An anti-poisoning federated learning method and system based on function encryption

By employing multi-client function encryption technology with function hiding, we have achieved ciphertext similarity calculation and malicious gradient detection in federated learning. This solves the problems of model poisoning attacks and non-independent and identically distributed data distribution, thereby improving the robustness and accuracy of federated learning.

CN122179100APending Publication Date: 2026-06-09QUAN CHENG LABORATORY

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
QUAN CHENG LABORATORY
Filing Date
2026-03-24
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing federated learning methods face challenges in terms of model security and user privacy protection, especially in the difficulty of detecting model poisoning attacks and in the case of non-independent and identically distributed client data, making it difficult to effectively utilize gradient information for learning.

Method used

Employing the multi-client function encryption (FH-MCFE) technique with function hiding, malicious gradients are identified by calculating the cosine similarity between gradients in the ciphertext and then weighted and aggregated to enhance Byzantine robustness. The Federated Learning Function-Hiding Functional Encryption (FFFE) algorithm is designed, which involves the collaborative work of the client, server, and key center.

Benefits of technology

While protecting privacy, it effectively identifies and prevents malicious gradient poisoning, improves the federated learning effect under heterogeneous data, and enhances the robustness and accuracy of model training.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122179100A_ABST
    Figure CN122179100A_ABST
Patent Text Reader

Abstract

This invention relates to a poisoning-resistant federated learning method and system based on function encryption, comprising a client, a server, and a key center. The client is responsible for model training and providing ciphertext gradients, the server is responsible for poisoning gradient detection and Byzantine aggregation, and the key center is responsible for generating the parameters and keys for FFFE (Frequency-Frequency-Enhanced) learning. This invention implements the inner product operation between a single client's ciphertext vector and a specific vector, ensuring function hiding while avoiding interference from ciphertext label verification on gradient decryption. This invention can calculate the cosine similarity between gradients under ciphertext to identify malicious updates and detect whether the client has generated a fake gradient key, preventing malicious clients from interfering with poisoning detection. Weighted aggregation based on confidence levels enhances the Byzantine robustness of the federated learning system, demonstrating good poisoning defense performance under both client-IID and non-IID data distributions.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to a function-based encryption-based anti-poisoning federated learning method and system, belonging to the field of information security technology. Background Technology

[0002] Federated Learning (FL), as an emerging machine learning paradigm, allows multiple data owners to collaboratively train a shared global model without directly sharing the original data. While enabling collaborative model training, Federated Learning effectively protects the data privacy of participating parties, alleviating to some extent the data silo problem faced by traditional machine learning. However, traditional federated learning still faces significant challenges in model security and user privacy protection. Research shows that even if participants only exchange local model updates, they are vulnerable to inference and reconstruction attacks, potentially leading to user privacy breaches.

[0003] To address these challenges, Privacy-Preserving Federated Learning (PPFL) has emerged. It typically employs cryptographic primitives and secure multi-party computation (MPC) techniques to protect the privacy of model updates and achieve secure aggregation. While PPFL effectively reduces the risk of privacy breaches, the encryption of local model updates makes detection of model poisoning attacks difficult; applying existing defense strategies to plaintext updates could compromise established privacy guarantees.

[0004] Functional encryption (FE) offers a novel approach to improving the efficiency and security of privacy-preserving federated learning. Inner product function encryption is a special type of function encryption that supports vector inner product computation. Given ciphertext... ( ) and with Associated decryption key The decryptor can only obtain The inner product result, but cannot obtain information about Any other information. Multi-Input Functional Encryption (MIFE) is an extension of it to multi-participant encryption, allowing multiple participants... Input and encrypt vector Each component Final decryption calculation The value of . Multi-Client Functional Encryption (MCFE) introduces a tagging mechanism on top of MIFE, ensuring that only ciphertexts carrying the same tag can be combined for decryption. This solves the mix-and-match problem between ciphertexts from different rounds and avoids potential additional information leakage. Function-Hiding Multi-Input Functional Encryption (FH-MIFE) further protects the privacy of the vector associated with the decryption key on top of MIFE, so that the decryption process does not require the plaintext information of the vector. Similarly, by introducing tag binding on top of FH-MIFE, we can obtain Function-Hiding Multi-Client Functional Encryption (FH-MCFE). In federated learning involving multiple rounds of interaction between the client and server, FH-MCFE can more effectively protect the privacy of client data.

[0005] Existing function-based encryption poisoning defense methods typically lack function hiding capabilities, only supporting cosine similarity calculation between client-local gradients and global gradients. However, when client-local data distributions are not independent and identically distributed, this method easily misclassifies normally diverging benign gradients as malicious gradients, causing the model to fail to effectively learn data from various distributions. Therefore, it is necessary to design an FH-MCFE scheme that simultaneously supports secure gradient aggregation and similarity calculation between client gradients, and construct a corresponding federated learning framework. This will allow for the effective utilization of client gradient information while protecting privacy, thereby improving the effectiveness of federated learning poisoning defense under heterogeneous data. Summary of the Invention

[0006] To address the shortcomings of existing technologies, this invention provides a poisoning-resistant federated learning method and system based on function encryption. The proposed Federated Learning Function-Hiding Functional Encryption (FFFE) algorithm includes a client... ( The system consists of a client (S), a server (S), and a key center (KC). The client is responsible for model training and providing encrypted gradients. The server is responsible for poisoning gradient detection and Byzantine aggregation. The key center is responsible for generating the parameters and keys for FFFE (Federated Learning Forward). This invention can calculate the cosine similarity between gradients in encrypted form to identify malicious updates and detect whether clients have generated fake gradient keys, preventing malicious clients from interfering with poisoning detection. Weighted aggregation based on confidence levels enhances the Byzantine robustness of the federated learning system.

