Privacy-Enhanced Federated Learning: A Restrictively Self-Sampled and Data-Perturbed Local Differential Privacy Method

Abstract

As a popular distributed learning framework, federated learning (FL) enables clients to conduct cooperative training without sharing data, thus having higher security and enjoying benefits in processing large-scale, high-dimensional data. However, by sharing parameters in the federated learning process, the attacker can still obtain private information from the sensitive data of participants by reverse parsing. Local differential privacy (LDP) has recently worked well in preserving privacy for federated learning. However, it faces the inherent problem of balancing privacy, model performance, and algorithm efficiency. In this paper, we propose a novel privacy-enhanced federated learning framework (Optimal LDP-FL) which achieves local differential privacy protection by the client self-sampling and data perturbation mechanisms. We theoretically analyze the relationship between the model accuracy and client self-sampling probability. Restrictive client self-sampling technology is proposed which eliminates the randomness of the self-sampling probability settings in existing studies and improves the utilization of the federated system. A novel, efficiency-optimized LDP data perturbation mechanism (Adaptive-Harmony) is also proposed, which allows an adaptive parameter range to reduce variance and improve model accuracy. Comprehensive experiments on the MNIST and Fashion MNIST datasets show that the proposed method can significantly reduce computational and communication costs with the same level of privacy and model utility.

1. Introduction

Machine learning has injected a strong impetus into the practical application of artificial intelligence (AI), such as computer vision, automatic speech recognition, natural language processing, and recommender systems [1,2,3,4]. The success of these machine learning techniques, especially deep learning, is based on a large quantity of data [5,6,7,8]. However, the development of data-driven AI still faces two significant challenges: privacy issues and data silos [9].

Federated learning (FL), a new paradigm for privacy-preserving AI applications, aims to break down the two barriers. Nowadays, the intelligence of network edge devices has been dramatically improved [10,11,12]. Smartphones, wearable devices, sensors, and other devices have the necessary computing and communication capabilities. The popularity of IoT applications has promoted the rapid development of the FL framework with the core concept of decentralization [13,14,15,16]. However, federated learning still has privacy issues, even if the data are kept locally. Studies have shown that if the data structure is known in federated learning, then the shared gradient information may also be exploited, leaking additional details on the training data, such as model inversion attacks [17,18].

Differential privacy (DP) has received much attention because it provides a rigorous, quantifiable privacy-preserving method independent of the background knowledge of attacks [19]. With the development of machine learning, DP has become an active research area in privacy-preserving machine learning [20]. Nevertheless, traditional centralized differential privacy (CDP) is not suitable for FL, first because a trusted server may not exist and second because the noise accumulation at each round of aggregation causes the utility to decrease. Satisfying DP, local differential privacy (LDP) further resists privacy leakage from an untrustworthy server. In federated learning with LDP (LDP-FL), the models of the clients are subjected to a data perturbation mechanism before uploading to the server to ensure that the aggregator cannot infer more information from the model. Existing LDP-FL research has achieved specific results [21,22,23,24]. Some personalized differentially private federated learning algorithms have been proposed for complex models [25,26] and non-uniform sampling processing [27]. However, utility decline should always be a rub and challenge. Some of the research has relaxed the privacy levels for utility optimization [28,29,30].

Truex et al. integrated LDP into a federated learning system for jointly training deep neural networks. Their approach efficiently handles complex models and adversarial inference attacks while achieving personalized LDP. In addition, Wang et al. proposed FedLDA, a latent Dirichlet allocation (LDA) model based on LDP in federated learning. FedLDA employs a novel random response with priors that ensures the privacy budget is independent of the dictionary size and dramatically improves accuracy through adaptive and non-uniform sampling processing. To improve the model fitting and prediction of the scheme, Bhowmick et al. proposed a relaxed LDP mechanism. Li et al. introduced an efficient meta-learning LDP mechanism that can be used to implement personalized federated learning. LDP can be used to prevent gradients from leaking privacy for federated stochastic gradient descent (FedSGD) [31]. However, the increase in dimension d causes the privacy budget to decay rapidly, the noise scale to increase, and the accuracy of the learned model to decline. Therefore, Liu et al. proposed FedSel, selecting only the most essential k dimensions to stabilize the learning process. Recently, many studies focusing on the data perturbation mechanism to improve the model’s utility have achieved good results, such as those of Laplace [19], Duchi et al. [32], Harmony [33], PM [34], and HM [34]. The data perturbation mechanism design tries to make the aggregating disturbance statistical results meet specific usability requirements by adding positive and negative noise to individual values. They devote themselves to improving asymptotic error boundaries under private premises. However, their weaknesses include low communication efficiency and poor adaptability in complex deep learning models, since the range of model parameters for different neural network layers varies widely. Assuming a fixed range for the model parameters will introduce significant variance in the estimates, resulting in a decrease in model accuracy [35]. An adaptive method has been proposed that allows the clients in each round to adaptively select the perturbation parameters according to the model training. However, the existing process, such as Adaptive-Duchi, requires that all model information be uploaded to the server after each data perturbation, causing higher time and space complexity.

Aside from that, a technique of privacy amplification has received extensive attention for improving the model utility [36,37,38]. Based on the anonymity mechanism, the shuffler scrambles the model parameters of different clients before the global model is updated. It effectively improves the model utility of federated learning without consuming the privacy budget. Another mechanism that can amplify privacy is the client self-sampling mechanism, which realizes local differential privacy by randomly deciding whether to share updates during each iteration [39]. The latest LDP-FL based on client self-sampling theoretically proves the improvement of the privacy level and performance through the shuffler and client self-sampling design. Nevertheless, the current client self-sampling technology has some shortcomings in setting the self-sampling probability, which needs a detailed analysis of the relationship between the number of participating clients and the model’s utility. Wei et al. have shown the relationship between the number of clients participating and the model performance through detailed experimental and theoretical proof [40]. However, the existing methods [39] roughly set the client participation probability to a (0, 1) interval, which leads to a decline in the convergence and accuracy of the federated model. Moreover, more client participation is needed to avoid resource waste in the training scenario.

