ZHANG Weiting ,LIANG Haotian ,XU Yuhua ,ZHANG Chuan
(1.Beijing Jiaotong University,Beijing 100091,China;2.Beijing Institute of Technology,Beijing 100081,China)
Abstract: Recently,various privacy-preserving schemes have been proposed to resolve privacy issues in federated learning (FL).However,most of them ignore the fact that anomalous users holding low-quality data may reduce the accuracy of trained models.Although some existing works manage to solve this problem,they either lack privacy protection for users’ sensitive information or introduce a two-cloud model that is difficult to find in reality.A reliable and privacy-preserving FL scheme named reliable and privacy-preserving federated learning (RPPFL) based on a single-cloud model is proposed.Specifically,inspired by the truth discovery technique,we design an approach to identify the user’s reliability and thereby decrease the impact of anomalous users.In addition,an additively homomorphic cryptosystem is utilized to pro‐vide comprehensive privacy preservation (user’s local gradient privacy and reliability privacy).We give rigorous theoretical analysis to show the security of RPPFL.Based on open datasets,we conduct extensive experiments to demonstrate that RPPEL compares favorably with exist‐ing works in terms of efficiency and accuracy.
Keywords: federated learning;anomalous user;privacy preservation;reliability;homomorphic cryptosystem
With the popularity of big data techniques,machine learning has promoted wide applications in artifi‐cial intelligence fields,such as the smart IoT[1–2],smart industry[3–4],and autonomous driving[5–6].Nowadays,due to the emergence of data protection regulations,like General Data Protection Regulation (GDPR)[7]and Califor‐nia Consumer Privacy Act (CCPA)[8],users pay increasing atten‐tion to data privacy.Data privacy significantly hinders training data collection,which limits the development of machine learn‐ing.Federated learning (FL),as a collaborative machine learn‐ing paradigm,is considered a promising solution to the chal‐lenges and has attracted tremendous attention from industry and academia.Specifically,a typical framework of FL consists of a server and some users (i.e.,data owners).In FL,to preserve data privacy,users only share the trained local models’ param‐eters instead of sharing raw data.
In spite of the benefits,there are two challenges in design‐ing such an FL scheme.The first one is that the gradient at‐tack may lead to privacy leakage.Specifically,in the gradient attack,adversaries utilize user-shared model parameters to in‐fer sensitive information from training data.Thus far,some works[9–10]have been proposed to utilize the gradient leak at‐tack to compromise user privacy.For instance,ZHU et al.[10]introduced a gradient inversion attack scheme to reconstruct sensitive information from public shared gradients,where ad‐versaries launch attacks by iteratively optimizing the dummy inputs and the corresponding labels.Followed by Ref.[10],some gradient attack schemes have been proposed[11–12].For instance,to enhance the performance of gradient inversion at‐tacks,ZHAO et al.[11]proposed a simple and effective gradient inversion attack.Their scheme improves the effectiveness of recovering label information by combining the mathematical analysis of the gradients.Subsequently,YIN et al.[12]extended the gradient inversion attack into FL applications that are more practical,e.g.,high-resolution images with large batchsize.If gradient attacks are not considered well in designing FL schemes,user privacy will incur serious threats.Therefore,users will be reluctant to participate in these applications,which significantly hinders the development of FL.The sec‐ond challenge is that users with low-quality data decrease the performance of FL.In practical applications,the data quality of different users is usually uneven due to various reasons (e.g.,device quality and education level)[13].For example,users with high-quality devices usually own superior data,while users with low-quality devices have poorer data.If anomalous users are not identified in the training process,they will impair the perfor‐mance of FL and even lead to the unavailability of FL models.Thus,it is also crucial to identify anomalous users and reduce their negative influence on the FL training process.
In recent years,to deal with the gradient attacks and pre‐serve user privacy in FL,some solutions[14–16]have been pro‐posed.Particularly,based on their cryptographic tools,these schemes can be categorized into three classes,i.e.,secure multi-party computation (SMC) based schemes,homomorphic encryption (HE) based schemes,and differential privacy (DP) based schemes.DP-based FL schemes address the privacy leakage issues by adding noise[14].However,the introduction of noise unavoidably reduces the model accuracy,hindering the applications of FL.To preserve user privacy,some SMCbased schemes[15]are proposed without compromising model accuracy.However,frequent user interaction introduces tre‐mendous resource overhead to users and the server.To make a trade-off among the model’s accuracy,user privacy,and re‐source overhead,some HE-based FL schemes are proposed[16].
