CQSA: Byzantine-robust Clustered Quantum Secure Aggregation in Federated Learning
Published on arXiv: 2602.22269
Data Poisoning Attack (OWASP ML Top 10 — ML02)
Model Inversion Attack (OWASP ML Top 10 — ML03)
Key Finding
CQSA achieves superior GHZ state fidelity over global QSA while enabling Byzantine client detection through statistical analysis of cluster-level aggregates
Novel technique introduced: CQSA (Clustered Quantum Secure Aggregation)
Federated Learning (FL) enables collaborative model training without sharing raw data. However, shared local model updates remain vulnerable to inference and poisoning attacks. Secure aggregation schemes have been proposed to mitigate these attacks. In this work, we aim to understand how these techniques are implemented in quantum-assisted FL. Quantum Secure Aggregation (QSA) has been proposed, offering information-theoretic privacy by encoding client updates into the global phase of multipartite entangled states. Existing QSA protocols, however, rely on a single global Greenberger-Horne-Zeilinger (GHZ) state shared among all participating clients. This design poses fundamental challenges: (i) the fidelity of large-scale GHZ states deteriorates rapidly with the increasing number of clients; and (ii) the global aggregation prevents the detection of Byzantine clients. We propose Clustered Quantum Secure Aggregation (CQSA), a modular aggregation framework that reconciles the physical constraints of near-term quantum hardware with the need for Byzantine-robustness in FL. CQSA randomly partitions the clients into small clusters, each performing local quantum aggregation using high-fidelity, low-qubit GHZ states. The server analyzes statistical relationships between cluster-level aggregates, employing common statistical measures such as cosine similarity and Euclidean distance, to identify malicious contributions. Through theoretical analysis and simulations under depolarizing noise, we demonstrate that CQSA ensures stable model convergence and achieves superior state fidelity over global QSA.
Key Contributions
- CQSA framework that partitions FL clients into small clusters for local quantum aggregation using high-fidelity, low-qubit GHZ states, overcoming decoherence scaling issues of global QSA
- Inter-cluster Byzantine detection mechanism using cosine similarity and Euclidean distance on cluster-level partial sums to identify and reject malicious contributions
- Theoretical and simulation analysis under depolarizing noise demonstrating superior GHZ state fidelity and stable model convergence compared to global single-state QSA
🛡️ Threat Analysis
Directly defends against Byzantine attacks in FL where malicious clients submit corrupted model updates to degrade the global model — proposes inter-cluster detection using cosine similarity and Euclidean distance, constituting a Byzantine-fault-tolerant robust aggregation protocol.
Quantum secure aggregation component defends against gradient leakage and model inversion attacks; encoding updates into GHZ state global phases ensures the server receives only the aggregated sum, protecting individual client training data from reconstruction by an adversarial server.
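The inter-cluster check described above can be sketched classically. This is an added example, not code from the paper: the quantum aggregation is replaced by a plain per-cluster mean, and the median reference, the thresholds `cos_min` and `rel_dist_max`, the attacker behaviours and all function names are assumptions made for illustration.

```python
import math
import random
import statistics

def partition(n_clients, cluster_size, rng):
    """Randomly split client ids into clusters (one small GHZ state per cluster)."""
    ids = list(range(n_clients))
    rng.shuffle(ids)
    return [ids[i:i + cluster_size] for i in range(0, n_clients, cluster_size)]

def cluster_means(updates, clusters):
    """All the server sees: one aggregate per cluster, never a single client's update."""
    dim = len(updates[0])
    return [[sum(updates[c][d] for c in cl) / len(cl) for d in range(dim)]
            for cl in clusters]

def cosine(a, b):
    na, nb = math.hypot(*a), math.hypot(*b)
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0

def flag_clusters(aggs, cos_min=0.5, rel_dist_max=0.5):
    """Compare each aggregate with the coordinate-wise median (assumed reference)."""
    ref = [statistics.median(col) for col in zip(*aggs)]
    ref_norm = math.hypot(*ref)
    flagged = set()
    for i, a in enumerate(aggs):
        # Cosine catches direction changes; Euclidean distance catches rescaling.
        if cosine(a, ref) < cos_min or math.dist(a, ref) > rel_dist_max * ref_norm:
            flagged.add(i)
    return flagged

def run_round(seed=7, n_clients=20, cluster_size=4):
    rng = random.Random(seed)
    g = [1.0, -2.0, 0.5, 3.0, -1.5, 2.0, 0.8, -0.7]    # constructed "true" update
    updates = [[x + rng.gauss(0, 0.05) for x in g] for _ in range(n_clients)]
    updates[3] = [-20.0 * x for x in g]                 # constructed sign-flip client
    updates[11] = [10.0 * x for x in g]                 # constructed scaling client
    clusters = partition(n_clients, cluster_size, rng)
    aggs = cluster_means(updates, clusters)
    flagged = flag_clusters(aggs)
    kept = [a for i, a in enumerate(aggs) if i not in flagged]
    model_update = [sum(col) / len(kept) for col in zip(*kept)]
    tainted = {i for i, cl in enumerate(clusters) if {3, 11} & set(cl)}
    return flagged, tainted, cosine(model_update, g), math.dist(model_update, g)

if __name__ == "__main__":
    print(run_round())
```

Because only cluster-level aggregates are visible, this sketch rejects a whole cluster rather than an individual client; the scaling client keeps cosine similarity near 1 and is caught only by the distance test.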