A practical federated learning malicious security aggregation method and device

By adopting a deep learning-extractable ambiguity commitment scheme and a non-collusive dual-server architecture, we have achieved secure aggregation of gradient vectors in federated learning, solved the security and efficiency problems under malicious parties, and ensured the practicality and privacy protection of the protocol.

CN117035110BActive Publication Date: 2026-06-05INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES
Filing Date
2023-07-21
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing federated learning security aggregation protocols are difficult to guarantee security and are inefficient in the event of malicious intent by participating parties, especially when dealing with high-dimensional inputs and a large number of devices, which affects their practicality.

Method used

A deep learning-extractable ambiguous commitment scheme is adopted, combined with a non-collusive dual-server architecture. Gradient vectors are masked and aggregated using masking technology. The ElGamal, Paillier and Pedersen commitment schemes are used to generate and verify commitment values, thereby achieving resistance to malicious behavior and efficient aggregation.

Benefits of technology

It achieves secure aggregation of gradient vectors without compromising user privacy, allows ordinary users to disconnect at any stage, makes the aggregation stage flexible and variable, and ensures the security and efficiency of the protocol through public verification.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117035110B_ABST
    Figure CN117035110B_ABST
Patent Text Reader

Abstract

The application discloses a practical federated learning malicious security aggregation method and device, the method comprises the following steps: receiving a training model initialized by an initiator; negotiating the total number of participating users n, the input vector dimension d, the input vector definition domain D and the system security parameter λ with the initiator and broadcasting; broadcasting the training model obtained after the last round of federated learning task to the general user i, so that each general user i and / or the initiator who is willing to participate in the current round of federated learning task locally trains the training model obtained after the last round of federated learning task, and combines the input vector dimension d, the input vector definition domain D and the system security parameter λ to mask the gradient vector updated in the training process; after the aggregation of the received masked vector, the mask in the obtained aggregated result with the mask is removed to obtain the training model obtained after the current round of federated learning task. The application can ensure the malicious security of the protocol execution and has high efficiency without losing practicability.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of information security technology and relates to a secure aggregation protocol for federated learning, specifically a practical method and apparatus for secure aggregation of malicious activities in federated learning. Background Technology

[0002] As data becomes one of the main drivers of rapid development in the information age, collecting and utilizing as much data as possible has become increasingly important. One of the most common technologies is distributed machine learning. However, emerging privacy requirements present significant challenges. On the one hand, real-world data is often highly sensitive, especially in scenarios such as healthcare, finance, and industrial control. This may reduce data holders' willingness to provide data. On the other hand, privacy laws and regulations force companies to ensure privacy when collecting user data.

[0003] Federated learning (FL) has long been a popular paradigm for distributed, privacy-preserving machine learning, offering privacy by allowing users to upload local model parameters instead of their own raw, private data. However, some personal information, such as gradients, can still be extracted from some local model parameters. This necessitates proposing formal security techniques for FL.

[0004] Formal security research on FL primarily focuses on provably secure aggregation protocols while ensuring practical efficiency. Current aggregation protocols only achieve security (i.e., semi-honest security) when participants are semi-honest or guarantee the privacy of honest participants in malicious scenarios. Achieving security in malicious scenarios (i.e., malicious security) often requires cumbersome cryptographic tools and computations, and FLs typically involve high-dimensional inputs and a massive number of devices (users), which significantly compromises practical efficiency.

[0005] This invention primarily utilizes the DL-extractable ambiguity commitment scheme in cryptography to construct a malicious secure aggregation protocol for federated learning.

[0006] 1. DL-Extractable Ambiguous Commitment Scheme

[0007] Definition 1.1 A DL-extractable ambiguous commitment scheme consists of four algorithms E2 = (Gen, Com, Open, Ver):

[0008] Gen(λ): Input security parameter λ, output common parameters crs = ck and trapdoor td;

[0009] ·Com(ck;m): Input commitment key ck and message m, output commitment value c;

[0010] • Open(ck; e): Input commitment key ck and challenge message e, output message Gm and open message op, satisfying that m is the discrete logarithm (DL) of Gm;

[0011] Ver(ck; c, Gm, op): Input commitment key ck, commitment value c, message Gm, and open message op. Verify whether the commitment value, message Gm, and open message are consistent. If they are consistent, output 1, indicating successful verification; otherwise, output 0, indicating verification failure.

[0012] Definition 1.2 The security requirements that a DL-extractable ambiguous commitment scheme must satisfy:

[0013] • Binding: There is no efficient algorithm that, for a given commitment value c and challenge value e, can find two different sets of messages that can both pass the verification algorithm, i.e., Ver(ck;c, Gm, op) = 1 and Ver(ck;c, Gm′, op′) = 1.

[0014] • Hiding: For any different messages m1, m2, the probability distributions of Com(ck; m1) and Com(ck; m1) are indistinguishable.

