CN117972802A - Field programmable gate array chip, aggregation method, device, equipment and medium - Google Patents


Info

Publication number
CN117972802A
CN117972802A (application CN202410374346.1A)
Authority
CN
China
Prior art keywords
model
federal learning
aggregation
parameters
local
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410374346.1A
Other languages
Chinese (zh)
Inventor
王洪良
孔繁星
李芮瑾
刘伟
卢圣才
赵川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Metabrain Intelligent Technology Co Ltd
Original Assignee
Suzhou Metabrain Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Metabrain Intelligent Technology Co Ltd filed Critical Suzhou Metabrain Intelligent Technology Co Ltd
Priority to CN202410374346.1A
Publication of CN117972802A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a field programmable gate array chip, an aggregation method, an apparatus, a device and a medium, relating to the technical field of data security. The chip is applied to a server side and comprises: a security agent circuit, configured to send initial model parameters and public key information corresponding to a federated learning task to each federated learning client, and to decrypt the local model parameter information uploaded by each client to obtain target model parameters; an aggregation control module, configured to perform, over model-parameter aggregation parallel channels, parallel aggregation of each layer of model parameters in the target model parameters to obtain model aggregation parameters, the number of parallel channels being determined by the number of model layers required by the federated learning task; and a global model generator, configured to update the global model according to the model aggregation parameters to obtain a target global model. The invention ensures the security of the model aggregation process and accelerates model aggregation.

Description

Field programmable gate array chip, aggregation method, device, equipment and medium
Technical Field
The present invention relates to the field of data security technologies, and in particular to a field programmable gate array chip, an aggregation method, an aggregation apparatus, a device, and a medium.
Background
With the arrival of the big data era, the Internet continuously produces massive amounts of data. Against this background, data of every kind are collected and stored, and in order to extract useful information from them, more and more machine learning (Machine Learning, ML) algorithms have been developed and applied: the data are analyzed and processed by machine learning algorithms to obtain a target result.
With growing requirements for data protection and privacy security, local data can no longer be pooled for centralized training, which gives rise to the problem of data islands, and traditional centralized machine learning is no longer suited to this environment. Federated learning (Federated Learning, FL) emerged in this context: participants can collaboratively train a machine learning model in a distributed manner without sharing their original data.
Federated learning participants must use a secure and trusted channel to send their locally trained model data to the central server hosted on a cloud computing platform. However, although cloud computing service providers appear trustworthy, in the presence of great profit the internal administrators of a cloud service provider are themselves a threat: they can access users' private data without restriction, so the federated learning process carries a substantial risk of privacy disclosure. Accordingly, there is a need for a field programmable gate array chip, an aggregation method, an apparatus, a device, and a medium that address the above issues.
Disclosure of Invention
In view of the problems in the prior art, the present invention provides a field programmable gate array chip, an aggregation method, an aggregation apparatus, a device, and a medium.
The present invention provides a field programmable gate array chip, applied to a server side, comprising a security agent circuit, an aggregation control module and a global model generator, wherein:
the security agent circuit is configured to send initial model parameters and public key information corresponding to a federated learning task to each federated learning client, and to decrypt the local model parameter information uploaded by each federated learning client to obtain target model parameters, wherein the local model parameter information is obtained by encryption at the federated learning client;
the aggregation control module is configured to perform, over model-parameter aggregation parallel channels, parallel aggregation of each layer of model parameters in the target model parameters to obtain model aggregation parameters, wherein the number of model-parameter aggregation parallel channels is determined based on the number of model layers required by the federated learning task;
the global model generator is configured to update the global model according to the model aggregation parameters to obtain a target global model.
According to the field programmable gate array chip provided by the present invention, the security agent circuit comprises a first privacy processing unit and a second privacy processing unit, wherein:
the first privacy processing unit is configured to generate a corresponding public-private key pair according to the federated learning task and an asymmetric encryption algorithm, where the public-private key pair includes the public key information and private key information; the public key information is used, after a federated learning client completes local model training, to encrypt a first hash value corresponding to the trained local model parameters and a symmetric key, the symmetric key being used to encrypt the local model parameters; and the private key information is used to decrypt the encrypted first hash value and the encrypted symmetric key;
the second privacy processing unit is configured to decrypt the encrypted local model parameters.
According to the field programmable gate array chip provided by the present invention, the security agent circuit is further configured to sign the initial model parameters and the public key information with a master private key to obtain signed model parameters and signed public key information, and to send the signed model parameters and the signed public key information to each federated learning client.
According to the field programmable gate array chip provided by the present invention, the security agent circuit is further configured to decrypt, with the master private key, the authentication information uploaded by a federated learning client, and to verify the decrypted authentication information to determine whether that client is an authorized user, wherein the authentication information is obtained by encryption with the public key information corresponding to the master private key.
According to the field programmable gate array chip provided by the present invention, a trust anchor is arranged in the security agent circuit, and the master private key is generated in a trusted execution environment protected by the trust anchor.
The present invention also provides a federated learning model aggregation method based on the above field programmable gate array chip, applied to a server side and comprising:
determining, based on the field programmable gate array chip, the number of model-parameter aggregation parallel channels according to the number of model layers required by a federated learning task, wherein a security agent circuit arranged in the field programmable gate array chip encrypts and decrypts data in the federated learning task;
sending, based on the security agent circuit, initial model parameters and public key information corresponding to the federated learning task to each federated learning client, wherein the public key information is used, after a client completes local model training, to encrypt a first hash value corresponding to the trained local model parameters and a symmetric key, the symmetric key being used to encrypt the local model parameters;
decrypting, based on the security agent circuit, the local model parameter information uploaded by each federated learning client to obtain target model parameters;
performing, based on the number of model-parameter aggregation parallel channels, parallel aggregation of each layer of model parameters in the target model parameters to obtain model aggregation parameters;
updating the global model according to the model aggregation parameters to obtain a target global model.
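In plain Python, one aggregation round of the method above can be sketched as follows (a FedAvg-style unweighted average standing in for the FPGA aggregation datapath; the function and layer names are illustrative assumptions, not taken from the patent):

```python
def aggregate_round(global_model, client_updates):
    """FedAvg-style aggregation: average each layer's parameters across clients."""
    n_clients = len(client_updates)
    return {
        layer: [sum(u[layer][i] for u in client_updates) / n_clients
                for i in range(len(params))]
        for layer, params in global_model.items()
    }

global_model = {"conv1": [0.0, 0.0], "fc1": [0.0]}
updates = [{"conv1": [1.0, 2.0], "fc1": [3.0]},
           {"conv1": [3.0, 4.0], "fc1": [5.0]}]
new_model = aggregate_round(global_model, updates)
assert new_model == {"conv1": [2.0, 3.0], "fc1": [4.0]}
```

On the chip, each `layer` entry would be handled by its own parallel channel rather than a sequential loop.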
According to the federated learning model aggregation method provided by the present invention, the method further comprises:
generating, based on the security agent circuit, a corresponding public-private key pair according to the federated learning task and an asymmetric encryption algorithm, wherein the public-private key pair includes the public key information and the private key information;
decrypting the local model parameter information with the private key information to obtain the first hash value and the symmetric key.
According to the federated learning model aggregation method provided by the present invention, before the initial model parameters and the public key information corresponding to the federated learning task are sent to each federated learning client based on the security agent circuit, the method further comprises:
signing the initial model parameters and the public key information based on a master private key corresponding to the security agent circuit to obtain signed model parameters and signed public key information;
and the sending of the initial model parameters and the public key information corresponding to the federated learning task to each federated learning client based on the security agent circuit comprises:
sending the signed model parameters and the signed public key information to each federated learning client, so that each client performs local model training according to the signed model parameters and encrypts the first hash value and the symmetric key based on the signed public key information.
According to the federated learning model aggregation method provided by the present invention, the decrypting, based on the security agent circuit, of the local model parameter information uploaded by each federated learning client to obtain target model parameters comprises:
verifying, based on the security agent circuit, the account information of the federated learning client; if the verification passes, decrypting the encrypted local model parameters with the symmetric key, and computing a second hash value from the local model parameters obtained by the symmetric-key decryption;
comparing the first hash value with the second hash value, and if they are identical, taking the local model parameters obtained by the symmetric-key decryption as the target model parameters.
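The hash comparison in this step can be sketched as follows (the patent does not name a hash algorithm, so SHA-256 is an assumption, and the function name is illustrative):

```python
import hashlib

def verify_and_accept(local_params: bytes, first_hash: str) -> bool:
    """Recompute the hash of the decrypted parameters (the 'second hash value')
    and compare it with the hash uploaded by the client (the 'first hash value')."""
    second_hash = hashlib.sha256(local_params).hexdigest()
    return second_hash == first_hash

params = b"layer weights after symmetric-key decryption"
sent_hash = hashlib.sha256(params).hexdigest()
assert verify_and_accept(params, sent_hash)             # untampered: accepted
assert not verify_and_accept(params + b"x", sent_hash)  # tampered: rejected
```

Only parameters that pass this check become target model parameters and enter aggregation.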
According to the federated learning model aggregation method provided by the present invention, the determining of the number of model-parameter aggregation parallel channels according to the number of model layers required by the federated learning task comprises:
receiving, based on a central processing unit, the federated learning task and determining the number of model layers according to the task type of the federated learning task;
constructing, based on the field programmable gate array chip, a corresponding number of layer calculation units according to the number of model layers, so as to determine the number of model-parameter aggregation parallel channels.
According to the federated learning model aggregation method provided by the present invention, the method further comprises:
decrypting, based on the master private key corresponding to the security agent circuit, the authentication information uploaded by a federated learning client to obtain decrypted authentication information;
verifying the decrypted authentication information based on the security agent circuit, and if the verification passes, determining that the federated learning client is an authorized user, wherein the authentication information is obtained by encryption with the public key information corresponding to the master private key.
According to the federated learning model aggregation method provided by the present invention, the performing of parallel aggregation of each layer of model parameters in the target model parameters based on the number of model-parameter aggregation parallel channels to obtain model aggregation parameters comprises:
inputting each layer of model parameters in the target model parameters into the corresponding model-parameter aggregation parallel channel, and performing parallel aggregation of each layer through the layer calculation units in the parallel channels to obtain the model aggregation parameters.
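In software, the per-layer parallel channels can be imitated with one worker per layer (a thread pool standing in for the FPGA's layer calculation units; the names and the unweighted averaging rule are illustrative assumptions):

```python
from concurrent.futures import ThreadPoolExecutor

def aggregate_layer(layer_updates):
    """One 'layer calculation unit': average a single layer across all clients."""
    n = len(layer_updates)
    return [sum(vals) / n for vals in zip(*layer_updates)]

def parallel_aggregate(client_updates, n_layers):
    # One channel per model layer, mirroring the chip's per-layer parallelism.
    per_layer = [[u[i] for u in client_updates] for i in range(n_layers)]
    with ThreadPoolExecutor(max_workers=n_layers) as pool:
        return list(pool.map(aggregate_layer, per_layer))

updates = [[[1.0, 3.0], [5.0]],   # client 1: layer 0, layer 1
           [[3.0, 5.0], [7.0]]]   # client 2: layer 0, layer 1
assert parallel_aggregate(updates, 2) == [[2.0, 4.0], [6.0]]
```

Unlike a thread pool, the FPGA channels are physically independent circuits, so the layers genuinely aggregate concurrently.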
According to the federated learning model aggregation method provided by the present invention, the updating of the global model according to the model aggregation parameters to obtain the target global model comprises:
testing the updated global model with a test data set, and if the test result meets a preset condition, taking the updated global model as the target global model.
According to the federated learning model aggregation method provided by the present invention, the method further comprises:
if the test result does not meet the preset condition, randomly selecting, based on the security agent circuit, a plurality of federated learning clients, and sending the public key information and the model parameters of the updated global model to the randomly selected clients, so that they perform the next round of local model training according to the model parameters of the updated global model;
updating the updated global model again based on the model aggregation parameters obtained from the next round of local model training, and taking the result as the target global model once the preset condition is met.
The present invention also provides a federated learning model aggregation method based on the above field programmable gate array chip, applied to a federated learning client and comprising:
receiving initial model parameters and public key information sent by a server side, wherein the public key information is generated by a security agent circuit in the field programmable gate array chip;
performing local model training on the initial model according to the initial model parameters to obtain local model parameters, and encrypting the local model parameters with a symmetric key to obtain encrypted local model parameters;
computing, with a hash algorithm, a first hash value corresponding to the local model parameters, and encrypting the first hash value and the symmetric key respectively with the public key information to obtain an encrypted first hash value and an encrypted symmetric key;
constructing local model parameter information from the encrypted local model parameters, the encrypted first hash value and the encrypted symmetric key, and sending the local model parameter information to the server side.
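The client-side hybrid encryption above can be sketched as follows. The patent does not specify the symmetric cipher, so a toy XOR keystream stands in for it (deliberately insecure, illustration only), and the public-key encryption of the hash and key (e.g. with SM2) is left as a comment:

```python
import hashlib
import secrets

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy XOR stream cipher standing in for the (unnamed) symmetric algorithm;
    NOT secure, illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))

local_params = b"trained local model parameters"
sym_key = secrets.token_bytes(32)

enc_params = keystream_xor(local_params, sym_key)       # symmetric encryption
first_hash = hashlib.sha256(local_params).hexdigest()   # integrity hash
# In the real protocol, first_hash and sym_key would now be encrypted with the
# server's public key (e.g. SM2) before upload; that step is omitted here.
message = {"enc_params": enc_params, "first_hash": first_hash}

# Server side: symmetric decryption recovers the parameters (XOR is involutive).
assert keystream_xor(message["enc_params"], sym_key) == local_params
```

Hybrid encryption keeps the expensive asymmetric operation to a few bytes (hash plus key) while the bulk model parameters use the fast symmetric cipher.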
According to the federated learning model aggregation method provided by the present invention, before the initial model parameters and the public key information sent by the server side are received, the method comprises:
encrypting authentication information with the public key information corresponding to the master private key of the security agent circuit to obtain encrypted authentication information, wherein the authentication information includes user identification information of the federated learning client and server-side label information;
sending the encrypted authentication information to the server side; and, upon receiving from the server side a result indicating that the authentication information has passed verification, determining that the server side is the target server side if the trusted execution environment label of the field programmable gate array chip in the server side is identical to the server-side label information.
The present invention also provides a federated learning model aggregation apparatus based on the above field programmable gate array chip, applied to a server side and comprising:
a multi-channel construction module, configured to determine, based on the field programmable gate array chip, the number of model-parameter aggregation parallel channels according to the number of model layers required by a federated learning task, wherein a security agent circuit arranged in the field programmable gate array chip encrypts and decrypts data in the federated learning task;
a data sending module, configured to send, based on the security agent circuit, initial model parameters and public key information corresponding to the federated learning task to each federated learning client, wherein the public key information is used, after a client completes local model training, to encrypt a first hash value corresponding to the trained local model parameters and a symmetric key, the symmetric key being used to encrypt the local model parameters;
a privacy processing module, configured to decrypt, based on the security agent circuit, the local model parameter information uploaded by each federated learning client to obtain target model parameters;
a parameter aggregation module, configured to perform, based on the number of model-parameter aggregation parallel channels, parallel aggregation of each layer of model parameters in the target model parameters to obtain model aggregation parameters;
a model updating module, configured to update the global model according to the model aggregation parameters to obtain a target global model.
The present invention also provides a federated learning model aggregation apparatus based on the above field programmable gate array chip, applied to a federated learning client and comprising:
a receiving module, configured to receive initial model parameters and public key information sent by a server side, wherein the public key information is generated by a security agent circuit in the field programmable gate array chip;
a local model training module, configured to perform local model training on the initial model according to the initial model parameters to obtain local model parameters, and to encrypt the local model parameters with a symmetric key to obtain encrypted local model parameters;
a local encryption module, configured to compute, with a hash algorithm, a first hash value corresponding to the local model parameters, and to encrypt the first hash value and the symmetric key respectively with the public key information to obtain an encrypted first hash value and an encrypted symmetric key;
a local data processing module, configured to construct local model parameter information from the encrypted local model parameters, the encrypted first hash value and the encrypted symmetric key, and to send the local model parameter information to the server side.
The present invention also provides an electronic device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the federated learning model aggregation method as described in any one of the above.
The present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the federated learning model aggregation method as described in any one of the above.
The field programmable gate array chip, aggregation method, apparatus, device and medium provided by the present invention implement the federated learning model aggregation and inference process by constructing a trusted execution environment inside the field programmable gate array chip, and can accelerate model aggregation and inference while ensuring the security of the aggregation process.
Drawings
To illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are evidently some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic structural diagram of the field programmable gate array chip provided by the present invention;
FIG. 2 is a schematic structural diagram of a federated learning system based on the field programmable gate array chip provided by the present invention;
FIG. 3 is an overall architecture diagram of the federated learning system provided by the present invention;
FIG. 4 is a first schematic flow chart of the federated learning model aggregation method provided by the present invention;
FIG. 5 is a schematic diagram of a global model shift operation provided by the present invention;
FIG. 6 is a second schematic flow chart of the federated learning model aggregation method provided by the present invention;
FIG. 7 is a schematic diagram of federated learning aggregation interaction provided by the present invention;
FIG. 8 is a first schematic structural diagram of the federated learning model aggregation apparatus provided by the present invention;
FIG. 9 is a second schematic structural diagram of the federated learning model aggregation apparatus provided by the present invention;
FIG. 10 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described below clearly and completely with reference to the accompanying drawings. The described embodiments are evidently some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art based on these embodiments without inventive effort fall within the scope of protection of the present invention.
A federated learning framework in the related art usually relies on a central server for global model aggregation. Cloud servers expose various computing platforms through remote computing services for clients to use; a client selects among these platforms to ensure flexible and reliable computation, and only needs to pay a fee and provide the data to be computed in order to process large amounts of data efficiently.
The development of remote computing services has led many clients to place the federated learning central server on the cloud servers of cloud service providers. During federated learning, however, the exchanged model parameters still risk leaking user privacy, and the original sensitive data may even be reconstructed from them. Federated learning participants (i.e. the clients taking part in federated learning) therefore have to send their locally trained model data to the cloud server over a secure and trusted channel. Although cloud service providers appear trustworthy, in the presence of great profit the internal administrators of a cloud service provider are themselves a threat, with unrestricted access to users' private data. Malicious insiders may also implant malicious code in the specific hardware leased by a user to mount backdoor attacks; in this case the cloud service provider is not trustworthy. In addition, the software implementations in the related art that protect federated learning data security carry a large computational overhead, which ultimately degrades model performance.
In the related art, privacy protection techniques for federated learning are divided into software techniques and hardware techniques. Software implementations of federated learning privacy protection roughly follow two main lines: encryption methods, represented by secure multi-party computation (Secure Multiparty Computation, MPC) and related technologies, and perturbation methods, represented by differential privacy (Differential Privacy, DP). Hardware implementations mainly build a trusted execution environment (Trusted Execution Environment, TEE) in hardware.
In the related art, encryption methods encode the data plaintext into ciphertext that only specific parties can decode, ensuring confidentiality during storage and transmission, and, with the help of security protocols, allow computation to be carried out directly on the ciphertext with a correct result. Taking homomorphic encryption (Homomorphic Encryption, HE) as an example, encrypted data can be computed on directly without decryption, and the result, once decrypted, is identical to the result of the same computation on the plaintext. In the federated learning process, each participant can encrypt its local model with homomorphic encryption and upload the encrypted data to the cloud computing platform; thanks to the homomorphism, the platform can compute directly on the encrypted data and thus complete the model aggregation process.
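The additive property that enables aggregation over ciphertexts can be shown with a minimal Paillier sketch (toy primes, illustration only; Paillier is one well-known additively homomorphic scheme from this related-art line, not the scheme of the patent):

```python
import math
import random

# Toy Paillier cryptosystem demonstrating additive homomorphism:
# multiplying ciphertexts decrypts to the sum of the plaintexts.
p, q = 2003, 2999                      # toy primes; real keys use ~1024-bit primes
n = p * q
n2 = n * n
lam = math.lcm(p - 1, q - 1)           # Carmichael function of n (Python 3.9+)
mu = pow(lam, -1, n)                   # modular inverse (Python 3.8+)

def encrypt(m: int) -> int:
    r = random.randrange(2, n)
    while math.gcd(r, n) != 1:         # r must be invertible mod n
        r = random.randrange(2, n)
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(c: int) -> int:
    return ((pow(c, lam, n2) - 1) // n * mu) % n

c1, c2 = encrypt(123), encrypt(456)
assert decrypt((c1 * c2) % n2) == 579  # E(a) * E(b) decrypts to a + b
```

A server holding only `c1` and `c2` can thus compute the (encrypted) sum of two model updates without ever seeing either plaintext.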
Differential privacy (Differential Privacy) is a data processing framework for privacy protection whose core idea is to mask the effect of any individual contribution on the final result by introducing randomness into the output. Specifically, by adding noise when querying or analyzing the data, differential privacy ensures that observed changes in the results cannot be accurately attributed to any single individual. The purpose is to protect privacy while still allowing meaningful analysis of the data as a whole. In federated learning, each participant conceals its individual contribution by adding noise to the model gradients, which helps ensure participant privacy: even an attacker who knows the training data of the other devices cannot accurately infer the contribution of a particular device.
Homomorphic encryption makes it possible to design MPC protocols with a minimal number of communication rounds, but this approach often involves a large amount of computation and communication, and the excessive compute and traffic place a significant burden on the central server and on bandwidth. Compared with encryption methods, differential privacy only requires a noise-adding mechanism and thus incurs no extra computational cost; however, too little noise weakens the security of the model, while too much noise degrades its performance to some extent. The main challenge of this method is to design a reasonable perturbation mechanism that balances privacy and utility.
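A DP-SGD-style perturbation of a single gradient, as described above, might look like this (the clipping threshold and noise scale are illustrative assumptions; `sigma` directly embodies the privacy/utility trade-off just discussed):

```python
import random

def dp_perturb(gradient, clip_norm=1.0, sigma=0.5):
    """Clip a gradient to a bounded L2 norm, then add Gaussian noise, so that no
    single participant's exact contribution is recoverable."""
    norm = sum(g * g for g in gradient) ** 0.5
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    clipped = [g * scale for g in gradient]
    return [g + random.gauss(0.0, sigma * clip_norm) for g in clipped]

noisy = dp_perturb([3.0, 4.0])   # gradient of norm 5 is clipped to norm 1, then noised
```

Raising `sigma` strengthens privacy but slows convergence; lowering it does the opposite, which is exactly the balancing act noted above.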
For hardware-based protection, the related art builds a trusted execution environment (Trusted Execution Environment, TEE) in hardware. A trusted execution environment is a secure computing environment intended to protect sensitive data and executing code in a computing device. It combines hardware and software to provide isolation and protection mechanisms that ensure data and code are not affected by malware or unauthorized access during execution. Taking Intel SGX as an example, SGX isolates within the CPU a trusted environment called an enclave; a legitimate user can load an application into the enclave to compute on sensitive data, so that even malicious parties in full control of the untrusted environment cannot access the trusted region without authorization.
In terms of hardware isolation, a trusted execution environment provides a secure and trusted hardware region in which federated learning tasks can be executed safely, and, by negotiating a communication key, secure communication between a remote user and the trusted execution environment can be established. However, trusted-execution-environment-based federated learning model aggregation in the related art is built on a CPU, which is ill-suited to highly parallel workloads and faces serious challenges when handling federated learning tasks that involve encrypting and decrypting data and aggregating the model parameters of a large number of participants. In addition, because the physical memory of an SGX enclave is small, large-scale computation such as federated learning inference causes frequent memory swapping, which degrades system performance.
A field programmable gate array (Field Programmable GATE ARRAYS, FPGA for short) can provide a flexible computing platform in a custom hardware manner. They have unique characteristics of parallel processing, support of various data types, low latency, and lower power consumption, while being excellent in accelerating computation and coping with complex challenges, as compared to general-purpose computing platforms. The invention establishes a Trusted Execution Environment (TEE) based on the inherent advantages of the FPGA, ensures the safety of key workload, including the data of FPGA configuration and processing, and does not influence the performance. FPGAs can not only provide acceleration, but also safely handle customer workloads in a harsh cloud environment. Even if the physical access to the FPGA is limited or non-existent, it can better control its application and data security.
By designing the FPGA TEE, the invention uses the characteristics of a trusted execution environment to defend against malicious attacks in the federal learning process. At the same time, the parallelism and customizability of the FPGA are fully utilized to accelerate the federal learning model aggregation and inference process. Specifically, the invention constructs a trusted execution environment security proxy in the FPGA based on the national secret SM2 asymmetric cryptographic algorithm, and loads a Security Proxy (SP) circuit when the FPGA starts to complete the deployment of the FPGA TEE. In addition, the FPGA TEE distributes public keys to authorized users according to authorized federal learning participant IDs (authentication information is verified in advance), and authorized participants upload their local model parameters securely using hybrid encryption. In the design of the FPGA aggregation module, a multichannel computation mode is designed according to the number of model training layers, fully utilizing the parallel computing characteristics of the FPGA to complete the federal learning model aggregation process. Finally, exploiting the FPGA's efficient pipelining and low power consumption, the FPGA TEE uses the aggregated model to test accuracy on a test data set; if the set accuracy is not reached, the FPGA side redistributes the updated aggregated model under a private-key signature, and the next round of training proceeds.
Fig. 1 is a schematic structural diagram of a field programmable gate array chip provided by the present invention, and as shown in fig. 1, the present invention provides a field programmable gate array chip applied to a server, including a security agent circuit 101, an aggregation control module 102 and a global model generator 103, wherein:
The security proxy circuit 101 is configured to send initial model parameters and public key information corresponding to a federal learning task to each federal learning participation user terminal, and decrypt local model parameter information uploaded by the federal learning participation user terminal to obtain target model parameters, where the local model parameter information is obtained by encrypting based on the federal learning participation user terminal;
the aggregation control module 102 is configured to aggregate parallel channels according to model parameters, and perform parallel aggregation processing on model parameters of each layer in the target model parameters to obtain model aggregate parameters, where the number of the model parameter aggregate parallel channels is determined based on the number of model layers required by the federal learning task;
the global model generator 103 is configured to update the global model according to the model aggregation parameter, so as to obtain a target global model.
In the present invention, the security agent circuit 101 is an important part of the field programmable gate array chip, dedicated to handling security related tasks. In the application of the server side, the security proxy circuit 101 encrypts the initial model parameters and public key information required by the federal learning task and sends the encrypted initial model parameters and public key information to each user side participating in federal learning, and by sending the information, the security proxy circuit 101 ensures that the user side can acquire the correct initial model parameters and use the correct public key to carry out secure communication. When the user side uploads the encrypted local model parameter information, the security proxy circuit 101 needs to decrypt the information. Through decryption processing, the security agent circuit 101 can acquire local model parameter information uploaded by the user side, and process the information through the FPGA chip to acquire target model parameters.
Further, the aggregation control module 102 aggregates the parallel channels according to the model parameters, and performs parallel aggregation processing on each layer of model parameters in the target model parameters to obtain model aggregation parameters. In the invention, the aggregation control module 102 performs parallel aggregation processing on each layer of model parameters in the target model parameters through a plurality of parallel channels, each layer of model parameters corresponds to one channel, and layer computing units (such as adders and multipliers) corresponding to the channels can accelerate the aggregation process of the model parameters through parallel processing, thereby improving the overall computing efficiency. Specifically, in the present invention, the number of parallel channels for model parameter aggregation in the aggregation control module 102 is determined based on the number of model layers required by the federal learning task, and for federal learning models with different depths, different numbers of parallel channels may be required to perform parallel aggregation processing of model parameters to meet the requirements of the federal learning task. According to the invention, the quantity of parallel channels is dynamically determined and configured, so that the aggregation control module 102 can adapt to the requirements of different model structures, and flexible and efficient model parameter aggregation is realized. Further, after parallel aggregation processing, the aggregation control module 102 outputs the obtained model aggregation parameters to the global model generator, and these parameters are used to update the global model.
Further, the global model generator 103 receives the model aggregation parameters from the aggregation control module 102 as input and uses them to update the global model. By processing and integrating the model aggregation parameters, the global model generator 103 ensures that the global model obtains the latest participant model information, thereby reflecting the contributions of the respective participants in a timely manner. In the present invention, the global model generator 103 performs a corresponding update operation on the global model according to the received model aggregation parameters; the update process may involve operations such as weighted averaging of model parameters or gradient descent, so as to ensure that the global model fully fuses the model information of each participant and realizes progress and optimization of the model. After the update operation, the global model generator 103 outputs the resulting global model, namely the target global model obtained after integrating the contribution information of each participant of the federal learning task.
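As a minimal illustration of this three-stage pipeline, the following Python sketch (a simplification, not the patent's hardware implementation; identity functions stand in for the cryptographic steps, and all function names are illustrative) mimics how the security proxy circuit, the aggregation control module, and the global model generator hand data to one another:

```python
def security_proxy_decrypt(encrypted_uploads, decrypt):
    # Security proxy stage: decrypt each participant's upload into target model parameters.
    return [decrypt(u) for u in encrypted_uploads]

def aggregation_control(target_params):
    # Aggregation stage: one parallel channel per layer, element-wise mean across participants.
    return [[sum(v) / len(v) for v in zip(*layer)]
            for layer in zip(*target_params)]

def global_model_generator(global_model, agg_params, lr=1.0):
    # Update stage: move the global model toward the aggregated parameters.
    return [[g + lr * (a - g) for g, a in zip(gl, al)]
            for gl, al in zip(global_model, agg_params)]

# Two participants, each uploading a two-layer model ("encryption" is identity here).
uploads = [[[1.0], [2.0]], [[3.0], [4.0]]]
target = security_proxy_decrypt(uploads, lambda u: u)
agg = aggregation_control(target)
print(global_model_generator([[0.0], [0.0]], agg))  # [[2.0], [3.0]]
```

With `lr=1.0` the global model simply adopts the aggregated parameters, which matches the replace-style update described above; a smaller `lr` would blend old and new parameters.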
Fig. 2 is a schematic diagram of the architecture of the federal learning system based on the field programmable gate array chip provided by the invention. Referring to fig. 2, in the invention, the aggregation process of the federal learning model is completed by a heterogeneous CPU+FPGA method in the cloud. The cloud service provider supplies the central server for the federal learning model aggregation process. Since an untrusted party inside the cloud (i.e., a malicious actor) can access without restriction any information loaded onto the cloud, such an actor may attempt to steal private information during CPU information transmission. The federal learning participants are users of the cloud service; the participants themselves are trusted, but the channels through which they send their local data to the cloud are not.
Therefore, to counter this threat, the invention adopts an FPGA trusted execution environment to realize the federal learning model aggregation process. When the host program at the server side transmits data, it is assumed that the host CPU is untrusted and no security mechanism provided by a CPU TEE is relied upon; all sensitive data is decrypted and computed inside the FPGA. In the method, the FPGA of the cloud central server encrypts the algorithm to be trained and the related public key information and sends them to each participant user; after each participant user finishes local training, the model parameters obtained by training are encrypted and sent to the cloud central server, the FPGA completes the decryption of the encrypted parameters and performs parallel aggregation on the decrypted parameters, and finally the global model is updated to obtain the target global model. It should be noted that, in the present invention, the functions implemented by the security proxy circuit 101 and the aggregation control module 102 may all be placed in a System on Chip (SoC) with a TEE to ensure the reliability of the FPGA. For FPGAs currently without a TEE, the invention places the security proxy module and the aggregation control module inside the FPGA, thereby providing remote key generation, configuration, isolation and encryption operations; at the same time, remote attestation can ensure the authenticity and integrity of the FPGA configuration as well as the authenticity of the federal learning participants.
The field programmable gate array chip provided by the invention realizes the federal learning model aggregation and reasoning process by constructing the trusted execution environment in the field programmable gate array chip, and can accelerate the model aggregation and reasoning process while ensuring the safety of the model aggregation process.
On the basis of the above embodiment, the security proxy circuit includes a first privacy processing unit and a second privacy processing unit, wherein:
The first privacy processing unit is configured to generate a corresponding public-private key pair according to the federal learning task and an asymmetric encryption algorithm, where the public-private key pair includes public key information and private key information, the public key information is used to encrypt a first hash value and a symmetric key corresponding to a local model parameter obtained by training after the federal learning participation user side completes local model training, and the symmetric key is used to encrypt the local model parameter; the private key information is used for decrypting the encrypted first hash value and the encrypted symmetric key;
And the second privacy processing unit is used for decrypting the local model parameters after the encryption processing.
Fig. 3 is a general architecture diagram of a federal learning system according to the present invention. Referring to fig. 3, in the present invention, the security proxy circuit is provided with a first privacy processing unit and a second privacy processing unit. The first privacy processing unit generates a public-private key pair according to the federal learning task and an asymmetric encryption algorithm, and the public key information is sent to each federal learning participant client through the security proxy circuit; the public key information is used to encrypt data, while the private key information is retained to decrypt data. In the invention, the first privacy processing unit is constructed based on the national secret SM2 algorithm, and the second privacy processing unit is constructed based on the national secret SM4 algorithm.
Specifically, after the federation learning participation user side completes the local model training, the federation learning participation user side calculates a corresponding hash value (namely a first hash value) according to the local model parameter obtained by training, and then encrypts the first hash value and the symmetric key through public key information generated by the first privacy processing unit. Meanwhile, the federal learning participation user side encrypts the local model parameters obtained through training through the symmetric key, so that the data is ensured not to be stolen or tampered in the transmission process. Further, after the security proxy circuit receives the encrypted data sent by the federal learning participation user terminal, the encrypted hash value and the symmetric key are decrypted based on the private key information generated by the first privacy processing unit, and the encrypted local model parameter is decrypted by the symmetric key after decryption through the second privacy processing unit, so that the data privacy and the security of the participation user terminal in the federal learning task are ensured, the establishment of a reliable data sharing environment is facilitated, and the overall security and the reliability of the federal learning system are improved.
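The hybrid-encryption round trip described above can be sketched as follows. This is a toy Python model only: SHA-256 stands in for the hash function, a XOR stream stands in for the SM4 symmetric cipher, and the SM2 public-key wrap/unwrap is simulated by caller-supplied functions; none of this is cryptographically secure, and all names are illustrative.

```python
import hashlib
import secrets

def xor_cipher(data: bytes, key: bytes) -> bytes:
    # Toy XOR stream stand-in for the SM4 symmetric cipher (NOT secure).
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def client_package(local_params: bytes, server_pub_encrypt):
    """Client side: hash the plaintext parameters (first hash), encrypt the
    parameters with a fresh symmetric key, and wrap hash+key for the server."""
    sym_key = secrets.token_bytes(16)
    first_hash = hashlib.sha256(local_params).digest()   # SHA-256 stands in for the hash
    ciphertext = xor_cipher(local_params, sym_key)
    wrapped = server_pub_encrypt(first_hash + sym_key)   # SM2 public-key wrap (simulated)
    return ciphertext, wrapped

def server_unpack(ciphertext, wrapped, server_priv_decrypt):
    """Server side: recover hash+key with the private key, decrypt the
    parameters, and check integrity against the first hash."""
    blob = server_priv_decrypt(wrapped)
    first_hash, sym_key = blob[:32], blob[32:]
    params = xor_cipher(ciphertext, sym_key)
    assert hashlib.sha256(params).digest() == first_hash, "tampered in transit"
    return params

# Identity wrap/unwrap simulate the asymmetric step for the demo.
ct, wk = client_package(b"layer weights", lambda m: m)
print(server_unpack(ct, wk, lambda m: m))  # b'layer weights'
```

The key point the sketch preserves is the division of labor: the asymmetric key protects only the small hash-plus-key bundle, while the cheap symmetric cipher protects the bulk model parameters.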
On the basis of the above embodiment, the security proxy circuit is further configured to perform signature processing on the initial model parameter and the public key information through a master private key, obtain a signature model parameter and signature public key information, and send the signature model parameter and the signature public key information to each federal learning participation client.
In the invention, the security agent circuit uses the master private key to sign the initial model parameters and the public key information, thereby ensuring the integrity and the authenticity of the data. Through the signature processing, the security agent circuit obtains signed model parameters and signature public key information, and the data already contains a digital signature and is used for verifying the validity and the integrity of the data. In an embodiment, a trust anchor may be set in the security proxy circuit, and is used for authenticating the master private key, and when the user terminal initiates authentication request verification, the user terminal may encrypt the information to be authenticated by requesting the public key corresponding to the master private key, so as to complete remote authentication.
Further, the security agent circuit transmits the signature model parameters and the signature public key information to each user side participating in federal learning. The user side can verify the signed data through the public key, so that the credibility and the integrity of the data source are ensured. Through the process, the security agent circuit can ensure the integrity and the authenticity of the initial model parameters and the public key information in the transmission process, so that the security and the reliability of the federal learning system are improved.
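The sign-then-verify flow can be illustrated with a small Python sketch. HMAC-SHA256 here is a symmetric stand-in for the asymmetric SM2 signature (in the real design, clients verify with the public key and never hold the master private key); the key and payload values are illustrative.

```python
import hashlib
import hmac

MASTER_KEY = b"fpga-tee-master"   # stands in for the SM2 master private key

def sign(payload: bytes) -> bytes:
    # HMAC-SHA256 as a stand-in for an SM2 signature over the payload.
    return hmac.new(MASTER_KEY, payload, hashlib.sha256).digest()

def verify(payload: bytes, signature: bytes) -> bool:
    # Constant-time comparison of the recomputed tag against the received one.
    return hmac.compare_digest(sign(payload), signature)

initial_params_and_pubkey = b"theta0||PK"
sig = sign(initial_params_and_pubkey)
print(verify(initial_params_and_pubkey, sig))   # True
print(verify(b"tampered payload", sig))         # False
```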
On the basis of the above embodiment, the security proxy circuit is further configured to decrypt the authentication information uploaded by the federal learning participation client through the master private key, and verify the authentication information after the decryption process to determine whether the federal learning participation client is an authorized user, where the authentication information is obtained by performing encryption processing based on public key information corresponding to the master private key.
In the invention, the security proxy circuit uses the master private key to decrypt the authentication information uploaded by the user side, because the authentication information is obtained by encrypting the public key information corresponding to the master private key, and only the corresponding private key is used for decrypting the information. The security agent circuit then verifies the obtained authentication information to determine whether the user terminal is an authorized user, and this verification process may include checking the identity information and authority of the user, etc., to ensure the validity and authorization status of the user.
The security agent circuit in the invention can effectively decrypt and verify the authentication information uploaded by the user terminal to determine the legal identity and the authorized state of the user, prevent the unauthorized user from participating in the system and protect the security of data and models.
On the basis of the embodiment, a trust anchor is arranged in the security proxy circuit, and the main private key is generated in a trusted execution environment protected by the trust anchor.
A trusted execution environment refers to a computing environment that is highly trusted and provides additional security. In such an environment, both the operations performed and the data generated can be considered trusted. In the invention, the trust anchor is arranged in the security proxy circuit, so that the reliability of key data and operation in the system is ensured. Thus, in the security proxy circuit of the present invention, the master private key is generated in a trusted execution environment protected by the trust anchor, so that the generation process of the master private key is highly secured, and the generated master private key can also be considered to be trusted.
In one embodiment, referring to fig. 3, the field programmable gate array chip provided by the present invention allows external devices to directly access the memory of the computer system through a high-speed serial computer expansion bus standard (Peripheral Component Interconnect Express, PCIe for short) direct memory access (Direct Memory Access, DMA for short) unit, i.e., the PCIe controller in fig. 3, so as to implement high-speed data transmission between the server side and the user side, avoid CPU intervention, and improve the efficiency and speed of data transmission. A first-in, first-out (First In First Out, FIFO) unit is disposed between the PCIe DMA and the two privacy processing units (i.e., the first privacy processing unit and the second privacy processing unit); in a parallel computing or multithreaded environment, the FIFO unit coordinates data transfer between different modules to enable parallel data processing. Referring to fig. 3, the field programmable gate array chip also has a random number generation function: a random number generator randomly selects a certain number of participant clients from the stored client IDs to execute the current federal learning task. In the invention, the global controller configures and manages the global resources of the FPGA so that they can be reasonably utilized and allocated; the global controller also manages and controls the communication interfaces (such as the PCIe interface and Ethernet interface) and undertakes system-level control tasks for the whole FPGA, including system initialization, exception handling and performance monitoring.
Further, the security proxy circuit realizes high-performance data stream transmission through the Advanced eXtensible Interface Stream (AXI-Stream), i.e., AXIS in fig. 3, and transmits data through dedicated data channels. The model parameters of each layer are fed by the aggregation control module into the corresponding channel for parallel fusion processing (using the layer computing units, such as adders and multipliers, in each channel), after which the global model generator completes the update of the global model using the model aggregation parameters obtained by parallel aggregation. Finally, a model inference module performs computational testing and data processing on the updated global model and judges whether the test result meets the preset accuracy, so that when the global model meets the preset condition, the trained global model, namely the target global model, is obtained.
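The one-channel-per-layer idea can be sketched in Python with one worker per layer; thread workers stand in for the FPGA's hardware channels and their adder/multiplier units, and the function names are illustrative only:

```python
from concurrent.futures import ThreadPoolExecutor

def channel_aggregate(layer_params):
    """One aggregation channel: element-wise mean of one layer's parameters
    across all participants (the adder/multiplier unit of that channel)."""
    n = len(layer_params)
    return [sum(vals) / n for vals in zip(*layer_params)]

def aggregate_parallel(models):
    """Feed layer k of every model into channel k; channels run concurrently,
    mirroring the FPGA's one-channel-per-layer design."""
    num_layers = len(models[0])
    per_layer = [[m[k] for m in models] for k in range(num_layers)]
    with ThreadPoolExecutor(max_workers=num_layers) as pool:
        return list(pool.map(channel_aggregate, per_layer))

# Two participants, two-layer models.
models = [[[0.0, 2.0], [4.0]], [[2.0, 2.0], [8.0]]]
print(aggregate_parallel(models))  # [[1.0, 2.0], [6.0]]
```

In software the threads merely overlap; on the FPGA each channel is a physically separate datapath, so all layers genuinely aggregate at once.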
Fig. 4 is a schematic flow chart of a federal learning model aggregation method provided by the present invention, and as shown in fig. 4, the present invention provides a federal learning model aggregation method based on the field programmable gate array chip described in the foregoing embodiments, which is applied to a server, and includes:
step 401, determining the number of parallel channels for model parameter aggregation according to the number of model layers required by a federal learning task based on the field programmable gate array chip, wherein a security agent circuit is arranged in the field programmable gate array chip and is used for encrypting and decrypting data in the federal learning task;
Step 402, based on the security proxy circuit, sending initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user terminal, where the public key information is used to encrypt a first hash value and a symmetric key corresponding to a local model parameter obtained by training after the federal learning participation user terminal completes local model training, and the symmetric key is used to encrypt the local model parameter.
In the invention, based on the field programmable gate array chip, when performing federal learning tasks, the number of parallel channels for model parameter aggregation is required to be determined according to the number of layers of a model to be trained. In the process, a security agent circuit is arranged in the field programmable gate array chip, and the security agent circuit can encrypt and decrypt data participating in federal learning tasks.
Specifically, after each client completes training in the federal learning task, they will send the parameter updates of the local model to the central server for aggregation. During this transmission, the data may be compromised, so the security proxy circuit may encrypt the data, ensure confidentiality and integrity during data transmission, and decrypt the received data so that the central server can correctly receive and process the data updates.
And step 403, based on the security agent circuit, finishing decryption processing on the local model parameter information uploaded by the federal learning participation user side to obtain target model parameters.
In the invention, the initial model parameters and public key information can be sent to each user side participating in federal learning through the security proxy circuit. Once the user side completes the training of the local model, the public key information is used to encrypt the first hash value and the symmetric key corresponding to the local model parameters obtained by training, while on the user side the local model parameters themselves are encrypted with the symmetric key. In this way, the initial model parameters and the information related to the federal learning task are protected during transmission: the use of the public key information guarantees the confidentiality and integrity of data transmission, the symmetric-key encryption guarantees the security of the local model parameters, and the sensitive information in the federal learning task is effectively protected.
And step 404, based on the number of the parallel channels of the model parameter aggregation, carrying out parallel aggregation processing on each layer of model parameters in the target model parameters to obtain model aggregation parameters.
In the invention, the server side can analyze factors such as the task type, the data scale, the data distribution and the like of federal learning, and determine a model structure suitable for the task based on the factors. In one embodiment, the server side may consult existing model structures or architectures to determine the number of layers of the model based on experience and best practices of previous similar tasks. Further, the target model parameters are grouped according to different levels, and the model parameters of each level can be regarded as a parallel processing unit. And for each parallel processing unit, parallel aggregation processing is carried out on the model parameters in the parallel processing units, so that aggregation calculation is carried out on the model parameters of each layer on each parallel channel, the aggregation process of the model parameters is effectively accelerated, and the efficiency and performance of the federal learning system are improved. Meanwhile, the parallel channels are reasonably arranged, so that the concurrent processing scale can be better controlled, and the model and system requirements of different scales can be met.
And step 405, updating the global model according to the model aggregation parameters to obtain a target global model.
In the invention, model aggregation parameters are integrated, and the updating quantity of the global model is calculated according to different aggregation strategies (such as mean aggregation, weighted aggregation and the like). And applying the calculated global model updating quantity to the current global model to perform parameter updating operation. The updated global model can be used as a reference model to continuously participate in the federal learning task in the next round of training.
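A weighted (FedAvg-style) update, one of the aggregation strategies mentioned above, can be sketched as follows; the flat parameter vectors and dataset sizes are illustrative values, not taken from the patent:

```python
def fedavg(client_params, client_sizes):
    """Weighted aggregation: each client's flat parameter vector is
    weighted by the size of its local dataset."""
    total = sum(client_sizes)
    weights = [n / total for n in client_sizes]
    return [sum(w * p[i] for w, p in zip(weights, client_params))
            for i in range(len(client_params[0]))]

# Client 2 holds 3x as much data, so its parameters dominate the average.
params = [[1.0, 10.0], [3.0, 30.0]]
print(fedavg(params, [1, 3]))   # [2.5, 25.0]
```

Plain mean aggregation is the special case where all `client_sizes` are equal.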
The federal learning model aggregation method provided by the invention realizes federal learning model aggregation and reasoning processes by constructing the trusted execution environment in the field programmable gate array chip, and can accelerate the model aggregation and reasoning processes while ensuring the safety of the model aggregation process.
On the basis of the above embodiment, the method further includes:
Generating a corresponding public-private key pair based on the security agent circuit according to the federal learning task and an asymmetric encryption algorithm, wherein the public-private key pair comprises the public key information and the private key information;
and decrypting the local model parameter information through the private key information to obtain the first hash value and the symmetric key.
In the invention, a security proxy circuit is designed on the FPGA of the server side. The security proxy circuit can be safely loaded into the FPGA through a programmable read-only memory (Programmable Read-Only Memory, abbreviated as PROM). A national secret SM2 algorithm module (i.e., the first privacy processing unit in the above embodiment) is provided inside the security proxy circuit, offering remote key generation, configuration, isolation and encryption operations, and performing secure communication with the authorized remote user side through encryption and decryption. Furthermore, all data streams enter the modules inside the FPGA for subsequent operations only after being encrypted or decrypted by the security proxy circuit, i.e., the security proxy circuit has exclusive access rights to the interior of the FPGA. In addition, in the invention, a trust anchor, namely a master private key used for authenticating the FPGA TEE, is provided inside the security proxy circuit; the remote user side encrypts authentication information with the public key corresponding to the master private key, thereby completing remote authentication of the FPGA TEE.
On the basis of the foregoing embodiment, before the security proxy circuit sends the initial model parameters and public key information corresponding to the federal learning task to each federal learning participation client, the method further includes:
based on a main private key corresponding to the security agent circuit, carrying out signature processing on the initial model parameter and the public key information to obtain a signature model parameter and signature public key information;
the step of sending the initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user terminal based on the security agent circuit comprises the following steps:
And sending the signature model parameters and the signature public key information to each federal learning participation user side so that each federal learning participation user side can carry out local model training according to the signature model parameters, and carrying out encryption processing on the first hash value and the symmetric key based on the signature public key information.
In the present invention, scheduled by the CPU, the security proxy circuit in the FPGA uses the SM2 algorithm module to generate a public-private key pair (PK, SK) for federal learning encryption and decryption. The security proxy circuit then randomly selects a certain number of participant user sides through the random number generator and records the ID information of each participant user side.
Further, the security proxy circuit uses its own master private key to sign the model parameters of all layers in the initial model together with the public key information, and distributes the signed payload Sign(Load(W0), PK) to the selected participant user sides, where Load(·) represents the operation by which the security proxy circuit loads all layer parameters of the neural network and W0 denotes the initial model parameters.
The invention signs the initial model parameters and public key information of the federal learning task with the master private key of the security proxy circuit to ensure the security and integrity of the data.
On the basis of the above embodiment, the decryption processing is completed on the local model parameter information uploaded by the federal learning participation user side based on the security agent circuit, to obtain a target model parameter, including:
Verifying account information of the federal learning participation user side based on the security agency circuit, if the account information passes the verification, decrypting the encrypted local model parameters through the symmetric key, obtaining the local model parameters according to the symmetric key decryption, and calculating to obtain a second hash value;
and comparing the first hash value with the second hash value, and if the first hash value is the same as the second hash value, determining that the local model parameter obtained after the symmetric key decryption processing is the target model parameter.
In the invention, a selected participant user side initializes the model parameters after receiving the initial model parameters. The participant user side first trains the model parameters with its own local data, forming its local model parameters Wi after training, and encrypts the trained local model parameters with a symmetric key of the national secret SM4 algorithm, i.e., Ci = Enc(Ki, Wi), where Ki represents the symmetric key of the i-th participant user side.
Further, each participant user side marks the encrypted local model parameters with its own ID information and computes a hash value (the first hash value), i.e., Hi = Hash(IDi, Ci). At the same time, the public key information PK is used to encrypt the first hash value and the SM4 symmetric key Ki, i.e., Ei = Enc(PK, (Hi, Ki)). Finally, each participant user side sends Ci and Ei together to the FPGA TEE at the server side.
Further, the FPGA determines the number of model aggregation channels N from the number of model layers L, and each layer of model parameters uploaded by each participant user side enters its corresponding channel. In the invention, the model parameters of all participants are aggregated in a multichannel parallel mode. Specifically, the security proxy circuit inside the FPGA uses the private key SK to decrypt the model parameter information uploaded by a participant user side and verifies IDi to determine whether the sender is a selected user, i.e., a participant user side randomly selected for the federal task. If so, the security proxy circuit uses the symmetric key Ki to decrypt the model parameters, obtaining the local model parameters Wi. Finally, the security proxy circuit computes the hash value of the decrypted model parameters (the hash value corresponding to the local model parameters obtained after the symmetric-key decryption, namely the second hash value) and compares it with the first hash value Hi to ensure that the data has not been tampered with in transit. In the invention, after the data is decrypted, the model parameters uploaded by the participant user sides are transmitted to the subsequent parallel aggregation units through the AXI-ST protocol.
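The server-side checks just described — membership of the sender's ID in the randomly selected set, then comparison of the second hash against the first — can be sketched as follows. An identity function stands in for the symmetric decryption, SHA-256 stands in for the hash, and the IDs and payload are illustrative.

```python
import hashlib

SELECTED_IDS = {"p1", "p2"}   # IDs drawn by the random number generator

def verify_upload(pid, enc_params, first_hash, decrypt_sym):
    """Server-side gate before aggregation: the sender must be a selected
    participant, and the second hash of the decrypted parameters must match
    the first hash computed by the client."""
    if pid not in SELECTED_IDS:
        return None                               # not an authorized participant
    params = decrypt_sym(enc_params)
    second_hash = hashlib.sha256(params).digest()
    return params if second_hash == first_hash else None

payload = b"layer-0 weights"
h1 = hashlib.sha256(payload).digest()
print(verify_upload("p1", payload, h1, lambda c: c))   # b'layer-0 weights'
print(verify_upload("px", payload, h1, lambda c: c))   # None
```

Only uploads that pass both gates are forwarded to the parallel aggregation channels; anything else is dropped before it can influence the global model.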
On the basis of the above embodiment, the determining the number of parallel channels for model parameter aggregation according to the number of model layers required by the federal learning task includes:
based on a central processing unit, receiving the federal learning task and determining the model layer number according to the task type of the federal learning task;
and constructing a corresponding number of layer calculation units according to the model layer number based on the field programmable gate array chip so as to determine the number of the model parameter aggregation parallel channels.
Since the CPU does not run inside any TEE, the CPU itself is not trusted. In the invention, the CPU is only responsible for information forwarding and task scheduling, and any sensitive data it handles exists only in ciphertext form. The CPU acts as a coordinator that determines basic structure information such as the number of model layers, the number of neurons in each layer, and the connection mode between layers. Further, the invention determines the number of parallel aggregation channels in the FPGA according to the model layer number, denoted by S. After the model structure is determined, the model parameters of each layer are initialized, so that the FPGA builds a corresponding number of layer computing units from the basic model structure.
Based on the above embodiment, the aggregating the number of parallel channels based on the model parameters, performing parallel aggregation processing on each layer of model parameters in the target model parameters to obtain model aggregated parameters, including:
inputting the model parameters of each layer in the target model parameters into corresponding model parameter aggregation parallel channels, and carrying out parallel aggregation processing on the model parameters of each layer in the target model parameters through the layer calculation units in the model parameter aggregation parallel channels to obtain the model aggregation parameters.
In the invention, the FPGA determines the number of model aggregation channels according to the participant model training layer number S. Taking a convolutional neural network as an example, the model training layer number is the total number of convolutional layers and fully connected layers. The invention aggregates the model parameters of each participant with multichannel parallel computing, and the operators and the number of Digital Signal Processors (DSPs) used in the aggregation process can be adjusted for different federal learning algorithms. First, after the security proxy circuit in the FPGA receives the trained encrypted model parameters from a participant user side, it decrypts them with the master private key sk and verifies whether ID_i belongs to a selected user of the federal learning task; if the participant user side is a selected user, the security proxy circuit decrypts the model parameters with the symmetric key k_i. After decryption, the model parameters are sent through AXI-ST to the aggregation control module, which divides the parameters into S blocks according to the model layer number S and feeds them into the global model generator in parallel. The participant data is then fed into the DSPs in a pipelined manner, with adders and multipliers invoked according to the chosen aggregation algorithm, thereby completing the parameter aggregation process.
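The multichannel layer-wise aggregation can be sketched with one worker per layer. This Python toy (every name is an assumption) mirrors the idea of S parallel channels, not the FPGA implementation itself:

```python
from concurrent.futures import ThreadPoolExecutor

def aggregate_layer(layer_updates):
    # One aggregation "channel": element-wise summation of a single layer
    # across all participants, analogous to one per-layer adder in the FPGA.
    acc = [0.0] * len(layer_updates[0])
    for update in layer_updates:
        for j, v in enumerate(update):
            acc[j] += v
    return acc

def parallel_aggregate(participant_params):
    """participant_params: one entry per participant, each a list of S layers
    (a layer is a flat list of numbers). One worker per layer mirrors the
    S parallel channels determined by the model layer number."""
    n_layers = len(participant_params[0])
    # Regroup by layer: per_layer[s] holds layer s from every participant.
    per_layer = [[p[s] for p in participant_params] for s in range(n_layers)]
    with ThreadPoolExecutor(max_workers=n_layers) as pool:
        return list(pool.map(aggregate_layer, per_layer))
```

The regrouping step corresponds to the aggregation control module splitting parameters by layer before dispatching them to the per-layer computing units.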
Taking the FedAvg federal aggregation algorithm as an example, the formula is as follows:

W_global = (1/n) * sum_{i=1}^{n} W_i
In this algorithm the participant model parameters are simply summed and averaged, where W_i is the model parameter uploaded by participant user side i and n is the number of selected participants. Because the FedAvg aggregation algorithm only involves addition and division, the process is to add up the model parameters of all participant user sides and then divide. For the division operation, the number of randomly selected participants is set to a power of 2 in the third step; the division then becomes a shift operation, which is favorable for FPGA acceleration. To illustrate, for the FedAvg federal learning algorithm, suppose the participant model architecture consists of two convolutional layers and two fully connected (FC) layers, i.e., conv1, conv2, FC1 and FC2, and further suppose four participant user sides take part in the federal learning process. After the participants' model parameters are transmitted to the aggregation control module, the module splits the model parameters of each participant user side by layer, each layer storing its own weights and bias. Because the model training layer number is 4, the FPGA aggregation control module divides the parameters by layer and sends them into 4 adders respectively, while the model parameters of the participant user sides are added together. When the last participant user side is being accumulated, the global model generator performs the shift operation in a pipelined manner, with the shift amount determined by the number of participant user sides. Fig. 5 is a schematic diagram of the global model shift operation provided by the present invention, and the specific process is shown in Fig. 5.
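The shift-based averaging trick can be shown in a few lines with fixed-point integers; this is a sketch assuming the participant count is an exact power of 2, as the design requires:

```python
def fedavg_shift(int_params, n_shift):
    """Average fixed-point integer parameters from 2**n_shift participants:
    sum element-wise, then replace the division by an arithmetic right
    shift, as the pipelined FPGA design does. (For negative fixed-point
    values the shift rounds toward minus infinity rather than toward zero.)"""
    summed = [sum(vals) for vals in zip(*int_params)]  # accumulate per element
    return [t >> n_shift for t in summed]              # divide by 2**n_shift
```

With four participants, n_shift = 2 and the divide costs nothing beyond rewiring, which is why the design fixes the selected participant count to a power of 2.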
On the basis of the above embodiment, the method further includes:
Based on the main private key corresponding to the security proxy circuit, decrypting the authentication information uploaded by the federal learning participation user side to obtain decrypted authentication information;
And verifying the decrypted authentication information based on the security proxy circuit, and if the authentication is passed, determining the federal learning participation user terminal as an authorized user, wherein the authentication information is obtained by encryption processing based on public key information corresponding to the main private key.
In the invention, since the federal learning participant user sides need to use the server side for operations such as model aggregation, each participant user side must acquire the right to use the cloud service. Each participant user side obtains legal user ID information through interaction with the cloud service provider and the FPGA TEE, and this legal ID information ensures that the participant user side is trustworthy.
Further, the user side needs to confirm the validity and authenticity of the FPGA TEE in the cloud environment, and the FPGA TEE needs to confirm that the user side using the FPGA is a legal user. Therefore, remote attestation is required between the federal learning participant user side and the FPGA TEE so that both sides are legal and trustworthy. Specifically, in the invention, the remote attestation process for the FPGA TEE can rely on a third party. Since most remote attestation protocols take the FPGA producer as the trusted third party, a remote user can request the FPGA TEE's authentication information (pk, tag_TEE, auth) from the FPGA producer, where pk is the public key corresponding to the master private key in the security proxy circuit, tag_TEE is the FPGA TEE label, and auth is the FPGA's authentication information. The federal learning participant user side sends the authentication information in ciphertext to the security proxy circuit in the FPGA; the security proxy circuit decrypts it with the master private key and, after verifying that the participant user side is a legal user, returns the authentication result information. The federal learning participant user side then completes the authenticity authentication of the FPGA TEE by comparing the authentication information. In this way, mutual authentication between the federal learning participant user side and the FPGA TEE is completed before the federal learning task is carried out, ensuring the trustworthiness of both parties in the federal learning process.
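The mutual attestation round-trip can be sketched as follows; an HMAC under a producer key stands in for the real attestation signature, and every name here is illustrative rather than taken from the patent:

```python
import hashlib
import hmac

# Illustrative producer signing key; real attestation uses asymmetric signatures.
PRODUCER_KEY = b"fpga-producer-signing-key"

def producer_attest(tee_tag: bytes) -> bytes:
    # Trusted third party (the FPGA producer) issues evidence bound to the
    # TEE label; an HMAC stands in for a real attestation signature.
    return hmac.new(PRODUCER_KEY, tee_tag, hashlib.sha256).digest()

def mutual_attestation(user_id: str, authorized_ids: set,
                       tee_tag: bytes, tee_evidence: bytes) -> bool:
    """Toy version of the two-way check: the TEE side verifies the user ID
    is legal, and the participant side compares the evidence returned by the
    TEE against the reference obtained from the producer."""
    if user_id not in authorized_ids:        # TEE rejects unauthorized users
        return False
    reference = producer_attest(tee_tag)     # participant queries the producer
    return hmac.compare_digest(tee_evidence, reference)
```

Only when both checks pass does the federal learning task proceed, matching the "both sides legal and trustworthy" requirement above.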
On the basis of the foregoing embodiment, updating the global model according to the model aggregation parameter to obtain a target global model includes:
and testing the updated global model through the test data set, and obtaining the target global model if the test result meets the preset condition.
In the invention, based on the aggregation control module in the FPGA, the model parameters uploaded by each participant user side are sorted layer by layer and then input into the layer computing units (such as adders and multipliers), where the corresponding layers of model parameters from the participant user sides are added. After the model parameters of all participant user sides have been added layer by layer, the security proxy circuit controls the aggregated parameters to enter the global model generator to complete the update of the global model. Furthermore, because the FPGA has characteristics such as low power consumption and high parallelism, the invention designs an inference module for the federal learning model: after the gradient update, the global parameters are loaded into the model inference module, and a test data set is used to test the accuracy of the trained global model. The model inference module adopts a highly parallel pipelined addition scheme to accelerate federal learning model inference, and the accuracy of the updated global model on the test data set determines the availability of the model.
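The accuracy gate on the updated global model can be expressed as a small helper; this is a hedged sketch in which `infer` is a stand-in for the FPGA inference pipeline:

```python
def passes_accuracy_gate(infer, test_set, threshold):
    """Run inference over the held-out test data set and check whether the
    updated global model meets the preset accuracy condition.
    `infer` maps an input to a predicted label (placeholder for the
    pipelined FPGA inference module)."""
    correct = sum(1 for x, label in test_set if infer(x) == label)
    return correct / len(test_set) >= threshold
```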
On the basis of the above embodiment, the method further includes:
if the test result does not meet the preset condition, based on the security proxy circuit, randomly selecting a plurality of federal learning participation clients, and sending the public key information and the model parameters of the updated global model to the randomly selected plurality of federal learning participation clients so as to enable the randomly selected plurality of federal learning participation clients to perform the next round of local model training according to the model parameters of the updated global model;
and updating the updated global model again based on the model aggregation parameters obtained by the next round of local model training, and obtaining the target global model if the preset conditions are met.
In the invention, when the test result does not reach the preset condition, a certain number of participant user sides are randomly selected again through the security proxy circuit, and the ID information of each participant user side is marked. At the same time, the security proxy circuit signs the updated model parameters and the public key information with its own master private key sk and distributes them to the selected participant user sides, so that the participant user sides perform the corresponding local training and data encryption according to the local model training process of the above embodiment, and then send the encrypted data to the server side for parallel aggregation processing and global model updating, until the new global model converges or reaches the target accuracy, obtaining the global model parameters W_global.
Fig. 6 is a second flow chart of a federal learning model aggregation method provided by the present invention, as shown in fig. 6, the present invention provides a federal learning model aggregation method based on the field programmable gate array chip described in the foregoing embodiments, which is applied to a federal learning participation client, and includes:
Step 601, receiving initial model parameters and public key information sent by a server, wherein the public key information is generated based on a security agent circuit in the field programmable gate array chip;
Step 602, performing local model training on an initial model according to the initial model parameters to obtain local model parameters, and performing encryption processing on the local model parameters through a symmetric key to obtain encrypted local model parameters;
Step 603, calculating a first hash value corresponding to the local model parameter through a hash algorithm, and respectively carrying out encryption processing on the first hash value and the symmetric key through the public key information to obtain an encrypted first hash value and an encrypted symmetric key;
step 604, constructing local model parameter information according to the encrypted local model parameter, the encrypted first hash value and the encrypted symmetric key, and sending the local model parameter information to the server.
In the invention, each user side participating in federal learning performs model updating and training locally according to the received initial model parameters. After local model training, each user side obtains optimized and adjusted local model parameters and then encrypts them with an SM4 national cryptographic algorithm symmetric key; a symmetric key is a key used for both encryption and decryption, and here it ensures data transmission security and privacy protection between the two communicating parties. By encrypting the local model parameters with the symmetric key, each user side can safely share its local model parameters without exposing its data privacy.
Further, in the invention, the user side marks the encrypted local model parameters with its own ID information and performs hash calculation with a hash algorithm to generate a unique hash value. A hash algorithm converts input data into a fixed-length hash value, which helps ensure the uniqueness and integrity of the data. Then, the calculated hash value and the symmetric key are encrypted using the public key information. Public key encryption is an asymmetric encryption technique in which only the corresponding private key can decrypt the data, so only the server side can decrypt the encrypted data. Finally, the encrypted local model parameters, the encrypted hash value and the encrypted symmetric key are combined into a complete local model parameter information structure and transmitted to the server side. The server side can decrypt the hash value and the symmetric key with the corresponding private key, then decrypt the local model parameters, and further process them to update the global model. Through the above steps, secure encryption and transmission of the local model parameters is achieved, guaranteeing the privacy and security of the data. This encryption mechanism helps improve the security of the federal learning system and prevents sensitive information from being leaked or tampered with.
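Steps 602-604 can be condensed into one message-building helper. This Python sketch uses a toy XOR cipher in place of SM4 and leaves the asymmetric primitive as a caller-supplied placeholder; none of the names come from the patent:

```python
import hashlib

def build_upload(local_params: bytes, sym_key: bytes, pub_encrypt):
    """Assemble the local model parameter information as steps 602-604
    describe: symmetric-encrypt the parameters (XOR stands in for SM4),
    hash the plaintext, and wrap both the hash and the symmetric key with
    the server's public key. `pub_encrypt` is a placeholder for the real
    asymmetric encryption primitive."""
    enc_params = bytes(b ^ sym_key[i % len(sym_key)]
                       for i, b in enumerate(local_params))
    first_hash = hashlib.sha256(local_params).digest()
    return {
        "enc_params": enc_params,      # Enc_{k_i}(W_i)
        "enc_hash": pub_encrypt(first_hash),   # Enc_pk(H_i)
        "enc_sym_key": pub_encrypt(sym_key),   # Enc_pk(k_i)
    }
```

The returned dictionary corresponds to the three-part local model parameter information structure sent to the server side.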
The federal learning model aggregation method provided by the invention realizes federal learning model aggregation and reasoning processes by constructing the trusted execution environment in the field programmable gate array chip, and can accelerate the model aggregation and reasoning processes while ensuring the safety of the model aggregation process.
On the basis of the above embodiment, before the receiving the initial model parameters and the public key information sent by the server, the method includes:
encrypting the authentication information based on a main private key corresponding to the security proxy circuit to obtain encrypted authentication information, wherein the authentication information comprises user identification information of the federal learning participation user side and server side label information;
And sending the encrypted authentication information to the server side; if a verification-passed result for the authentication information is received from the server side, and the trusted execution environment label of the field programmable gate array chip in the server side is the same as the server side label information, determining that the server side is the target server side.
In the invention, the main private key corresponding to the security proxy circuit is used for encrypting the authentication information comprising the user identification information of the federal learning participation user side and the label information of the server side. This ensures the security and confidentiality of the authentication information during transmission.
Further, the encrypted authentication information is sent to the server side for authentication and checking of the trusted execution environment. If the authentication information sent by the server side passes the verification, and the trusted execution environment label of the field programmable gate array chip in the server side is the same as the server side label information, determining that the server side is a target server side.
When the user receives the authentication information verification passing result sent by the server and the trusted execution environment tag of the programmable gate array chip in the server is matched with the server tag information, the user can confirm that the server is the target server. Such confirmation may ensure that the client is connected to the intended, trusted server.
Through the steps, the identity verification of the server side and the checking of the trusted execution environment in the federal learning environment can be ensured, so that the safety and the credibility of the whole federal learning system are improved.
In the invention, the improved FPGA is used to accelerate machine learning, which makes full use of the parallel processing capability of the FPGA and achieves lower power consumption than a GPU. Meanwhile, to prevent privacy leakage, a trusted execution environment is designed on the improved FPGA, so that the FPGA trusted execution environment is applied to accelerate the decryption of the model parameters uploaded by each participant user side, making full use of the characteristics of the FPGA to complete the federal learning model aggregation process.
In the invention, firstly, the construction of the FPGA trusted execution environment is finished at the server side, so that the user side of the federal learning participant obtains the use right of the server side, meanwhile, the FPGA trusted execution environment stores the ID information of each user side which is determined to be legal authorized, and the user sides can finish the remote authentication of the FPGA by using the corresponding ID information.
Fig. 7 is a schematic diagram of federal learning aggregation interaction provided by the present invention, and referring to fig. 7, in a built FPGA trusted execution environment, the federal learning model aggregation process is completed by:
1. loading an FPGA security agent at a server side;
2. mutual authentication is carried out between the server side and the user side;
3. the CPU dispatches the federal learning task, and the model parameters and training layer number are initialized in the FPGA TEE, i.e., W_0 and S are initialized;
4. the FPGA TEE randomly selects the federal learning participants and distributes the encrypted initial model and the public key information, i.e., W_0 and pk;
5. The federal learning participants receiving the model training tasks perform local training;
6. the federal learning participants encrypt the model training parameter information using a hybrid key, i.e., Enc_{k_i}(W_i), Enc_pk(k_i) and Enc_pk(H_i), and send it to the FPGA TEE;
7. the FPGA TEE decrypts the model parameters, sets multiple parallel computing channels according to the training layer number information to accelerate federal learning model aggregation, executes the inference process on the aggregated model using the test data set, and performs the accuracy test;
8. and repeatedly executing the steps 4 to 7 until the model converges.
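The steps above can be condensed into a number-only simulation of the outer loop; this is purely illustrative, with real local training and encryption replaced by arithmetic stand-ins:

```python
def simulate_rounds(local_targets, init_param, lr=0.5, tol=1e-6, max_rounds=100):
    """Number-only walk-through of steps 4-8: each selected participant nudges
    the shared parameter toward its own local optimum (step 5), the TEE
    averages the local updates (step 7, FedAvg), and the loop repeats until
    the global parameter stops changing (step 8)."""
    w = init_param
    for _ in range(max_rounds):
        local_updates = [w + lr * (t - w) for t in local_targets]  # local training
        new_w = sum(local_updates) / len(local_updates)            # aggregation
        if abs(new_w - w) < tol:                                   # convergence
            return new_w
        w = new_w
    return w
```

Under this toy dynamic the global parameter converges to the mean of the participants' local optima, illustrating why the loop of steps 4-7 is repeated until convergence.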
The invention realizes the federal learning model aggregation and inference process by constructing an FPGA trusted execution environment, which not only ensures that the model aggregation process is protected against data inference attacks, attribute inference attacks, membership inference attacks and the like, but also accelerates the model aggregation and inference process. The trusted execution environment uses a hybrid encryption mode combining asymmetric and symmetric encryption, greatly improving the computing efficiency of the federal learning process while ensuring security. Moreover, the number of FPGA model aggregation channels is determined according to the model training layer number, making full use of the parallel computing capability of the FPGA to accelerate the federal learning model aggregation process.
The federal learning model aggregation device provided by the invention is described below, and the federal learning model aggregation device described below and the federal learning model aggregation method described above can be referred to correspondingly.
Fig. 8 is a schematic structural diagram of a federal learning model aggregation device provided by the present invention. As shown in Fig. 8, the present invention provides a federal learning model aggregation device based on the field programmable gate array chip described in the foregoing embodiments, which is applied to a server side and includes a multi-channel building module 801, a data transmission module 802, a privacy processing module 803, a parameter aggregation module 804 and a model updating module 805, where the multi-channel building module 801 is configured to determine, based on the field programmable gate array chip, the number of parallel channels for model parameter aggregation according to the number of model layers required by a federal learning task, and the field programmable gate array chip is provided with a security proxy circuit configured to encrypt and decrypt data in the federal learning task; the data transmission module 802 is configured to send, based on the security proxy circuit, the initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user side, where the public key information is used to encrypt a first hash value and a symmetric key corresponding to the local model parameters obtained by training after the federal learning participation user side completes local model training, and the symmetric key is used to encrypt the local model parameters; the privacy processing module 803 is configured to complete decryption processing of the local model parameter information uploaded by the federal learning participation user side based on the security proxy circuit to obtain target model parameters; the parameter aggregation module 804 is configured to aggregate the model parameters of each layer in the target model parameters in parallel based on the number of parallel channels to obtain model aggregation parameters; and the model updating module 805 is configured to update the global model according to the model aggregation parameters to obtain a target global model.
The federal learning model aggregation device provided by the invention realizes federal learning model aggregation and reasoning processes by constructing the trusted execution environment in the field programmable gate array chip, and can accelerate the model aggregation and reasoning processes while ensuring the safety of the model aggregation process.
Fig. 9 is a second schematic structural diagram of a federal learning model aggregation device provided by the present invention, as shown in fig. 9, the present invention provides a federal learning model aggregation device for a field programmable gate array chip, which is applied to a federal learning participation client and includes a receiving module 901, a local model training module 902, a local encryption module 903 and a local data processing module 904, where the receiving module 901 is configured to receive initial model parameters and public key information sent by a server, and the public key information is generated based on a security agent circuit in the field programmable gate array chip; the local model training module 902 is configured to perform local model training on the initial model according to the initial model parameter to obtain a local model parameter, and encrypt the local model parameter with a symmetric key to obtain an encrypted local model parameter; the local encryption module 903 is configured to calculate a first hash value corresponding to the local model parameter through a hash algorithm, and encrypt the first hash value and the symmetric key through the public key information, so as to obtain an encrypted first hash value and an encrypted symmetric key; the local data processing module 904 is configured to construct local model parameter information according to the encrypted local model parameter, the encrypted first hash value, and the encrypted symmetric key, and send the local model parameter information to the server.
The federal learning model aggregation device provided by the invention realizes federal learning model aggregation and reasoning processes by constructing the trusted execution environment in the field programmable gate array chip, and can accelerate the model aggregation and reasoning processes while ensuring the safety of the model aggregation process.
The device provided by the invention is used for executing the method embodiments, and specific flow and details refer to the embodiments and are not repeated herein.
Fig. 10 is a schematic structural diagram of an electronic device according to the present invention, as shown in fig. 10, the electronic device may include: a Processor (Processor) 1001, a communication interface (Communications Interface) 1002, a Memory (Memory) 1003, and a communication bus 1004, wherein the Processor 1001, the communication interface 1002, and the Memory 1003 complete communication with each other through the communication bus 1004. The processor 1001 may invoke logic instructions in the memory 1003 to perform a federal learning model aggregation method comprising: determining the number of parallel channels for model parameter aggregation according to the number of model layers required by a federal learning task based on the field programmable gate array chip, wherein a security agent circuit is arranged in the field programmable gate array chip and is used for encrypting and decrypting data in the federal learning task; based on the security agent circuit, sending initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user side, wherein the public key information is used for encrypting a first hash value and a symmetric key corresponding to a local model parameter obtained by training after the federal learning participation user side completes local model training, and the symmetric key is used for encrypting the local model parameter; based on the security agent circuit, the local model parameter information uploaded by the federal learning participation user side is decrypted to obtain target model parameters; based on the number of parallel channels of model parameter aggregation, carrying out parallel aggregation processing on each layer of model parameters in the target model parameters to obtain model aggregation parameters; updating the global model according to the model aggregation parameters to obtain a target global model;
Or, receiving initial model parameters and public key information sent by a server, wherein the public key information is generated based on a security agent circuit in the field programmable gate array chip; according to the initial model parameters, carrying out local model training on the initial model to obtain local model parameters, and carrying out encryption processing on the local model parameters through a symmetric key to obtain encrypted local model parameters; calculating a first hash value corresponding to the local model parameter through a hash algorithm, and respectively carrying out encryption processing on the first hash value and the symmetric key through the public key information to obtain an encrypted first hash value and an encrypted symmetric key; and constructing local model parameter information according to the encrypted local model parameter, the encrypted first hash value and the encrypted symmetric key, and sending the local model parameter information to the server.
Further, the logic instructions in the memory 1003 described above may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the federal learning model aggregation method provided by the methods described above, the method comprising: determining the number of parallel channels for model parameter aggregation according to the number of model layers required by a federal learning task based on the field programmable gate array chip, wherein a security agent circuit is arranged in the field programmable gate array chip and is used for encrypting and decrypting data in the federal learning task; based on the security agent circuit, sending initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user side, wherein the public key information is used for encrypting a first hash value and a symmetric key corresponding to a local model parameter obtained by training after the federal learning participation user side completes local model training, and the symmetric key is used for encrypting the local model parameter; based on the security agent circuit, the local model parameter information uploaded by the federal learning participation user side is decrypted to obtain target model parameters; based on the number of parallel channels of model parameter aggregation, carrying out parallel aggregation processing on each layer of model parameters in the target model parameters to obtain model aggregation parameters; updating the global model according to the model aggregation parameters to obtain a target global model;
Or, receiving initial model parameters and public key information sent by a server, wherein the public key information is generated based on a security agent circuit in the field programmable gate array chip; according to the initial model parameters, carrying out local model training on the initial model to obtain local model parameters, and carrying out encryption processing on the local model parameters through a symmetric key to obtain encrypted local model parameters; calculating a first hash value corresponding to the local model parameter through a hash algorithm, and respectively carrying out encryption processing on the first hash value and the symmetric key through the public key information to obtain an encrypted first hash value and an encrypted symmetric key; and constructing local model parameter information according to the encrypted local model parameter, the encrypted first hash value and the encrypted symmetric key, and sending the local model parameter information to the server.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the federal learning model aggregation method provided by the above embodiments, the method comprising: determining the number of parallel channels for model parameter aggregation according to the number of model layers required by a federal learning task based on the field programmable gate array chip, wherein a security agent circuit is arranged in the field programmable gate array chip and is used for encrypting and decrypting data in the federal learning task; based on the security agent circuit, sending initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user side, wherein the public key information is used for encrypting a first hash value and a symmetric key corresponding to the local model parameters obtained by training after the federal learning participation user side completes local model training, and the symmetric key is used for encrypting the local model parameters; based on the security agent circuit, decrypting the local model parameter information uploaded by the federal learning participation user side to obtain target model parameters; based on the number of parallel channels for model parameter aggregation, performing parallel aggregation processing on each layer of model parameters in the target model parameters to obtain model aggregation parameters; and updating the global model according to the model aggregation parameters to obtain a target global model;
Or, receiving initial model parameters and public key information sent by a server, wherein the public key information is generated based on a security agent circuit in the field programmable gate array chip; according to the initial model parameters, carrying out local model training on the initial model to obtain local model parameters, and carrying out encryption processing on the local model parameters through a symmetric key to obtain encrypted local model parameters; calculating a first hash value corresponding to the local model parameter through a hash algorithm, and respectively carrying out encryption processing on the first hash value and the symmetric key through the public key information to obtain an encrypted first hash value and an encrypted symmetric key; and constructing local model parameter information according to the encrypted local model parameter, the encrypted first hash value and the encrypted symmetric key, and sending the local model parameter information to the server.
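The client-side flow just described (train locally, encrypt the parameters with a symmetric key, hash them, then wrap the hash and the symmetric key under the server's public key) can be sketched in plain Python. Everything below is illustrative: the function names are invented, and the toy XOR keystream cipher merely stands in for the AES-style symmetric cipher and the asymmetric public-key encryption that the embodiments leave to concrete implementations.

```python
import hashlib
import json
import secrets

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy keystream cipher (XOR with repeated SHA-256 blocks of the key).
    A placeholder for the real symmetric/asymmetric ciphers; XOR makes
    encryption and decryption the same operation, which keeps the sketch short."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def build_local_model_parameter_info(local_params: dict, public_key: bytes) -> dict:
    """Client side: encrypt the trained parameters with a fresh symmetric key,
    compute the 'first hash value' over them, then protect the hash and the
    symmetric key under the server's public key information."""
    serialized = json.dumps(local_params, sort_keys=True).encode()
    sym_key = secrets.token_bytes(32)                 # per-round symmetric key
    first_hash = hashlib.sha256(serialized).digest()  # the "first hash value"
    return {
        "enc_params": xor_stream(serialized, sym_key),
        # In the patent these two fields are encrypted with the server's
        # asymmetric public key; modeled here with the same toy cipher.
        "enc_hash": xor_stream(first_hash, public_key),
        "enc_sym_key": xor_stream(sym_key, public_key),
    }
```

On the server side, holding the matching private key, the envelope unwinds in reverse: recover the symmetric key, decrypt the parameters, and compare hashes.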
The apparatus embodiments described above are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the embodiments without creative effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus a necessary general-purpose hardware platform, or of course by means of hardware. Based on this understanding, the foregoing technical solution, or the part thereof contributing to the prior art, may be embodied in the form of a software product stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk, or an optical disk, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the method described in the respective embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention, not for limiting them; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of the technical features thereof may be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (20)

1. A field programmable gate array chip, characterized in that the chip is applied to a server side and comprises a security agent circuit, an aggregation control module, and a global model generator, wherein:
the security agent circuit is used for sending initial model parameters and public key information corresponding to a federal learning task to each federal learning participation user side, and for decrypting local model parameter information uploaded by the federal learning participation user side to obtain target model parameters, wherein the local model parameter information is obtained through encryption at the federal learning participation user side;
the aggregation control module is used for carrying out, according to model parameter aggregation parallel channels, parallel aggregation processing on each layer of model parameters in the target model parameters to obtain model aggregation parameters, wherein the number of the model parameter aggregation parallel channels is determined based on the number of model layers required by the federal learning task;
the global model generator is used for updating the global model according to the model aggregation parameters to obtain a target global model.
2. The field programmable gate array chip of claim 1, wherein the security agent circuit comprises a first privacy processing unit and a second privacy processing unit, wherein:
The first privacy processing unit is configured to generate a corresponding public-private key pair according to the federal learning task and an asymmetric encryption algorithm, where the public-private key pair includes public key information and private key information, the public key information is used to encrypt a first hash value and a symmetric key corresponding to a local model parameter obtained by training after the federal learning participation user side completes local model training, and the symmetric key is used to encrypt the local model parameter; the private key information is used for decrypting the encrypted first hash value and the encrypted symmetric key;
And the second privacy processing unit is used for decrypting the local model parameters after the encryption processing.
3. The field programmable gate array chip of claim 1, wherein the security agent circuit is further configured to perform signature processing on the initial model parameters and the public key information through a master private key to obtain signature model parameters and signature public key information, and to send the signature model parameters and the signature public key information to each of the federal learning participation user sides.
4. The field programmable gate array chip of claim 3, wherein the security agent circuit is further configured to decrypt, through the master private key, authentication information uploaded by the federal learning participation user side, and to verify the decrypted authentication information to determine whether the federal learning participation user side is an authorized user, wherein the authentication information is obtained through encryption based on public key information corresponding to the master private key.
5. The field programmable gate array chip of claim 4, wherein a trust anchor is disposed in the security agent circuit, and the master private key is generated in a trusted execution environment protected by the trust anchor.
6. A federal learning model aggregation method based on a field programmable gate array chip according to any one of claims 1 to 5, applied to a server side, comprising:
Determining the number of parallel channels for model parameter aggregation according to the number of model layers required by a federal learning task based on the field programmable gate array chip, wherein a security agent circuit is arranged in the field programmable gate array chip and is used for encrypting and decrypting data in the federal learning task;
Based on the security agent circuit, sending initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user side, wherein the public key information is used for encrypting a first hash value and a symmetric key corresponding to a local model parameter obtained by training after the federal learning participation user side completes local model training, and the symmetric key is used for encrypting the local model parameter;
based on the security agent circuit, decrypting the local model parameter information uploaded by the federal learning participation user side to obtain target model parameters;
Based on the number of parallel channels of model parameter aggregation, carrying out parallel aggregation processing on each layer of model parameters in the target model parameters to obtain model aggregation parameters;
and updating the global model according to the model aggregation parameters to obtain a target global model.
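The five steps of the server-side method in claim 6 can be read as one orchestration loop. The sketch below is a software analogy only: `fpga`, `participants`, and `task` are hypothetical stand-ins (the patent's security agent circuit and layer calculation units are hardware), and plain averaging is assumed as the aggregation rule.

```python
def run_aggregation_round(fpga, participants, task):
    """Sketch of one server-side round. `fpga` models the security agent
    circuit plus the layer calculation units; all names are illustrative."""
    # Step 1: one model-parameter-aggregation parallel channel per model layer
    num_channels = task["num_model_layers"]
    # Step 2: distribute the initial model parameters and public key information
    for p in participants:
        p.receive(task["initial_params"], fpga.public_key)
    # Step 3: decrypt each uploaded local-model-parameter package
    target_params = [fpga.decrypt(p.upload()) for p in participants]
    # Step 4: aggregate layer by layer across the parallel channels
    aggregated = [
        [sum(client[layer][i] for client in target_params) / len(target_params)
         for i in range(len(target_params[0][layer]))]
        for layer in range(num_channels)
    ]
    # Step 5: update the global model with the aggregated parameters
    return fpga.update_global_model(aggregated)
```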
7. The federal learning model aggregation method of claim 6, further comprising:
Generating a corresponding public-private key pair based on the security agent circuit according to the federal learning task and an asymmetric encryption algorithm, wherein the public-private key pair comprises the public key information and the private key information;
and decrypting the local model parameter information through the private key information to obtain the first hash value and the symmetric key.
8. The federal learning model aggregation method according to claim 7, wherein before the initial model parameters and public key information corresponding to the federal learning task are sent to each federal learning participation user side based on the security agent circuit, the method further comprises:
based on a master private key corresponding to the security agent circuit, carrying out signature processing on the initial model parameters and the public key information to obtain signature model parameters and signature public key information;
the step of sending the initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user terminal based on the security agent circuit comprises the following steps:
And sending the signature model parameters and the signature public key information to each federal learning participation user side so that each federal learning participation user side can carry out local model training according to the signature model parameters, and carrying out encryption processing on the first hash value and the symmetric key based on the signature public key information.
9. The federal learning model aggregation method according to claim 7, wherein the decrypting, based on the security agent circuit, the local model parameter information uploaded by the federal learning participation user side to obtain the target model parameters comprises:
verifying account information of the federal learning participation user side based on the security agent circuit; if the account information passes the verification, decrypting the encrypted local model parameters through the symmetric key to obtain the local model parameters, and calculating a second hash value from the decrypted local model parameters;
and comparing the first hash value with the second hash value, and if the two are the same, determining the local model parameters obtained after the symmetric key decryption processing as the target model parameters.
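The integrity check in claim 9 (recompute a hash over the decrypted parameters and compare it with the hash the client sealed into the upload) can be sketched as follows. The function name and the `decrypt` callable are hypothetical; SHA-256 is assumed as the hash algorithm, which the claims leave open.

```python
import hashlib

def verify_and_extract(enc_params: bytes, first_hash: bytes,
                       sym_key: bytes, decrypt) -> bytes:
    """Decrypt the local model parameters with the symmetric key, recompute
    the hash (the 'second hash value'), and accept only on an exact match."""
    local_params = decrypt(enc_params, sym_key)
    second_hash = hashlib.sha256(local_params).digest()
    if second_hash != first_hash:
        raise ValueError("hash mismatch: parameters were altered in transit")
    return local_params  # the "target model parameters"
```

A mismatch means either tampering or a decryption failure, so the upload is rejected rather than aggregated.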
10. The federal learning model aggregation method according to claim 6, wherein determining the number of parallel channels for model parameter aggregation according to the number of model layers required for the federal learning task comprises:
based on a central processing unit, receiving the federal learning task and determining the model layer number according to the task type of the federal learning task;
and constructing a corresponding number of layer calculation units according to the model layer number based on the field programmable gate array chip so as to determine the number of the model parameter aggregation parallel channels.
11. The federal learning model aggregation method of claim 8, further comprising:
decrypting, based on the master private key corresponding to the security agent circuit, the authentication information uploaded by the federal learning participation user side to obtain decrypted authentication information;
and verifying the decrypted authentication information based on the security agent circuit, and if the verification passes, determining the federal learning participation user side as an authorized user, wherein the authentication information is obtained through encryption based on public key information corresponding to the master private key.
12. The federal learning model aggregation method according to claim 10, wherein the performing parallel aggregation processing on each layer of model parameters in the target model parameters based on the number of model parameter aggregation parallel channels to obtain model aggregation parameters comprises:
inputting the model parameters of each layer in the target model parameters into corresponding model parameter aggregation parallel channels, and carrying out parallel aggregation processing on the model parameters of each layer in the target model parameters through the layer calculation units in the model parameter aggregation parallel channels to obtain the model aggregation parameters.
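Claims 10 and 12 pair one layer calculation unit with each model layer, so the channel count equals the layer count. A thread pool is only a software analogy for the FPGA's hardware parallelism, and averaging is an assumed aggregation rule; both are illustrative, not taken from the patent.

```python
from concurrent.futures import ThreadPoolExecutor

def aggregate_layers_parallel(client_params):
    """Aggregate per-layer parameters from several clients, one worker per
    layer, mirroring the model parameter aggregation parallel channels.
    `client_params[c][l]` is client c's flat parameter list for layer l."""
    num_layers = len(client_params[0])        # channel count = model layer count
    def aggregate_one_layer(layer_idx):
        layers = [c[layer_idx] for c in client_params]
        return [sum(vals) / len(vals) for vals in zip(*layers)]
    with ThreadPoolExecutor(max_workers=num_layers) as pool:
        return list(pool.map(aggregate_one_layer, range(num_layers)))
```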
13. The federal learning model aggregation method according to claim 8, wherein updating the global model according to the model aggregation parameters to obtain the target global model comprises:
testing the updated global model through a test data set, and taking the updated global model as the target global model if the test result meets a preset condition.
14. The federal learning model aggregation method of claim 13, further comprising:
if the test result does not meet the preset condition, randomly selecting, based on the security agent circuit, a plurality of federal learning participation user sides, and sending the public key information and the model parameters of the updated global model to the randomly selected federal learning participation user sides, so that the randomly selected federal learning participation user sides perform the next round of local model training according to the model parameters of the updated global model;
and updating the updated global model again based on the model aggregation parameters obtained by the next round of local model training, and obtaining the target global model if the preset conditions are met.
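Claims 13 and 14 together describe a test-then-retrain loop: test the updated global model, and on failure run another round with a random subset of participants. The sketch below assumes hypothetical callables (`test_model`, `round_fn`) and an illustrative round limit; none of these names come from the patent.

```python
import random

def train_until_converged(test_model, participant_pool, round_fn,
                          max_rounds=10, subset_size=3):
    """Repeat aggregation rounds until the test result meets the preset
    condition (here modeled by `test_model` returning True)."""
    model = round_fn(participant_pool)            # first round with everyone
    for _ in range(max_rounds):
        if test_model(model):                     # preset condition satisfied
            return model                          # the target global model
        chosen = random.sample(participant_pool, subset_size)
        model = round_fn(chosen)                  # next round of local training
    raise RuntimeError("preset condition not met within max_rounds")
```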
15. A federal learning model aggregation method based on a field programmable gate array chip according to any one of claims 1 to 5, applied to a federal learning participation client, comprising:
receiving initial model parameters and public key information sent by a server, wherein the public key information is generated based on a security agent circuit in the field programmable gate array chip;
according to the initial model parameters, carrying out local model training on the initial model to obtain local model parameters, and carrying out encryption processing on the local model parameters through a symmetric key to obtain encrypted local model parameters;
calculating a first hash value corresponding to the local model parameter through a hash algorithm, and respectively carrying out encryption processing on the first hash value and the symmetric key through the public key information to obtain an encrypted first hash value and an encrypted symmetric key;
And constructing local model parameter information according to the encrypted local model parameter, the encrypted first hash value and the encrypted symmetric key, and sending the local model parameter information to the server.
16. The federal learning model aggregation method of claim 15, wherein prior to receiving the initial model parameters and public key information transmitted by the server side, the method comprises:
encrypting the authentication information based on a master private key corresponding to the security agent circuit to obtain encrypted authentication information, wherein the authentication information comprises user identification information of the federal learning participation user side and server side label information;
and sending the encrypted authentication information to the server side; upon receiving a result sent by the server side indicating that the authentication information passes verification, determining the server side as a target server side if the trusted execution environment label of the field programmable gate array chip in the server side is the same as the server side label information.
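The mutual check in claim 16 binds the client's identity to the server label it expects, and accepts the server only if the FPGA's trusted execution environment label matches. The sketch below substitutes an HMAC over a shared master secret for the master-key public-key encryption of the patent; the secret, function names, and label format are all illustrative assumptions.

```python
import hashlib
import hmac

MASTER_KEY = b"hypothetical-shared-master-secret"  # stand-in for the master key pair

def make_auth_info(user_id: str, server_label: str) -> dict:
    """Client side: bind its identity to the expected server side label and
    protect the pair (HMAC stands in for master-key encryption)."""
    payload = f"{user_id}|{server_label}".encode()
    return {"payload": payload,
            "tag": hmac.new(MASTER_KEY, payload, hashlib.sha256).digest()}

def server_verify(auth: dict, tee_label: str) -> bool:
    """Server side: check the tag with the master key, then confirm the FPGA's
    trusted execution environment label matches the label the client expects."""
    expected = hmac.new(MASTER_KEY, auth["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, auth["tag"]):
        return False
    _, server_label = auth["payload"].decode().split("|", 1)
    return server_label == tee_label
```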
17. A federal learning model aggregation apparatus based on a field programmable gate array chip according to any one of claims 1 to 5, applied to a server side, comprising:
The multi-channel construction module is used for determining the number of parallel channels for model parameter aggregation according to the number of model layers required by a federal learning task based on the field programmable gate array chip, wherein a security agent circuit is arranged in the field programmable gate array chip and is used for encrypting and decrypting data in the federal learning task;
The data transmission module is used for transmitting initial model parameters and public key information corresponding to the federal learning task to each federal learning participation user side based on the security agency circuit, wherein the public key information is used for encrypting a first hash value and a symmetric key corresponding to the local model parameters obtained by training after the federal learning participation user side completes local model training, and the symmetric key is used for encrypting the local model parameters;
the privacy processing module is used for decrypting, based on the security agent circuit, the local model parameter information uploaded by the federal learning participation user side to obtain target model parameters;
The parameter aggregation module is used for carrying out parallel aggregation processing on each layer of model parameters in the target model parameters based on the number of the model parameter aggregation parallel channels to obtain model aggregation parameters;
and the model updating module is used for updating the global model according to the model aggregation parameters to obtain a target global model.
18. A federal learning model aggregation apparatus based on a field programmable gate array chip according to any one of claims 1 to 5, applied to a federal learning participation client, comprising:
the receiving module is used for receiving initial model parameters and public key information sent by the server side, wherein the public key information is generated based on a security agent circuit in the field programmable gate array chip;
the local model training module is used for carrying out local model training on the initial model according to the initial model parameters to obtain local model parameters, and carrying out encryption processing on the local model parameters through a symmetric key to obtain encrypted local model parameters;
The local encryption module is used for calculating a first hash value corresponding to the local model parameter through a hash algorithm, and respectively carrying out encryption processing on the first hash value and the symmetric key through the public key information to obtain an encrypted first hash value and an encrypted symmetric key;
And the local data processing module is used for constructing local model parameter information according to the encrypted local model parameter, the encrypted first hash value and the encrypted symmetric key, and sending the local model parameter information to the server side.
19. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the computer program implements the federal learning model aggregation method of any one of claims 6 to 14 or the federal learning model aggregation method of any one of claims 15 to 16.
20. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the federal learning model aggregation method according to any one of claims 6 to 14, or the federal learning model aggregation method according to any one of claims 15 to 16.
CN202410374346.1A 2024-03-29 2024-03-29 Field programmable gate array chip, aggregation method, device, equipment and medium Pending CN117972802A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410374346.1A CN117972802A (en) 2024-03-29 2024-03-29 Field programmable gate array chip, aggregation method, device, equipment and medium


Publications (1)

Publication Number Publication Date
CN117972802A (en) 2024-05-03

Family

ID=90853562


Country Status (1)

Country Link
CN (1) CN117972802A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination