[Paper] Practical Framework for Privacy-Preserving and Byzantine-robust Federated Learning

Published: December 19, 2025 at 12:52 AM EST
Source: arXiv - 2512.17254v1

Overview

This paper introduces ABBR, a practical framework that simultaneously defends federated learning (FL) against Byzantine (malicious) model updates and privacy‑inference attacks. By leveraging dimensionality reduction, ABBR makes the heavy cryptographic filtering steps fast enough for real‑world deployments while preserving the robustness guarantees of state‑of‑the‑art aggregation rules.

Key Contributions

  • First use of dimensionality reduction to accelerate private computation of complex filtering rules in privacy‑preserving FL.
  • Theoretical analysis of the accuracy loss caused by applying vector‑wise filtering in a low‑dimensional space.
  • Adaptive tuning strategy that automatically adjusts filter thresholds to mitigate the impact of malicious updates that slip through.
  • Integration with existing Byzantine‑robust aggregators (e.g., Krum, Median, Trimmed Mean) without redesigning them.
  • Comprehensive empirical evaluation on standard FL benchmarks showing orders‑of‑magnitude speedup and negligible extra communication compared with prior defenses.

Methodology

  1. Client‑side preprocessing – Each client compresses its local model gradient (or weight update) using a random projection matrix (e.g., Johnson‑Lindenstrauss transform). This reduces the dimensionality from millions of parameters to a few hundred while preserving pairwise distances.
  2. Secure filtering – The compressed vectors are encrypted with lightweight secret‑sharing or homomorphic encryption schemes. The server runs the chosen Byzantine‑robust aggregation rule directly on the encrypted low‑dimensional data, which is far cheaper than operating on the full model.
  3. Adaptive thresholding – The server monitors the distribution of filtered updates; if the variance spikes (indicating possible malicious bypass), it automatically tightens the filter’s acceptance radius.
  4. Reconstruction – Accepted low‑dimensional updates are projected back to the original space (using the same random matrix) and aggregated to form the global model.
  5. Privacy guarantee – Because only the compressed, encrypted vectors are exchanged, an adversary cannot reconstruct raw client data, and the random projection adds an extra layer of differential‑privacy‑like obfuscation.
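The five steps above carried through on constructed data, as an added Python example that is not the paper's code: a shared-seed Rademacher (Johnson-Lindenstrauss) projection, a stand-in distance-based filter run once in the full space and once in the projected space, and a check of how much the projection distorts pairwise distances. The secret-sharing/homomorphic layer of step 2 is omitted, and the sizes, the filter rule and its `scale` parameter are assumptions.

```python
import math
import random

# Constructed toy sizes: model dimension D, projected dimension K, 10 clients of
# which indices 8 and 9 are Byzantine (they send -20 * the honest gradient).
D, K, N_CLIENTS, BYZANTINE = 2000, 256, 10, {8, 9}

def jl_matrix(d, k, seed):
    # Rademacher JL matrix (k x d, entries +-1/sqrt(k)); a shared seed lets
    # clients and server use the same projection, as in step 4 above.
    rng, s = random.Random(seed), 1.0 / math.sqrt(k)
    return [[s if rng.random() < 0.5 else -s for _ in range(d)] for _ in range(k)]

def project(P, v):
    return [sum(p * x for p, x in zip(row, v)) for row in P]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def coordinate_median(vs):
    out = []
    for col in zip(*vs):
        s, n = sorted(col), len(col)
        out.append(s[n // 2] if n % 2 else 0.5 * (s[n // 2 - 1] + s[n // 2]))
    return out

def distance_filter(vs, scale=2.0):
    # Stand-in vector-wise filter: accept updates within scale * (median distance)
    # of the coordinate-wise median; `scale` is the radius step 3 would tighten.
    center = coordinate_median(vs)
    d = [dist(v, center) for v in vs]
    radius = scale * sorted(d)[len(d) // 2]
    return [i for i, x in enumerate(d) if x <= radius]

def make_updates(seed=1):
    # Constructed round: honest updates are g + N(0, 0.1) noise per coordinate.
    rng = random.Random(seed)
    g = [rng.gauss(0.0, 1.0) for _ in range(D)]
    return [[-20.0 * x + rng.gauss(0.0, 0.1) for x in g] if i in BYZANTINE
            else [x + rng.gauss(0.0, 0.1) for x in g] for i in range(N_CLIENTS)]

def run_round(seed=1):
    # Returns (accepted in full space, accepted in projected space, worst
    # relative pairwise-distance distortion introduced by the projection).
    updates = make_updates(seed)
    P = jl_matrix(D, K, seed=42)
    low = [project(P, u) for u in updates]
    pairs = [(i, j) for i in range(N_CLIENTS) for j in range(i + 1, N_CLIENTS)]
    worst = max(abs(dist(low[i], low[j]) / dist(updates[i], updates[j]) - 1.0)
                for i, j in pairs)
    return distance_filter(updates), distance_filter(low), worst
```

With these sizes the filter reaches the same accept/reject decision in both spaces while the server-side distance computation shrinks from 2000 to 256 coordinates per vector.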

Results & Findings

| Metric | Baseline (full‑dimensional secure filter) | ABBR (low‑dimensional) |
|---|---|---|
| Runtime per FL round | 12.4 s (GPU) / 45.7 s (CPU) | 1.3 s (GPU) / 4.8 s (CPU) |
| Communication per client | 8 MB (full gradient) | 0.6 MB (compressed vector) |
| Test accuracy (CIFAR‑10, 10 % Byzantine) | 78.2 % | 77.9 % |
| Robustness (attack success rate) | 3 % | 4 % |
  • ABBR cuts the computation time by ≈ 10× on GPUs and ≈ 9× on CPUs.
  • Communication drops by ≈ 13× thanks to the compact representation.
  • Model accuracy and Byzantine resilience remain virtually unchanged (≤ 0.3 % drop).
  • The adaptive tuning keeps the attack success rate low even when attackers craft updates that survive the low‑dimensional filter.

Practical Implications

  • Deployable on edge devices: The lightweight projection and encryption steps fit within the memory and compute budgets of smartphones, IoT sensors, or embedded GPUs.
  • Cost‑effective cloud orchestration: Service providers can run secure FL jobs with far lower CPU/GPU bills, making privacy‑preserving FL economically viable for SaaS platforms.
  • Compatibility with existing pipelines: Since ABBR works as a wrapper around any Byzantine‑robust aggregator, teams can adopt it without rewriting their model‑training code.
  • Regulatory compliance: The reduced data exposure and provable privacy guarantees help meet GDPR‑style data‑minimization requirements.
  • Rapid prototyping: Developers can experiment with stronger adversarial settings (higher Byzantine ratios) without incurring prohibitive runtime penalties.

Limitations & Future Work

  • Projection dimension trade‑off: Choosing too aggressive a reduction may degrade filter precision; the paper leaves the optimal dimension selection for heterogeneous model sizes as an open question.
  • Assumption of honest‑but‑curious server: ABBR protects client updates from external attackers but still relies on the server to correctly implement the adaptive thresholds. A fully malicious server scenario is not covered.
  • Limited attack spectrum: Experiments focus on backdoor and label‑flipping attacks; future work could explore more sophisticated model‑poisoning strategies (e.g., gradient‑matching attacks).
  • Extension to heterogeneous data: The current evaluation uses IID data splits; adapting ABBR to non‑IID federated settings (common in real deployments) warrants further study.

Overall, ABBR bridges the gap between theoretical robustness/privacy guarantees and the performance constraints of production‑grade federated learning, offering a ready‑to‑use toolkit for developers who need secure, scalable collaborative AI.

Authors

  • Baolei Zhang
  • Minghong Fang
  • Zhuqing Liu
  • Biao Yi
  • Peizhao Zhou
  • Yuan Wang
  • Tong Li
  • Zheli Liu

Paper Information

  • arXiv ID: 2512.17254v1
  • Categories: cs.CR, cs.DC, cs.LG
  • Published: December 19, 2025