| Graduate student: | 王宇哲 Wang, Yu-Zhe |
|---|---|
| Thesis title: | 基於可聚合混淆電路的隱私保護可驗證聯邦式學習方法 A Privacy Preserving Verifiable Federated Learning Approach Based on Aggregatable Garbled Circuit |
| Advisor: | 郭耀煌 Kuo, Yau-Hwang |
| Degree: | 碩士 Master |
| Department: | 電機資訊學院 - 資訊工程學系 Department of Computer Science and Information Engineering |
| Year of publication: | 2022 |
| Academic year of graduation: | 110 |
| Language: | English |
| Number of pages: | 34 |
| Chinese keywords: | 隱私保護、可驗證運算、混淆電路、資料分析 (privacy preservation, verifiable computation, garbled circuit, data analytics) |
| English keywords: | Privacy-preserving, Verifiable Computation, Garbled Circuit, Data Analytics |
| Usage statistics: | Views: 198, Downloads: 0 |
Federated learning is an emerging machine learning technique recently proposed by Google. Each data provider's data stays on the local side for training, and the resulting local models are handed to the model provider for aggregation, which achieves a basic level of privacy protection. However, in the machine learning industry, protecting model security is an important issue in addition to protecting data privacy. Because of the particular operating architecture of federated learning, existing federated learning systems such as PrivFL and DPFL find it difficult to protect the model provider's model security while protecting the data providers' data privacy. As a result, the model provider's model assets may be stolen, and the model may suffer poisoning attacks that degrade service quality or even implant a backdoor, causing losses that are hard to estimate.
Therefore, this thesis proposes a privacy-preserving verifiable federated learning system based on an aggregatable garbled circuit, which protects both the data providers' data privacy and the model provider's model security during federated learning training. By encrypting the model into an aggregatable garbled circuit, the model weights and architecture are protected, and model privacy is thereby preserved. Moreover, the aggregatable garbled circuit guarantees that the model cannot be arbitrarily tampered with during training, which resists poisoning attacks, while a secure aggregation protocol protects the data providers' data privacy during training. Security analysis shows that even when attackers collude, the system protects data and model privacy and prevents the model from being poisoned. Experimental results show that the proposed method performs better than security mechanisms that use homomorphic encryption; applying the method to K-means clustering analysis leads to the same conclusion. To the best of our knowledge, this thesis is the first to propose a federated learning system that protects both model security and data privacy and still provides a degree of security guarantee under some level of collusion. We hope the results of this thesis can benefit the development of the machine learning industry.
Recently, Federated Learning (FL), proposed by Google, has emerged as an advanced machine learning technology. Generally, the training process in an FL-based system is performed on the data providers' side to derive their own local models. These local models are then aggregated by the model provider to generate a global model. By this means, the privacy of data providers can be preserved during the FL training process. However, for the information industry, protecting model security is another critical issue in addition to preserving data privacy. Existing FL-based systems, such as PrivFL and DPFL, fail to provide model security while preserving data privacy. As a result, global models, the valuable assets of model providers, could be stolen or attacked via poisoning attacks, leading to enormous loss.
Hence, this thesis proposes a Privacy Preserving Verifiable Federated Learning Protocol (Priv-VFL) to preserve the data privacy of data providers and the model security of the model provider during the FL training process. By encrypting the global model into an Aggregatable Garbled Circuit (AGC), the model architecture and model weights can be protected, and thus model privacy can be preserved. Moreover, during the FL training process, the AGC ensures the integrity of the global model, which resists poisoning attacks, while a secure aggregation protocol is employed to protect the data privacy of data providers. Security analysis demonstrates that Priv-VFL preserves data and model privacy and prevents the global model from being poisoned even if collusion exists. Experimental results also show that Priv-VFL outperforms security mechanisms that apply homomorphic encryption when performing basic operations or a K-means clustering task. To the best of our knowledge, Priv-VFL is the first protocol that protects both model and data privacy while resisting poisoning attacks even if collusion exists. Hopefully the proposed protocol can be widely applied to improve the development of the information industry.
Bagdasaryan, Eugene, et al. "How to backdoor federated learning." International Conference on Artificial Intelligence and Statistics. PMLR, 2020.
Bhagoji, Arjun Nitin, et al. "Model poisoning attacks in federated learning." Workshop on Security in Machine Learning (SecML), collocated with the 32nd Conference on Neural Information Processing Systems (NeurIPS'18). 2018.
Bonawitz, Keith, et al. "Practical secure aggregation for federated learning on user-held data." arXiv preprint arXiv:1611.04482 (2016).
Bonawitz, Keith, et al. "Practical secure aggregation for privacy-preserving machine learning." Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017.
European Union. "General Data Protection Regulation." Available: https://eugdpr.org/
Fang, Minghong, et al. "Local model poisoning attacks to Byzantine-robust federated learning." 29th USENIX Security Symposium (USENIX Security 20). 2020.
Geyer, Robin C., Tassilo Klein, and Moin Nabi. "Differentially private federated learning: A client level perspective." arXiv preprint arXiv:1712.07557 (2017).
Hard, Andrew, et al. "Federated learning for mobile keyboard prediction." arXiv preprint arXiv:1811.03604 (2018).
Huang, Anbu, et al. "StarFL: Hybrid federated learning architecture for smart urban computing." ACM Transactions on Intelligent Systems and Technology (TIST) 12.4 (2021): 1-23.
Mandal, Kalikinkar, and Guang Gong. "PrivFL: Practical privacy-preserving federated regressions on high-dimensional data over mobile networks." Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop. 2019.
McMahan, Brendan, et al. "Communication-efficient learning of deep networks from decentralized data." Artificial Intelligence and Statistics. PMLR, 2017.
Papernot, Nicolas, et al. "Semi-supervised knowledge transfer for deep learning from private training data." arXiv preprint arXiv:1610.05755 (2016).
Papernot, Nicolas, et al. "Scalable private learning with PATE." arXiv preprint arXiv:1802.08908 (2018).
Rabin, Michael O. "How to exchange secrets with oblivious transfer." IACR Cryptology ePrint Archive 2005/187 (2005).
Microsoft Research. Microsoft SEAL (release 3.6.4). Redmond, WA, May 2021. Available: https://github.com/Microsoft/SEAL
Shafahi, Ali, et al. "Poison frogs! Targeted clean-label poisoning attacks on neural networks." arXiv preprint arXiv:1804.00792 (2018).
Songhori, Ebrahim M., et al. "TinyGarble: Highly compressed and scalable sequential garbled circuits." 2015 IEEE Symposium on Security and Privacy. IEEE, 2015.
Wolf, Clifford. "Yosys Open SYnthesis Suite." (2016). Available: https://yosyshq.net/yosys/
Yao, Andrew Chi-Chih. "How to generate and exchange secrets." 27th Annual Symposium on Foundations of Computer Science (SFCS 1986). IEEE, 1986.
Zheng, Leqian. PracSecure. April 2021. Available: https://github.com/55199789/PracSecure
Zhu, Ligeng, and Song Han. "Deep leakage from gradients." Federated Learning. Springer, Cham, 2020. 17-31.
On-campus access: available from 2027-01-26.