DOI: 10.1145/3133956.3133982
research-article
Open access

Practical Secure Aggregation for Privacy-Preserving Machine Learning

Published: 30 October 2017 Publication History

Abstract

We design a novel, communication-efficient, failure-robust protocol for secure aggregation of high-dimensional data. Our protocol allows a server to compute the sum of large, user-held data vectors from mobile devices in a secure manner (i.e. without learning each user's individual contribution), and can be used, for example, in a federated learning setting, to aggregate user-provided model updates for a deep neural network. We prove the security of our protocol in the honest-but-curious and active adversary settings, and show that security is maintained even if an arbitrarily chosen subset of users drop out at any time. We evaluate the efficiency of our protocol and show, by complexity analysis and a concrete implementation, that its runtime and communication overhead remain low even on large data sets and client pools. For 16-bit input values, our protocol offers $1.73\times$ communication expansion for $2^{10}$ users and $2^{20}$-dimensional vectors, and $1.98\times$ expansion for $2^{14}$ users and $2^{24}$-dimensional vectors over sending data in the clear.
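To make the abstract's two properties concrete (the server learns only the sum, and the sum is still recoverable when a user drops out), here is an added Python sketch of textbook pairwise additive masking; it is not code from the paper or its authors. Assumptions: the seed dictionary stands in for a pairwise key agreement, SHAKE-256 is used as the PRG, and dropout recovery is reduced to survivors disclosing the seed they shared with the missing user, so the protocol's threshold and active-adversary machinery is not modelled.

```python
import hashlib
import secrets

MOD = 1 << 16  # 16-bit input values, the setting quoted in the abstract

def prg(seed, dim):
    """Expand a seed into dim pseudorandom 16-bit words (SHAKE-256 as the PRG)."""
    stream = hashlib.shake_256(seed).digest(2 * dim)
    return [int.from_bytes(stream[2 * i:2 * i + 2], "big") for i in range(dim)]

def pairwise_seeds(users):
    """Assumption: one random seed per pair, standing in for a key agreement."""
    return {(u, v): secrets.token_bytes(32) for u in users for v in users if u < v}

def signed_mask(u, v, seeds, dim):
    """Mask user u applies for peer v: +PRG(s) if u < v, -PRG(s) otherwise."""
    sign = 1 if u < v else -1
    return [sign * m for m in prg(seeds[(min(u, v), max(u, v))], dim)]

def mask_input(u, x, users, seeds):
    """What user u uploads: its input plus one signed mask per other user."""
    y = list(x)
    for v in users:
        if v != u:
            y = [(a + m) % MOD for a, m in zip(y, signed_mask(u, v, seeds, len(x)))]
    return y

def aggregate(uploads, users, seeds, dim):
    """Server side: sum the uploads, then strip masks left uncancelled by dropouts."""
    total = [0] * dim
    for y in uploads.values():
        total = [(a + b) % MOD for a, b in zip(total, y)]
    for d in set(users) - set(uploads):      # users who never uploaded
        for u in uploads:                    # survivors disclose their seed with d
            total = [(a - m) % MOD for a, m in zip(total, signed_mask(u, d, seeds, dim))]
    return total

def demo():
    users = [1, 2, 3, 4]
    inputs = {1: [10, 20, 30], 2: [1, 2, 3], 3: [100, 200, 300], 4: [7, 7, 7]}  # constructed
    seeds = pairwise_seeds(users)
    uploads = {u: mask_input(u, inputs[u], users, seeds) for u in users}
    everyone = aggregate(uploads, users, seeds, 3)
    del uploads[3]                           # user 3 drops out before uploading
    without_3 = aggregate(uploads, users, seeds, 3)
    return everyone, without_3

if __name__ == "__main__":
    print(demo())
```

Each upload on its own is the input shifted by pseudorandom masks; the masks cancel only when the uploads are added together.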

    Published In

    CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
    October 2017
    2682 pages
    ISBN:9781450349468
    DOI:10.1145/3133956
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. federated learning
    2. machine learning
    3. privacy-preserving protocols
    4. secure aggregation

    Qualifiers

    • Research-article

    Conference

    CCS '17

    Acceptance Rates

    CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
