CN117640253B - Federated learning privacy protection method and system based on homomorphic encryption - Google Patents

Publication number
CN117640253B
Authority
CN
China
Prior art keywords
gradient
client
model
ciphertext
parameters
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410101197.1A
Other languages
Chinese (zh)
Other versions
CN117640253A (en)
Inventor
张波
阎茂轩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Jinan
Original Assignee
University of Jinan
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by University of Jinan filed Critical University of Jinan
Priority to CN202410101197.1A priority Critical patent/CN117640253B/en
Publication of CN117640253A publication Critical patent/CN117640253A/en
Application granted granted Critical
Publication of CN117640253B publication Critical patent/CN117640253B/en

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a federated learning privacy protection method and system based on homomorphic encryption, and relates to the technical field of federated learning. Homomorphic encryption is used to encrypt the gradient parameters that each client obtains by training the global model on its local data, so that the uploading and issuing of gradients and the gradient aggregation stage at the server are all carried out on ciphertext. In addition, after the clients are clustered by a clustering algorithm so that the local data of the clients in each cluster has a similar data distribution, the idea of gradient average supplementation is applied within each cluster: the gradient of an offline client is supplemented with the average of the online clients' gradients to achieve fault tolerance. Handling dropout in this way requires no additional storage, because the gradient of the offline client is supplemented directly by the average gradient of the online clients of the same cluster; this reduces memory cost and improves system robustness, and thereby efficiently and securely addresses the poor model performance and the data privacy leakage caused by client dropout.

Description

Federated learning privacy protection method and system based on homomorphic encryption
Technical Field
The application relates to the technical field of federated learning, in particular to a federated learning privacy protection method and system based on homomorphic encryption.
Background
Federated learning is a distributed machine learning paradigm in which a group of clients holding distributed data jointly train a model under the coordination of a central server, while the security and privacy of local data are ensured throughout training. Depending on whether every client takes part in each training round, federated learning is divided into full participation and partial participation. Although full participation is the ideal training mode for achieving optimal convergence, clients drop offline because of resource (i.e. communication and computation) limits, network problems or other reasons, so that partial participation has become one of the main challenges facing federated learning. Client dropout not only degrades the performance of the federated learning model but can also lead to leakage of private data.
Many studies have addressed this problem through active client selection, secret sharing, or replacement with the latest gradient. Sai Praneeth Karimireddy et al. studied the convergence of the random client selection strategy and proposed the stochastic controlled averaging algorithm Scaffold, showing that the algorithm uses control variates to reduce drift between clients. Keith Bonawitz et al. proposed Secure Aggregation, in which the parameter server aggregates the gradients of the clients in a federated learning scenario with many clients, using the secret sharing mechanism from cryptography to realize data recovery in a double-masking scheme; however, the method is inefficient and has high computation and communication costs. Yikai Yan et al. replace the gradients of dropped clients with the latest gradients of all clients, so that the global model can be jointly updated in every iteration even when clients are unavailable, and proposed FedLaAvg, a simple distributed non-convex optimization algorithm; FedLaAvg trains more stably than FedAvg in both convex and non-convex settings and achieves what is effectively a sublinear speedup.
However, with the above schemes the trained model performs poorly in practice, the training process occupies a large amount of memory, and the local data privacy leakage caused by client dropout is to some extent ignored.
Disclosure of Invention
In order to solve the technical problems, the application provides the following technical scheme:
In a first aspect, an embodiment of the present application provides a federated learning privacy protection method based on homomorphic encryption, including:
the server clusters all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution;
the server sets a neural network model as the initial global model of federated training and distributes it to all clients;
the client judges whether the specified number of iterations has been reached; if so, training ends, otherwise each client carries out model training based on the initial global model and local data;
after the training of the client is completed, encrypting the gradient parameter w by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state, and uploading the gradient parameter E (w) to the server;
the server processes the offline client;
the server uses FedAvg algorithm to aggregate and average all ciphertext gradients, and then sends down ciphertext global gradient parameters to each client;
and the client decrypts the global gradient parameters and then adjusts the model until the specified iteration times are reached.
In one possible implementation manner, the server clusters all clients according to a clustering algorithm, including:
dividing M clients into K client clusters, and recording the numbering and the number of clients in each cluster;
recording the number of times each client has been online, and skipping the iteration when all clients in a certain cluster are offline or all clients are offline.
In one possible implementation, the neural network model includes: input x, first layer convolution layerA second layer of convolution layersFirst full connection layerDropout layer->_dropout=Dropout(/>) Second full connection layer->And output y=logSoftmax(/>);
Wherein:_flat=Flatten(/>) represents the flattening operation; Conv(x, W) represents the convolution operation, convolving the input x with the convolution kernel W; MaxPool(x) represents the max pooling operation on the input x; Dropout(x) represents the Dropout operation on the input x; Linear(x, W) represents the fully connected layer operation, a linear transformation of the input x using the weight matrix W; ReLU(x) represents the ReLU activation function, applied element by element to the input x; Flatten(x) represents flattening the input x into a one-dimensional tensor; LogSoftmax(x) represents the LogSoftmax operation on the input x.
In one possible implementation, the model training by each client based on the initial global model and the local data includes: each client is based on an initial global modelAnd local data->Model training is carried out by using a small batch random gradient descent optimization mode to obtain a new local model +.>Subsequent local data,/>Wherein->For small numbers of batches uniformly randomly and independently sampled from a local dataset of client kAccording to the sample, < >>Random gradient for small lot data samples, +.>E is the training iteration number for the learning rate.
In one possible implementation, the model training process includes:
initializing a mini-batch stochastic gradient descent optimizer;
moving the input images and the labels onto the device: images, labels = images.to(self.device), labels.to(self.device);
clearing the previous gradient information to prevent gradient accumulation: model.zero_grad();
passing the images to the model to obtain the model's prediction probabilities: log_probs = model(images);
calculating the cross entropy loss using the prediction probabilities and the true labels: loss = loss_func(log_probs, labels);
calculating the gradient of the loss with respect to the model parameters: loss.backward();
using the optimizer to update the model parameters based on the gradient: optimizer.step();
the model then updates the parameters through the steps described above in each training iteration to minimize the loss function.
In one possible implementation manner, after the training of the client is completed, the gradient parameter w is encrypted by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state, and the gradient parameter E (w) is uploaded to a server, where the method includes:
encrypting each gradient parameter of each layer of the model in a for loop, using the floating-point encryption method of the homomorphic encryption algorithm, wherein the homomorphic encryption algorithm comprises: the BFV algorithm of the Pyfhel homomorphic encryption library, in which a key is first generated through HE = Pyfhel(), HE.contextGen(p=1024, m=2048), HE.keyGen(), and floating-point parameters are then encrypted in the for loop using the HE.encryptFrac() method, wherein p specifies the plaintext modulus, which determines the size of the plaintext data type and is generally a power of 2; m is the modulus of the polynomial coefficients and represents the computational capacity that homomorphic operations can reach;
the homomorphic encryption algorithm process comprises: key generation, in which a public key and a private key are generated using a series of mathematical operations and random numbers, the public key being used to encrypt plaintext data and the private key to decrypt ciphertext data; key generation must satisfy homomorphism, that is, a mathematical operation yields the same result whether it is carried out on the data in the plaintext state or in the ciphertext state; the operation method comprises: the Paillier algorithm of the ophelib library randomly selects two large primes p, q with n = p × q, satisfying that pq and (p-1)(q-1) are coprime,g=n+1, L(x) = (x-1)/n, +.>=(L(g^/>mod n 2-1) mod n, the public key is (n, g), and the private key is (++>,/>);
encryption, in which the plaintext data is encrypted using the public key and converted into ciphertext data: for a plaintext m satisfying 0 ≤ m ≤ n, a random number r is selected such that r and n are coprime, and the ciphertext is c = (g^m · r^n) mod n^2;
decryption, plaintext m=l (c)mod n^2)*/>mod n。
In one possible implementation manner, the processing, by the server, the dropped client includes:
the server performs gradient supplementary treatment on the offline clients of each cluster;
the uploaded encrypted gradient parameters of each cluster, namely the ciphertext gradient parameters of all online clients of the cluster, are averaged in the ciphertext state using homomorphic addition and scalar multiplication: the ciphertext gradient of an offline client x is the average of the sum of the ciphertext gradients of online client y and online client z of the cluster. The scheme thereby achieves the effect of full client participation.
In one possible implementation manner, the server uses the FedAvg algorithm to aggregate and average all ciphertext gradients, and then sends the ciphertext global gradient parameters to each client, including:
assigning different weight parameters to the clients according to their online counts: when the online count of a client is 0, its weight parameter defaults to 1, and otherwise the weight parameter of a client equals its online count; all the weighted gradient parameters are then summed and averaged, and the resulting average is the new global gradient parameter.
In one possible implementation manner, the client adjusts the model after decrypting the global gradient parameter until reaching a specified iteration number, including:
the global gradient parameters, i.e. parameters such as weights and biases, are loaded into the local model using load_state_dict(), a method of the torch.nn.Module class in PyTorch;
the parameter tensors are mapped one-to-one onto each layer according to the model structure, completing the update and adjustment of the local model and speeding up training.
In a second aspect, embodiments of the present application provide a federated learning privacy protection system based on homomorphic encryption, including:
the client clustering module is used for the server to cluster all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution;
the model initialization module is used for setting a neural network model as the initial global model of federated training at the server and distributing the neural network model to each client;
the client local training module is used for judging whether the client reaches the appointed iteration times or not, if so, finishing training, otherwise, each client carries out model training based on the initial global model and the local data;
the homomorphic encryption module is used for encrypting the gradient parameter w of the client training by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state and uploading the gradient parameter E (w) to the server;
the client-side disconnection processing module is used for processing the disconnection client-side by the server-side;
the aggregation average issuing module is used for the server to aggregate and average all ciphertext gradients using the FedAvg algorithm, and then issue the ciphertext global gradient parameters to each client;
and the model adjustment module is used for adjusting the model after the client decrypts the global gradient parameter until the designated iteration times are reached.
In the embodiments of the application, homomorphic encryption is used to encrypt the gradient parameters that each client obtains by training the global model on its local data, and the uploading and issuing of gradients and the gradient aggregation stage at the server are all carried out on ciphertext. Meanwhile, after the clients are clustered by a clustering algorithm so that the local data of the clients in each cluster has a similar data distribution, the idea of gradient average supplementation is applied within each cluster, supplementing the gradient of an offline client with the average of the online clients' gradients to achieve fault tolerance, so that the poor model performance and the data privacy leakage caused by offline clients are addressed efficiently and securely.
Drawings
FIG. 1 is a schematic diagram of a federated learning system according to an embodiment of the present disclosure;
FIG. 2 is a schematic flow chart of a federated learning privacy protection method based on homomorphic encryption according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a federated learning privacy protection system based on homomorphic encryption according to an embodiment of the present application.
Detailed Description
The present invention is described below with reference to the drawings and the detailed description.
For clarity of description, this embodiment uses the federated learning system structure shown in FIG. 1, which is as follows: federated learning is divided into two roles, client and server.
First, multiple federated learning clients must take part in the collaboration; most of the training data these clients hold can be used to train the model, and each client can build a machine learning model. During federated model training, each client's data does not leave the local device, and only model-related information is transmitted and exchanged, i.e. the data stays in place while the model moves. The performance of the federated learning model is sufficiently close to that of an ideal model, namely the machine learning model obtained by training on all the training data together.
Referring to FIG. 2, the federated learning privacy protection method based on homomorphic encryption in this embodiment includes:
S101, the server clusters all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution.
The server clusters all clients according to a clustering algorithm: M clients are divided into K client clusters, and the numbering and the number of clients in each cluster are recorded. In addition, the server records the number of times each client has been online, and skips the iteration when all clients in a certain cluster are offline or all clients are offline.
S102, the server sets a neural network model as the initial global model of federated training and distributes it to each client.
In this embodiment, the neural network model includes: input x, first layer convolution layerA second layer of convolution layersFirst full connection layerDropout layer->_dropout=Dropout(/>) Second full connection layer->And output y=logsoftmax ()>);
Wherein:_flat=Flatten(/>) represents the flattening operation; Conv(x, W) represents the convolution operation, convolving the input x with the convolution kernel W; MaxPool(x) represents the max pooling operation on the input x; Dropout(x) represents the Dropout operation on the input x; Linear(x, W) represents the fully connected layer operation, a linear transformation of the input x using the weight matrix W; ReLU(x) represents the ReLU activation function, applied element by element to the input x; Flatten(x) represents flattening the input x into a one-dimensional tensor; LogSoftmax(x) represents the LogSoftmax operation on the input x.
S103, the client judges whether the specified number of iterations has been reached; if so, training ends, otherwise each client carries out model training based on the initial global model and local data.
Each client is based on an initial global modelAnd local data->Model training is carried out by using a small batch random gradient descent optimization mode to obtain a new local model +.>Subsequent local data,/>Wherein->For small lot data samples uniformly randomly and independently sampled from the local dataset of client k, < +.>Random gradient for small lot data samples, +.>E is the training iteration number for the learning rate.
The model training process comprises the following steps:
Initializing the optimizer: a mini-batch stochastic gradient descent optimizer is initialized.
Moving the input images and the labels onto the device (GPU): images, labels = images.to(self.device), labels.to(self.device).
Zeroing the model gradients: the previous gradient information is cleared to prevent gradient accumulation: model.zero_grad().
Forward propagation: the images are passed to the model to obtain the model's prediction probabilities: log_probs = model(images).
Calculating the loss: the cross entropy loss is calculated using the prediction probabilities and the true labels: loss = loss_func(log_probs, labels).
Back propagation: the gradient of the loss with respect to the model parameters is calculated: loss.backward().
Parameter update: the optimizer updates the model parameters based on the gradient: optimizer.step().
These steps constitute a complete process of model training, by which the model updates parameters in each training iteration to minimize the loss function.
S104, after the training of the client is completed, the gradient parameter w is encrypted using a homomorphic encryption algorithm to obtain the gradient parameter E(w) in the ciphertext state, which is uploaded to the server.
Since the gradient parameters are generally floating-point numbers, each gradient parameter of each layer of the model is encrypted in a for loop using the floating-point encryption method of the homomorphic encryption algorithm. Taking the BFV algorithm of the Pyfhel homomorphic encryption library as an example, a key is first generated through HE = Pyfhel(), HE.contextGen(p=1024, m=2048), HE.keyGen(), and the floating-point parameters are then encrypted in the for loop using the HE.encryptFrac() method. Here p specifies the plaintext modulus, which determines the size of the plaintext data type and is typically a power of 2, and m is the modulus of the polynomial coefficients, which represents the computational capacity achievable by homomorphic operations.
Homomorphic encryption algorithm process:
1. Key generation: a public key and a private key are generated using a series of mathematical operations and random numbers; the public key is used to encrypt plaintext data and the private key to decrypt ciphertext data. Key generation must satisfy homomorphism, that is, a mathematical operation yields the same result whether it is carried out on the data in the plaintext state or in the ciphertext state.
Taking the Paillier algorithm of the ophelib library as an example, two large primes p, q are randomly selected with n = pq, satisfying that pq and (p-1)(q-1) are coprime,g=n+1, L(x) = (x-1)/n, +.>=(L(g^/>mod n 2-1) mod n, the public key is (n, g), and the private key is (++>,/>).
2. Encryption: the plaintext data is encrypted using the public key and converted into ciphertext data:
for a plaintext m satisfying 0 ≤ m ≤ n, a random number r is selected such that r and n are coprime, and the ciphertext is c = (g^m · r^n) mod n^2.
3. Decryption: plaintext m=l (c)mod n^2)*/>mod n。
S105, the server processes the offline client.
The server performs gradient supplementation for the offline clients of each cluster: for the encrypted gradient parameters uploaded in each cluster, namely the ciphertext gradient parameters of all online clients of the cluster, the average is calculated in the ciphertext state using homomorphic addition and scalar multiplication. For example, the ciphertext gradient of an offline client x in a certain cluster is the average of the sum of the ciphertext gradients of online client y and online client z of that cluster. The scheme thereby achieves the effect of full client participation.
S106, the server uses FedAvg algorithm to aggregate and average all ciphertext gradients, and then sends down ciphertext global gradient parameters to each client.
Weighted aggregation averaging is implemented as follows: different weight parameters are assigned to the clients according to their online counts; when the online count of a client is 0, its weight parameter defaults to 1, and otherwise the weight parameter of a client equals its online count. All the weighted gradient parameters are then summed and averaged, and the resulting average is the new global gradient parameter.
S107, the client decrypts the global gradient parameters and then adjusts the model until the specified number of iterations is reached.
The global gradient parameters, i.e. parameters such as weights and biases, are loaded into the local model using load_state_dict(), a method of the torch.nn.Module class in PyTorch. The parameters are mapped one-to-one onto each layer according to the model structure, completing the update and adjustment of the local model; this update does not change the model structure and can speed up the training process.
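The following is an added Python example, not code from the patent or from the Pyfhel or ophelib libraries, that carries steps S104 to S107 through with a textbook Paillier implementation: clients encrypt fixed-point gradients, the server fills in each offline client with its cluster's online average and applies the online-count weights on ciphertexts only, and the client decrypts and divides. Assumptions made here: the names lam and mu (the usual Paillier private-key components), the fixed-point SCALE, the toy primes P and Q, one scalar gradient per client, and deferring the division to the client because Paillier only allows multiplying a ciphertext by an integer.

```python
import secrets
from math import gcd, lcm

# Toy primes constructed for this example (two Mersenne primes). NOT secure:
# a real deployment uses a vetted library and a modulus of at least 2048 bits.
P, Q = 2**61 - 1, 2**89 - 1
SCALE = 10**6  # assumed fixed-point scale: a gradient w is sent as round(w * SCALE)

def keygen(p=P, q=Q):
    """Paillier key generation with g = n + 1, as in the description."""
    n = p * q
    if gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("pq and (p-1)(q-1) must be coprime")
    lam = lcm(p - 1, q - 1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)  # (L(g^lam mod n^2))^-1 mod n
    return (n, g), (lam, mu)

def encrypt(pub, w):
    """E(w): c = g^m * r^n mod n^2, with m the fixed-point encoding of w."""
    n, g = pub
    m = round(w * SCALE) % n  # negative gradients wrap around modulo n
    r = 0
    while gcd(r, n) != 1:  # r must be coprime to n
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt_int(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, mapped back to a signed integer."""
    n, _ = pub
    lam, mu = priv
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m

def he_add(pub, c1, c2):
    """E(a) * E(b) mod n^2 decrypts to a + b."""
    return c1 * c2 % (pub[0] ** 2)

def he_scale(pub, c, k):
    """E(a)^k mod n^2 decrypts to k * a, for a non-negative integer k."""
    return pow(c, k, pub[0] ** 2)

def weight(online_counts, client):
    """S106 rule: weight = online count, except that a count of 0 gives 1."""
    return online_counts.get(client, 0) or 1

def aggregate(pub, clusters, uploads, online_counts):
    """Server side of S105 and S106, on ciphertexts only.

    clusters: {cluster id: [client ids]}; uploads: {client id: E(w)} for the
    clients online this round. Returns (ciphertext numerator, integer
    denominator), or None when the round must be skipped.
    """
    online = {cid: [c for c in members if c in uploads]
              for cid, members in clusters.items()}
    if any(not members for members in online.values()):
        return None  # a whole cluster (or everyone) is offline: skip the round
    common = lcm(*(len(members) for members in online.values()))
    numerator = encrypt(pub, 0)
    total_weight = 0
    for cid, members in clusters.items():
        k = len(online[cid])
        # An offline client is replaced by (sum of online gradients) / k, so its
        # weight is spread over the k online ciphertexts; multiplying everything
        # by `common` keeps every exponent an integer.
        offline_weight = sum(weight(online_counts, c)
                             for c in members if c not in uploads)
        for c in online[cid]:
            coef = common * weight(online_counts, c) + (common // k) * offline_weight
            numerator = he_add(pub, numerator, he_scale(pub, uploads[c], coef))
        total_weight += sum(weight(online_counts, c) for c in members)
    return numerator, common * total_weight

def client_decode(pub, priv, numerator, denominator):
    """S107: decrypt, then undo the common factor, the weights and the scale."""
    return decrypt_int(pub, priv, numerator) / (denominator * SCALE)

def demo():
    """Constructed round: cluster A has one offline client, cluster B has none."""
    pub, priv = keygen()
    clusters = {"A": ["a1", "a2", "a3"], "B": ["b1", "b2"]}
    gradients = {"a1": 0.5, "a2": -0.25, "b1": 1.0, "b2": 0.2}  # a3 is offline
    online_counts = {"a1": 3, "a2": 1, "a3": 0, "b1": 2, "b2": 2}
    uploads = {c: encrypt(pub, w) for c, w in gradients.items()}
    numerator, denominator = aggregate(pub, clusters, uploads, online_counts)
    return client_decode(pub, priv, numerator, denominator)

if __name__ == "__main__":
    print(demo())
```

A real model repeats this per parameter of every layer, and the server never holds the private key: it sees only the ciphertexts and the public integer weights.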
Corresponding to the federated learning privacy protection method based on homomorphic encryption provided in the above embodiment, the present application further provides an embodiment of the federated learning privacy protection system based on homomorphic encryption.
Referring to FIG. 3, a federated learning privacy protection system 20 based on homomorphic encryption comprises:
the client clustering module 201 is configured to cluster all clients according to a clustering algorithm by a server, where local data of each cluster of clients has similar data distribution;
the model initialization module 202 is configured to set a neural network model as the initial global model of federated training at the server and distribute the initial global model to each client;
the local training module 203 of the client, configured to determine whether the client reaches a specified iteration number, and end training if the client has reached, otherwise each client performs model training based on an initial global model and local data;
the homomorphic encryption module 204 is configured to encrypt the gradient parameter w by using a homomorphic encryption algorithm after the training of the client is completed, obtain a gradient parameter E (w) in a ciphertext state, and upload the gradient parameter E (w) to the server;
the client-side offline processing module 205 is configured to process the offline client by the server side;
the aggregation average issuing module 206 is configured to perform aggregation average on all ciphertext gradients by using a FedAvg algorithm, and then issue ciphertext global gradient parameters to each client;
the model adjustment module 207 is configured to adjust the model after the client decrypts the global gradient parameter until the specified iteration number is reached.
In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. "and/or", describes an association relation of association objects, and indicates that there may be three kinds of relations, for example, a and/or B, and may indicate that a alone exists, a and B together, and B alone exists. Wherein A, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of the following" and the like means any combination of these items, including any combination of single or plural items. For example, at least one of a, b and c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural.
The foregoing is merely specific embodiments of the present application, and any person skilled in the art may easily conceive of changes or substitutions within the technical scope of the present application, which should be covered by the protection scope of the present application. The protection scope of the present application shall be subject to the protection scope of the claims.

Claims (5)

1. A federated learning privacy protection method based on homomorphic encryption, characterized by comprising the following steps:
the server clusters all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution;
the server sets a neural network model as the initial global model of federated training and distributes it to all clients;
the neural network model includes: input x, first layer convolution layerSecond layer convolution layer->First full connection layerDropout layer->_dropout=Dropout(/>) Second full connection layer->And output y=logsoftmax ()>);
Wherein:_flat=Flatten(/>) represents the flattening operation; Conv(x, W) represents the convolution operation, convolving the input x with the convolution kernel W; MaxPool(x) represents the max pooling operation on the input x; Dropout(x) represents the Dropout operation on the input x; Linear(x, W) represents the fully connected layer operation, a linear transformation of the input x using the weight matrix W; ReLU(x) represents the ReLU activation function, applied element by element to the input x; Flatten(x) represents flattening the input x into a one-dimensional tensor; LogSoftmax(x) represents the LogSoftmax operation on the input x;
the client judges whether the specified iteration times are reachedAnd ending training if the number is reached, otherwise, each client performs model training based on the initial global model and the local data, and the method comprises the following steps: each client is based on an initial global modelAnd local data->Model training is carried out by using a small batch random gradient descent optimization mode to obtain a new local model +.>Subsequent local data +.>,/>Wherein->For small lot data samples uniformly randomly and independently sampled from the local dataset of client k, < +.>Random gradient for small lot data samples, +.>E is the training iteration number for learning rate;
the model training process comprises the following steps:
initializing a mini-batch stochastic gradient descent optimizer;
moving the input images and the labels onto the device: images, labels = images.to(self.device), labels.to(self.device);
clearing the previous gradient information to prevent gradient accumulation: model.zero_grad();
passing the images to the model to obtain the model's prediction probabilities: log_probs = model(images);
calculating the cross entropy loss using the prediction probabilities and the true labels: loss = loss_func(log_probs, labels);
calculating the gradient of the loss with respect to the model parameters: loss.backward();
using the optimizer to update the model parameters based on the gradient: optimizer.step();
subsequently, in each training iteration, updating parameters of the model through the steps so as to minimize a loss function;
after the training of the client is completed, encrypting the gradient parameter w using a homomorphic encryption algorithm to obtain the gradient parameter E(w) in the ciphertext state, and uploading E(w) to the server, comprising:
encrypting each gradient parameter of each layer of the model in a for loop, using the floating-point encryption method of the homomorphic encryption algorithm, wherein the homomorphic encryption algorithm comprises: the BFV algorithm of the Pyfhel homomorphic encryption library, which first generates a key through HE = Pyfhel(), HE.contextGen(p=1024, m=2048), HE.keyGen(), and then encrypts the floating-point parameters in the for loop using the HE.encryptFrac() method, wherein p is the plaintext modulus, which determines the size of the plaintext data type and is generally a power of 2; m is the polynomial coefficient modulus and represents the computational capacity that homomorphic operations can reach;
the homomorphic encryption algorithm process comprises the following steps: key generation, namely generating a public key and a private key using a series of mathematical operations and random numbers, wherein the public key is used to encrypt plaintext data and the private key is used to decrypt ciphertext data, and the key generation must satisfy homomorphism, that is, the result of a mathematical operation on the data is the same in the plaintext state and in the ciphertext state; the operation method comprises: the Paillier algorithm of the ophelib library randomly selects two large primes p, q, with n = p × q, such that p·q and (p-1)(q-1) are coprime, g = n + 1, L(x) = (x-1)/n, +.>=(L(g^/>mod n 2-1) mod n, the public key is (n, g), and the private key is (++>,/>);
encryption, namely encrypting the plaintext data with the public key to convert it into ciphertext data: for a plaintext m satisfying 0 ≤ m ≤ n, a random number r coprime to n is selected, and the ciphertext is c = (g^m + r^n) mod n^2;
decryption, plaintext m=l (c) mod n^2)* />mod n;
The server processes the offline client, including:
the server performs gradient supplementary treatment on the offline clients of each cluster;
average value calculation under ciphertext state is carried out on the uploaded encryption gradient parameters of each cluster, namely, all online client ciphertext gradient parameters of the cluster by homomorphic addition and multiplication operation: the ciphertext gradient of the offline client x is the average value of the ciphertext gradient sum of the online client y and the online client z of the cluster, namelyThe scheme can meet the effect that the client is completely participated in;
the server uses FedAvg algorithm to aggregate and average all ciphertext gradients, and then sends down ciphertext global gradient parameters to each client;
and the client decrypts the global gradient parameters and then adjusts the model until the specified iteration times are reached.
2. The federal learning privacy protection method based on homomorphic encryption according to claim 1, wherein the server clusters all clients according to a clustering algorithm, comprising:
dividing M clients into K client clusters, and recording the number and the number of clients in each cluster;
recording the online times of the client) And skipping the iteration when all clients in a certain cluster are disconnected or all clients are disconnected.
3. The homomorphic encryption-based federal learning privacy protection method of claim 1, wherein the server uses a FedAvg algorithm to aggregate and average all ciphertext gradients, and then issues ciphertext global gradient parameters to each client, comprising:
giving different weight parameters to the client according to the online times of the client, when the online times of a certain client are 0, the weight parameters default to 1, the weight parameters of the client in other conditions are equal to the online times of the client, then summing all the weighted gradient parameters and calculating an average value, and the average value result is the new global gradient parameter
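The offline-client supplement and the online-count weighting described in the claims above, shown as an added example (not code from the patent): textbook Paillier with g = n + 1 over fixed-point encoded gradients, with the division deferred to a public integer denominator because Paillier scalar multiplication only accepts integers. SCALE, the toy primes, all function names, and normalising by the total weight are assumptions of this example.

```python
import math
import secrets

SCALE = 10**6                      # fixed-point scale for float gradients (assumption)
P, Q = 2**61 - 1, 2**89 - 1        # constructed toy primes; far too small for real use

def keygen(p, q):
    """Paillier keys with g = n + 1, as the claim specifies."""
    n = p * q
    assert math.gcd(n, (p - 1) * (q - 1)) == 1
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)  # L(g^lam mod n^2)^-1 mod n
    return (n, n + 1), (lam, mu)

def encrypt(pub, value):
    n, g = pub
    m = round(value * SCALE) % n   # negative values wrap into the upper half of Z_n
    r = 0
    while math.gcd(r, n) != 1:     # fresh randomness for every ciphertext
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pub, priv, c):
    n, (lam, mu) = pub[0], priv
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return (m - n if m > n // 2 else m) / SCALE

def he_add(pub, c1, c2):           # E(a) * E(b) = E(a + b)
    return c1 * c2 % pub[0] ** 2

def he_scale(pub, c, k):           # E(a) ^ k = E(k * a), k a non-negative integer
    return pow(c, k, pub[0] ** 2)

def weight(online_count):          # claim 3: weight = online count, 1 if never online
    return online_count or 1

def aggregate(pub, online, offline_weights):
    """Server side, one cluster. online: [(ciphertext, weight)]; offline_weights:
    weights of dropped clients. Returns (E(numerator), public denominator)."""
    c = len(online)
    cluster_sum = online[0][0]
    for ct, _ in online[1:]:
        cluster_sum = he_add(pub, cluster_sum, ct)
    # A dropped client stands in as the cluster mean = cluster_sum / c. Everything
    # is multiplied through by c so only integer scalars touch the ciphertexts.
    total = he_scale(pub, cluster_sum, sum(offline_weights))
    for ct, w in online:
        total = he_add(pub, total, he_scale(pub, ct, w * c))
    return total, c * (sum(w for _, w in online) + sum(offline_weights))

def demo():
    pub, priv = keygen(P, Q)
    # constructed sample: y online 3 rounds, z online 1 round, x dropped (0 rounds)
    online = [(encrypt(pub, 0.25), weight(3)), (encrypt(pub, -0.75), weight(1))]
    enc_num, denom = aggregate(pub, online, [weight(0)])
    return decrypt(pub, priv, enc_num) / denom   # client side, after download
```

The server never sees a plaintext gradient; it handles only ciphertexts and the public integers (weights and denominator), and the plaintext range must stay below n/2 after scaling and weighting or the decoded sign wraps.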
4. The homomorphic encryption-based federal learning privacy protection method of claim 3, wherein the client adjusts the model after decrypting the global gradient parameters until a specified number of iterations is reached, comprising:
the global gradient parameters are loaded into the local model using the load_state_dict() method of the torch.nn.Module class in PyTorch, that is, loading parameters such as weights and biases;
and carrying out one-to-one mapping on parameter tensors on each layer according to the model structure to complete the process of updating and adjusting the speed training of the local model.
5. A homomorphic encryption-based federal learning privacy protection system, comprising:
the client clustering module is used for the server to cluster all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution;
the model initialization module is used for setting a neural network model as an initial global model of federal training at the server and distributing the neural network model to each client;
the neural network model includes: input x, first layer convolution layerSecond layer convolution layer->First full connection layerDropout layer->_dropout=Dropout(/>) Second full connection layer->And output y=logsoftmax ()>);
Wherein:_flat=Flatten(/>) represents the flattening operation; Conv(x, W) represents the convolution operation, convolving input x with a convolution kernel W; MaxPool(x) represents the max pooling operation on input x; Dropout(x) represents the Dropout operation on input x; Linear(x, W) represents the fully connected layer operation, a linear transformation of input x using a weight matrix W; ReLU(x) represents the ReLU activation function, applied element by element to input x; Flatten(x) represents flattening input x into a one-dimensional tensor; LogSoftmax(x) represents the LogSoftmax operation on input x;
the local training module of the client, is used for the client to judge whether to reach the appointed iteration number, if already reached, finish training, otherwise each client carries on model training based on the initial global model and local data, including: each client is based on an initial global modelAnd local data->Model training is carried out by using a small batch random gradient descent optimization mode to obtain a new local model +.>Subsequent local data +.>Wherein->For small batches of data samples uniformly randomly and independently sampled from the local dataset of client k,random gradient for small lot data samples, +.>E is the training iteration number for learning rate;
the model training process comprises the following steps:
initializing a small batch random gradient descent optimizer;
moving the input images and labels onto the device: images, labels = images.to(self.device), labels.to(self.device);
clearing the previous gradient information to prevent gradient accumulation: model.zero_grad();
passing the images to the model to obtain the model's predicted probabilities: log_probs = model(images);
calculating the cross-entropy loss using the predicted probabilities and the true labels: loss = loss_func(log_probs, labels);
calculating the gradient of the loss with respect to the model parameters: loss.backward();
using the optimizer to update the model parameters based on the gradient: optimizer.step();
subsequently, in each training iteration, updating parameters of the model through the steps so as to minimize a loss function;
the homomorphic encryption module is used for encrypting the gradient parameter w of the client after training is completed, using a homomorphic encryption algorithm, to obtain the gradient parameter E(w) in the ciphertext state, and uploading E(w) to the server, comprising:
encrypting each gradient parameter of each layer of the model in a for loop, using the floating-point encryption method of the homomorphic encryption algorithm, wherein the homomorphic encryption algorithm comprises: the BFV algorithm of the Pyfhel homomorphic encryption library, which first generates a key through HE = Pyfhel(), HE.contextGen(p=1024, m=2048), HE.keyGen(), and then encrypts the floating-point parameters in the for loop using the HE.encryptFrac() method, wherein p is the plaintext modulus, which determines the size of the plaintext data type and is generally a power of 2; m is the polynomial coefficient modulus and represents the computational capacity that homomorphic operations can reach;
the homomorphic encryption algorithm process comprises the following steps: key generation, namely generating a public key and a private key using a series of mathematical operations and random numbers, wherein the public key is used to encrypt plaintext data and the private key is used to decrypt ciphertext data, and the key generation must satisfy homomorphism, that is, the result of a mathematical operation on the data is the same in the plaintext state and in the ciphertext state; the operation method comprises: the Paillier algorithm of the ophelib library randomly selects two large primes p, q, with n = p × q, such that p·q and (p-1)(q-1) are coprime, g = n + 1, L(x) = (x-1)/n, +.>=(L(g^/>mod n 2-1) mod n, the public key is (n, g), and the private key is (++>,/>);
encryption, namely encrypting the plaintext data with the public key to convert it into ciphertext data: for a plaintext m satisfying 0 ≤ m ≤ n, a random number r coprime to n is selected, and the ciphertext is c = (g^m + r^n) mod n^2;
decryption, plaintext m=l (c) mod n^2)* />mod n;
The client-side disconnection processing module is used for processing the disconnection client-side by the server-side, and comprises the following steps:
the server performs gradient supplementary treatment on the offline clients of each cluster;
for the encrypted gradient parameters uploaded by each cluster, namely the ciphertext gradient parameters of all online clients of the cluster, average value calculation under ciphertext state is carried out using homomorphic addition and scalar multiplication operations: the ciphertext gradient of the offline client x is the average value of the ciphertext gradient sum of the online client y and the online client z of the cluster, namelyThe scheme can meet the effect that the client is completely participated in;
the aggregation average issuing module is used for performing aggregation average on all ciphertext gradients by using a FedAvg algorithm by the server, and then issuing ciphertext global gradient parameters to each client;
and the model adjustment module is used for adjusting the model after the client decrypts the global gradient parameter until the designated iteration times are reached.
CN202410101197.1A 2024-01-25 2024-01-25 Federal learning privacy protection method and system based on homomorphic encryption Active CN117640253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410101197.1A CN117640253B (en) 2024-01-25 2024-01-25 Federal learning privacy protection method and system based on homomorphic encryption

Publications (2)

Publication Number Publication Date
CN117640253A CN117640253A (en) 2024-03-01
CN117640253B CN117640253B (en) 2024-04-05

Family

ID=90027289

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant