Falkor: Federated Learning Secure Aggregation Powered by AESCTR GPU Implementation
Authors: 
Mariya Georgieva Belorgey, Sofia Dandjee, Nicolas Gama, Dimitar Jetchev, Dmitry MikushinAuthors Info & Claims
Mariya Georgieva Belorgey, Sofia Dandjee, Nicolas Gama, Dimitar Jetchev, Dmitry MikushinAuthors Info & ClaimsAbstract
We propose a novel protocol, Falkor, for secure aggregation for Federated Learning in the multi-server scenario based on masking of local models via a stream cipher based on AES in counter mode and accelerated by GPUs running on the aggregating servers. The protocol is resilient to client dropout and has reduced clients/servers communication cost by a factor equal to the number of aggregating servers (compared to the naïve baseline method). It scales simultaneously in the two major complexity aspects: 1) large number of clients; 2) highly complex machine learning models such as CNNs, RNNs, Transformers, etc. The AES-CTR-based masking function in our aggregation protocol is built on the concept of counterbased cryptographically-secure pseudorandom number generators (csPRNGs) as described in [32] and subsequently used by Facebook for their torchcsprng csPRNG. We improve upon torchcsprng by careful use of shared memory on the GPU device, a recent idea of Cihangir Tezcan [38] and obtain 100x speedup in the masking function compared to a single CPU core.
Finally, we demonstrate scalability of our protocol in two realworld Federated Learning scenarios: 1) efficient training of large logistic regression models with 50 features and 50M data points distributed across 1000 clients that can dropout and securely aggregated via three servers (running secure multi-party computation (SMPC)); 2) training a recurrent neural network (RNN) model for sentiment analysis of Twitter feeds coming from a large number of Twitter users (more than 250,000 users). In case 1), our secure aggregation algorithm runs in less than a minute compared to a pure MPC computation (on 3 parties) that takes 27 hours and uses 400GB RAM machines as well as 1 gigabit-per-second network. In case 2), the total training is around 10 minutes using our GPU powered secure aggregation versus 10 hours using a single CPU core.
References
[1]
M. Abadi, A. Chu, I. Goodfellow, H. Brendan McMahan, I. Mironov, K. Talwar, and L. Zhang. 2016. Deep Learning with Differential Privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24--28, 2016, Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi (Eds.). ACM, 308--318. https://doi.org/10.1145/2976749.2978318
[2]
A. Abdelrahman, M. Fouad, H. Dahshan, and A. Mousa. 2017. High performance CUDA AES implementation: A quantitative performance analysis approach. In 2017 Computing Conference. 1077--1085. https://doi.org/10.1109/SAI. 2017.8252225
[3]
S.-W. An and S.-C. Seo. 2020. Highly Efficient Implementation of Block Ciphers on Graphic Processing Units for Massively Large Data. Applied Sciences 10, 11 (2020).
[4]
C. Beguier, M. Andreux, and E. Tramel. 2021. Efficient Sparse Secure Aggregation for Federated Learning. https://arxiv.org/pdf/2007.14861.pdf.
[5]
J. H. Bell, K. A. Bonawitz, A. Gascón, T. Lepoint, and M. Raykova. 2020. Secure Single-Server Aggregation with (Poly)Logarithmic Overhead. In CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9--13, 2020, Jay Ligatti, Xinming Ou, Jonathan Katz, and Giovanni Vigna (Eds.). ACM, 1253--1269.
