Federated learning with differential privacy and an untrusted aggregator (technical report)

We consider a scenario consisting of a data analyst and a large number of mobile devices, e.g., hundreds of million. The analyst, perhaps at a large company such as Google, is interested in learning a machine learning model over the data on the devices. For instance, the analyst may want to train a recurrent neural network (RNN) to provide auto-completion suggestions for the android keyboard (hard2018federated, ).

One restriction we place on this scenario is that the training must be done in a federated manner. (We refer the reader to prior work (tan2021cryptgpu, ; knott2021crypTen, ) for a discussion on training in the centralized, non-federated model.) As noted earlier (§1), federated learning proceeds in rounds, where in each round devices download the latest model parameters from a server, generate updates to these parameters locally, and send the updates to the server. The server aggregates the model updates. This repeats until the model achieves a target accuracy.

In this scenario, a malicious server, or even a malicious device, can execute many attacks. For instance, a malicious server can infer the training data of a device from the updates contributed by the device (zhu2019deep, ; melis2019exploiting, ; shokri2017membership, ). Similarly, a malicious device that receives model parameters from the server can execute an inference attack to learn another device’s input.

We assume the strong OB+MC threat model from Orchard. The server is honest-but-curious most of the time but occasionally byzantine (OB), while the devices are mostly correct (MC), but a small fraction can be malicious. The rationale behind the occasionality of the server’s maliciousness is that the server’s operator, e.g., Google, is reputed and subject to significant scrutiny from the press and the users, and thus unlikely to be byzantine for long. However, it may occasionally come under attack, e.g., from a rogue employee. The rationale behind the smallness of the fraction of malicious devices is that with billions of devices, it is unlikely that an adversary will control more than a small percentage. For instance, for a billion devices, only controlling 3% is already significantly larger than a large botnet. We further assume that a configurable percentage of honest devices may be offline during any given round of training.

Under the OB+MC threat model, we want our system to meet the following goals.

Meeting all of the goals described above is quite challenging. For illustration, consider the following solution approaches.

Orchard (roth2020orchard, ) takes a middle ground. It runs small(er)-scale MPC among devices while assuming an (occasionally) byzantine server. In particular, it forms a committee of a few tens of devices picked randomly from the entire population of devices; this committee then runs MPC among its members. Figure 1 shows an overview of Orchard. Orchard supports the full-batch gradient descent algorithm where all devices contribute updates in a round. For every round, Orchard runs the following four phases.

In the setup phase, Orchard samples the committee. Its members use MPC to generate keys for two cryptographic primitives: additive homomorphic encryption (AHE) (rivest1978data, ; fan2012somewhat, ) and zero-knowledge proof (ZK-proof) (groth16on, ; goldwasser2019knowledge, ).

In the generate phase, devices download the latest model parameters from the server. After local training, they encrypt their model updates (denoted by $\Delta$ in Figure 1) and generate a ZK-proof to prove to the server that the ciphertexts are well-formed and the model updates are bounded. The encryption hides the updates from the byzantine server and the proof limits the impact of malicious devices (they cannot supply arbitrary updates and thus ruin the model accuracy).

In the add phase, the server homomorphically adds the encrypted updates. The server also generates proof that it performed the addition correctly so that all devices can collaboratively verify the addition. This verification is necessary to prevent a byzantine server from launching subtle attacks to break DP. (We will discuss these attacks further in §4.3.)

In the release phase, the committee from the setup phase uses MPC to decrypt the output ciphertexts from the add phase. The committee also generates and adds the DP noise to the output, before releasing it, to guarantee (central) DP.

The challenge with Orchard is that even though it uses MPC at a smaller scale, the MPC overhead is still high. First, in the setup phase, committee devices generate fresh keys for each round, and generating one AHE key pair inside general-purpose MPC requires $\approx$180 seconds of cpu and 1 GiB of network transfers. Second, the overhead of the add phase to verify the server’s work grows linearly with the model size and becomes unpragmatic as soon as the model has a few hundred thousand parameters. Third, in the release phase, committee devices decrypt ciphertexts and generate DP noise inside general-purpose MPC, costing, for example, $\approx$2600 seconds of cpu and $\approx$38 GiB of network transfers per device for a model with just 4K parameters.

