How to ensure collaborative fairness and privacy in decentralized federated learning?

Overview

Most of the current distributed/federated learning (FL) frameworks require a parameter server to aggregate local model updates. These server-based frameworks unfortunately suffer from the single-point-of-failure problem. The other two more important aspects that may hinder collaborations are collaborative fairness and privacy. To address these problems, we build a healthy FL ecosystem, which is referred to as the decentralized Fair and Privacy-Preserving Deep Learning (FPPDL) framework. In this post, we present the main rationale behind our TPDS’20 paper “Towards Fair and Privacy-Preserving Federated Deep Models”.

Why do we need collaborative fairness?

In the current federated learning paradigm [1], all participants can receive the same federated model at the end of collaborative model training regardless of their contributions. This may significantly hinder collaboration, and make the paradigm vulnerable to free-riding participants. For example, several banks may want to work together to build a model to predict the creditworthiness of small and medium enterprises. However, larger banks with more data may be reluctant to train their local models based on high quality local data for fear of smaller banks benefiting from the shared FL model and eroding their market share [2]. Without the guarantee of privacy and the promise of collaborative fairness, participants with high quality and large datasets may be discouraged from joining federated learning, thereby negatively affecting the formation of a healthy FL ecosystem. Existing research on fairness mostly focuses on protecting sensitive attributes or reducing the variance of the prediction distribution across participants; the problem of treating federated learning participants fairly remains open.

How to define and quantify collaborative fairness?

In federated learning systems, a high-contribution party deserves to be rewarded with a better model than a low-contribution party. Specifically, fairness can be quantified by the correlation coefficient between the contributions of different parties (X-axis) and their respective final model accuracies (Y-axis). In our paper, we use standalone model accuracy and/or sharing level to quantify party contribution. Standalone model accuracy (sacc_i) characterizes the learning capability of each party on its own local data, while sharing level (λ_i) characterizes the sharing willingness of each party. We use final model accuracy (acc_i) as party reward.
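The fairness score defined above can be computed as follows. This is an added example, not code from the paper or its repository; the party values are constructed, and returning None when the correlation is undefined (every party ends with the same accuracy) is a choice made here.

```python
import math

def pearson(xs, ys, eps=1e-12):
    """Pearson correlation; None when either series is (numerically) constant."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equal-length series covering >= 2 parties")
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx < eps or syy < eps:
        return None  # undefined, e.g. every party ends with the same model
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)

def fairness(contributions, final_acc):
    """One fairness score per contribution measure: corr(contribution, accuracy)."""
    return {name: pearson(vals, final_acc) for name, vals in contributions.items()}

# Constructed numbers for four parties (not results from the paper).
CONTRIB = {
    "sacc": [0.80, 0.85, 0.90, 0.93],     # standalone accuracy of each party
    "lambda": [0.10, 0.20, 0.35, 0.50],   # sharing level of each party
}
ACC_ORDERED = [0.86, 0.90, 0.94, 0.96]    # reward grows with contribution
ACC_SHARED = [0.95, 0.95, 0.95, 0.95]     # everyone receives the same model
ACC_INVERTED = [0.96, 0.95, 0.94, 0.93]   # low contributors end up ahead

if __name__ == "__main__":
    for name, acc in [("ordered", ACC_ORDERED), ("shared", ACC_SHARED),
                      ("inverted", ACC_INVERTED)]:
        print(name, fairness(CONTRIB, acc))
```

A score near +1 means rewards track contributions, a negative score means low contributors came out ahead, and None marks the case where all parties received an identical model and no ordering exists.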

How to achieve collaborative fairness in FL?

We design a local credibility mutual evaluation mechanism to enforce fairness in FPPDL, where participants trade their information in an “earn-and-pay” way using their “points”. The local credibility and points of each participant are initialized through an initial benchmarking phase, and updated through privacy-preserving collaborative deep model training. The basic idea is that participants can earn points by contributing their information to other participants. Then, they can use the earned points to trade information with other participants. Thus, participants are encouraged to upload more samples or gradients to earn more points (as long as it is within the limit of their sharing levels), and use these points to download more gradients from others. In particular, FPPDL ensures fairness during download and upload processes as follows:

Download: Since one party might contribute differently to different parties, the credibility of this party might be different from the view of different parties. Therefore, each party i should record a private local credibility list for all parties sorted in descending order of their credibility values. The higher the credibility of party j in party i’s credibility list, the more likely party i will download gradients from party j, and consequently, more points will be rewarded to party j.

Upload: Once a party receives a download request for its local gradients, it can determine how many meaningful gradients to send back based on both the download request from the requester and its own sharing level.

How to preserve privacy in FL?

Sharing gradients can prevent direct exposure of the local data, but may indirectly disclose local data information. To further prevent potential privacy leakage from sharing gradients and facilitate gradients aggregation during the federated learning process, we use additive homomorphic encryption such that each party can only decrypt the sum of all the received encrypted gradients.

As the released gradient vector is high-dimensional, encrypting the gradient vector using Paillier, ElGamal, etc. is expensive in both computation and communication. Therefore, we propose a three-layer onion-style encryption scheme. The first layer protects local model gradients by using a simple and efficient stream cipher for homomorphic encryption. The second and third layers are classic hybrid encryption. In particular, in the second layer, a fresh symmetric encryption key fsk is generated and used to re-encrypt the ciphertext of the first layer, and then the fresh symmetric key is encrypted using the receiver’s public key in the third layer. In this way, the encryption of high-dimensional data becomes very effective, and the receiver can be authenticated as well: only the receiver who has the corresponding secret key paired with the public key can decrypt the two-layer encrypted gradients.
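The additive property that the first layer relies on can be seen in a generic pad-based construction (ciphertext = fixed-point gradient + keystream word, modulo a fixed word size). This is an added example, not the paper's cipher or key setup: the HMAC-based keystream, MOD, SCALE and the assumption that the receiver holds only the aggregate pad are all choices made here, and layers two and three are not modelled.

```python
import hashlib
import hmac

MOD = 2 ** 32      # assumed word size of plaintext and ciphertext
SCALE = 10 ** 4    # assumed fixed-point precision for gradient values

def keystream(key, round_id, length):
    """Pad words from HMAC-SHA256 used as a PRF (stand-in stream cipher).
    round_id acts as a nonce: a pad must never be reused across rounds."""
    return [int.from_bytes(hmac.new(key, f"{round_id}:{i}".encode(),
                                    hashlib.sha256).digest()[:4], "big")
            for i in range(length)]

def encode(g):
    return round(g * SCALE) % MOD          # negative values wrap around MOD

def decode(v):
    v %= MOD                               # upper half of the range is negative
    return (v - MOD if v >= MOD // 2 else v) / SCALE

def encrypt(grad, key, round_id):
    pad = keystream(key, round_id, len(grad))
    return [(encode(g) + p) % MOD for g, p in zip(grad, pad)]

def add_ciphertexts(cts):
    return [sum(col) % MOD for col in zip(*cts)]

def aggregate_pad(keys, round_id, length):
    """Sum of all senders' pads: the only secret the receiver is assumed to hold."""
    return add_ciphertexts([keystream(k, round_id, length) for k in keys])

def decrypt_sum(ct_sum, agg_pad):
    # Correct only while |true sum| * SCALE stays below MOD / 2.
    return [decode(c - p) for c, p in zip(ct_sum, agg_pad)]

# Constructed gradients and keys for three senders.
GRADS = [[0.1234, -0.5], [0.2, 0.25], [-0.0234, 0.1]]
KEYS = [b"sender-key-1", b"sender-key-2", b"sender-key-3"]

if __name__ == "__main__":
    cts = [encrypt(g, k, 7) for g, k in zip(GRADS, KEYS)]
    print(decrypt_sum(add_ciphertexts(cts), aggregate_pad(KEYS, 7, 2)))
```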

Implementation of FPPDL

Our FPPDL is realized in two stages to enforce both fairness and privacy, as shown in Fig. 1.

Stage 1: Initial Benchmarking. We proposed an initial benchmarking algorithm to assess the quality of local training data of each participant via mutual evaluation without looking at the raw data before collaborative model training starts. The algorithm works as follows: each participant trains a differentially private GAN (DPGAN) based on its local training data to generate artificial samples. Each participant publishes individually generated artificial samples based on its individual sharing level (denoted by the upper bound of the number of samples or gradients one party can share with others) without releasing labels. All the other participants produce predictions for the received artificial samples using their pre-trained standalone models and send the predicted labels back to the party who generated these samples.

For local credibility initialization, each party compares the majority voting of all the combined labels with a particular party’s predicted labels to evaluate the effect of this party. It relies on the fact that the majority voting of all the combined labels reflects the outcome of the majority of parties, while the predicted labels of party j only reflect the outcome of party j.

The points gained from releasing DPGAN samples during initial benchmarking will be used to download gradients in the following federated learning process, and the number of gradients party i can download depends on both the local credibility and the sharing level of the party from which it is requesting.

Stage 2: Privacy-Preserving Collaborative Deep Learning. This stage involves how to update points as per upload/download, how to preserve the privacy of individual model updates using three-layer onion-style encryption followed by parameter and local credibility update, and credible party set maintenance by the system. In particular, the gradients download budget of party i, i.e., d_i, is closely related to how many points p_i party i has in each communication round. More concretely, d_i should not exceed p_i; otherwise, party i will not have enough points to pay for the gradients provided by other parties. Moreover, d_i can be dynamically determined based on the existing points p_i in each communication round.
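One round of the earn-and-pay exchange, covering the download and upload rules and the budget constraint above, can be sketched as follows. This is an added example, not the paper's algorithm: splitting the budget in proportion to credibility, the price of one point per gradient, and all party values are assumptions made here.

```python
def plan_downloads(points_i, wanted, credibility):
    """Split the budget d_i = min(wanted, p_i) over peers in proportion to
    party i's private credibility list, most credible peer first."""
    d_i = min(wanted, points_i)
    total = sum(credibility.values())
    if d_i <= 0 or total <= 0:
        return {}
    ranked = sorted(credibility, key=credibility.get, reverse=True)
    plan = {j: int(d_i * credibility[j] / total) for j in ranked}
    for j in ranked[: d_i - sum(plan.values())]:   # hand out rounding remainder
        plan[j] += 1
    return plan

def run_round(i, wanted, points, credibility, share_cap):
    """Party i downloads; each peer j uploads at most share_cap[j] gradients,
    the cap implied by j's sharing level. Points move only for what was sent."""
    received = {}
    for j, asked in plan_downloads(points[i], wanted, credibility[i]).items():
        sent = min(asked, share_cap[j])
        points[i] -= sent      # i pays (assumed: one point per gradient)
        points[j] += sent      # j earns
        received[j] = sent
    return received

# Constructed state for four parties.
POINTS = {"A": 41, "B": 60, "C": 25, "D": 3}
CREDIBILITY = {
    "A": {"B": 0.5, "C": 0.25, "D": 0.25},
    "D": {"A": 0.5, "B": 0.25, "C": 0.25},
}
SHARE_CAP = {"A": 40, "B": 15, "C": 30, "D": 5}

if __name__ == "__main__":
    pts = dict(POINTS)
    print(run_round("A", 50, pts, CREDIBILITY, SHARE_CAP), pts)
    print(run_round("D", 50, pts, CREDIBILITY, SHARE_CAP), pts)
```

Party D, with only 3 points, cannot obtain more than 3 gradients however many it asks for, which is how a low-contribution party ends up with a weaker model.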

Baselines

1) Standalone framework assumes parties train standalone models on local training data without any collaboration. This framework delivers maximum privacy, but minimum utility, because each party is susceptible to falling into local optima when training alone.

2) Centralized framework allows a trusted server to have access to all participants’ data in the clear, and train a global model on the combined data using standard SGD. Hence, it is a privacy-violating framework.

3) Distributed framework enables parties to train independently and concurrently, and chooses a fraction of parameters to be uploaded at each iteration.

What kind of realistic settings did we consider in our paper?

We mainly investigated two realistic settings where parties contribute differently as follows:

Setting 1: Different sharing level, same data size: data sizes of all parties are the same, while the sharing levels are randomly sampled from a range, say 10%-50%, and each party releases meaningful gradients as per individual sharing level during collaboration.

Setting 2: Different data size, same sharing level: in this case, different parties have different data sizes but sharing levels are the same.

How well does our framework perform?

Fairness results: Our experimental results show that FPPDL achieves high positive values of fairness, confirming the intuition behind fairness: the party who is less private and has more training data delivers higher accuracy. In contrast, the distributed framework exhibits bad fairness with significantly lower values than that of FPPDL in all cases, and even negative values in some cases, manifesting the lack of fairness in the distributed framework. This is because in the distributed framework, all the participating parties can derive similarly good models, no matter how much one party contributes.

Accuracy results: Our FPPDL framework allows each party to derive better models than their standalone models. In particular, the most contributive party achieves the highest accuracy, which is comparable to the distributed framework.

Is it possible to defend against both insider free-riders and outsider eavesdropper?

For an inside attacker who is a participant in the decentralized system, we specifically consider an interesting case: a free-rider without any data, and we remark that this free-rider belongs to the category of low-contribution party. During initialization, this free-rider may choose to send fake information to other parties. For example, it may randomly sample from 10 classes as predicted labels for the received DPGAN samples, then release them to the corresponding party who publishes these DPGAN samples and requests labels. When the publisher receives the returned random labels from the free-rider and detects that most of them are not aligned with the majority voting, then the free-rider will be reported as a “low-contribution” party. If the majority of parties report the free-rider as “low-contribution”, then the system rules out the free-rider from the credible party set, and all parties would terminate the collaboration with the free-rider. In this way, such a malicious party is isolated from the beginning, while the collaboration among the remaining parties will not be affected. Even though the free-rider might succeed in initialization somehow, its local credibility would be significantly lower compared with the other honest parties. To further detect and isolate this malicious party during the federated learning process, we repeat mutual evaluation in each communication round by using samples generated at the initialization phase, so that the chance of survival of the malicious party is significantly reduced.
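The mutual evaluation used for local credibility initialization and for the free-rider check above can be simulated as follows. This is an added example, not the paper's code: the 0.5 agreement threshold, the 85% honest accuracy, the party names and the simulated labels are constructed assumptions.

```python
import random
from collections import Counter

def majority_labels(votes):
    """votes: {responder: [label per sample]} -> majority label per sample."""
    n = len(next(iter(votes.values())))
    return [Counter(v[s] for v in votes.values()).most_common(1)[0][0]
            for s in range(n)]

def evaluate(votes):
    """Publisher's view: each responder's agreement rate with the majority vote."""
    maj = majority_labels(votes)
    return {p: sum(a == b for a, b in zip(v, maj)) / len(maj)
            for p, v in votes.items()}

def credible_set(all_votes, threshold=0.5):
    """all_votes: {publisher: {responder: labels}}. A publisher reports a
    responder whose agreement is below threshold; a responder is dropped when
    a majority of the publishers that evaluated it report it."""
    reports, seen = Counter(), Counter()
    for votes in all_votes.values():
        for p, agree in evaluate(votes).items():
            seen[p] += 1
            reports[p] += agree < threshold
    return {p for p in seen if reports[p] * 2 <= seen[p]}

def simulate(seed=7, n_samples=300, n_classes=10, acc=0.85):
    """Constructed scenario: honest parties A-D and a data-less free-rider F
    that answers every labelling request with a uniformly random class."""
    rng = random.Random(seed)
    honest, all_votes = ["A", "B", "C", "D"], {}
    for publisher in honest:
        truth = [rng.randrange(n_classes) for _ in range(n_samples)]
        votes = {}
        for p in honest:
            if p != publisher:   # honest label: right with probability acc
                votes[p] = [t if rng.random() < acc
                            else (t + rng.randrange(1, n_classes)) % n_classes
                            for t in truth]
        votes["F"] = [rng.randrange(n_classes) for _ in truth]
        all_votes[publisher] = votes
    return all_votes

if __name__ == "__main__":
    data = simulate()
    print(evaluate(data["A"]), credible_set(data))
```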

For the outsider attacker like the eavesdropper who aims to steal the exchanged information by eavesdropping on the communication channels among parties, differential privacy used in the first stage and three-layer onion-style encryption applied in the second stage inherently prevent this attacker.

Conclusion

In this work, we studied collaborative fairness and privacy in decentralized federated learning. We introduced a notion of local credibility and transaction points, which are initialized by initial benchmarking, and updated during privacy-preserving collaborative deep learning. For privacy preservation, we adopt Differentially Private GAN (DPGAN) and propose a three-layer onion-style encryption scheme. Our work also provides a viable solution to detect and reduce the impact of low-contribution parties in the system. We hope that this work highlights the need for more research in the development of collaborative fairness and privacy.

Besides current results, we see some interesting avenues for future research:

1) Extension of collaborative fairness to more complex settings, such as extremely Non-IID settings, vertical FL, and real-world collaboration among companies, hospitals, etc.

2) Investigation of various malicious behaviours and Byzantine or Sybil adversaries in the decentralized system. It is also worthwhile to integrate system robustness into our current fair and private system.

3) Implementation of our proposed framework and blockchain prototypes on a blockchain platform to validate the applicability.

Where to find the paper and code?

You can find our TPDS’20 paper [3] here: https://arxiv.org/pdf/1906.01167.pdf, and the code to reproduce experiments here: https://github.com/lingjuanlv/FPPDL.

This work was done by the following authors (in random order): Lingjuan Lyu (NUS), Jiangshan Yu (Monash), Karthik Nandakumar (IBM), Yitong Li (Unimelb), Xingjun Ma (Unimelb), Jiong Jin (Swinburne), Han Yu (NTU), and Kee Siong Ng (ANU). We are happy to get in touch and hear any feedback at: lingjuanlvsmile@gmail.com!

[1] H. B. McMahan, E. Moore, D. Ramage, S. Hampson et al., “Communication-efficient learning of deep networks from decentralized data,” in AISTATS, 2017, pp. 1273–1282.

[2] Q. Yang, Y. Liu, Y. Cheng, Y. Kang, T. Chen, and H. Yu, Federated Learning. Morgan & Claypool Publishers, 2019.

[3] L. Lyu, J. Yu, K. Nandakumar, Y. Li, X. Ma, J. Jin, H. Yu, and K. S. Ng, “Towards fair and privacy-preserving federated deep models,” IEEE TPDS, vol. 31, no. 11, pp. 2524–2541, 2020.

Ph.D., Unimelb