CN116438554A - Distributed training with random security averaging - Google Patents

Distributed training with random security averaging Download PDF

Info

Publication number
CN116438554A
CN116438554A CN202080107117.3A CN202080107117A CN116438554A CN 116438554 A CN116438554 A CN 116438554A CN 202080107117 A CN202080107117 A CN 202080107117A CN 116438554 A CN116438554 A CN 116438554A
Authority
CN
China
Prior art keywords
client device
central server
key
client
model update
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202080107117.3A
Other languages
Chinese (zh)
Inventor
托马斯·凡内特
周雪冰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of CN116438554A publication Critical patent/CN116438554A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Data Mining & Analysis (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for distributed machine learning of a network, comprising: a local model update vector is received. The method further includes generating a public key and a secret key. The method also includes receiving an external public key of each other client device. The method further includes generating a pseudo-random number based on the key and the external public key. The method also includes determining whether to assign each other client device to a set of neighbor devices of the client device. The method further comprises the steps of: and generating model update output according to safety and protocols based on the neighbor device set, and outputting the model update output for sending the model update output to a central server to be combined into global model update. The method enhances the privacy protection of the user data, solves the expansion problem, and ensures high practical utility.

Description

Distributed training with random security averaging
Technical Field
The present disclosure relates generally to the fields of data security and machine learning; and more particularly to a method and apparatus for distributed machine learning (or training) using a random secure average protocol.
Background
Today, many services use Machine Learning (ML) to improve their usability in everyday life. Generally, machine learning algorithms include two phases: a training phase and a prediction phase. Using machine learning algorithms, models were developed that were trained using sample data. The sample data is used during a training phase in order to make predictions (or decisions) during a prediction phase of the model. In general, when using customer data or personal data during the training phase and the prediction phase of the model, how to implement privacy protection becomes a major technical problem.
Currently, several approaches have been proposed to enhance privacy, such as traditional federal learning (federated learning, FL). Traditional federal learning is used as a distributed training mechanism for models, without forcing clients (or clients) to upload their raw data during the training phase. Thus, traditional federal learning reduces overall communication costs while partially enhancing privacy. Traditional federal learning addresses to some extent the need to continually update models at low cost and presents the possibility of locally training models by using local data of the client (or clients). However, conventional federal learning has privacy concerns, for example, personal data can be extracted directly from model updates received by conventional servers. In addition, models (or trained models) that are shared with other clients may also reveal personal information of clients (or clients) that are engaged in the model training phase. The privacy problem of conventional federal learning can be solved to some extent by using conventional security and techniques and conventional differential privacy (differential privacy, DP) techniques. In other words, distributed training of the model (or machine learning model) is performed by using conventional security and techniques or conventional differential privacy techniques. Conventional security and techniques are cryptographic techniques that simultaneously perform distributed and private computations on the sum of updates for multiple clients (or clients) and prevent conventional servers from observing any individual updates. Thus, conventional security and techniques protect the privacy of individual clients in a distributed learning manner. However, as the number of clients increases, traditional security and techniques incur higher computational costs and do not provide privacy guarantees for the final trained model. In conventional differential privacy techniques, a conventional server adds noise after each global iteration of the training phase. Thus, conventional differential privacy techniques provide a certain amount of formal privacy guarantees for the final trained model. However, conventional differential privacy techniques do not address privacy concerns associated with conventional servers. Furthermore, conventional differential privacy techniques require a large number of clients, whereas conventional security and techniques exhibit expansion problems (i.e., are not properly expandable and are prone to error) as the number of clients increases. Thus, when a large number of clients are involved, or when the number of clients (i.e., client devices) increases, there is a technical problem that privacy protection of client data or personal data is insufficient, and the expansion problem is revealed.
Thus, in light of the foregoing discussion, there is a need to overcome the above-described shortcomings associated with conventional techniques for distributed machine learning.
Disclosure of Invention
The present disclosure seeks to provide methods and apparatus for distributed machine learning that improve privacy protection of user data or personal data with high performance and high utility. The present disclosure seeks to provide a solution to the existing problem of insufficient privacy protection of the client's data or personal data when a large number of clients are involved or when the number of clients (i.e. client devices) increases leading to expansion problems. It is an object of the present disclosure to provide a solution that at least partially overcomes the problems encountered in the prior art and to provide methods and apparatus for distributed machine learning that improve privacy protection of user data, including personal data, while addressing the expansion problem and ensuring high performance and high practical utility.
The object of the present disclosure is achieved by the solution provided in the attached independent claims. Advantageous implementations of the present disclosure are further defined in the dependent claims.
In one aspect, the present disclosure provides a method for distributed machine learning of a network, comprising: a processor of the client device receives the local model update vector. The method further comprises the steps of: the processor generates a public key and a secret key, wherein the public key is for broadcasting to a plurality of other client devices on the network. The method also includes the processor receiving an external public key of each of the other client devices. The method further includes, for each of the other client devices: generating a pseudo-random number based on the secret key and an external public key; a determination is made as to whether to assign each other client device to a set of neighbor devices of the client device based on the pseudorandom number and a predetermined neighbor probability parameter. The method further comprises the steps of: the processor generates model updating output according to safety and protocol based on the neighbor device set; the processor outputs a model update output for sending the model update output to the central server for incorporation into the global model update.
The method of the present disclosure uses distributed machine learning with a random secure average (random secure averaging, rdSA) protocol. The disclosed methods provide enhanced privacy protection, improved performance, and high utility of data (including personal data) of a client device (or user). The disclosed methods use a combination of security and techniques (or cryptographic techniques) and differential privacy techniques in a coordinated and synergistic manner to enhance data privacy of client devices. Methods using security and protocols prevent the central server from accessing private information from any individual client. Advantageously, the method of the present disclosure uses a neighbor selection algorithm. Based on a neighbor selection algorithm, a neighbor set is selected in each iteration of the random secure average (RdSA) protocol. By using a neighbor selection algorithm, the number of client devices is reduced in each iteration of the RdSA protocol, which further solves the expansion problem. The use of neighbor selection algorithms also enables the use of differential privacy techniques to further enhance the privacy protection of data of the client device.
In one implementation, the neighbor probability parameter is used to define the number of neighbors in a set of neighbor devices based on predefined values, wherein the predefined values are defined based on modeling risk of a successful attack.
The disclosed method provides enhanced privacy protection and improved performance of user data, even in the presence of a large number of client devices. By using neighbor selection algorithms, the expansion problem of traditional security and technology is solved. By using a neighbor selection algorithm, the client device selects its neighbors based on neighbor probability parameters. The neighbors are chosen in such a way that each pair of client devices negotiates as to whether they are neighbors, and that any other client device (e.g. a central server) has no knowledge as to whether they are neighbors. When the number of client devices is large, the neighbor selection algorithm still provides strong privacy at low computational cost by selecting a neighbor client device set. Furthermore, the use of neighbor selection algorithms enables the use of differential privacy techniques to further enhance the data privacy of the client.
In another implementation, for a neighbor probability parameter p and a predefined value r:
f(n h p) > 1-r, and for accuracy delta, f (n h ,p-δ)<1-r
Wherein:
Figure BDA0004224235390000021
wherein:
Figure BDA0004224235390000022
by configuring the neighbor probability parameter p, the disclosed method can be used with both active and passive security models. The active security model provides protection against very powerful (e.g., national or state level) or internal attackers. The passive security model provides protection against data leakage, remote hackers, and compliance with regulations.
In another implementation, generating a model update output according to security and protocol includes: a one-time codebook is generated for each neighbor device and a plurality of one-time codebooks are added to the local model update vector, wherein the one-time codebook for each neighbor device is generated based on a shared key derived from a key of the client device and an external public key of the neighbor device.
Adding a plurality of one-time codebooks to the local model update vector of the client device encrypts the key value of the client device.
In another implementation, the set of all one-time codebooks generated by the plurality of client devices is substantially zero in aggregate.
The set of all onetime codebooks generated by the plurality of client devices is added at the central server, essentially zero, which means that the central server obtains the sum of the (unencrypted) keys of the clients.
In another implementation, generating the model update output according to the security and protocol includes splitting the local model vector update into a plurality of portions according to the number of neighbor devices, sending the plurality of portions to the respective neighbor devices, receiving external portions from the neighbor devices, and summing the plurality of external portions to form the model update output.
Splitting the local model vector update into multiple parts according to the number of neighbor devices improves the key sharing at the client side compared to traditional security and techniques where the expansion problem is prominent.
In another implementation, generating the model update output includes adding a locally generated noise signal to the local model update vector, the distribution of the locally generated noise signal being gaussian or binomial.
In differential privacy techniques, locally generated noise signals are added to the local model update vector to provide improved local privacy, which means that private data is adequately protected. The central server cannot observe any private information from any individual client. The noise signal is added locally (client side) rather than centrally (server side) because local privacy is preferable to central privacy. The locally generated binomial distributed noise signal is used to provide local privacy protection.
In another implementation, the locally generated noise signals are generated with a standard deviation defined by noise parameters received from the central server, wherein the noise parameters of each client device are such that the corresponding locally generated noise signals from the plurality of client devices are aggregated into a global noise with a predetermined standard deviation.
The global noise is binomially distributed by generating a locally generated noise signal with a standard deviation selected by the central server.
In another implementation, the method further includes converting the local model update vector from a vector of floating point values to an integer vector.
Converting the local model update vector from a vector of floating point values to a (modulo) integer vector ensures the security of the client.
In another implementation, the method further includes sending the public key to a central server and receiving the external public key from the central server.
The public key is transmitted to a central server which further transmits the public key to other client devices so that the client devices can perform key agreement with the other client devices and select their neighbors.
In another implementation, a computer readable medium stores instructions that, when executed, cause a client device processor to perform the method.
The client device processor achieves all the advantages and effects of the method.
In another aspect, the present disclosure provides a client device including a training module for generating a local model update vector. The client device also includes a processor for generating the public key and the secret key. The client device further comprises a transceiver for: the public key is broadcast to a plurality of other client devices on the network, the external public key of each other client device is received, and the model update output is sent to a central server for incorporation into the global model update. The processor of the client device is further configured to generate a pseudo-random number for each of the other client devices based on the key and the external public key. The processor of the client device is further configured to determine whether to assign each other client device to a set of neighbor devices of the client device based on the pseudo-random number and the predetermined neighbor probability parameter. The processor of the client device is further configured to generate a model update output based on the set of neighbor devices according to the security and protocol.