In general, providing high accuracy, differential privacy, and device efficiency simultaneously in a threat model where there is no trusted party proves incredibly challenging.

DP-FedAvg proceeds in discrete rounds (Figure 2). In each round $t$, it samples a small subset of user devices using a probability parameter $q$ (line 8), and asks the sampled devices to provide updates to the global model parameters (line 10). The devices locally generate the updates before clip** them by a value $S$ and uploading them (line 21); this clip** is necessary for differential privacy and it bounds the norm (sensitivity) of a device’s update. DP-FedAvg then aggregates these updates (line 12) and (separately) adds noise sampled from a Gaussian distribution. The standard deviation of the Gaussian distribution depends on a noise scale parameter $z$ and the clip** bound $S$; both are input parameters for DP-FedAvg. Finally, DP-FedAvg updates a privacy accountant $\mathcal{M}$ that computes, based on the noise scale $z$ and sampling probability $q$, two parameters $\epsilon$ and $\delta$ associated with differential privacy (line 14). These parameters capture the strength of the guarantee: how much the model parameters learned after a round vary depending on a device’s input. A lower value of $\delta$ and $\epsilon$ is desirable, and the literature recommends ensuring that $\epsilon$ stays close to or below $1$, and $\delta$ is less than $1/W$, where $W$ is the total number of devices (mcmahan2017learning, ).

DP-FedAvg has three characteristics that are crucial for Aero. The first is the sampling of devices (lines 8 to 10 in Figure 2). For instance, the sampling parameter $q$ could be $10^{-5}$ such that 10,000 out of, say, $10^{9}$ total devices contribute updates in a round. The second characteristic is that the noise is sampled from a Gaussian distribution whose standard deviation $\sigma$ is predetermined (set before the algorithm is run). This is in contrast to other DP algorithms that utilize techniques such as the Sparse Vector Technique (SVT) that generate noise depending on the value of the updates (roth2010interactive, ; dwork2009complexity, ). The third characteristic is averaging of updates: DP-FedAvg simply adds updates and noise (line 12 in Figure 2) rather than combining them using a more complex function. Aero heavily leverages these characteristics.

Finally, we remark that Aero can support DP-FedAvg only without the amplification assumption for DP. This is because the adversary (the byzantine server) can observe all traffic and knows which devices contribute updates for training. In contrast, the amplification assumption requires the server to be oblivious to the contributors, which in turn improves the privacy budget. We leave the addition of expensive oblivious approaches (which hides who is contributing updates besides hiding the updates themselves) to future work.

Aero borrows two system components from Orchard: an aggregator and a public bulletin board (Figure 3). The aggregator runs server-side inside a data center and therefore consists of one or more powerful machines. Its main role is to combine updates from user devices without learning their content. The bulletin board is an immutable append-only log. The aggregator (which is potentially malicious) and the devices use the bulletin board to reliably broadcast messages and store states across rounds, e.g., the latest values of DP parameters $\epsilon$ and $\delta$. Like Orchard (roth2020orchard, ), Aero assumes that free web services such as Wikipedia, or a public block-chain could serve as the bulletin board.

Like Orchard, Aero also consists of committees of devices, but instead of a single committee as in Orchard, Aero has three types of committees tailored to the needs of DP-FedAvg (and similar algorithms). A master committee handles system setup, including key generation for cryptographic primitives. A DP-noise committee handles Gaussian noise generation. And multiple decryption committees perform decryption operations to release updates to the global model parameters at the end of a training round. Aero samples each committee afresh each round, dividing the committee workload across the large population of devices.

An architecture with separate committee types is deliberate and crucial. It helps tailor a committee’s protocol to its tasks to significantly improve efficiency. Besides, the use of multiple committees of the same type, i.e., multiple decryption committees, helps Aero scale with model size as each committee works on a subset of model parameters.

Notably, the ability to use separate committee types is possible only because of the specifics of DP-FedAvg. For instance, the fact that Gaussian noise generation does not depend on the value of the updates allows Aero to separate the DP-noise committee from the decryption committees.

