pith. sign in

arxiv: 2606.19129 · v1 · pith:RAD35KTOnew · submitted 2026-06-17 · 💻 cs.CR · cs.LG

Giskard : Byzantine Robust and Confidential Aggregation for Large-Scale Decentralized Learning

Ousmane Touat , C\'esar Sabater , Mohamed Maouche , Sonia Ben Mokhtar This is my paper

Pith reviewed 2026-06-26 20:22 UTC · model grok-4.3

classification 💻 cs.CR cs.LG
keywords Byzantine robustnessconfidential aggregationdecentralized learningsecure multi-party computationcommittee-based protocolsmodel poisoninglarge-scale networks
0
0 comments X

The pith

Giskard organizes parties into a tree of log-sized committees to compute a confidential approximate median via intra-committee MPC.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper addresses the conflict in decentralized learning where confidentiality requires hiding model updates while Byzantine robustness requires inspecting them for poisoning. Giskard structures n parties into a tree of O(log n)-sized committees and runs BGW-style secure multi-party computation inside each to evaluate a coordinate-wise approximate median through distributed binary search. This avoids the all-to-all communication or overloaded small subsets of earlier approaches. Theoretical analysis proves the security and confidentiality guarantees, while experiments with up to one million participants show model utility remains comparable to prior methods even with up to n/4 malicious parties.

Core claim

By organizing participants into a tree of O(log n)-sized committees and evaluating a coordinate-wise approximate median via committee-adapted distributed binary search with BGW-style MPC inside each committee, Giskard achieves both confidentiality of updates and resilience to n/4 Byzantine parties with asymptotically lower per-party communication than all-to-all or small-subset baselines.

What carries the argument

Tree of O(log n)-sized committees running BGW-style MPC for distributed binary search to compute coordinate-wise approximate median.

If this is right

  • Per-party communication complexity drops asymptotically compared with all-to-all MPC or small-subset delegation.
  • Model utility stays comparable to non-robust baselines even when up to one quarter of parties are Byzantine.
  • Formal proofs establish both security against malicious parties and confidentiality of individual updates.
  • The protocol supports networks of at least one million participants in experiments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The tree structure might extend to other robust aggregation statistics if suitable MPC subroutines exist for them.
  • Dynamic committee formation over time could reduce the impact of static topology attacks that the current design does not explicitly address.
  • The approach leaves open whether the same committee MPC pattern can be composed with differential privacy mechanisms without destroying the median guarantee.

Load-bearing premise

That structuring the network as a tree of small committees and running BGW MPC inside them is enough to deliver both confidentiality and Byzantine robustness at scale without creating new weaknesses or large overhead.

What would settle it

An experiment in which n/4 colluding parties either reveal hidden updates or shift the computed median far from the honest value in a Giskard run with a million participants.

Figures

Figures reproduced from arXiv: 2606.19129 by C\'esar Sabater, Mohamed Maouche, Ousmane Touat, Sonia Ben Mokhtar.

Figure 1
Figure 1. Figure 1: • Leaves (depicted as Level 0 in [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 1
Figure 1. Figure 1: Giskard secure median computation. The 𝑛 parties 𝑃1, . . . , 𝑃𝑛 are partitioned across 𝑏 = 𝑛/𝑘 𝐿 base committees C1, . . . , C𝑏 , each of size 𝑚. Each base committee receives 𝑛/𝑏 bit-vector shares from its assigned parties and aggregates them into a partial count. Partial counts are re-shared upward through 𝐿 levels of 𝑘-ary aggregation to the root committee COM, which broadcasts the next threshold 𝑝𝑡+1 do… view at source ↗
Figure 2
Figure 2. Figure 2: Minimum committee size for varying global corrup [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Share Resharing. Each 𝑃𝑖 ∈ Cch holds share 𝜎𝑑,𝑖 of the partial count Í b𝑗 and samples polynomial 𝑔𝑖,𝑑 with 𝑔𝑖,𝑑 (0) = 𝜎𝑑,𝑖. Each 𝑃 ′ 𝑟 ∈ Cpa recombines 𝜎 ′ 𝑑,𝑟 = Í 𝑘 𝜆𝑘 𝑔𝑘,𝑑 (𝜔𝑟) into a fresh share of the same count. 𝑓 (0), the value shared by the child committee. We describe the protocol for a single coordinate; it runs in parallel across all 𝑑 ∈ [𝐷]. The full protocol is given in Appendix C.2. 3.3 Securi… view at source ↗
Figure 6
Figure 6. Figure 6: Extrapolated wall-clock time to completion versus [PITH_FULL_IMAGE:figures/full_fig_p010_6.png] view at source ↗
Figure 4
Figure 4. Figure 4: Per-party communication cost. (a) Absolute bytes at [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Total communication cost at 𝑓 /𝑛 = 0.10 for the three topologies. Takeaway: Only Giskard keeps both per-party cost and end-to-end latency within practical budgets up to 𝑛 = 106 . 10 2 10 3 10 4 10 5 10 6 Network size n 10 3 10 6 10 9 10 12 10 15 10 18 Estimated wall-clock (s) 1 h 1 d 1 mo 1 yr A2A A2C Giskard [PITH_FULL_IMAGE:figures/full_fig_p010_5.png] view at source ↗
Figure 7
Figure 7. Figure 7: Global test accuracy under four Byzantine attacks [PITH_FULL_IMAGE:figures/full_fig_p011_7.png] view at source ↗
Figure 9
Figure 9. Figure 9: Heatmap of test accuracy as a function of the maxi [PITH_FULL_IMAGE:figures/full_fig_p011_9.png] view at source ↗
read the original abstract