Unfortunately,most existing privacy-preserving FL schemes ignore anomalous users.To address the challenge,several works[17–18]have been proposed to identify anomalous users and reduce their impacts.Specifically,ZHAO et al.[17]utilized the differential privacy technique and function mecha‐nism to enable privacy-preserving FL.In their scheme,the server is allowed to access each user’s data quality for identi‐fying anomalous users.However,in practice,the user’s data quality should be private.Once the data quality is disclosed to the server,it will lead to discrimination in the training pro‐cess,which significantly reduces the users’ enthusiasm to par‐ticipate in FL.To preserve data quality information when iden‐tifying anomalous users,XU et al.[18]designed a framework to support privacy-preserving FL by introducing a non-colluding two-cloud model.In their scheme,additively homomorphic cryptosystem and YAO’s garbled circuits are utilized to evalu‐ate user data quality without compromising user privacy.It is hard to find two non-colluding clouds in practice,thereby lim‐iting its implementation in real-world applications.Moreover,it also ignores the problem of user collusion.In FL,users may collude with each other to infer others’ sensitive information.Therefore,a privacy-preserving FL scheme with anomalous user identification and user collusion resistance deserves to be investigated.
To solve the challenges,we propose a reliable and privacypreserving FL (RPPFL) scheme based on the single-cloud model.The comparison results of RPPFL and other existing works are shown in Table 1.To identify anomalous users,RPPFL evaluates data quality without compromising user pri‐vacy.Particularly,we epitomize the contributions as follows:
▼Table 1.Comparison of RPPFL and other existing works
? We first discover the challenges in designing a privacypreserving FL scheme that supports anomalous identification.Then,to resolve these challenges,we design a reliable and privacy-preserving FL scheme named RPPFL,which is also resilient to user collusion attacks.
? We adopt the truth discovery technique to evaluate data quality.Subsequently,we utilize the (p,t) threshold Paillier cryptosystem to strengthen RPPFL to protect user privacy from being exposed and defend against user collusion attacks.
? Formal analysis proves the security of RPPFL.Then,based on the open datasets MNIST and CIFAR-10,extensive experiments are conducted to demonstrate that RPPFL is prac‐tically efficient and effective.
In this paper,the remainder is established as follows.In the next section,we illustrate the related models and security re‐quirements of our construction.The preliminaries are re‐viewed in Section 3,and the detailed construction is pre‐sented in Section 4.Section 5 provides the security analysis.The experiments are given in Section 6,and Section 7 dis‐cusses the related works.Section 8 concludes the paper.
We first present the system model and threat model of RPPFL.After that,based on the threat model,we give the se‐curity requirements.To have a better understanding,we list some frequently used notations that appear in RPPFL,which is shown in Table 2.
As we can see in Fig.1,the system model of RPPFL con‐sists of an aggregation server and several users.
? The aggregation server is an entity with strong computing and storage capabilities.To reduce the anomalous users’ negative impacts on the accuracy of the model,the aggrega‐tion server is allowed to identify users’ data quality (i.e.,user reliability).Then,with the user’s reliability and local gradi‐ents,the aggregation server aggregates the global gradients in a privacy-preserving manner.Subsequently,global gradients will be sent to the users.
? The users are entities holding different datasets that can be utilized to train FL models.To get models with better per‐formance,they cooperate in training models with the help of an aggregation server.Instead of sharing datasets directly,they share the gradients of local models.To protect gradient privacy,users first encrypt local gradients with an additively homomorphic cryptosystem.Then,users send them to the ag‐gregation server and update local models after receiving global gradients from the aggregation server.
In our scenario,like previous works[20–21],we presume that the aggregation server and all users are honest-but-curious.That is,the server will faithfully obey the designed proceduresto accomplish its task.However,it may try to retrieve others’ sensitive information using prior acquired knowledge.Be‐sides,we presume that the aggregation server will not collude with users and there are at mostt-1 users colluding.Then,we mainly consider the following two adversaries.
▼Table 2.Frequently used notations
▲Figure 1.System model of reliable and privacy-preserving federated learning (RPPFL)
1) The aggregation server may try to deduce users’ local gra‐dients and reliability according to the information it acquired.
