A federated learning verifiable secure aggregation method and system based on secret sharing

By employing a secret-sharing-based federated learning method, and utilizing linear homomorphic hashing and digital signatures, lightweight secure aggregation and verifiable results are achieved. This solves the problems of communication bottlenecks, computational resource consumption, and data privacy protection in federated learning, ensuring the correctness and immutability of the aggregation results.

CN122394841APending Publication Date: 2026-07-14BEIJING JIAOTONG UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING JIAOTONG UNIV
Filing Date
2026-03-27
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing federated learning secure aggregation schemes suffer from serious communication bottlenecks, high computational resource consumption, insufficient data privacy protection, and inability to guarantee the reliability of aggregation results.

Method used

The method adopts a secret-sharing approach, which combines linear homomorphic hashing and digital signatures. The client negotiates with a trusted institution to generate a shared secret seed, generates mask vector encryption model parameters, performs addition aggregation and signing on the edge server, performs global decryption and verification on the cloud server, and verifies the result on the edge server to ensure the correctness and immutability of the aggregation result.

Benefits of technology

It achieves lightweight federated learning secure aggregation, reduces the computational burden on the client, ensures data privacy protection and the verifiability of aggregation results, and prevents malicious tampering of cloud servers.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394841A_ABST
    Figure CN122394841A_ABST
Patent Text Reader

Abstract

The application discloses a kind of federated learning verifiable security aggregation method and system based on secret sharing, comprising: in initialization phase, client and trusted agency generate shared secret seed by negotiation;In model training and mask encryption phase, client is encrypted by using generated mask vector to local model parameter and uploads;In edge aggregation and signature phase, edge server performs non-decryption pre-aggregation to the ciphertext parameter in jurisdiction, calculates the linear homomorphic hash value of edge pre-aggregation ciphertext and carries out digital signature and uploads to cloud server;In global decryption and aggregation phase, cloud server eliminates noise in combination with the global mask provided by trusted agency, restores plaintext global model and broadcasts verification list.The application effectively reduces the terminal computing burden, while realizing lightweight and lossless parameter privacy protection, ensures the integrity and tamper-proof of global aggregation result.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of federated learning technology, and specifically to a verifiable and secure aggregation method and system for federated learning based on secret sharing. Background Technology

[0002] Federated learning, as an emerging distributed machine learning paradigm, has successfully solved the problems of privacy protection and data silos in cross-domain data collaboration by virtue of its characteristic of "data does not move, model moves". The server aggregates the model updates of the client, and the client uploads the local model updates and receives the global aggregation results, thereby collaboratively training the global model without sharing the original data.

[0003] However, existing secure aggregation schemes for federated learning still face the following problems: (1) In terms of aggregation architecture, traditional secure aggregation for federated learning adopts a centralized data transmission architecture, which leads to frequent interactions between the cloud server and the client, resulting in a serious communication bottleneck. Furthermore, the aggregation verification needs to be performed by the client, causing additional computational resource consumption; (2) In terms of data privacy protection, existing privacy protection methods based on homomorphic encryption or differential privacy have problems such as high computational overhead or noise that affects the accuracy of the global model; (3) In terms of aggregation result verification, the cloud server has a single point of trust assumption. Once attacked or malicious, it may tamper with the global aggregation parameters and output an incorrect model, resulting in the inability to guarantee the system's trustworthiness. Therefore, in order to address the above problems, a lightweight, verifiable, secure aggregation method for federated learning is urgently needed. Summary of the Invention

[0004] This invention provides a verifiable and secure aggregation method and system for federated learning based on secret sharing, so as to achieve lightweight and lossless secure aggregation of federated learning and verifiable aggregation results.

[0005] In a first aspect, the present invention provides a verifiable and secure aggregation method for federated learning based on secret sharing, comprising:

[0006] During the initialization phase, the trusted institution generates linear homomorphic hash public parameters and digital signature key pairs, and distributes them to the edge servers; the client negotiates with the trusted institution to generate a shared secret seed;

[0007] During the model training and mask encryption phase, the client uses local data to train local model parameters, generates a mask vector using a shared secret seed, and superimposes the mask vector onto the local model parameters to obtain ciphertext parameters and upload them to the edge server.

[0008] During the edge aggregation and signing stage, the edge server performs additive aggregation on the received ciphertext parameters to obtain the edge pre-aggregated ciphertext, calculates the linear homomorphic hash value of the edge pre-aggregated ciphertext and performs digital signature, and uploads the edge pre-aggregated ciphertext, hash value and signature to the cloud server.

[0009] During the global decryption and aggregation phase, the cloud server receives a global mask from a trusted institution, aggregates all edge pre-aggregated ciphertexts, and subtracts the global mask to obtain the global aggregation result.

