Efficient Privacy-Preserving Federated Learning With Selective Parameter Encryption

We appreciate Reviewer pFrT's valuable suggestions! We sincerely hope that below we have addressed all your questions about our paper and that you can reconsider our paper as a strong candidate.

Weaknesse 1, Question 1, Question 2, Question 3, Question 4, Question 5, Question 6, Question 8, Question 10, and Question 11: Although the paper proposes an method to reduce overhead in privacy-preserving federated learning through Selective Parameter Encryption, it needs to deepen its theoretical analysis and experimental validation. Specifically, it should provide a detailed explanation of how the assumption that model parameters follow a log-normal mixture distribution is utilized in the privacy quantification framework. Additionally, offering mathematical comparisons with differential privacy would substantiate claims of superiority. The paper should include simulations of privacy attacks, such as gradient inversion attacks, to empirically demonstrate the method's effectiveness. Moreover, an in-depth discussion of potential vulnerabilities introduced by partial encryption is necessary, along with a formal security analysis to ensure the method's robustness against sophisticated attacks.

Good point! We would like to emphasize that we have provided a detailed privacy quantification in Section 4 where DP also is compared, along with a UC-Security-based security proof in A.11, A.12, and A.13, which covers a formal threat model, adversary composability, and security properties of our method. In Section 5, empirical evaluations prove the effectiveness of our methods both in efficiency and privacy guarantee. We believe that these are adequate to support our claim.

Also please note that our method is generalized without relying on the finding of the log-normal mixture distribution which is an empirical finding that helps us to understand the privacy behaviors of model parameters in practice.

We will improve the organization of our theoretical proofs for better clarity in our final version.

Question 7: Although the use of Palisade and Tenseal libraries is mentioned, there is no explanation of specific versions and configurations, and why Palisade is selected as the main evaluation object.

Good suggestion! We will include the specific versions of the HE library used in our evaluation and the reason of using Palisade primarily which is because Palisade is an optimized library that has faster computing performance (comparison results in Table 10).

Question 9: It may not be comprehensive enough to reduce attack scores to evaluate privacy protection. Based on the theoretical framework of differential privacy to discuss the possibility and risks of privacy leakage.

Good point! Our framework based on DP has given us a theoretical bound of privacy guarantee, where the empirical attack experiments with attack scores help us validate such theoretical bounds. This practice is analogous to how general differential privacy can be empirically evaluated by conducting database recovery attacks. We have included both in our experimental results in Table 2 and Figure 13-19.

Question 12: In "A.12 Quantifying Negligible Privacy Value in Full Encryption", the author tries to quantify the privacy budget under the condition of quantification, but the derivation process is not clear enough. It is necessary to provide more detailed calculation steps and explain the basis of the selection of each parameter.

Good suggestion! Here we provided a quantification process for the full encryption mode. It would definitely help the readers by including more discussion on how each derivation step is conducted including the detailed theorems from the DP papers mentioned.

We appreciate the valuable feedback from Reviewer 3uEj and we hope we have addressed your concerns below:

Weakness 1 & Question 1: The article does not fully address the risks posed by malicious clients during the negotiation of homomorphic encryption (HE) keys. While the authors propose using a threshold version to mitigate collusion risks, there remains a significant motivation for colluding clients to target a specific client, particularly in scenarios with a small number of clients. How to mitigate the risk of colluded clients stealing a targeted client’s parameters, especially since this is a common issue faced by existing HE-based federated learning solutions?

The key collusion risk is captured by our threat model and it is a standard key problem in homomorphic encryption [1]. With a reasonably sized group of clients and a correctly configured threshold in practice, this risk is bounded by the multi-party threshold. Please note that any future advancements in multi-party HE can be easily integrated into our framework.

In the presence of a malicious adversary, the scenario of colluding clients stealing a targeted client's parameter is considered an "output privacy" problem which our defined threat model here does not consider. However, output privacy is solvable by adding primitives like differential privacy [2], which is already supported by our framework.

[1] Aloufi, Asma, et al. "Computing blindfolded on data homomorphically encrypted under multiple keys: A survey." ACM Computing Surveys (CSUR) 54.9 (2021): 1-37.

[2] Truex, Stacey, et al. "LDP-Fed: Federated learning with local differential privacy." Proceedings of the third ACM international workshop on edge systems, analytics and networking. 2020.

Weakness 2 & Question 2: The method for generating mask maps may lead to inconsistencies in a heterogeneous environment. If clients use the same mask map, it could compromise privacy, especially when sensitive parameters differ across clients. Are mask maps unified across clients after aggregation? If they are, how do you handle differences in sensitive parameters? If not, what happens to the other parameters post-aggregation?

