DHSA: efficient doubly homomorphic secure aggregation for cross-silo federated learning

Abstract

Secure aggregation is widely used in horizontal federated learning (FL), to prevent the leakage of training data when model updates from data owners are aggregated. Secure aggregation protocols based on homomorphic encryption (HE) have been utilized in industrial cross-silo FL systems, one of the settings involved with privacy-sensitive organizations such as financial or medical, presenting more stringent requirements on privacy security. However, existing HE-based solutions have limitations in efficiency and security guarantees against colluding adversaries without a Trust Third Party. This paper proposes an efficient Doubly Homomorphic Secure Aggregation (DHSA) scheme for cross-silo FL, which utilizes multi-key homomorphic encryption (MKHE) and seed homomorphic pseudorandom generator (SHPRG) as cryptographic primitives. The application of MKHE provides strong security guarantees against up to \(N-2\) participates colluding with the aggregator, with no TTP required. To mitigate the large computation and communication cost of MKHE, we leverage the homomorphic property of SHPRG to replace the majority of MKHE computation by computationally friendly mask generation from SHPRG, while preserving the security. Overall, the resulting scheme satisfies the stringent security requirements of typical cross-silo FL scenarios, at the same time providing high computation and communication efficiency for practical usage. We experimentally demonstrate that our scheme brings a speedup to 20\(\times \) over the state-of-the-art HE-based secure aggregation and reduces the traffic volume to approximately 1.5\(\times \) inflation over the plain learning setting.

Appendices

Appendix A: Ring learning with errors

For a power-of-two integer n and \(R={\mathbb {Z}}[X]/(X^n+1)\), define \(R_q=R/(q\cdot R)\) as the residue ring of R modulo an integer q. The Ring Learning with Errors (RLWE) distribution consists of tuples \((a_i, b_i=s\cdot a_i+e_i)\in R_q^2\), where s is a fixed secret chosen from the key distribution \(\chi \) over R, \(a_i\) is uniformly random in \(R_q\), and \(e_i\) is an error term drawn from the error distribution \(\psi \) over \(R_q\). The search RLWE problem states that, given many samples of the form \((a_i, b_i=s\cdot a_i+e_i)\in R_q^2\), it is computationally infeasible to compute the secret s.

Appendix B: BFV

Here, we detail the common instantiation of the basic Brakerski–Fan–Vercauteren (BFV) scheme where the ciphertext space is \(R_q\), and the plaintext space is the ring \(R_t\) for \(t<q\) with \(\Delta =\left\lfloor q/t \right\rfloor \). The implementation consists of a tuple of algorithms(KeyGen, Enc, Dec, Eval) as below:

• Setup: \(pp \leftarrow \) Setup(\(1^\lambda \)): For a given security parameter \(\lambda \), set the RLWE dimension n, ciphertext modulus q, key distribution \(\chi \) and error distribution \(\psi \). Generate a random vector \(a\leftarrow U(R_q)\). Setup (\(1^\lambda \)) returns the public parameter \(pp=(n,q,\chi ,\psi ,a)\).

• Key Generation: \(\{\text {sk},\text {pk}\}\leftarrow \) KeyGen(pp): Given the public parameter pp, KeyGen(pp) outputs the secret key sk and the public key pk. The secret key is sampled randomly, which is \(\text {sk}=s\leftarrow \chi \). The public key is set as \(\text {pk}=(b,a)\), where for the sampled error vector \(e\leftarrow \psi \), \(b=-s\cdot a+e(\mod q) \in R_q\).

• Encryption: ct \(\leftarrow \) BFV.Enc(\(\text {pk}, m\)): For massage \(m\in R_t\), BFV.Enc encrypts it as \(\text {ct}=(\Delta m+ub+e_0, ua+e_1)\), where u is randomly sampled from \(\chi \) and \(e_0,e_1\) are sampled from \(\psi \).

• Decryption: \(m\leftarrow \) BFV.Dec(sk,ct): Taking the secret key sk=s and a ciphertext ct=(\(c_0, c_1\)) as input, BFV.Dec computes \(m=\left[ \left\lfloor \frac{t}{q}[c_0+c_1s]_q\right\rceil \right] _t\) which is the plaintext corresponding to ct.