Building trustworthy federated learning that meets the requirements of privacy, performance, and efficiency has become the focus of future research [9]. Therefore, our study aims to balance privacy, utility, and efficiency through the optimization of federated learning. We propose an efficiency-optimized data perturbation mechanism (Adaptive-Harmony) which allows an adaptive parameter range to reduce variance and improve model accuracy. Furthermore, it randomly selects a dimension at each model layer and applies noise according to the parameter settings. Then, we keep the remaining dimensions to fixed values. As a result, this effectively reduces the communication cost with the server. We perform theoretical analysis and proofing to show that Adaptive-Harmony holds the advanced asymptotic error bounds and convergence performance with minimal communication costs. On this basis, a novel federated learning framework (i.e., Optimal LDP-FL) is proposed. In the framework, we use Adaptive-Harmony to provide the private local parameters with minor computational costs during the local model update. We introduce a parameter-shuffling mechanism that improves privacy by countering model-tracking attacks and improving communication efficiency under the same privacy level and model utility. We also propose a restrictive client self-sampling technology, which improves the shortcomings of existing methods in studying client self-sampling probability by further refining the quantitative relationship between self-sampling probability, convergence, and accuracy. It limits a more reasonable range of self-sampling probability, removes the assumption of a single datum in the past theoretical framework, extends the existing theoretical research to practical application, and improves the utility of federated learning in both theoretical and practical applications. We perform comprehensive experiments on the MNIST and Fashion MNIST datasets to verify and evaluate our algorithm from the utility, privacy budget, and communication cost. The results show that the proposed method can significantly reduce computational and communication costs with the same privacy and model utility level.

To be precise, our main contributions are as follows:

• We propose a novel LDP-FL, which integrates an efficiency-optimized data perturbation and a parameter-shuffling mechanism, and client self-sampling technology in the federated learning process to improve model utility and reduce communication costs, ensuring privacy.
• We propose an efficiency-optimized data perturbation algorithm, which supports perturbing parameter adaptive selection and minimum parameter transmission to hold the advanced asymptotic error boundary and improve communication efficiency.
• We propose restrictive client self-sampling technology which limits the range of self-sampling probability to a more reasonable one to improve the utility.
• We verify our method’s efficiency, privacy, and performance from theoretical and practical aspects. We analyze the asymptotic error boundary and communication cost and prove that our unbiased algorithm satisfies LDP. We also evaluate our algorithm on multiple databases from the utility, privacy budget, and communication cost standpoints.

2. Background and Related Works

2.1. Federated Learning

Federated learning aims to build a global model over data distributed across multiple clients without sending the raw data to any centralized server. The performance of the global model should approximate the ideal model’s performance adequately. FedAvg [41] is widely used in aggregating the models from clients. Supposing that there are K clients in a horizontal federated learning system, let ${\mathcal{D}}_k$ denote the data set owned by the kth client and ${\mathcal{P}}_k$ denote the index set of data points located in the kth client. Let $n_k={\mathcal{P}}_k$ denote the base number of ${\mathcal{P}}_k$; that is, we assume that the kth client has $n_k$ data points. Thus, when there are K clients in total, the loss function $f\left(w\right)$ can be written as in Equation (1):

$$f\left(w\right)=\sum _{k=1}^K\frac{n_k}{n}{F}_k\left(w\right),F_k\left(w\right)=\frac{1}{n_k}\sum _{i\in {\mathcal{P}}_k}{f}_i\left(w\right)$$

(1)

We assume that the server has the initial model and that the clients know the optimizer settings. For each client, it contains its private dataset. Based on Equation (2), each local client updates their local models by the weight ${\overline{w}}_t$ from the server. For a typical implementation of FedAvg with a fixed learning rate $\eta$, when updating the global model parameters at round t, the kth client will compute $g_k$, the average gradient of its local data at the current model parameter $w_t$. Each local model uses gradient descent to optimize the distinct local models’ weights in parallel and sends the local weights $w_{t+1}^{\left(k\right)}$ to the server:

$$\forall k,w_{t+1}^{\left(k\right)}\leftarrow {\overline{w}}_t-\eta g_k$$

(2)

Next, the server calculates the weighted average of each model weight according to Equation (3) and sends the aggregated weights ${\overline{w}}_{t+1}$ to each client. The training process of a federated learning system typically consists of local update, local upload, server update, and server broadcast:

$${\overline{w}}_{t+1}\leftarrow \sum _{k=1}^K\frac{n_k}{n}{w}_{t+1}^{\left(k\right)}$$

(3)

2.2. Differential Privacy

Differential privacy was developed in the context of statistical disclosure control, which Dwork first proposed in 2006 [19]. For its information theory guarantee, it has been widely used to enhance data privacy in machine learning with its simplicity and low cost. The mechanisms of DP in federated learning are mainly classified into LDP [42] and CDP [19]. The traditional Laplacian mechanism of CDP can be used in FL. Each user’s data are disturbed by random noise based on the specific distribution in the mechanism. However, CDP must be based on trusted data collectors. In the case of highly sensitive machine learning models, the assumption of trusted data collectors is challenging to uphold [40,43]. Therefore, there is an urgent need for a privacy-preserving method to withstand untrustworthy third-party data collectors in the sensitive model aggregation problem. LDP is well suited for the decentralized federated learning scenarios and is naturally applicable in FL:

Definition 1

($ϵ$-CDP). For two datasets D and $D^{\prime }$ that differ by only one record, a randomization mechanism $\mathcal{M}$ satisfies ϵ-CDP and for all $S\subset Range\left(\mathcal{M}\right)$ such that we have

$$Pr[\mathcal{M}\left(D\right)\in S]\le Pr[\mathcal{M}\left(D^{\prime }\right)\in S]\times e^{ϵ}$$

(4)

where ϵ denotes the privacy budget.

Definition 2

($ϵ$-LDP). A random function satisfies ϵ-LDP if and only if, for any two input tuples $t,t^{\prime }\in \mathrm{Dom}\left(f\right)$ and in any case f, the output $t^{*}$ satisfies

$$\frac{Pr[f\left(t\right)=t^{*}]}{Pr[f\left(t^{\prime }\right)=t^{*}]}\le e^{ϵ}$$

(5)

DP introduces noise to the data, ensuring privacy but damaging the utility. Existing research has shown the algorithm has better privacy guarantees with small $ϵ$, which means large noise injection. However, Jayaraman et al. [44] found that few existing DP mechanisms for machine learning have an acceptable degree of a utility-privacy tradeoff. Therefore, balancing the utility and privacy is still an open issue for DP mechanism design in machine learning.