[0010] During the edge verification and global update phase, the edge server receives the global aggregation result and verification information broadcast by the cloud server, verifies the validity of the digital signature and the hash correctness of the global aggregation result, and distributes the global aggregation result after the verification is successful.

[0011] In some embodiments of the present invention, a trusted institution generates linear homomorphic hash public parameters and digital signature key pairs, and distributes them to edge servers; the client negotiates with the trusted institution to generate a shared secret seed, including:

[0012] Trusted organization inputs security parameters and model parameter dimensions Execute the initialization algorithm to generate linear homomorphic hash common parameters. Public parameters of key negotiation protocol And the common parameters of linear homomorphic hashing Broadcast to all edge servers;

[0013] The trusted institution generates asymmetric digital signature key pairs for each edge server. , sign the private key It is sent to the corresponding edge server through a secure channel, and the verification public key of all edge servers is broadcast to the cloud server and other edge servers;

[0014] Each client uses its own private key. Public keys of trusted institutions Execute key negotiation algorithm The shared secret seed was calculated. .

[0015] In some embodiments of the present invention, during the model training and mask encryption stages, the method includes:

[0016] The client will share the secret seed. and current training round labels As input to the local model, a pseudo-random mask vector with the same dimension as the local model parameters is generated by a pseudo-random number generator. ;

[0017] The client performs an encryption operation, using a pseudo-random mask vector. The local model parameters obtained from local training are superimposed. The ciphertext parameters are calculated above. It then uploads the encrypted parameters to the edge server to which it belongs.

[0018] In some embodiments of the present invention, during the edge aggregation and signature stage, the method includes:

[0019] Edge servers receive encrypted parameters uploaded by online clients within their jurisdiction. Without decryption, perform addition operations on all ciphertext parameters to calculate the edge pre-aggregated ciphertext. ;

[0020] Edge servers compute linear homomorphic hash values ​​of edge pre-aggregated ciphertexts. Then, a digital signature is generated by digitally signing the linear homomorphic hash value using the signing private key. ;

[0021] Edge servers will pre-aggregate ciphertext at the edge. Linear homomorphic hash value and digital signatures Uploaded to the cloud server, along with the list of online clients participating in this aggregation. Send to a trusted organization.

[0022] In some embodiments of the present invention, during the global decryption and aggregation phase, the method includes:

[0023] The trusted institution receives a list of online clients participating in this round of aggregation from all edge servers, calculates the sum of the masks for all online clients, and obtains the global mask. The global mask is then sent to the cloud server; simultaneously, the linear homomorphic hash value of the global mask is calculated. And send the linear homomorphic hash value to all edge servers;

[0024] The cloud server receives edge pre-aggregated ciphertext uploaded by all edge servers. Pre-aggregated ciphertext at the edge The summation is performed to obtain the globally aggregated ciphertext. Cloud servers aggregate encrypted data globally. Subtract global mask from middle Recover the global aggregation result of the plaintext. ;

[0025] The cloud server will aggregate the results globally. And a verification list containing linear homomorphic hashes and digital signatures uploaded by all edge servers is broadcast to all edge servers.

[0026] In some embodiments of the present invention, during the edge verification and global update phase, the method includes:

[0027] The edge server receives the global aggregation results and verification list broadcast by the cloud server, and receives the linear homomorphic hash value of the global mask from the trusted institution;

[0028] The edge server uses the edge server to verify the public key and the validity of the digital signature of each edge server in the verification list; if the digital signature verification passes, the edge server calculates the linear homomorphic hash value of the global aggregation result.

[0029] The edge server verifies whether the sum of the linear homomorphic hash value of the global aggregation result and the linear homomorphic hash value of the global mask is equal to the sum of the linear homomorphic hash values ​​uploaded by all edge servers in the verification list. If the verification passes, the edge server confirms that the global aggregation result has not been tampered with and distributes the global aggregation result to the clients within its jurisdiction.

[0030] Secondly, the present invention also provides a verifiable and secure aggregation system for federated learning based on secret sharing, comprising:

[0031] The client is configured to perform local model training to obtain local model parameters; negotiate with a trusted institution to generate a shared secret seed; use the shared secret seed to generate a mask vector; superimpose the mask vector on the local model parameters; and upload the resulting ciphertext parameters to the affiliated edge server.

[0032] The edge server is configured to receive ciphertext parameters uploaded by online clients within its jurisdiction, perform addition aggregation to obtain edge pre-aggregated ciphertext without decryption, calculate the linear homomorphic hash value of the edge pre-aggregated ciphertext and perform digital signature, upload the edge pre-aggregated ciphertext, linear homomorphic hash value and digital signature to the cloud server, and receive the global aggregation result broadcast by the cloud server, verify the validity of the digital signature and the hash correctness of the global aggregation result, and distribute the global aggregation result after successful verification.

