Harnessing Sparsification in Federated Learning: A Secure, Efficient, and Differentially Private Realization
Shuangqing Xu 1, Yifeng Zheng 2, Zhongyun Hua 1
Published on arXiv
2511.07123
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Clover achieves utility comparable to vanilla FL with central DP while reducing inter-server communication by orders of magnitude over ORAM, with malicious-server security adding only 2.67× communication overhead over the semi-honest variant
Clover
Novel technique introduced
Federated learning (FL) enables multiple clients to jointly train a model by sharing only gradient updates for aggregation instead of raw data. Due to the transmission of very high-dimensional gradient updates from many clients, FL is known to suffer from a communication bottleneck. Meanwhile, the gradients shared by clients as well as the trained model may also be exploited for inferring private local datasets, making privacy still a critical concern in FL. We present Clover, a novel system framework for communication-efficient, secure, and differentially private FL. To tackle the communication bottleneck in FL, Clover follows a standard and commonly used approach, top-k gradient sparsification, where each client sparsifies its gradient update such that only the k largest gradients (measured by magnitude) are preserved for aggregation. Clover provides a tailored mechanism built out of a trending distributed trust setting involving three servers, which allows efficient aggregation of multiple sparse vectors (top-k sparsified gradient updates) into a dense vector while hiding the values and indices of non-zero elements in each sparse vector. This mechanism outperforms a baseline built on the general distributed ORAM technique by several orders of magnitude in server-side communication and runtime, and also has a smaller client communication cost. We further integrate this mechanism with a lightweight distributed noise generation mechanism to offer differential privacy (DP) guarantees on the trained model. To harden Clover with security against a malicious server, we devise a series of lightweight mechanisms for integrity checks on the server-side computation. Extensive experiments show that Clover can achieve utility comparable to vanilla FL with central DP, with promising performance.
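The following is an added illustration, not code from the paper or from Clover, whose protocol is not detailed on this page. It performs top-k sparsification and then a naive three-server baseline that hides indices and values by additively sharing the densified vector, which shows why hiding indices normally costs the communication saving that sparsification bought. The ring size, fixed-point scale and all function names are assumptions.

```python
import secrets

MOD = 2 ** 32    # ring for additive shares (assumed parameter)
SCALE = 2 ** 16  # fixed-point scale for real-valued gradients (assumed)

def top_k(grad, k):
    """Keep the k largest-magnitude entries as {index: value}; ties go to the lower index."""
    k = max(0, min(k, len(grad)))
    keep = sorted(range(len(grad)), key=lambda i: (-abs(grad[i]), i))[:k]
    return {i: grad[i] for i in sorted(keep)}

def encode(x):
    return round(x * SCALE) % MOD

def decode(v):
    v %= MOD
    return (v - MOD if v >= MOD // 2 else v) / SCALE

def share_dense(sparse, d, n_servers=3):
    """Share every coordinate, zero or not, so no server sees which indices are set.
    Cost: d ring elements per server, versus k (index, value) pairs in the clear."""
    shares = [[0] * d for _ in range(n_servers)]
    for j in range(d):
        parts = [secrets.randbelow(MOD) for _ in range(n_servers - 1)]
        parts.append((encode(sparse.get(j, 0.0)) - sum(parts)) % MOD)
        for s in range(n_servers):
            shares[s][j] = parts[s]
    return shares

def aggregate(client_shares, d, n_servers=3):
    """Each server sums its own shares locally; only the per-server sums are combined."""
    per_server = [
        [sum(c[s][j] for c in client_shares) % MOD for j in range(d)]
        for s in range(n_servers)
    ]
    return [decode(sum(per_server[s][j] for s in range(n_servers))) for j in range(d)]

if __name__ == "__main__":
    # Constructed sample gradients for two clients, d = 4, k = 2.
    grads = [[0.5, -2.0, 0.25, 1.5], [-1.0, 2.5, 3.0, -0.5]]
    sparse = [top_k(g, 2) for g in grads]
    print("cleartext sparse uploads (leak indices):", sparse)
    print("aggregate from shares:", aggregate([share_dense(s, 4) for s in sparse], 4))
```
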
Key Contributions
- Novel secure sparse vector aggregation mechanism for top-k sparsified gradients in a three-server distributed trust setting, outperforming an ORAM-based baseline by orders of magnitude in communication and runtime
- Integration with a lightweight distributed noise generation mechanism providing differential privacy guarantees on the aggregated model
- Lightweight integrity check mechanisms hardening the system against malicious servers with only modest overhead (2.67× inter-server communication, 3.67× server runtime vs. semi-honest counterpart)
🛡️ Threat Analysis
Clover's core motivation and design is preventing an adversarial server from reconstructing clients' private training data from shared gradient updates; the secure aggregation mechanism hides both gradient values and indices to thwart gradient inversion attacks (explicitly citing ZhuLH19-style threats), matching the guideline that FL secure aggregation defending against gradient leakage qualifies as ML03.