[0007] Terminology Explanation:

[0008] 1. - Linear assumption ( -Linear, -LIN): is a class of decision-difficult hypotheses defined on prime-order cyclic groups; given a prime-order pairwise group... ,make For a fixed integer (usually) ), randomly selected , ,⋯, , ( For modulo 0 not included Finite field), randomly selected , ,⋯, No polynomial-time opponent can distinguish the following two distributions by a non-negligible advantage:

[0009] ;

[0010] ;

[0011] Right now ,in For safety parameters.

[0012] 2. Bilinear Pairing Group Generation: This is a standard algorithm in cryptography that takes a security parameter and outputs a set of bilinear group parameters. This algorithm builds the core mathematical structure required for pairing-based cryptography and is widely used in identity-based encryption, short signature and other protocols.

[0013] 3. Dual Pairing Vector Spaces (DPVS): Proposed by Okamoto and Takashima in 2009, DPVS is the standard framework for constructing vector spaces and related cryptographic schemes on bilinear groups of prime order in cryptography.

[0014] 4. Biorthogonal basis generator (OBGen): This is a biorthogonal basis generation algorithm in the dual paired vector space (DPVS) framework proposed by Okamoto and Takashima.

[0015] The technical solution of the present invention is as follows:

[0016] The first aspect of this invention provides a function-based cryptographic anti-poisoning federated learning method, comprising:

[0017] Step 1: The key center generates public parameters, encrypted orthogonal basis, and decrypted orthogonal basis; the server initializes the global model; and sends the encrypted orthogonal basis and global model to all clients.

[0018] Step 2: The client receives the global model, trains it locally to obtain the local gradient, calculates the ciphertext based on the local gradient and the encrypted orthogonal basis, and sends it to the server;

[0019] Step 3: If the global model is being trained for the first time, the server sets the aggregate weights and calculates the aggregate key based on the decrypted orthogonal basis; it calculates the global gradient using the aggregate key and the ciphertext, updates the global model using the global gradient, and distributes the global model to all clients.

[0020] Otherwise, the server calculates the gradient key based on the global gradient obtained from the previous training round and the decrypted orthogonal basis, calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client.

[0021] After malicious gradient detection, the client calculates the aggregation key, and uses the aggregation key and ciphertext to calculate the global gradient. The global gradient is then used to update the global model, and the global model is distributed to all clients.

[0022] Step 4: Repeat steps 2 and 3 until the preset number of training rounds is reached or the global model accuracy reaches the preset target, and the final global model is obtained.

[0023] According to a preferred embodiment of the present invention, the specific implementation process of step 1 includes:

[0024] Set the security parameter λ, vector length m, number of clients n, and upper bound β of the vector inner product;

[0025] Based on the finite field F p ={0,1,2,3,...,p-1}, a bilinear group is randomly generated using the bilinear pairwise group generation algorithm. =( , , , , , ); where p is the order, and ; , , for Cyclic groups of order 1 , Groups , generator, Bilinear mapping function : ;

[0026] With bilinear group Generate a 2m+2k+1 dimensional dual pairing vector space for the parameters. = , , , , , ;in for -Parameters of the linear hypothesis , Representing groups respectively , A 2m+2k+1 dimensional vector space, , For the standard basis of the corresponding group, It is a bilinear mapping function;

[0027] From the finite field F p Randomly select elements Computational group generator = ;

[0028] Pair the dual vector space and random numbers As parameters, dual orthogonal bases are generated using the OBGen biorthogonal basis generator. and ;in, and They are vector spaces and The base, and Let B and B represent the dual orthogonal basis respectively. The 2m+2k+1th basis vector;

[0029] Each client sets an encrypted orthogonal basis based on a randomly generated dual orthogonal basis. Decrypting orthogonal bases As shown below:

[0030] ;

[0031] ;

[0032] in, , They represent the client respectively. Encrypted orthogonal basis Decrypting orthogonal bases The m-th basis vector;

[0033] Obtain common parameters =( , , and the master private key = , Where H represents the hash function, H: ;

[0034] Server initializes global model t is the number of training rounds, and the encrypted orthogonal basis and global model are distributed to all clients.

[0035] According to a preferred embodiment of the present invention, step 2 includes the following specific implementation process:

[0036] Client Receive global model from server Train the global model locally to obtain the local gradient. ,in This represents the gradient vector value of the m-th dimension of client i;

[0037] Calculate local gradient L2 norm ;

[0038] Client Using encrypted orthogonal basis Encrypted local gradients Obtain the ciphertext Including: from the finite field F p Random sampled elements ,in Indicates the first random sample taken by client i 1 element; local gradient As plaintext vector The encrypted ciphertext is calculated as follows:

[0039] = + + ;

[0040] in, This represents the encrypted ciphertext of the i-th client. Represents the plaintext vector of client i The One portion, Indicates the first random sample taken by client i One element, , , They represent the client respectively. Encrypted orthogonal basis The 2m+1 and basis vectors Indicates label The hash function output, label For bit strings of arbitrary length ;

[0041] Finally obtained the ciphertext = ( , );

[0042] Client ciphertext and L2 norm Send to the server.

