FedMPDD: Communication-Efficient Federated Learning with Privacy Preservation Attributes via Projected Directional Derivative
Mohammadreza Rostami, Solmaz S. Kia
Published on arXiv
2512.20814
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
FedMPDD reduces uplink communication from O(d) to O(m) scalars per client while providing inherent resistance to gradient inversion attacks through low-rank projection geometry, matching FedSGD convergence at O(1/√K).
FedMPDD
Novel technique introduced
This paper introduces FedMPDD (Federated Learning via Multi-Projected Directional Derivatives), a novel algorithm that simultaneously optimizes bandwidth utilization and enhances privacy in Federated Learning. The core idea of FedMPDD is to encode each client's high-dimensional gradient by computing its directional derivatives along multiple random vectors. This compresses the gradient into a much smaller message, significantly reducing uplink communication costs from $\mathcal{O}(d)$ to $\mathcal{O}(m)$, where $m \ll d$. The server then decodes the aggregated information by projecting it back onto the same random vectors. Our key insight is that averaging multiple projections overcomes the dimension-dependent convergence limitations of a single projection. We provide a rigorous theoretical analysis, establishing that FedMPDD converges at a rate of $\mathcal{O}(1/\sqrt{K})$, matching the performance of FedSGD. Furthermore, we demonstrate that our method provides some inherent privacy against gradient inversion attacks due to the geometric properties of low-rank projections, offering a tunable privacy-utility trade-off controlled by the number of projections. Extensive experiments on benchmark datasets validate our theory and demonstrate our results.
Key Contributions
- FedMPDD compresses client gradient uploads from O(d) to O(m) scalars using projected directional derivatives along random Rademacher vectors, with O(1/√K) convergence matching FedSGD
- Demonstrates inherent privacy against gradient inversion attacks as a byproduct of the low-rank projection geometry, offering a tunable privacy-utility tradeoff controlled by the number of projections
- Shows that drawing the projection vectors from a Rademacher distribution yields lower variance than drawing them from a Gaussian, improving the quality of the gradient estimator
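The encode and decode steps described above, as an added sketch that is not the paper's code: each client uploads m directional derivatives along Rademacher vectors, and the server averages them and projects back onto the same vectors. The shared per-round seed, the 1/m scaling, the function names and the constructed Gaussian "gradients" are assumptions made for this illustration.

```python
import math
import random

def directions(seed, m, d):
    """m Rademacher (+1/-1) vectors in R^d, reproducible from a shared seed (assumed)."""
    rng = random.Random(seed)
    return [[rng.choice((-1.0, 1.0)) for _ in range(d)] for _ in range(m)]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def client_encode(grad, seed, m):
    """Uplink message: the m directional derivatives <grad, u_j>, not the d-vector."""
    return [dot(grad, u) for u in directions(seed, m, len(grad))]

def server_decode(messages, seed, d):
    """Average the clients' scalars, then project back: (1/m) * sum_j s_j * u_j."""
    m = len(messages[0])
    s = [sum(msg[j] for msg in messages) / len(messages) for j in range(m)]
    U = directions(seed, m, d)
    return [sum(s[j] * U[j][i] for j in range(m)) / m for i in range(d)]

def rel_error(est, true):
    diff = [e - t for e, t in zip(est, true)]
    return math.sqrt(dot(diff, diff) / dot(true, true))

def demo(d=200, n_clients=3, ms=(5, 100), seed=7):
    """Constructed gradients; returns {m: (uplink_scalars, rel_error, alignment)}."""
    rng = random.Random(0)
    grads = [[rng.gauss(0, 1) for _ in range(d)] for _ in range(n_clients)]
    mean_grad = [sum(g[i] for g in grads) / n_clients for i in range(d)]
    out = {}
    for m in ms:
        msgs = [client_encode(g, seed, m) for g in grads]
        est = server_decode(msgs, seed, d)
        # The estimate lies in span{u_1..u_m}: the server never sees the
        # component of the gradient outside that m-dimensional subspace.
        out[m] = (len(msgs[0]), rel_error(est, mean_grad), dot(est, mean_grad))
    return out

if __name__ == "__main__":
    for m, (n, err, align) in demo().items():
        print(f"m={m:4d} uplink={n} scalars  rel_error={err:.2f}  <est,g>={align:.2f}")
```

For m much smaller than d the decoded vector is a noisy estimate of the mean gradient, yet its inner product with the true mean gradient stays non-negative, since it equals the average of the squared directional derivatives.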
🛡️ Threat Analysis
The paper explicitly evaluates resistance to gradient inversion attacks (adversaries reconstructing client training data from shared gradients) as a secondary contribution. Low-rank random projection of gradients provides geometric obfuscation against gradient reconstruction, with a tunable privacy-utility tradeoff. The OWASP spec explicitly notes FL papers defending against gradient leakage qualify for ML03 even when the primary contribution is communication efficiency.