2.3. Data Perturbation in LDP

The current implementation of LDP in federated learning is mainly based on the data perturbation mechanism to perturb the local models and upload the perturbed models to the server to complete the aggregation [45,46]. Since the process of server model aggregation belongs to mean value estimation, the LDP mechanism applied in this process should also support mean statistical queries on continuous-type data. Duchi et al. [32] proposed a mean estimation method based on LDP. That aside, existing mean estimation methods include Laplace [19], Harmony [33], PM [34], and HM [34], which have achieved some results.

The main idea of Duchi et al. was to use a random response technique to perturb each user’s data according to a certain distribution probability while ensuring unbiased estimation. Each data tuple $V^i\in {[-1,1]}^d$ is perturbed to contain the noisy tuple ${\widehat{V}}^i\in {\{-B,B\}}^d$, where B is determined by the data dimension d and the privacy budget $ϵ$, as calculated in Equations (6) and (7):

$$B=\left\{\begin{array}{cc}\frac{2^d+C_d·\left(e^{ϵ}-1\right)}{\left(\begin{array}{c}d-1\\ (d-1)/2\end{array}\right)·\left(e^{ϵ}-1\right)},\hfill & \mathrm{if}d\mathrm{is}\mathrm{odd}\hfill \\ \frac{2^d+C_d·\left(e^{ϵ}-1\right)}{\left(\begin{array}{c}d-1\\ d/2\end{array}\right)·\left(e^{ϵ}-1\right)},\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(6)

where

$$C_d=\left\{\begin{array}{cc}{2}^{d-1},\hfill & \mathrm{if}d\mathrm{is}\mathrm{odd}\hfill \\ 2^{d-1}-\frac{1}{2}\left(\begin{array}{c}d\\ d/2\end{array}\right),\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(7)

Although Duchi et al.’s mechanism can achieve LDP and has asymptotic error bounds, it is relatively complex. Nguyên et al. [33] have shown that Duchi et al.’s mechanism does not satisfy $ϵ$-LDP when d is even. Nguyên et al. proposed a possible solution and their redefinition of the Bernoulli variables u according to Equation (8):

$$Pr[u=1]=\frac{e^{ϵ}·C_d}{\left(e^{ϵ}-1\right)C_d+2^d}$$

(8)

In addition, Nguyên et al. proposed the Harmony mechanism [33], which can achieve the same privacy level and asymptotic error bounds by a more straightforward method when estimating multidimensional data using LDP. Furthermore, Wang et al. [34] further proposed the PM mechanism, which has lower variance and is easier to implement than that of Duchi et al. The Laplace mechanism and Duchi et al.’s mechanism are costly. In contrast, the Harmony and PM mechanisms are less costly. For d dimensional data, the Laplace mechanism has the most significant asymptotic error bound. In contrast, the error bounds of the other three mechanisms are lower than those of the Laplace mechanism. However, all of the above methods assume a fixed range of inputs for simplicity, and we believe that this setting has a detrimental effect on the accuracy of the neural network model.

2.4. Privacy Amplification

LDP provides privacy guarantees for federated systems with untrustworthy servers [47]. However, improving the performance of LDP-FL is necessary, since LDP makes further utility decline [48]. Privacy amplification mechanisms have been proposed to enhance the utility in LDP-FL [38,49,50]. One kind of privacy amplification mechanism is called shuffling, first derived from the Encoding, Shuffle, Analyze (ESA) architecture [51]. The shuffling model amplifies privacy through anonymization. It shuffles the local update before severe aggregation, thus preventing potential attackers from associating parameter information with individual clients. Existing LDP-FL studies based on shuffling models have improved model utility while ensuring privacy, such as model shuffling and parameter shuffling [38]. In particular, a parameter-shuffling mechanism further enhances privacy based on model shuffling. Another mechanism to amplify privacy is through randomized sampling [49], including sampling by data centers acting as servers and client self-sampling [39]. The mainly used client self-sampling realizes a participant anonymity mechanism and the effect of saving the privacy budget and enhancing utility, which avoids client coordination while keeping confidential to the server. However, the existing self-sampling is insufficient in the probability by roughly setting it within (0,1), which has theoretical and practical problems. Theoretically, suppose the participation probability is too low and even approaching zero. In that case, the number of participants in each iteration is too small, which means the algorithm needs more training iterations to achieve convergence, and the accuracy of the global model will decrease. From the perspective of application scenarios, training with too few participants results in a waste of resources. Therefore, federated learning combined with privacy amplification and efficiency enhancement becomes an urgent need. The existing methods are inadequate in setting client self-sampling probability.

3. Optimal LDP-FL

3.1. Outline

As we discussed above, the existing research remains on the problem of balancing privacy and utility. For this reason, we design a horizontal federated learning framework, Optimal LDP-FL, to address the privacy, utility, and efficiency issues and rival reconstruction attacks, model inversion, and parameter tracing. In Optimal LDP-FL, we propose a novel data perturbation mechanism (Adaptive-Harmony) in the local update, making significant efficiency improvements while satisfying LDP. In addition, it also introduces the parameter-shuffling mechanism, which can save the privacy budget, thus significantly improving the model utility. We also introduce client self-sampling in Optimal LDP-FL and propose a client self-sampling technique with restrictive probability to achieve utility optimization. Clients perform self-sampling to determine whether they participate in the local update and global update in this training iteration. The server remains ignorant of the participating clients when aggregating the model. Moreover, we restrict the client self-sampling probability to a more reasonable range to improve the performance of the global model while maintaining a high privacy level. In Section 3.4, we will describe the restrictive client self-sampling technology in detail. The architecture of our framework is shown in Figure 1.

