Coarsening to Conceal: Enabling Privacy-Preserving Federated Learning for Graph Data

1. The novelty of this paper is quite limited. CPFL is basically a naïve combination of FGC and other FL frameworks.
2. The technical quality of this paper is not good enough. Without proposing brand new methodologies, the paper provides limited theoretical contributions, lacks baseline comparisons, and has some unexplained self-contradictory or counter-intuitive claims/conclusions.
3. The clarity of this paper can be further improved. There are many lengthy and repetitive sentences/paragraphs that can be removed to save space for more important content.

1. The core algorithm primarily involves applying the existing FGC method within the FedGNN framework, with subsequent steps adhering closely to the standard FedAvg approach. This application, while effective, may not introduce substantial methodological innovations beyond the integration of FGC.
2. The threat model is not practical. The attacker should be one of the participants, the third party, or the server. Thus, it is not practical for any of them to access the coarsened data without accessing the original data. A practical attacker may access the model parameters.
3. The statement "Thus we can say that the two dataset $G(V, E)$ and $G_r(V_r, E_r)$ are differentially private" appears to be inaccurate. The coarsened graph and the original graph are not exact neighbors, and there is no definitive guarantee that the model's output satisfies differential privacy under this transformation. Clarification or revision of this theoretical claim is necessary.
4. Certain aspects of the theoretical analysis are unclear. For example, the coarsening ratio $r$ is initially defined as m/p but later referred to as k/P.
5. The experimental evaluation compares CPFL solely with DP-SGD. Including additional privacy-preserving methods such as Secure Multi-Party Computation, Homomorphic Encryption, or noise obfuscation techniques would provide a more comprehensive assessment of CPFL's performance and its computational and communication overheads relative to other approaches.
6. The paper does not clearly delineate the relationship between CPFL's parameters and traditional differential privacy parameters. For instance, as the privacy parameter $\epsilon$ increases, model utility degradation decreases, but this may make it easier for attackers to reconstruct data. Including analysis or conducting privacy attack experiments to explore this relationship would strengthen the study.

1. The discussion on the technical innovation of the method is insufficient. For the framework, graph coarsening is applied only to the client. This raises the question: Is there a bottleneck in transferring the graph coarsening technique from centralized to distributed scenarios? Is this the first work to apply graph coarsening in FL? I also have another hypothesis, that this study aims to reveal the privacy-preserving capability of graph coarsening. Please elaborate on the differences in privacy protection that the proposed method achieves compared to existing graph coarsening techniques.
2. The statement that coarsening can satisfy differential privacy is not rigorous, lacking theoretical and experimental analysis. The paper mostly verifies the privacy protection effect of graph coarsening through experiments. However, for the attack cases proposed in the paper, there is no experimental proof that CPFL can resist these attacks while maintaining performance.
3. The experimental design and result analysis are insufficient. For example, in Table 1, why does FedProx show the same performance in CPFL and DP-SGD (both 0.62)? Why does GCFL+ show the same performance in "All" and CPFL (both 0.73)? In Table 2, does r=0.1 in CPFL correspond to the results of DP-SGD with $\epsilon$=8? Further parameter analysis is needed to clarify, even if DP methods generally perform much worse than the proposed method. CPFL only loses a small amount of performance, how can it be proven that the protection capability of graph coarsening is not limited? Please further provide relevant attack experiments mentioned in point 2 to demonstrate the actual privacy protection.

There are three major issues with this paper:

1. After reading the whole paper, I do not see why graph coarsening is needed in the learning framework that the authors proposed. In Figure 2, it seems that the only information that the server uses is the model parameters uploaded from each client (i.e., the server does model average like FedAvg), then why do we bother sending the coarse graphs $\tilde{\mathcal{D}_k}$ in Equation (7)? The white-box assumption "We assume a robust malicious entity, such as an honest-but-curious server, which lacks direct access to G but has white-box access to both the coarsened graph dataset and the model" does not hold if we do not send $\tilde{\mathcal{D}_k}$ to the server. I do not see the necessity of graph coarsening here, as we can just aggregate the model parameters without privacy concerns. If in practice one sees graph coarsening + FedAvg performs better than plain vanilla FedAvg on some datasets, it would be because graph coarsening serves as a graph denoising step that improves the model performance on each client anyhow, which has nothing to do with FL. In general, I do not believe training on graph coarsening + FedAvg would outperform FedAvg, as the coarse graph is not used at all in the proposed FL framework. Nevertheless, I do think graph coarsening could be helpful if some new designs are adopted on the server side, but not in the current framework.

2. The theory part of this paper is very weak. The proof of the privacy guarantees is described in words instead of rigorous derivations. For example, line 303-305 "This signifies that the reconstructed graph retains a similar number of nodes as the original graph, but contains more edges compared to the original graph. Thus we can say that the two dataset G(V, E) and Gr(Vr, Er) are differentially private.", this is not how edge-DP is proved, and if it is really the case, what is the value of $\varepsilon$ in this case? Furthermore, I do not quite understand what message line 308-360 wants to convey. The sensitivity analysis is used in the wrong way and the conclusion is confusing.

3. The whole framework is a simple combination of FGC + FedAvg applied to federated graph classification problems without in-depth explanations, making the contribution of this paper limited.

One minor comment is that the notations in the paper should be consistent. For example, on page 7, I believe $P$ should be $p$, $d$ should be $n$, and $k$ should be $m$.