To begin training a model, a data analyst supplies input parameters (the model architecture, the initial model parameters, and the other input parameters for DP-FedAvg) to the aggregator. The aggregator then initiates a round-based protocol consisting of discrete rounds. In each round, it executes one iteration of the for loop in the Main procedure of DP-FedAvg (line 7 in Figure 2). Each round further consists of the four phases of setup, generate, add, and release (Figure 3).

In the setup phase, the aggregator samples the various committees for the round. The master committee then receives and validates the input parameters, and generates keys for an AHE and a ZK-proof scheme. Aero’s setup phase is similar to Orchard (§2.3) with the key difference that Aero’s master committee uses techniques to reuse keys across rounds rather than generating them fresh for each round using MPC.

Next, in the generate phase, (i) devices select themselves to generate updates for the round, and (ii) the DP-noise committee generates the Gaussian noise for DP. Both types of devices use techniques to perform their work efficiently. For instance, the DP-noise committee generates noise in a distributed manner while avoiding MPC.

Next, in the add phase, the aggregator adds the model updates to the Gaussian noise without learning the plaintext content of either of them. This is done through the use of the AHE scheme. The entire population of devices collectively verifies the aggregator’s work. Again, the key is efficiency for the devices, for which the aggregator and the devices use a new verifiable aggregation protocol.

Finally, in the release phase, each decryption committee receives the secret key for the AHE scheme from the master committee and decrypts a few ciphertexts from the add phase. The key point is that a decryption committee avoids general-purpose MPC by using a specialized decryption protocol.

Much of Aero’s setup phase is similar to Orchard. During this phase, (i) the aggregator samples the master committee, which then (ii) receives and validates inputs for the round (i.e., receives model parameters $\theta^{t}$ for the current round $t$, the device selection probability $q$, noise scale $z$, and clip** bound $S$, and generates new values of the DP parameters $\epsilon,\delta$), and (iii) generates keys for cryptographic primitives (§3.3). We do not focus on the first two pieces to avoid repetition with Orchard, but include them in the supplementary material for completeness (Appendix §A.2). Instead, the key challenge in Aero is the overhead of key generation.

Recall (§2.3) that Orchard uses MPC among the master committee members to correctly run the key generation function and ensure that even if the malicious members of the committee collude, they cannot recover the AHE secret key. The overhead of this MPC is high: $\approx$1 GiB of network transfers and 180 seconds of cpu time per committee device. How can this overhead be reduced?

One idea (roth2021mycelium, ) is to reuse keys across rounds rather than generate them afresh for each round. Indeed, this is what Aero does: the master committee in round 1 generates the keys and shares them with the committee for the next round, and this committee then shares the keys with the committee for the third round, and so on. But one has to be careful.

Consider the following attack. Say that the malicious aggregator receives a victim device $k^{\prime}s$ update $Enc(pk,\Delta_{k}^{t})$ in round $t$. Then, in the next round $t+1$, the aggregator colludes with a malicious device in the overall population to use $Enc(pk,\Delta_{k}^{t})$ as the device’s update. This attack enables the aggregator to violate differential privacy as the victim device’s input does not satisfy the required clip** bound $S$ in round $t+1$ due to its multiple copies (§3.1). Orchard does not suffer from this attack as it generates fresh keys in each round: the ciphertext for round $t$ decrypts to a random message with round $t+1$’s key. However, prior work that reuses keys in this manner (in particular, Mycelium (roth2021mycelium, )) does suffer from this attack.

Thus, Aero must apply the reuse-of-keys idea with care. Aero adjusts the generate and add phases of its protocol (§3.3) to prevent the aforementioned attack. We are not in a position yet to describe these changes, but we will detail them shortly when we describe these other phases (§4.2, §4.3). Meanwhile, the changes in the setup phase relative to Orchard are the following: for the AHE secret key $sk$, Aero implements an efficient verifiable secret redistribution scheme (gupta2006extended, ; roth2021mycelium, ) such that committee members at round $t+1$ securely obtain the relevant shares of the key from the committee at round $t$. For the public keys (AHE public key $pk$, and both the ZK-proof public proving and verification keys), the committee for round $t$ signs a certificate containing these keys and uploads it to the bulletin board, and the committee for round $t+1$ downloads it from the board.