[0015] • Discrete Logarithm (DL) Extractability: There exists an efficient algorithm that, given a trapdoor td, can compute message m1 for a given commitment value c, message Gm, and open message op, satisfying Com(ck;m) = c and Ver(ck;c, Gm, op) = 1.

[0016] • Ambiguity: There exists an efficient algorithm that, given a trapdoor td, can compute the commitment value c, message Gm, and open message op for any message m and op', satisfying Ver(ck; c, Gm, op) = 1. Summary of the Invention

[0017] To address the aforementioned issues, this invention discloses a practical method and apparatus for malicious aggregation in federated learning. This method is based on a non-collusive dual-server architecture and utilizes a DL-extractable ambiguity commitment scheme to aggregate federated learning tasks. Simultaneously, it ensures the security of protocol execution against malicious behavior by participating parties and maintains overall efficiency.

[0018] The technical solution of the present invention includes:

[0019] A practical federated learning method for malicious security aggregation, applied to a server, includes:

[0020] After receiving the initial training model from an initiator, negotiate with the initiator the total number of participating users n, the dimension of the input vector d, the domain of the input vector D, and the system security parameter λ, and then broadcast the results.

[0021] The training model obtained after the previous round of federated learning is broadcast to ordinary user i, so that each ordinary user i who is willing to participate in this round of federated learning and / or the initiator can train the training model obtained after the previous round of federated learning locally, and mask the gradient vector updated during training by combining the input vector dimension d, the input vector domain D and the system security parameter λ, i≤n;

[0022] After aggregating the received mask vectors, the masks are removed from the resulting aggregated result to obtain the training model obtained after this round of federated learning.

[0023] Furthermore, the step of masking the gradient vector updated during training by combining the input vector dimension d, the input vector domain D, and the system security parameter λ includes:

[0024] The server establishes communication between the initiator and ordinary user i who is willing to participate in this round of federated learning tasks;

[0025] The server receives a commitment key ck, which is generated by a trusted third party based on the system security parameter λ, the input vector dimension d, and the input vector domain D.

[0026] The server receives the third commitment value from the initiator. And the third commitment value of ordinary user i Wherein, the third commitment value Included in the commitment key ck and gradient vector m (0) The generated commitment value c (0) The third commitment value Included in the commitment key ck and gradient vector m (i) The generated commitment value c (i) ;

[0027] The server obtains all third-party commitment values. The initiator performs a two-way secure coin toss to obtain challenge e, which is then broadcast so that both the initiator and the ordinary user i can respond to challenge e; wherein, the initiator's response to challenge e includes broadcasting a commitment value c. (0) The broadcast is based on the commitment key ck, the challenge e, and the commitment value c. (0) The received open message op (0) The broadcast is based on the commitment key ck and the gradient vector m. (0)The received message value Gm (0) The ordinary user i responds to the challenge e by: committing a value c (i) Sending to the initiator and server, based on the commitment key ck, the challenge e, and the commitment value c (i) Generate open message op (i) Send to the initiator and server, and will be based on the commitment key ck and the gradient vector m (i) The generated message value Gm (i) Send to the initiator and the server;

[0028] The server verifies the broadcast commitment value c jointly with the initiator. (i) The open message op (i) The message value Gm (i) A set of verified users is obtained, such that each ordinary user i in the set is based on a mask seed. The mask seed selected by the server and gradient vector m (i) Generate mask vector M (i) .

[0029] Furthermore, the commitment key ck is generated by a trusted third party based on the system security parameter λ, the input vector dimension d, and the input vector domain D, including:

[0030] Based on the selected p-order cyclic group G, a public-private key pair (EG.pk, EG.sk) for the ElGamal encryption scheme is generated; wherein, the private key... The public key EG.pk = (g, h) is a multiplicative group modulo a prime number p. The first element g in the public key EG.pk is a generator of the cyclic group G of order p, and the second element h = g. EG.sk ;

[0031] Based on the system security parameter λ, an optimized Paillier encryption scheme public-private key pair (Pai.pk, Pai.sk) is generated; wherein the private key Pai.sk = pq, the greatest common divisor of prime numbers p and q dividing P-1, Q-1, P-1, and Q-1 is 2, and l is a polynomial of the system security parameter λ. N Prime numbers P and Q of bit length satisfy P ≡ Q ≡ 3 mod 4, the public key Pai.pk = (N, h0), and the first element N = PQ in the public key Pai.pk has a bit length of l. N The second element h0 in the public key Pai.pk is -y 2μ mod N, It is a multiplicative group modulo N, with parameters And p′q′ and Coprime, p′, q′ are prime numbers of length l bits;

[0032] Based on the system security parameter λ, generate The commitment key and trapdoor (DF.ck, DF.td) of the integer commitment scheme; wherein, the commitment key The second element in the commitment key DF.ck The first element in the commitment key DF.ck random numbers For model The integer group, wherein the trapdoor DF.td = α;

[0033] Generate the commitment key and trapdoor (Ped.ck, Ped.td) for the Pedersen commitment scheme; wherein, the trapdoor... The commitment key Ped.ck = (u, v), where the first element u in Ped.ck is another generator of the prime-order p-order cyclic group G, and the second element v in Ped.ck = u Ped.td ;

[0034] Randomly select a collision-resistant hash function H;

[0035] Randomly select a d-dimensional vector g←G from the cyclic group G. d ;

[0036] Output the commitment key ck = (p, EG.pk, Pai.pk, DF.ck, Ped.ck, g, H) and the trapdoor td = (EG.sk, Pai.sk, DF.td, Ped.td).

