sufficient, as malicious actors do
not want to harm the resulting computation output, but might
seek insight into the input data. In a malicious environment,
however, active security is required. Luckily, the problem
statement of this paper only requires passive security with a
semi-honest model.
3) Malicious-Majority: A malicious majority describes a
state where the majority of parties act maliciously. One has to
make sure that, if this is the case, no majority can reconstruct
the secret without the involvement of the other parties.
4) Secret Sharing: While there are many different schemes
for smpc computation, such as garbled circuits [5] or homo-
morphic encryption [12], the function that should be computed
only requires a summation of parameters. For this, secret
sharing schemes, such as Shamir-Secret sharing [3] come
in handy. The idea is to plot a secret on a t-dimensional
function, where the secret is at f(0) and each party receives
a random point on this function. To reconstruct the secret,
at least t shares are needed. The reconstruction happens using
Lagrange Interpolation. Each share computes a function where
g(x) equals 1 for their own share and 0 for all other points
that have been shared. By summing all these functions, we
receive again our secret at g(0) = f(0). This is the basis of
the later discussed implementation. Usually this happens in
a finite field, using modulo operations, to prevent over- and
underflow. This however means that it only works on positive
integers, while the parameters in a machine learning model are
floats. This means that normalization has to be applied to split
the sign, flag zeros and get a fixed precision representation of
a float using mantissa and exponent, that can then be scaled
to an integer. Alternatively, the finite field constraint can be
omitted, if one can be sure that over- or underflow cannot
happen.
a) Floating Point Arithmetic in Secret Sharing: is not an
easy task. Usually, we perform secret sharing over a finite set
of integers using modulo operations. For this, a large enough
prime number P is selected to create a modulo field FP .
However, this lets us only compute over positive integers. In
machine learning, our parameters are mostly small floating
point numbers, that can also be negative. To deal with this,
a solution is to scale the floating point numbers to integers
and reverse the scaling later. A framework such as crypten [6]
by Meta can be used. It encrypts a floating point number for
federated machine learning to an integer. However, this alone
is not secure, as it only scales it using a semi-random large
number, leaving the need for secret sharing. To pre-process
the parameters, one can extract from the float the sign, a flag
for the zero as well as the mantissa and exponent as a tuple
¡s,z,m,e¿. The mantissa and exponent give us a fixed point
representation of the number f = m ∗ 2p . The float can be
written as u = (1 − 2s)(1 − z)m ∗ 2e . [1]. With this extraction,
we can get a number that we can scale to an integer with
the sign kept separate. Finally, all operations need to work on
tensors.
5) Homomorphic Encryption: Homomorphic encryption
[12] is another encryption that can be used to secure
a secret and perform computations on said secret. Fully-
homomorphic encryption is still largely a theory that can
so far only be achieved by scaling partially-homomorphic
encryption schemes, resulting in an increase of entropy with
each operation on either multiplication or addition. Somewhat-
homomorphic encryption schemes on the other hand have been
know for a while, such as RSA, which was the first one
to be discovered by Shamir. These schemes however, only
enable one type of operation. This would be enough for this
use case, as during the secure phase only addition is needed.
In this paper secret sharing was chosen over homomorphic
encryption.
III. D ESIGN
The goal is to implement a privacy preserving federated
learning scheme for a You-Only-Look-Once convolutional
neural network. In combination with MPC, each input is being
processed to produce an output of both that satisfies all the
security constraints for all entities.
In the offline phase, each actor will train their own model
locally. They will add a hash ’H’ about the dataset and a
commitment ’C’ about the claimed dataset size as metadata
within the models checkpoint. The verifier can prove using
a zero-knowledge-proof scheme that the claims were in fact
correct.
In the online phase, the actors will extract the models weights
and average them using mpc protocols, weighed by their
claimed dataset size, to prioritize superior models. The output
will be given to all participating actors, without revealing sen-
sitive data. Finally, the semi-trusted third party can verify the
claims and validate each models performance on a validation
set.
A. Computational goal
The goal is to compute a weighted average of all learnt
models. Normally the average of Pna parameter Pi for n parties
can be calculated as Pi = ( j=1 Pij )/n. To weight this
average, to increase importance of better performing models,
we chose to weigh the average using the local
Pndataset size
dj with the global dataset size being D =
j=1 dj . The
weights can be played around with, an extra weight α, from
a performance test of each model on a validation set could
be introduced for P example. The resulting weighted average
n
equation is Pi = ( j=1 Pij ∗ dj )/D. This equation involves
both addition and multiplication, however, this complicates
things for secret sharing as multiplication would involve
multiple rounds of communication between nodes and sharing
triples. To eliminate the need for both multiplication steps, one
can firstly perform the weighting by the local dataset size in
the offline pre-processing step, locally. In order to deal with
the multiplication by the inverse of the global dataset size,
the output can first be re-constructed by the mediator. The
local dataset sizes can be sent to the mediator, as they are not
considered sensitive data. The mediator, after re-construction,
can then divide by the summed sizes without any need of
further encryption and communication. This leaves a simple
summation, using only addition, for the secret sharing online-
phase.
