Towards Trustworthy Federated Learning: Security, Privacy, and Verifiability

Advisor

Hasan, Anwar

Publisher

University of Waterloo

Abstract

Federated learning enables collaborative model training across institutions that cannot share raw data, but practical deployments rely on trust assumptions that do not hold in adversarial environments. Malicious clients may omit or falsify computation, inject poisoned updates, or free-ride on collective training with negligible detection risk. Existing defenses address security, privacy, and verifiability in isolation: privacy mechanisms obscure the signals required for robustness, while general-purpose zero-knowledge proof systems incur costs that scale with circuit size and are impractical for neural network workloads. The result is a structural \emph{trust deficit} that no single existing mechanism resolves.

This thesis argues that the security--privacy--verifiability tension in federated learning is \emph{architectural rather than fundamental}. By decomposing trust into \emph{four separable research problems}, namely, adversarial client selection, privacy-compatible robust aggregation, cryptographic training verification, and compositional architecture, and by exploiting the algebraic structure of learning workloads, each property can be enforced by a mechanism with explicit assumptions and well-defined interfaces. These mechanisms are independently deployable and compose via defined interfaces without requiring cross-mechanism security re-analysis, yielding a \emph{modular trust architecture} for trustworthy federated learning.

\textsc{TrustBandit} addresses the security dimension by formulating client selection as an adversarial multi-armed bandit under partial observability. Importance-weighted reputation estimation with adaptive exploration achieves a provable regret bound $O(\sqrt{T N \ln N})$, where $T$ is the number of training rounds and $N$ is the number of clients, and, in evaluation, identifies trustworthy clients with $94$--$99\%$ success in low-adversary settings (up to $20\%$ adversaries) and maintains $67$--$69\%$ selection success under $50\%$ adversarial participation, while sustaining $70.97\%$ test accuracy at $50\%$ adversarial participation and improving robustness by up to $5.5\times$ over standard selection baselines.

\textsc{PROFILE} addresses the privacy--robustness tension through architectural separation rather than algorithmic compromise: anomaly detection is relocated from centralized plaintext inspection to server-side predictive detection over bucket-wise homomorphically encrypted aggregates with semantic client assignment. The framework enforces IND-CPA computational privacy for individual updates under Ring-LWE hardness, with LDP-protected metadata, while preserving Byzantine robustness under poisoning and backdoor attacks; empirically it achieves accuracy within 2--3\,pp of the best plaintext baseline (FLTrust) while operating under full RLWE encryption, with detection rates from $0.87$ to $0.99$ across all datasets and non-adaptive attack types; adaptive adversaries that suppress per-round statistical signals fall outside this bound, as characterised by the leakage--detectability frontier.

\textsc{zkMaP} and \textsc{zkExp} address verifiability by specializing to the dominant computational kernels in training. \textsc{zkMaP} gives succinct verification for matrix multiplication via polynomial identities over pairing groups, achieving $O(n^2)$ prover complexity for matrix dimension $n$, constant-size proofs (320 bytes), and constant-time verification (3.68\,ms), yielding up to $19.07\times$ verification speedup over prior specialized matrix multiplication protocols at comparable security. \textsc{zkExp} provides a succinct proof system for exponentiation with constant-time verification and constant-size proofs (160 bytes for single proofs; 256 bytes in batched mode), with low amortized batch overhead (1.35$\times$).

\textsc{RIV} composes these primitives into an end-to-end proof-of-training protocol. Training transcripts are committed prior to challenge selection, preventing selective honest computation. Stochastic Interval Commitments certify native IEEE-754 floating-point computation within backward-error-derived bounds while preserving cryptographic binding. The resulting protocol provides parameterized detection guarantees: for an adversary corrupting a $q_{\mathrm{adv}}$-fraction of challenged layers, the per-round acceptance probability is bounded by $(1-q_{\mathrm{adv}})^k + k\varepsilon_{\mathrm{crypto}} + \delta_{\mathrm{fp}}$ (where $\varepsilon_{\mathrm{crypto}} \le 2m/|\mathbb{F}_p| + \mathsf{negl}(\lambda)$ per challenged layer), yielding explicit trade-offs between challenge rate, overhead, and adversarial detectability (e.g., $>99.99\%$ cumulative detection at $k=3$ over 50 rounds).

Collectively, these results demonstrate that cryptographically grounded trust in federated learning is achievable through specialized, composable mechanisms rather than monolithic designs.
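The client-selection formulation above can be made concrete with a small simulation. The following is an added illustration, not TrustBandit's own code, estimator or exploration schedule: it runs an EXP3-style adversarial bandit in which only the selected client's reward is observed, and that reward is divided by the client's selection probability, which is the importance-weighting step that keeps the reputation estimate unbiased under partial observability. Everything about the reward model is an assumption made for the illustration: one client selected per round, a Bernoulli "useful update" signal with constructed success probabilities of 0.8 for honest and 0.2 for adversarial clients, and the textbook step size and exploration rate.

```python
"""Adversarial-bandit client selection with importance weighting (added illustration)."""
import math
import random


def selection_distribution(weights, gamma):
    """Mix normalized reputation weights with a uniform floor of gamma so every
    client keeps a nonzero selection probability; without that floor the
    importance-weighted estimate below would be undefined for some clients."""
    total = sum(weights)
    n = len(weights)
    return [(1 - gamma) * w / total + gamma / n for w in weights]


def importance_weighted_estimate(reward, prob, selected):
    """Partial observability: only the selected client's reward is observed.
    Dividing it by the selection probability makes the estimate unbiased for
    every client; unselected clients contribute 0 this round."""
    return reward / prob if selected else 0.0


def run_selection(mu, rounds, seed=1):
    """Run `rounds` rounds, selecting one client per round (EXP3-style).

    mu[i] is the hidden probability that client i's update is useful; these
    are constructed values for the illustration, not measured FL rewards.
    Returns the final selection distribution and the list of chosen indices.
    """
    rng = random.Random(seed)
    n = len(mu)
    eta = math.sqrt(math.log(n) / (rounds * n))            # step size (assumed)
    gamma = min(1.0, math.sqrt(n * math.log(n) / rounds))  # exploration rate (assumed)
    log_w = [0.0] * n                                      # log-weights avoid overflow
    choices = []
    for _ in range(rounds):
        shift = max(log_w)
        probs = selection_distribution([math.exp(v - shift) for v in log_w], gamma)
        i = rng.choices(range(n), weights=probs)[0]
        reward = 1.0 if rng.random() < mu[i] else 0.0      # observed only for client i
        for j in range(n):
            log_w[j] += eta * importance_weighted_estimate(reward, probs[j], j == i)
        choices.append(i)
    shift = max(log_w)
    final = selection_distribution([math.exp(v - shift) for v in log_w], gamma)
    return final, choices


def honest_selection_rate(choices, honest, window):
    """Fraction of the last `window` rounds in which an honest client was picked."""
    recent = choices[-window:]
    return sum(1 for c in recent if c in honest) / len(recent)


if __name__ == "__main__":
    # 10 clients, 20% adversarial (indices 8 and 9): constructed sample
    mu = [0.8] * 8 + [0.2] * 2
    final, choices = run_selection(mu, rounds=2000)
    print("final selection distribution:", [round(p, 3) for p in final])
    print("honest selection rate (last 500 rounds):",
          honest_selection_rate(choices, set(range(8)), 500))
```

The point to watch in the loop is that a client the scheduler rarely picks is not simply forgotten: its estimate stays unbiased because the rare observation is scaled up by 1/p, which is also why the exploration floor cannot be dropped to zero. Whether adversaries survive depends on the gap between their reward and the honest reward, not on the scheduler seeing every client every round.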
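The commit-then-challenge structure and the floating-point interval check described for \textsc{RIV} can be exercised end to end with the toy below. It is an added example, not the thesis's RIV or Stochastic Interval Commitment implementation: each "layer" is reduced to a float64 inner product, the commitment is a SHA-256 hash over per-layer leaves rather than the protocol's actual commitment scheme, the challenge indices are derived by hashing the commitment with a round nonce so they cannot be known before committing, and the acceptance interval is the classical backward-error bound $\gamma_n \sum_i |w_i x_i|$ with $\gamma_n = nu/(1-nu)$ and $u = 2^{-53}$. The layer data, the corruption model (a cheating prover fabricates a fraction of layers instead of computing them) and the independence assumption behind the cumulative-detection helper are constructed for the illustration; $\varepsilon_{\mathrm{crypto}}$ and $\delta_{\mathrm{fp}}$ are exposed as parameters of the bound quoted in the abstract, not derived here.

```python
"""Commit-then-challenge checking of float64 layer computations (added illustration)."""
import hashlib
import random
from fractions import Fraction

U = 2.0 ** -53  # unit roundoff of IEEE-754 binary64 under round-to-nearest


def gamma_n(n):
    """Backward-error constant n*u/(1-n*u) bounding an n-term recursive inner product."""
    return n * U / (1 - n * U)


def native_dot(w, x):
    """Prover side: plain float64 arithmetic, left-to-right accumulation."""
    acc = 0.0
    for wi, xi in zip(w, x):
        acc += wi * xi
    return acc


def leaf(i, value):
    return hashlib.sha256(f"{i}:{value.hex()}".encode()).hexdigest()


def commit(transcript):
    """Bind every per-layer result before any challenge is known (toy hash commitment)."""
    leaves = [leaf(i, v) for i, v in enumerate(transcript)]
    return hashlib.sha256("".join(leaves).encode()).hexdigest(), leaves


def derive_challenges(root, nonce, num_layers, k):
    """Challenged indices are a function of the commitment, so the prover cannot
    decide which layers to compute honestly after learning the challenge."""
    idx, ctr = [], 0
    while len(idx) < k:
        h = hashlib.sha256(f"{root}:{nonce}:{ctr}".encode()).digest()
        i = int.from_bytes(h[:8], "big") % num_layers
        if i not in idx:
            idx.append(i)
        ctr += 1
    return idx


def within_interval(claimed, w, x):
    """Verifier side: recompute exactly over rationals and accept the float
    result only if it lies within gamma_n * sum|w_i x_i| of the exact value."""
    terms = [Fraction(wi) * Fraction(xi) for wi, xi in zip(w, x)]
    radius = Fraction(gamma_n(len(terms))) * sum(abs(t) for t in terms)
    return abs(Fraction(claimed) - sum(terms)) <= radius


def verify_round(layers, transcript, root, leaves, nonce, k):
    """layers[i] = (w, x). Returns (accepted, challenged indices)."""
    if commit(transcript)[0] != root:          # opened transcript must match the commitment
        return False, []
    chal = derive_challenges(root, nonce, len(layers), k)
    for i in chal:
        if leaf(i, transcript[i]) != leaves[i] or not within_interval(transcript[i], *layers[i]):
            return False, chal
    return True, chal


def acceptance_bound(q_adv, k, eps_crypto=0.0, delta_fp=0.0):
    """Per-round acceptance bound (1-q)^k + k*eps_crypto + delta_fp from the abstract."""
    return (1 - q_adv) ** k + k * eps_crypto + delta_fp


def cumulative_detection(q_adv, k, rounds, eps_crypto=0.0, delta_fp=0.0):
    """Detection probability over `rounds` rounds, assuming independent challenges."""
    return 1 - acceptance_bound(q_adv, k, eps_crypto, delta_fp) ** rounds


def make_layers(num_layers, n, seed=7):
    """Constructed sample data: random weights and activations in [-1, 1]."""
    rng = random.Random(seed)
    return [([rng.uniform(-1, 1) for _ in range(n)], [rng.uniform(-1, 1) for _ in range(n)])
            for _ in range(num_layers)]


def prover_transcript(layers, corrupt_fraction=0.0):
    """Honest prover computes every layer; a cheating prover fabricates the first
    corrupt_fraction of layers (values far outside any rounding interval)."""
    num_bad = round(corrupt_fraction * len(layers))
    return [native_dot(w, x) * 1.01 + 0.5 if i < num_bad else native_dot(w, x)
            for i, (w, x) in enumerate(layers)]


def run_demo(num_layers=16, n=64, k=3, nonce="round-1"):
    layers = make_layers(num_layers, n)
    honest = prover_transcript(layers)
    root, leaves = commit(honest)
    ok_honest, chal = verify_round(layers, honest, root, leaves, nonce, k)
    cheat = prover_transcript(layers, corrupt_fraction=1.0)
    ok_cheat, _ = verify_round(layers, cheat, *commit(cheat), nonce, k)
    tampered = list(honest)                    # edit a committed value after the challenge
    tampered[chal[0]] += 1.0
    ok_tampered, _ = verify_round(layers, tampered, root, leaves, nonce, k)
    return {"honest": ok_honest, "cheat": ok_cheat, "tampered": ok_tampered, "challenged": chal}


if __name__ == "__main__":
    print(run_demo())
    print("per-round acceptance, q=0.2, k=3:", acceptance_bound(0.2, 3))
    print("cumulative detection over 50 rounds:", cumulative_detection(0.2, 3, 50))
```

Two details carry the security argument. The verifier compares against an exact rational recomputation, so a prover gains nothing from running the same float64 code: the interval only tolerates genuine rounding, which is why the honest transcript passes and a fabricated value does not. And because the challenge is a function of the commitment, a prover that fabricates a fraction $q_{\mathrm{adv}}$ of layers passes a round only if all $k$ challenged layers happen to be honest ones, which is the $(1-q_{\mathrm{adv}})^k$ term; with $\varepsilon_{\mathrm{crypto}} = \delta_{\mathrm{fp}} = 0$ and an assumed $q_{\mathrm{adv}} = 0.2$, fifty independent rounds at $k=3$ already push cumulative detection above $99.99\%$.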