Dealing simultaneously with confidentiality and Byzantine behaviors in decentralized learning is a challenging problem. Indeed, in decentralized learning, clients train a machine learning model while keeping their data locally and share their model parameters or gradients with a set of neighbors. While enforcing confidentiality calls for hiding the exchanged model parameters/gradients (e.g., by using cryptographic techniques), dealing with Byzantine contributions often requires inspecting the latter. Hence, most research works address these objectives separately. A recent line of work proposes to employ secure multi-party computation (MPC) to implement robust aggregators against model poisoning, thereby enforcing both confidentiality and Byzantine resilience. However, these solutions scale badly: they either require all-to-all communication between participants or delegate the entire computation to a small subset, whose computational and communication load grows proportionally with the size of the network. In this paper, we present Giskard, a protocol for confidential and Byzantine-robust decentralized aggregation. Giskard organizes $n$ parties into a tree of committees of size $O(\log n)$ and evaluates a coordinate-wise approximate median via a committee-adapted distributed binary search over the value domain, using BGW-style MPC within each committee. We assess Giskard both theoretically by proving its security and confidentiality properties and experimentally through extensive experiments involving up to one million participants. Compared to its closest competitors, Giskard reduces per-party communication complexity asymptotically while exhibiting comparable model utility under up to $n/4$ Byzantine parties.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper presents Giskard, a protocol for confidential and Byzantine-robust decentralized aggregation in large-scale learning. It organizes n parties into a tree of O(log n)-sized committees and computes a coordinate-wise approximate median via distributed binary search using BGW-style MPC inside each committee. The authors claim asymptotic reduction in per-party communication complexity relative to prior MPC-based aggregators, security and confidentiality proofs, and experimental validation with up to 1M participants showing comparable model utility under up to n/4 Byzantine parties.

Significance. If the security reduction and honest-majority guarantees hold, the result would be significant: it offers a scalable alternative to all-to-all or small-subset MPC approaches for simultaneously achieving confidentiality and Byzantine resilience in decentralized ML, with concrete communication savings and large-scale empirical support.

major comments (2)
  1. [Protocol description / Abstract] Protocol description (committee formation and assignment): the n/4 Byzantine tolerance claim requires that every O(log n)-sized committee maintains an honest majority (for BGW MPC and the median step). The manuscript must supply the explicit assignment protocol together with a concentration analysis (Chernoff bounds plus union bound over Θ(n/log n) committees, plus handling of tree propagation and any adversarial influence on assignment). The abstract states the construction but does not indicate that this analysis is present; without it the central resilience claim is not yet load-bearing.
  2. [Security proof] Security proof section: the reduction to BGW security inside committees must explicitly address the case where a committee fails the honest-majority condition (even with small probability) and how tree-level propagation is handled; the current high-level claim does not yet demonstrate that a single bad committee cannot compromise the global median or confidentiality.
minor comments (2)
  1. [Experiments] The experimental section should report per-party communication volume as a function of n (not only wall-clock time) to substantiate the asymptotic claim.
  2. [Notation / Protocol] Notation for committee size c = O(log n) and the precise median approximation error should be defined once and used consistently.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on the committee assignment and security reduction. We agree that these aspects require more explicit treatment to fully support the n/4 tolerance claim and will revise the manuscript accordingly.

read point-by-point responses

  1. Referee: [Protocol description / Abstract] Protocol description (committee formation and assignment): the n/4 Byzantine tolerance claim requires that every O(log n)-sized committee maintains an honest majority (for BGW MPC and the median step). The manuscript must supply the explicit assignment protocol together with a concentration analysis (Chernoff bounds plus union bound over Θ(n/log n) committees, plus handling of tree propagation and any adversarial influence on assignment). The abstract states the construction but does not indicate that this analysis is present; without it the central resilience claim is not yet load-bearing.