[6]
M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. 1997. A Concrete Security Treatment of Symmetric Encryption. In 38th Annual Symposium on Foundations of Computer Science, FOCS '97, Miami Beach, Florida, USA, October 19--22, 1997. IEEE Computer Society, 394--403. https://doi.org/10.1109/SFCS.1997.646128
[7]
D. Beutel, T. Topal, A. Mathur, X. Qiu, T. Parcollet, and N. Lane. 2020. Flower: A Friendly Federated Learning Research Framework. CoRR abs/2007.14390 (2020). arXiv:2007.14390 https://arxiv.org/abs/2007.14390
[8]
K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. Brendan McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth. 2017. Practical Secure Aggregation for Privacy-Preserving Machine Learning. In Proceedings of the 2017 ACM SIGSAC, Bhavani M. Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu (Eds.). ACM, 1175--1191. https://doi.org/10.1145/3133956.3133982
[9]
M. Burkhart, M. Strasser, D. Many, and X. Dimitropoulos. 2010. SEPIA: PrivacyPreserving Aggregation of Multi-Domain Network Events and Statistics. In 19th USENIX Security Symposium, Washington, DC, USA, August 11--13, 2010, Proceedings. USENIX Association, 223--240. http://www.usenix.org/events/sec10/tech/ full_papers/Burkhart.pdf
[10]
Sebastian Caldas, Sai Meher Karthik Duddu, Peter Wu, Tian Li, Jakub Konený, H. Brendan McMahan, Virginia Smith, and Ameet Talwalkar. 2019. LEAF: A Benchmark for Federated Settings. arXiv:1812.01097 [cs.LG]
[11]
S. Carpov, K. Deforth, N. Gama, M. Georgieva, D. Jetchev, J. Katz, I. Leontiadis, M. Mohammadi, A. Sae-Tang, and M. Vuille. 2021. Manticore: Efficient Framework for Scalable Secure Multiparty Computation Protocols. Cryptology ePrint Archive, Report 2021/200. https://eprint.iacr.org/2021/200.
[12]
H. Corrigan-Gibbs and D. Boneh. 2017. Prio: Private, Robust, and Scalable Computation of Aggregate Statistics. In 14th USENIX 2017, Aditya Akella and Jon Howell (Eds.). USENIX Association, 259--282. https://www.usenix.org/ conference/nsdi17/technical-sessions/presentation/corrigan-gibbs
[13]
cuRAND. 2015. cuRAND: The API reference guide for cuRAND, the CUDA random number generation library. https://docs.nvidia.com/cuda/curand/index.html (2015).
[14]
G. Damaskinos, R. Guerraoui, A.-M. Kermarrec, V. Nitu, R. Patra, and F. Taïani. 2020. FLeet: Online Federated Learning via Staleness Awareness and Performance Prediction. In Middleware '20: 21st International Middleware Conference, Delft, The Netherlands, December 7--11, 2020, Dilma Da Silva and Rüdiger Kapitza (Eds.). ACM, 163--177. https://doi.org/10.1145/3423211.3425685
[15]
J. Geiping, H. Bauermeister, H. Dröge, and M. Moeller. 2020. Inverting Gradients - How easy is it to break privacy in federated learning?. In Proceding of NeurIPS 2020, Hugo Larochelle, Marc'Aurelio Ranzato, Raia Hadsell, Maria-Florina Balcan, and Hsuan-Tien Lin (Eds.). https://proceedings.neurips.cc/paper/2020/ hash/c4ede56bbd98819ae6112b20ac6bf145-Abstract.html
[16]
Alec Go, Richa Bhayani, and Lei Huang. 2009. Twitter sentiment classification using distant supervision. Processing 150 (01 2009).
[17]
K. Iwai, N. Nishikawa, and T. Kurokawa. 2012. Acceleration of AES encryption on CUDA GPU. Int. J. Netw. Comput. 2, 1 (2012), 131--145.
[18]
S. Kadhe, N. Rajaraman, O. Koyluoglu, and K. Ramchandran. 2020. FastSecAgg: Scalable Secure Aggregation for Privacy-Preserving Federated Learning. CoRR abs/2009.11248 (2020). arXiv:2009.11248 https://arxiv.org/abs/2009.11248
[19]
Peter Kairouz, H. Brendan McMahan, and al. 2019. Advances and Open Problems in Federated Learning. CoRR abs/1912.04977 (2019).