• Evaluation: \({\text {ct}}'\leftarrow \)BFV.Eval(pk, \(\text {ct}_1\), \(\text {ct}_2\), f): Given the ciphertexts \(\text {ct}_1\), \(\text {ct}_2\) corresponding to public key pk, as well as the funtion f, BFV.Val outputs the ciphertext \({\text {ct}}'\) such that BFV.Dec(sk, \({\text {ct}}'\))=\(f(m_1,m_2)\), where \(\text {ct}_i\)=BFV.Enc(pk, \(m_i\)).

Appendix C: Multi-key BFV based on ciphertexts extension

A multi-key BFV based on ciphertexts extension is another method to handle homomorphic computations on ciphertexts under independently generated secret keys. Different from the compact MKBFV, ciphertexts of this scheme are associated with k different parties. The ciphertext is of the form \(\overline{\text {ct}}=(c_0,c_1,...,c_k)\in R_q^{k+1}\) for a modulus q, which is decryptable by the concatenated secret key \(\overline{\text {sk}}=(1,s_1,...,s_k)\). To achieve the purpose, a key step is the common preprocessing when performing a homomorphic operation between ciphertexts. For given ciphertexts \(\text {ct}_i=(c_{0,i},c_{1,i})\in R_q^2\) of client i, the extended ciphertexts corresponding to the tuple of parties (1, 2, ...N) are \(\overline{\text {ct}_i}=(c_{0,i}^*, c_{1,i}^*,...,c_{N,i}^*)\in R_q^{N+1}\), where \(c_{0,i}^* =c_{0,i},c_{j,i}^*=\delta _{ij}c_{1,i}\), and \(\delta _{ij}=\left\{ \begin{matrix} 1,&{}\text {if }j=i\\ 0,&{}\text {otherwise} \end{matrix}\right. \). Thus, \(\overline{\text {ct}_i}\) can be decrypted with the joint secret key \(\overline{\text {sk}} =(1,s_1,...s_N)\). For a set of N parties \({\mathcal {P}}\), this version of MKBFV consists of five PPT algorithms (Setup, KeyGen, Enc, Dec, Eval).

• Setup: \(pp \leftarrow \text {MKBFV.Setup}(\lambda , \kappa )\). Taking the security and homomorphic capacity parameters as inputs, MKBFV.Setup outputs the public parameter \(pp=\{n,q,\chi ,\psi ,a\}\).

• Key Generation: \(\{\text {sk}_i, \text {pk}_i\}\leftarrow \text {MKBFV.KeyGen}(pp)\). Each party \(P_i\in {\mathcal {P}}\) generates secret and public keys \(\{\text {sk}, \text {pk}\}\) following BFV.KeyGen(pp).

• Encryption: ct\(_i\leftarrow \)MKBFV.Enc(\(\text {pk}_i\), \(x_i\)). The usual encryption calculation of BFV is used to encrypt message under sk\(_i\) to return \(\text {ct}_i=\text {BFV.Enc(pk}_i, x_i)\in R_q^2\).

• Evaluation: \(\overline{{\text {ct}}'}\leftarrow \text {MKBFV.Eval}(F,(\text {ct}_1,\text {ct}_2,...,\text {ct}_N), \{\text {pk}_i\}_{i\in {\mathcal {P}}})\). Given a funcion F, a tuple of ciphertexts \(\text {ct}_i=\text {BFV.Enc(pk}_i, x_i)=(c_{0,i}, c_{1,i})\in R_q^2\) and the corresponding set of public keys \(\{\text {pk}_i\}_{i\in {\mathcal {P}}}\), MKBFV.Eval first extends each ciphertexts \(\text {ct}_i\) to \(\overline{\text {ct}_i}\in R_q^{N+1}\) on the joint secret key of set \({\mathcal {P}}\). Then the arithmetic F is performed on the extended ciphertexts to return \(\overline{{\text {ct}}'}\in R_q^{N+1} \).

• Decryption: \(x\leftarrow \) MKBFV.Dec(\(\overline{\text {ct}}\), \(\{\text {sk}_i\}_{i\in {\mathcal {P}}}\)). Given a ciphertext \(\overline{\text {ct}}\) encrypting x and the corresponding sequence of secret key, MKBFV.Dec outputs the plaintext x by calculating \(\left\langle \overline{\text {ct}},(1,s_1,...,s_N) \right\rangle \), where we denote \(\left\langle u,v \right\rangle \) as the usual dot product of two vectors u, v.