    Authors: We agree that the manuscript's high-level description of the tree of O(log n) committees does not yet include an explicit assignment protocol or the required concentration analysis. In the revision we will add a concrete assignment mechanism (random sampling via a public randomness source or VRF to limit adversarial control) together with a Chernoff-bound plus union-bound argument showing that every committee has honest majority except with negligible probability. We will also analyze tree propagation to show that a local violation cannot affect the global approximate median. These additions will appear in Section 3 (Protocol) and the security analysis. revision: yes

  2. Referee: [Security proof] Security proof section: the reduction to BGW security inside committees must explicitly address the case where a committee fails the honest-majority condition (even with small probability) and how tree-level propagation is handled; the current high-level claim does not yet demonstrate that a single bad committee cannot compromise the global median or confidentiality.

    Authors: We acknowledge that the current security argument assumes the honest-majority condition holds in all committees and does not yet spell out the consequences or mitigation for the negligible-probability failure case. In the revision we will extend the proof to bound the effect of a single faulty committee on the coordinate-wise approximate median and on confidentiality, leveraging the tree structure and the fact that parent committees can cross-check results. If needed we will also describe a lightweight consistency check that aborts or excludes a suspect committee. This will be added to the security section. revision: yes

Circularity Check

0 steps flagged

No circularity; protocol and proofs rely on external MPC primitives without self-referential reduction

full rationale

The paper constructs Giskard by organizing parties into O(log n) committees and applying BGW-style MPC for median aggregation, then states it proves security and confidentiality properties. No equations or claims reduce a result to its own inputs by definition, rename a fitted parameter as a prediction, or rest the central theorem on a self-citation chain. The n/4 Byzantine tolerance and committee honest-majority requirement are design assumptions justified by concentration arguments and external MPC guarantees rather than circular redefinition. The derivation is therefore self-contained against the stated primitives.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The protocol rests on standard cryptographic assumptions for BGW MPC security and the ability of approximate median to tolerate Byzantine faults; no free parameters or invented entities are described in the abstract.

axioms (1)
  • standard math Security and confidentiality properties of BGW-style secure multi-party computation hold within each committee
    Invoked to hide values while computing the median inside committees.

pith-pipeline@v0.9.1-grok · 5804 in / 1105 out tokens · 26777 ms · 2026-06-26T20:22:07.407689+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

71 extracted references · 18 canonical work pages

  1. [1]

    Sulaiman A Alghunaim and Kun Yuan. 2022. A unified and refined convergence analysis for non-convex decentralized learning.IEEE Transactions on Signal Processing70 (2022), 3264–3279

    2022

  2. [2]

    Zeyuan Allen-Zhu, Faeze Ebrahimianghazani, Jerry Li, and Dan Alistarh. 2021. Byzantine-Resilient Non-Convex Stochastic Gradient Descent. InInternational Conference on Learning Representations

    2021

  3. [3]

    Youssef Allouah, Sadegh Farhadkhani, Rachid Guerraoui, Nirupam Gupta, Rafaël Pinot, and John Stephan. 2023. Fixing by mixing: A recipe for optimal byzantine ml under heterogeneity. InInternational Conference on Artificial Intelligence and Statistics. PMLR, 1232–1300

    2023

  4. [4]

    Youssef Allouah, Rachid Guerraoui, Nirupam Gupta, Rafaël Pinot, and John Stephan. 2023. On the privacy-robustness-utility trilemma in distributed learning. InInternational Conference on Machine Learning. PMLR, 569–626

    2023

  5. [5]

    Youssef Allouah, Rachid Guerraoui, and John Stephan. 2025. Towards Trustwor- thy Federated Learning with Untrusted Participants. InProceedings of the 42nd International Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 267), Aarti Singh, Maryam Fazel, Daniel Hsu, Simon Lacoste-Julien, Felix Berkenkamp, Tegan Maharaj, Kiri Wags...

    2025

  6. [6]

    arkworks contributors. 2022. arkworks zkSNARK ecosystem. https://arkworks.rs

    2022

  7. [7]

    Gilad Asharov and Yehuda Lindell. 2011. A Full Proof of the BGW Protocol for Perfectly-Secure Multiparty Computation.IACR Cryptology ePrint Archive2011 (01 2011), 136

    2011

  8. [8]

    Gilad Baruch, Moran Baruch, and Yoav Goldberg. 2019. A little is enough: Circumventing defenses for distributed learning.Advances in Neural Information Processing Systems32 (2019)

    2019

  9. [9]