[20]
J. Konecný, H. B. McMahan, D. Ramage, and P. Richtárik. 2016. Federated Optimization: Distributed Machine Learning for On-Device Intelligence. CoRR abs/1610.02527 (2016). arXiv:1610.02527 http://arxiv.org/abs/1610.02527
[21]
W. Li, F. Milletarì, D. Xu, N. Rieke, J. Hancox, W. Zhu, M. Baust, Y. Cheng, S. Ourselin, M. J. Cardoso, and A. Feng. 2019. Privacy-Preserving Federated Brain Tumour Segmentation. In Machine Learning in Medical Imaging - 10th International Workshop, MLMI 2019 (LNCS, Vol. 11861), Heung-Il Suk, Mingxia Liu, Pingkun Yan, and Chunfeng Lian (Eds.). Springer, 133--141. https://doi.org/10. 1007/978--3-030--32692-0_16
[22]
D. Lie and P. Maniatis. 2017. Glimmers: Resolving the Privacy/Trust Quagmire. In Proceedings of the 16th Workshop on Hot Topics in Operating Systems, HotOS 2017, Whistler, BC, Canada, May 8--10, 2017, Alexandra Fedorova, Andrew Warfield, Ivan Beschastnikh, and Rachit Agarwal (Eds.). ACM, 94--99. https: //doi.org/10.1145/3102980.3102996
[23]
Zhen Lin, Utkarsh Mathur, and Huiyang Zhou. 2019. Scatter-and-Gather Revisited: High-Performance Side-Channel-Resistant AES on GPUs. In Proceedings of the 12th Workshop on General Purpose Processing Using GPUs (Providence, RI, USA) (GPGPU '19). Association for Computing Machinery, New York, NY, USA, 2--11. https://doi.org/10.1145/3300053.3319415
[24]
S. Manavski. 2007. CUDA Compatible GPU as an Efficient Hardware Accelerator for AES Cryptography. In 2007 IEEE International Conference on Signal Processing and Communications. 65--68.
[25]
B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. Agüera y Arcas. 2017. Communication-Efficient Learning of Deep Networks from Decentralized Data. In Proceedings of the 20th AISTATS, Aarti Singh and Xiaojin (Jerry) Zhu (Eds.), Vol. 54. PMLR, 1273--1282. http://proceedings.mlr.press/v54/mcmahan17a.html
[26]
H. Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Agüera y Arcas. 2017. Communication-Efficient Learning of Deep Networks from Decentralized Data. arXiv:1602.05629 [cs.LG]
[27]
National Institute of Standards and Technology. 2001. Advanced Encryption Standard. NIST FIPS PUB 197 (2001).
[28]
Jeffrey Pennington, Richard Socher, and Christopher Manning. 2014. GloVe: Global Vectors for Word Representation. In Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing (EMNLP). Association for Computational Linguistics, Doha, Qatar, 1532--1543. https://doi.org/10.3115/v1/ D14--1162
[29]
PyTorch. 2020. CSPRNG: Cryptographically secure pseudorandom number generators for PyTorch. https://github.com/pytorch/csprng (2020).
[30]
S. J. Reddi, Z. Charles, M. Zaheer, Z. Garrett, K. Rush, J. Konený, S. Kumar, and H. Brendan McMahan. 2021. Adaptive Federated Optimization. In 9th International Conference on Learning Representations, ICLR 2021, Virtual Event, Austria, May 3--7, 2021. OpenReview.net.
[31]
rocRAND. 2017. RAND library for HIP programming language. https://github. com/ROCmSoftwarePlatform/rocRAND (2017).
[32]
John K. Salmon, Mark A. Moraes, Ron O. Dror, and David E. Shaw. 2011. Parallel Random Numbers: As Easy as 1, 2, 3. In Proceedings of 2011 International Conference for High Performance Computing, Networking, Storage and Analysis (Seattle, Washington) (SC '11). Association for Computing Machinery, New York, NY, USA, Article 16, 12 pages. https://doi.org/10.1145/2063384.2063405
[33]
Felix Sattler, Simon Wiedemann, Klaus-Robert Müller, and Wojciech Samek. 2019. Sparse Binary Compression: Towards Distributed Deep Learning with minimal Communication. In International Joint Conference on Neural Networks, IJCNN 2019 Budapest, Hungary, July 14--19, 2019. IEEE, 1--8.