[0043] According to a preferred embodiment of the present invention, the server sets aggregate weights and calculates an aggregate key based on the decrypted orthogonal basis; calculates the global gradient using the aggregate key and the ciphertext, updates the global model using the global gradient, and distributes the global model to all clients; including:

[0044] The server will aggregate the weights for each client. Set as where n is the number of clients;

[0045] In the finite field F p The mask value is randomly sampled for each client: ;in, Let represent the mask for random sampling by client i, and satisfy . = ; This represents the (k-1)th mask value randomly sampled by client i;

[0046] Calculate the decryption key As shown below:

[0047] = + + ;

[0048] in, Represents the aggregate weight vector The j-th dimension component, aggregate weight vector = ( ), where dimension The amount Aggregate weights All others are 0; , , Let i represent the decryption orthogonal basis of client i, respectively. The jth, 2m+1th and basis vectors Indicates the sampling of client i. One mask value;

[0049] Obtain the aggregation key = ;

[0050] Compute using aggregated key and ciphertext = = = ;in, This represents the intermediate result of the discrete logarithm to be solved; For target group Generators;

[0051] Through calculation = The discrete logarithm is used to obtain the inner product result. = ;in, This represents the plaintext vector, i.e., the local gradient. , For aggregation dimension The corresponding aggregated weight vector; inner product result This refers to the j-th dimension component of the global gradient. The global gradient is obtained by calculating the inner product of all dimensions. ;

[0052] The server uses global gradients. Update the global model: ;in The learning rate is used to update the global model. Distribute to all clients.

[0053] According to a preferred embodiment of the present invention, the server calculates the gradient key based on the global gradient obtained from the previous training round and the decryption orthogonal basis, calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client; including:

[0054] The server uses the global gradient obtained from the previous training round. Query the gradient key from the key center;

[0055] The key center receives query requests in the finite field F p Random sampling ;in This represents the (k-1)th mask value randomly sampled by client i;

[0056] The gradient key is calculated as follows:

[0057] = + ;

[0058] in, Representing vectors The Dimensional components; vector Global gradient ; and These represent the first and second halves of the client i, respectively. The and the first One mask value;

[0059] gradient key Send to the server;

[0060] The server uses ciphertext. and gradient key ,calculate = = = ;in, This represents the intermediate result of the discrete logarithm to be solved. Represents the local gradient of client i , For target group Generators;

[0061] calculate = The inner product is obtained from the discrete logarithm. = Inner product And calculate the cosine similarity. = ;

[0062] The server finds the cosine similarity. Minimal client , The cosine similarity is Client Provide local gradients to the key center and will Local gradient Recorded as the standard for poisoning ;

[0063] Key center generates poisoning benchmark gradient key And send it to the server, including in the limited domain F p Random sampling ;in This represents the (k-1)th mask value randomly sampled by client i;

[0064] Calculate gradient key = + ;

[0065] in, Representing vectors The Dimensional component values, vector As a benchmark for poisoning ; Indicates the first random sample taken by client i One mask value;

[0066] Client The ciphertext is Using ciphertext and gradient key Computing Client Local gradient Compared with the standard of poisoning inner product result and calculate the client The local gradient and the cosine similarity to the poisoning benchmark. = ;

[0067] like Then the client Add to a malicious client pool and discard the ciphertext. Cosine similarity and gradient key Reselect cosine similarity The lowest-ranking client is selected, and the cosine similarity between the local gradient and the poisoned benchmark is calculated. Until .

[0068] According to a preferred embodiment of the present invention, after malicious gradient detection, the client calculates an aggregate key, calculates a global gradient using the aggregate key and ciphertext, updates the global model using the global gradient, and distributes the global model to all clients; including:

[0069] The server uses ciphertext { } and gradient key Calculate the local gradient and poisoning benchmark for different clients. inner product result And calculate the cosine similarity. = ;

[0070] Calculate the confidence level for each client. = Set the aggregate weight of each client to = ;

[0071] The server uses aggregate weights. The malicious client group queries the key center for an aggregated key; the key center generates the aggregated key. Including in the finite field F p In the middle, there is a random sampling mask value for the set of non-malicious clients: ;in, Let represent the mask for random sampling by client i, and satisfy . = ; This represents the (k-1)th mask value randomly sampled by client i;

[0072] Calculate the decryption key = + + ;in, Represents the aggregate weight vector The j-th dimension component, aggregate weight vector = ( (i.e., aggregated dimension) The amount The above is the aggregate weight. All others are 0; Decoding orthogonal basis The basis vectors; Indicates the sampling of client i. One mask value;

[0073] Obtain the aggregation key = ,in, It belongs to the set of non-malicious customers;

[0074] Aggregate key And send it to the server;

[0075] The server uses ciphertext { } and aggregate key The global gradient for this round was calculated. ;

[0076] The server uses global gradients. Updated global model: ;in The learning rate is used to update the global model. Distribute to all clients.

[0077] A computer device includes a memory and a processor, the memory storing a computer program, the processor executing the computer program to implement steps of a function-based encryption-based anti-poisoning federated learning method.

[0078] A computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of a function-encrypted anti-poisoning federated learning method.

[0079] A second aspect of the present invention provides a poisoning-resistant federated learning system based on function encryption, comprising:

[0080] The initialization module is configured to: generate common parameters, encrypted orthogonal basis, and decrypted orthogonal basis at the key center; initialize the global model on the server; and send the encrypted orthogonal basis and global model to all clients.

[0081] The local training module is configured such that the client receives the global model, trains it locally to obtain the local gradient, calculates the ciphertext based on the local gradient and the encrypted orthogonal basis, and sends it to the server.

[0082] The model update module is configured as follows: if the global model is in the first round of training, the server sets the aggregate weights and calculates the aggregate key based on the decrypted orthogonal basis; calculates the global gradient using the aggregate key and the ciphertext, updates the global model using the global gradient, and distributes the global model to all clients;

[0083] Otherwise, the server calculates the gradient key based on the global gradient obtained from the previous training round and the decrypted orthogonal basis, calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client.