The savings by switching from key generation to key resharing are substantial for the network, with a slight increase in cpu. While the MPC solution incurs $\approx$1 GiB of network transfers and 180 seconds of cpu time per committee device, key resharing requires 125 MiB and 187 seconds, respectively (§6.2). The cpu is higher because key resharing requires certain expensive field exponentiation operations (gupta2006extended, ).

Recall from §3.3 that during this phase (i) Aero must pick a subset of devices to generate updates to the model parameters, (ii) the DP-noise committee must generate Gaussian noise for differential privacy, and (iii) both types of devices must encrypt their generated data (updates and noise).

Aero adopts a hybrid and efficient design in which devices sample themselves but the aggregator verifies the sampling. Let $B^{t}$ be a publicly verifiable source of randomness for round $t$; this is the same randomness that is used in the sortition protocol to sample committees for the round. Then, each device $k$ with public key $\pi_{k}$ computes $PRG(\pi_{k}||B^{t})$, where $PRG$ is a pseudorandom generator. Next, the device scales the PRG output to a value between 0 and 1, and checks if the result is less than $q$. For instance, if the PRG output is 8 bytes, then the device divides this number by $2^{64}-1$. If selected, the device runs the UserUpdate procedure (line 10 in Figure 2) to generate updates for the round. This approach of sampling is efficient as devices only perform local computations.

The challenge in Aero is therefore: how do we account for the $A$ malicious devices in the DP-committee? These devices may behave arbitrarily and may thus generate either no noise or large amounts of it. Adding unnecessary noise hurts accuracy, not privacy. In contrast, failing to add noise may violate privacy. We thus consider the worst case in which malicious users fail to add any noise and ask honest devices to compensate. Each honest client thus samples its noise share from the distribution $\mathcal{N}(0,I\frac{\sigma^{2}}{C-A})$.²²2Aero can further compensate for honest-but-offline devices. Say, for e.g., that $B$ of $C-A$ honest devices must be provisioned to be offline. Then, Aero subtracts $B$ from $C-A$ to get the number of honest-but-online devices.

This algorithm generates noise cheaply without expensive MPC. The downside is that it may generate more noise than necessary, hurting accuracy. To mitigate this risk, we carefully choose the committee size to minimize the ratio of additional noise. Specifically, we choose $C$ to keep the ratio $(C-A)/C$ close to 1. For instance, instead of picking a committee containing a few tens of devices similar to the master committee, we pick a somewhat larger DP-noise committee: $(A,C)=(40,280)$.³³3Using a probabilistic argument for committee size selection as before (§4), if $f=3\%$ devices in the overall population are malicious, then the chances of sampling 280 devices with more than 1/7th malicious is $4.1\cdot 10^{-14}$.

Recall that during the add phase (i) the aggregator adds ciphertexts containing device updates to those containing shares of Gaussian noise, (ii) the devices collectively verify the aggregator’s addition (§3.3).

This work during the add phase has subtle requirements. So first, we expand on these requirements while considering a toy example with two honest and a malicious device. The first honest device’s input is ${\small\textsc{Enc}}(pk,\Delta)$, where $\Delta$ is its update, while the second honest device’s input is ${\small\textsc{Enc}}(pk,n)$, where $n$ is the Gaussian noise. For this toy example, first (R1), the aggregator must not omit ${\small\textsc{Enc}}(pk,n)$ from the aggregate as the added noise would then be insufficient to protect $\Delta$ and guarantee DP. Second (R2), the aggregator must not let the malicious device use ${\small\textsc{Enc}}(pk,\Delta)$ as its input. Relatedly, the aggregator itself must not modify ${\small\textsc{Enc}}(pk,\Delta)$ to ${\small\textsc{Enc}}(pk,k\cdot\Delta)$, where $k$ is a scalar, using the additively homomorphic properties of the encryption scheme. The reason is that these changes can violate the clip** requirement that a device’s input is bounded by $S$ (e.g., $2\cdot\Delta$ may be larger than $S$). And, third (R3), the aggregator must ensure that the above (the malicious device or the aggregator copying a device’s input) does not happen across rounds, as recall that Aero uses the same encryption key in multiple rounds (§4.1).