2) The user may try to infer the information of his∕her reli‐abilities according to the information he∕she acquired.
On the basis of system and threat models,we have devel‐oped the following security requirements.
1) User’s local gradient privacy.To effectively preserve user privacy,the user’s local gradients should be sent to the aggregation server in the ciphertext,which prevents the adver‐sary (e.g.,the server) from recovering the user’s sensitive in‐formation from the shared gradients and global parameters.
2) Privacy protection of reliability for users.To ensure the fairness of the FL process,all information related to the reli‐ability of the user should be kept secret and unavailable to any participant,even to the user itself.
In this section,we will illustrate the preliminaries about truth discovery,FL,and the additively homomorphic crypto‐system.
Truth discovery aims at estimating ground truth data from numerous heterogeneous data.In general,it is composed of two main steps: weight update and truth update.
1) Weight update
In this step,the weight of each user is computed based on the distance between their provided data and the ground truths.Without losing generality,we here assume the ground truths are fixed.Typically,each user’s weightwkcan be com‐puted as,wherefdenotes a monotoni‐cally decreasing function,andd(,) is a distance function (i.e.,the Euclidean distance).Therefore,if the provided data from a specific user are close to the ground truth,the user’s weight will be assigned to a higher value.
2) Truth update
In this step,on the basis of each user’s weight,the ground truth is estimated according to Eq.(1):
In the case of continuous data,means the estimated ground truth.As for the categorical data,represents a prob‐ability vector.Each element in the vector means the probabil‐ity of a specific answer being the truth[22].
As a collaborative learning paradigm,FL intends to train models based on data from distributed users.The basic train‐ing process of FL is shown below.
1) Selecting users
Assume there existNusers,each holding a local datasetDj,j∈[1,N],which is derived from the whole training datasetD={(ui,vi);i=1,2,…,M},whereD=∪j∈[1,N]Dj.For each epocht∈{1,2,…} in FL,the aggregation server choosesKus‐ers at random,whereK 2) Local training Each selected userk,k∈[1,K],randomly chooses a small batch of datasetBk.Then,they leverage stochastic gradient de‐scent (SGD),a commonly used optimization algorithm,to calcu‐late gradients over their local datasets.Specifically,we letanddenote the feature vector and its corresponding label inBk,respectively,anddenotes the parameters of the model in the current epoch.The loss function,indicating the distance be‐tween prediction results and real labels,can be denoted as.Then,the gradient can be calculated as Eq.(2): 3) Global aggregation After receiving local gradients from all selected users, the aggregation server will aggregate the global gradients as Eq. (3): The cryptosystem in RPPFL is on the basis of the (p,t)-threshold Paillier cryptosystem[22].As a typical asymmetric cryptosystem,it utilizes the public key (pk) to encrypt the plaintexts and secret key (sk) to recover the plaintexts.Note that (p,t)-threshold Paillier cryptosystem splits the secret key intopparts,i.e.,(sk1,sk2,…,skp),and sends them topdiffer‐ent parties.In (p,t)-threshold Paillier cryptosystem-based ap‐plications,any entity cannot decrypt the ciphertexts alone.That is,the ciphertext can only be decrypted if at leasttenti‐ties cooperate together.Moreover,even if some users are dropped off during the process because of the insatiability,the ciphertext can still be recovered. We use Encpk(?) to denote the ciphertexts encrypted by the public key.Then,assumingm∈Zndenotes a plaintext,its corresponding ciphertext can be calculated as follows: wherer∈is a randomly selected value and should be kept secret.For decryption,each partyl,l∈[1,p],requires to com‐pute the partial decryptionclaccording to Eq.(6) with the se‐cret key skl, where we denote Δ=p!.Based on the algorithm in Ref.[23],these partial decryptions can be composed together for de‐crypting the ciphertextCin order to recover the plaintextm. Then,we further present additively homomorphic properties of our adapted cryptosystem.Specifically,given the cipher‐texts of two plaintexts,m1,m2∈Znare encrypted with the same public key: In this section,we first illustrate the approach that we uti‐lize to handle anomalous users.Then,we give the details of our proposed RPPFL. To decrease the negative influence of anomalous users on the trained model in federation learning,here we describe the mechanismMeAU,which is inspired by the truth discovery[24].In RPPFL,we assume that the data from different users are in‐dependently and equally distributed.We assume that each user holdsMcategories of gradients (in Section 3.2) after train‐ing on their local dataset.Them-th gradient of thek-th user can be represented as,wherem∈[1,M],k∈[1,K].We useto denote the globalm-th gradient ofKselected users.Additionally,we letRkrepresent the reliability (indicates the data quality) of the userk.MeAUmainly includes two phases: updating the user’s reliability and updating global gradients. 