3.1.1. Local Update

Each client has his or her private training data. In each round of communication, the selected client updates the local model with the weights from the server. Next, different local models are optimized in parallel for each local model using stochastic gradient descent (SGD). LDP requires that each client not pass data and weight to each other and keep them secret from the untrustworthy server by data perturbation. Therefore, the algorithm provides privacy based on data perturbation by applying noise to the weights from the clients. After the server collects multiple models, their noise cancels each other to achieve the model accuracy.

In the process of a local update, we propose a new data perturbation algorithm, namely Adaptive-Harmony, which can satisfy the $ϵ$-LDP and the asymptotic error bound of $O\left(\frac{\sqrt{dlog(d/\beta )}}{ϵ\sqrt{n}}\right)$ under the condition of improving the communication efficiency of the algorithm to $O\left(1\right)$. In Section 3.2, we will describe Adaptive-Harmony with privacy and utility analysis in detail.

3.1.2. Global Update

The server randomly initializes the weights at the beginning. Let n be the number of clients, and during the rth round of communication, the server randomly selects $k_r\le n$ clients for communication. These clients upload the weights to the server in preparation for updating the local model in the next round. During this process, the server does not know the exact identity of the clients, as the clients remain anonymous to the server.

In order to improve the global model utility, we introduce a parameter-shuffling mechanism into the global update process, by which the uploaded models are shuffled at the parameter level. Compared with the model-shuffling mechanism, parameter shuffling provides a better privacy amplification effect. Each client will split the weights of the local model and send them to the server anonymously after a random delay. In Section 3.3, we will describe the parameter-shuffling mechanism in detail.

Algorithm 1 gives the process of implementing the above Optimal LDP-FL framework, in which Line 5 performs clients self-sampling to determine whether the clients participate in local model updates and global aggregation in the training iteration, Line 20 performs parameter shuffling, and Line 19 performs data perturbation.

3.2. Adaptive-Harmony

Due to the complexity of deep neural networks, the range of weights varies significantly for each layer in the model. Assuming a fixed range of weights would introduce a significant variance in the model aggregation process, resulting in poor model accuracy. Sun et al. [35] first proposed the concept of weight range adaption and applied it to Duchi et al.’s mechanism, and we named it “Adaptive-Duchi” in this paper.

3.2.1. Adaptive-Duchi

Given the weights W of the model, the mechanism adds random noise to all d dimensions of W and outputs perturbed weights $W^{*}$. Let the mechanism be $\mathcal{M}$, and for each $w\in W$, determine c and r such that $w\in [c-r,c+r]$, where c is the center of w and r is the radius. Both depend specifically on the method of clipping the weight. Therefore, they designed the following mechanism to perturb w in Equation (9):

$$\begin{array}{cc}\hfill w^{*}& =\mathcal{M}\left(w\right)\hfill \\ \hfill & =\left\{\begin{array}{c}c+r·\frac{e^{ϵ}+1}{e^{ϵ}-1},\mathrm{w}.\mathrm{p}.\frac{(w-c)\left(e^{ϵ}-1\right)+r\left(e^{ϵ}+1\right)}{2r\left(e^{ϵ}+1\right)}\hfill \\ c-r·\frac{e^{ϵ}+1}{e^{ϵ}-1},\mathrm{w}.\mathrm{p}.\frac{-(w-c)\left(e^{ϵ}-1\right)+r\left(e^{ϵ}+1\right)}{2r\left(e^{ϵ}+1\right)}\hfill \end{array}\right.\hfill \end{array}$$

(9)

where $w^{*}$ is the weight after perturbation and “w.p.” stands for “with probability”. The mechanism adds noise to all dimensions of W, so the communication cost of the method is $O\left(d\right)$, which means that the full model information must be uploaded to the cloud after each data perturbation. When the data dimension is high, both the time and space complexity are high, so this mechanism is not suitable for high-dimensional data.

Algorithm 1: Optimal LDP-FL

3.2.2. Adaptive-Harmony

We propose the Adaptive-Harmony data perturbation mechanism, which improves the adaptive range based on the Harmony data perturbation mechanism. If the range of weights is adaptive, then the client can choose different c and r values for each weight in each round, and these two values depend on the way we clip the gradients. Unlike Duchi et al’s mechanism, for each dimension of the weights, only one bit of data needs to be transmitted to the subsequent process, thus significantly reducing the communication cost. Moreover, the mechanism achieves equally capable privacy-preserving and asymptotic error bounds compared to Adaptive-Duchi. In Section 4, we will analyze the privacy, unbiasedness, and asymptotic error bounds of Adaptive-Harmony.

The main idea of the algorithm is that given the weights W of the model, noise is added by randomly sampling one of the $\left[d\right]$ dimensions of W in j, and the algorithm outputs a perturbed tuple $W^{*}$, which contains non-zero values only in the jth dimension. In particular, $w_j$ is randomly selected from $\left[d\right]$ dimensions of W, so $w_j$ obeys the following distribution in Equation (10):

$$Pr\left[\frac{w^{*}-c}{r}=x\right]=\left\{\begin{array}{cc}\frac{(w-c)/r·\left(e^{ϵ}-1\right)+e^{ϵ}+1}{2e^{ϵ}+2},\hfill & \mathrm{if}x=\frac{e^{ϵ}+1}{e^{ϵ}-1}·d\hfill \\ \frac{-(w-c)/r·\left(e^{ϵ}-1\right)+e^{ϵ}+1}{2e^{ϵ}+2},\hfill & \mathrm{if}x=-\frac{e^{ϵ}+1}{e^{ϵ}-1}·d\hfill \end{array}\right.$$

(10)

The above mechanism shows that for a randomly chosen weight $w_j$, the output $W^{*}$ contains only one non-zero value and only two possible values for it. Therefore, the data perturbation mechanism only needs to transfer the non-zero values and their positions to the subsequent process, so the communication cost of the mechanism is $O\left(1\right)$. Moreover, under the premise of uniform randomness of the $w_j$ selection process, the correctness of the method does not depend on the selection of $w_j$.