One option to satisfy these requirements is to use the verifiable aggregation protocol of Orchard (roth2019honeycrisp, ) that is based on summation trees. The main challenge is resource costs. Briefly, in this protocol, the aggregator arranges the ciphertexts to be aggregated as leaf nodes of a tree, and publishes the nodes of the tree leading to the root node. For example, the leaf nodes will be ${\small\textsc{Enc}}(pk,\Delta)$ and ${\small\textsc{Enc}}(pk,n)$, and the root node will be ${\small\textsc{Enc}}(pk,\Delta)+{\small\textsc{Enc}}(pk,n)$, for the toy example above. Then, devices in the entire population inspect parts of this tree: download a few children and their parents and check that the addition is done correctly, that the leaf nodes haven’t been modified by the aggregator, and the leaf nodes that should be included are indeed included. The problem is that Orchard requires a device to download and check about $3\cdot s$ nodes of the tree (roth2019honeycrisp, ; roth2020orchard, ), where $s$ is a configurable parameter whose default value is six. But for realistic models, each node is made of many ciphertexts (e.g., the 1.2M parameter CNN model requires $\ell=293$ ciphertexts), and 18 such nodes add to 738 MiB.

Aero improves this protocol using two ideas. First, Aero observes that the entire population of devices that must collectively check the tree is massive (e.g., $10^{9}$). Besides, although the tree has bulky nodes with many ciphertexts, the total number of nodes is not high due to sampling (e.g., only 10,000 devices contribute updates in a round). Thus, Aero moves away from one summation tree with “bulky” nodes, to $\ell$ summation trees with “small” nodes, where $\ell$ is the number of ciphertexts comprising a device’s update (e.g., $\ell=293$ for the 1.2M parameter model). Then, each device probabilistically selects a handful of trees, and a checks few nodes within each selected tree.

Second, Aero optimizes how a device tests whether the sum of two ciphertexts equals a third ciphertext. Aero recognizes that ciphertexts can be expressed as polynomials and the validity of their addition can be checked efficiently using a technique called polynomial identity testing (PIT) (schwartz1980fast, ; zippel1979probabilistic, ). Roughly, PIT says that the sum of polynomials can be checked by evaluating them at a random point and checking the sum of these evaluations. Using PIT, Aero replaces the ciphertexts at the non-leaf nodes of the summation trees with their much smaller evaluations at a random point.

We now describe Aero’s protocol in detail, first without the PIT optimization, and then with it.

In the add step, the aggregator adds the ciphertexts via summation trees. Specifically, if device updates have $\ell$ ciphertexts, the aggregator creates $\ell$ summation trees, one per ciphertext (line 6 in Figure 4). The leaf vertices of the $j$-th tree are the $j$-th ciphertexts in the devices’ inputs, while each parent is the sum of its children ciphertexts, and the root is the $j$-th ciphertext in the aggregation result. The aggregator publishes the vertices of the summation trees on the bulletin board (line 7 in Figure 4), allowing an honest device to check that its input is not omitted (requirement R1 above).

In the verify step, each device in the system selects $q\cdot\ell$ summation trees, where $q$ is the device sampling probability (line 9 in Figure 4), and checks $s$ leaf nodes and $2s$ non-leaf nodes in each tree. ($s=6$ in our implementation.) Specifically, the device checks that the leaf node ciphertexts are committed to in the commit step (requirement R2), and the ZK-proofs of the ciphertexts are valid, e.g., the first part of the plaintext message in the ciphertexts equals the current round number (requirement R3). For the non-leafs, the device checks that they sum to their children.

As mentioned earlier, Aero reduces this overhead by using polynomial identity testing (PIT) (schwartz1980fast, ; zippel1979probabilistic, ). This test says that given a $d$-degree polynomial $g(x)$ whose coefficients are in a field $\mathbb{F}$, one can test whether $g(x)$ is a zero polynomial by picking a number $r\in\mathbb{F}$ uniformly and testing whether $g(r)==0$. This works because a $d$-degree polynomial has at most $d$ solutions to $g(x)==0$ and $d$ is much less than $|\mathbb{F}|$.