[0033] The trusted institution is configured to generate linear homomorphic hash public parameters and digital signature key pairs; based on the list of online clients reported by the edge server, it calculates the sum of the masks of all online clients as a global mask and sends it to the cloud server, and calculates the linear homomorphic hash value of the global mask and sends it to the edge server.

[0034] The cloud server is configured to receive edge pre-aggregated ciphertext uploaded by all edge servers and a global mask from a trusted institution; aggregate the edge pre-aggregated ciphertext and subtract the global mask to obtain the global aggregation result; and broadcast the global aggregation result and a verification list containing linear homomorphic hash values ​​and digital signatures uploaded by all edge servers to all edge servers.

[0035] The verifiable secure aggregation method and system based on secret sharing in this invention utilizes secret sharing to achieve lossless privacy protection of data. By combining linear homomorphic hashing and digital signatures, the system prevents cloud servers from tampering with the global aggregation results, ensuring the correctness and immutability of the global aggregation results. Attached Figure Description

[0036] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0037] Figure 1 This is a flowchart illustrating the verifiable secure aggregation method based on secret sharing in federated learning provided in an embodiment of the present invention.

[0038] Figure 2 This is a schematic diagram of the structure of a verifiable secure aggregation system based on secret sharing in federated learning provided in an embodiment of the present invention. Detailed Implementation

[0039] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0040] The terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Therefore, a feature defined as "first" or "second" may explicitly or implicitly include one or more features. In the description of this invention, "a plurality of" means two or more, unless otherwise explicitly specified.

[0041] "A and / or B" includes the following three combinations: A only, B only, and a combination of A and B.

[0042] The use of "applies to" or "configured to" in this invention implies an open and inclusive language, which does not exclude the applicability to or configuration to devices performing additional tasks or steps. Additionally, the use of "based on" implies openness and inclusivity, because processes, steps, calculations, or other actions "based on" one or more conditions or values ​​may in practice be based on additional conditions or values ​​beyond those conditions.

[0043] In this invention, the term "exemplary" is used to mean "serving as an example, illustration, or description." Any embodiment described as "exemplary" in this invention is not necessarily to be construed as being more preferred or advantageous than other embodiments. The following description is provided to enable any person skilled in the art to make and use the invention. Details are set forth in the following description for purposes of explanation. It should be understood that those skilled in the art will recognize that the invention can be made without using these specific details. In other instances, well-known structures and processes will not be described in detail to avoid obscuring the description of the invention with unnecessary detail. Therefore, the invention is not intended to be limited to the embodiments shown, but is consistent with the broadest scope of the principles and features disclosed herein.

[0044] One existing verifiable multi-round secure federated learning scheme employs a double masking mechanism combined with secret sharing to protect parameter privacy, and utilizes bilinear pairing and homomorphic hashing techniques to verify the server's aggregation results. The drawbacks of this scheme include the requirement that each resource-constrained client must personally perform complex verification tasks. Therefore, this significantly increases the computational and communication burden on the clients during federated learning, making it difficult to adapt to resource-constrained terminal devices.

[0045] One existing personalized privacy protection scheme for hierarchical federated learning employs a personalized privacy budget allocation strategy. A drawback of this scheme is that the random noise injected to protect privacy still exists. Therefore, during model training, this noise affects the convergence of the global model, leading to an unavoidable loss of model accuracy.

[0046] One existing privacy-preserving federated learning scheme for resource-constrained devices employs dynamic function encryption to protect client privacy parameters. However, this scheme suffers from drawbacks including: it relies on the semi-honest server assumption, fails to account for potential malicious tampering by cloud servers, and lacks an effective integrity verification mechanism. Therefore, if the cloud server forges aggregation results, the client will be unaware, leading to significant security risks to the system.

[0047] Terminology Explanation:

[0048] Federated learning is a distributed network model training architecture that allows multiple participants to jointly train a global model without uploading their private data to a central server.

[0049] Verifiable aggregation: Verifiable aggregation refers to the technique of using cryptographic primitives to ensure the integrity of aggregation results during federated learning. It allows participants to verify the global aggregation results generated by the cloud server, verifying whether they were correctly calculated from legitimate local updates, thereby preventing semi-honest or malicious servers from forging or tampering with model parameters.

[0050] Secret sharing is a technique used to protect sensitive data. It involves dividing a secret into multiple parts and distributing these parts to multiple participants. The original secret can only be recovered when all the parts are put together. By distributing risk among multiple parties, it improves the security of the system.

[0051] Linear homomorphic hashing: A type of cryptographic hash function that, in addition to possessing the collision resistance of traditional hash functions, also satisfies the additive homomorphic property, meaning that the hash value of the sum of two message vectors is equal to the sum of the hashes of the two message vectors respectively.