The client device of the present disclosure exhibits enhanced local privacy of personal data. The client device uses a neighbor selection algorithm that reduces the number of client devices per iteration of the RdSA protocol. Thus, the client device exhibits reduced computational cost even in the presence of a large number of client devices. The client device uses security and technology (or cryptographic technology) and prevents the central server from accessing private information from any individual client.
In one implementation, the neighbor probability parameter is used to define the number of neighbors in a set of neighbor devices based on predefined values, wherein the predefined values are defined based on modeling risk of a successful attack.
The client device selects its neighbors by using neighbor probability parameters in a neighbor selection algorithm. The neighbors are chosen in such a way that each pair of client devices negotiates as to whether they are neighbors, and that any other client device (e.g. a central server) has no knowledge as to whether they are neighbors.
In another implementation, for a neighbor probability parameter p and a predefined value r:
f(n h p) > 1-r, and for accuracy delta, f (n h ,p-δ)<1-r
Wherein:
Figure BDA0004224235390000041
wherein:
Figure BDA0004224235390000042
by configuring the neighbor probability parameter p, the client device can be used in an active security model and for a passive security model.
In another implementation, the processor is further configured to generate the model update output according to the security and protocol by: a one-time codebook is generated for each neighbor device and a plurality of one-time codebooks are added to the local model update vector, wherein the one-time codebook for each neighbor device is generated based on a shared key derived from a key of the client device and an external public key of the neighbor device.
Adding a plurality of one-time codebooks to the local model update vector of the client device encrypts the key value of the client device.
In another implementation, the set of all one-time codebooks generated by the plurality of client devices is substantially zero in aggregate.
The set of all onetime codebooks generated by the plurality of client devices is added at the central server, essentially zero, which means that the central server obtains the sum of the (unencrypted) keys of the clients.
In another implementation, the processor is further configured to generate the model update output according to the security and protocol by: splitting the local model vector update into a plurality of portions according to the number of neighbor devices, sending the plurality of portions to respective neighbor devices, receiving external portions from the neighbor devices, and summing the plurality of external portions to form a model update output.
Splitting the local model vector update into multiple parts according to the number of neighbor devices improves the key sharing at the client side compared to traditional security and techniques where the expansion problem is prominent.
In another implementation, the processor is configured to generate the model update output by adding a locally generated noise signal to the local model update vector, the distribution of the locally generated noise signal being gaussian or binomial.
In differential privacy techniques, a client device adds locally generated noise signals to a local model update vector to provide improved local privacy, which means that private data is adequately protected. The central server cannot observe any private information from any individual client. The noise signal is added locally (client side) rather than centrally (server side) because local privacy is preferable to central privacy. The locally generated binomial distributed noise signal is used to provide local privacy protection.
In another implementation, the locally generated noise signals are generated with a standard deviation defined by noise parameters received from the central server, wherein the noise parameters of each client device are such that the corresponding differential private noise signals from the plurality of client devices are aggregated into a global noise with a predetermined standard deviation.
The global noise is binomially distributed by generating a locally generated noise signal with a standard deviation selected by the central server.
In another implementation, the processor is further configured to convert the local model update vector from a vector of floating point values to an integer vector.
The client device converts the local model update vector from a vector of floating point values to a (modulo) integer vector to ensure security.
In another implementation, the transceiver is further configured to send the public key to the central server and receive the external public key from the central server.
The client device transmits the public key to the central server, which further transmits the public key to other client devices so that the client device can perform key agreement with the other client devices and select its neighbors.
In another aspect, the present disclosure provides a method for distributed machine learning of a network, comprising: the method comprises the steps that a central server receives a plurality of model update outputs sent by a plurality of client devices; the method further comprises the steps of: the central server determines a sum of model updates based on the plurality of model update outputs. The method further comprises the steps of: the central server updates the global model based on the sum of model updates. The method further comprises the steps of: the central server sends global model updates to each client device.
The central server performs a random security averaging of the plurality of model update outputs sent by the plurality of client devices. Based on the random security average, the central server determines global model updates that are further shared with the plurality of client devices. Due to the global model update, multiple client devices exhibit improved accuracy and enhanced personal data privacy protection.
In one implementation, updating the global model includes converting integer vectors to floating point vectors.
The global model includes a conversion from integer vectors to floating point vectors for ease of operation.
In another implementation, the method further includes the central server determining that the client device has been dropped. The method further includes the central server adding additional noise to the sum of model updates based on a predetermined variance value of the local noise added to the sum of model updates.
The central server determines if any client devices are dropped during execution of the RdSA protocol. After determining the drop, the central server compensates for the missing noise by adding additional noise to the sum of the model updates. In this way, the center server also performs differential noise recovery.
In another implementation, the method further includes executing a client drop recovery protocol (client dropout recovery protocol), comprising: the central server receives a plurality of key parts from a plurality of client devices, represents a key set of each client device, is split into a plurality of key parts according to a key sharing protocol, is distributed among the client devices, and is transmitted to the central server by each client device. The method also includes the central server determining that the client device has been dropped. The method also includes the central server combining the received plurality of key portions corresponding to the dropped client to recover the key corresponding to the dropped client.
The central server performs client-side drop recovery by using a key sharing protocol in the event of client-side drop.
In another implementation, a computer readable medium stores instructions that, when executed, cause a central server processor to perform the method.
The central server processor achieves all the advantages and effects of this approach.
In another aspect, the present disclosure provides a central server comprising a transceiver for receiving a plurality of model update outputs transmitted by a plurality of client devices and transmitting a global model update to each client device. The central server further includes a processor for determining a sum of model updates based on the plurality of model update outputs and updating the global model based on the sum of model updates to generate a global model update.
The central server performs a random security averaging of the plurality of model update outputs sent by the plurality of client devices. Based on the random security average, the central server determines global model updates that are further shared with the plurality of client devices. Due to the global model update, multiple client devices exhibit improved accuracy and enhanced personal data privacy protection.
In one implementation, updating the global model includes converting integer vectors to floating point vectors.
The global model includes a conversion from integer vectors to floating point vectors to make the central server easy to operate.
In another implementation, the processor is further configured to determine that the client device has been dropped. The processor is further configured to add additional noise to the sum of model updates based on a predetermined variance value of the local noise added to the sum of model updates.
The central server determines if any client devices are dropped during execution of the RdSA protocol. After determining the dropped line, the central server compensates for the lost noise by adding additional noise to the sum of the model updates. In this way, the center server also performs differential noise recovery.
In another implementation, the central server is further configured to perform a client-side offline recovery protocol, including: the transceiver receives a plurality of key parts from a plurality of client devices, represents a key set of each client device, is split into a plurality of key parts according to a key sharing protocol, is distributed among the client devices, and is transmitted to the center server by each client device. The central server is further configured to perform a client-side offline recovery protocol, including: the processor determines that the client device has dropped. The central server is further configured to perform a client-side offline recovery protocol, including: the processor combines the received plurality of key portions corresponding to the dropped client to recover the key corresponding to the dropped client.
The central server performs client-side drop recovery by using a key sharing protocol in the event of client-side drop.
It should be noted that all devices, elements, circuits, units and modules described in this application may be implemented by software or hardware elements or any type of combination thereof. All steps performed by the various entities described in this application and the functions described to be performed by the various entities are intended to indicate that the respective entities are suitable for or for performing the respective steps and functions. Although in the following description of specific embodiments, specific functions or steps performed by external entities are not reflected in the description of specific detailed elements of the entity performing the specific steps or functions, it should be clear to a skilled person that these methods and functions may be implemented by corresponding hardware or software elements or any combination thereof. It should be understood that various combinations of the features of the disclosure may be made without departing from the scope of the disclosure as defined in the appended claims.
Additional aspects, advantages, features and objects of the present disclosure will become apparent from the accompanying drawings and detailed description of illustrative implementations which are explained in connection with the following appended claims.
Drawings
The foregoing summary, as well as the following detailed description of illustrative embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the disclosure, there is shown in the drawings exemplary constructions of the disclosure. However, the present disclosure is not limited to the specific methods and instrumentalities disclosed herein. Moreover, those skilled in the art will appreciate that the drawings are not drawn to scale. Wherever possible, like elements are designated by like numerals.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the following figures.
Fig. 1 is a flow chart of a method for distributed machine learning of a network according to an embodiment of the present disclosure.
Fig. 2 is a flow chart of a method for distributed machine learning of a network according to another embodiment of the present disclosure.
FIG. 3A is a network environment diagram depicting distributed machine learning using random security averaging, according to an embodiment of the present disclosure.
Fig. 3B is a block diagram of various exemplary components of a client device according to embodiments of the present disclosure.
Fig. 3C is a block diagram of various exemplary components of a central server according to an embodiment of the present disclosure.
FIG. 4 is a network environment diagram depicting distributed machine learning with random security averaging in accordance with another embodiment of the present disclosure.
Fig. 5 illustrates an exemplary implementation scenario of distributed machine learning according to an embodiment of the present disclosure.
In the drawings, the underlined numbers are used to denote items where the underlined numbers are located or items adjacent to the underlined numbers. The non-underlined number refers to an item identified by a line connecting the non-underlined number with the item. When a number is not underlined and has an associated arrow, the number without the underline is used to identify the general item to which the arrow points.
Detailed Description
The following detailed description describes embodiments of the present disclosure and the manner in which the embodiments may be implemented. While some modes of carrying out the disclosure have been disclosed, those skilled in the art will recognize that other embodiments for carrying out or practicing the disclosure may also exist.
Fig. 1 is a flow chart of a method for distributed machine learning of a network according to an embodiment of the present disclosure. Referring to fig. 1, a method 100 for distributed machine learning of a network is shown. Method 100 includes steps 102, 104, 106, 108, 110, 112, and 114. In one implementation, the method 100 is performed by a client device, such as described in detail in fig. 3A and 3B.
In step 102, the method 100 includes: a processor of the client device receives the local model update vector. The processor of the client device updates the local model update vector by using the local data or the raw data of the client device.
In step 104, the method 100 further comprises: the processor generates a public key and a secret key, wherein the public key is for broadcasting to a plurality of other client devices on the network. The generated public key and the key (or private key) of the client device are used to perform key agreement with another client device.
