CN117640253B - Federal learning privacy protection method and system based on homomorphic encryption - Google Patents
- Publication number
- CN117640253B (CN202410101197.1A)
- Authority
- CN
- China
- Prior art keywords
- gradient
- client
- model
- ciphertext
- parameters
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a federal learning privacy protection method and system based on homomorphic encryption, and relates to the technical field of federal learning. Homomorphic encryption is used to encrypt the gradient parameters that each client obtains by training the global model on its local data; gradient upload, gradient download and the server's gradient aggregation stage are all carried out on ciphertext. In addition, the clients are clustered by a clustering algorithm so that the local data of the clients in each cluster have similar data distributions, and within each cluster the gradient of an offline client is supplemented with the average of the gradients of the online clients in order to achieve fault tolerance. Handling offline clients this way occupies no additional storage, because the gradient of an offline client is supplied directly by the average gradient of the online clients in the same cluster; this reduces memory cost and improves system robustness, and so efficiently and securely addresses the poor model performance and the data privacy leakage caused by client disconnection.
Description
Technical Field
The application relates to the technical field of federal learning, in particular to a federal learning privacy protection method and system based on homomorphic encryption.
Background
Federal learning is a distributed machine learning paradigm in which a group of clients holding distributed data jointly train a model under the coordination of a central server, while the security and privacy of the local data are preserved throughout training. Depending on whether every client takes part in each training round, federal learning is divided into full participation and partial participation. Full participation is the ideal training mode for optimal convergence, but clients drop offline because of resource (i.e. communication and computation) limits, network problems and other causes, so partial participation has become one of the main challenges facing federal learning. Client disconnection not only degrades the performance of the federal learning model but can also cause private data to leak.
In response, many studies have addressed the problem through active client selection, secret sharing, or replacement with the latest gradient. Sai Praneeth Karimireddy et al. studied the convergence of random client selection and proposed the stochastic controlled averaging algorithm Scaffold, showing that it uses control variates to reduce drift between clients. Keith Bonawitz et al. proposed Secure Aggregation, in which the parameter server aggregates the gradients of many clients in a federal learning setting and a cryptographic secret-sharing mechanism is used to recover data in its Double-Masking scheme; the method is inefficient, however, and has high computation and communication costs. Yikai Yan et al. replace the gradients of offline clients with the latest gradients of all clients, so that the global model can be jointly updated in every iteration even when clients are unavailable, and proposed FedLaAvg, a simple distributed non-convex optimization algorithm; FedLaAvg trains more stably than FedAvg in both convex and non-convex settings and in practice achieves a sublinear speedup.
However, with these schemes the actual performance of the trained model is poor, the training process occupies a large amount of memory, and the local data privacy leakage caused by client disconnection is to some extent ignored.
Disclosure of Invention
In order to solve the technical problems, the application provides the following technical scheme:
in a first aspect, an embodiment of the present application provides a federal learning privacy protection method based on homomorphic encryption, including:
the server clusters all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution;
the method comprises the steps that a neural network model is set at a server side to serve as an initial global model of federal training and distributed to all clients;
the client judges whether the specified iteration times are reached, if so, the training is finished, otherwise, each client carries out model training based on an initial global model and local data;
after the training of the client is completed, encrypting the gradient parameter w by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state, and uploading the gradient parameter E (w) to the server;
the server processes the offline client;
the server uses FedAvg algorithm to aggregate and average all ciphertext gradients, and then sends down ciphertext global gradient parameters to each client;
and the client decrypts the global gradient parameters and then adjusts the model until the specified iteration times are reached.
In one possible implementation manner, the server clusters all clients according to a clustering algorithm, including:
dividing M clients into K client clusters, and recording each cluster's number and the number of clients in it;
recording the number of times each client has been online, and skipping the iteration when all clients in a cluster are offline or all clients are offline.
In one possible implementation, the neural network model includes: input x, first layer convolution layerA second layer of convolution layersFirst full connection layerDropout layer->_dropout=Dropout(/>) Second full connection layer->And output y=logSoftmax(/>);
Wherein:_flat=Flatten(/>) Representing flattening operations, conv (x, W) representing convolution operations, convolving input x using convolution kernel W, maxPool (x) representing maximum pooling operations, max pooling input x, dropout (x) representing Dropout operations, dropout being performed on input x, linear (x, W) representing fully connected layer operations, linear transformation of input x using weight matrix W, reLU (x) representing a ReLU activation function, element-by-element ReLU operations on input x, flatten (x) representing flattening input x into a one-dimensional tensor, logSoftmax (x) representing LogSoftmax operations on input x.
In one possible implementation, the model training by each client based on the initial global model and the local data includes: each client is based on an initial global modelAnd local data->Model training is carried out by using a small batch random gradient descent optimization mode to obtain a new local model +.>Subsequent local data,/>Wherein->For small numbers of batches uniformly randomly and independently sampled from a local dataset of client kAccording to the sample, < >>Random gradient for small lot data samples, +.>E is the training iteration number for the learning rate.
In one possible implementation, the model training process includes:
initializing a mini-batch stochastic gradient descent optimizer;
moving the input images and labels onto the device: images, labels = images.to(self.device), labels.to(self.device);
clearing the previous gradient information to prevent gradient accumulation: model.zero_grad();
passing the images to the model to obtain the model's prediction probabilities: log_probs = model(images);
calculating the cross entropy loss using the prediction probabilities and the true labels: loss = loss_func(log_probs, labels);
calculating the gradient of the loss with respect to the model parameters: loss.backward();
using the optimizer to update the model parameters based on the gradient: optimizer.step();
the model then updates the parameters through the steps described above in each training iteration to minimize the loss function.
In one possible implementation manner, after the training of the client is completed, the gradient parameter w is encrypted by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state, and the gradient parameter E (w) is uploaded to a server, where the method includes:
encrypting each gradient parameter of each layer of the model in a for loop, using the homomorphic encryption algorithm's method for encrypting floating point numbers, wherein the homomorphic encryption algorithm comprises: the BFV algorithm of the Pyfhel homomorphic encryption library, in which a key is first generated through HE = Pyfhel(), HE.contextGen(p=1024, m=2048), HE.keyGen(), and floating-point parameters are encrypted in the for loop with the HE.encryptFrac() method, where p is the plaintext modulus, which determines the size of the plaintext data type and is generally a power of 2; m is the modulus of the polynomial coefficients and represents the computational capacity that homomorphic operations can reach;
the homomorphic encryption algorithm process comprises the following steps: generating a secret key, namely generating a public key and a private key by using a series of mathematical operations and random numbers, wherein the public key is used for encrypting plaintext data, the private key is used for decrypting ciphertext data, and the secret key generation needs to meet homomorphism, namely that the result of the data after the mathematical operations are carried out in the plaintext and ciphertext states is the same; the operation method comprises the following steps: the paillier algorithm of the ophelib library randomly selects two large primes p, q, n=pxq satisfying p-q and (p-1) (q-1) being primes each other,g=n+1, l (x) = (x-1)/n, +.>=(L(g^/>mod n 2-1) mod n, the public key is (n, g), and the private key is (++>,/>);
Encryption, namely encrypting the plaintext data with the public key to convert it into ciphertext data: for a plaintext m satisfying 0 <= m <= n, a random number r coprime to n is selected, and the ciphertext is c = (g^m * r^n) mod n^2;
decryption, plaintext m=l (c)mod n^2)*/>mod n。
In one possible implementation manner, the processing, by the server, the dropped client includes:
the server performs gradient supplementary treatment on the offline clients of each cluster;
the average of the uploaded encrypted gradient parameters of each cluster, i.e. of all online clients' ciphertext gradient parameters in the cluster, is calculated in the ciphertext state using homomorphic addition and multiplication operations: the ciphertext gradient of offline client x is the average of the sum of the ciphertext gradients of online client y and online client z of the cluster. In this way the scheme achieves the effect of full client participation.
In one possible implementation manner, the service end uses a FedAvg algorithm to aggregate and average all ciphertext gradients, and then sends ciphertext global gradient parameters to each client end, including:
giving different weight parameters to the client according to the online times of the client, when the online times of a certain client are 0, the weight parameters default to 1, the weight parameters of the client in other conditions are equal to the online times of the client, then summing all the weighted gradient parameters and calculating an average value, and the average value result is the new global gradient parameter:
。
In one possible implementation manner, the client adjusts the model after decrypting the global gradient parameter until reaching a specified iteration number, including:
the global gradient parameters, i.e. parameters such as weights and biases, are loaded into the local model using the load_state_dict() method of the torch.nn.Module class in PyTorch;
and the parameter tensors are mapped one-to-one onto each layer according to the model structure, completing the update and adjustment of the local model and accelerating training.
In a second aspect, embodiments of the present application provide a federal learning privacy protection system based on homomorphic encryption, including:
the client clustering module is used for the server to cluster all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution;
the model initialization module is used for setting a neural network model as an initial global model of federal training at the server and distributing the neural network model to each client;
the client local training module is used for judging whether the client reaches the appointed iteration times or not, if so, finishing training, otherwise, each client carries out model training based on the initial global model and the local data;
the homomorphic encryption module is used for encrypting the gradient parameter w of the client training by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state and uploading the gradient parameter E (w) to the server;
the client-side disconnection processing module is used for processing the disconnection client-side by the server-side;
the aggregation average issuing module is used by the server to aggregate and average all ciphertext gradients using the FedAvg algorithm, and then issue the ciphertext global gradient parameters to each client;
and the model adjustment module is used for adjusting the model after the client decrypts the global gradient parameter until the designated iteration times are reached.
In the embodiment of the application, homomorphic encryption is used for encrypting the gradient parameters obtained by combining the global model with the local data training of each client, the gradient aggregation stages of gradient uploading and downloading and server are all performed in a ciphertext mode, meanwhile, after the clients are clustered through a clustering algorithm, the local data of each cluster of the clients have similar data distribution, the gradient of the offline client is supplemented by the average value of the gradient sum of the online clients by adopting the idea of gradient average supplementation in each cluster so as to realize fault tolerance, and therefore the problems of poor model performance and data privacy leakage caused by the offline clients are effectively and safely solved.
Drawings
FIG. 1 is a schematic diagram of a federal learning system according to an embodiment of the present disclosure;
fig. 2 is a schematic flow chart of a federal learning privacy protection method based on homomorphic encryption according to an embodiment of the present application;
fig. 3 is a schematic diagram of a federal learning privacy protection system based on homomorphic encryption according to an embodiment of the present application.
Detailed Description
The present invention is described below with reference to the drawings and the detailed description.
For clarity of description, in this embodiment, the federal learning system structure shown in fig. 1 is used, and the structure is as follows: federal learning is divided into two roles, client and server.
First, multiple federal learning clients must take part in the collaboration; most of the training data these clients hold can be used to train the model, and each client can build a machine learning model. During federal learning training, each client's data does not leave the local device, and only model-related information is transmitted and exchanged, i.e. the data stays put and the model moves. The performance of the federal learning model is sufficiently close to that of an ideal model, which is the machine learning model obtained by training on all the training data together.
Referring to fig. 2, the federal learning privacy protection method based on homomorphic encryption in this embodiment includes:
s101, the server clusters all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution.
The server clusters all clients according to a clustering algorithm: M clients are divided into K client clusters, and each cluster's number and the number of clients in it are recorded. In addition, the server records the number of times each client has been online, and skips the iteration when all clients in a cluster are offline or all clients are offline.
S102, the server sets a neural network model as an initial global model of federal training and distributes the neural network model to each client.
In this embodiment, the neural network model includes: input x, first layer convolution layerA second layer of convolution layersFirst full connection layerDropout layer->_dropout=Dropout(/>) Second full connection layer->And output y=logsoftmax ()>);
Wherein:_flat=Flatten(/>) Representing flattening operations, conv (x, W) representing convolution operations, convolving input x using convolution kernel W, maxPool (x) representing maximum pooling operations, max pooling input x, dropout (x) representing Dropout operations, dropout being performed on input x, linear (x, W) representing fully connected layer operations, linear transformation of input x using weight matrix W, reLU (x) representing a ReLU activation function, element-by-element ReLU operations on input x, flatten (x) representing flattening input x into a one-dimensional tensor, logSoftmax (x) representing LogSoftmax operations on input x.
And S103, the client judges whether the specified iteration times are reached, if so, the training is finished, otherwise, each client carries out model training based on the initial global model and the local data.
Each client is based on an initial global modelAnd local data->Model training is carried out by using a small batch random gradient descent optimization mode to obtain a new local model +.>Subsequent local data,/>Wherein->For small lot data samples uniformly randomly and independently sampled from the local dataset of client k, < +.>Random gradient for small lot data samples, +.>E is the training iteration number for the learning rate.
The model training process comprises the following steps:
initializing an optimizer: initializing a small batch random gradient descent optimizer.
Moving the input image and the label onto a device (GPU): images, labes=images.to (self device), labes.to (self device).
Model gradient zeroing: the gradient information before is cleared to prevent gradient accumulation: model. Zero_grad ().
Forward propagation: transmitting the image to the model to obtain the prediction probability of the model: log_probs=model (images).
Calculating loss: calculating cross entropy loss using the prediction probability and the true label: loss=loss_func (log_probs, labes).
Back propagation: calculating the gradient of the loss with respect to the model parameters: backsaward ().
Parameter updating: the usage optimizer updates model parameters based on the gradient: optimizer.step ().
These steps constitute a complete process of model training, by which the model updates parameters in each training iteration to minimize the loss function.
And S104, after the training of the client is completed, encrypting the gradient parameter w by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state, and uploading the gradient parameter E (w) to the server.
Since the gradient parameters are generally floating point numbers, each gradient parameter of each layer of the model is encrypted in a for loop using the homomorphic encryption algorithm's method for encrypting floating point numbers. Taking the BFV algorithm of the Pyfhel homomorphic encryption library as an example, a key is first generated through HE = Pyfhel(), HE.contextGen(p=1024, m=2048), HE.keyGen(), and floating-point parameters are encrypted in the for loop with the HE.encryptFrac() method. Here p is the plaintext modulus, which determines the size of the plaintext data type and is typically a power of 2, and m is the modulus of the polynomial coefficients, which represents the computational capacity achievable by homomorphic operations.
Homomorphic encryption algorithm process:
1. Key generation: a public key and a private key are generated using a series of mathematical operations and random numbers; the public key is used to encrypt plaintext data and the private key to decrypt ciphertext data. Key generation must satisfy homomorphism, i.e. the result of a mathematical operation on the data is the same whether it is carried out in the plaintext state or in the ciphertext state.
Taking the paillier algorithm of the ophelib library as an example, two large prime numbers p, q, n=pq satisfying that p q and (p-1) q-1 are prime with each other are randomly selected,g=n+1, l (x) = (x-1)/n, +.>=(L(g^/>mod n 2-1) mod n, the public key is (n, g), and the private key is (++>,/>)。
2. Encryption: encrypting the plaintext data using the public key, converting the plaintext data into ciphertext data:
for a plaintext m satisfying 0 <= m <= n, a random number r coprime to n is selected, and the ciphertext is c = (g^m * r^n) mod n^2.
3. Decryption: plaintext m=l (c)mod n^2)*/>mod n。
S105, the server processes the offline client.
The server performs gradient supplementation for the offline clients of each cluster: using homomorphic addition and scalar multiplication, it calculates, in the ciphertext state, the average of the uploaded encrypted gradient parameters of each cluster, i.e. of all online clients' ciphertext gradient parameters in the cluster. For example, the ciphertext gradient of offline client x in a cluster is the average of the sum of the ciphertext gradients of online client y and online client z of that cluster. In this way the scheme achieves the effect of full client participation.
S106, the server uses FedAvg algorithm to aggregate and average all ciphertext gradients, and then sends down ciphertext global gradient parameters to each client.
The weighted aggregation average is implemented as follows: each client is given a weight parameter according to the number of times it has been online; when a client's online count is 0 its weight parameter defaults to 1, and in all other cases the client's weight parameter equals its online count. All weighted gradient parameters are then summed and averaged, and the resulting average is the new global gradient parameter:
。
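Added example (not part of the patent and not code from Pyfhel or ophelib): steps S104 to S106 in pure Python, using textbook Paillier with g = n + 1, cluster-mean filling for an offline client, and online-count weighting. Assumptions: lam and mu are the standard Paillier private-key names, the fixed-point SCALE, the toy Mersenne primes and the sample gradients are constructed, and the division is deferred to the client after decryption with normalisation by the sum of weights, since the page gives neither the encoding nor the averaging formula.

```python
import math
import secrets
from functools import reduce

SCALE = 10**6  # fixed-point scale for float gradients (assumption, not from the page)

def keygen(p, q):
    """Paillier key generation in the g = n + 1 form."""
    n = p * q
    assert math.gcd(n, (p - 1) * (q - 1)) == 1
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)      # (L(g^lam mod n^2))^-1 mod n
    return (n, g), (lam, mu)

def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, with L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def encode(x, n):
    """Signed fixed-point encoding: negatives wrap to the top half of Z_n."""
    return round(x * SCALE) % n

def decode(v, n):
    return v - n if v > n // 2 else v

def h_add(pub, c1, c2):
    """E(a) * E(b) mod n^2 decrypts to a + b."""
    return c1 * c2 % (pub[0] ** 2)

def h_scale(pub, c, k):
    """E(a)^k mod n^2 decrypts to k * a (k a non-negative integer)."""
    return pow(c, k, pub[0] ** 2)

def aggregate(pub, clusters, uploads, online_counts):
    """Server side: sees ciphertexts only. Returns (ciphertext numerators,
    public integer denominator), or None when the round must be skipped."""
    weight = {c: online_counts.get(c, 0) or 1       # online count 0 -> weight 1
              for ids in clusters.values() for c in ids}
    online = {cid: [c for c in ids if c in uploads] for cid, ids in clusters.items()}
    if any(not members for members in online.values()):
        return None                                 # a whole cluster is offline
    # Paillier cannot divide a ciphertext, so scale every term by the lcm D of
    # the per-cluster online counts and leave the division to the client.
    D = reduce(lambda a, b: a * b // math.gcd(a, b),
               (len(m) for m in online.values()))
    dim = len(next(iter(uploads.values())))
    total = [1] * dim                               # 1 is a trivial encryption of 0
    for cid, ids in clusters.items():
        k = len(online[cid])
        cluster_sum = [reduce(lambda a, b: h_add(pub, a, b), col)
                       for col in zip(*(uploads[c] for c in online[cid]))]
        for c in ids:
            if c in uploads:                        # online: w * D * g_c
                vec, factor = uploads[c], weight[c] * D
            else:                                   # offline: w * D * cluster mean
                vec, factor = cluster_sum, weight[c] * D // k
            total = [h_add(pub, t, h_scale(pub, v, factor))
                     for t, v in zip(total, vec)]
    return total, D * sum(weight.values())

def recover(pub, priv, total, denom):
    """Client side: decrypt the numerators, then divide in the clear."""
    n = pub[0]
    return [decode(decrypt(pub, priv, c), n) / (SCALE * denom) for c in total]

def demo():
    # Toy Mersenne primes: far too small and too structured for real use.
    pub, priv = keygen((1 << 61) - 1, (1 << 89) - 1)
    clusters = {"A": ["a", "b", "c"], "B": ["d", "e"]}
    # Constructed gradients; client c is offline and uploads nothing.
    grads = {"a": [0.5, -1.0], "b": [1.5, 3.0], "d": [-2.0, 0.25], "e": [4.0, 0.75]}
    counts = {"a": 3, "b": 1, "c": 0, "d": 2, "e": 2}
    uploads = {c: [encrypt(pub, encode(x, pub[0])) for x in g]
               for c, g in grads.items()}
    total, denom = aggregate(pub, clusters, uploads, counts)
    return recover(pub, priv, total, denom)

if __name__ == "__main__":
    print(demo())
```

Every client has to hold the same Paillier private key for the decryption step to work, so that key must be provisioned to the clients out of band and never given to the server.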
And S107, the client decrypts the global gradient parameters and then adjusts the model until the specified iteration times are reached.
The global gradient parameters, i.e. parameters such as weights and biases, are loaded into the local model using the load_state_dict() method of the torch.nn.Module class in PyTorch. The parameters are mapped one-to-one onto each layer according to the model structure, which completes the update and adjustment of the local model; the update does not change the model structure, and the training process can be accelerated.
Corresponding to the federal learning privacy protection method based on homomorphic encryption provided in the above embodiment, the present application further provides an embodiment of the federal learning privacy protection system based on homomorphic encryption.
Referring to fig. 3, a homomorphic encryption based federal learning privacy protection system 20, comprising:
the client clustering module 201 is configured to cluster all clients according to a clustering algorithm by a server, where local data of each cluster of clients has similar data distribution;
the model initialization module 202 is configured to set a neural network model as an initial global model of federal training at the server and distribute the initial global model to each client;
the local training module 203 of the client, configured to determine whether the client reaches a specified iteration number, and end training if the client has reached, otherwise each client performs model training based on an initial global model and local data;
the homomorphic encryption module 204 is configured to encrypt the gradient parameter w by using a homomorphic encryption algorithm after the training of the client is completed, obtain a gradient parameter E (w) in a ciphertext state, and upload the gradient parameter E (w) to the server;
the client-side offline processing module 205 is configured to process the offline client by the server side;
the aggregation average issuing module 206 is configured to perform aggregation average on all ciphertext gradients by using a FedAvg algorithm, and then issue ciphertext global gradient parameters to each client;
the model adjustment module 207 is configured to adjust the model after the client decrypts the global gradient parameter until the specified iteration number is reached.
In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. "and/or", describes an association relation of association objects, and indicates that there may be three kinds of relations, for example, a and/or B, and may indicate that a alone exists, a and B together, and B alone exists. Wherein A, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of the following" and the like means any combination of these items, including any combination of single or plural items. For example, at least one of a, b and c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural.
The foregoing is merely specific embodiments of the present application, and any person skilled in the art may easily conceive of changes or substitutions within the technical scope of the present application, which should be covered by the protection scope of the present application. The protection scope of the present application shall be subject to the protection scope of the claims.
Claims (5)
1. The federal learning privacy protection method based on homomorphic encryption is characterized by comprising the following steps:
the server clusters all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution;
the method comprises the steps that a neural network model is set at a server side to serve as an initial global model of federal training and distributed to all clients;
the neural network model includes: input x, first layer convolution layerSecond layer convolution layer->First full connection layerDropout layer->_dropout=Dropout(/>) Second full connection layer->And output y=logsoftmax ()>);
Wherein:_flat=Flatten(/>) Representing flattening operations, conv (x, W) representing convolution operations, convolving input x using a convolution kernel W, maxPool (x) representing maximum pooling operations, max pooling input x, dropout (x) representing Dropout operations, dropout being performed on input x, linear (x, W) representing fully connected layer operations, linear transformation of input x using a weight matrix W, reLU (x) representing a ReLU activation function, element-by-element ReLU operations on input x, flatten (x) representing flattening input x into a one-dimensional tensor, logSoftmax (x) representing LogSoftmax operations on input x;
the client judges whether the specified iteration times are reachedAnd ending training if the number is reached, otherwise, each client performs model training based on the initial global model and the local data, and the method comprises the following steps: each client is based on an initial global modelAnd local data->Model training is carried out by using a small batch random gradient descent optimization mode to obtain a new local model +.>Subsequent local data +.>,/>Wherein->For small lot data samples uniformly randomly and independently sampled from the local dataset of client k, < +.>Random gradient for small lot data samples, +.>E is the training iteration number for learning rate;
the model training process comprises the following steps:
initializing a mini-batch stochastic gradient descent optimizer;
moving the input images and labels onto the device: images, labels = images.to(self.device), labels.to(self.device);
clearing the previous gradient information to prevent gradient accumulation: model.zero_grad();
passing the images to the model to obtain the model's prediction probabilities: log_probs = model(images);
calculating the cross entropy loss using the prediction probabilities and the true labels: loss = loss_func(log_probs, labels);
calculating the gradient of the loss with respect to the model parameters: loss.backward();
using the optimizer to update the model parameters based on the gradient: optimizer.step();
subsequently, in each training iteration, updating parameters of the model through the steps so as to minimize a loss function;
after the training of the client is completed, encrypting the gradient parameter w by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state, and uploading the gradient parameter E (w) to the server, wherein the method comprises the following steps:
encrypting each gradient parameter of each layer of the model in a for loop, using the homomorphic encryption algorithm's method for encrypting floating-point numbers, wherein the homomorphic encryption algorithm comprises: the BFV algorithm of the Pyfhel homomorphic encryption library, which first generates a key through HE = Pyfhel(), HE.contextGen(p=1024, m=2048), HE.keyGen(), and then encrypts parameters of floating-point type in a for loop using the HE.encryptFrac() method, wherein p is the specified plaintext modulus, which determines the size of the plaintext data type and is generally a power of 2; m is the modulus of the polynomial coefficients and represents the computing capacity achievable by homomorphic operations;
the homomorphic encryption algorithm process comprises the following steps: generating a secret key, namely generating a public key and a private key by using a series of mathematical operations and random numbers, wherein the public key is used for encrypting plaintext data, the private key is used for decrypting ciphertext data, and the secret key generation needs to meet homomorphism, namely that the result of the data after the mathematical operations are carried out in the plaintext and ciphertext states is the same; the operation method comprises the following steps: the paillier algorithm of the ophelib library randomly selects two large primes p, q, n=pxq satisfying p-q and (p-1) (q-1) being primes each other,g=n+1, l (x) = (x-1)/n, +.>=(L(g^/>mod n 2-1) mod n, the public key is (n, g), and the private key is (++>,/>);
Encrypting, namely encrypting the plaintext data by using a public key, and converting the plaintext data into ciphertext data: a plaintext m which is more than or equal to 0 and less than or equal to n is satisfied, a random number r is selected, r and n are mutually prime numbers, and a ciphertext c= (gm+rn) mod n 2 is satisfied;
decryption, plaintext m=l (c) mod n^2)* />mod n;
The server processes the offline client, including:
the server performs gradient supplementary treatment on the offline clients of each cluster;
average value calculation under ciphertext state is carried out on the uploaded encryption gradient parameters of each cluster, namely, all online client ciphertext gradient parameters of the cluster by homomorphic addition and multiplication operation: the ciphertext gradient of the offline client x is the average value of the ciphertext gradient sum of the online client y and the online client z of the cluster, namelyThe scheme can meet the effect that the client is completely participated in;
the server uses FedAvg algorithm to aggregate and average all ciphertext gradients, and then sends down ciphertext global gradient parameters to each client;
and the client decrypts the global gradient parameters and then adjusts the model until the specified iteration times are reached.
2. The federal learning privacy protection method based on homomorphic encryption according to claim 1, wherein the server clusters all clients according to a clustering algorithm, comprising:
dividing M clients into K client clusters, and recording the number and the number of clients in each cluster;
recording the online times of the client) And skipping the iteration when all clients in a certain cluster are disconnected or all clients are disconnected.
3. The homomorphic encryption-based federal learning privacy protection method of claim 1, wherein the server uses a FedAvg algorithm to aggregate and average all ciphertext gradients, and then issues ciphertext global gradient parameters to each client, comprising:
giving different weight parameters to the client according to the online times of the client, when the online times of a certain client are 0, the weight parameters default to 1, the weight parameters of the client in other conditions are equal to the online times of the client, then summing all the weighted gradient parameters and calculating an average value, and the average value result is the new global gradient parameter:
。
4. The homomorphic encryption-based federal learning privacy protection method of claim 3, wherein the client adjusts the model after decrypting the global gradient parameters until a specified number of iterations is reached, comprising:
the global gradient parameters are loaded into the local model using the load_state_dict() method of the torch.nn.Module class in PyTorch, that is, loading parameters such as weights and biases;
and carrying out one-to-one mapping on parameter tensors on each layer according to the model structure to complete the process of updating and adjusting the speed training of the local model.
5. A homomorphic encryption-based federal learning privacy protection system, comprising:
the client clustering module is used for the server to cluster all clients according to a clustering algorithm, wherein local data of each cluster of clients has similar data distribution;
the model initialization module is used for setting a neural network model at the server as the initial global model of federated training and distributing it to each client;
the neural network model includes: input x, first layer convolution layerSecond layer convolution layer->First full connection layerDropout layer->_dropout=Dropout(/>) Second full connection layer->And output y=logsoftmax ()>);
Wherein:_flat=Flatten(/>) Representing flattening operations, conv (x, W) representing convolution operations, convolving input x using a convolution kernel W, maxPool (x) representing maximum pooling operations, max pooling input x, dropout (x) representing Dropout operations, dropout being performed on input x, linear (x, W) representing fully connected layer operations, linear transformation of input x using a weight matrix W, reLU (x) representing a ReLU activation function, element-by-element ReLU operations on input x, flatten (x) representing flattening input x into a one-dimensional tensor, logSoftmax (x) representing LogSoftmax operations on input x;
the local training module of the client, is used for the client to judge whether to reach the appointed iteration number, if already reached, finish training, otherwise each client carries on model training based on the initial global model and local data, including: each client is based on an initial global modelAnd local data->Model training is carried out by using a small batch random gradient descent optimization mode to obtain a new local model +.>Subsequent local data +.>,Wherein->For small batches of data samples uniformly randomly and independently sampled from the local dataset of client k,random gradient for small lot data samples, +.>E is the training iteration number for learning rate;
the model training process comprises the following steps:
initializing a mini-batch stochastic gradient descent optimizer;
moving the input images and labels onto the device: images, labels = images.to(self.device), labels.to(self.device);
clearing the previous gradient information to prevent gradient accumulation: model.zero_grad();
passing the images to the model to obtain the model's predicted probabilities: log_probs = model(images);
calculating the cross-entropy loss using the predicted probabilities and the true labels: loss = loss_func(log_probs, labels);
calculating the gradient of the loss with respect to the model parameters: loss.backward();
using the optimizer to update the model parameters based on the gradient: optimizer.step();
subsequently, in each training iteration, the parameters of the model are updated through the above steps so as to minimize the loss function;
the homomorphic encryption module is used for encrypting the gradient parameter w of the client after training is completed by using a homomorphic encryption algorithm to obtain a gradient parameter E (w) in a ciphertext state, and uploading the gradient parameter E (w) to the server, and comprises the following steps:
encrypting each gradient parameter of each layer of the model in a for loop, using the homomorphic encryption algorithm's method for encrypting floating-point numbers, wherein the homomorphic encryption algorithm comprises: the BFV algorithm of the Pyfhel homomorphic encryption library, which first generates a key through HE = Pyfhel(), HE.contextGen(p=1024, m=2048), HE.keyGen(), and then encrypts parameters of floating-point type in a for loop using the HE.encryptFrac() method, wherein p is the specified plaintext modulus, which determines the size of the plaintext data type and is generally a power of 2; m is the modulus of the polynomial coefficients and represents the computing capacity achievable by homomorphic operations;
the homomorphic encryption algorithm process comprises the following steps: generating a secret key, namely generating a public key and a private key by using a series of mathematical operations and random numbers, wherein the public key is used for encrypting plaintext data, the private key is used for decrypting ciphertext data, and the secret key generation needs to meet homomorphism, namely that the result of the data after the mathematical operations are carried out in the plaintext and ciphertext states is the same; the operation method comprises the following steps: the paillier algorithm of the ophelib library randomly selects two large primes p, q, n=pxq satisfying p-q and (p-1) (q-1) being primes each other,g=n+1, l (x) = (x-1)/n, +.>=(L(g^/>mod n 2-1) mod n, the public key is (n, g), and the private key is (++>,/>);
Encrypting, namely encrypting the plaintext data by using a public key, and converting the plaintext data into ciphertext data: a plaintext m which is more than or equal to 0 and less than or equal to n is satisfied, a random number r is selected, r and n are mutually prime numbers, and a ciphertext c= (gm+rn) mod n 2 is satisfied;
decryption, plaintext m=l (c) mod n^2)* />mod n;
The client-side disconnection processing module is used for processing the disconnection client-side by the server-side, and comprises the following steps:
the server performs gradient supplementary treatment on the offline clients of each cluster;
average value calculation under ciphertext state is carried out on the encryption gradient parameters uploaded for each cluster, namely, the ciphertext gradient parameters of all online clients of the cluster, by homomorphic addition and scalar multiplication operations: the ciphertext gradient of the offline client x is the average value of the ciphertext gradient sum of the online client y and the online client z of the cluster, namelyThe scheme can meet the effect that the client is completely participated in;
the aggregation average issuing module is used for the server to aggregate and average all ciphertext gradients using the FedAvg algorithm, and then issue the ciphertext global gradient parameters to each client;
and the model adjustment module is used for adjusting the model after the client decrypts the global gradient parameter until the designated iteration times are reached.
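The offline-client gradient supplement of claim 1 and the online-count weighting of claims 2 and 3, worked through on one scalar gradient as an added example; this is not code from the patent, and it uses textbook Paillier with g = n + 1 in plain Python rather than Pyfhel or ophelib. The function names, the fixed-point `SCALE`, the toy-sized primes and the choice to divide by the sum of the weights are assumptions of this example; because Paillier offers only addition and integer scalar multiplication, the division by the number of online clients is deferred to the client after decryption.

```python
import math
import secrets

SCALE = 10**6  # fixed-point scale for float gradients (assumption of this example)

def keygen(p, q):
    """Paillier keys with g = n + 1; returns (n, g) and (lam, mu)."""
    n = p * q
    assert math.gcd(n, (p - 1) * (q - 1)) == 1
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)    # lcm(p-1, q-1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)    # L(g^lam mod n^2)^-1 mod n
    return (n, n + 1), (lam, mu)

def encrypt(pub, value):
    """c = g^m * r^n mod n^2, with the float encoded as a signed fixed-point m."""
    n, g = pub
    m = round(value * SCALE) % n           # negatives wrap into the top half of Z_n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, mapped back to a signed integer."""
    n, (lam, mu) = pub[0], priv
    m = (pow(c, lam, n * n) - 1) // n * mu % n
    return m - n if m > n // 2 else m

def weight(online_times):
    """Claim 3: weight equals the online count, defaulting to 1 when it is 0."""
    return online_times if online_times > 0 else 1

def aggregate_cluster(pub, online, offline_times):
    """online: [(ciphertext, online_times)]; offline_times: [online_times].
    Returns (E(weighted sum * m), divisor), or None to skip the round (claim 2)."""
    m = len(online)
    if m == 0:
        return None
    n2 = pub[0] ** 2
    w_off = sum(weight(t) for t in offline_times)
    total = 1                               # 1 is a valid encryption of 0 (r = 1)
    for c, t in online:
        # Each offline client is imputed as (sum of online gradients) / m, so an
        # online ciphertext carries coefficient m*w_i + w_off once scaled by m.
        total = total * pow(c, m * weight(t) + w_off, n2) % n2
    return total, m * (sum(weight(t) for _, t in online) + w_off)

def run_example():
    pub, priv = keygen(2**31 - 1, 2**61 - 1)   # constructed toy-sized primes
    enc_y = encrypt(pub, 0.25)                 # online client y, online 3 times
    enc_z = encrypt(pub, -0.75)                # online client z, online 1 time
    total, divisor = aggregate_cluster(pub, [(enc_y, 3), (enc_z, 1)], [0])
    return decrypt(pub, priv, total) / (divisor * SCALE)   # client-side decode

if __name__ == "__main__":
    print(run_example())
```

The server never sees a plaintext gradient: it only multiplies and exponentiates ciphertexts, and the plaintext divisor it returns reveals just the client counts and weights it already holds.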
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410101197.1A CN117640253B (en) | 2024-01-25 | 2024-01-25 | Federal learning privacy protection method and system based on homomorphic encryption |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117640253A CN117640253A (en) | 2024-03-01 |
CN117640253B true CN117640253B (en) | 2024-04-05 |
Family
ID=90027289
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410101197.1A Active CN117640253B (en) | 2024-01-25 | 2024-01-25 | Federal learning privacy protection method and system based on homomorphic encryption |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117640253B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN117640253A (en) | 2024-03-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||