[0052] The following description, in conjunction with the accompanying drawings, introduces a verifiable secure aggregation method and system based on secret sharing for federated learning, provided by embodiments of the present invention.

[0053] like Figure 1 As shown, this embodiment of the invention provides a verifiable and secure aggregation method for federated learning based on secret sharing, which includes the following steps:

[0054] S101, During the initialization phase, the trusted institution TA generates a linear homomorphic hash. Common parameters The client and trusted authority negotiate to generate a shared secret seed, which is then distributed to the edge server along with a digital signature key pair.

[0055] Specifically, trusted institutions Initialize and generate a linear homomorphic hash Common parameters and Key negotiation protocol Common parameters Then for each edge server (assuming a total of (Edge server) generates digital signature key pair Then, Belonging to the edge server client collection Each client under Generate and distribute Public-private key pairs Each client and pass Key negotiation protocol to negotiate secret seed Finally, cloud servers. Distribute the initial model For all clients.

[0056] S102, during the model training and mask encryption stage, the client uses local data to train local model parameters, uses a shared secret seed to generate a mask vector, and superimposes the mask vector on the local model parameters to obtain ciphertext parameters and upload them to the edge server.

[0057] Specifically, each client Using local data Local training yields a local model. After training, the client utilizes... The Secret Seeds of Negotiation and the current round number Generate a mask vector with dimensions consistent with the model. The mask is then overlaid on the parameters to form updated parameters with a mask. And then upload it to the corresponding edge server.

[0058] S103, in the edge aggregation and signing stage, the edge server performs additive aggregation on the received ciphertext parameters to obtain edge pre-aggregated ciphertext, calculates the linear homomorphic hash value of the edge pre-aggregated ciphertext and performs digital signature, and uploads the edge pre-aggregated ciphertext, hash value and signature to the cloud server.

[0059] Specifically, the edge server performs additive aggregation on the ciphertext parameters of the online clients under its jurisdiction to obtain edge pre-aggregated ciphertext. The hash value of the edge pre-aggregated ciphertext is then calculated. and using the signing private key Sign the hash value to obtain Finally, the edge server packages the pre-aggregated ciphertext, hash value, and digital signature and uploads them to the cloud server, while simultaneously sending them to the cloud server. Report the list of online users participating in the aggregation. .

[0060] S104, in the global decryption and aggregation stage, the cloud server receives the global mask from the trusted institution, aggregates all edge pre-aggregated ciphertexts and subtracts the global mask to obtain the global aggregation result.

[0061] Specifically, trusted institutions Based on the online user list of each edge server Calculate the global mask It is then sent to the cloud server, where the linear homomorphic hash value of the global mask is calculated. The message is sent to all edge servers. The cloud server aggregates the encrypted message across all edge servers. Accumulate, then subtract the global mask. To recover the accurate global aggregation result. Subsequently, the cloud server will And all hash values ​​and signatures uploaded by edge servers are broadcast back to the edge servers.

[0062] S105, during the edge verification and global update phase, the edge server receives the global aggregation result and verification information broadcast by the cloud server, verifies the validity of the digital signature and the hash correctness of the global aggregation result, and distributes the global aggregation result after the verification is passed.

[0063] Specifically, after receiving the broadcast, the edge server first verifies the digital signatures of the edge servers in the list. The validity of the aggregation result is then verified using the homomorphic property of homomorphic hashing. and the hash value of the global mask Does the sum equal the hash values ​​of all edge servers? After successful verification, the edge server confirms that the cloud server has not tampered with the results and distributes the global aggregation results to its clients for the next round of training.

[0064] In some embodiments of the present invention, a trusted institution generates linear homomorphic hash public parameters and digital signature key pairs, and distributes them to edge servers; the client negotiates with the trusted institution to generate a shared secret seed, including:

[0065] Trusted Institutions Input security parameters and model parameter dimensions Execute the initialization algorithm to generate linear homomorphic hash common parameters. Public parameters of key negotiation protocol And the common parameters of linear homomorphic hashing Broadcast to all edge servers , which is used to calculate the hash value of the edge aggregation result in subsequent calculations.

[0066] Trusted institutions for each edge server Generate asymmetric digital signature key pairs , sign the private key Send to the corresponding edge server through a secure channel This is used to digitally sign the uploaded edge pre-aggregated ciphertext and hash value. It also verifies the public keys of all edge servers. Broadcast to cloud server And other edge servers, used for subsequent signature verification.

[0067] Trusted Institutions For each Each client in the collection Execute key generation algorithm Generate and distribute Public-private key pairs Then, the client obtains information from a trusted authority. Obtain its public key Using their private key and The public key, execute Key negotiation Calculate the shared secret seed .

[0068] Cloud server initial global model settings The system then distributes the initial global model to all clients, completing system initialization.

