A method and system for anti-quantum privacy computing and ciphertext aggregation oriented to distributed AI collaboration
By combining lattice-based fully homomorphic encryption and hardware root of trust, the problems of quantum computing attacks and malicious aggregation nodes in federated learning are solved, and efficient quantum-resistant federated learning is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- 廖长林
- Filing Date
- 2026-05-06
- Publication Date
- 2026-07-14
AI Technical Summary
Existing federated learning schemes are at high risk of data leakage under quantum computing attacks, aggregation nodes are easily tampered with, traditional encryption algorithms cannot prevent malicious attacks, and communication links lack quantum security protection.
A lattice-based fully homomorphic encryption algorithm is used to protect local model updates, and weighted aggregation is performed in the ciphertext state. Combined with hardware root of trust for signature verification and behavior monitoring, the post-quantum security of the communication link is ensured.
It effectively prevents quantum hacking and malicious attacks, ensures the integrity and privacy of model updates, communication security, and training efficiency increases by only 18%.
Smart Images

Figure FT_1
Abstract
Description
Technical Field
[0001] This invention relates to the fields of privacy computing and federated learning technology, specifically to a method and system for protecting the data privacy and model integrity of each participant in a distributed AI collaborative training scenario through quantum-resistant homomorphic encryption, aggregation node behavior monitoring, and hardware root of trust followed by quantum signature verification. Background Technology
[0002] In federated learning scenarios, each participant uploads model updates to an aggregation node for aggregation. However, existing solutions face a double threat: traditional encryption algorithms can be cracked under quantum computing attacks, leading to the leakage of update data; the aggregation node itself may be maliciously compromised, allowing attackers to tamper with the aggregated global model or attempt to infer private data from encrypted updates. While existing technologies have applied post-lattice quantum homomorphic encryption to federated learning, these solutions only address the quantum vulnerability of the model update data itself and have the following drawbacks: they do not consider the quantum security of the communication link, allowing attackers to crack the data during transmission using a quantum computer; they still assume that the aggregation nodes are semi-honest, making it impossible to prevent malicious aggregation nodes from exporting ciphertext data for offline attacks, tampering with aggregation results, or poisoning attacks; and the signature of the aggregation result is usually implemented in software, making the private key vulnerable to theft and failing to guarantee the integrity and immutability of the aggregation result. Existing technologies do not disclose a scheme for the coordinated implementation of fully homomorphic encrypted state aggregation of lattice bases and independent behavior monitoring of aggregation nodes. Summary of the Invention
[0003] This invention is the first to achieve quantum-resistant security protection for the entire distributed AI collaborative training process, while breaking through the assumption of "semi-honest aggregation nodes" in traditional federated learning. By combining lattice-based fully homomorphic encrypted encrypted computation with aggregation node behavior monitoring independent of the computation unit, it not only solves the threat of quantum computing to cracking traditional encryption algorithms, but also effectively prevents malicious aggregation nodes from decrypting, tampering, poisoning, and other attacks. Specifically, this invention employs a lattice-based post-quantum fully homomorphic encryption algorithm to protect local model updates; aggregation nodes complete aggregation in ciphertext and are subject to continuous behavior monitoring; aggregation results are distributed after verification by a hardware root of trust using a post-quantum signature; key operation logs for all aggregation, signing, and distribution processes are permanently stored using a hardware root of trust; and all communication links are encrypted using a post-quantum cryptographic algorithm. This addresses the risks of quantum-based data breaking and the lack of trust in aggregation nodes in federated learning. In one specific embodiment, the preset malicious behavior includes at least one of the following: the aggregation node attempts to decrypt or bypass the original model update data of any participant; the aggregation node tampers with the encrypted model update data or encrypts the global model update data; the aggregation node exports the ciphertext data to an unauthorized storage location or external device; the aggregation node performs unauthorized access to the encrypted key storage area; the aggregation node deletes or discards the encrypted model update data of any participant; the aggregation node performs unauthorized computational operations. In one specific embodiment, the weighted aggregation