B. Actors
This section describes all actors involved in this problem.
• Dataset-Owners: The owner of a dataset has an incentive
to keep their valuable data private, while taking part in
the combined training of a superior model.
• Semi-Trusted Third Party: The semi-trusted third party
may or may not have their own dataset and, or participate
in the online phase of the federated learning process.
Most importantly though, their goal is to verify the claims
by each party and validate and rate the trained model
checkpoints.
• Processing company: A processing company is an ana-
lytics entity, only participating in the online-phase of the
federated learning process.
C. Input
This section describes the parameters involved in the com-
putation. The computer vision machine learning task involving
a YOLO cnn is a supervised learning algorithm. This means
that the input consists of both the image data and the cor-
responding labels. The labels for each object in the image
consist of a tuple L =< c, x, y, w, h >, where c is the class
index, x and y are the Cartesian coordinates, and w and h are
the width and height. In addition a base model needs to be
shared as a foundation to start the training on. The metadata
of this model has again the class names listed, as well as some
hyperparameters for the model to use in training.
• Labeled dataset of recycling stream images or videos, that
fit the YOLO format.
• Base model with predefined classes to start the offline
training process.
• Hash and Commitment about the dataset size.
IV. MPC AST F RAMEWORK
From the problem statement, the requirements and the
design for a solution follows the implementation of a Peer-to-
Peer framework for training local models and averaging the
learned parameters in a secure environment, meet MPCast.
A. Architecture
From the design section can be derived the architecture for
such a framework.1
 The framework consists of two different parties with specific
roles. The first party is the mediator, a (semi-)trusted party
that initiates and orchestrates communication, shares the initial
base-model for training, receives the end-result, reconstructs
it and averages it. The second party could potentially be split
into two sub-parties, a data holder and a computation node,
but for the sake of this implementation, both are fused into
one single node type. This party receives the base-model and
performs a training session on the model. The training can
be independently implemented, straight forward or even as
complex batch processing, with checkpoints, fail-safes and
orchestration. The implementation is left to the user. After the
training has finished, a completion statement is issued back
to the mediator, who then initiates the next phase. Still in
the offline-phase, the nodes prepare their data. The model is
preprocessed by extracting the state, scaling it by the dataset
size and pre-processing it, by normalizing it, to prepare it for
generating shares. Normalization in this case means splitting
the sign and ensuring the tensor values are all integers, so
that it can work in a field of FP , where P is a prime large
enough for all potential values. The nodes then generate shares
using a (n,t)-Shamir sharing scheme, where n is the number of Fig. 2: figure
nodes and at least t shares are required to reconstruct a secret. P2P Network
Now moving to the online-phase, the nodes distribute their
shares peer-to-peer. Once all shares have been received, they
sum the shares that they have received and report the output multi threading, file reads and parallel incoming of requests.
back to the mediator. The mediator receives all the shares and This is solved with thread locking, setting some flags and
can now reconstruct the summed secret. This sum can now be redundancy, such as retries in the sending of files. Flask comes
averaged to reveal the newly learned model. This model can with a development server and is not production ready, for
then be validated and if needed, learning can continued. that a Web Server Gateway Interface (wsgi) is needed and
https certificates to secure the communication across channels.
If the communication is not secure, then the whole smpc
calculation is pointless. In the conclusion section of the report,
the choice of the communication framework is again reflected
upon. To help with the secret sharing part, crypten by Meta
is used. It is a machine learning focused, torch friendly small
encryption library that helps with the normalization of our
tensors. The rest of the shamir secret sharing scheme is
implemented natively in python, notably the generation of
shares, the distribution, summation and reconstruction using
Lagrange Interpolation. The averaging has been simplified to
remove multiplication and division from the equation, as this
would have required multiple communication rounds between
Fig. 1: figure nodes. It is nonetheless the same calculation, just that the first
Architecture multiplication happens in the pre-processing step, locally and
the division by the sum of all dataset sizes happens after the
reconstruction. This is achievable as we do not consider the
B. Implementation dataset size to be sensitive data to share.
When it comes to the implementation, python was chosen The project includes two nodes, mediator.py and node.py. Each
as a main language, as it is the standard in machine learning node can be started with a port as an argument. The IP of the
applications. While we use a YOLO model using torch, any mediator is supposed to be known beforehand as a way to
model could potentially work. The peer-to-peer communica- access the network. For testing, all nodes can be auto started
tion between nodes was also implemented in python, using by running the launch script, which will first start the mediator,
flask.2 While flask is mainly a web server framework, modi- then all other nodes with auto-assigned port numbers. For
fying it a bit using multi threading, results in a p2p network deployment, https would be needed for secure communication
over http(s). Some race conditions apply when working with channels, without this, the project is not secure and it does not
work properly. The nodes spawn worker threads for certain
tasks, that use the files trainer.py, distributor.py, calculator.py,
in that order. The trainer is just a simulation of a training
environment and can be replaced by any training protocol, as is
or using parallelization and containerization for optimization.