[0069] In some embodiments of the present invention, during the model training and mask encryption stages, the method includes:

[0070] The client will share the secret seed. and current training round labels As input to the local model, a pseudo-random mask vector with the same dimension as the local model parameters is generated by a pseudo-random number generator. .

[0071] Understandably, each client Using local datasets Compared to the previous global model (The first round is the initial model) Model training After training is complete, the local model parameters for the current round are obtained. To prevent edge servers and cloud servers from inferring sensitive data in the client's model parameters, each client utilizes... Shared secret seed of negotiation Encryption will be performed. The client will Labels for the current training round As input, a pseudo-random mask vector with the same dimension as the model parameters is generated by a pseudo-random number generator. .

[0072] The client performs an encryption operation, using a pseudo-random mask vector. The local model parameters obtained from local training are superimposed. The ciphertext parameters are calculated above. and ciphertext parameters Uploaded to its home edge server .

[0073] In some embodiments of the present invention, during the edge aggregation and signature stage, the method includes:

[0074] Edge server Receive all online clients within its jurisdiction Uploaded encrypted parameters The edge server performs addition on all received ciphertext parameters without decryption to calculate the edge pre-aggregated ciphertext. ,result It is still in an encrypted state, covered by a mask.

[0075] To prevent cloud servers from subsequently tampering with data or falsifying aggregation results, edge servers... Calculate the linear homomorphic hash value of the edge pre-aggregated ciphertext Then use its signing private key. This hash value Perform digital signature, generate signature This ensures that the data cannot be tampered with.

[0076] Edge server Pre-aggregate ciphertext at the edges Hash value and digital signatures The data is then uploaded to the cloud server. Next, the edge server will upload the list of online clients participating in this aggregation. Send to .let It can accurately calculate a global mask that contains only online users, thereby assisting cloud servers in eliminating noise in subsequent steps.

[0077] In some embodiments of the present invention, during the global decryption and aggregation phase, the method includes:

[0078] Trusted Institutions Receive the list of online clients participating in this round of aggregation reported by all edge servers. . Through key negotiation and generate a mask. Due to the characteristics of pseudo-random functions, the mask vector generated by this seed... Numerically, it is exactly the same as the mask vector generated by the client. The global mask is calculated by summing the masks of the online clients. It is sent to the cloud server to assist in decryption; then, Calculate the linear homomorphic hash value of the global mask. , hash value and The message is broadcast to all edge servers for subsequent verification.

[0079] The cloud server receives the verification sets and edge-aggregated ciphertext uploaded by all edge servers. Meanwhile, the cloud server receives data from... global mask The cloud server first accumulates the edge pre-aggregated ciphertext from all edge servers to obtain the globally aggregated ciphertext. Subsequently, the cloud server subtracts the global mask from the globally aggregated ciphertext to eliminate all noise and restore the accurate globally aggregated result. .

[0080] The cloud server will reproduce the accurate global aggregation results. And a verification list containing the hashes and digital signatures of all edge servers. Package and broadcast to all edge servers.

[0081] In some embodiments of the present invention, during the edge verification and global update phase, the method includes:

[0082] The edge server receives the global aggregation results and verification list broadcast by the cloud server. It also receives a linear homomorphic hash of the global mask from a trusted institution. Edge server traversal Use the corresponding public key Verify the validity of the digital signature on each edge server to ensure the data source is authentic and has not been tampered with. Once the signature verification is successful, the edge server... Calculate the global aggregation result hash value Then verify the equation: If the equation holds true, it means the cloud server has not tampered with the result; the edge server verification is successful.

[0083] After both of the above verification steps pass, the edge server After confirming that the global aggregation results have not been tampered with by the cloud server, a new global average model was calculated. and will Distributed to clients, clients take over Update the local model, complete this round of global update, and start the next round of local training based on the new global model.

[0084] It is understandable that a linear homomorphic hash function satisfies the additive homomorphic property, which means that the hash value of the sum of two message vectors is equal to the sum of the hash values ​​of the two message vectors respectively.

[0085] The method provided by this invention can effectively protect the original parameters uploaded by the client, preventing them from being stolen by semi-honest edge servers or cloud servers. During the model upload stage, the client does not directly upload the original parameters, but instead uploads encrypted data with an overlay mask. For edge servers, they do not possess the shared secret seed negotiated between the client and the trusted authority. Therefore, it's impossible to generate a corresponding mask vector, and thus impossible to infer the original parameters from the ciphertext. Edge servers only have access to seemingly random, noisy data. For cloud servers, through... With the assistance of [unclear], the global mask after aggregation was eliminated, and a global plaintext model was obtained. However, cloud servers can only obtain the global aggregation results and cannot obtain the original parameters of any single client. Therefore, this solution achieves strict privacy protection for individual client data.