To describe of the difference between these two mechanisms more specifically, we assume that the model $M=[W_1^d,W_2^d,\cdots ,W_n^d]$ has n layers, each with $d_i$ dimensions such that $w_j^{*+}=c+r·\frac{e^{ϵ}+1}{e^{ϵ}-1}$ and, similarly, $w_j^{*-}=c-r·\frac{e^{ϵ}+1}{e^{ϵ}-1}$. According to Duchi et al.’s mechanism, we have Equation (11):

$$M^{*}=\left[\mathcal{M}\left(W_1^{d_1}\right),\mathcal{M}\left(W_2^{d_2}\right),\cdots ,\mathcal{M}\left(W_n^{d_n}\right)\right]=\left[\begin{array}{cccc}{w}_1^{*+}& w_1^{*-}& \cdots & w_1^{*-}\\ w_2^{*+}& w_2^{*+}& \cdots & w_2^{*-}\\ ⋮& ⋮& \ddots & ⋮\\ w_{d_1}^{*+}& w_{d_2}^{*-}& \cdots & w_{d_n}^{*+}\end{array}\right]$$

(11)

Equation (11) shows that all positions of $M^{*}$ have the value $w_j^{*+}$ or $w_j^{*-}$ and are related to the unperturbed M at the corresponding positions. The privacy budget is equally distributed to each w. Therefore, the time complexity and the communication cost of this mechanism are both $O\left(nd\right)$. By contrast, in the Adaptive-Harmony mechanism we proposed, the privacy budget is assigned only to non-zero values such that $w_j^{*+}=c+d·r·\frac{e^{ϵ}+1}{e^{ϵ}-1}$, and similarly, $w_j^{*-}=c-d·r·\frac{e^{ϵ}+1}{e^{ϵ}-1}$ can be obtained. Therefore, we have Equation (12):

$$M^{*}=\left[\mathcal{M}\left(W_1^{d_1}\right),\mathcal{M}\left(W_2^{d_2}\right),\cdots ,\mathcal{M}\left(W_n^{d_n}\right)\right]=\left[\begin{array}{cccc}{w}_1^{*+}& 0& \cdots & 0\\ 0& 0& \cdots & w_2^{*-}\\ ⋮& ⋮& \ddots & ⋮\\ 0& w_{d_2}^{*-}& \cdots & 0\end{array}\right]$$

(12)

Equation (12) shows that each layer $W_i$ of $M^{*}$ has one and only one dimension with non-zero values, so the time complexity and communication cost of each layer is $O\left(1\right)$, and the total time complexity and communication cost is $O\left(n\right)$, although for a single model, the weights after perturbation deviate too much and are too sparse compared with those before perturbation, making them almost unusable for neural networks. However, when enough clients upload the model for aggregation, this deviation can be offset by mean estimation, thus restoring the high availability of the model.

Algorithm 2 gives the implementation of the Adaptive-Harmony data perturbation mechanism.

Algorithm 2: Adaptive-Harmony

According to Algorithm 2, there are only two possible values for each non-zero weight. Since the perturbation algorithm is known, the server only needs to obtain the direction of the perturbation to calculate these values using known c, d, and r values. Therefore, the position corresponding to the perturbed model contains only one bit of information, and therefore, the proposed method dramatically improves the efficiency of the algorithm.

3.3. Parameter Shuffling

In federated learning, the clients are required to upload gradient updates to the server in multiple iterations. Therefore, the privacy budget will accumulate in LDP-FL, resulting in an explosion in the total privacy budget. The studies in [38,51] show that, overall, privacy is effectively improved when data are transmitted anonymously at each point in time and are not associated with a transmission time.

However, Sun et al. [35] argue that the clients’ anonymity is insufficient to prevent side channel attacks. If clients upload models simultaneously in each aggregation, then the server can still associate a large number of weight updates together to distinguish specific clients.

As shown in Figure 2, for the local models $M_1$, $M_2$, $M_3$, and $M_4$, each model has the same structure but different weights. As shown in Figure 2a, the clients send the total weights to the server in the original federated learning. The researchers in Figure 2b [36,37,38] ensure the anonymity of the communication between the clients and the server by model shuffling. However, the work of these researchers does not consider privacy amplification in the high dimensionality of deep neural networks. Therefore, we introduce a local parameter-shuffling mechanism to break the connection between weight updates from the same clients and mix them with weight updates from other clients, thus making it more difficult for the server to combine multiple weight updates and infer more information about any client. To avoid servers tracking specific clients based on a large number of weight updates in a short period, we should employ parameter shuffling, which is performed in two steps as shown in Figure 2c. In the first step, each client splits the weights of the local model and marks each weight with $id$ to indicate the positions of the weights in the network structure. In the second step, each client samples a small random delay t for each weight from a uniform distribution $U(0,t)$, where $t>0$ and waits for a time t before sending the weights to the server. Since all uploads are made randomly in the same period, the server cannot distinguish them by upload time and cannot correlate weight updates from the same client.

Algorithm 3 gives the implementation of the above parameter shuffling mechanism.

Algorithm 3: Parameter Shuffling

3.4. Restrictive Client Self-Sampling

In this paper, restrictive client self-sampling technology is introduced in Optimal LDP-FL. In the traditional client self-sampling, each client tosses a coin in each iteration and participates in the subsequent training process if the coin turns to heads. The data in clients’ local datasets also participate randomly in local updates with a certain probability. Since a client decides to participate or not participate locally, the server does not need to coordinate all clients to achieve LDP:

Definition 3

(Client Self-Sampling Probability). The client self-sampling probability $q_1$ is the probability of each client’s participation in each iteration, where m clients perform self-sampling with the probability $q_1$ to determine whether to participate in this iteration. Assuming that x out of m clients participate in an iteration, then we have $q_1=\frac{x}{m}$.

Definition 4

(Client Data Sampling Probability). The client data sampling probability $q_2$ is the probability of data participating in training among the overall dataset $\mathcal{D}$. For any client i in each iteration, y entries of data are selected from ${\mathcal{D}}_i$ to participate in training, assuming that each client contains r data entries in total, and therefore $q_2=\frac{xy}{mr}=\frac{q_{1}y}{r}$.

However, in the existing client self-sampling technology, the value of the client self-sampling probability $q_1$ is roughly set to (0, 1), which causes both theoretical and practical problems. From a theoretical point of view, the number of participants in federated learning has a significant impact on the model’s performance. Furthermore, considering the practical application scenario, where the number of client participants is too small, it wastes resources, and such circumstances do not conform to the realistic federated scenario. Therefore, we conducted a thorough study on the range of $q_1$. Wei et al. [40] studied the relationship between the number of clients participating and the model performance in detail. Based on this, we drew the following conclusions according to the user self-sampling scenarios in Theorem 1:

Theorem 1.