    James Bell, Adrià Gascón, Tancrède Lepoint, Baiyu Li, Sarah Meiklejohn, Mariana Raykova, and Cathie Yun. 2023. ACORN: input validation for secure aggregation. InProceedings of the 32nd USENIX Conference on Security Symposium(Anaheim, CA, USA)(SEC ’23). USENIX Association, USA, Article 269, 18 pages

    2023

  10. [10]

    Analyzing Information Leakage of Updates to Natural Language Models , booktitle =

    James Henry Bell, Kallista A. Bonawitz, Adrià Gascón, Tancrède Lepoint, and Mar- iana Raykova. 2020. Secure Single-Server Aggregation with (Poly)Logarithmic Overhead. InProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security(Virtual Event, USA)(CCS ’20). Association for Com- puting Machinery, New York, NY, USA, 1253–1269. doi...

    work page doi:10.1145/3372297.3417885 2020

  11. [11]

    2017.Fast and differentially private algorithms for decentralized collaborative machine learn- ing

    Aurélien Bellet, Rachid Guerraoui, Mahsa Taziki, and Marc Tommasi. 2017.Fast and differentially private algorithms for decentralized collaborative machine learn- ing. Research Report. INRIA Lille. https://inria.hal.science/hal-01665410

    2017

  12. [12]

    Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. 1988. Completeness theo- rems for non-cryptographic fault-tolerant distributed computation. InProceedings of the Twentieth Annual ACM Symposium on Theory of Computing(Chicago, Illi- nois, USA)(STOC ’88). Association for Computing Machinery, New York, NY, USA, 1–10. doi:10.1145/62212.62213

    work page doi:10.1145/62212.62213 1988

  13. [13]

    Practical secure aggregation for privacy-preserving machine learning,

    Keith Bonawitz, Vladimir Ivanov, Ben Kreuter, Antonio Marcedone, H. Brendan McMahan, Sarvar Patel, Daniel Ramage, Aaron Segal, and Karn Seth. 2017. Practi- cal Secure Aggregation for Privacy-Preserving Machine Learning. InProceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (Dallas, Texas, USA)(CCS ’17). Association for Co...

    work page doi:10.1145/3133956.3133982 2017

  14. [14]

    Nicolas Braud-Santoni, Rachid Guerraoui, and Florian Huc. 2013. Fast byzantine agreement. InProceedings of the 2013 ACM Symposium on Principles of Distributed Computing(Montréal, Québec, Canada)(PODC ’13). Association for Computing Machinery, New York, NY, USA, 57–64. doi:10.1145/2484239.2484243

    work page doi:10.1145/2484239.2484243 2013

  15. [15]

    Ran Canetti. 2000. Universally Composable Security: A New Paradigm for Cryptographic Protocols. Cryptology ePrint Archive, Paper 2000/067. https: //eprint.iacr.org/2000/067

    2000

  16. [16]

    Xiaoyu Cao, Minghong Fang, Jia Liu, and Neil Zhenqiang Gong. 2021. FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping. InProceedings 2021 Network and Distributed System Security Symposium(Virtual). Internet Society. doi:10.14722/ndss.2021.24434

    work page doi:10.14722/ndss.2021.24434 2021

  17. [17]

    Antoine Choffrut, Rachid Guerraoui, Rafael Pinot, Renaud Sirdey, John Stephan, and Martin Zuber. 2024. Towards Practical Homomorphic Aggregation in Byzantine-Resilient Distributed Learning. InProceedings of the 25th International Middleware Conference(Hong Kong, Hong Kong)(Middleware ’24). Association for Computing Machinery, New York, NY, USA, 431–444. d...

    work page doi:10.1145/3652892 2024

  18. [18]

    Ivan Damgård, Valerio Pastro, {Nigel P.} Smart, and Sarah Zakarias. 2012. Mul- tiparty Computation from Somewhat Homomorphic Encryption. InAdvances in Cryptology - CRYPTO 2012, Reihaneh Safavi-Naini and Ran Canetti (Eds.), Vol. 7417. Springer Berlin Heidelberg, Germany, 643–662

    2012

  19. [19]

    Minghong Fang, Zifan Zhang, Hairi, Prashant Khanduri, Jia Liu, Songtao Lu, Yuchen Liu, and Neil Gong. 2024. Byzantine-robust decentralized federated learning. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 2874–2888

    2024

  20. [20]

    Choquette-Choo, Mark R Thomas, Muhammad Ahmad Kaleem, Stephan Rabanser, Congyu Fang, Somesh Jha, Nicolas Papernot, and Xiao Wang

    Nicholas Franzese, Adam Dziedzic, Christopher A. Choquette-Choo, Mark R Thomas, Muhammad Ahmad Kaleem, Stephan Rabanser, Congyu Fang, Somesh Jha, Nicolas Papernot, and Xiao Wang. 2023. Robust and Actively Secure Server- less Collaborative Learning. InAdvances in Neural Information Processing Systems, A. Oh, T. Naumann, A. Globerson, K. Saenko, M. Hardt, a...