[0086] The method provided by this invention also ensures that the global model broadcast by the cloud server is correctly calculated based on the data uploaded by all edge servers, effectively defending against tampering attacks by malicious cloud servers. The correctness of the system is guaranteed by both linear homomorphic hashing and digital signatures. During the upload phase, each edge server calculates the hash value of the edge aggregated ciphertext. And sign. During the verification phase, the edge server receives a list broadcast by the cloud server containing signature evidence from all edge nodes, and performs the verification equation. Because the hash value is signed with the edge server's private key, the cloud server cannot forge or tamper with it. By leveraging the collision resistance of homomorphic hashing, tampering with the hash value will cause verification to fail.

[0087] The method provided by this invention can also effectively prevent attackers from inferring client privacy information by correlating uploaded data from different training rounds. The mask generation algorithm in this solution... Dynamic round tags were introduced. This is used as an input parameter. This means that for the same client, the mask vector generated in each training round is different. Therefore, attackers cannot eliminate the mask through simple subtraction or difference analysis, effectively resisting cross-round correlation attacks.

[0088] The method provided by this invention can also effectively prevent malicious cloud servers from attempting to collude with edge servers or clients to obtain clients' private data.

[0089] In the method provided by this invention, the client's privacy mask It is generated by a secret seed negotiated between the client and a trusted institution. Neither the cloud server nor the edge server has this seed. The edge server only has the sum of edge ciphertext uploaded by the clients under the cluster. To restore the plaintext, the total mask of the cluster must be known. However, the cloud server can only obtain the total global mask from the trusted institution. Therefore, the colluding parties cannot decrypt the intermediate results of the edge layer.

[0090] In the method provided by this invention, the mask seed of the client is only held by itself and trusted institutions. Malicious clients can only provide their own seed and cannot know the seed of honest clients. They cannot calculate the mask of honest users and therefore cannot recover the original parameters of honest users.

[0091] In the method provided by this invention, the computational overhead is mainly distributed in two stages: encryption of model parameters (mask generation) and homomorphic hash verification. Assume the model parameter dimension is... The total number of clients participating in the training is The number of edge servers is The client only needs to perform mask generation. The complexity of the pseudo-random number generator (PRG) generating the mask vector and performing integer addition operations is O(n). This invention employs a trusted mechanism-based approach. The seed negotiation mechanism allows the client to generate only one mask vector regardless of the number of participants. Therefore, the client's computational complexity is O(n log n). , with the total number of users Irrelevant. Compared to homomorphic encryption schemes, the client does not need to perform time-consuming encryption and decryption operations, significantly reducing the computational burden on terminal devices. Furthermore, this invention offloads computationally intensive verification tasks from the client to edge servers, further reducing the client's computational load. After completing local training and uploading the noisy ciphertext, the client can immediately go offline. As long as the client successfully uploads data, the trusted organization can calculate the corresponding mask using an online list, ensuring the system's robustness in environments where IoT devices frequently lose connection.

[0092] This invention uses a layered architecture that combines cloud, edge, and client collaboration. By introducing edge servers to perform pre-aggregation and verification tasks, it solves the problems of severe communication bottlenecks on cloud servers and excessive computational burden on resource-constrained clients in traditional federated learning architectures.

[0093] This invention uses a lightweight additive masking technique based on secret sharing. By mathematically eliminating the mask during the aggregation process, it solves the problems of excessive computational overhead in existing homomorphic encryption schemes and the decrease in global model accuracy caused by noise in differential privacy schemes.

[0094] This invention uses an aggregation verification technique that combines linear homomorphic hashing with digital signatures. It utilizes the additive homomorphic properties of homomorphic hashing to construct a verification equation, which solves the problem that malicious cloud servers may forge or tamper with the global aggregation results and lack an effective mechanism for integrity verification.

[0095] like Figure 2 As shown, the present invention also provides a verifiable secure aggregation system for federated learning based on secret sharing, which includes a client, an edge server, a cloud server, and a trusted authority (TA).

[0096] The client is configured to perform local model training to obtain local model parameters; negotiate with a trusted institution to generate a shared secret seed; use the shared secret seed to generate a mask vector; superimpose the mask vector on the local model parameters; and upload the resulting ciphertext parameters to the affiliated edge server.

[0097] In some examples, clients train their models using local datasets. After training, the client generates an additive privacy mask using a secret seed negotiated with a trusted institution, overlays the mask onto the model parameters for encryption, and uploads the encrypted parameters to the corresponding edge server. Upon receiving the globally plaintext model distributed by the edge server, the client updates its local model and begins a new round of training. The clients are honest but curious. They honestly perform local training and generate the mask and upload parameters according to the protocol, but they may attempt to obtain the training parameters of other participants to infer sensitive data.