[0037] Furthermore, the server receives a third commitment value from the initiator. include:

[0038] The initiator calculates the gradient vector m (0) Corresponding message value mod p, where It is the gradient vector m (0) The j-th component, g i It is the j-th component of vector g;

[0039] The initiator selects a random number. The message value Gm is encrypted using the ElGamal encryption scheme. (0) Generate the first commitment value

[0040] The initiator chooses a d-dimensional random vector. For all indices j∈[d], encrypt m using optimized Paillier encryption. j generate Obtain the second commitment value

[0041] The initiator selects a random number. random numbers d-dimensional random vector d-dimensional random vector random numbers We obtain a random number set s = (s1, s2, s3, s4, s5); where, Modulus p·2 2λ 2 l , A group of integers, where the superscript d indicates that a d-dimensional random vector is obtained by repeatedly selecting d random times from the group.

[0042] The initiator calculates the randomized message set based on the random number set s = (s1, s2, s3, s4, s5). Among them, random messages Random message Random message Random message Random message

[0043] The initiator constructs the statement message to be proved. And calculate the hash value of the statement message x.

[0044] The initiator selects a random number. Use the Pedersen commitment hash value h x To generate a third commitment value

[0045] Generate the initiator's commitment value

[0046] The initiator broadcasts the third commitment value. So that the server obtains the third commitment value

[0047] Furthermore, the initiator broadcasts based on the commitment key ck, the challenge e, and the commitment value c. (0) The received open message op (0) ,include:

[0048] By calculating the response value z1 = r1·e + s2 and the response value z2 = m (0)Given the response values ​​z3 = r2·e+s4 and z4 = s1·e+s5, we obtain the response value z = (z1, z2, z3, z4).

[0049] Generate open message

[0050] Furthermore, the server jointly verifies the broadcast commitment value c with the initiator. (i) The open message op (i) The message value Gm (i) A set of verified users is obtained, such that each ordinary user i in the set is based on a mask seed. The mask seed selected by the server and gradient vector m (i) Generate mask vector M (i) ,include:

[0051] The promised value c for each ordinary user i (i) and open message op (i) Call E2's verification algorithm Ver(ck; c) (i) ,Gm (i) ,op (i) Verification will be performed.

[0052] In the commitment value c (i) and the open message op (i) If the condition is correct, add the ordinary user i to the verification set U1;

[0053] For all ordinary users i∈U1, the server randomly selects a seed. Generate mask vector And random seed After sending to the corresponding user i, broadcast the verification set U1;

[0054] Determine whether the validation set U1 is equal to the validation set. Wherein, the verification set It is the commitment value c made by the initiator for each ordinary user i. (i) and open message op (i) Based on the verification algorithm Ver(ck;c) of E2. (i) ,Gm (i) ,op (i) This was obtained through verification.

[0055] If the verification set U1 is equal to the verification set The initiator then randomly selects a seed. Generate mask vector and seeds After sending to the corresponding user i, broadcast the verification set U1;

[0056] For all ordinary user i ∈ U1, based on the seed and seeds Generate mask vector Then, the mask vector M (i) Return to the server and the initiator.

[0057] Further, the aggregation of the gradient vectors after removing the mask from the mask vector includes:

[0058] The server receives the mask vector M. (i) Then, the corresponding ordinary user i is added to set U2, and the aggregated mask vector is calculated. Then, send set U2 and mask vector Smsk. s To the initiator;

[0059] The initiator receives the mask vector M (i) Then, add the corresponding ordinary user i to the set. And determine whether set U2 is equivalent to set U2.

[0060] In set U2, it is equivalent to set In this case, the initiator calculates the final demask vector. And send the demasking vector Smsk to the server;

[0061] The server calculates the aggregation results. And verify Is it valid?

[0062] exist If the condition is met, the aggregation result A is taken as the aggregation result of the gradient vector in this round.

[0063] A practical federated learning malicious security aggregation device includes:

[0064] The initialization module is used to receive the training model initialized by an initiator, negotiate with the initiator the total number of participating users n, the dimension of the input vector d, the domain of the input vector D, and the system security parameter λ, and then broadcast it.