    2023

  21. [21]

    Ali Reza Ghavamipour, Benjamin Zi Hao Zhao, Oguzhan Ersoy, and Fatih Turk- men. 2024. Privacy-Preserving Aggregation for Decentralized Learning with Byzantine-Robustness. doi:10.48550/arXiv.2404.17970 arXiv:2404.17970 [cs]

    work page doi:10.48550/arxiv.2404.17970 2024

  22. [22]

    Marc González, Rachid Guerraoui, Rafael Pinot, Geovani Rizk, John Stephan, and François Taïani. 2025. ByzFL: Research Framework for Robust Federated Learning. arXiv:2505.24802 [cs.LG] https://arxiv.org/abs/2505.24802

    arXiv 2025

  23. [23]

    István Hegedűs, Gábor Danner, and Márk Jelasity. 2019. Gossip learning as a decentralized alternative to federated learning. InDistributed Applications and Interoperable Systems: 19th IFIP WG 6.1 International Conference, DAIS 2019, Held as Part of the 14th International Federated Conference on Distributed Computing Techniques, DisCoTec 2019. Springer, Sp...

    2019

  24. [24]

    Wassily Hoeffding. 1963. Probability inequalities for sums of bounded random variables.Journal of the American statistical association58, 301 (1963), 13–30

    1963

  25. [25]

    Yangsibo Huang, Samyak Gupta, Zhao Song, Kai Li, and Sanjeev Arora. 2021. Eval- uating gradient inversion attacks and defenses in federated learning.Advances in neural information processing systems34 (2021), 7232–7241

    2021

  26. [26]

    Yufan Jiang, Maryam Zarezadeh, Tianxiang Dai, and Stefan Köpsell. 2025. AlphaFL: Secure Aggregation with Malicious 2 Security for Federated Learn- ing against Dishonest Majority. Cryptology ePrint Archive, Paper 2025/1289. https://eprint.iacr.org/2025/1289

    2025

  27. [27]

    Sai Praneeth Karimireddy, Lie He, and Martin Jaggi. 2020. Byzantine-Robust Learning on Heterogeneous Datasets via Bucketing

    2020

  28. [28]

    Sai Praneeth Karimireddy, Lie He, and Martin Jaggi. 2021. Learning from History for Byzantine Robust Optimization. InProceedings of the 38th Inter- national Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 139), Marina Meila and Tong Zhang (Eds.). PMLR, 5311–5319. https://proceedings.mlr.press/v139/karimireddy21a.html

    2021

  29. [29]

    Sai Praneeth Karimireddy, Lie He, and Martin Jaggi. 2022. Byzantine-Robust Learning on Heterogeneous Datasets via Bucketing. InInternational Conference on Learning Representations

    2022

  30. [30]

    Marcel Keller, Emmanuela Orsini, and Peter Scholl. 2016. MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer. Cryptology ePrint Archive, Paper 2016/505. doi:10.1145/2976749.2978357

    work page doi:10.1145/2976749.2978357 2016

  31. [31]

    Valerie King, Steven Lonargan, Jared Saia, and Amitabh Trehan. 2011. Load balanced scalable Byzantine agreement through quorum building, with full in- formation. InProceedings of the 12th International Conference on Distributed Com- puting and Networking(Bangalore, India)(ICDCN’11). Springer-Verlag, Berlin, Heidelberg, 203–214

    2011

  32. [32]

    Valerie King, Jared Saia, Vishal Sanwalani, and Erik Vee. 2006. Towards Secure and Scalable Computation in Peer-to-Peer Networks. InProceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS ’06). IEEE Computer Society, USA, 87–98. doi:10.1109/FOCS.2006.77

    work page doi:10.1109/focs.2006.77 2006

  33. [33]

    Eyal Kushilevitz, Yehuda Lindell, and Tal Rabin. 2010. Information-Theoretically Secure Protocols and Security under Composition.SIAM J. Comput.39, 5 (March 2010), 2090–2112

    2010

  34. [34]

    Giannakis, and Qing Ling

    Liping Li, Wei Xu, Tianyi Chen, Georgios B. Giannakis, and Qing Ling. 2019. RSA: Byzantine-robust stochastic aggregation methods for distributed learning from heterogeneous datasets. InProceedings of the Thirty-Third AAAI Confer- ence on Artificial Intelligence and Thirty-First Innovative Applications of Artificial Intelligence Conference and Ninth AAAI S...

    work page doi:10.1609/aaai.v33i01.33011544 2019

  35. [35]