[0084] After malicious gradient detection, the client calculates the aggregation key, and uses the aggregation key and ciphertext to calculate the global gradient. The global gradient is then used to update the global model, and the global model is distributed to all clients.

[0085] The final global model acquisition module is configured to repeatedly execute the local training module and the model update module until the preset number of training rounds is reached or the global model accuracy reaches the preset target, thus obtaining the final global model.

[0086] The beneficial effects of this invention are as follows:

[0087] 1. A function hiding multi-client function encryption method FFFE is proposed for defense against poisoning in federated learning. It realizes the inner product operation between the vector ciphertext of a single client and a specific vector, which ensures function hiding while avoiding interference from the label verification of the ciphertext to the gradient decryption.

[0088] 2. A privacy-preserving federated learning method based on FFFE is proposed, which supports calculating the cosine similarity of gradients under ciphertext to judge malicious updates, identify whether the client submits a fake gradient key, and perform weighted aggregation based on confidence. It has good poisoning defense effect under both client IID and non-IID data distributions. Attached Figure Description

[0089] Figure 1 This is a schematic diagram illustrating how the encryption time overhead of the function in this invention varies with the number of clients;

[0090] Figure 2 This is a schematic diagram illustrating how the encryption time overhead of the function in this invention varies with the vector dimension;

[0091] Figure 3 This is a schematic diagram illustrating the accuracy variation under the IID data distribution of this invention; Figure 3 (a) shows the change in accuracy of targeted poisoning attacks on the MNIST dataset. Figure 3 (b) is a schematic diagram showing the accuracy changes of non-targeted poisoning attacks under MNIST. Figure 3 (c) is a schematic diagram illustrating the accuracy changes of targeted poisoning attacks under the CIFAR10 dataset; Figure 3 (d) is a schematic diagram illustrating the accuracy changes of non-targeted poisoning attacks under the CIFAR10 dataset;

[0092] Figure 4 This is a schematic diagram illustrating the accuracy variation under the non-IID data distribution of this invention; Figure 4 (a) shows the change in accuracy of targeted poisoning attacks on the MNIST dataset. Figure 4 (b) is a schematic diagram showing the accuracy changes of non-targeted poisoning attacks under MNIST. Figure 4 (c) is a schematic diagram illustrating the accuracy changes of targeted poisoning attacks under the CIFAR10 dataset; Figure 4 (d) is a schematic diagram illustrating the accuracy changes of non-targeted poisoning attacks under the CIFAR10 dataset. Detailed Implementation

[0093] The present invention will be further described below with reference to the embodiments and accompanying drawings, but is not limited thereto.

[0094] Example 1

[0095] A poisoning-resistant federated learning method based on function encryption includes:

[0096] Step 1: The key center generates public parameters, encrypted orthogonal basis, and decrypted orthogonal basis; the server initializes the global model; and sends the encrypted orthogonal basis and global model to all clients.

[0097] Step 2: The client receives the global model, trains it locally to obtain the local gradient, calculates the ciphertext based on the local gradient and the encrypted orthogonal basis, and sends it to the server;

[0098] Step 3: If the global model is being trained for the first time, the server sets the aggregate weights and calculates the aggregate key based on the decrypted orthogonal basis; it calculates the global gradient using the aggregate key and the ciphertext, updates the global model using the global gradient, and distributes the global model to all clients.

[0099] Otherwise, the server calculates the gradient key based on the global gradient obtained from the previous training round and the decrypted orthogonal basis, calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client.

[0100] After malicious gradient detection, the client calculates the aggregation key, and uses the aggregation key and ciphertext to calculate the global gradient. The global gradient is then used to update the global model, and the global model is distributed to all clients.

[0101] Step 4: Repeat steps 2 and 3 until the preset number of training rounds is reached or the global model accuracy reaches the preset target, and the final global model is obtained.

[0102] Example 2

[0103] The difference between the anti-poisoning federated learning method based on function encryption described in Example 1 and the method described in Example 1 is as follows:

[0104] The specific implementation process of step 1 includes:

[0105] Set the security parameter λ (preset input such as λ=128), vector length m (length of the vector to be encrypted), number of clients n, and upper bound of the vector inner product β (set according to the actual computation message size).

[0106] Based on the finite field F p ={0,1,2,3,...,p-1}, a bilinear group is randomly generated using the Bilinear Pairing Group Generation algorithm. =( , , , , , ); where p is the order (a prime number with 2λ digits), and ; , , for Cyclic groups of order 1 , Groups , generator, Bilinear mapping function : (This is a function naturally defined by elliptic curve pairing, which can convert a set of...) , Elements in the group are mapped to the target group superior);

[0107] With bilinear group Generate a 2m+2k+1 dimensional dual pairing vector space for the parameters. = , , , , , ;in for - Linear assumption ( The parameter (k=2) of -LIN) , Representing groups respectively , A 2m+2k+1 dimensional vector space, , For the standard basis of the corresponding group, It is a bilinear mapping function;

[0108] From the finite field F p (Excluding zero elements) Randomly select elements Computational group generator = ;

[0109] Pair the dual vector space and random numbers As parameters, dual orthogonal bases are generated using the OBGen biorthogonal basis generator. and (OBGen uses a random invertible matrix) Calculate its dual matrix. (in It is a random non-zero constant, and -1 represents the inverse of the matrix. (Indicates transpose), for Each row vector calculate (in For standard base The (basic vectors) That is, the first of the dual orthogonal bases B Similarly, using basis vectors, we can... calculate available );in, and They are vector spaces and The base, satisfying = , ; and Let B and B represent the dual orthogonal basis respectively. The 2m+2k+1th basis vector;

[0110] Each client sets an encrypted orthogonal basis based on a randomly generated dual orthogonal basis. Decrypting orthogonal bases As shown below:

[0111] ;

[0112] ;

[0113] in, , They represent the client respectively. Encrypted orthogonal basis Decrypting orthogonal bases The m-th basis vector (in the dual orthogonal basis) and (the m-th basis vector selected in the middle).

