Federated learning (FL) preserves privacy by training models across decentralized devices without sharing raw data. The main privacy techniques include differential privacy, secure multi-party computation (SMPC), and homomorphic encryption. These methods address risks like data leakage during model updates or aggregation while maintaining model utility. Below, I’ll explain each technique in practical terms for developers.
Differential Privacy (DP) adds controlled noise to data or model updates to prevent exposing individual data points. For example, clients in FL can inject noise into their local model gradients before sending them to the server for aggregation. Parameters like epsilon (ε) determine the privacy-accuracy trade-off: lower ε means stronger privacy but potentially reduced model performance. Frameworks like TensorFlow Federated and PySyft support DP by clipping gradients and adding Gaussian or Laplacian noise. A common implementation is the DP-SGD algorithm, which ensures that even if an attacker accesses aggregated updates, they can’t reverse-engineer individual contributions. Developers must tune ε carefully to balance privacy guarantees with model utility.
Secure Multi-Party Computation (SMPC) uses cryptographic protocols to aggregate model updates without revealing individual contributions. One approach is secret sharing, where clients split their updates into encrypted shares distributed among multiple servers. The servers compute aggregated results without ever seeing the raw data. Another method is secure aggregation, used in Google’s FL framework: clients encrypt updates with pairwise keys, and the server sums them such that individual values remain masked. For instance, if two clients share a secret mask, their combined masks cancel out during aggregation. This ensures the server only sees the sum of updates, not individual values. SMPC is efficient for large-scale FL but requires coordination between parties to manage encryption keys and communication.
Homomorphic Encryption (HE) allows computations on encrypted data, enabling clients to send encrypted model updates to the server. The server aggregates these ciphertexts and returns an encrypted result, which only authorized parties can decrypt. For example, a healthcare FL system might use HE to ensure sensitive patient data remains encrypted end-to-end. However, HE is computationally intensive, making it less practical for real-time applications. Libraries like Microsoft SEAL or TenSEAL provide HE tools for developers, but optimizations like partial encryption (applying HE only to critical parameters) are often needed. While HE offers strong privacy, its overhead limits scalability compared to DP or SMPC, making it better suited for high-security, low-latency-tolerant scenarios.