operation in the ciphertext state is implemented in the following way: before uploading the encrypted gradient data, each participant synchronously uploads the number of samples trained locally as the reference value of the weight coefficient in plaintext; the aggregation node performs element-wise multiplication of each participant's encrypted gradient vector with the corresponding weight coefficient reference value in the ciphertext state, and then performs ciphertext addition on each weighted encrypted gradient vector to generate an encrypted global model update. In one specific embodiment, before uploading the plaintext weight coefficients, each participant performs differential privacy processing by adding Laplace noise or Gaussian noise to protect the sample quantity information implicit in the weight coefficients. In one specific embodiment, the hardware trust root module is built into the aggregation node and uses a pre-stored, non-exportable post-quantum signature private key to digitally sign the cryptographic global model update. The aggregation node sends the hash value of the cryptographic global model update to the hardware trust root module, which signs the hash value using its internally stored private key and returns the signature result. The private key does not leave the hardware trust root module throughout the signing process. The hardware trust root module can be selected from a TPM 2.0 chip, an Intel SGX enclave, an AMD SEV enclave, or an ARM TrustZone. In one specific embodiment, when an aggregation node is marked as untrusted, the system automatically selects a trusted aggregation node from a preset list of backup aggregation nodes to take over the current aggregation task and resends all encrypted model update data to the trusted aggregation node to ensure the continuity of federated learning training. In one specific embodiment, the public keys used for homomorphic encryption among the participants are distributed through a secure channel established by the NIST-standardized CRYSTALS-Kyber post-quantum key negotiation protocol to ensure that the public keys are not tampered with or stolen by man-in-the-middle attacks during the distribution process. Performance test results show that in training a model with 10 participants and 1 million parameters, the training time per round of this scheme is only 18% longer than that of the traditional unencrypted scheme, while the communication overhead is 23% higher. In contrast, under the same security level, the traditional scheme based on RSA encryption increases the training time per round by 127% and cannot resist quantum computing attacks. Attached Figure Description
[0004] Figure 1 This is a schematic diagram of the method flow of the present invention. Detailed Implementation
[0005] The present invention will now be described in detail with reference to the accompanying drawings and embodiments: Multiple banks jointly trained an anti-fraud model. Homomorphic encrypted public keys were distributed among the participants through a secure channel established by the NIST-standardized CRYSTALS-Kyber post-quantum key negotiation protocol. Each participant calculated the model update gradient after local training, encrypted the gradient using a lattice-based FHEW scheme, and then uploaded it. Each participant simultaneously uploaded the number of plaintext samples processed with differential privacy as a reference value for the weight coefficients; differential privacy was achieved by adding Laplace noise. The aggregation node performs weighted aggregation in ciphertext mode, multiplying the encrypted gradient vector and plaintext weight coefficients element-wise in ciphertext mode, and then performing ciphertext addition on the weighted encrypted gradient vectors to generate an encrypted global model update. The administrator console displays all unreadable ciphertext data. In one specific embodiment, the aggregation node behavior monitoring module is deployed in a monitoring module independent of the aggregation node's computing unit, collecting the aggregation node's system call logs, file access logs, and memory access logs in real time. When it detects that an aggregation node administrator is attempting to export a batch of encrypted gradient data to an external storage device, it determines that there is malicious behavior, immediately terminates the current aggregation task, and marks the node as untrusted. Subsequently, the system automatically selects a trusted aggregation node from a preset list of backup aggregation nodes to take over the aggregation task. After aggregation, the aggregating node sends the encrypted global model update to the built-in hardware root of trust module. This module digitally signs the global model update using an internally stored, non-exportable CRYSTALS-Dilithium private key. All critical operation logs during the aggregation, signing, and distribution processes are permanently stored and verified through the hardware root of trust, ensuring the entire process is tamper-proof. The aggregating node distributes the signed encrypted global model update to each participant via a CRYSTALS-Kyber encrypted communication link. Each participant first verifies the signature, and then decrypts the update using their private key.
Claims
1. A quantum-resistant privacy-preserving computation and dense-state aggregation method for distributed AI collaboration, applied to federated learning or multi-party secure computation scenarios, characterized in that... Includes the following steps: Public key distribution steps: Each participant establishes a secure channel through a post-quantum key negotiation protocol and distributes a lattice-based post-quantum fully homomorphic encryption public key; Local training and quantum-resistant homomorphic encryption steps: Each participant trains the model locally using its own private data and calculates the model update gradient or parameter increment; the model update gradient or parameter increment is encrypted using a lattice-based post-quantum homomorphic encryption algorithm to generate encrypted model update data; The steps for encrypted aggregation and aggregation node behavior monitoring are as follows: The aggregation node receives the encrypted model update data from each participant, performs a weighted aggregation operation in encrypted state, and generates an encrypted global model update; during the encrypted aggregation process, the behavior of the aggregation node is continuously monitored, and when a preset malicious behavior is detected, the current aggregation task is immediately terminated and the aggregation node is marked as untrusted. The steps for verifying and distributing quantum-resistant signatures of aggregated results are as follows: The aggregated node updates the encrypted global model and performs digital signature using a post-quantum cryptography algorithm through a hardware root of trust; All critical operation logs for the aggregation, signing, and distribution processes are permanently stored using a hardware root of trust. The signed encrypted global model update is then distributed to all participants. Upon receiving the signed encrypted global model update, each participant first verifies the validity of the digital signature. Only after successful verification can the update be decrypted and used.
2. The method according to claim 1, characterized in that, The post-quantum digital signature algorithm adopts the NIST-standardized CRYSTALS-Dilithium algorithm.
3. The method according to claim 1, characterized in that, It also includes a quantum-resistant communication encryption step: all communication links between each participant and the aggregation node use the NIST-standardized post-quantum key negotiation algorithm for key negotiation and encrypted transmission, establishing an end-to-end quantum-resistant encrypted communication link, through which all subsequent data transmissions are carried out.
4. The method according to claim 1, characterized in that, The preset malicious behavior includes at least one of the following: The aggregation node attempts to decrypt or bypass the original model update data of any participant; Aggregator nodes may tamper with encrypted model update data or encrypt global model update data. The aggregation node exports encrypted data to unauthorized storage locations or external devices; The aggregation node gains unauthorized access to the encryption key storage area; The aggregation node deletes or discards the encrypted model update data of any participant; The aggregation node is performing unauthorized computational operations.
5. The method according to claim 1, characterized in that, The hardware trust root module is selected from TPM 2.0 chip, Intel SGX enclave, AMD SEV enclave or ARM TrustZone, and the post-quantum signature private key stored in it cannot be exported outside the hardware trust root module.
6. The method according to claim 1, characterized in that, When an aggregation node is marked as untrusted, the system automatically selects a trusted aggregation node from the preset list of backup aggregation nodes to take over the aggregation task and resends all encrypted model update data to that trusted aggregation node.
7. The method according to claim 1, characterized in that, Before uploading the plaintext weight coefficients, each participant performs differential privacy processing by adding Laplace noise or Gaussian noise to protect the sample quantity information implicit in the weight coefficients.
8. A quantum-resistant privacy computing and dense-state aggregation system for distributed AI collaboration, characterized in that, include: The public key distribution module is used to establish a secure channel among the participants through a post-quantum key negotiation protocol and distribute lattice-based post-quantum fully homomorphic encryption public keys. The local training and encryption module is deployed at each participating party to train the model locally using private data, calculate the model update gradient or parameter increment, and encrypt it using a lattice-based post-quantum fully homomorphic encryption algorithm. The encrypted aggregation module, deployed on the aggregation node, is used to receive encrypted model update data from each participant, perform weighted aggregation operations in encrypted state, and generate encrypted global model updates. The aggregation node behavior monitoring module is deployed independently of the dense aggregation module. It is used to continuously monitor the behavior of aggregation nodes. When a preset malicious behavior is detected, the current aggregation task is immediately terminated and the aggregation node is marked as untrusted. The signature verification and distribution module communicates with the hardware root of trust to perform post-quantum digital signatures on the update of the cryptographic global model and distributes them to all participants through a quantum-resistant cryptographic communication link; at the same time, the hardware root of trust solidifies and preserves the key operation logs of all aggregation, signing and distribution processes. The standby node takeover module is used to select a trusted aggregation node from a preset list of standby aggregation nodes to take over the current aggregation task after the aggregation node is marked as untrusted.