[0114] Obtain common parameters =( , , and the master private key = , Where H represents the hash function, H: (Able to map label inputs to a finite field F modulo p) p Above, such as bit string labels Calculate using a standard hash function (such as SHA-256) hash value The hash value is converted into an integer, and the final hash result is obtained by taking the modulo of p.

[0115] Server initializes global model t is the number of training rounds (t=0). If a suitable model structure is selected (such as CNN, ResNet-18), the weights of each layer are randomly sampled using a standard weight initialization method that matches the activation function (such as He initialization or Xavier initialization), the bias term is initialized to 0, and the encrypted orthogonal basis and global model are distributed to all clients.

[0116] The specific implementation process of step 2 includes:

[0117] Client Receive global model from server (The global model is initialized at t=0). The global model is trained locally to obtain the local gradient. ,in This represents the gradient vector value of the m-th dimension of client i;

[0118] Calculate local gradient L2 norm ;

[0119] Client Using encrypted orthogonal basis Encrypted local gradients Obtain the ciphertext Including: from the finite field F p Random sampled elements ,in Indicates the first random sample taken by client i 1 element; local gradient As plaintext vector The encrypted ciphertext is calculated as follows:

[0120] = + + ;

[0121] in, This represents the encrypted ciphertext of the i-th client. Represents the plaintext vector of client i The One portion, Indicates the first random sample taken by client i One element, , , They represent the client respectively. Encrypted orthogonal basis The 2m+1 and basis vectors Indicates label The hash function output, label For bit strings of arbitrary length (In each round, the key center publicly broadcasts a random tag) All clients use the same label for encryption, but the key center generates different labels for different rounds. );

[0122] Finally obtained the ciphertext = ( , );

[0123] Client ciphertext and L2 norm Send to the server.

[0124] The server sets the aggregation weights and calculates the aggregation key based on the decrypted orthogonal basis; it calculates the global gradient using the aggregation key and ciphertext, updates the global model using the global gradient, and distributes the global model to all clients; including:

[0125] Perform the first round of the Byzantine convergence phase of FL;

[0126] The server will aggregate the weights for each client. Set as where n is the number of clients;

[0127] In the finite field F p The mask value is randomly sampled for each client: ;in, Let represent the mask for random sampling by client i, and satisfy . = ; This represents the (k-1)th mask value randomly sampled by client i;

[0128] Calculate the decryption key As shown below:

[0129] = + + ;

[0130] in, Represents the aggregate weight vector The j-th dimension component, aggregate weight vector = ( ), where dimension The amount Aggregate weights All others are 0; , , Let i represent the decryption orthogonal basis of client i, respectively. The jth, 2m+1th and basis vectors Indicates the sampling of client i. One mask value;

[0131] Obtain the aggregation key = ;

[0132] Compute using aggregated key and ciphertext = = = ;in, This represents the intermediate result of solving the discrete logarithm (in the target group). (intermediate calculation results above) For target group Generators;

[0133] Through calculation = The discrete logarithm is used to obtain the inner product result. = ;in, This represents the plaintext vector, i.e., the local gradient. , For aggregation dimension The corresponding aggregated weight vector; inner product result This refers to the j-th dimension component of the global gradient. The global gradient is obtained by calculating the inner product of all dimensions. ;

[0134] The server uses global gradients. Update the global model: ;in The learning rate is used to update the global model. Distribute to all clients.

[0135] The server calculates the gradient key based on the global gradient obtained from the previous training round and the decryption orthogonal basis. It then calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client. This includes:

[0136] If it's not the first round of federated learning (FL), a malicious gradient detection phase is performed after the local training phase (assuming all local gradients in the initial training rounds are benign, therefore malicious gradient detection is not performed during the first round of federated learning training, and federated averaging is performed directly):

[0137] The server uses the global gradient obtained from the previous training round. Query the gradient key from the key center;

[0138] The key center receives query requests in the finite field F p Random sampling ;in This represents the (k-1)th mask value randomly sampled by client i;

[0139] The gradient key is calculated as follows:

[0140] = + ;

[0141] in, Representing vectors The Dimensional components; vector Global gradient ; and These represent the first and second halves of the client i, respectively. The and the first One mask value;

[0142] gradient key Send to the server;

[0143] The server uses ciphertext. and gradient key ,calculate = = = ;in, This represents the intermediate result of the discrete logarithm to be solved. Represents the local gradient of client i , For target group Generators;

[0144] calculate = The inner product is obtained from the discrete logarithm. = Inner product (Local gradient) With global gradient (the inner product result), and calculate the cosine similarity. = ;

[0145] The server finds the cosine similarity. Minimal client , The cosine similarity is Client Provide local gradients to the key center and will Local gradient Recorded as the standard for poisoning ;

[0146] Key center generates poisoning benchmark gradient key And send it to the server, including in the limited domain F p Random sampling ;in This represents the (k-1)th mask value randomly sampled by client i;

[0147] Calculate gradient key = + ;

[0148] in, Representing vectors The Dimensional component values, vector As a benchmark for poisoning ; Indicates the first random sample taken by client i One mask value;