There is a positive correlation between the number of participants and the convergence. In other words, the larger the number of participants, the higher the convergence. The global model accuracy changes with the number of participants as a convex function curve. Its inflection point occurs when the number of participants approaches the total number of clients.

Proof. 

Since the convergence of the global model approximates to the optimum when $x\to m$ and $q_1=\frac{x}{m}$, the convergence of the global model approximates to optimal when $q_1\to 1$. As $q_1=\frac{x}{m}$, the relationship between the global model accuracy and $q_1$ is also convex. To obtain the optimal global model accuracy, the value of $q_1$ should be placed in (0.5, 1).    □

We drew the conclusions as follows according to Theorem 1. Based on these theoretical analysis, we present a restrictive client self-sampling algorithm with a client self-sampling probability $q_1$ in a specific range of (0.5, 1), as shown in Algorithm 4. According to the theorem of parallel composition in DP, increasing the number of participating clients does not consume the privacy budget. Therefore, Algorithm 4 can acquire optimal convergence and global accuracy while guaranteeing a consistent privacy level.

• There exists an optimal $q_1$ that renders an optimal performance, since in an FL system with m clients, there is the optimal number of participating clients x which optimizes the performance. Therefore, for $q_1=\frac{x}{m}$, there is an optimal $q_1$ range that guarantees the best convergence and model accuracy.
• When the number of participants approaches all participants, the performance is optimal. Therefore, the optimal FL model performance (i.e., convergence and model accuracy) can be achieved when restricting the optimal $q_1$ range to $(0.5,1)$.

Algorithm 4: Restrictive Self-Sampling

4. Utility Analysis

4.1. Privacy Analysis

We prove that the Adaptive-Harmony mechanism $\mathcal{M}$ meets the definition of LDP when the weights take values in the range of $\left[c-r,c+r\right]$:

Theorem 2.

Given an arbitrary number $w\in \left[c-r,c+r\right]$, where c is the center of the range of values of w and r is the radius of that range, the range is denoted as $\left[c-r,c+r\right]$ when the mechanism $\mathcal{M}$ conforms to the definition of ϵ-LDP.

Both $ϵ$ and r affect the privacy level, where $ϵ$ determines how well the data are hidden in a “crowd” and r determines the size of the “crowd”. Assuming that the true average weight in each $w\in W$ during the iteration is $\overline{w}=\frac{1}{n}{\sum }_u{w}_u$, the LDP mechanism in Equation (10) implements the average weight $\overline{\mathcal{M}\left(w\right)}=\frac{1}{n}{\sum }_u\mathcal{M}\left(w_u\right)$ for unbiased estimation:

Lemma 1.

Algorithm 2 satisfies ϵ-LDP.

Proof. 

Let $W^{*}$ be the output of this algorithm and $w^{*}$ be the only value in $W^{*}$ that is not 0. Let W and $W^{\prime }$ be any two tuples and u and $u^{\prime }$ be the Bernoulli variables generated by the input W and $W^{\prime }$ in line 3 of this algorithm. The following proof is for the case $w^{*}=c+d·r·\frac{e^{ϵ}+1}{e^{ϵ}-1}$, and the other case is proved by the same reasoning.

According to the algorithm, we have Equation (13):

$$\begin{array}{cc}\hfill \frac{Pr\left[W^{*}\mid W\right]}{Pr\left[W^{*}\mid W^{\prime }\right]}& =\frac{1/d·Pr[u=1\mid W]}{1/d·Pr\left[u^{\prime }=1\mid W^{\prime }\right]}\hfill \\ \hfill & \le \frac{{max}_{W}Pr[u=1\mid W]}{{min}_{W^{\prime }}Pr\left[u^{\prime }=1\mid W^{\prime }\right]}\hfill \\ \hfill & =\frac{{max}_{w\in \left[c-r,c+r\right]}\left(\left(w-c\right)/r·\left(e^{ϵ}-1\right)+e^{ϵ}+1\right)}{{min}_{w^{\prime }\in \left[c-r,c+r\right]}\left(\left(w^{\prime }-c\right)/r·\left(e^{ϵ}-1\right)+e^{ϵ}+1\right)}\hfill \\ \hfill & =e^{ϵ}\hfill \end{array}$$

(13)

□

4.2. Utility Analysis

Model aggregation is the process of estimating the mean value of the weights. In order to maximize model utility, the data perturbation mechanism should satisfy two conditions: unbiasedness and the smallest possible asymptotic error bound. In the following, the unbiasedness of the Adaptive-Harmony algorithm will be demonstrated.

Let $D=\{W^1,W^2,\cdots ,W^N\}$ be the weights of all clients and N be the number of clients. Each tuple $W^i=(w_1^i,w_2^i,\cdots ,w_d^i)$ is the weight data of the ith client. Without loss of generality, the range of each weight is determined as $[c-r,c+r]$, and the mean estimation involves estimating the weights $W_j(j\in [1,d])$ for N clients (e.g., $\frac{1}{N}{\sum }_{i=1}^N{w}_j^i$). Let ${\widehat{W}}^i=\left({\widehat{w}}_1^i,{\widehat{w}}_2^i,\cdots ,{\widehat{w}}_d^i\right)$ be the d-dimensional weights after the ith user perturbation. Given a data perturbation mechanism $\mathcal{M}$, let $\mathbb{E}\left[{\widehat{w}}_j\right]$ be the mathematical expectation of the output at input $w_j$. The $ϵ$-LDP data perturbation mechanism $\mathcal{M}$ is unbiased when it satisfies the following two equations:

$$\mathbb{E}\left[{\widehat{w}}_j\right]=w_j$$

(14)

$$\mathbb{P}\left[{\widehat{w}}_j\in \mathbb{V}\mid w\right]=1$$

(15)

As we mentioned above, Equation (14) shows that $\mathcal{M}$ is unbiased, and Equation (15) shows that the probability of the sum of output values must be one, where $\mathbb{P}$ is the output range of $\mathcal{M}$:

Lemma 2.

