Hao Liang

Hao Liang

A machine learning, signal processing and statistic fan

Summary of Differential Privacy for Federated Learning (2025)

5 minute read

Published:

Paper List

Differential Privacy for Federated Learning

1. DP-FedAvg, ICLR, 2018

2. DP-FL, NIPS Workshop, 2017

3. LDP-Fed, EdgeSys Workshop, 2020

4. NbAFL, TIFS, 2020

5. CLDP-SGD, AISTATS, 2021

6. FL-LD, UAI, 2021

7. LDPFL, ESORICS, 2022

8. UDP, TMC, 2022

9. PFLF, TIFS, 2022

10. PVFL, TIFS, 2023

11. ISRL-DPFL, ICLR, 2023

12. ISRL-DPFL-Nonconvex, ICLR, 2023

13. Privacy-FL, 2024


1. DP-FedAvg, ICLR, 2018

McMahan H B, Ramage D, Talwar K, et al. Learning Differentially Private Recurrent Language Models[C]//International Conference on Learning Representations. 2018.

  • user-level differential privacy (user-adjacent datasets)
  • clipping strategy: flat clipping or per-layer clipping
  • client sampling probability (corresponding to SGD sampling probability)
  • add Gaussian noise to the final average update (after aggregation)
  • privacy analysis:
    • moments accountant

2. DP-FL, NIPS Workshop, 2017

Geyer R C, Klein T, Nabi M. Differentially private federated learning: A client level perspective[J]. arXiv preprint arXiv:1712.07557, 2017.

  • client level differential privacy
  • privacy analysis:
    • moments accountant

3. LDP-Fed, EdgeSys Workshop, 2020

Truex S, Liu L, Chow K H, et al. LDP-Fed: Federated learning with local differential privacy[C]//Proceedings of the third ACM international workshop on edge systems, analytics and networking. 2020: 61-66.

  • $\alpha$-CLDP (condensed local differential privacy)
  • privacy analysis:
    • basis composition theorem
    • privacy amplification by sampling

4. NbAFL, TIFS, 2020

– Noising before model aggregation FL

Wei K, Li J, Ding M, et al. Federated learning with differential privacy: Algorithms and performance analysis[J]. IEEE transactions on information forensics and security, 2020, 15: 3454-3469.

  • $T$ aggregation times (exist optimal $T$)
  • $K$-client random scheduling strategy (exist optimal $K$)
  • adding noisy perturbations at both the clients and the server (downlink noise + uplink noise)
  • privacy analysis (sample-level differential privacy):
    • basic composition for non-sampling case
    • basic composition + sampling theorem for sampling case
  • convergence analysis:
    • convex
    • PL
    • Lipschitz (non-clipping analysis)
    • smooth

5. CLDP-SGD, AISTATS, 2021

– distributed communication-efficient and local differentially private SGD

Girgis A, Data D, Diggavi S, et al. Shuffled model of differential privacy in federated learning[C]//International Conference on Artificial Intelligence and Statistics. PMLR, 2021: 2521-2529.

  • $(\epsilon_0,b)$-CLDP (local differential privacy with communication budget)
  • privacy analysis:
    • strong composition
    • SGD sampling (using privacy amplification by sampling)
    • client shuffling (using privacy amplification by shuffling)
  • convergence:
    • convex
    • bounded domain (no contribution to privacy analysis)
    • Lipschitz continuous (no clipping)

6. FL-LD, UAI, 2021

– distributed communication-efficient and local differentially private SGD

“Proceedings of the Fortieth Conference on Uncertainty in Artificial Intelligence”, 2024 published

Deng W, Zhang Q, Ma Y A, et al. On convergence of federated averaging langevin dynamics[J]. arXiv preprint arXiv:2112.05120, 2021.

  • federated averaging Lagnevin dynamics:
    • stochastic gradient Langevin dynamics for FL
  • privacy analysis:
    • strong composition
    • privacy amplification by sampling

7. LDPFL, ESORICS, 2022

Mahawaga Arachchige P C, Liu D, Camtepe S, et al. Local differential privacy for federated learning[C]//European Symposium on Research in Computer Security. Cham: Springer International Publishing, 2022: 195-216.