[0149] Client The ciphertext is Using ciphertext and gradient key Computing Client Local gradient Compared with the standard of poisoning inner product result (Use the same method as above, such as) = = = ,calculate The inner product is obtained by taking the discrete logarithm of the product and calculating the client. The local gradient and the cosine similarity to the poisoning benchmark. = ;

[0150] like This indicates the client Generate gradient key Provided Generate ciphertext Gradient used If they are different, then the client will be... Add to a malicious client pool and discard the ciphertext. Cosine similarity and gradient key Reselect cosine similarity The client with the lowest similarity (excluding the previously selected client with the lowest similarity) is selected, and the cosine similarity between the local gradient and the poisoning benchmark is calculated. Until ;

[0151] After malicious gradient detection, the client calculates the aggregation key, and then uses the aggregation key and ciphertext to calculate the global gradient. The global gradient is then used to update the global model, which is subsequently distributed to all clients. This includes:

[0152] Byzantine Assembly Phase: Non-first round FL:

[0153] The server uses ciphertext { } and gradient key Calculate the local gradient and poisoning benchmark for different clients. inner product result (Calculate using the same method as above, such as) = = = ,calculate The inner product is obtained by taking the discrete logarithm, and the cosine similarity is calculated. = ;

[0154] Calculate the confidence level for each client. = Set the aggregate weight of each client to = ;

[0155] The server uses aggregate weights. The malicious client group queries the key center for an aggregated key; the key center generates the aggregated key. Including in the finite field F p In the middle, the mask value is randomly sampled from clients in the non-malicious client set (clients outside the malicious client set): ;in, Let represent the mask for random sampling by client i, and satisfy . = ; This represents the (k-1)th mask value randomly sampled by client i;

[0156] Calculate the decryption key = + + ;in, Represents the aggregate weight vector The j-th dimension component, aggregate weight vector = ( (i.e., aggregated dimension) The amount The above is the aggregate weight. All others are 0; Decoding orthogonal basis The basis vectors; Indicates the sampling of client i. One mask value;

[0157] Obtain the aggregation key = ,in, It belongs to the set of non-malicious customers;

[0158] Aggregate key And send it to the server;

[0159] The server uses ciphertext { } and aggregate key The global gradient for this round was calculated. (e.g., calculation) = = = ,calculate = The discrete logarithm is used to obtain the inner product result. The global gradient is obtained after decryption of all gradient dimensions.

[0160] The server uses global gradients. Updated global model: ;in The learning rate is used to update the global model. Distribute to all clients.

[0161] Global model parameters The current round of FL training ends after the data is sent to all clients, and the next round of FL training begins. When the training has completed the preset number of training rounds or the global model accuracy reaches the preset target, the server obtains the final trained global model. The goal of federated learning is to collaboratively train a high-quality machine learning model with multiple data owners (clients) while protecting user data privacy. The final model can be deployed on the server for user applications to use, or it can be distributed to clients for use.

[0162] Federated learning, as a distributed machine learning paradigm, has broad applicability and can be applied to various data privacy-sensitive fields such as healthcare, finance, smart terminals, and the Internet of Things. The federated learning method and system designed in this invention possess good versatility. The global model obtained after training can be directly deployed on the local devices of participating parties or the central inference node to perform specific intelligent tasks. For example, in facial recognition or medical image analysis scenarios, the global model can be used to detect lesions, segment organs, or verify identities on input images, outputting structured diagnostic or recognition results; in financial risk control scenarios, the global model can perform real-time scoring and anomaly detection of transaction behavior to assist in determining whether fraud risks exist. The above are only typical application examples; the technical solution of this invention is not limited to these and can also be applied to other scenarios requiring collaborative modeling while protecting data privacy.

[0163] Figure 1 The diagram illustrates the time complexity of the FFFE algorithm under different numbers of clients, with each client's vector dimension fixed at 10. The encryption in the diagram represents the total time spent on serial encryption of all client vectors, while aggregate key generation includes aggregate key generation across all vector dimensions. The time complexity of each algorithm increases linearly with the number of clients. Figure 2 This demonstrates the time complexity of the FFFE algorithm under different vector dimensions, with a fixed number of clients (10). Increasing the vector dimension leads to an orthogonal key basis. and The increased size makes initialization and aggregation decryption, which requires pairing operations, more complex; for encryption algorithms, it only increases the vector length of the addition and multiplication processes, so the time cost is linearly related to the dimensionality; however, aggregation key generation involves cyclic processing along the vector dimension, and the keys involved in the calculation... sum vector The size is also affected by the dimensionality, so the variation in its time cost is more significant. Gradient key generation and gradient decryption contain all client ciphertext and a specific vector. The time cost of the inner product operation is linearly related to both the vector dimension and the number of clients. In summary, the main overhead of the FFFE algorithm lies in the aggregation key generation and aggregation decryption algorithms. To address the computational complexity caused by high vector dimensions, segmenting long vectors can be considered in practical applications. Furthermore, employing parallel processing strategies can effectively reduce time overhead. Figure 3 and Figure 4The paper presents the accuracy comparison results of the federated learning scheme of this invention on the MNIST and CIFAR-10 datasets under both IID and non-IID data distributions, against both targeted and non-targeted label-flipping attacks (40% malicious client ratio), compared with other baseline methods (R-PPDFL, FLTrust, Foolsgold, Multi-Krum). The experimental results demonstrate that the scheme of our invention (Ours) has better defense performance against different data distributions and label-flipping attacks.

[0164] Example 3

[0165] A computer device includes a memory and a processor. The memory stores a computer program, and the processor executes the computer program to implement the steps of the function encryption-based anti-poisoning federated learning method described in Embodiment 1 or 2.