Using PIT, Aero replaces the ciphertexts at the non-leafs with their evaluations at a random point $r$. Then, during the “Verify” step, a device checks (line 11 in Fig. 4) whether these evaluations (rather than ciphertexts) add up. Thus, instead of downloading three ciphertexts with $2\cdot 2^{12}$ field elements each, a device downloads 2 elements of $\mathbb{F}$ per ciphertext.

A requirement for PIT is generation of $r$, which must be sampled uniformly from the coefficient field. For this task, Aero extends the master committee to publish an $r$ to the bulletin board in the add step, using a known protocol to securely and efficiently generate a random number (damgard2006unconditionally, ; damgaard2012multiparty, ).

During the release phase, Aero must decrypt the $\ell$ ciphertexts from the add phase, i.e., the $\ell$ root nodes of the $\ell$ summation trees. The default, but expensive, option is to use MPC among the members of the decryption committees.

Aero addresses this efficiency challenge using known ideas and applying them; i.e., Aero’s contribution in this phase is not new techniques, but the observation that existing ideas can be applied. Nevertheless, applying these ideas requires some care and work.

First, recall that Aero has multiple decryption committees (§3.2). Naturally, to reduce per-device work, each committee decrypts a few of the $\ell$ ciphertexts. A design question for Aero is how many committees should it use. On the one hand, more committees are desirable (best case is $\ell$). However, more committees also mean that each has to be larger to ensure that none of them samples more than $A$ out of $C$ malicious devices, breaking the threshold assumptions of a committee. Meanwhile, a larger committee means more overhead. In practice (§6), we take a middle ground and configure Aero to use ten decryption committees.

Second, Aero reduces each committee’s work relative to the MPC baseline, using a fast distributed decryption protocol to decrypt the ciphertexts (chen2019efficient, ). The use of this protocol is possible as a decryption committee’s task is only of decryption given how we formed and assigned work to different types of committees (§3.2). This fast protocol requires the committee devices to mainly perform local computations with little interaction with each other. The caveat is that for this protocol to be applicable, the committee members must know an upper bound on the number of additive homomorphic operations on the ciphertexts they are decrypting.⁴⁴4This bound is needed to add a “smudging noise” to the committee’s decryption output to ensure that the output does not leak information on the inputs to the aggregation (asharov2012multiparty, ). Fortunately, in Aero’s setting this bound is known: it is the maximum number of devices whose data the aggregator adds in the add phase ($M_{max}$ in Figure 4). The benefit of distributed decryption (and moving work outside MPC) meanwhile is substantial.

Aero’s protocol provides the required differential privacy guarantee (§2.2). The supplementary material (Appendix A.1) contains a proof. But, briefly, the key reasons are that (i) in the generate phase, honest devices sample themselves to make sure that they are not sampled more than expected, (ii) the verifiable aggregation protects these devices’ input, and (iii) key resharing and fast decryption protocols keep secret keys hidden.

Aero’s accuracy depends on the DP parameters $\epsilon$ and $\delta$. For Figure 6 experiments, we set $\epsilon=5.04$ and $\delta=1/W^{1.1}$. Further, for both systems, we set all other training parameters (batch size, the number of device-side training epochs, etc.) per the examples provided by FedScale for each dataset.

Figure 6 compares the accuracies after 480 rounds of training (these models converge in roughly 400-500 rounds). Generally, Aero’s accuracy loss grows with the number of model parameters. The reason is that DP-FedAvg adds noise for every parameter and thus the norm of the noise increases with the number of parameters.

Although Aero’s accuracy loss is (very) high for a larger number of parameters, this loss is recoverable by increasing $\epsilon$ (but still kee** it at a recommended value). Figure 7 shows accuracy for two values of $\epsilon$ for two example models. Increasing $\epsilon$ from 5.04 to 5.53 recovers the accuracy loss. For instance, for the CNNF model, FedScale’s accuracy is 79.3% after 480 rounds, while Aero’s is 79.2%. The reason is that as $\epsilon$ increases, more devices can contribute updates ($q$ increases), which increases the signal relative to the differential privacy noise. Overall, Aero can give competitive accuracy as plain federated learning for models with parameters ranging from tens of thousand to a few million.