1) Update user’s reliability The user’s reliability will be given a high value when the calculated gradient is close to the global gradient from the server.Specifically,given the global gradient,the reliabil‐ity of userkis calculated as follows: 2) Update global gradients With the reliability of each user given, the aggregated result ofm-gradient is calculated as Note that we do not directly remove these anomalous users.The reason is that the reliability information is kept secret from all participants,even the users themselves,to prevent discrimination during the training phase.The existence of low-quality data is inevitable.In some rare cases where all users are normal,there is still the possibility that the trained model will be overfitted in the actual prediction.Based on the above facts,RPPFL tolerates gradients from anomalous users but ensures that the global gradients are mainly con‐tributed by normal users.However,ensuring that each par‐ticipant in federated learning is unaware of users’ reliability will inevitably increase the difficulty of reducing the impacts of low-quality data. As shown below,we first briefly summarize the main pro‐cess of RPPFL,i.e.,reliability identification and gradient ag‐gregation,and then give its details.The workflow of RPPFL is displayed in Fig.2,and the protocol framework is shown as Protocol 1.We assume that a trusted third party (TTP) has ex‐ecuted the (p,t)-threshold Paillier cryptosystem before run‐ning the reliable and privacy-preserving federated learning protocol,wherep=N+1 andt=K+1.The secret keys (sk1,sk2,…,skN) are sent toNdifferent users,respectively,and skN+1is sent to the aggregation server.Besides,the pub‐lic key is distributed to all entities. ? Reliability identification.In this step,each selected user first calculates the Euclidean distance between its local gradi‐ents and the global gradients from the aggregation server.These calculation results will be encrypted using the public key and then transmitted to the aggregation server.With these ciphertexts,the aggregation server calculates the reliability of each user while protecting data privacy.Ultimately,the en‐crypted reliability will be sent to the corresponding user for the following procedure. ? Gradient aggregation.In this phase,each user calcu‐lates the product of their gradient and reliability in the en‐cryption domain.These ciphertexts are transmitted to the server.With the help ofKselected users,the server de‐crypts these received ciphertexts and subsequently updates the global models. ▲Figure 2.Workflow of reliable and privacy-preserving federated learning (RPPFL) Protocol 1.Reliable and privacy-preserving federated learning Based on the threat model in Section 2.2,the potential threats mainly come from the entities (i.e.,users and the aggre‐gation server).Thus,the objective of RPPFL is to protect the user’s local gradient and the user’s reliability from being ex‐posed to any entity in RPPFL.Furthermore,it should also be resilient to the user collusion attack.Here,we prove the secu‐rity of RPPFL by giving Theorem 1,followed by the corre‐sponding proof. Theorem 1.Assuming that the aggregation server is noncolluding with users and there are at mostt-1 users collud‐ing,neither the user’s local gradient nor the user’s reliability will be leaked to any entity in RPPFL. Proof.First,we prove that each user cannot infer their own reliability from the information they have acquired and the ci‐phertexts returned by the aggregation server.Next,we show that the aggregation server cannot infer each user’s local gra‐dient and reliability from the information it holds and the ci‐phertexts returned by the user. The user knows the ciphertexts,EncGlobal,and plaintexts.Since there are at mostt-1 users colluding,the user cannot recover the secret key (sk),from skk.Additionally,the (p,t)-threshold Paillier cryptosystem has already been demonstrated to defend against chosen-plaintext attacks[22].Therefore,the user cannot decrypt these ciphertexts.With the global gradient,the user calculates D locally.However,since C is only known by the ag‐gregation server.Without knowing C,it is impossible for the user to acquire its reliability. For the aggregation server,it knows the ciphertextsand plaintexts C,.Since the (p,t)-threshold Paillier cryptosystem has been demonstrated to defend against chosenplaintext attacks,the aggregation server cannot recover the se‐cret key,and thus cannot decrypts these ciphertexts.As for C,without the plaintexts D,the aggregation server cannot obtain the users’ reliabilities.Although the aggregation server knows the sum ofKusers’ reliabilities,i.e.,,it is impos‐sible to identify