[Paper Review] Differentially Private Federated Learning: A Client Level Perspective
The paper proposes a client-level differential privacy mechanism for federated learning that hides a participating client’s data while preserving model performance, especially as the number of clients grows.
Federated learning is a recent advance in privacy protection. In this context, a trusted curator aggregates parameters optimized in decentralized fashion by multiple clients. The resulting model is then distributed back to all clients, ultimately converging to a joint representative model without explicitly having to share the data. However, the protocol is vulnerable to differential attacks, which could originate from any party contributing during federated optimization. In such an attack, a client's contribution during training and information about their data set is revealed through analyzing the distributed model. We tackle this problem and propose an algorithm for client sided differential privacy preserving federated optimization. The aim is to hide clients' contributions during training, balancing the trade-off between privacy loss and model performance. Empirical studies suggest that given a sufficiently large number of participating clients, our proposed procedure can maintain client-level differential privacy at only a minor cost in model performance.
Motivation & Objective
- Motivate privacy concerns in federated learning where a client's participation could be revealed.
- Propose a DP mechanism that protects entire client datasets during federated optimization.
- Enable dynamic adaptation of the DP mechanism to improve performance under privacy constraints.
- Evaluate privacy-utility trade-offs across varying numbers of participating clients.
Proposed method
- Introduce a randomized mechanism that subsamples clients each round and distorts the aggregated updates with a Gaussian mechanism.
- Clip updates to a sensitivity S using per-round medians of update norms.
- Add Gaussian noise with variance S^2 * sigma^2 to the averaged updates; account for privacy with a moments accountant.
- Use the ratio sigma^2 / m_t to control distortion and privacy loss for each round.
- Track privacy loss delta via the moments accountant and stop training when delta exceeds a threshold Q.
- Define and monitor between-client variance V_c and update scale U_s to inform parameter choices.
Experimental results
Research questions
- RQ1Can client-level differential privacy be achieved in federated learning with acceptable model performance?
- RQ2How should the DP mechanism be tuned (S, sigma, m) to balance privacy loss and accuracy across rounds?
- RQ3What is the impact of the number of participating clients on privacy-utility trade-offs?
Key findings
- With sufficiently many participating clients, client-level DP can be achieved with only minor losses in model performance.
- Performance improves when increasing the number of participating clients in later rounds despite privacy constraints.
- DP-augmented federated learning achieves higher accuracy as the client count grows (100 → 1000 → 10000) in the reported experiments.
- The best DP models reach 0.78–0.96 accuracy across 100–10000 clients versus 0.97 accuracy for non-DP at 100 clients.
- The experiments show non-DP performance close to DP performance when many clients are involved (K=10000).
- Training stops when the privacy budget delta reaches a predefined threshold, ensuring DP safeguards.
Better researchstarts right now
From paper design to paper writing, dramatically reduce your research time.
No credit card · Free plan available
This review was created by AI and reviewed by human editors.