In step 106, the method 100 further includes the processor receiving an external public key of each of the other client devices. The processor of the client device performs a key agreement with a plurality of other client devices on the network and generates a key pair based on the received external public key. Key negotiation is performed using a key negotiation scheme, such as elliptic curve-diffie-hellman (ECDH), that supports two client devices establishing a shared key over an unsecured channel, each with an elliptic curve external public-key pair (also referred to as a shared key). For example, s u,v Is a shared key between two clients, e.g. client u and client v. The shared key is obtained by applying a secure key derivation function, such as a hash-based key derivation function (hash-based key derivation function, HKDF), to the public key-key pair (or shared key) outside the elliptic curve.
In step 108, the method 100 further comprises, for each other client device: a pseudo-random number is generated based on the secret key and the external public key. Elliptic curve external public key-key pairs based on the key and the external public key are used to generate pseudo-random numbers for each of the other client devices. Shared secret s u,v As pseudo-randomSeed of a number generator, which is secure and deterministic. For example, the number of the cells to be processed,
Figure BDA0004224235390000071
is a random number sequence generated by the client pair (u, v).
In step 110, the method 100 further comprises, for each other client device: a determination is made as to whether to assign each other client device to a set of neighbor devices of the client device based on the pseudorandom number and a predetermined neighbor probability parameter. For example, for each other client device (i.e., client v), the client device (i.e., client u) generates a pseudo-random number, e.g.
Figure BDA0004224235390000072
At least 128 bits. The neighbor device set (i.e., of client u) for the client device is:
Figure BDA0004224235390000073
wherein: p is a predetermined neighbor probability parameter for each other client device and d is the bit size of the generated pseudo random number.
In step 112, the method 100 further comprises: the processor generates a model update output based on the set of neighbor devices according to the security and protocol. Security and protocols are used to generate model update outputs by using either an additive key sharing scheme or a one-time-pad (OTP) based scheme.
In step 114, the method 100 further comprises: the processor outputs a model update output for sending the model update output to the central server for incorporation into the global model update. The processor of the client device sends the locally trained model update output to the central server to ultimately determine global model updates that are further shared with each client device.
According to an embodiment, the neighbor probability parameter is used to define the number of neighbors in the set of neighbor devices based on a predefined value, wherein the predefined value is defined based on a modeling risk of a successful attack. For N-wheel trainingTraining, a predefined value of modeling risk based on a successful attack is denoted r tot . The predefined value calculated for each round of training is
Figure BDA0004224235390000081
So that 1- (1-r) N =r tot . The modeling risk of a successful attack is also referred to as the risk parameter α, such that α ε [0,1 ]]. The risk parameter α represents the probability that the privacy of at least one client is not protected by the central server. The risk parameter α may be calculated for each round of training, or may be calculated for N rounds of training (or the entire training). In one example, if α=0.01 per round, the likelihood that the privacy of at least one client is not protected in terms of the central server is 1% for each round of training. In another example, if α=0.1 for 100 (i.e., n=100) rounds of training, then at some point during the training, the likelihood that at least one customer's privacy is not protected is 10%. The risk parameter a may be selected based on the traffic needs. Higher privacy risks translate into better computing performance. Typically, the risk parameter α is chosen to be of the same order of magnitude as the standard δ -parameter used in conventional differential privacy techniques.
According to an embodiment, for a neighbor probability parameter p and a predefined value r:
f(n h p) > 1-r, and for accuracy delta, f (n h ,p-δ)<1-r
Wherein:
Figure BDA0004224235390000082
wherein:
Figure BDA0004224235390000083
f(n h p) is n h Probability of random graph connection on each vertex. The method 100 includes an active security model and a passive security model. Active security model attempts to recover at malicious server by modifying messages sent by multiple clientsPrivacy protection is provided in the case of updates of the client. The active security model provides security suitable for highly confidential data (e.g., medical data or financial data). In addition, the active security model provides protection against very powerful (e.g., national or state level) or internal attackers. The passive security model provides privacy protection in the case of honest but curious servers, where an attacker attempts to recover updates of clients by listening to conversations between the number of clients and the legacy server. The passive security model provides security suitable for personal data, for example. Additionally, the passive security model provides protection against data leakage, remote hacking, and compliance with regulations.
According to an embodiment, generating model update outputs from security and protocol includes: a one-time codebook is generated for each neighbor device and a plurality of one-time codebooks are added to the local model update vector, wherein the one-time codebook for each neighbor device is generated based on a shared key derived from a key of the client device and an external public key of the neighbor device. In general, in cryptography, a one-time codebook is an encryption technique that encrypts a shared key using a key of a client device and an external public key of a neighbor device. For example, for each other client device (i.e., client v), the client device (i.e., client u) uses the generated pseudo-random number sequence
Figure BDA0004224235390000084
A one-time pad (OTP) is generated such that two neighbor devices use the same OTP. Thereafter, a plurality of one-time codebooks (i.e., encryption keys) generated for a plurality of other client devices are added to the local model update vector. Thus, a sum is obtained for the (unencrypted) key of each client device. According to an embodiment, the number of neighbors per client is significantly reduced by the neighbor selection algorithm described above, which reduces the costs associated with the aggregation step on the client device.
According to an embodiment, the set of all onetime codebooks generated by the plurality of client devices amounts to substantially zero. The generated OTPs of each pair of neighbors cancel each other out, and therefore the sum of the set of all one-time codebooks generated by the plurality of client devices is equal to zero.
Alternatively, according to an embodiment, generating the model update output according to the security and protocol includes splitting the local model vector update into a plurality of portions according to the number of neighbor devices, sending the plurality of portions to the respective neighbor devices, receiving the external portions from the neighbor devices, and summing the plurality of external portions to form the model update output. Security and protocols are used to generate model update outputs by using an additive key sharing scheme, such as Shamir key sharing (Shamir Secret Sharing, SSS). In the additive key sharing scheme, the local model update vector is quantized and treated as a vector of fixed length integers. The client device splits each integer into multiple parts, one for each neighbor device. The plurality of portions are transmitted to respective neighbor devices. Thereafter, an external portion is received from the neighbor device and added to form a model update output.
According to an embodiment, generating the model update output comprises adding a locally generated noise signal to the local model update vector, the distribution of the locally generated noise signal being gaussian or binomial. The locally generated noise signal has a gaussian distribution or a binomial distribution. Binomial distribution is generally preferred, particularly for small word sizes.
According to an embodiment, the locally generated noise signals are generated with a standard deviation defined by noise parameters received from the central server, wherein the noise parameters of each client device are such that the corresponding locally generated noise signals from the plurality of client devices are aggregated into a global noise with a predetermined standard deviation. The corresponding locally generated noise signal sets from the plurality of client devices have a binomial distribution and a predetermined standard deviation (σ) when added to the global noise.
According to an embodiment, the method 100 further comprises converting the local model update vector from a vector of floating point values to an integer vector. The local model update vector is converted from a vector of floating point values to an integer (or modulo) vector by a quantization process. In the quantization process, an unbiased, space-efficient algorithm is used. For example, the requirement for separate model parameters requires efficient mapping of boundary support to integer space. These boundaries may be provided directly by the central server or may be inferred from Differential Privacy (DP) specific parameters, such as model update cutoff boundaries S. Quantification must take into account the risk of overflow when summing weighted updates from multiple other client devices. In particular, a number of other client devices must know the sum of the weights to be used during this iteration.
According to an embodiment, the method 100 further comprises sending the public key to the central server and receiving the external public key from the central server. The public key generated by the processor of the client device is transmitted to the central server. The processor of the client device is configured to receive the external public key of each of the other client devices from the central server.
According to an embodiment, a computer-readable medium stores instructions that, when executed, cause a client device processor to perform the method 100. The processor of the client device is configured to perform the method 100.
Steps 102, 104, 106, 108, 110, 112, and 114 are merely illustrative, and other alternatives may be provided in which one or more steps are added, one or more steps are deleted, or one or more steps are provided in a different order without departing from the scope of the claims herein.
Fig. 2 is a flow chart of a method for distributed machine learning of a network according to another embodiment of the present disclosure. Fig. 2 is described in connection with the elements of fig. 1. Referring to fig. 2, a method 200 for distributed machine learning of a network is shown. Method 200 includes steps 202, 204, 206, and 208. In one implementation, the method 200 is performed by a central server, such as described in detail in fig. 3A and 3C.
In step 202, the method 200 includes a central server receiving a plurality of model update outputs transmitted by a plurality of client devices. The central server receives a plurality of model update outputs corresponding to a plurality of client devices. Each of the plurality of client devices generates one of a plurality of model update outputs by training its respective local model update vector.
In step 204, the method 200 further comprises: the central server determines a sum of model updates based on the plurality of model update outputs. The central server obtains a vector representing a sum of model updates based on the plurality of model update outputs.
In step 206, the method 200 further includes the central server updating the global model based on the sum of model updates. The central server determines a global model update shared with each of the plurality of client devices based on the sum of the model updates.
In step 208, the method 200 further includes the central server sending global model updates to each client device. The central server sends the global model updates to each client device for the next iteration.
According to an embodiment, updating the global model includes converting the integer vector to a floating point vector. The global model is updated by converting from integer (modulo) vectors to floating point vectors through an inverse quantization process. Conversion from integer (modulo) vectors to floating point vectors results in the sum of noise model updates. If the client device has dropped during this process, the central server considers the lost noise when performing the dequantization process.
According to an embodiment, the method further comprises the central server determining that the client device has been dropped. The method further includes the central server adding additional noise to the sum of model updates based on a predetermined variance value of the local noise added to the sum of model updates. In one case, the central server is configured to perform noise compensation in the event that one or more of the plurality of client devices have been dropped during execution of a random secure average (RdSA) protocol. The central server is configured to add additional noise to the sum of model updates based on a predetermined variance value of local noise added to the sum of model updates, such as is described in detail in fig. 3A.
According to an embodiment, the method further comprises executing a client-side drop recovery protocol, comprising: the central server receives a plurality of key parts from a plurality of client devices, represents a key set of each client device, splits the key set into a plurality of key parts according to a key sharing protocol, distributes among the client devices, and transmits to the central server by each client device. The method also includes the central server determining that the client device has been dropped. The method also includes the central server combining the received plurality of key portions corresponding to the dropped client to recover the key corresponding to the dropped client. The central server combines the received plurality of key portions corresponding to the dropped clients to derive a value of random noise added in the sum of the model updates. The addition of the value of the random noise is used to compensate for the noise lost in the sum of model updates due to dropped clients. For example, detailed description is provided in fig. 3A.
According to an embodiment, a computer readable medium stores instructions that, when executed, cause a central server processor to perform the method 200. The processor of the central server is used to perform the method 200.
Steps 202, 204, 206, and 208 are merely illustrative, and other alternatives may be provided in which one or more steps are added, deleted, or provided in a different order without departing from the scope of the claims herein.