the individual reliability of each user without knowing other information.Similarly,it is also impossible to separate the individual reliability and model weight from Therefore,RPPFL can prevent the user’s local gradient and reliabilities from disclosing to other entities.Moreover,for the user collusion attack,the properties of the Paillier crypto‐system ensure the safety of the scheme when there are no more thant-1 users colluding. In this section,we perform experiments to observe the per‐formance of RPPFL.The FL framework is built via PyTorch with Cuda 10.2,which runs on the server with two Nvidia Tesla-P40 GPUs for hardware and RedHat for the operating system.For the cryptosystem,we utilize the Paillier library for implementation,and the running environment is Java 18.0.Moreover,we choose MNIST and CIFAR-10 as the datasets in FL,which are commonly used in many scenarios.As for the users in FL,they are all equipped with the same convolutional neural network (CNN) to calculate local gradients with the use of their local data.The model in the experiments is inspired by LeNet widely used in various situations.Finally,as for the hyper-parameters,the learning rate is set to 0.001,while the batch size is 128. In this part,we observe the accuracy performance of RPPFL.As mentioned before,many attributes influence the model’s accuracy.Here,we mainly focus on the impact of the number of users and the number of gradients per user.With‐out losing generality,we set the dataset Difor each userkin the same size.Meanwhile,to construct low-quality data for anomalous users,we replace a fixed proportion of their origi‐nal data with random noises?∈[0,1].The ratio of the re‐placed data is set to 20% in our experiments. 1) Number of users We first illustrate the influence of the number of users that take part in the training process.To better demonstrate the performance of RPPFL,we take two related works[18,28]for comparison. Fig.3 displays the comparison of accuracy based on a dif‐ferent number of users,where the number of gradients for each user is set to 2 500.The figure demonstrates that the in‐crement in the number of users in RPPFL does improve the model accuracy because more data from corresponding users contribute to the trained model.Moreover,for both the MNIST dataset in Fig.3(a) and CIFAR-10 dataset in Fig.3(b),the accuracy of RPPFL is about the same as PPFDL in Ref.[18] and outperforms that in Ref.[28].Therefore,we can reach the conclusion that RPPFL can ensure the aggregation gradients are mainly con‐tributed by users with data of high quality. 2) Number of gradients per user We then discuss the influence of the number of gra‐dients for each user on accuracy performance. Fig.4 demonstrates that the model accuracy will also improve when the number of gradients increases.It is evident that more involved gradients in the FL training procedure will boost the convergence rate and make the model more accurate.From Figs.4(a) and 4(b),the per‐formance of RPPFL is still better than the schemes in Refs.[28] and [18].In conclusion,RPPFL ensures that the user with high-quality data is rewarded with high re‐liability and guarantees that the aggregation result is mainly contributed by these users. In this part,we observe the efficiency performance of RPPFL.For simplicity,we here only discuss and visual‐ize the efficiency in the aggregation phase of FL.To keep fairness,we test the schemes in Refs.[28] and [18] on the same platform (hardware and software) for RPPFL.Specifically,the CNN network is the same for every user,and other hyper-parameters remain the same. Fig.5(a) demonstrates the computational cost for dif‐ferent user numbers,while Fig.5(b) presents the one for different gradient numbers per user.It can be ob‐served that with the growth of the number of users and the number of gradients per user,the aggregation time increases for all the schemes.Moreover,RPPFL has better efficiency than the one in Ref.[28].As we can see,the RPPFL is moderately inferior to the one in Ref.[18].It is because the PPFDL in Ref.[18] adopts a two-cloud model,where the computational costs are shared between the two cloud servers,while RPPFL is established on a single cloud model.However,PPFDL requires two noncolluding cloud servers,which is not practical in real-world scenarios compared with RPPFL. In this section,we illustrate some related works of privacypreserving federated learning. ▲Figure 3.Accuracy performance with different user numbers for MNIST and CIFAR-10 datasets ▲Figure 4.Accuracy performance with different gradient numbers for MNIST and CIFAR-10 datasets ▲Figure 5.Computational costs for different schemes Since the proposal of the original FL,many schemes have been designed to preserve data privacy in FL based on privacy-preserving techniques.These techniques can be mainly divided into three categories: differential privacy,secure multi-party computation,and homomorphic encryption.As for the differential privacy,the authors in Ref.