[0065] The model distribution module is used to broadcast the training model obtained after the previous round of federated learning task to ordinary user i, so that each ordinary user i who is willing to participate in this round of federated learning task and / or the initiator can train the training model obtained after the previous round of federated learning task locally, and mask the gradient vector updated during training by combining the input vector dimension d, the input vector domain D and the system security parameter λ, i≤n;

[0066] The vector aggregation module is used to aggregate the received mask vectors, and then remove the mask from the resulting aggregated result to obtain the training model after this round of federated learning.

[0067] A computer device, characterized in that the computer device comprises: a processor and a memory storing computer program instructions; the processor, when executing the computer program instructions, implements the practical federated learning malicious security aggregation method described above.

[0068] Compared to existing technologies, this invention achieves secure aggregation of updated gradient vectors in federated learning without compromising user privacy. It's worth noting that our secure aggregation protocol, besides improving security, also allows ordinary users to disconnect at any stage, as ordinary users are independent of each other, and the final number of users aggregated is flexible and variable. Therefore, the aggregation phase includes a check of the current set of remaining valid users. Furthermore, by broadcasting all messages in the protocol except for the seed, the verification algorithm Ver and the verification of the final aggregation result in E2 become public verification, allowing any entity in the protocol to perform the verification. Attached Figure Description

[0069] Figure 1 A schematic diagram of a secure aggregation scenario in federated learning.

[0070] Figure 2 A practical schematic diagram of the process of federated learning malicious security aggregation protocol. Detailed Implementation

[0071] The exemplary embodiments will now be described in detail with reference to the accompanying drawings.

[0072] In the scenario of secure aggregation in federated learning, the user's privacy input is often a high-dimensional gradient vector. Therefore, this invention is based on the DL-extractable UC commitment scheme proposed by Abdolmaleki et al., and extends it to a practical DL-extractable ambiguous commitment scheme E2 applicable to input vectors, which includes four stages: Gen stage, Com stage, Open stage, and Ver stage.

[0073] ●Gen phase.

[0074] Inputs to the Gen phase: security parameter λ, dimension d.

[0075] • Output of the Gen phase: common parameter crs = ck, trapdoor td.

[0076] • Processing procedure in the Gen phase:

[0077] 1. Generate the public-private key pair (EG.pk, EG.sk) for the ElGamal encryption scheme. The process is as follows: g is the generator of the prime-order p-order cyclic group G, and is randomly selected. Calculate the second element h = g of the ElGamal public key. EG.sk Thus, we obtain EG.pk = (g, h);

[0078] 2. Generate an optimized Paillier encryption scheme public-private key pair (Pai.pk, Pai.sk) that satisfies: l is a polynomial of the security parameter λ, l N The bit length is N = PQ, and the prime numbers p′, q′, and l are of length l bits. N For prime numbers P and Q of length 1 and 2, P ≡ Q ≡ 3 mod 4, and the greatest common divisor of p and q that divide P-1, Q-1, P-1, and Q-1 respectively is 2. The relationship between p′ and q′ is also given. Coprime, Select random number Calculate the second element h0 of the Paillier public key = -y 2μ mod N, we finally get Pai.pk = (N, h0) and Pai.sk = pq;

[0079] 3. Generate The commitment key and trapdoor (DF.ck, DF.td) of the integer commitment scheme are selected randomly. The second element of the commitment key Select random number Calculate Dam The i-th element of the commitment key Finally obtained DF.td = α;

[0080] 4. Generate the commitment key and trapdoor (Ped.ck, Ped.td) for the Pedersen commitment scheme, satisfying: u is a generator of the prime p-order cyclic group G, and the trapdoor is randomly selected. Calculate the second element v = u of the Pedersen commitment key. Ped.td This yields Ped.ck = (u, v);

[0081] 5. Randomly select a collision-resistant hash function H;

[0082] 6. Randomly select a d-dimensional vector g←G from the cyclic group G. d ;

[0083] 7. Output the common parameters (which are also the commitment keys for the entire scheme) crs = ck = (p, EG.pk, Pai.pk, DF.ck, Ped.ck, g, H) and trapdoor td = (EG.sk, Pai.sk, DF.td, Ped.td).

[0084] ●Com phase.

[0085] • Com phase input: commitment key ck, user-private input d-dimensional vector m

[0086] •Com phase output: Commitment value c.

[0087] • Processing steps in the Com phase:

[0088] 1. Calculation Where m i It is the i-th component of m, g i It is the i-th component of g;

[0089] 2. Select random numbers Generate the first commitment value by encrypting Gm using ElGamal.