[34]
Reza Shokri and Vitaly Shmatikov. 2015. Privacy-Preserving Deep Learning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12--16, 2015, Indrajit Ray, Ninghui Li, and Christopher Kruegel (Eds.). ACM, 1310--1321.
[35]
J. So, B. Guler, and A. Avestimehr. 2020. Turbo-Aggregate: Breaking the Quadratic Aggregation Barrier in Secure Federated Learning. IACR Cryptol. ePrint Arch. 2020 (2020), 167. https://eprint.iacr.org/2020/167
[36]
Sijun Tan, Brian Knott, Yuan Tian, and David J. Wu. 2021. CryptGPU: Fast Privacy-Preserving Machine Learning on the GPU. CoRR abs/2104.10949 (2021). arXiv:2104.10949 https://arxiv.org/abs/2104.10949
[37]
Hanlin Tang, Chen Yu, Xiangru Lian, Tong Zhang, and Ji Liu. 2019. DoubleSqueeze: Parallel Stochastic Gradient Descent with Double-pass ErrorCompensated Compression. In Proceedings of the 36th International Conference on Machine Learning, ICML 2019, 9--15 June 2019, Long Beach, California, USA (Proceedings of Machine Learning Research, Vol. 97), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.). PMLR, 6155--6165.
[38]
Cihangir Tezcan. 2021. Optimization of Advanced Encryption Standard on Graphics Processing Units. IEEE Access 9 (2021), 67315--67326. https://doi.org/ 10.1109/ACCESS.2021.3077551
[39]
tinyAES. 2020. Small portable AES128/192/256 in C. https://github.com/kokke/ tiny-AES-c (2020).
[40]
Zhibo Wang, Mengkai Song, Zhifei Zhang, Yang Song, Qian Wang, and Hairong Qi. 2019. Beyond Inferring Class Representatives: User-Level Privacy Leakage From Federated Learning. In 2019 IEEE Conference on Computer Communications, INFOCOM 2019, Paris, France, April 29 - May 2, 2019. IEEE, 2512--2520. https: //doi.org/10.1109/INFOCOM.2019.8737416
[41]
L. Zhu and S. Han. 2020. Deep Leakage from Gradients. In Federated Learning - Privacy and Incentive, Qiang Yang, Lixin Fan, and Han Yu (Eds.). Lecture Notes in Computer Science, Vol. 12500. Springer, 17--31. https://doi.org/10.1007/978- 3-030--63076--8_2
Index Terms
- Falkor: Federated Learning Secure Aggregation Powered by AESCTR GPU Implementation
Recommendations
Verifiable Secure Aggregation Protocol Under Federated Learning
Artificial Intelligence Security and PrivacyAbstractFederated learning is a new machine learning paradigm used for collaborative training models among multiple devices. In federated learning, multiple clients participate in model training locally and use decentralized learning methods to ensure the ...
DealSecAgg: Efficient Dealer-Assisted Secure Aggregation for Federated Learning
ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and SecurityFederated learning eliminates the necessity of transferring private training data and instead relies on the aggregation of model updates. Several publications on privacy attacks show how these individual model updates are vulnerable to the extraction of ...
FedShare: Secure Aggregation based on Additive Secret Sharing in Federated Learning
IDEAS '23: Proceedings of the 27th International Database Engineered Applications SymposiumFederated learning is a machine learning technique where multiple clients with local data collaborate in training a machine learning model. In FedAvg, the main federated learning algorithm, clients train machine learning models locally and share the ...
Comments
Information & Contributors
Information
Published In
November 2023
111 pages
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 26 November 2023
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
CCS '23
Sponsor:
CCS '23: ACM SIGSAC Conference on Computer and Communications Security
November 26, 2023
Copenhagen, Denmark
Acceptance Rates
Overall Acceptance Rate 6 of 17 submissions, 35%
Upcoming Conference
CCS '24
- Sponsor:
- sigsac
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 67Total Downloads
- Downloads (Last 12 months)67
- Downloads (Last 6 weeks)1
Reflects downloads up to 10 Aug 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in