[29] proposed a mechanism that set different proportions of selected parameters to preserve data privacy while preserving training accuracy.In 2016,ABADI et al.[30]leveraged differential privacy with a mod‐erate privacy budget to learn models of deep neural networks.When it comes to secure multi-party computation,the authors in Ref.[19] proposed a safe and practical aggregation protocol in the FL training process.SMC was adopted to ensure the pri‐vacy of the users’ gradients shared with the aggregation server.In 2018,JAYARAMAN et al.[31]introduced a distributed learn‐ing method that combines DP with SMC.Moreover,because the users’ access to power and network bandwidth is always under a particular constraint in real-world scenarios,secret sharing and key exchange protocols are also considered to enhance the robustness of FL.Authors in Ref.[32] proposed a scheme lever‐aging the secret key-sharing technique to protect privacy in FL while verifying the integrity of aggregation results.For homo‐morphic encryption,in 2018,PHONE et al.[16]presented a sys‐tem for privacy-preserving collaborative deep learning.It uti‐lizes Learning with Errors (LWE)-based homomorphic encryp‐tion to secure the privacy of publicly shared model parameters among the participants.Furthermore,the authors in Ref.[20] designed high-efficiency protocols by adopting secure two-party computation,which was established on the two-server model (non-collusion).In 2021,MADI et al.[28]presented a scheme with a combination of homomorphic encryption and verifiable computing.The aim was to execute a federated averaging opera‐tor directly in the ciphertext and prove that the operator is cor‐rectly executed. In conclusion,homomorphic encryption can be applied for privacy-preserving federated learning according to its property of addition and multiplication in the ciphertext domain.How‐ever,the enormous computational burden is unacceptable in scenarios that exist plenty of users or training data with large dimensions.Although SMC is better that HE in terms of com‐putational costs,it always needs many interactions among enti‐ties.This brings a high communication burden and a lack of robustness.Compared with the other two techniques,differen‐tial privacy performs better in cost.But a balance between pri‐vacy and accuracy should always be considered.Ref.[33] demonstrated that if the model accuracy was acceptable,ad‐versaries could still reconstruct the user’s private data.Au‐thors in Ref.[34] successfully leveraged a generative adver‐sarial network (GAN) to violate data privacy even if all shared parameters were protected by differential privacy.Therefore,combining the advantages of different privacy-preserving mechanisms while overcoming their drawback has raised much concern for researchers. Moreover,all these solutions mentioned above fail to con‐sider the problem of anomalous users.To tackle this problem,SecProbe was proposed[17]as the first solution to handling anomalous users in collaborative deep learning while protect‐ing data privacy.It utilized techniques based on DP to per‐turb the objective function of the target network.However,Ref.[34] showed that the current mechanism of DP can hardly reach an acceptable balance between security and ac‐curacy.XU et al.[18]designed PPFDL with the leverage of ad‐ditively homomorphic cryptosystem and garbled circuits.How‐ever,their system structure is based on the two-cloud model,and it requires two non-colluding cloud servers.Therefore,such limitation makes their scheme impractical in many realworld situations like edge computing.Moreover,their PPFDL is also vulnerable to user collusion attacks. In this paper,we propose RPPFL,a reliable and privacypreserving federated learning scheme.RPPFL uses a truth dis‐covery technique to identify each user’s reliability according to their data quality and thereby reduce the contribution of anomalous users on the global models.Specifically,we lever‐age an additively homomorphic cryptosystem to enrich the truth discovery technique to provide comprehensive privacy protection (e.g.,model privacy and data quality privacy) and user collusion resistance.Security analysis demonstrates the security of RPPFL.Experimental results of two different realworld datasets indicate that RPPFL has acceptable perfor‐mance on both accuracy and efficiency.For future work,con‐sidering that the user may infer data information of others with the global gradients,we will focus on designing a reliable and privacy-preserving federated learning scheme that can protect the privacy of gradients on both the aggregation server side and the user side.3.3 Additively Homomorphic Cryptosystem
4 Scheme Design and Details
4.1 Approach to Handling Anomalous Users
4.2 Reliable and Privacy-Preserving Federated Learning
5 Security Analysis
6 Experiments
6.1 Accuracy Performance
6.2 Efficiency
7 Related Works
8 Conclusions