[0166] Example 4

[0167] A computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the function-encryption-based anti-poisoning federated learning method described in Embodiment 1 or 2.

[0168] Example 5

[0169] A poisoning-resistant federated learning system based on function encryption includes:

[0170] The initialization module is configured to: generate common parameters, encrypted orthogonal basis, and decrypted orthogonal basis at the key center; initialize the global model on the server; and send the encrypted orthogonal basis and global model to all clients.

[0171] The local training module is configured such that the client receives the global model, trains it locally to obtain the local gradient, calculates the ciphertext based on the local gradient and the encrypted orthogonal basis, and sends it to the server.

[0172] The model update module is configured as follows: if the global model is in the first round of training, the server sets the aggregate weights and calculates the aggregate key based on the decrypted orthogonal basis; calculates the global gradient using the aggregate key and the ciphertext, updates the global model using the global gradient, and distributes the global model to all clients;

[0173] Otherwise, the server calculates the gradient key based on the global gradient obtained from the previous training round and the decrypted orthogonal basis, calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client.

[0174] After malicious gradient detection, the client calculates the aggregation key, and uses the aggregation key and ciphertext to calculate the global gradient. The global gradient is then used to update the global model, and the global model is distributed to all clients.

[0175] The final global model acquisition module is configured to repeatedly execute the local training module and the model update module until the preset number of training rounds is reached or the global model accuracy reaches the preset target, thus obtaining the final global model.

Claims

1. A poisoning-resistant federated learning method based on function encryption, characterized in that, include: Step 1: The key center generates public parameters, encrypted orthogonal basis, and decrypted orthogonal basis; the server initializes the global model; and sends the encrypted orthogonal basis and global model to all clients. Step 2: The client receives the global model, trains it locally to obtain the local gradient, calculates the ciphertext based on the local gradient and the encrypted orthogonal basis, and sends it to the server; Step 3: If the global model is being trained for the first time, the server sets the aggregate weights and calculates the aggregate key based on the decrypted orthogonal basis; it calculates the global gradient using the aggregate key and the ciphertext, updates the global model using the global gradient, and distributes the global model to all clients. Otherwise, the server calculates the gradient key based on the global gradient obtained from the previous training round and the decrypted orthogonal basis, calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client. After malicious gradient detection, the client calculates the aggregation key, and uses the aggregation key and ciphertext to calculate the global gradient. The global gradient is then used to update the global model, and the global model is distributed to all clients. Step 4: Repeat steps 2 and 3 until the preset number of training rounds is reached or the global model accuracy reaches the preset target, and the final global model is obtained.

2. The anti-poisoning federated learning method based on function encryption according to claim 1, characterized in that, The specific implementation process of step 1 includes: Set the security parameter λ, vector length m, number of clients n, and upper bound β of the vector inner product; Based on the finite field F p ={0,1,2,3,...,p-1}, a bilinear group is randomly generated using the bilinear pairwise group generation algorithm. =( , , , , , ); where p is the order, and ; , , for Cyclic groups of order 1 , Groups , generator, Bilinear mapping function : ; With bilinear group Generate a 2m+2k+1 dimensional dual pairing vector space for the parameters. = , , , , , ;in for -Parameters of the linear hypothesis , Representing groups respectively , A 2m+2k+1 dimensional vector space, , For the standard basis of the corresponding group, It is a bilinear mapping function; From the finite field F p Randomly select elements Computational group generator = ; Pair the dual vector space and random numbers As parameters, dual orthogonal bases are generated using the OBGen biorthogonal basis generator. and ;in, and They are vector spaces and The base, and Let B and B represent the dual orthogonal basis respectively. The 2m+2k+1th basis vector; Each client sets an encrypted orthogonal basis based on a randomly generated dual orthogonal basis. Decrypting orthogonal bases As shown below: ; ; in, , They represent the client respectively. Encrypted orthogonal basis Decrypting orthogonal bases The m-th basis vector; Obtain common parameters =( , , and the master private key = , Where H represents the hash function, H: ; Server initializes global model t is the number of training rounds, and the encrypted orthogonal basis and global model are distributed to all clients.

3. The anti-poisoning federated learning method based on function encryption according to claim 2, characterized in that, The specific implementation process of step 2 includes: Client Receive global model from server Train the global model locally to obtain the local gradient. ,in This represents the gradient vector value of the m-th dimension of client i; Calculate local gradient L2 norm ; Client Using encrypted orthogonal basis Encrypted local gradients Obtain the ciphertext Including: from the finite field F p Random sampled elements ,in Indicates the first random sample taken by client i 1 element; local gradient As plaintext vector The encrypted ciphertext is calculated as follows: = + + ; in, This represents the encrypted ciphertext of the i-th client. Represents the plaintext vector of client i The One portion, Indicates the first random sample taken by client i One element, , , They represent the client respectively. Encrypted orthogonal basis The 2m+1 and basis vectors Indicates label The hash function output, label For bit strings of arbitrary length ; Finally obtained the ciphertext = ( , ); Client ciphertext and L2 norm Send to the server.