Overall, an Aero device on average (considering the different types of Aero devices) spends $5.9\cdot 10^{3}-9.7\cdot 10^{4}\times$ higher cpu and $3.5\cdot 10^{3}-2.4\cdot 10^{4}\times$ higher network relative to FedScale. This overhead is due to the fact that FedScale does not use any cryptographic operations, while Aero devices use many, for example, encryption and ZK-proofs during the generate phase, and verifiable aggregation during the add phase. However, Aero’s overhead, at least, on average, is low (Figure 8). Further, as we will show next, Aero’s worst-case overhead is also moderate.

Both Aero and Orchard have multiple types of devices. Aero has devices that participate in the master committee, generate updates (or Gaussian noise), verify the aggregator’s work, and participate in the decryption committee. Similarly, Orchard has generator, verifier, and committee devices. We compare overhead for these devices separately.

Figure 8(a) shows the cpu time and Figure 9(a) shows the network transfers with a varying number of model parameters. These overheads grow linearly with the number of model parameters (the network overhead is not a straight line as it includes a fixed cost of 60 MiB to download ZK-proof proving keys). The reason is that the dominant operations for a generator device are generating ZK-proofs and ship** ciphertexts to the aggregator. The number of both operations is proportional to the number of parameters (§4.2).

In terms of absolute overhead, a specific data point of interest is a million-parameter model, e.g., the CNND model with 1.2M parameters. For this size, a generator device spends 1.01 hours in cpu time, or equivalently 13.4 minutes of latency (wall-clock time) over six cores. The generator also sends 101 MiB of data over the network. These overheads are moderate, considering the fact that the probability that a device will be a generator in a round is small: $10^{-5}$.

Finally, the cpu and network overhead for Aero and Orchard is roughly the same. The reason is that the dominant operations for the two systems are common: ZK-proofs and upload of ciphertexts.

Overall, Aero’s verifier devices, which are the bulk of the devices in the system, are efficient consuming a few milliseconds of cpu and a few KiBs of network transfers. For instance, for $q=10^{-5}$, Aero incurs 3.12 KiB in network and 15 ms of cpu time, while Orchard incurs 1.96 seconds (130$\times$) and 738 MiB ($2.36\cdot 10^{5}\times$).

Comparing Aero with Orchard, a verifier in Aero consumes lower cpu than Orchard for smaller values of $q$ but a higher cpu for larger $q$. This trend is due to constants: even though an Aero device checks $q\cdot\ell$ summation trees and $3s$ ciphertexts in each tree versus $\ell\cdot 3s$ ciphertexts in Orchard, Aero devices verify the ZK-proofs to address the reuse-of-keys issue, while Orchard does not have such a requirement (§4.3). Each proof check takes $\approx$700 ms on a single cpu of c5.24xlarge. Indeed, Aero w/o ZK-proof check (another line in the plot) is strictly better than Orchard.

Aero’s network overhead increases linearly with $q$, while Orchard’s stays constant as it does not do sampling (Figure 9(b)). Notably, when $q=1$, i.e., when Aero and Orchard check the same number of ciphertexts, a Aero verifier consumes 251 MB, which is $\approx 1/3$rd of Orchard. This is because polynomial identity testing allows a Aero verifier to download evaluations of ciphertext polynomials rather than the full polynomials from non-leaf vertices (§4.3).

Aero’s overheads are much lower than Orchard’s—for 1.2M parameters, cpu time is 206 s in Aero versus 214 hours in Orchard (i.e., $3751\times$ lower), and network is 234 MiB in Aero versus 11 TiB in Orchard (i.e., $4.8\cdot 10^{4}\times$ lower). This improvement is for two reasons. First, Aero divides the decryption of multiple ciphertexts across committees, and thus each performs less work. Second, Aero uses the distributed decryption protocol (§4.4), while Orchard uses the general-purpose SCALE-MAMBA MPC (scaleMamba, ).