Abstract

In this paper, we present the first Federated Learning (FL) framework which is secure against both confidentiality and integrity threats from the aggregation server, in the case where the resulting model is not disclosed to the latter. We do so by combining Homomorphic Encryption (HE) and Verifiable Computing (VC) techniques in order to perform a Federated Averaging operator directly in the encrypted domain (by means of HE) and produce formal proofs that the operator was correctly applied (by means of VC). Due to the simplicity of the aggregation function, we are able to ground our approach in additive HE techniques which are highly mature in terms of security and decently efficient. We also introduce a number of optimizations which allows to reach practical execution performances on the larger deep learning models end of the spectrum. The paper also provides extensive experimental results on the FEMNIST dataset demonstrating that the approach preserves the quality of the resulting models at the cost of practically meaningful computing and communication overheads, at least in the cross-silo setting for which higher-end machines can be involved on both the client and server sides.