    Xiangru Lian, Ce Zhang, Huan Zhang, Cho-Jui Hsieh, Wei Zhang, and Ji Liu

  36. [36]

    InProceedings of the 31st International Conference on Neural Information Processing Systems(Long Beach, California, USA)(NIPS’17)

    Can decentralized algorithms outperform centralized algorithms? a case study for decentralized parallel stochastic gradient descent. InProceedings of the 31st International Conference on Neural Information Processing Systems(Long Beach, California, USA)(NIPS’17). Curran Associates Inc., Red Hook, NY, USA, 5336–5346

  37. [37]

    Yizhong Liu, Zixiao Jia, Zian Jin, Xiao Chen, Song Bian, Runhua Xu, Dawei Li, Jianwei Liu, and Yuan Lu. 2025. Aion: robust and efficient multi-round single- mask secure aggregation against malicious participants. InProceedings of the 34th USENIX Conference on Security Symposium(Seattle, WA, USA)(SEC ’25). USENIX Association, USA, Article 156, 20 pages

    2025

  38. [38]

    Hidde Lycklama, Lukas Burkhalter, Alexander Viand, Nicolas Kuchler, and Anwar Hithnawi. 2023. RoFL: Robustness of Secure Federated Learning. In2023 IEEE Symposium on Security and Privacy (SP). IEEE, Article 33, 33 pages. doi:10.1109/ SP46215.2023.10179400

    arXiv 2023

  39. [39]

    Mohamad Mansouri, Melek Önen, Wafa Ben Jaballah, and Mauro Conti. 2023. Sok: Secure aggregation based on cryptographic schemes for federated learning. Proceedings on Privacy Enhancing Technologies(2023)

    2023

  40. [40]

    Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera Y. Arcas. 2017. Communication-Efficient Learning of Deep Networks Conference’17, July 2017, Washington, DC, USA Ousmane Touat, César Sabater, Mohamed Maouche, and Sonia Ben Mokhtar from Decentralized Data. InProceedings of the 20th International Conference on Artificial Intellige...

    2017

  41. [41]

    Luca Melis, Congzheng Song, Emiliano De Cristofaro, and Vitaly Shmatikov

  42. [42]

    In2019 IEEE symposium on security and privacy (SP)

    Exploiting unintended feature leakage in collaborative learning. In2019 IEEE symposium on security and privacy (SP). IEEE, IEEE, San Francisco, CA, USA, 691–706

  43. [43]

    Viraaji Mothukuri, Reza M Parizi, Seyedamin Pouriyeh, Yan Huang, Ali De- hghantanha, and Gautam Srivastava. 2021. A survey on security and privacy of federated learning.Future Generation Computer Systems115 (2021), 619–640

    2021

  44. [44]

    Mahnush Movahedi, Jared Saia, and Mahdi Zamani. 2015. Secure Multi-party Shuffling. InPost-Proceedings of the 22nd International Colloquium on Structural Information and Communication Complexity - Volume 9439(Montserrat, Spain) (SIROCCO 2015). Springer-Verlag, Berlin, Heidelberg, 459–473. doi:10.1007/978- 3-319-25258-2_32

    work page doi:10.1007/978- 2015

  45. [45]

    Milad Nasr, Reza Shokri, and Amir Houmansadr. 2019. Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning. In2019 IEEE symposium on security and privacy (SP). IEEE, IEEE, San Francisco, CA, USA, 739–753

    2019

  46. [46]

    Blanchard Peva, El Mhamdi El Mahdi, Guerraoui Rachid, and Stainer Julien. 2017. Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent. In Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, Guyon Isabelle, von Luxburg Ulrike, Bengio Samy, Wallach Hanna M., Fergus Rob, Vish...

    2017

  47. [47]

    Krishna Pillutla, Sham M Kakade, and Zaid Harchaoui. 2022. Robust aggregation for federated learning.IEEE Transactions on Signal Processing70 (2022), 1142– 1154

    2022

  48. [48]

    Mayank Rathee, Conghao Shen, Sameer Wagh, and Raluca Ada Popa. 2023. ELSA: Secure Aggregation for Federated Learning with Malicious Actors . In2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos, CA, USA, 1961–1979. doi:10.1109/SP46215.2023.10179468

    work page doi:10.1109/sp46215.2023.10179468 2023

  49. [49]

    Amrita Roy Chowdhury, Chuan Guo, Somesh Jha, and Laurens van der Maaten

  50. [50]

    InProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security(Los Angeles, CA, USA)(CCS ’22)