Good point! The mask maps are aggregated (also in encrypted fashion) in a way that reflects the collective sensitivity of all clients, while still allowing for local protection of parameters deemed uniquely sensitive by individual clients. This ensures consistency without compromising client-specific privacy.

Weakness 3 & Question 3: The use of the Hessian matrix to define privacy sensitivity lacks clarity. The correlation between gradient changes and privacy leakage is not sufficiently supported, particularly regarding the behavior of gradients at different training stages.How do gradient changes relate to privacy risk? Could you provide evidence that gradient changes decrease as the model converges, affecting privacy risk?

We use the Hessian matrix to define privacy sensitivity because our focus is on the threat posed by gradient inversion attacks. In such attacks, the goal is to recover users' training data by iteratively updating a dummy input to minimize the difference between the generated gradient (computed with the dummy input) and the true gradient. Therefore, the sensitivity of the generated gradient to changes in the input is crucial, motivating us to measure the sensitivity of the gradient with respect to the input (as represented by part of the Hessian matrix) as an indicator of privacy leakage risk.

Regarding why gradient changes decrease as training converges, this is based on the intuitive notion that gradients generally decrease as training gets close to completion. We have demonstrated the performance of attack at different stages during training (taking transformer3 as an example) in Appendix A.28.

Weakness 4 & Question 4: There is a notable lack of empirical evidence supporting the fitting of the log-normal mixture distribution model to various parameter models. What additional evidence can you provide to support the fitting of the log-normal mixture distribution model to different parameter models?

We apologize if our phrasing caused any confusion. Our intention is not to advocate for using a log-normal mixture distribution specifically for fitting. Instead, we use this distribution as an illustrative example to support our theoretical framework. We chose the log-normal mixture distribution here because it performed well across all models included in our experiments on defense effectiveness (Section 5.3). Our conclusions are based on a comparison of fitting results across common distributions. In Appendix A.17, you can see from the figures on the right that the privacy budget ratio curve for the log-normal mixture distribution fits the true distribution most closely. We omitted the fitting curves for other distributions on the left just to keep the plots clear.

We appreciate Reviewer 1Hx6's valuable suggestions! We sincerely hope that we have addressed all your concerns below and that you could reconsider our paper as a strong candidate.

Weakness 1 & Question 1: Limited Comparative Analysis: The manuscript lacks sufficient depth in referencing and comparing existing selective parameter encryption techniques. While some methods are briefly addressed in Table 9, a more thorough and nuanced comparative analysis is necessary to clearly establish the novelty and advantages of the proposed approach.

Thanks for the suggestion! We have provided a description on the selective encryption used by Nvidia FLARE in both Figure 1 and Figure 9, stating that FLARE provides a layer-level-only selection without a provable and quantifiable privacy guarantee. Due to its layer-level nature, the sensitive parameter selection is coarse, which results in encrypting a larger amount of unnecessary model parameters. To the best of our knowledge, our work and FLARE are the first two concurrent papers that proposed the idea of selective encryption in FL where our work provides a more fine-grained parameter-level selective encryption with quantifiable and provable privacy. We plan to highlight this comparison in the final version of our paper.

Additionally, as explained in Algorithm 1, our framework supports using selective parameter encryption with HE and differential privacy at the same time per users' desired privacy level.

Weakness 2 & Question 2: Lack of Analysis on Parameter Selection Overhead: The introduction of a parameter selection step in the encryption process is not accompanied by a detailed evaluation of the associated overhead. This omission leaves the cost-effectiveness assessment incomplete, particularly regarding practical implementation.

Good point! The parameter selection step mainly consists of parameter sensitivity calculation and encrypted global mask aggregation. Parameter sensitivity is calculated using the formula in Section 3.4 (Step 1) and encrypted global mask aggregation can be regarded as one encrypted weighted sum function (Step 2 in Section 3.4) on local masks in the initialization phase.

Regarding Point 1: Limited Comparative Analysis

Your response provides a comparison with Nvidia FLARE. This effort is commendable. However, I believe that focusing solely on selective parameter encryption schemes within the federated learning context might not fully showcase the advantages of your approach. 

To strengthen the discussion, I suggest broadening the scope to include other existing parameter selection schemes (e.g., methods like Sphinx: Enabling Privacy-Preserving Online Learning over Mobile Devices). Additionally, there are various works in the context of selective parameter encryption for neural networks that may also be relevant. While these schemes are not specifically designed for federated learning, analyzing their feasibility or limitations in this context could provide valuable insights. Explicitly clarifying why these methods cannot be directly adapted or how your approach compares in terms of strengths and weaknesses would significantly enhance the persuasiveness and academic depth of the paper. 