4. The anti-poisoning federated learning method based on function encryption according to claim 3, characterized in that, The server sets the aggregation weights and calculates the aggregation key based on the decryption orthogonal basis; The global gradient is calculated by combining the aggregate key and ciphertext, the global model is updated using the global gradient, and the global model is then distributed to all clients. include: The server will aggregate the weights for each client. Set as where n is the number of clients; In the finite field F p The mask value is randomly sampled for each client: ;in, Let represent the mask for random sampling by client i, and satisfy . = ; This represents the (k-1)th mask value randomly sampled by client i; Calculate the decryption key As shown below: = + + ; in, Represents the aggregate weight vector The j-th dimension component, aggregate weight vector = ( ), where dimension The amount Aggregate weights All others are 0; , , Let i represent the decryption orthogonal basis of client i, respectively. The jth, 2m+1th and basis vectors Indicates the sampling of client i. One mask value; Obtain the aggregation key = ; Compute using aggregated key and ciphertext = = = ;in, This represents the intermediate result of the discrete logarithm to be solved; For target group Generators; Through calculation = The discrete logarithm is used to obtain the inner product result. = ;in, This represents the plaintext vector, i.e., the local gradient. , For aggregation dimension The corresponding aggregated weight vector; inner product result This refers to the j-th dimension component of the global gradient. The global gradient is obtained by calculating the inner product of all dimensions. ; The server uses global gradients. Update the global model: ;in The learning rate is used to update the global model. Distribute to all clients.

5. The anti-poisoning federated learning method based on function encryption according to claim 4, characterized in that, The server calculates the gradient key based on the global gradient obtained from the previous training round and the decryption orthogonal basis. It then calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client. This includes: The server uses the global gradient obtained from the previous training round. Query the gradient key from the key center; The key center receives query requests in the finite field F p Random sampling ;in This represents the (k-1)th mask value randomly sampled by client i; The gradient key is calculated as follows: = + ; in, Representing vectors The Dimensional components; vector Global gradient ; and These represent the first and second halves of the client i, respectively. The and the first One mask value; gradient key Send to the server; The server uses ciphertext. and gradient key ,calculate = = = ;in, This represents the intermediate result of the discrete logarithm to be solved. Represents the local gradient of client i , For target group Generators; calculate = The inner product is obtained from the discrete logarithm. = Inner product And calculate the cosine similarity. = ; The server finds the cosine similarity. Minimal client , The cosine similarity is Client Provide local gradients to the key center and will Local gradient Recorded as the standard for poisoning ; Key center generates poisoning benchmark gradient key And send it to the server, including in the limited domain F p Random sampling ;in This represents the (k-1)th mask value randomly sampled by client i; Calculate gradient key = + ; in, Representing vectors The Dimensional component values, vector As a benchmark for poisoning ; Indicates the first random sample taken by client i One mask value; Client The ciphertext is Using ciphertext and gradient key Computing Client Local gradient Compared with the standard of poisoning inner product result and calculate the client The local gradient and the cosine similarity to the poisoning benchmark. = ; like Then the client Add to a malicious client pool and discard the ciphertext. Cosine similarity and gradient key Reselect cosine similarity The lowest-ranking client is selected, and the cosine similarity between the local gradient and the poisoned benchmark is calculated. Until .

6. The anti-poisoning federated learning method based on function encryption according to claim 5, characterized in that, After malicious gradient detection, the client calculates the aggregation key, and uses the aggregation key and ciphertext to calculate the global gradient. The global gradient is then used to update the global model, and the global model is distributed to all clients. include: The server uses ciphertext { } and gradient key Calculate the local gradient and poisoning benchmark for different clients. inner product result And calculate the cosine similarity. = ; Calculate the confidence level for each client. = Set the aggregate weight of each client to = ; The server uses aggregate weights. The malicious client group queries the key center for an aggregated key; the key center generates the aggregated key. Including in the finite field F p In the middle, there is a random sampling mask value for the set of non-malicious clients: ;in, Let represent the mask for random sampling by client i, and satisfy . = ; This represents the (k-1)th mask value randomly sampled by client i; Calculate the decryption key = + + ;in, Represents the aggregate weight vector The j-th dimension component, aggregate weight vector = ( (i.e., aggregated dimension) The amount The above is the aggregate weight. All others are 0; Decoding orthogonal basis The basis vectors; Indicates the sampling of client i. One mask value; Obtain the aggregation key = ,in, It belongs to the set of non-malicious customers; Aggregate key And send it to the server; The server uses ciphertext { } and aggregate key The global gradient for this round was calculated. ; The server uses global gradients. Updated global model: ;in The learning rate is used to update the global model. Distribute to all clients.

7. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the anti-poisoning federated learning method based on function encryption as described in any one of claims 1-6.

8. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the steps of the anti-poisoning federated learning method based on function encryption as described in any one of claims 1-6.

9. A poisoning-resistant federated learning system based on function encryption, characterized in that, include: The initialization module is configured to: generate common parameters, encrypted orthogonal basis, and decrypted orthogonal basis at the key center; initialize the global model on the server; and send the encrypted orthogonal basis and global model to all clients. The local training module is configured such that the client receives the global model, trains it locally to obtain the local gradient, calculates the ciphertext based on the local gradient and the encrypted orthogonal basis, and sends it to the server. The model update module is configured as follows: if the global model is in the first round of training, the server sets the aggregate weights and calculates the aggregate key based on the decrypted orthogonal basis; calculates the global gradient using the aggregate key and the ciphertext, updates the global model using the global gradient, and distributes the global model to all clients; Otherwise, the server calculates the gradient key based on the global gradient obtained from the previous training round and the decrypted orthogonal basis, calculates the similarity between the local gradient and the global gradient based on the ciphertext and the gradient key, and performs malicious gradient detection on the client. After malicious gradient detection, the client calculates the aggregation key, and uses the aggregation key and ciphertext to calculate the global gradient. The global gradient is then used to update the global model, and the global model is distributed to all clients. The final global model acquisition module is configured to repeatedly execute the local training module and the model update module until the preset number of training rounds is reached or the global model accuracy reaches the preset target, thus obtaining the final global model.