    EIFFeL: Ensuring Integrity for Federated Learning. InProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security(Los Angeles, CA, USA)(CCS ’22). Association for Computing Machinery, New York, NY, USA, 2535–2549. doi:10.1145/3548606.3560611

    work page doi:10.1145/3548606.3560611 2022

  51. [51]

    Adi Shamir. 1979. How to share a secret.Commun. ACM22, 11 (Nov. 1979), 612–613. doi:10.1145/359168.359176

    work page doi:10.1145/359168.359176 1979

  52. [52]

    Muhammad Shayan, Clement Fung, Chris J. M. Yoon, and Ivan Beschastnikh

  53. [53]

    IEEE Transactions on Parallel and Distributed Systems32, 7 (July 2021), 1513–1525

    Biscotti: A Blockchain System for Private and Secure Federated Learning. IEEE Transactions on Parallel and Distributed Systems32, 7 (July 2021), 1513–1525. doi:10.1109/TPDS.2020.3044223

    work page doi:10.1109/tpds.2020.3044223 2021

  54. [54]

    Jinhyun So, Başak Güler, and A Salman Avestimehr. 2020. Byzantine-resilient secure federated learning.IEEE Journal on Selected Areas in Communications39, 7 (2020), 2168–2181

    2020

  55. [55]

    Jinhyun So, Chaoyang He, Chien-Sheng Yang, Songze Li, Qian Yu, Ramy E Ali, Basak Guler, and Salman Avestimehr. 2022. Lightsecagg: a lightweight and versatile design for secure aggregation in federated learning.Proceedings of Machine Learning and Systems4 (2022), 694–720

    2022

  56. [56]

    Raj Kiriti Velicheti, Derek Xia, and Sanmi Koyejo. 2021. Secure Byzantine-Robust Distributed Learning via Clustering. InNeurIPS Workshop New Frontiers in Feder- ated Learning: Privacy, Fairness, Robustness, Personalization and Data Ownership

    2021

  57. [57]

    Kang Wei, Jun Li, Ming Ding, Chuan Ma, Howard H Yang, Farhad Farokhi, Shi Jin, Tony QS Quek, and H Vincent Poor. 2020. Federated learning with differential privacy: Algorithms and performance analysis.IEEE transactions on information forensics and security15 (2020), 3454–3469

    2020

  58. [58]

    Cong Xie, Oluwasanmi Koyejo, and Indranil Gupta. 2020. Fall of empires: Breaking byzantine-tolerant sgd by inner product manipulation. InUncertainty in artificial intelligence. PMLR, 261–270

    2020

  59. [59]

    Andrew C. Yao. 1982. Protocols for secure computations . In23rd Annual Symposium on Foundations of Computer Science. IEEE Computer Society, Los Alamitos, CA, USA, 160–164. doi:10.1109/SFCS.1982.38

    work page doi:10.1109/sfcs.1982.38 1982

  60. [60]

    Andrew Chi Chih Yao. 1986. HOW TO GENERATE AND EXCHANGE SECRETS.. InAnnual Symposium on Foundations of Computer Science (Proceedings) (Annual Symposium on Foundations of Computer Science (Proceedings)). IEEE, 162–167. doi:10.1109/sfcs.1986.25

    work page doi:10.1109/sfcs.1986.25 1986

  61. [61]

    Dong Yin, Yudong Chen, Ramchandran Kannan, and Peter Bartlett. 2018. Byzantine-Robust Distributed Learning: Towards Optimal Statistical Rates. In Proceedings of the 35th International Conference on Machine Learning (Proceedings of Machine Learning Research, Vol. 80), Jennifer Dy and Andreas Krause (Eds.). PMLR, Stockholm, Sweden, 5650–5659

    2018

  62. [62]

    Mahdi Zamani, Mahnush Movahedi, and Jared Saia. 2014. Millions of Millionaires: Multiparty Computation in Large Networks. Cryptology ePrint Archive, Paper 2014/149. https://eprint.iacr.org/2014/149

    2014

  63. [63]

    Chengliang Zhang, Suyi Li, Junzhe Xia, Wei Wang, Feng Yan, and Yang Liu. 2020. {BatchCrypt}: Efficient homomorphic encryption for {Cross-Silo} federated learning. In2020 USENIX annual technical conference (USENIX ATC 20). 493–506

    2020

  64. [64]

    Jingwen Zhang, Jiale Zhang, Junjun Chen, and Shui Yu. 2020. GAN Enhanced Membership Inference: A Passive Local Attack in Federated Learning. InICC 2020 - 2020 IEEE International Conference on Communications (ICC). IEEE, Dublin, Ireland, 1–6. doi:10.1109/ICC40277.2020.9148790 A Open Science We provide an artifact available in the following anonymized code ...

    work page doi:10.1109/icc40277.2020.9148790 2020

  65. [65]

