NET-SA: An Efficient Secure Aggregation Architecture Based on In-Network Computing
Qingqing Ren, Wen Wang, Shuyong Zhu, Zhiyuan Wu, Yujun Zhang
Published on arXiv
2501.01187
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
NET-SA achieves up to 77x and 12x runtime improvements and 2x reduction in total client communication cost compared to state-of-the-art secure aggregation methods on real server clusters and Intel Tofino programmable switches.
NET-SA
Novel technique introduced
Privacy-preserving machine learning (PPML) enables clients to collaboratively train deep learning models without sharing private datasets, but faces privacy leakage risks due to gradient leakage attacks. Prevailing methods leverage secure aggregation strategies to enhance PPML, where clients leverage masks and secret sharing to further protect gradient data while tolerating participant dropouts. These methods, however, require frequent inter-client communication to negotiate keys and perform secret sharing, leading to substantial communication overhead. To tackle this issue, we propose NET-SA, an efficient secure aggregation architecture for PPML based on in-network computing. NET-SA employs seed homomorphic pseudorandom generators for local gradient masking and utilizes programmable switches for seed aggregation. Accurate and secure gradient aggregation is then performed on the central server based on masked gradients and aggregated seeds. This design effectively reduces communication overhead due to eliminating the communication-intensive phases of seed agreement and secret sharing, with enhanced dropout tolerance due to overcoming the threshold limit of secret sharing. Extensive experiments on server clusters and Intel Tofino programmable switch demonstrate that NET-SA achieves up to 77x and 12x enhancements in runtime and 2x decrease in total client communication cost compared with state-of-the-art methods.
Key Contributions
- NET-SA architecture using programmable network switches (Intel Tofino) to perform seed aggregation in-network, eliminating communication-intensive key negotiation and secret sharing rounds
- Seed homomorphic pseudorandom generator-based gradient masking scheme that enables accurate server-side gradient reconstruction from masked gradients and aggregated seeds without exposing raw gradients
- Dropout-tolerant design that overcomes the threshold limit of traditional secret sharing, demonstrated to achieve up to 77x runtime speedup and 2x reduction in client communication cost over SOTA
🛡️ Threat Analysis
NET-SA is a secure aggregation protocol that defends against gradient leakage attacks — the adversary reconstructs private training data from gradients shared during federated learning. The paper uses seed homomorphic PRGs and gradient masking so that neither the aggregation server nor any eavesdropper can reconstruct raw gradients or the training data they encode. Per the ML03 definition, secure aggregation protocols for FL defending against gradient leakage qualify even when systems optimization is the primary engineering contribution.
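The data flow described above (clients mask locally, the switch sums seeds, the server unmasks the sum) can be traced end to end in the following added example, which is not code from the paper. It assumes a toy linear expander `G(s) = A*s mod Q` as a stand-in for the seed-homomorphic PRG, hypothetical parameters `Q`, `SEED_LEN`, `DIM` and `SCALE`, and a dropout model in which a dropped client contributes neither its seed nor its masked gradient.

```python
import random

Q = 2**32        # modulus for masks and fixed-point values (assumed)
SEED_LEN = 8     # seed vector length (assumed)
DIM = 16         # gradient dimension (assumed)
SCALE = 1 << 16  # fixed-point scale for float gradients (assumed)

# Public matrix A, derived from a fixed public constant so every party agrees.
_pub = random.Random(2501)
A = [[_pub.randrange(Q) for _ in range(SEED_LEN)] for _ in range(DIM)]

def vec_add(u, v):
    return [(a + b) % Q for a, b in zip(u, v)]

def prg(seed):
    """Toy linear expander G(s) = A*s mod Q, so G(s1 + s2) = G(s1) + G(s2).
    Illustrates the homomorphism only; it is not a secure PRG."""
    return [sum(a * s for a, s in zip(row, seed)) % Q for row in A]

def client_round(grad, rng):
    """Client: draw a seed (seeded RNG here for a reproducible demo; use a
    CSPRNG in practice) and mask the fixed-point gradient with G(seed)."""
    seed = [rng.randrange(Q) for _ in range(SEED_LEN)]
    encoded = [round(g * SCALE) % Q for g in grad]
    return seed, vec_add(encoded, prg(seed))  # seed -> switch, masked -> server

def switch_aggregate(seeds):
    """Switch: element-wise modular sum of the seeds that arrived."""
    agg = [0] * SEED_LEN
    for s in seeds:
        agg = vec_add(agg, s)
    return agg

def server_unmask(masked, agg_seed):
    """Server: sum masked gradients, subtract G(aggregated seed), decode."""
    total = [0] * DIM
    for m in masked:
        total = vec_add(total, m)
    plain = [(t - k) % Q for t, k in zip(total, prg(agg_seed))]
    return [((v + Q // 2) % Q - Q // 2) / SCALE for v in plain]

def demo(n_clients=5, dropped=(3,)):
    rng = random.Random(7)  # constructed sample gradients
    grads = [[rng.uniform(-1, 1) for _ in range(DIM)] for _ in range(n_clients)]
    sent = [client_round(g, rng) for g in grads]
    alive = [i for i in range(n_clients) if i not in dropped]
    agg_seed = switch_aggregate([sent[i][0] for i in alive])
    recovered = server_unmask([sent[i][1] for i in alive], agg_seed)
    expected = [sum(grads[i][d] for i in alive) for d in range(DIM)]
    return recovered, expected
```

`demo()` returns the server's recovered sum next to the true sum over surviving clients; the two agree up to fixed-point rounding, and the server never handles an individual unmasked gradient.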