Fig. 3A is a network environment diagram depicting distributed machine learning using a random secure average protocol in accordance with an embodiment of the present disclosure. Fig. 3A is described in conjunction with the elements of fig. 1 and 2. Referring to fig. 3A, a system 300A is shown that includes a plurality of client devices 302, a central server 304, and a network 306. The plurality of client devices 302 includes a client device 302A and other client devices 302B-302N. System 300A depicts an exemplary sequence of operations 308A, 308B, 308C, 308D, 308E, and 308F performed by client device 302A.
Each of the plurality of client devices 302 may comprise suitable logic, circuitry, interfaces and/or code that may be operable to communicate with the central server 304 via the network 306. Each of the plurality of client devices 302 is also used to train the local model update vector and calculate a model update output. Examples of the plurality of client devices 302 may include, but are not limited to, user devices, notebook computers, computing devices, communicators, including portable or non-portable electronic devices, or supercomputers. For example, various exemplary components of client device 302A are described in detail in fig. 3B.
The central server 304 may comprise suitable logic, circuitry, interfaces, or code that may be operable to communicate with a plurality of client devices 302 via a network 306. The central server 304 is also used to determine global model updates that are further shared with each of the plurality of client devices 302 for the next iteration. Examples of the central server 304 include, but are not limited to, a storage server, a cloud server, a Web server, an application server, or a combination thereof. According to an embodiment, the central server 304 includes physical or virtual computing entity devices capable of enhancing information to perform various computing tasks. In one example, the central server 304 may be a single hardware server. In another example, the central server 304 may be a plurality of hardware servers operating in a parallel or distributed architecture. In one implementation, the central server 304 may include components, such as memory, processors, network interfaces, etc., to store, process, or share information with the plurality of client devices 302. In another implementation, the central server 304 is implemented as a computer program that provides various services (e.g., database services) to a plurality of client devices 302 or modules or apparatuses. For example, various exemplary components of central server 304 are described in detail in FIG. 3C.
Network 306 includes a medium (e.g., a communication channel) through which a plurality of client devices 302 communicate with central server 304 and vice versa. The network 306 may be a wired or wireless communication network. Examples of network 306 may include, but are not limited to, a wireless fidelity (Wireless Fidelity, wi-Fi) network, a local area network (Local Area Network, LAN), a wireless personal area network (wireless personal area network, WPAN), a wireless local area network (Wireless Local Area Network, WLAN), a wireless wide area network (wireless wide area network, WWAN), a cloud network, a long term evolution (Long Term Evolution, LTE) network, a metropolitan area network (Metropolitan Area Network, MAN), or the internet. Multiple client devices 302 and central servers 304 may be used to connect to network 306 according to various wired and wireless communication protocols. Examples of such wired and wireless communication protocols may include, but are not limited to, transmission control protocol and internet protocol (Transmission Control Protocol and Internet Protocol, TCP/IP), user datagram protocol (User Datagram Protocol, UDP), hypertext transfer protocol (Hypertext Transfer Protocol, HTTP), file transfer protocol (File Transfer Protocol, FTP), zigBee, EDGE, infrared (IR), IEEE 802.11, 802.16, long Term Evolution (LTE), light Fidelity (Li-Fi), or other cellular communication protocol or Bluetooth (BT) communication protocol, including variants thereof.
In operation, a client device 302A of the plurality of client devices 302 performs local training in a series of operations. In operation 308A, the client device 302A is configured to generate a local model update vector. Client device 302A updates the local model update vector by using the local data.
In operation 308B, the client device 302A is also used to generate a public key and a secret key. Client device 302A generates a public key and a secret key (or private key) to perform key agreement with other client devices 302B-302N.
In operation 308C, the client device 302A is also configured to broadcast the public key to the other client devices 302B-302N on the network 306, receive the external public key of each of the other client devices 302B-302N, and send the model update output to the central server 304 for incorporation into the global model update 312. Client device 302A is configured to broadcast the generated public key to other client devices 302B-302N on network 306. In one case, the client device 302A cannot communicate directly with the other client devices 302B-302N. In this case, the generated public key is broadcast to the other client devices 302B-302N through the central server 304. In another instance of the active security model (or malicious server), a trusted third party is used to initially establish key agreement between each of the clients 302. Thereafter, the client device 302A is also operable to receive an external public key of each of the other client devices 302B-302N to generate a key pair based on the received external public key and the generated key. Key agreement is performed using an elliptic curve-diffie-hellman (ECDH) key agreement scheme that supports two client devices, each with an elliptic curve external public-key pair (also referred to as a shared key), to establish a shared key over an unsecured channel.
In operation 308D, the client device 302A is further operable to generate a pseudo-random number for each of the other client devices 302B-302N based on the key and the external public key. Two client devices that establish a shared key create the same pseudo-random number for indicating that the two clients are neighbors of each other.
In operation 308E, the client device 302A is further operable to determine whether to assign each of the other client devices 302B-302N to the set of neighbor devices of the client device 302A based on the pseudo-random number and the predetermined neighbor probability parameter. The neighbor device set for client device 302A is:
Figure BDA0004224235390000121
wherein: p is a predetermined neighbor probability parameter for each of the other client devices 302B-302N and d is the bit size of the generated pseudo random number.
In operation 308F, the client device 302A is further configured to generate a model update output according to the security sum protocol 310 based on the set of neighbor devices. Client device 302A generates model updates by applying security and protocols 310 to the set of neighbor devices. The security and protocol 310 is applied through an additive key sharing scheme or a one-time pad (OTP) based scheme.
According to an embodiment, the neighbor probability parameter is used to define the number of neighbors in the set of neighbor devices based on a predefined value, wherein the predefined value is defined based on a modeling risk of a successful attack. The number of neighbors in the set of neighbor devices is calculated using a neighbor selection algorithm. The neighbor selection algorithm includes two phases, a setup phase and an online phase. In the setup phase, the calculation of the number of neighbors in the neighbor set depends on the risk parameter r of N rounds of training tot And a neighbor probability parameter p, for example, as already described in detail in fig. 1. In the online phase, client device 302A obtains other client devicesA shared key for one of the devices 302B-302N. Client device 302A is configured to derive k shared constant speed bits b from a shared key i Then, if sigma i b i 2 i <p2 k A corresponding one of the other client devices 302B-302N is added to the neighbor list.
According to an embodiment, for a neighbor probability parameter p and a predefined value r:
f(n h p) > 1-r, and for accuracy delta, f (n h ,p-δ)<1-r
Wherein:
Figure BDA0004224235390000122
wherein:
Figure BDA0004224235390000123
client device 302A displays the active security model and the passive security model as desired. For example, an active security model and a passive security model have been described in detail in fig. 1.
According to an embodiment, the client device 302A is further configured to generate a model update output according to the security and protocol 310 by: a one-time codebook is generated for each neighbor device and a plurality of one-time codebooks are added to the local model update vector, wherein the one-time codebook for each neighbor device is generated based on a shared key derived from the key of the client device 302A and the external public key of the neighbor device. After neighbor selection, security and protocol 310 is applied using, for example, an OTP-based scheme as detailed in fig. 1. After generating the OTP for each neighbor device, client device 302A adds multiple one-time codebooks to the local model update vector and generates a model update output.
According to an embodiment, the set of all one-time codebooks generated by the plurality of client devices 302 amounts to substantially zero. The OTPs generated for each pair of neighbors cancel each other out, and therefore the sum of the set of all onetime codebooks generated by the multiple client devices is equal to zero.
Alternatively, according to an embodiment, client device 302A is further configured to generate model update output according to security and protocol 310 by: splitting the local model vector update into a plurality of portions according to the number of neighbor devices, sending the plurality of portions to respective neighbor devices, receiving external portions from the neighbor devices, and summing the plurality of external portions to form a model update output. After neighbor selection, the security and protocol 310 is applied through an additive key sharing scheme, such as the Shamir key sharing (SSS) scheme. In the additive key sharing scheme, the local model update vector is quantized and treated as a vector of fixed length modulo integers. Client device 302A splits each integer into multiple parts, one for each neighbor device. The multiple portions are transmitted to respective neighbor devices 302B-302N. Thereafter, external portions are received from the neighbor devices 302B-302N and added to form a model update output.
According to an embodiment, the client device 302A is further configured to generate the model update output by adding a locally generated noise signal to the local model update vector, the distribution of the locally generated noise signal being gaussian or binomial. The locally generated noise signal has a gaussian distribution or a binomial distribution. Binomial distribution is generally preferred, particularly for small word sizes.
According to an embodiment, the locally generated noise signals are generated with a standard deviation defined by noise parameters received from the central server 304, wherein the noise parameters of each client device 302A-302N are such that the corresponding differential private noise signals from the plurality of client devices 302 are aggregated into a global noise with a predetermined standard deviation. The central server 304 is used to determine noise parameters (e.g., noise multiplier z) and model update truncation boundaries S. The locally generated noise signal is derived from the noise multiplier by: in a first step, a standard deviation is calculated, which is added to the sum, σ=zs. In a second step, a noise splitting strategy is selected to split the locally generated noise signal to a plurality of clients 302. The noise splitting policy is provided with the standard deviation sigma and the weight set { w } of the plurality of clients 302 u } u And returns the local noise set { sigma } u } u So that
Figure BDA0004224235390000131
Three different noise splitting strategies may be used, strategy 1: />
Figure BDA0004224235390000132
Strategy 2:
Figure BDA0004224235390000133
strategy 3: />
Figure BDA0004224235390000134
To generate a Gaussian-distributed locally generated noise signal, client device 302A has local noise of +.>
Figure BDA0004224235390000135
Has a normal distribution, a mean value of 0 and a variance +.>
Figure BDA0004224235390000136
To generate a binomial locally generated distributed noise signal, four steps are followed. The steps are as follows: (a) Setting n=2 wordsize (b) setting quantization parameter +.>
Figure BDA0004224235390000137
(c) Setting up
Figure BDA0004224235390000138
Or->
Figure BDA0004224235390000139
So that is sigma u N u =n, (d) calculate local noise following the following binomial mechanism:
Figure BDA00042242353900001310
in this way, corresponding local generation from multiple client devices 302Has a binomial distribution and a predetermined standard deviation (sigma) when added to the global noise.
According to an embodiment, client device 302A is also configured to convert a local model update vector from a vector of floating point values to an integer vector. The local model update vector is converted from a vector of floating point values to an integer (or modulo) vector by a quantization process. In the quantization process, an unbiased, space-efficient algorithm is used. For example, the requirement for separate model parameters requires efficient mapping of boundary support to integer space. These boundaries may be provided directly or inferred from the differential privacy parameters S. The quantization process must take into account the risk of overflow when summing weighted updates from a plurality of other client devices 302B-302N. In particular, the number of other client devices 302B-302N must know the sum of the weights to be used during this iteration.
According to an embodiment, the client device 302A is further configured to send the public key to the central server 304 and receive the external public key from the central server 304. For example, in one case, the client device 302A cannot communicate directly with a plurality of other client devices 302B-302N. Then, in this case, the client device 302A transmits the generated public key to the central server 304, and the central server 304 further transmits the generated public key to the plurality of other client devices 302B-302N. After transmitting the generated public key to the central server 304, the client device 302A is configured to receive an external public key from the central server 304.
Thus, each of the plurality of client devices 302 trains a local model update vector and generates a model update output. Each of the plurality of client devices 302 scales the local model update vector, quantizes the local model update vector, and then adds calibration noise with a binomial distribution to the local model update vector. The calibration noise is based on privacy requirements and the type of security model used (i.e., active or passive security model). Thereafter, each of the plurality of client devices 302 is assigned a risk parameter and a selected security model, and then each of the plurality of client devices 302 derives a neighbor probability parameter p using a neighbor selection algorithm. The neighbor selection algorithm is based on the connectivity concept of a random graph. After neighbor selection, each pair of client devices shares a key. The shared key is used to derive a shared randomness. Using the neighbor probability parameter p (on shared randomness), each pair of client devices is selected as a neighbor. Each pair of neighbors generates the same pseudo-random number and adds it to the corresponding key value (of opposite sign) to generate a model update output. Thereafter, each of the plurality of client devices 302 sends the generated model update output to the central server 304.