    Leaf-side sharing.For each 𝑑∈ [𝐷] , leaf 𝑗 computes 𝑏 𝑗,𝑑 = 1[𝑥 𝑗,𝑑 <𝑝 𝑡,𝑑 ] and invokes VSS-Share(𝑏 𝑗,𝑑 ) toward C𝑗

  66. [66]

    If verification rejects,[𝑏 𝑗,𝑑 ] ← [0]

    VSS verification.The committee completes VSS verifi- cation for each[𝑏 𝑗,𝑑 ]. If verification rejects,[𝑏 𝑗,𝑑 ] ← [0]

  67. [67]

    If the opened value is nonzero,[𝑏 𝑗,𝑑 ] ← [ 0]

    Bit-domain check.The committee jointly runs Multiply( [𝑏𝑗,𝑑 ],[ 1 −𝑏 𝑗,𝑑 ]) and opens the result via VSS-Reconst. If the opened value is nonzero,[𝑏 𝑗,𝑑 ] ← [ 0]

  68. [68]

    Protocol 2:Reshare Input.Each 𝑃𝑖 ∈ Cch holds 𝜎𝑖 =𝑓(𝛼 𝑖 ), where 𝑓 is a degree- 𝜏 polynomial

    Local aggregation.Each𝑃 𝑖 ∈ C 𝑗 locally computes [𝜎𝑑 ]𝑖 ← ∑︁ 𝑗:𝑃 𝑖 ∈ C𝑗 [𝑏 𝑗,𝑑 ]𝑖 for every𝑑∈ [𝐷]. Protocol 2:Reshare Input.Each 𝑃𝑖 ∈ Cch holds 𝜎𝑖 =𝑓(𝛼 𝑖 ), where 𝑓 is a degree- 𝜏 polynomial. Both committees have size 𝑚 with threshold 𝜏<𝑚/ 4; {𝛼𝑖 } and {𝜔𝑟 } are the public evaluation points of Cch andC pa. Output.Each 𝑃 ′ 𝑟 ∈ C pa holds 𝜎 ′ 𝑟 =𝑓 ′ (𝜔𝑟 ), ...

  69. [69]

    Each 𝑃 ′ 𝑟 ∈ C pa receives 𝑔𝑖 (𝜔𝑟 ), where 𝑔𝑖 is a degree-𝜏polynomial with𝑔 𝑖 (0)=𝜎 𝑖

    Sub-sharing.Each 𝑃𝑖 ∈ Cch invokes VSS-SubShare(𝜎𝑖 ) toward Cpa. Each 𝑃 ′ 𝑟 ∈ C pa receives 𝑔𝑖 (𝜔𝑟 ), where 𝑔𝑖 is a degree-𝜏polynomial with𝑔 𝑖 (0)=𝜎 𝑖

  70. [70]

    Each 𝑃 ′ 𝑟 ∈ Cpa locally computes 𝜎 ′ 𝑟 ← ∑︁ 𝑖∈ Cch 𝜆𝑖 ·𝑔𝑖 (𝜔𝑟 )

    Local recombination.Let {𝜆𝑖 }𝑖∈ Cch be the Lagrange coefficients interpolating 𝑓( 0) from {𝑓(𝛼 𝑖 )}. Each 𝑃 ′ 𝑟 ∈ Cpa locally computes 𝜎 ′ 𝑟 ← ∑︁ 𝑖∈ Cch 𝜆𝑖 ·𝑔𝑖 (𝜔𝑟 ). Protocol 3:Broadcast Down (in the Tree) Input.Each 𝑃 ′ 𝑟 ∈ C pa holds the same public value 𝑣∈R (e.g., a reconstructed pivot coordinate). Both committees have size 𝑚 with threshold 𝜏<𝑚/ 4.Ou...

  71. [71]

    Majority vote.Each 𝑃𝑖 ∈ Cch collects the received values{𝑣𝑟 }𝑟∈ Cpa and outputs the value with multiplicity>𝑚/2

    Send.Each 𝑃 ′ 𝑟 ∈ C pa sends 𝑣 to every 𝑃𝑖 ∈ C ch over authenticated channels.2. Majority vote.Each 𝑃𝑖 ∈ Cch collects the received values{𝑣𝑟 }𝑟∈ Cpa and outputs the value with multiplicity>𝑚/2. Substituting𝑓/𝑛=1/4−𝜖, Pr[𝑋≥𝑚/4] ≤exp − 16𝜖2 (3+4𝜖) 2 · 𝑚(3/4+𝜖) 2 =exp − 2𝜖2𝑚 3+4𝜖 . Conference’17, July 2017, Washington, DC, USA Ousmane Touat, César Sabater, M...

    2017