arxiv: 2506.12846 · v10 · submitted 2025-06-15 · 💻 cs.CR · cs.AI

VFEFL: Privacy-Preserving Federated Learning against Malicious Clients via Verifiable Functional Encryption

Pith reviewed 2026-05-19 09:39 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords federated learning, verifiable functional encryption, privacy preservation, malicious clients, robust aggregation, cross-ciphertext verification, decentralized encryption

The pith

A new cross-ciphertext verifiable encryption scheme lets federated learning detect malicious clients and preserve privacy without trusted third parties or dual non-colluding servers.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents VFEFL, a federated learning system that keeps local model updates encrypted while still allowing the server to check whether those updates follow expected relationships. It introduces a CC-DVFE scheme that performs this verification directly on ciphertexts from multiple clients. This design removes the need for separate non-colluding servers or an external trusted party that most prior defenses rely on. If the scheme works as claimed, collaborative training can continue with high model accuracy even when some participants send harmful updates. The approach therefore addresses both data leakage risks and poisoning attacks in one integrated method.

Core claim

The VFEFL framework, built on a novel Cross-Ciphertext Decentralized Verifiable Functional Encryption scheme, achieves privacy protection for local models, robustness against malicious clients through a verifiable aggregation rule, formal verifiability of ciphertext relationships, and high-fidelity model training, all without assuming non-colluding dual servers or any trusted third party.

What carries the argument

The Cross-Ciphertext Decentralized Verifiable Functional Encryption (CC-DVFE) scheme, which defines verification of specific relationships over multi-dimensional ciphertexts from different clients.

If this is right

  • Malicious clients can be detected and excluded by checking verifiable relationships directly on their encrypted updates.
  • High-accuracy global models can still be obtained when training proceeds under adversarial client behavior.
  • Privacy of local data is maintained because the server never sees plaintext model parameters.
  • The framework eliminates dependence on non-colluding dual servers or external trusted parties for both privacy and robustness.
  • Formal security proofs and empirical tests support the claimed protection, verifiability, and fidelity properties.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same ciphertext-verification idea could extend to other distributed training settings such as decentralized optimization or multi-party computation where participants cannot be fully trusted.
  • Large-scale experiments with hundreds of clients and varied attack strengths would test whether the verification overhead remains practical outside the reported evaluation settings.
  • Adding differential privacy noise to the encrypted updates might strengthen protection against inference attacks that the current scheme does not explicitly address.

Load-bearing premise

The security and correctness of the CC-DVFE scheme hold under the paper's stated security model so the robust aggregation rule can correctly identify and exclude malicious updates.

What would settle it

A concrete attack in which a malicious client crafts an update that satisfies the verifiable ciphertext relationships yet still degrades the final model accuracy, or a successful model inversion that recovers private data despite the encryption.

Figures

Figures reproduced from arXiv: 2506.12846 by Jinguang Han, Nina Cai, Weizhi Meng.

Figure 1: The workflow and main components of DVFE
Figure 2: The workflow and main components of VFEFL
Figure 3: Model accuracy on three datasets in the absence of attacks: (a) MNIST, (b) Fashion-MNIST, and (c) CIFAR-10.
Figure 4: Model accuracy under different attacks on MNIST: (a) GA, (b) SA, and (c) AA.
Figure 5: Model accuracy under different attacks on Fashion-MNIST: (a) GA, (b) SA, and (c) AA.
Figure 6: Model accuracy under different attacks on CIFAR-10: (a) GA, (b) SA, and (c) AA.
Figure 7: AC and ASR under LF attacks on MNIST: (a) accuracy (AC) and (b)
Figure 8: AC and ASR under LF attacks on Fashion-MNIST: (a) accuracy (AC)
Figure 9: AC and ASR under LF attacks on CIFAR-10: (a) accuracy (AC) and
Original abstract

Federated learning is a promising distributed learning paradigm that enables collaborative model training without exposing local client data, thereby protecting data privacy. However, it also brings new threats and challenges. The advancement of model inversion attacks has rendered the plaintext transmission of local models insecure, while the distributed nature of federated learning makes it particularly vulnerable to attacks raised by malicious clients. To protect data privacy and prevent malicious client attacks, this paper proposes a privacy-preserving Federated Learning framework based on Verifiable Functional Encryption (VFEFL), without a non-colluding dual-server assumption or additional trusted third-party. Specifically, we propose a novel Cross-Ciphertext Decentralized Verifiable Functional Encryption (CC-DVFE) scheme that enables the verification of specific relationships over multi-dimensional ciphertexts. This scheme is formally treated, in terms of definition, security model and security proof. Furthermore, based on the proposed CC-DVFE scheme, we design a privacy-preserving federated learning framework that incorporates a novel robust aggregation rule to detect malicious clients, enabling the effective training of high-accuracy models under adversarial settings. Finally, we provide the formal analysis and empirical evaluation of VFEFL. The results demonstrate that our approach achieves the desired privacy protection, robustness, verifiability and fidelity, while eliminating the reliance on non-colluding dual-server assumption or trusted third parties required by most existing methods.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes VFEFL, a privacy-preserving federated learning framework built on a novel Cross-Ciphertext Decentralized Verifiable Functional Encryption (CC-DVFE) scheme. CC-DVFE enables verification of specific relationships over multi-dimensional ciphertexts, which is used to support a robust aggregation rule that detects and excludes malicious clients. The work formally defines the scheme, provides a security model and proof, integrates it into FL without non-colluding dual-server or trusted third-party assumptions, and reports formal analysis plus empirical evaluation claiming privacy protection, robustness, verifiability, and fidelity.

Significance. If the security reduction and robustness link hold, the result would be significant for secure federated learning by removing common trusted-setup assumptions while combining verifiable encryption with aggregation. The formal treatment of CC-DVFE (definition, model, and proof) and the empirical evaluation are clear strengths that support reproducibility and verifiability of the claims.

major comments (2)
  1. [Security Proof of CC-DVFE] Security model and proof for CC-DVFE: The proof establishes security properties for the encryption primitive, but the manuscript provides no reduction showing that an update satisfying the verifiable linear or norm relationships cannot still be a malicious poisoning attack (e.g., adaptive backdoor or label-flip gradients that preserve the checked ciphertext relations). This link is load-bearing for the central robustness claim that eliminates trusted third parties.
  2. [Robust Aggregation Rule] Robust aggregation rule: The rule relies on CC-DVFE verification to correctly detect and exclude malicious clients, yet without a formal argument connecting the primitive's security to integrity against all poisoning behaviors under the stated FL threat model, the elimination of non-colluding server assumptions does not automatically follow.
minor comments (2)
  1. [CC-DVFE Definition] The description of multi-dimensional ciphertext handling in CC-DVFE would benefit from explicit notation for the verified relationships to improve clarity.
  2. [Empirical Evaluation] Empirical evaluation section should specify the exact attack parameters and baseline comparisons used for the robustness tests.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful review and constructive comments on our manuscript. We address each major comment point by point below, clarifying the connections between the CC-DVFE security properties and the robust aggregation in VFEFL while committing to revisions that strengthen the formal links without altering the core claims.

  1. Referee: [Security Proof of CC-DVFE] Security model and proof for CC-DVFE: The proof establishes security properties for the encryption primitive, but the manuscript provides no reduction showing that an update satisfying the verifiable linear or norm relationships cannot still be a malicious poisoning attack (e.g., adaptive backdoor or label-flip gradients that preserve the checked ciphertext relations). This link is load-bearing for the central robustness claim that eliminates trusted third parties.

    Authors: We appreciate this observation. The CC-DVFE security proof establishes that verification of the specified functional relations (linear combinations and norm bounds over multi-dimensional ciphertexts) is sound: an adversary without the appropriate keys cannot produce a valid proof for a ciphertext that fails to satisfy the relation. In the VFEFL threat model, malicious clients must submit ciphertexts that pass this verification to participate; any poisoning attempt that violates the checked relations is thereby excluded by the robust aggregation rule. This design removes the need for non-colluding servers or trusted parties because the verification itself enforces the integrity constraint. We acknowledge that an explicit reduction or lemma directly mapping primitive security to resistance against all adaptive poisoning strategies (such as those preserving the checked relations) would make the argument tighter. We will add such a discussion and supporting lemma in the security analysis section of the revised manuscript. revision: yes

  2. Referee: [Robust Aggregation Rule] Robust aggregation rule: The rule relies on CC-DVFE verification to correctly detect and exclude malicious clients, yet without a formal argument connecting the primitive's security to integrity against all poisoning behaviors under the stated FL threat model, the elimination of non-colluding server assumptions does not automatically follow.

    Authors: Thank you for raising this point. The robust aggregation rule is constructed so that only model updates whose ciphertexts satisfy the CC-DVFE-verified relations are aggregated; updates failing verification are excluded. Because the security model of CC-DVFE guarantees that valid proofs cannot be forged for non-compliant plaintexts, the rule achieves client exclusion without external trust assumptions. We agree that the manuscript would benefit from an explicit formal argument (e.g., a theorem or corollary) that derives the FL-level integrity guarantee directly from the primitive's security definition and the threat model. We will incorporate this argument into the revised security analysis to clarify how the elimination of dual-server or trusted-third-party requirements follows from the verifiable properties. revision: yes
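
The gap that the first major comment and both responses turn on, as an added example (not code from the paper, its authors, or Pith): a plaintext stand-in for a norm-bound admission check followed by plain averaging, with the worst-case influence that admitted updates can still have. The bound, the averaging rule, the client ids and the vectors are all assumptions constructed here; the paper's actual CC-DVFE relations and aggregation rule are not given on this page.

```python
import math

# Constructed sample data: all ids, vectors and the bound are assumptions
# made for this example; none of them come from the paper.
BOUND = 1.0
UPDATES = {
    "c1": [0.60, 0.00],   # honest
    "c2": [0.50, 0.10],   # honest
    "c3": [0.55, -0.10],  # honest
    "c4": [5.00, 5.00],   # violates the norm relation
    "c5": [-0.90, 0.00],  # satisfies the relation, opposes the honest direction
}
HONEST = ("c1", "c2", "c3")


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def mean(vectors):
    n = len(vectors)
    return [sum(col) / n for col in zip(*vectors)]


def admit(updates, bound):
    """Plaintext analogue of the verified relation: keep u with ||u|| <= bound."""
    admitted = {cid: u for cid, u in updates.items() if norm(u) <= bound}
    rejected = sorted(set(updates) - set(admitted))
    return admitted, rejected


def residual_shift(admitted, honest_ids):
    """Distance between the mean of all admitted updates and the honest-only mean."""
    agg = mean(list(admitted.values()))
    honest = mean([admitted[c] for c in honest_ids if c in admitted])
    return norm([a - h for a, h in zip(agg, honest)])


def worst_case_shift(bound, n_admitted, n_untrusted):
    """Upper bound on residual_shift for plain averaging.

    agg - honest_mean = (f/m) * (mean(untrusted) - honest_mean), and both
    means have norm <= bound, so the shift is at most 2 * bound * f / m.
    """
    return 2.0 * bound * n_untrusted / n_admitted


def run_demo():
    admitted, rejected = admit(UPDATES, BOUND)
    untrusted = len(admitted) - sum(1 for c in HONEST if c in admitted)
    return {
        "admitted": sorted(admitted),
        "rejected": rejected,
        "shift": residual_shift(admitted, HONEST),
        "cap": worst_case_shift(BOUND, len(admitted), untrusted),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check removes c4 but admits c5, so the aggregate still sits 0.3625 away from the honest mean, inside the 0.5 cap. A sound relation check bounds the influence of an admitted update; it does not by itself establish that every admitted update is benign.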

Circularity Check

0 steps flagged

No significant circularity detected

The paper introduces a novel CC-DVFE scheme with explicit formal definition, security model, and security proof, then constructs the VFEFL framework and robust aggregation rule on top of it. No load-bearing step reduces by construction to its own inputs, fitted parameters renamed as predictions, or a self-citation chain; the security analysis and empirical evaluation provide independent content against the stated model. This is the common case of a self-contained proposal of a new primitive.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The work relies on standard cryptographic hardness assumptions for the security of the functional encryption scheme and on the correctness of the robust aggregation rule derived from verifiable relationships. No free parameters or invented physical entities are described in the abstract.

axioms (1)
  • [standard math] Standard cryptographic assumptions underlying functional encryption and verifiable computation hold.
    Invoked implicitly for the security proof of CC-DVFE.