The central server 304 is operable to receive a plurality of model update outputs transmitted by a plurality of client devices 302 and transmit global model updates 312 to each of the client devices 302A-302N. The central server 304 determines a global model update 312 by using a plurality of model update outputs sent by a plurality of client devices 302. The central server 304 is also operable to send global model updates 312 to each client device 302A-302N for the next iteration.
The central server 304 is also operable to determine a sum of model updates based on the plurality of model update outputs and update the global model based on the sum of model updates to generate a global model update 312. The central server 304 obtains a vector representing the sum of model updates based on the plurality of model update outputs. The central server 304 determines a global model update 312 that is shared with each of the plurality of client devices 302 based on the sum of the model updates.
According to an embodiment, updating the global model includes converting the integer vector to a floating point vector. The global model is updated by converting from integer (modulo) vectors to floating point vectors through an inverse quantization process. Conversion from integer (modulo) vectors to floating point vectors results in the sum of noise model updates. If the client device has dropped during this process, the central server 304 takes into account when performing the dequantization process.
According to an embodiment, the central server 304 is also used to determine that the client device has been dropped. The central server 304 is further configured to add additional noise to the sum of model updates based on a predetermined variance value of the local noise added to the sum of model updates. In one case, the central server 304 is configured to perform a random secure average (RdSA) protocol for a plurality of guests during execution of the RdSA protocolNoise compensation is performed in the event that one or more of the client devices 302 have dropped. In the event of such a client drop, the total noise in the sum of the model updates is less than the desired value. Thus, the central server 304 is configured to add additional noise to the sum of model updates based on a predetermined variance value of local noise added to the sum of model updates. In one example, if Gaussian local noise is added to the sum of model updates, the predetermined variance is
Figure BDA0004224235390000141
Wherein (1)>
Figure BDA0004224235390000142
Is the set of clients whose model update outputs are included in the sum of model updates. In another example, if binomial distributed local noise is added to the sum of model updates, the predetermined variance is +.>
Figure BDA0004224235390000143
Wherein (1)>
Figure BDA0004224235390000144
Is the set of clients whose model update outputs are included in the sum of model updates. Based on the distribution of local noise, additive noise is added to the sum of model updates. In one implementation, if a Gaussian distribution is used, then there will be an average of 0 and standard deviation
Figure BDA0004224235390000145
Gaussian noise (i.e. additive noise)/(additive noise)>
Figure BDA0004224235390000146
Added to the sum of model updates. In another implementation, if a binomial distribution is used, binomial noise is added>
Figure BDA0004224235390000147
(wherein,
Figure BDA0004224235390000148
) Added to the sum of model updates.
According to an embodiment, the central server 304 is further configured to perform a client drop recovery protocol, including: a plurality of key portions are received from a plurality of client devices 302, representing a keyset for each client device 302A-302N that is split into a plurality of key portions according to a key sharing protocol, distributed among the client devices, and sent by each client device 302A-302N to a central server 304. The central server 304 is also used to determine that a client device has been dropped. The central server 304 is further configured to combine the received plurality of key portions corresponding to the dropped client to recover the key corresponding to the dropped client. In one implementation, to determine that a client device has been dropped, the central server 304 is configured to combine the received plurality of key portions corresponding to the dropped client to recover the key corresponding to the dropped client. After the central server 304 determines that the client device has been dropped, the central server 304 combines the received plurality of key portions corresponding to the dropped client to derive a value of random noise added in the sum of model updates. The value of this random noise added due to the dropped client is removed from the sum of the model updates. In another implementation, the central server 304 is configured to combine the received plurality of key portions corresponding to non-dropped clients to derive a value of local random noise added in the sum of model updates. The value of this local random noise added due to the non-dropped clients is removed from the sum of the model updates. In this way, the central server 304 obtains the sum of the model updates that are not dropped.
Thus, the central server 304 determines the global model update 312 by using model update outputs received from the plurality of client devices 302. Thereafter, the central server 304 shares the global model update 312 with the plurality of client devices 302 in preparation for the next iteration.
The system 300A is based on graph theory and connectivity attributes of the random graph. In system 300A, central server 304 learns the sum of at least n/3 private model updates unless the probability is equal to risk parameter α. The system 300A provides enhanced privacy protection, improved performance, and high utility of data (including personal data) of a client device. The system 300A uses a combination of security and technology (or cryptographic technology) and differential privacy technology. Security and technology (or cryptographic technology) prevents the central server 304 from accessing private information from any individual client. In differential privacy techniques, noise is added locally (on the client side) rather than centrally (on the central server side), which provides strong privacy protection.
Fig. 3B is a block diagram of various exemplary components of a client device according to embodiments of the present disclosure. Fig. 3B is described in conjunction with the elements of fig. 1, 2 and 3A. Referring to fig. 3B, a block diagram 300B of client device 302A (of fig. 3A) is shown, including a processor 314, a network interface 316, a memory 318, and an input/output (I/O) component 320. The memory 318 also includes a training module 318A.
The processor 314 may comprise suitable logic, circuitry, or interfaces for generating public keys and secret keys. In one implementation, processor 314 is configured to execute instructions stored in memory 318. In one example, the processor 314 may be a general purpose processor. Other examples of processor 314 may include, but are not limited to, a microprocessor, a microcontroller, a complex instruction set computing (complex instruction set computing, CISC) processor, an application-specific integrated circuit (ASIC) processor, a reduced instruction set (reduced instruction set, RISC) processor, a very long instruction word (very long instruction word, VLIW) processor, a central processing unit (central processing unit, CPU), a state machine, a data processing unit, and other processors or control circuits. Further, processor 314 may refer to one or more separate processors, processing devices, or processing units that are part of a machine, such as client device 302A.
The network interface 316 may comprise suitable logic, circuitry, or interfaces that may be operable to: the public key is broadcast to a plurality of other client devices 302B-302N on the network 306, the external public key of each of the other client devices 302B-302N is received, and the model update output is sent to the central server 304 for incorporation into the global model update 312. Examples of the network interface 316 may include, but are not limited to, an antenna, a Radio Frequency (RF) transceiver, one or more amplifiers, a digital signal processor, or a subscriber identity module (subscriber identity module, SIM) card.
The memory 318 may comprise suitable logic, circuitry, or interfaces for storing instructions executable by the processor 314. Examples of implementations of Memory 318 may include, but are not limited to, electrically Erasable Programmable Read Only Memory (EEPROM), random access Memory (Random Access Memory, RAM), read Only Memory (ROM), hard Disk Drive (HDD), flash Memory, solid State Drive (SSD), or CPU cache Memory. Memory 318 may store an operating system or other program product (including one or more operating algorithms) to operate client device 302A.
In an exemplary implementation, training module 318A is used to generate local model update vectors. The training module 318A corresponds to a machine learning model trained by updating vectors using local models. Training module 318A trains locally on client device 302A. During training, client device 302A uses security and protocol 310, which prevents central server 304 from observing any private information from training module 318A. Additionally, the client device 302A adds local Differential Privacy (DP) noise to the training module 318A to further enhance privacy protection. After training, client device 302A shares the locally trained model with central server 304. Similarly, the central server 304 receives a locally trained model with respect to each of the plurality of other client devices 302B-302N. After receiving the locally trained modules, the central server 304 calculates global model updates that are shared with each of the plurality of client devices 302. Global model updates exhibit improved performance in terms of more accurate predictions or decisions, privacy protection of personal data, and lower computational costs even in the presence of large numbers of client devices. In one implementation, training module 318A (which may include one or more software modules) may be implemented as separate circuitry in client device 302A. Alternatively, in another implementation, training module 318A is implemented as part of another circuit to perform various operations.
Input/output (I/O) component 320 refers to input and output components (or devices) that can receive input from a user (e.g., client device 302A) and provide output to the user (i.e., client device 302A). The I/O component 320 can be communicatively coupled to the processor 314. Examples of input components may include, but are not limited to, a touch screen, such as a touch screen of a display device, a microphone, a motion sensor, a light sensor, a dedicated hardware input unit (e.g., buttons), and a docking station. Examples of output components include a display device and a speaker.
In operation, training module 318A is used to generate local model update vectors. Processor 314 is used to generate public and secret keys. The transceiver 316 (or network interface) is used to: the public key is broadcast to a plurality of other client devices 302B-302N on the network 306, the external public key of each of the other client devices 302B-302N is received, and the model update output is sent to the central server 304 for incorporation into the global model update 312. The processor 314 is also operable to generate a pseudo-random number for each of the other client devices 302B-302N based on the key and the external public key. The processor 314 is also configured to determine whether to assign each of the other client devices 302B-302N to the set of neighbor devices of the client device 302A based on the pseudorandom number and the predetermined neighbor probability parameter. The processor 314 is also configured to generate model update outputs according to security and protocols based on the set of neighbor devices. In one implementation, the processor 314 is further configured to generate model update outputs according to security and protocols by: a one-time codebook is generated for each neighbor device and a plurality of one-time codebooks are added to the local model update vector, wherein the one-time codebook for each neighbor device is generated based on a shared key derived from the key of the client device 302A and the external public key of the neighbor device. The set of all one-time codebooks generated by the plurality of client devices 302 amounts to substantially zero. In another implementation, the processor 314 is further configured to generate model update outputs according to security and protocols by: splitting the local model vector update into a plurality of portions according to the number of neighbor devices, sending the plurality of portions to respective neighbor devices, receiving external portions from the neighbor devices, and summing the plurality of external portions to form a model update output. According to an embodiment, the processor 314 is further configured to generate the model update output by adding the locally generated noise signal to the local model update vector, wherein the distribution of the locally generated noise signal is gaussian or binomial. The processor 314 is also configured to convert the local model update vector from a vector of floating point values to an integer vector. The various embodiments, operations, and variations disclosed in method 100 of fig. 1 are applicable to client device 302A and processor 314.
Fig. 3C is a block diagram of various exemplary components of a central server according to an embodiment of the present disclosure. Fig. 3C is described in conjunction with the elements of fig. 1, 2, 3A and 3B. Referring to fig. 3C, a block diagram 300C of the central server 304 (of fig. 3A) is shown, including a processor 322, a network interface 324, and a memory 326.
The processor 322 may comprise suitable logic, circuitry, or interfaces that may be operable to: a sum of model updates is determined based on the plurality of model update outputs, and a global model is updated based on the sum of model updates to generate a global model update. In one implementation, processor 322 is configured to execute instructions stored in memory 326. In one example, the processor 322 may be a general purpose processor. Other examples of processor 322 may include, but are not limited to, microprocessors, microcontrollers, complex Instruction Set Computing (CISC) processors, application Specific Integrated Circuit (ASIC) processors, reduced Instruction Set (RISC) processors, very long instruction word (very long instruction word, VLIW) processors, central processing units (central processing unit, CPU), state machines, data processing units, and other processors or control circuits. Further, processor 322 may refer to one or more separate processors, processing devices, or processing units that are part of a machine, such as central server 304.
The network interface 324 may comprise suitable logic, circuitry, or interfaces that may be operable to: a plurality of model update outputs transmitted by a plurality of client devices 302 are received and global model updates 312 are transmitted to each of the client devices 302A-302N. Examples of network interface 324 may include, but are not limited to, an antenna, a Radio Frequency (RF) transceiver, one or more amplifiers, a digital signal processor, or a Subscriber Identity Module (SIM) card.
Memory 326 may comprise suitable logic, circuitry, or interfaces for storing instructions executable by processor 322. Examples of implementations of memory 326 may include, but are not limited to, electrically erasable programmable read-only memory (EEPROM), random Access Memory (RAM), read-only memory (ROM), hard Disk Drive (HDD), flash memory, solid State Disk (SSD), or CPU cache memory. Memory 326 may store an operating system or other program product (including one or more operating algorithms) to operate central server 304.
In operation, transceiver 324 (or network interface) is operable to receive a plurality of model update outputs transmitted by a plurality of client devices 302 and to transmit global model updates 312 to each of client devices 302A-302N. The processor 322 is configured to determine a sum of model updates based on the plurality of model update outputs and update the global model based on the sum of model updates to generate the global model update 312.
According to an embodiment, the processor 322 is further configured to determine that the client device has been dropped and to add additional noise to the sum of model updates based on a predetermined variance value of the local noise added to the sum of model updates. The central server 304 is further configured to perform a client-side offline recovery protocol, including: transceiver 324 receives the plurality of key portions from the plurality of client devices 302, representing a keyset for each client device 302 that is split into the plurality of key portions according to a key sharing protocol, distributed among the client devices, and transmitted by each client device 302 to central server 304. The central server 304 is further configured to perform a client-side offline recovery protocol, including: processor 322 determines that the client device has been dropped, and processor 322 combines the received plurality of key portions corresponding to the dropped client to recover the key corresponding to the dropped client. The various embodiments, operations, and variations disclosed in method 200 of fig. 2 are applicable to central server 304 and processor 322 as opposed.
Fig. 4 is a network environment diagram depicting distributed machine learning random security averaging in accordance with another embodiment of the present disclosure. Fig. 4 is described in conjunction with the elements of fig. 1, 2, 3A, 3B, and 3C. Referring to fig. 4, a system 400 is shown that describes in more detail an implementation of distributed machine learning with random security averaging (RdSA). System 400 depicts an exemplary sequence of operations 402, 402A, 402B, 402C, 402D, 402E, 402F, 402G, 402H, and 402I performed by client device 302A. Also shown are exemplary sequences of operations 404A, 404B, 404C, 404D, 404E, 404F, and 406 performed by the central server 304.
The system 400 includes the plurality of client devices 302 and the central server 304 of fig. 3A. Client-side distributed learning or client-side random security averaging is explained with respect to the client device 302A and the plurality of other client devices 302B-302N. Similarly, central server-side distributed learning or central server-side random security averaging is explained with respect to central server 304.
In operation, a client device 302A of the plurality of client devices 302 performs local training of the global model in a series of operations. The global model is shared by the central server 304 with each of the plurality of client devices 302. In addition, the central server 304 selects values for standard distributed learning parameters, such as the number of local training periods, the learning rate, or the total number of iterations N. The central server 304 shares the selected standard distributed learning parameters with the plurality of client devices 302.
In operation 402, the client device 302 begins local training of the local model update vector by using the local data or the raw data.
In operation 402A, the client device 302 performs a selection of parameters shared by the central server 304. The selected parameters are used for local training of the local model update vector.
In operation 402B, the client device 302A is also used to generate a public key and a secret key. Client device 302A generates a public key and a secret key (or private key) to perform key agreement with other client devices 302B-302N. In one case, the client device 302A cannot communicate directly with a plurality of other client devices 302B-302N. In this case, the client device 302A transmits the generated public key to the center server 304. The central server 304 shares the generated public key with each of the plurality of client devices 302. Thus, in return, each client device 302 receives an external public key from the central server 304.
In operation 402C, the client device 302A is further configured to generate a key pair based on the generated key and the received external public key. The generated key pair is used to perform key agreement with a plurality of other client devices 302B-302N. Key agreement is performed using an elliptic curve-diffie-hellman (ECDH) key agreement scheme that supports two client devices, each with an elliptic curve external public-key pair (also referred to as a shared key), to establish a shared key over an unsecured channel.
In operation 402D, the client device 302A is also configured to select its neighbors using a neighbor selection algorithm, e.g., as described in detail in fig. 1 and 3A. Two client devices that establish a shared key create the same pseudo-random number for indicating that the two clients are neighbors of each other.
In operation 402E, key sharing is performed to split the private key of the client device 302A. The two private keys of client device 302A are split in operation 402E, such as the key of client device 302A, from which the shared key is derived, for generating a one-time codebook for each neighbor device, and the personal seed of client device 302A for adding random noise in further operations.
In operation 402F, the client device 302A is further configured to add a locally generated Differential Privacy (DP) noise signal to the local model update vector, wherein a distribution of the locally generated DP noise signal is gaussian or binomial. The locally generated noise signal has a gaussian distribution or a binomial distribution. The noise parameters are selected by the central server 304 and shared with each of the plurality of client devices 302 for generating the DP noise signal.
In operation 402G, the client device 302A is further configured to perform a quantization process after adding the locally generated Differential Privacy (DP) noise signal to the local model update vector. During quantization, the local model update vector is converted from a vector of floating point values to an integer (or modulo) vector.
In operation 402H, the client device 302A is further configured to apply the security and protocol 310 by generating a one-time codebook for each neighbor device and adding the generated one-time codebook to the quantization model update vector. The one-time codebook for each neighbor device is generated based on a shared key derived from the key of the client device 302A and the external public key of the neighbor device. In addition, the client device 302A is also configured to calculate local random noise based on its personal seed and to add the calculated local random noise to the quantization model update vector.
In operation 402I, the client device 302A is configured to transmit a portion of each of the other clients to the central server 304. In one example, if another client device drops during execution of the RdSA protocol, client device 302A is configured to communicate a portion of the other client device's key to central server 304 in order to derive the other client device's shared OTP. In another example, if the other client device drops during execution of the RdSA protocol, the client device 302A is configured to transmit a portion of the personal seed of the other client device to the central server 304 to derive the local random noise of the plurality of other client devices 302B-302N.
Operations 402A through 402G are necessary to perform client-side random security averaging. Operations 402A through 402I are performed in the same order for each of the plurality of client devices 302. By performing operations from 402A, 402B, 402C, 402D, 402E, 402F, and 402G, each of the plurality of client devices 302 is operable to determine a plurality of model update outputs after training the local model update vectors, respectively. Each of the plurality of client devices 302 shares a plurality of model update outputs with the central server 304.
Similarly, the central server 304 is operable to perform a series of operations to determine the global model update 406. In operation 404A, the central server 304 is operable to broadcast the generated public key of the client device 302A to a plurality of other devices 302B-302N.
In operation 404B, the central server 304 is used to assign portions of the client device 302A to a plurality of other client devices 302B-302N.
In operation 404C, the central server 304 is operable to receive a plurality of model update outputs transmitted by the plurality of client devices 302. The central server 304 is also configured to determine a sum of model updates based on the plurality of model update outputs. The central server 304 obtains a vector representing the sum of model updates based on the plurality of model update outputs. The central server 304 determines global model updates 406 that are shared with each of the plurality of client devices 302 based on the sum of the model updates.
In operation 404D, the central server 304 is used to perform a dropped call restoration. For example, two methods of dropped recovery have been described in detail in fig. 3A.
In operation 404E, the central server 304 is used to perform an inverse quantization process that converts integer vectors to floating point vectors. Conversion from integer (modulo) vectors to floating point vectors results in the sum of noise model updates.
In operation 404F, the central server 304 is configured to compensate for differential privacy noise in the event that one or more client devices are dropped during the RdSA protocol execution. The central server 304 is further configured to add additional noise to the sum of model updates based on a predetermined variance value of the local noise added to the sum of model updates.
After performing operations from 404A, 404B, 404C, 404D, 404E, and 404F, the central server 304 determines a global model update 406. The global model update 406 is communicated to each of the plurality of client devices 302 in preparation for the next iteration. The order of operation of 404A, 404B, 404C, 404D, 404E, and 404F indicates a central server-side random security average (RdSA).
Fig. 5 illustrates an exemplary implementation scenario of distributed machine learning according to an embodiment of the present disclosure. Fig. 5 is described in conjunction with the elements of fig. 1, 2, 3A, 3B, 3C, and 4. Referring to fig. 5, a system 500 is illustrated that includes a plurality of client devices 502, a central server 504, and a network 506. The plurality of client devices 502 includes a client device 502A and other client devices 502B-502N. Client device 502A uses video recommendation tool 508A (e.g., a machine learning model). Similarly, the other client devices 502B-502N use video recommendation tools 508B-508N.
The plurality of client devices 502, the central server 504, and the network 506 correspond to the plurality of client devices 302, the central server 304, and the network 306 of fig. 3A, respectively.
Client device 502A uses video recommendation tool 508A, and video recommendation tool 508A uses a predictive model. The video recommendation tool 508A is trained locally on the client device 502A because the system 500 uses distributed machine learning using a random secure average (RdSA) protocol. Similarly, the other client devices 502B-502N train their respective video recommendation tools 508B-508N locally. Each of the plurality of client devices 502 shares its respective local training video recommendation tool with the central server 504. Thereafter, the RdSA protocol is used to calculate private global model updates for N (hundreds to thousands) client devices at the central server 504. The private global model updates computed at the central server 504 are shared with each of the plurality of client devices 502, the plurality of client devices 502 benefiting from the improved accuracy and privacy protection of the video recommendation tool.
In another implementation scenario, the plurality of client devices 502 may correspond to a plurality of computing devices used by a hospital or laboratory. For example, client device 502A corresponds to a computing device used by a hospital, client device 502B corresponds to another computing device used by a laboratory or organization, and so on. Each of the plurality of client devices 502 uses a training model trained from images and annotations provided manually by a physician for detecting a disease using medical images. In many jurisdictions, such medical image models cannot be shared between different hospitals or laboratories. Thus, the local training of such models is performed on the corresponding computing devices used by the hospital, laboratory or organization. After local training, each of a plurality of computing devices used in a hospital or laboratory or organization shares its locally trained model with the central server 504. In this exemplary scenario, the central server 504 may calculate global model updates by using the RdSA protocol and share the calculated global model updates with each of a plurality of computing devices used in a hospital, laboratory, or organization that is accurately detecting disease while maintaining improved privacy and personal data protection (which may provide a formal guarantee of powerful data privacy protection) and avoiding expansion problems.
Modifications may be made to the embodiments of the disclosure described above without departing from the scope of the disclosure, as defined by the appended claims. Expressions such as "comprising," "combining," "having," "being" and the like used to describe and claim the present disclosure are intended to be interpreted in a non-exclusive manner, i.e., supporting the existence of items, components, or elements that are not explicitly described. Reference to the singular is also to be construed to relate to the plural. The word "exemplary" is used herein to mean "serving as an example, instance, or illustration. Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments, and/or as excluding combinations of features of other embodiments. The word "optionally" as used herein means "provided in some embodiments but not in others. It is appreciated that some features of the present disclosure, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the disclosure that are, for brevity, described in the context of a single embodiment, may also be provided separately, in any suitable combination, or in any other described embodiment suitable for the disclosure.