[0090] 3. Choose a d-dimensional random vector For all indices j∈[d], encrypt m using optimized Paillier encryption. j generate The second commitment value c2 is obtained;

[0091] 4. Select random numbers random numbers d-dimensional random vector d-dimensional random vector random numbers The set of random numbers s = (s1, s2, s3, s4, s5) is obtained;

[0092] 5. Calculate 5 messages randomized using the above random numbers. For all j∈[d], Obtain the randomized message set

[0093] 6. Given the statement message to be proved, x = (p, EG.pk, Pai.pk, c1, c2), calculate the hash value h. x =H(x, a);

[0094] 7. Select random numbers Using Pedersen promise h x Generate a third commitment value

[0095] 8. Obtain and output the commitment value c = (c1, c2, c3).

[0096] ●Open phase.

[0097] • Inputs for the Open phase: commitment key ck, challenge message e.

[0098] • Output of the Open phase: Gm and the open message op.

[0099] • Processing steps during the Open phase:

[0100] 1. Calculate z1 = r1·e + s2, z2 = m·e + s3, z3 = r2·e + s4, z4 = s1·e + s5, and get z = (z1, z2, z3, z4);

[0101] 2. We obtain op = (c3, e, a, z, r3);

[0102] 3. Output the Gm that has been calculated in the Com phase and the aforementioned open message op.

[0103] ●Ver stage.

[0104] Input: commitment key ck, commitment value c, message Gm, and open message op.

[0105] Output: 1 or 0.

[0106] • Ver stage processing:

[0107] 1. Parse and obtain x and a from the input commitment key ck, commitment value c, message Gm, and open message op, then calculate the hash value h. x =H(x, a);

[0108] 2. Inspection Check if the condition is true. If true, continue; otherwise, output 0.

[0109] 3. For all j∈[d], check target 3,j ∈[-2 l+λ ,2 l ·(1+2 λ If all conditions are met, continue; otherwise, output 0.

[0110] 4. Inspection Check if the condition is true. If true, continue; otherwise, output 0.

[0111] 5. Inspection Check if the condition is true. If true, continue; otherwise, output 0.

[0112] 6. Inspection Check if the condition is true. If true, continue; otherwise, output 0.

[0113] 7. For all j∈[d], check If both conditions are met, output 1; otherwise, output 0.

[0114] Based on the above practical DL-extractable ambiguity commitment scheme E2 applicable to input vectors, such as Figure 1 and Figure 2 As shown, the federated learning malicious security aggregation method practical in this invention, when applied to a server, includes the following steps 1-3.

[0115] Step 1: After receiving the training model initialized by an initiator, negotiate with the initiator the total number of participating users n, the dimension of the input vector d, the domain of the input vector D, and the system security parameter λ, and then broadcast the results.

[0116] The system model upon which this invention is based consists of three entities: the initiator, the server, and ordinary users. It is assumed that the initiator and the server do not collude, and each ordinary user has a secure channel to communicate with the initiator and the server.

[0117] Initiator: The initiator is responsible for initializing a federated learning task and training a model. Their participation in the federated learning system aims to train a better model from more data, thus benefiting their production practice. Specifically, the initiator also possesses its own data and can therefore train and generate updated gradient vectors themselves.

[0118] Server: A server can be a platform that provides federated learning services, has channels to contact ordinary users who wish to participate in federated learning, and is responsible for assisting in the secure aggregation of federated learning.

[0119] Ordinary users: An ordinary user can be an enterprise, institution, or individual who is willing to join a federated learning task that interests them, and then train the model based on their own private inputs, which may be disconnected at any time.

[0120] Furthermore, since federated learning consists of multiple iterative rounds, in the first iteration, the initiator first tells the server the target training model and sends the initialized model parameters to the server. The server then broadcasts the initial model to ordinary users. Simultaneously, the broadcaster negotiates with the initiator the total number of participating users n, the input vector dimension d, the input vector domain D, and the system security parameter λ, so that a trusted third party (TTP) can execute the first phase of the secure aggregation protocol of this invention: the Setup phase.

[0121] ● Setup stage.

[0122] • Execution Entity: Trusted Third Party (TTP)

[0123] 1. TTP obtains the negotiated parameters: total number of participating users n, input vector dimension d, domain of input vector D, and system security parameter λ; calls E2's generation algorithm Gen(λ, d) to obtain the commitment key ck and trapdoor td, such that p > (n+1)·D in ck;

[0124] 2. TTP broadcasts the commitment key ck to all ordinary users, initiators, and servers; removes the trapdoor td.

[0125] Afterward, the initiator, server, and ordinary users can begin multiple iterations. Steps 2-3 below mainly outline the secure aggregation of one iteration.

[0126] Step 2: Broadcast the training model obtained after the previous round of federated learning to ordinary user i, so that each ordinary user i who is willing to participate in this round of federated learning and / or the initiator can train the training model obtained after the previous round of federated learning locally, and mask the gradient vector updated during training by combining the input vector dimension d, the input vector domain D and the system security parameter λ.

[0127] After the server broadcasts the trained model obtained from the previous federated learning task to ordinary users, those willing to participate in this federated learning task can begin training locally and obtain updated gradient vectors. Simultaneously, the initiator can also train locally and obtain updated gradient vectors. After a specific time, both the initiator and ordinary users can upload their masked gradient vectors to the server.

[0128] During this process, ordinary users, initiators, and servers will execute the second to fourth phases of the security aggregation protocol of this invention, depending on the specific circumstances: the Commit phase, the Generate Mask phase, and the Upload phase.

[0129] ●Commit phase.

[0130] • Execution entities: ordinary users, initiators, and servers

[0131] 1. The initiator's input vector m (0) Calling the E2 commitment algorithm Com(ck;m) (0) ) Obtain the commitment value c (0) , and broadcast;

[0132] 2. A regular user i has control over its input vector m. (i) Calling the E2 commitment algorithm Com(ck;m) (i) ) Obtain the commitment value c (i) , and Send to the initiator and server;

[0133] 3. The initiator and the server perform a secure coin toss to obtain a challenge ch of length λ bits, which is then broadcast to ordinary users;

[0134] 4. After receiving the challenge, the initiator will... and Broadcast, and call E2's open algorithm Open(ck; ch) to get Gm. (0) and open message op (0) , will Gm (0) and op (0) broadcast;

[0135] 5. After receiving the challenge from ch, ordinary user i will... and Broadcast, and call E2's open algorithm Open(ck; ch) to get Gm. (i) and open message op (i) , will Gm (i) and op (i) Send to the initiator and the server.

[0136] ●Generate Mask stage.

[0137] • Execution entities: ordinary users, initiators, and servers

[0138] 1. The server, in response to the initiator's promise and open message, calls the E2 verification algorithm Ver(ck;c) (0) ,Gm (0) ,op (0) If the result is 1, the agreement continues; otherwise, the agreement is terminated.

[0139] 2. For all i∈[n], the server calls the E2 verification algorithm Ver(ck; c) (i) ,Gm (i) ,op (i)If the result is 1, then the corresponding i is added to the initially empty set U1; otherwise, the user is ignored; the final set U1 represents the set of online users who have passed the server verification.

[0140] 3. For all i∈U1, the server randomly selects a seed. Generate mask vector Will Send it to the corresponding user i, and broadcast U1;

[0141] 4. For all i∈[n], the initiator calls the E2 verification algorithm Ver(ck; c (i) ,Gm (i) ,op (i) If we obtain l, then we add the corresponding i to the set that was initialized to empty. Otherwise, ignore the user; the final set obtained This represents the set of online users who have passed the initiator's verification.

[0142] 5. If The initiator terminates the agreement; otherwise, the agreement continues.

[0143] 6. For all i∈U1, the initiator randomly selects a seed. Generate mask vector Will Send it to the corresponding user i and broadcast it to U1.

[0144] ●Upload stage.

[0145] • Execution Entity: Ordinary User

[0146] For all i∈U1, ordinary user i generates a mask vector respectively. and calculate And send M (i) For the initiator and the server.

[0147] Step 3: After aggregating the received mask vectors, remove the masks from the resulting aggregated result to obtain the training model after this round of federated learning.

[0148] The server aggregates the gradient vector after receiving the mask, and uses the five-stage Aggregate method of the secure aggregation protocol of this invention to remove the mask, thereby obtaining the final aggregation result.

[0149] ●Aggregate phase.

[0150] • Execution entities: Initiator and Server

[0151] 1. For all i∈U1, receive M (i) Then, the server adds i to the set U2, which is initialized to an empty set, and calculates the aggregated mask vector. Send U2 and Smsk s To the initiator;

[0152] 2. For all i∈U1, receive M (i) Then, the initiator adds i to the set that was initialized to an empty set. In the middle, if Then send Give the server the termination protocol; otherwise, continue the protocol.

[0153] 3. For all i∈U2, the initiator computes the final solution mask vector. And send Smsk to the server;

[0154] 4. The server calculates the aggregation results. And verify If the condition is met, accept and output the aggregation result; otherwise, terminate the protocol.

[0155] In summary, this invention constructs a practical secure aggregation protocol for federated learning malicious attacks. The protocol is constructed such that E2 = (Gen, Com, Open, Ver) is a DL-extractable ambiguous commitment scheme, PRG is a pseudo-random generator, and the secure aggregation protocol completes each round of federated learning training through five steps (Setup, Commit, Generate Mask, Upload, Aggregate).

[0156] The following example illustrates the process of combining the secure aggregation protocol of the present invention with existing federated learning techniques:

[0157] 1) The initiator initializes the training model, sends it to the server, and negotiates parameters with the server: total number of participating users, input vector dimension, domain of input vector, system security parameters; and broadcasts these parameters.