Let $W^{*}$ be the output of Algorithm 2 given an input d-dimensional model W. Then, for any $j\in \left[d\right]$, $\mathbb{E}\left[w_j^{*}=w_j\right]$.

Proof. 

$$\begin{array}{cc}\hfill \mathbb{E}\left[\frac{w_j^{*}-c}{r}\right]=& Pr\left[w_j^{*}=c+d·r·\frac{e^{ϵ}+1}{e^{ϵ}-1}\right]·\frac{e^{ϵ}+1}{e^{ϵ}-1}·d\hfill \\ \hfill & +Pr\left[w_j^{*}=c-d·r·\frac{e^{ϵ}+1}{e^{ϵ}-1}\right]\hfill \\ \hfill & ·\left(-\frac{e^{ϵ}+1}{e^{ϵ}-1}·d\right)\hfill \\ \hfill & +Pr\left[\frac{w_j^{*}-c}{r}=0\right]·0\hfill \\ \hfill =& \frac{2\left(w_j-c\right)/r·\left(e^{ϵ}-1\right)}{2e^{ϵ}-2}\hfill \\ \hfill =& \frac{w_j-c}{r}\hfill \end{array}$$

(16)

□

Lemma 2 proves the unbiasedness of the Adaptive-Harmony algorithm so that the server can use $\frac{1}{N}{\sum }_{i=1}^N{w}_j^i$ as an unbiased estimator of the $w_j$ mean.

The asymptotic error bound of the Adaptive-Harmony algorithm is derived below to show that the method in this paper has an equivalent asymptotic error bound to that of Adaptive-Duchi (i.e., $O\left(\frac{\sqrt{dlog(d/\beta )}}{ϵ\sqrt{n}}\right)$). Lemma 3 provides the accuracy guarantee of our mechanism:

Lemma 3.

For any $j\in \left[d\right]$, let $Z\left[w_j\right]=\frac{1}{n}{\sum }_{i=1}^n(w_j^{*}-c)/r$ and $X\left[w_j\right]=\frac{1}{n}{\sum }_{i=1}^n(w_j-c)/r$. With at least $1-\beta$ probability, we have

$$\underset{j\in \left[d\right]}{max}|Z\left[w_j\right]-X\left[w_j\right]|=O\left(\frac{\sqrt{dlog(d/\beta )}}{ϵ\sqrt{n}}\right)$$

(17)

Proof. 

First, note that for any $i\in \left[d\right]$ and any $j\in \left[d\right]$, the variance of $(w_j-c)/r-(w_j^{*}-c)/r$ is equivalent to Equation (18):

$$\begin{array}{cc}\hfill Var\left[\frac{w_j^{*}-c}{r}-\frac{w_j-c}{r}\right]& =Var\left[\frac{w_j^{*}-c}{r}\right]\hfill \\ \hfill & =\mathbb{E}\left[{\left(\frac{w_j^{*}-c}{r}\right)}^2\right]\hfill \\ \hfill & -{\left(\mathbb{E}\left[\frac{w_j^{*}-c}{r}\right]\right)}^2\hfill \\ \hfill & =\frac{1}{d}{\left(\frac{e^{ϵ}+1}{e^{ϵ}-1}·d\right)}^2-{\left(\frac{w_j-c}{r}\right)}^2\hfill \\ & \le {\left(\frac{e^{ϵ}+1}{e^{ϵ}-1}\right)}^2·d\hfill \end{array}$$

(18)

According to Bernstein’s inequality, we have Equation (19):

$$\begin{array}{cc}\hfill & Pr\left[|Z\left[w_j\right]-X\left[w_j\right]|\ge \lambda \right]\hfill \\ \hfill & \le 2·exp\left(-\frac{n{\lambda }^2}{\frac{2}{n}{\sum }_{i=1}^{n}Var\left[(w_j^{*}-c)/r-(w_j-c)/r\right]+\frac{2}{3}\lambda ·\frac{e^{ϵ}+1}{e^{ϵ}-1}·2d}\right)\hfill \\ \hfill & =2·exp\left(-\frac{n{\lambda }^2}{2d·\left(O\left(1/{ϵ}^2\right)+\lambda ·O(1/ϵ)\right)}\right)\hfill \end{array}$$

(19)

By the union bound, there exists $\lambda =O\left(\frac{\sqrt{dlog(d/\beta )}}{ϵ\sqrt{n}}\right)$ such that

${max}_{j\in \left[d\right]}|Z\left[w_j\right]-X\left[w_j\right]|<\lambda$ holds with at least $1-\beta$ probability. □

On the other hand, we proved the relationship between the global model accuracy and the number of participating clients in Algorithm 4. In Optimal LDP-FL, it was proven that the value of the loss function always has a particular functional relationship with the number of clients participating in the iteration. There was an inflection point in the curve of the loss function value, which minimized the value of the loss function. This also shows that the loss function value was the lowest when the participating clients approached the total number of clients. Therefore, Algorithm 4 set the self-sampling probability $q_1$ within the range of (0.5, 1), which could make the number of clients participating in the training closer to the inflection point of this function. Therefore, it could effectively improve the accuracy of the global model.

In summary, our proposed Optimal LDP-FL framework satisfies $ϵ$-LDP. The proposed Adaptive-Harmony mechanism is unbiased, and its asymptotic error bounds are on par with existing algorithms, as both are $O\left(\frac{\sqrt{dlog(d/\beta )}}{ϵ\sqrt{n}}\right)$. However, in every layer $W_i^{*}$ of $W^{*}$ in the Adaptive-Harmony algorithm, there was only one dimension with a non-zero value. That means the time complexity and communication cost of each layer were reduced from $O\left(d\right)$ to $O\left(1\right)$, and the total cost was reduced from $O\left(nd\right)$ to $O\left(n\right)$. Moreover, the parameter-shuffling mechanism and client self-sampling technology were adopted to improve the model’s performance under the same privacy level. Finally, we should also note that although for a single model, the model parameters after the perturbation were too large and too sparse compared with those before the perturbation, which were almost unusable for the neural network. However, when enough participants uploaded models for aggregation, the sparse model could be filled with a large number of parameters, and the deviation could be offset by mean value estimation, thereby restoring the high availability of the model. Therefore, when the number of clients was large enough, the convergence speed of our model would not be significantly different from the traditional method.