  • privacy analysis (LDP):

    • basis composition theorem

    • post-processing property

    • randomized aggregatable privacy-preserving ordinal response (RAPPOR)

      Erlingsson Ú, Pihur V, Korolova A. Rappor: Randomized aggregatable privacy-preserving ordinal response[C]//Proceedings of the 2014 ACM SIGSAC conference on computer and communications security. 2014: 1054-1067.

8. UDP, TMC, 2022

Wei K, Li J, Ding M, et al. User-level privacy-preserving federated learning: Analysis and performance optimization[J]. IEEE Transactions on Mobile Computing, 2021, 21(9): 3388-3401.

  • $T$ communication rounds (exist optimal $T$)
  • privacy analysis (user perspective but just sample-level $(\epsilon_i,\delta_i)$-DP):
    • moment accountant
  • convergence analysis:
    • convex
    • PL
    • Lipschitz (non-clipping analysis)
    • smooth

9. PFLF, TIFS, 2022

Zhou H, Yang G, Dai H, et al. PFLF: Privacy-preserving federated learning framework for edge computing[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 1905-1918.

  • privacy analysis ($\epsilon$-DP):
    • basic composition + privacy amplification by sampling
  • convergence analysis:
    • convex
    • PL
    • Lipschitz

10. PVFL, TIFS, 2023

Zhou H, Yang G, Huang Y, et al. Privacy-preserving and verifiable federated learning framework for edge computing[J]. IEEE Transactions on Information Forensics and Security, 2022, 18: 565-580.

  • homomorphic hash
  • privacy analysis (just for each iteration):
    • Gaussian mechanism + sensitivity
  • convergence analysis:
    • convex
    • PL
    • Lipschitz

11. ISRL-DPFL, ICLR, 2023

Lowy A, Razaviyayn M. Private federated learning without a trusted server: Optimal algorithms for convex losses[C]//The Eleventh International Conference on Learning Representations. 2023.

  • inter-silo record-level differential privacy (ISRL-DP) and shuffle differential privacy (SDP)

  • privacy analysis:

    • Gaussian mechanism

    • privacy amplification by subsampling

    • advanced composition or moments accountant

    • parallel composition

      McSherry F D. Privacy integrated queries: an extensible platform for privacy-preserving data analysis[C]//Proceedings of the 2009 ACM SIGMOD International Conference on Management of data. 2009: 19-30.

    • privacy amplification by shuffling (if SDP)

      Feldman V, McMillan A, Talwar K. Hiding among the clones: A simple and nearly optimal analysis of privacy amplification by shuffling[C]//2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS). IEEE, 2022: 954-964.

  • convergence analysis:

    • (strongly) convex
    • bounded domain
    • Lipschitz

12. ISRL-DPFL-Nonconvex, AISTATS, 2023

Lowy A, Ghafelebashi A, Razaviyayn M. Private non-convex federated learning without a trusted server[C]//International Conference on Artificial Intelligence and Statistics. PMLR, 2023: 5749-5786.

  • inter-silo record-level differential privacy (ISRL-DP) and shuffle differential privacy (SDP)

  • privacy analysis:

    • Gaussian mechanism

    • advanced composition or moments accountant

    • parallel composition

      McSherry F D. Privacy integrated queries: an extensible platform for privacy-preserving data analysis[C]//Proceedings of the 2009 ACM SIGMOD International Conference on Management of data. 2009: 19-30.

    • binomial-noised shuffle vector summation protocol

      Cheu A, Joseph M, Mao J, et al. Shuffle private stochastic convex optimization[J]. arXiv preprint arXiv:2106.09805, 2021.

  • convergence analysis:

    • proximal PL (PPL) or non-convex
    • Lipschitz
    • (non-) smooth

13. Privacy-FL, 2024

Sen J, Waghela H, Rakshit S. Privacy in Federated Learning[J]. arXiv preprint arXiv:2408.08904, 2024.

  • an incomplete review of the field of differential privacy in FL
  • include other privacy methods, such as encryption, secure aggregation, and anonymization and pseudonymization

You May Also Enjoy