[0158] 2) The server helps the initiator and ordinary users establish communication, and each ordinary user has a unique identifier i;

[0159] 3) A trusted third party invokes the Gen algorithm, obtains the commitment key, and broadcasts it to all ordinary users, initiators, and servers; trapdoors are removed;

[0160] 4) The gradient vectors obtained by the initiator and ordinary users through local training are used as input vectors, and the commitment algorithm Com is called to obtain the commitment value;

[0161] 5) The initiator and the server generate a challenge by tossing coins together, and then broadcast the challenge value;

[0162] 6) Both the initiator and the ordinary user respond to the challenge, call the Open algorithm, and send the Open message and the corresponding Gm value to the initiator and the server;

[0163] 7) The initiator and the server call the verification algorithm Ver to verify the received commitment value, open message and corresponding Gm value; broadcast the set of verified users to each other, and each generates a mask seed to send to the corresponding ordinary users;

[0164] 8) Ordinary users generate a mask vector using the received mask seed, and upload the masked gradient vector to the initiator and the server;

[0165] 9) The initiator and the server first aggregate the mask vector, and then eliminate the mask through interaction to finally obtain the aggregated result.

[0166] The above embodiments are only used to illustrate the technical solutions of the present invention and are not intended to limit them. Those skilled in the art can modify or equivalently replace some components of the technical solutions of the present invention without departing from the spirit and scope of the present invention. The protection scope of the present invention should be determined by the claims.

Claims

1. A practical method for federated learning of malicious security aggregation, characterized in that, Applied to a server, the method includes: After receiving the initial training model from the initiator, negotiate the total number of participating users with the initiator. Input vector dimension Domain of input vector and system security parameters And broadcast; The trained model obtained after the previous round of federated learning is broadcast to ordinary users. To enable every ordinary user willing to participate in this round of federated learning tasks And / or the trained model obtained by the initiator after training the previous round of federated learning task locally, combined with the input vector dimension. The domain of the input vector and the system security parameters Masking the gradient vectors updated during training. ; After aggregating the received mask vectors, the masks are removed from the resulting aggregated result to obtain the training model after this round of federated learning. Wherein, the combination of the input vector dimension The domain of the input vector and the system security parameters Masking the gradient vectors updated during training includes: The server initiator and ordinary users willing to participate in this round of federated learning tasks. Communication between them; The server receives the commitment key. The commitment key For a trusted third party based on the system security parameters The input vector dimension and the domain of the input vector generate; The server receives the third commitment value from the initiator. and ordinary users The third commitment value ; wherein, the third commitment value Included in the commitment key and gradient vector The generated commitment value The third commitment value Included in the commitment key and gradient vector The generated commitment value ; The server obtains all third-party commitment values. The initiator conducts a two-way safe coin toss and receives a challenge. And broadcast, so that the initiator and the ordinary user Responding to the challenge The initiator responds to the challenge. Includes: Broadcast commitment value Broadcast based on the promised key The challenges mentioned and commitment value The received open message and broadcast based on committed keys and the gradient vector Received message value The ordinary user Responding to the challenge Includes: the commitment value Send to the initiator and server, based on the promised key The challenges mentioned and the commitment value Generate open message Send to the initiator and server, and will be based on the commitment key. and the gradient vector Generated message value Send to the initiator and the server; The server verifies the broadcast commitment value in conjunction with the initiator. The opened message The message value A verification set is obtained so that each ordinary user in the verification set... Based on mask seed The mask seed selected by the server and gradient vector Generate mask vector .

2. The method as described in claim 1, characterized in that, The commitment key For a trusted third party based on the system security parameters The input vector dimension and the domain of the input vector Generation, including: Based on selection Cyclic group Generate public-private key pairs for the ElGamal encryption scheme. The private key , Modulo prime number The multiplication group, the public key The public key The first element It is the prime number. Cyclic group The generator, the public key The second element ; Based on the system security parameters Generate optimized public-private key pairs for the Paillier encryption scheme. The private key , prime number and prime numbers Divisible by each , and The greatest common factor is , These are system security parameters. polynomial, prime numbers of bit length and prime numbers satisfy The public key The public key The first element The bit length is The public key The second element , , For model Multiplicative group, parameters and and Coprime, for Prime numbers with a bit length; Based on the system security parameters Generate the commitment key and trapdoor for the Damgård-Fujisaki integer commitment scheme. The commitment key The commitment key The second element The commitment key The first element random numbers , For model The integer group, the trapdoor ; Generate the commitment key and trapdoor for the Pedersen commitment scheme ; wherein, the trapdoor The commitment key The commitment key The first element in It is a prime number Cyclic group Another generator, the commitment key The second element ; Randomly select a collision-resistant hash function ; From the cyclic group Randomly select one dimensional vector ; Output commitment key and trapdoor .