[0098] The edge server is configured to receive ciphertext parameters uploaded by online clients within its jurisdiction, perform addition aggregation to obtain edge pre-aggregated ciphertext without decryption, calculate the linear homomorphic hash value of the edge pre-aggregated ciphertext and perform digital signature, upload the edge pre-aggregated ciphertext, linear homomorphic hash value and digital signature to the cloud server, and receive the global aggregation result broadcast by the cloud server, verify the validity of the digital signature and the hash correctness of the global aggregation result, and distribute the global aggregation result after successful verification.

[0099] In some examples, the edge server acts as an intermediate aggregation node connecting clients and the cloud server. Its primary responsibility is to collect ciphertext parameters uploaded by clients within its jurisdiction and perform edge pre-aggregation without decryption. Subsequently, it calculates the linear homomorphic hash value of the edge pre-aggregation result and digitally signs it to ensure tamper-proofing. Finally, it uploads the edge pre-aggregated ciphertext, hash value, and signature to the cloud server. Furthermore, the edge server is also responsible for verifying the correctness of the global aggregation results distributed by the cloud server, preventing malicious tampering. The edge server is honest but curious. It will honestly perform ciphertext pre-aggregation, hash calculation, and verification tasks. However, it may attempt to analyze the aggregation results received from clients to infer their private information.

[0100] The trusted institution is configured to generate linear homomorphic hash public parameters and digital signature key pairs; based on the list of online clients reported by the edge server, it calculates the sum of the masks of all online clients as a global mask and sends it to the cloud server, and calculates the linear homomorphic hash value of the global mask and sends it to the edge server.

[0101] In some examples, the trusted authority is a trusted third-party entity responsible for system initialization, including generating homomorphic hash public parameters, distributing signing key pairs to edge servers, and negotiating secret seeds for mask generation with each client. In each aggregation phase, the trusted authority calculates the sum of masks for all online users based on the list of online users reported by the edge servers, sends it to the cloud server for decryption, and simultaneously sends the hash value of the mask sum to the edge servers for verification.

[0102] The cloud server is configured to receive edge pre-aggregated ciphertext uploaded by all edge servers and a global mask from a trusted institution; aggregate the edge pre-aggregated ciphertext and subtract the global mask to obtain the global aggregation result; and broadcast the global aggregation result and a verification list containing linear homomorphic hash values ​​and digital signatures uploaded by all edge servers to all edge servers.

[0103] In some examples, the cloud server acts as a central node with powerful computing capabilities, responsible for the global aggregation of pre-aggregated ciphertext from various edge servers. Simultaneously, the cloud server receives a global mask sum from a trusted institution to eliminate mask noise in the aggregation result, reconstructing an accurate plaintext global model. Finally, the cloud server sends the global model and a list of signatures from all edge servers back to the edge servers for verification and distribution. However, the cloud server could be malicious. It might attempt to infer client privacy information by analyzing the received edge aggregation results and could maliciously tamper with the aggregation results or discard updates from specific edge servers during the global aggregation process, thereby compromising the model's convergence.

[0104] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0105] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods of various embodiments or some parts of embodiments.

[0106] The foregoing has provided a detailed description of a verifiable secure aggregation method and system based on secret sharing in federated learning, as provided in the embodiments of the present invention. Specific examples have been used to illustrate the principles and implementation methods of the present invention. The descriptions of the embodiments above are only for the purpose of helping to understand the method and core ideas of the present invention. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of the present invention. Therefore, the content of this specification should not be construed as a limitation of the present invention.

Claims

1. A verifiable and secure aggregation method for federated learning based on secret sharing, characterized in that, include: During the initialization phase, the trusted institution generates linear homomorphic hash public parameters and digital signature key pairs, and distributes them to edge servers; The client negotiates with the trusted institution to generate a shared secret seed; During the model training and mask encryption phase, the client uses local data to train local model parameters, uses the shared secret seed to generate a mask vector, and superimposes the mask vector on the local model parameters to obtain ciphertext parameters and upload them to the edge server. During the edge aggregation and signing stage, the edge server performs additive aggregation on the received ciphertext parameters to obtain edge pre-aggregated ciphertext, calculates the linear homomorphic hash value of the edge pre-aggregated ciphertext and performs digital signature, and uploads the edge pre-aggregated ciphertext, hash value and signature to the cloud server. During the global decryption and aggregation phase, the cloud server receives a global mask from the trusted institution, aggregates all edge pre-aggregated ciphertexts, and subtracts the global mask to obtain the global aggregation result. During the edge verification and global update phase, the edge server receives the global aggregation result and verification information broadcast by the cloud server, verifies the validity of the digital signature and the hash correctness of the global aggregation result, and distributes the global aggregation result after the verification is successful.