Regarding Point 2: Overhead Analysis of Parameter Selection Steps

Your explanation of the parameter selection steps is clear. However, I believe that a description alone is insufficient. Direct evaluations of the overhead, such as the time required or resource consumption, are crucial for a complete assessment of the method's practicality and overall cost-effectiveness. 

Specifically, I would like to understand how the overhead introduced by the parameter selection step compares to the cost of encrypting a large number of unnecessary parameters, as mentioned in your response. Having a clear, quantitative comparison between these two types of overhead would provide a more intuitive understanding of the trade-offs involved. This comparison is important to justify the practicality of the proposed selective encryption scheme and to better highlight the efficiency gains it offers. 

I appreciate the time and effort you have put into addressing these points. Should you address these concerns adequately, I would be happy to reconsider my evaluation.

Thank you for the additional efforts and clarifications. You have clearly demonstrated the significant optimization of training overhead with selective parameter encryption. I noticed that the presentation of Figure 27.a is slightly unclear and did not entirely help me quickly grasp the specifics. However, considering the overall completeness of your response, this is not a major issue. I believe you have adequately addressed this concern, and I appreciate your attention to detail and improvements. 

Regarding the question on data heterogeneity and model diversity, you mentioned that your approach is capable of handling these scenarios. However, it seems that the paper does not provide explicit experiments or analyses to fully support this claim.

Thank you for your detailed response and for providing additional insights and experimental results. I appreciate the effort to clarify the applicability of your method to diverse models and data distributions. However, I have a few questions:

Clarification on Data Heterogeneity:

My interpretation of "data heterogeneity" primarily pertains to scenarios such as label skew, feature skew, or other variations in data distributions across clients. However, it seems your experiments focus on comparing different datasets (e.g., MNIST, CIFAR-100, WIKITEXT). Could you clarify whether your definition of heterogeneity relates to using the same model across distinct tasks/datasets and observing differences in the encrypted parameters?

Comparison with Explainable Learning Techniques:

Your approach to selectively encrypt the most sensitive parameters is intriguing and well-supported by experimental results. However, could you elaborate on how this differs from explainable learning methods that identify and prioritize important parameters?

Thank you again for your thoughtful response and contributions to this important field.

Synchronization of New Experimental Code
The new experimental setup in the paper is not entirely clear, and providing the corresponding code would greatly help in understanding and verifying the experiments. Has the code for the newly added experiments been synchronized with as part of the supplementary materials?

Anonymity vs. Reproducibility
I noticed the authors mentioned:
"To maintain anonymity of the submission, here we only provide the core code related to HE in our FL system (the rest of the system will give out too many identifiers which is hard to anonymize)."
Will the authors consider releasing the complete code of the system after the anonymity period ends to facilitate reproducibility?

Appreciate the time and effort you have put into addressing these points.

To demonstrate the difference in sensitivity distribution, we use two client data distributions constructed from the ImageNet dataset with 100 images from distinct classes sampled at equal intervals. Distribution 1 contains data with labels of 0 to 4 while Distribution 2 contains data whose labels span across the first 400. The above preliminary experiment adopts this setup as a proof of concept. To further investigate this aspect, experimental setups in the previous work [1, 2] for the FL data heterogeneity can be considered in future work on this topic regarding privacy sensitivity calculation. We have updated our manuscript to reflect this discussion.

We plan to open-source the entire codebase (including newly added experiments during this rebuttal) of this paper and integrate it into our existing open-source platform.

[1] Guleria, Arpit, et al. "On Homomorphic Encryption Based Strategies for Class Imbalance in Federated Learning." arXiv preprint arXiv:2410.21192 (2024). [2] Mendieta, Matias, et al. "Local learning matters: Rethinking data heterogeneity in federated learning." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022.

We thank Reviewer 9HzQ for considering our paper as a strong candidate! We hope we have addressed your point about extending our work to more recent LLMs below:

Weakness 1 and Question 1: The chosen base model, GPT-2, is relatively small, which may limit the generalizability of the results to larger foundational models. Since the paper aims to demonstrate the feasibility of implementing privacy-preserving techniques in foundational models, GPT-2 may not be sufficiently representative of these larger-scale models. I suggest testing the proposed method on a more current, widely used model such as the latest LLaMA 3.2, to provide stronger evidence of its scalability and applicability to modern foundational models.

We acknowledge the point about the generalizability of our results to more recent LLMs. GPT-2 was selected due to its wide recognition and balanced trade-offs between computational requirements and experimental reproducibility. We agree that testing on more recent and larger models, such as LLaMA 3.2, would strengthen the paper's claims. Per our existing experiments, we notice a general trend of privacy/overhead (in Table 1) that similarly larger models might follow. We are considering a follow-up work to analyze the effectiveness of our method on newer/larger models.