TY - GEN
T1 - Combating Deep Leakage from Gradients in Cross-Silo Federated Learning with QKD
AU - Wang, Xiaoyu
AU - Zhao, Yangming
AU - Tian, Chen
AU - Chen, Kai
AU - Li, Qi
AU - Yang, Kun
AU - Qiao, Chunming
N1 - Publisher Copyright: © 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Deep Leakage from Gradients (DLG) could reveal training data privacy from gradients transmitted over an insecure channel in Cross-Silo Federated Learning (CSFL) systems. So far, One-Time Pad (OTP) based on secret keys generated by Quantum Key Distribution (QKD) is the only perfectly secure approach to defending channel security and preserving privacy. Nevertheless, current QKD systems cannot generate keys at a rate high enough to support OTP in practical CSFL systems, while we find that encrypting only part of the gradients or several bits of each gradient is not adequate to preserve data privacy. To overcome these challenges, we propose QuGrad to encrypt each gradient using only one bit of secret keys. In QuGrad, it is unpredictable which or how many bits of each gradient will be changed and the encrypted gradient vector will be orthogonal to the original one, which potentially hides the maximum amount of training data information. By implementing QuGrad on a testbed and conducting extensive experiments, we show that QuGrad can reduce the average Jaccard similarity between the recovered data and the original ones by up to 89% compared with the state-of-the-art technique to defend training data against DLG.
UR - https://www.scopus.com/pages/publications/105011028705
U2 - 10.1109/INFOCOM55648.2025.11044743
DO - 10.1109/INFOCOM55648.2025.11044743
M3 - Conference contribution
AN - SCOPUS:105011028705
T3 - Proceedings - IEEE INFOCOM
BT - INFOCOM 2025 - IEEE Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2025 IEEE Conference on Computer Communications, INFOCOM 2025
Y2 - 19 May 2025 through 22 May 2025
ER -