2. The method according to claim 1, characterized in that, The trusted institution generates linear homomorphic hash public parameters and digital signature key pairs, and distributes them to the edge server; the client negotiates with the trusted institution to generate a shared secret seed, including: The trusted organization inputs security parameters and model parameter dimensions Execute the initialization algorithm to generate linear homomorphic hash common parameters. Public parameters of key negotiation protocol and the linear homomorphic hash common parameters Broadcast to all edge servers; The trusted organization generates asymmetric digital signature key pairs for each edge server. , sign the private key It is sent to the corresponding edge server through a secure channel, and the verification public key of all edge servers is broadcast to the cloud server and other edge servers; Each client uses its own private key. Public keys of trusted institutions Execute key negotiation algorithm The shared secret seed is calculated. .

3. The method according to claim 1, characterized in that, During the model training and mask encryption phases, the method includes: The client will share the secret seed. and current training round labels As input to the local model, a pseudo-random mask vector with the same dimension as the local model parameters is generated by a pseudo-random number generator. ; The client performs an encryption operation, converting the pseudo-random mask vector... The local model parameters obtained from local training are superimposed. The ciphertext parameters are calculated above. The encrypted parameters are then uploaded to the edge server to which they belong.

4. The method according to claim 1, characterized in that, In the edge aggregation and signature stage, the method includes: The edge server receives encrypted parameters uploaded by online clients within its jurisdiction. Without decryption, an addition operation is performed on all the ciphertext parameters to calculate the edge pre-aggregated ciphertext. ; The edge server calculates the linear homomorphic hash value of the edge pre-aggregated ciphertext. The linear homomorphic hash value is digitally signed using a signing private key to generate a digital signature. ; The edge server pre-aggregates the ciphertext at the edge. The linear homomorphic hash value and the digital signature Uploaded to the cloud server, along with the list of online clients participating in this aggregation. Send to a trusted organization.

5. The method according to claim 1, characterized in that, During the global decryption and aggregation phase, the method includes: The trusted institution receives a list of online clients participating in this round of aggregation reported by all edge servers, calculates the sum of the masks of all online clients, and obtains the global mask. The global mask is then sent to the cloud server; simultaneously, the linear homomorphic hash value of the global mask is calculated. The linear homomorphic hash value is then sent to all edge servers. The cloud server receives edge pre-aggregated ciphertext uploaded by all edge servers. Pre-aggregated ciphertext at the edge The summation is performed to obtain the globally aggregated ciphertext. The cloud server retrieves the globally aggregated ciphertext. Subtract the global mask from the middle Recover the global aggregation result of the plaintext. ; The cloud server will aggregate the global results. And a verification list containing linear homomorphic hashes and digital signatures uploaded by all edge servers is broadcast to all edge servers.

6. The method according to claim 1, characterized in that, During the edge verification and global update phases, the method includes: The edge server receives the global aggregation results and verification list broadcast by the cloud server, and receives the linear homomorphic hash value of the global mask from the trusted institution; The edge server uses the edge server verification public key to verify the validity of the digital signature of each edge server in the verification list; if the digital signature verification passes, the edge server calculates the linear homomorphic hash value of the global aggregation result; The edge server verifies whether the sum of the linear homomorphic hash value of the global aggregation result and the linear homomorphic hash value of the global mask is equal to the sum of the linear homomorphic hash values ​​uploaded by all edge servers in the verification list. If the verification passes, the edge server confirms that the global aggregation result has not been tampered with and distributes the global aggregation result to the clients within its jurisdiction.

7. A verifiable and secure aggregation system for federated learning based on secret sharing, characterized in that, include: The client is configured to perform local model training to obtain local model parameters; A shared secret seed is generated in consultation with a trusted institution. A mask vector is generated using the shared secret seed. The mask vector is superimposed on the local model parameters, and the resulting ciphertext parameters are uploaded to the belonging edge server. Edge servers are configured to receive ciphertext parameters uploaded by online clients within their jurisdiction and perform addition aggregation to obtain edge pre-aggregated ciphertext without decryption. Calculate the linear homomorphic hash value of the edge pre-aggregated ciphertext and perform digital signature; upload the edge pre-aggregated ciphertext, linear homomorphic hash value and digital signature to the cloud server; and receive the global aggregation result broadcast by the cloud server, verify the validity of the digital signature and the hash correctness of the global aggregation result, and distribute the global aggregation result after verification. A trusted institution is configured to generate linear homomorphic hash public parameters and digital signature key pairs; based on the list of online clients reported by the edge server, it calculates the sum of the masks of all online clients as a global mask and sends it to the cloud server, and calculates the linear homomorphic hash value of the global mask and sends it to the edge server. The cloud server is configured to receive edge pre-aggregated ciphertext uploaded by all edge servers and a global mask from a trusted institution; aggregate the edge pre-aggregated ciphertext and subtract the global mask to obtain a global aggregation result; and broadcast the global aggregation result and a verification list containing linear homomorphic hash values ​​and digital signatures uploaded by all edge servers to all edge servers.