5. Evaluation

5.1. Experimental Setting

We tested the results of Optimal LDP-FL on the image classification task with a two-layer CNN and evaluated the global model’s accuracy and time metrics as the utility indicators. We selected the MNIST dataset [52] and FashionMNIST dataset [53], which are commonly used in deep learning. Then, we randomly sampled the training and test sets and distributed them equally to all clients. To ensure the model’s generalization, the random sampling process followed the independent and identical distribution (i.i.d.) principle. We set different ranges for the MNIST and Fashion MNIST datasets for the clipping weights. We chose the following two algorithms for comparison: the non-private federated averaging (FedAvg) the classic LDP-FL framework (Sun et al. [35]), along with our proposed framework (Optimal LDP-FL).

5.2. Utility Evaluation

5.2.1. Model Accuracy vs. Number of Clients

To analyze the effect of the number of clients on the accuracy, we designed the experiment shown in Figure 3. Figure 3a,b shows the accuracy performance of different algorithms on the MNIST and Fashion MNIST datasets, respectively, with the number of clients. As shown in Figure 3a,b, the FedAvg framework and LDP-FL model accuracy showed a slight downward trend with the increasing number of clients because the training set and test set would be directly and equally distributed to each client. The larger the number of clients, the fewer data each client could obtain, and the model accuracy decreased accordingly. As shown in Figure 3a in the MNIST dataset, for Optimal LDP-FL, the aggregated model was too sparse when the number of clients was small, resulting in lower global model accuracy. However, as the number of clients increased, the model accuracy increased back to normal with a slight upward trend, because although a smaller amount of data broke the accuracy of the local model, at the same time, a more significant number of clients could provide more local models to the server, which could better offset the effect of noise on the global model during the aggregation stage. As shown in Figure 3a,b, the model accuracies of LDP-FL and Optimal LDP-FL were slightly lower than that of FedAvg. Optimal LDP-FL reached a better model accuracy than LDP-FL, since the reasonable restriction of self-sampling probability increased the number of influential participating clients, thus effectively improving the accuracy of the global model.

5.2.2. Model Accuracy vs. Privacy Budget

To analyze the impact of the privacy budget on the accuracy, we compared two LDP-FL frameworks in Figure 4 on the MNIST and Fashion MNIST datasets with the privacy budget set to $ϵ\in [1,10]$ and chose the model accuracy of FedAvg without privacy protection as the benchmark. In our experiment, the number of clients was fixed at $n=200$. The results show that Optimal LDP-FL could maintain relatively stable accuracy across various privacy budgets. Note that more complex data and tasks require more privacy budgets, mainly because complex tasks require complex neural networks with a large number of model parameters. At the same time, in complex tasks, the range of each model parameter is also more comprehensive, which leads to more considerable variance in the estimated model parameters. However, the model accuracy of Optimal LDP-FL on different datasets was slightly higher than that of LDP-FL. Therefore, the performance of Optimal LDP-FL was better.

5.3. Efficiency Evaluation

To compare the communication costs of the two frameworks, we designed the experiment in Figure 5. The way we measured the communication cost was mainly through the running time of the program, because the difference in the network traffic consumed by different frameworks could not be reflected well in the case of a single device simulating federated learning. As shown in Figure 5a,b, the time consumed by various federated learning frameworks increased linearly with the number of clients, and the running time was roughly the same for different datasets. Compared with FedAvg, LDP-FL or Optimal LDP-FL had data perturbation and a parameter shuffling process. Due to the complex logic of data perturbation and parameter shuffling, which cannot be computed on a GPU, it consumed a lot of time. Compared with the LDP-FL mechanism, our proposed Optimal LDP-FL method saved a lot of time due to its concise data perturbation mechanism. In other words, our proposed Adaptive-Harmony mechanism could achieve a higher operating efficiency and lower communication cost under the same conditions.

To sum up, the experiment showed that the model with the highest accuracy was non-private FedAvg. The algorithm’s accuracy could be effectively improved by restricting the probability. Our proposed optimal LDP-FL mechanism improved the accuracy performance to a certain extent. Both frameworks were insensitive to changes in privacy budgets and could maintain high model accuracy at lower privacy budgets. However, the proposed Optimal LDP-FL mechanism significantly improved the operating efficiency. Under the same conditions, it could save more than 40% of the running time. Meanwhile, since the client sends less data to the server, optimal LDP-FL also consumes significantly less network traffic and can further save time on slower internet connections.

6. Conclusions

To achieve credible federated learning, we researched the privacy protection of federated learning and the balance of privacy, model utility, and algorithm efficiency. We proposed an efficiency-optimized data perturbation mechanism (i.e., Adaptive-Harmony). It adaptively configures the perturbation parameters, mainly the center and radius of the weight, for each client and each iteration according to the gradient descent and reduces the communication cost from each dimension to one dimension. The theoretical analysis and proof guarantee that our improved data perturbation mechanism is unbiased, convergent, and has an equivalent asymptotic error bound with the Adaptive-Duchi mechanism. We also integrated Adaptive-Harmony and privacy amplification into FL to propose a new federated learning framework (i.e., Optimal LDP-FL). It has been proven that our framework satisfies $ϵ$-LDP. It can avoid privacy leakages caused by server tracking clients through parameter shuffling. A restrictive self-sampling probability was also proposed which eliminated the randomness of the self-sampling probability settings in existing studies and improved the utilization of the federated system. Due to the restrictively self-sampling and efficient data perturbation, Optimal LDP-FL had good model performance, especially in terms of computational and communication costs. Model accuracy was also improved due to the combination of the restrictive client self-sampling technology. Comprehensive experiments on different datasets showed that our framework performed well in terms of classification accuracy and improved communication efficiency by 40%.

Our method proposes a restrictive self-sampling probability in the interval (0.5, 1). However, the compactness of this interval has yet to be verified. In theory, 0.5 is the relaxed lower bound of our estimate, and the tighter lower bound is an exciting direction for future research.