Claims (30)

1. A method (100) for distributed machine learning of a network (306), comprising:
a processor (314) of the client device (302A) receives the local model update vector;
the processor (314) generates a public key and a secret key, wherein the public key is for broadcasting to a plurality of other client devices (302B-302N) on the network (306);
-said processor (314) receiving an external public key of each of said other client devices (302B-302N);
for each other client device (302B-302N):
generating a pseudo-random number based on the key and the external public key;
determining whether to assign each of the other client devices (302B-302N) to a set of neighbor devices of the client device (302A) based on the pseudo-random number and a predetermined neighbor probability parameter;
-the processor (314) generating a model update output according to a security sum protocol (310) based on the set of neighbor devices;
the processor (314) outputs the model update output for sending the model update output to a central server (304) for incorporation into a global model update (312).
2. The method (100) of claim 1, wherein the neighbor probability parameter is used to define a number of neighbors in the set of neighbor devices based on a predefined value, wherein the predefined value is defined based on a modeling risk of a successful attack.
3. The method (100) according to claim 2, wherein for the neighbor probability parameter p and the predefined value r:
f(n h p) > 1-r, and for accuracy delta, f (n h ,p-δ)<1-r
Wherein:
Figure FDA0004224235380000011
for n h >1
Wherein:
Figure FDA0004224235380000012
4. the method (100) of any one of the preceding claims, wherein generating the model update output according to the security and protocol (310) comprises: a one-time codebook is generated for each neighbor device and a plurality of one-time codebooks are added to the local model update vector, wherein the one-time codebook for each neighbor device is generated based on a shared key derived from the key of the client device and the external public key of the neighbor device.
5. The method (100) of claim 4, wherein the set of all onetime codebooks generated by the plurality of client devices (302) is substantially zero in total.
6. A method (100) according to any one of claims 1 to 3, wherein generating the model update output according to the security and protocol (310) comprises: splitting the local model vector update into a plurality of portions according to the number of the neighbor devices, transmitting the plurality of portions to respective neighbor devices, receiving a plurality of external portions from the neighbor devices, and summing the plurality of external portions to form the model update output.
7. The method (100) of any one of the preceding claims, wherein generating the model update output comprises adding a locally generated noise signal to the local model update vector, the distribution of the locally generated noise signal being gaussian or binomial.
8. The method (100) of claim 7, wherein the locally generated noise signals are generated with a standard deviation defined by noise parameters received from the central server (304), wherein the noise parameters of each client device (302A-302N) are such that the corresponding locally generated noise signals from the plurality of client devices (302) are aggregated into a global noise with a predetermined standard deviation.
9. The method (100) according to any one of the preceding claims, further comprising: the local model update vector is converted from a vector of floating point values to an integer vector.
10. The method (100) according to any one of the preceding claims, further comprising: -sending the public key to the central server (304) and receiving the external public key from the central server (304).
11. A computer readable medium storing instructions that, when executed, cause a client device processor (314) to perform the method (100) of any of the preceding claims 1 to 10.
12. A client device (302A), comprising:
a training module (318A) for generating a local model update vector;
a processor (314) for generating a public key and a secret key;
a transceiver (316) for: broadcasting the public key to a plurality of other client devices (302B-302N) on the network (306), receiving an external public key of each of the other client devices (302B-302N), and sending a model update output to a central server (304) for incorporation into a global model update (312);
wherein the processor (314) is further configured to:
generating a pseudo-random number for each other client device (302B-302N) based on the key and the external public key;
determining whether to assign each of the other client devices (302B-302N) to a set of neighbor devices of the client device (302A) based on the pseudo-random number and a predetermined neighbor probability parameter;
based on the set of neighbor devices, the model update output is generated according to a security and protocol (310).
13. The client device (302A) of claim 12, wherein the neighbor probability parameter is used to define a number of neighbors in the set of neighbor devices based on a predefined value, wherein the predefined value is defined based on a modeled risk of a successful attack.
14. The client device (302A) according to claim 13, wherein for the neighbor probability parameter p and the predefined value r:
f(n h p) > 1-r, and for accuracy delta, f (n h ,p-δ)<1-r
Wherein:
Figure FDA0004224235380000021
wherein:
Figure FDA0004224235380000022
15. the client device (302A) according to any one of claims 12-14, wherein the processor (314) is configured to generate the model update output according to the security sum protocol (310) by: a one-time codebook is generated for each neighbor device and a plurality of one-time codebooks are added to the local model update vector, wherein the one-time codebook for each neighbor device is generated based on a shared key derived from the key of the client device and the external public key of the neighbor device.
16. The client device (302A) of claim 15, wherein the set of all onetime codebooks generated by the plurality of client devices (302) is substantially zero in total.
17. The client device (302A) according to any one of claims 12-14, wherein the processor (314) is configured to generate the model update output according to the security sum protocol (310) by: splitting the local model vector update into a plurality of parts according to the number of the neighbor devices, transmitting the plurality of parts to respective neighbor devices, receiving external parts from the neighbor devices, and summing the plurality of external parts to form the model update output.
18. The client device (302A) according to any one of claims 12-17, wherein the processor (314) is configured to generate the model update output by adding a locally generated noise signal to the local model update vector, the distribution of the locally generated noise signal being gaussian or binomial.
19. The client device (302A) according to claim 18, wherein the locally generated noise signals are generated with a standard deviation defined by noise parameters received from the central server (304), wherein the noise parameters of each client device (302A-302N) are such that the corresponding differential private noise signals from the plurality of client devices (302) are aggregated into a global noise with a predetermined standard deviation.
20. The client device (302A) according to any one of claims 12-19, wherein the processor (314) is further configured to convert the local model update vector from a vector of floating point values to an integer vector.
21. The client device (302A) according to any one of claims 12-20, wherein the transceiver (316) is further configured to send the public key to the central server (304) and to receive the external public key from the central server (304).
22. A method (200) for distributed machine learning of a network (306), comprising:
the central server (304) receives a plurality of model update outputs transmitted by a plurality of client devices (302);
the central server (304) determining a sum of model updates based on the plurality of model update outputs;
-the central server (304) updating a global model based on the sum of the model updates;
the central server (304) sends the global model update (312) to each client device (302A-302N).
23. The method (200) of claim 22, wherein updating the global model includes converting integer vectors to floating point vectors.
24. The method (200) of claim 22 or 23, further comprising:
the central server (304) determines that a client device has been dropped;
the central server (304) adds additional noise to the sum of model updates based on a predetermined variance value of local noise added to the sum of model updates.
25. The method (200) of any of claims 22 to 24, further comprising: executing a client-side offline recovery protocol, comprising:
-the central server (304) receiving a plurality of key parts from the plurality of client devices (302), representing a key set for each client device (302), the key set being split into a plurality of key parts according to a key sharing protocol, distributed among the client devices, and sent by each client device to the central server (304);
The central server (304) determines that a client device has been dropped;
the central server (304) combines the received plurality of key portions corresponding to the dropped clients to recover the keys corresponding to the dropped clients.
26. A computer readable medium storing instructions that, when executed, cause a central server processor (322) to perform the method (200) of any one of claims 22 to 25.
27. A central server (304), comprising:
a transceiver (324) for receiving a plurality of model update outputs transmitted by a plurality of client devices (302) and transmitting a global model update (312) to each client device (302A-302N);
a processor (322) for determining a sum of model updates based on the plurality of model update outputs and updating a global model based on the sum of model updates to generate the global model update (312).
28. The central server (304) according to claim 27, wherein updating the global model includes converting integer vectors to floating point vectors.
29. The central server (304) according to claim 27 or 28, wherein the processor (322) is further configured to:
determining that the client device has been dropped;
Additional noise is added to the sum of model updates based on a predetermined variance value of local noise added to the sum of model updates.
30. The central server (304) according to any of claims 27-28, further being configured to: executing a client-side offline recovery protocol, comprising:
-the transceiver (324) receives a plurality of key parts from the plurality of client devices (302), representing a key set for each client device (302), the key set being split into a plurality of key parts according to a key sharing protocol, distributed among the client devices, and sent by each client device to the central server (304);
the processor (322) determines that a client device has dropped;
the processor (322) combines the received plurality of key portions corresponding to the dropped client to recover the key corresponding to the dropped client.
CN202080107117.3A 2020-11-24 2020-11-24 Distributed training with random security averaging Pending CN116438554A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/083154 WO2022111789A1 (en) 2020-11-24 2020-11-24 Distributed training with random secure averaging