For the sharing, the tool uses the SecureSharedModel class that
itself uses the SecureSharedTensor class. The SecureShared-
Model performs the operations on the entire model, while
delegating each tensor operation to the SecureSharedFloat
class, having implemented a tensor friendly calculation for
the sharing. A base-model in the models folder is needed
to run the program as a mediator. Some additional files are
generated, that were used for debugging purposes. These can
be streamlined in production. A testing and inspector file are
included to inevstigate the models.
V. C ONCLUSION
To conclude, we will first identify, which goals from the
proposal have been reached or not. We will then discuss
what was good or bad or could have been improved. Lastly,
we propose some topics that may be interesting for further
research.
The scenario in the first research question was later redefined
and refined to better reflect the use case. The goal of this
question has been reached, the computation has been securely
achieved using secret sharing.
The second research question redefined the role of the mediat-
ing party from a trusted party to a semi-trusted party, however,
the goal remained the same. The goal has been partially
reached, reconstruction of the output is possible with Lagrange
interpolation, the last step of calculating the average can than
be done by the mediator, as no sensitive data is involved here.
However, while it would be possible to verify the dataset size
claim, it would be hard to prove that the actual size was used
in the weighting of the parameters. For this reason, the claim
verification is not performed, as it provides no purpose.
While the initially proposed solution used a sandboxed en-
vironment to reach security, the final implemented solution
used a different approach, using secret sharing, used in many
federated machine learning papers.
The final solution provides an easy way to reach the goal,
it can be done relatively fast, as opposed to more complex
solutions, that alter the model architectures to share parameters
in between layers. The solution generally works, but it might
not perform well, if datasets and classes used between parties
are largely different, this could be further examined in further
research and how to make models more robust. The peer to
peer communication was achieved using python and flask with
some additional threads to handle asynchronous tasks, this
generally works, but performance could be increased by using
a compiled language and establishing a proper peer to peer
network. What this paper did not answer, is whether the data
is actually the sensitive data that requires protection. Further
research could acquire, whether the data is more valuable, or
the learnt parameters. There are many different ways to protect
parameters, labels or data, this paper just explored one of
many ways. Future research might look into homomorphism,
data or label obfuscation, or the effects of noise on the output
parameters.
VI. ACKNOWLEDGMENTS
I would like to thank Prof. Dr. Thomas Engel for their
guidance, expertise and feedback and Dr. Jeff Mangers for
the opportunity to research for this paper in the first place. I
would like to thank both of them for their invested time and
enabling me to pursue this project.
LATEX [?] [?].
R EFERENCES
[1] Mehrdad Aliasgari, Marina Blanton, Yihua Zhang, and Aaron Steele.
Secure computation on floating point numbers.
[2] European Parliament and Council of the European Union. Regulation
(EU) 2016/679 of the European Parliament and of the Council.
[3] Timothy Finamore. SHAMIR’s SECRET SHARING SCHEME USING
FLOATING POINT ARITHMETIC.
[4] Deepthi Jallepalli, Navya Chennagiri Ravikumar, Poojitha Vurtur Badar-
inath, Shravya Uchil, and Mahima Agumbe Suresh. Federated learning
for object detection in autonomous vehicles. In 2021 IEEE Seventh Inter-
national Conference on Big Data Computing Service and Applications
(BigDataService), pages 107–114. IEEE.
[5] Marcel Keller. MP-SPDZ: A versatile framework for multi-party
computation. In Proceedings of the 2020 ACM SIGSAC Conference
on Computer and Communications Security, pages 1575–1590. ACM.
[6] Brian Knott, Shobha Venkataraman, Awni Hannun, Shubho Sengupta,
Mark Ibrahim, and Laurens van der Maaten. CrypTen: Secure multi-
party computation meets machine learning.
[7] Fengxia Liu, Zhiming Zheng, Yexuan Shi, Yongxin Tong, and Yi Zhang.
A survey on federated learning: a perspective from multi-party compu-
tation. 18(1):181336.
[8] Yun Luo, Yuling Chen, Tao Li, Yilei Wang, Yixian Yang, and Xiaomei
Yu. An entropy-view secure multiparty computation protocol based on
semi-honest model:. 34(10):1–17.
[9] Michael Matena and Colin Raffel. Merging models with fisher-weighted
averaging.
[10] Vaikkunth Mugunthan, Antigoni Polychroniadou, David Byrd, and
Tucker Hybinette Balch. SMPAI: Secure multi-party computation for
federated learning.
[11] Gaith Rjoub, Omar Abdel Wahab, Jamal Bentahar, and Ahmed Saleh
Bataineh. Improving autonomous vehicles safety in snow weather
using federated YOLO CNN learning. In Jamal Bentahar, Irfan Awan,
Muhammad Younas, and Tor-Morten Grønli, editors, Mobile Web and
Intelligent Information Systems, volume 12814, pages 121–134. Springer
International Publishing. Series Title: Lecture Notes in Computer
Science.
[12] Shefer Roper and Plessner Bar. Secure computing protocols without
revealing the inputs to each of the various participants.
[13] Ajith Suresh. MPCLeague: Robust MPC platform for privacy-preserving
machine learning.
[14] Ultralytics. YOLO11 NEW.