3. The method as described in claim 2, characterized in that, The server receives the third commitment value from the initiator. ,include: The initiator calculates the gradient vector. Corresponding message value ,in It is the gradient vector The One portion, It is a vector No. One component; The initiator selects a random number. And encrypt the message value based on the ElGamal encryption scheme. Generate the first commitment value ; Initiator selection 3D random vector For all indexes Encrypted with optimized Paillier generate The second commitment value was obtained. ; The initiator selects a random number. random numbers , 3D random vector , 3D random vector random numbers To obtain a set of random numbers ;in, , , respectively model , , The integer group, with the superscript at the top right. This indicates repeated random selection within the group. This time received 3D random vector; The initiator is based on a set of random numbers. Calculate the randomized message set Among them, random messages Random message Random message Random message Random message ; The initiator constructs the statement message to be proved. and calculate the stated message hash value ; The initiator selects a random number. Using Pedersen commitment hash value To generate a third commitment value ; Generate the initiator's commitment value ; The initiator broadcasts the third commitment value. So that the server can obtain the third commitment value. .

4. The method as described in claim 3, characterized in that, The initiator broadcasts based on the commitment key. The challenges mentioned and commitment value The received open message ,include: By calculating the response value Response value Response value and response value Receive response value ; Generate open message .

5. The method as described in claim 4, characterized in that, The server verifies the broadcast commitment value in conjunction with the initiator. The opened message The message value A set of verified users is obtained, such that each ordinary user in the set of verified users... Based on mask seed The mask seed selected by the server and gradient vector Generate mask vector ,include: For each ordinary user Commitment value and open message , call Verification algorithm Verification is required; The commitment value and the open message If it is correct, then this ordinary user Add to the validation set ; For all For regular users, the server randomly selects seeds. Generate mask vector and random seed Send to the corresponding user Then, broadcast verification set ; Validation set Is it equivalent to the verification set? ; wherein, the verification set It is initiated by the organizer targeting each ordinary user. Commitment value and open message Based on the call Verification algorithm The results were obtained through verification. If the verification set Equivalent to the verification set The initiator then randomly selects a seed. Generate mask vector and seeds Send to the corresponding user Then, broadcast verification set ; For all ordinary users Based on seeds and seeds Generate mask vector Then, the mask vector Return to the server and the initiator.

6. The method as described in claim 5, characterized in that, After removing the mask from the mask vector, the gradient vector aggregation includes: The server receives the mask vector. Then, the corresponding ordinary users Add to collection And calculate the aggregated mask vector. Then, send the set. and mask vector To the initiator; The initiator receives the mask vector Then, the corresponding ordinary users Add to collection and determine the set Is it equivalent to a set? ; In the set Equivalent to a set In this case, the initiator calculates the final demask vector. and the demasking vector Send to the server; The server calculates the aggregation results. and verify Is it valid? exist If true, the aggregation result will be... This serves as the aggregation result of the gradient vectors in this round.

7. A practical federated learning malicious security aggregation device, characterized in that, The device includes: The initialization module is used to receive the training model initialized by an initiator and then negotiate the total number of participating users with the initiator. Input vector dimension Domain of input vector and system security parameters And broadcast; The model distribution module is used to broadcast the trained model obtained after the previous round of federated learning to ordinary users. To enable every ordinary user willing to participate in this round of federated learning tasks And / or the trained model obtained by the initiator after training the previous round of federated learning task locally, combined with the input vector dimension. The domain of the input vector and the system security parameters Masking the gradient vectors updated during training. ; The vector aggregation module is used to aggregate the received mask vectors and then remove the mask from the resulting aggregated result to obtain the training model after this round of federated learning. Wherein, the combination of the input vector dimension The domain of the input vector and the system security parameters Masking the gradient vectors updated during training includes: The server initiator and ordinary users willing to participate in this round of federated learning tasks. Communication between them; The server receives the commitment key. The commitment key For a trusted third party based on the system security parameters The input vector dimension and the domain of the input vector generate; The server receives the third commitment value from the initiator. and ordinary users The third commitment value ; wherein, the third commitment value Included in the commitment key and gradient vector The generated commitment value The third commitment value Included in the commitment key and gradient vector The generated commitment value ; The server obtains all third-party commitment values. The initiator conducts a two-way safe coin toss and receives a challenge. And broadcast, so that the initiator and the ordinary user Responding to the challenge The initiator responds to the challenge. Includes: Broadcast commitment value Broadcast based on the promised key The challenges mentioned and commitment value The received open message and broadcast based on committed keys and the gradient vector Received message value The ordinary user Responding to the challenge Includes: the commitment value Send to the initiator and server, based on the promised key The challenges mentioned and the commitment value Generate open message Send to the initiator and server, and will be based on the commitment key. and the gradient vector Generated message value Send to the initiator and the server; The server verifies the broadcast commitment value in conjunction with the initiator. The opened message The message value A verification set is obtained so that each ordinary user in the verification set... Based on mask seed The mask seed selected by the server and gradient vector Generate mask vector .

8. A computer device, characterized in that, The computer device includes: a processor and a memory storing computer program instructions; when the processor executes the computer program instructions, it implements the practical federated learning malicious security aggregation method as described in any one of claims 1-6.