Publications (1)

Publication Number Publication Date
CN116438554A true CN116438554A (en) 2023-07-14

Family

ID=73554447

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080107117.3A Pending CN116438554A (en) 2020-11-24 2020-11-24 Distributed training with random security averaging

Country Status (2)

Country Link
CN (1) CN116438554A (en)
WO (1) WO2022111789A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105165051A (en) * 2013-05-10 2015-12-16 上海贝尔股份有限公司 Method and device for discovering neighbor in device-to-device communication
CN107368752A (en) * 2017-07-25 2017-11-21 北京工商大学 A kind of depth difference method for secret protection based on production confrontation network
CN111460478A (en) * 2020-03-30 2020-07-28 西安电子科技大学 Privacy protection method for collaborative deep learning model training

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11461690B2 (en) * 2016-07-18 2022-10-04 Nantomics, Llc Distributed machine learning systems, apparatus, and methods
WO2019231481A1 (en) * 2018-05-29 2019-12-05 Visa International Service Association Privacy-preserving machine learning in the three-server model

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105165051A (en) * 2013-05-10 2015-12-16 上海贝尔股份有限公司 Method and device for discovering neighbor in device-to-device communication
CN107368752A (en) * 2017-07-25 2017-11-21 北京工商大学 A kind of depth difference method for secret protection based on production confrontation network
CN111460478A (en) * 2020-03-30 2020-07-28 西安电子科技大学 Privacy protection method for collaborative deep learning model training

Also Published As

Publication number Publication date
WO2022111789A1 (en) 2022-06-02

Similar Documents

Publication Publication Date Title
JP6720424B1 (en) Key sharing device and method
Wang et al. An efficient and privacy-preserving outsourced support vector machine training for internet of medical things
US9319877B2 (en) Secret key generation
US9077539B2 (en) Server-aided multi-party protocols
US8977847B1 (en) Distributed challenge-response authentication
CN111581648B (en) Method of federal learning to preserve privacy in irregular users
EP2698945B1 (en) Vectorial private equality testing
US20170257218A1 (en) Cryptographic hash generation system
CN108055128B (en) RSA key generation method, RSA key generation device, storage medium and computer equipment
CN112262544A (en) Apparatus, system, and method for generating and processing cryptographic parameters
CN114390519A (en) Wireless channel key generation method, device, equipment and storage medium
EP3627757B1 (en) Key generation device, key generation method, and computer readable medium
JP2021086158A (en) Methods of generating encryption key and digital signature based on lattices
CN108292347A (en) A kind of user property matching process and terminal
Nguyen et al. Encrypted Data Caching and Learning Framework for Robust Federated Learning-Based Mobile Edge Computing
Jin et al. Efficient side-channel attacks beyond divide-and-conquer strategy
CN110198216A (en) A kind of increment true value discovery method, apparatus, computer equipment and storage medium for protecting privacy
WO2018213875A1 (en) Asymmetric cryptography and authentication
CN113556333A (en) Computer network data secure transmission method and device
Kumar et al. Proficient approaches for scalability and security in IoT through edge/fog/cloud computing: a survey
CN116438554A (en) Distributed training with random security averaging
CN116170142B (en) Distributed collaborative decryption method, device and storage medium
JP2009517703A (en) Key management
Hu et al. Multi-Round Efficient and Secure Truth Discovery in Mobile Crowdsensing Systems
EP4072062A1 (en) Apparatus for processing non-polynomial operation on homomorphic encrypted messages and methods thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination