Enhancing Federated Learning with Adaptive Differential Privacy and Priority-Based Aggregation

1^st Mahtab Talaei1

Department of Electrical and Computer Engineering
Isfahan University of Technology
Isfahan, Iran
[email protected] 2^nd Iman Izadi
Department of Electrical and Computer Engineering
Isfahan University of Technology
Isfahan, Iran
[email protected]

Abstract

Federated learning (FL), a novel branch of distributed machine learning (ML), develops global models through a private procedure without direct access to local datasets. However, it is still possible to access the model updates (gradient updates of deep neural networks) transferred between clients and servers, potentially revealing sensitive local information to adversaries using model inversion attacks. Differential privacy (DP) offers a promising approach to addressing this issue by adding noise to the parameters. On the other hand, heterogeneities in data structure, storage, communication, and computational capabilities of devices can cause convergence problems and delays in develo** the global model. A personalized weighted averaging of local parameters based on the resources of each device can yield a better aggregated model in each round. In this paper, to efficiently preserve privacy, we propose a personalized DP framework that injects noise based on clients’ relative impact factors and aggregates parameters while considering heterogeneities and adjusting properties. To fulfill the DP requirements, we first analyze the convergence boundary of the FL algorithm when impact factors are personalized and fixed throughout the learning process. We then further study the convergence property considering time-varying (adaptive) impact factors.

Index Terms:

Federated Learning, Differential Privacy, Personalized Impact Factors, Adaptive Impact Factors, Systems and Statistical Heterogineties

¹¹footnotetext: Mahtab Talaei was affiliated with the Department of Electrical and Computer Engineering at Isfahan University of Technology during the research for this paper. At the time of submission, she is affiliated with the Division of Systems Engineering at Boston University, Boston, USA.

I Introduction

Smart distributed systems such as smartphones, automated vehicles, multi-agent systems, and wearable devices are growing rapidly in our daily lives. Their underlying mechanism which is attached with sensing and communicating generates an unprecedented amount of data every day. Therefore, utilizing these sources of rich information to enhance services offered to people and organizations owning the data, without violating their privacy, matters a great deal. The developments in the computational and communicational capabilities of intelligent distributed devices along with their abilities to collect and store large datasets have opened up effective alternatives for managing and analyzing local databases.

A common traditional practice to develop predictive machine learning (ML) models is to transmit raw data over networks and generate models in a centralized manner. While this method has provided data owners valuable services throughout the years, their efficiency for today’s crowdsourced data is called into question. Communication costs of sending large volumes of data on one hand, and privacy concerns for sharing personal information on the other hand have provided space for decentralized ML algorithms, such as federated learning (FL) [1].

Federated machine learning is a promising solution in settings dealing with large volumes of data as well as privacy concerns about clients’ sensitive information [2]. In this framework, each device builds its model using local datasets, and the essential model parameters, rather than raw data, are transmitted to the cloud server. The server aggregates these parameters and updates the global model throughout a recursive downloading and uploading cycle [3, 4, 5]. Hence, each client benefits from a larger database during the learning process, without direct access to it. While offering great advantages over conventional ML methods, FL has its own challenges. Expensive communications, systems and statistical heterogeneities, and security risks are considered as the four main issues while develo** FL models [6].

Deep Learning (DL) models are widely used in FL, especially for feature extraction in the large image, voice, and text datasets. In order to optimize local DL models inside the clients, stochastic gradient descent (SGD) is generally adopted [7, 8, 9]. Sending frequent gradient updates with the massive number of both parameters and clients in FL leads to an extreme rise in communication costs. Increasing the number of local updates [10, 11] is one natural way to modify communication bottlenecks with more local computations. On the other hand, quantization [12, 13, 14] and sparsification [15, 16] methods mitigate this challenge by reducing the size of transmitted messages in each round.

Dealing with systems that have different computational capabilities, network capacities, and power resources is an inevitable challenge in FL. Several approaches, including resource-based client selection [17, 18], robust and fault-tolerant algorithms [19], and asynchronous communications [20] address these challenges. On the other extreme, heterogeneity in data distributions of the clients causes problems in the training and convergence of FL algorithms. Using multi-task learning methods [21, 22] and avoiding local minimums by adding a proximal term to the objective function [23] help handling unbalanced and non-IID data in FL [6].

Even though the idea of FL was first proposed for its strong privacy guarantees, it has been shown that local datasets can be still revealed to stragglers using model inversion attacks on shared updates [24], especially when DL is used in local models [25, 26]. To mitigate this challenge, differential privacy (DP) is one of the widely used protection algorithms due to its solid theoretical guarantees [27, 28]. In order to reduce the risk of data leakage in ML algorithms, noise with Gaussian, Laplace, or Exponential distribution is deliberately added to data in DP. The work in [29] proposes a global DP algorithm in FL and gives a theoretical explanation for the convergence behavior of the suggested scheme.

As discussed earlier, nodes in a distributed architecture differ in the data structure, dataset size, network condition, reliability, availability, and computation capabilities, which can even be time-varying. A privacy-preserving approach in FL is not effective unless paying attention to these personalized characteristics. Hence, there exist multiple works on DP with the content “adaptive” to compensate systems and statistical heterogeneities in FL. These works can be divided into two general directions based on the adaptability criterion. One direction injects an adaptive noise distribution to local parameters to enhance local protection. It considers each client separately without involving their heterogeneity. For instance, adaptive clip** [30] finds the best clip** constant for DP in each device based on their local behaviors. In [31], noise with Laplace distribution is added to model updates based on the neurons’ contributions in the clients. The work in [32] achieves a trade-off between privacy and accuracy by adding more noise to less important parameters and less noise to more important ones.

The second direction, however, concentrates on personalized training in the heterogeneous networks. The work in [33] trains differentially private models in each client and uploads the local updates for the server. These directions both lack considering the local characteristics in the aggregating process. More specifically, they assume the same impact factor for all devices during aggregation, regardless of their local dissimilarities. This assumption not only simplifies the convergence analysis of the algorithm but also changes the DP requirements [8]. To the best of our knowledge, the privacy and convergence analysis in FL with non-identical and time-varying impact factors have not yet been studied in the existing literature.

In this paper, we combine the heterogeneity and privacy concerns in a novel FL scheme. Regardless of multi-task learning algorithms used in FL, each local model possesses a weight or an impact in the global cost function. This impact can be assigned considering many factors by the server or the clients. It can also change (increase or decrease) or even become zero during the learning process. We, therefore, propose a DP algorithm considering the non-identical impact factors, namely, personalized aggregation in differentially private federated learning (PADPFL). We further establish the convergence analysis of the algorithm and the influence of the additive noise on it.

In summary, the main contributions of this paper are as follows.

•

We propose a noise injection paradigm, PADPFL, that satisfies DP requirements with Gaussian distribution when clients have different impact factors in the aggregation process.
•

We perform a convergence analysis of the proposed algorithm for Non-IID clients when using fixed non-identical impact factors throughout training the global model.
•

We perform a convergence analysis of the proposed algorithm for Non-IID clients when using adaptive (time-varying) impact factors throughout training the global model.
•

We conduct evaluations on real-world datasets to verify the effectiveness of PADPFL, and observe the trade-off between model accuracy, privacy budget, and impact factors.

The remainder of this paper is organized as follows. In Section II, we review some preliminaries on FL,and DP. In Section III, we introduce our approach for a differentially private federated learning in a client and server side. Next, we analyse the convergence bound on the global loss function of the proposed solution for a fixed and time-varying impacts, in Section IV and V, respectively. Simulations and results are presented in Section IV, and the summary and conclusion are given in Section VI.

II Preliminaries

In this section, we briefly review some key materials of FL and DP.

II-A Federated Learning

The goal in a standard FL problem is to develop a global ML model for tens to millions of clients without direct access to their local datasets [34]. The only messages transmitted from the clients to the cloud server in this framework are the training parameter updates of the local loss functions. To formalize this goal, consider $N$ clients as depicted in Fig. 1. We wish to find weight matrix $x$ minimizing the following loss function:

\min_{x}L(x),\,\textnormal{where}\,L(x):=\sum_{i=1}^{N}p_{i}l_{i}(x,\mathcal{D% }_{i}),

(1)

where $l_{i}$ and $D_{i}$ represent the local loss function and training database of the $i$ -th client, respectively. Moreover, the coefficient $p_{i}$ is considered as the relative impact factor of device $i$ in the global model, so that

\sum_{i=1}^{N}p_{i}=1,\qquad 0\leqslant p_{i}\leqslant 1

(2)

In order to solve (1), matrix of the global parameters at itteration $(t)$ is updated using weighted averaging of the trained local parameters ( $x_{1}^{(t)},x_{2}^{t}),...x_{N}^{(t)}$ ) [35]

x^{(t)}:=\sum_{i=1}^{N}p_{i}x_{i}^{(t)},

(3)

Refer to caption — Figure 1: A FL training model.

To address heterogenities, FedProx [23] is utilized in the learning process. Therefore, defining

h_{i}(x_{i}^{(t+1)};x^{(t)})=l_{i}(x_{i}^{(t+1)})+\frac{\mu}{2}\lVert x_{i}^{(% t+1)}-x^{(t)}\rVert^{2},\quad\gamma\in[0,1],

(4)

$x_{0}$ is the $\gamma_{i}$ -inexact solution for $\min_{x}h_{i}(x,x^{(t)})$ .

II-B Differential Privacy

DP gives a rigorous mathematical definition of privacy and strongly guarantees preserving data in ML algorithms. A randomized mechanism $\mathcal{M}$ is differentially private if its output is robust to any change of one sample in the original dataset. The following definition formally clarifies this statement for $(\epsilon,\delta)$ -DP [27]:

Definition 1 ( $(\epsilon,\delta)$ -DP).

A randomized mechanism $\mathcal{M}:\mathcal{X}\rightarrow\mathcal{R}$ satisfies $(\epsilon,\delta)$ -differential privacy for two non-negative numbers $\epsilon$ and $\delta$ if for all adjacent datasets $\mathcal{D}$ and $\mathcal{D}^{\prime}$ $d(\mathcal{D},\mathcal{D}^{\prime})=1$ , and for all subsets $S\subseteq\mathcal{R}$ , there holds

\textnormal{Pr}[\mathcal{M}(\mathcal{D})\in S]\leqslant e^{\epsilon}% \textnormal{Pr}[\mathcal{M}(\mathcal{D}^{\prime})\in S]+\delta,

(5)

where the randomized algorithm $\mathcal{M}$ maps an input $x\in\mathcal{X}$ discretely to $\mathcal{M}(x)=y$ with probability $(\mathcal{M}(x))_{y},\,\forall y\in\mathcal{R}$ . The probability space is defined over the coin flips of the mechanism $\mathcal{M}$ . Note that the difference between two datasets $\mathcal{D}$ and $\mathcal{D}^{\prime}$ , $d(\mathcal{D},\mathcal{D}^{\prime})$ , is typically defined as the number of records on which they differ.

It is concluded from this definition that, with a probability of $\delta$ , the output of a differentially private mechanism on two adjacent datasets varies more than a factor of $e^{\epsilon}$ . Thus, smaller values of $\delta$ enhance the probability of having the same outputs. Smaller values of $\epsilon$ narrow down the privacy protection bound. The smaller $\epsilon$ and $\delta$ , the lower the risk of privacy violation.

Based on [27], considering $f$ as an arbitrary $d$ -dimensional function applied on a dataset, for $\epsilon\in(0,1)$ and $c\geqslant\sqrt{2\ln{(1.25/\delta)}}$ , a Gaussian mechanism with parameter $\sigma\geqslant c\Delta f/\epsilon$ that deliberately adds Gaussian noise scaled to $\mathcal{N}(0,\sigma^{2})$ to each output component of $f$ is $(\epsilon,\delta)$ -differentially private. Here, $\Delta f$ is the sensitivity of the function $f$ defined by $\Delta f=\max_{\mathcal{D},\mathcal{D}^{\prime}}\lVert f(\mathcal{D})-f({% \mathcal{D}^{\prime}})\rVert$ .

III Personalized Differential Privacy in Federated Learning

In this section, we propose the personalized noise injection for preserving DP. We first describe the threat model and then propose the algorithm.

III-A Threat Model and Design Goals

We consider the cloud server to be an “honest-but-curious” entity, ie, the central server can use model inversion attacks to recover training data. Additionally, local and global parameter updates can be revealed to adversaries in the uploading and downloading channels. For this reason, the goal of our approach is to protect the weights transmitted between the server and clients from being inferred any extra information about users to both the server or external adversaries. Preserving global privacy is the primal goal of our approach, but it leads to a level of local privacy, as well.

Following from [29], we also assume that downloading channels are exposed to more external attacks than uploading channels as they are broadcasting. Hence, considering $T$ aggregation times, the revelation of local parameters while uploading can be at most $R$ times ( $R\leqslant T$ ).

III-B Proposed Privacy-Preserving Scheme

considering systems and statistical heterogeneities, each client influences the global loss function ( $L$ ) differently. Apart from multi-task learning methods that aim to develop personalized local models, the aforementioned impact factor ( $p_{i}$ ) can play a vital role in training accurate models. The impact factors assigned to the clients at each iteration can strengthen or weaken the effect of local models in the global loss function.

Although using non-identical impact factors may seem a straightforward approach, its importance is underestimated in the literature. Assuming the natural setting $p_{i}=\frac{1}{N}$ or even $p_{i}=\frac{m_{i}}{m}$ , where $m_{i}=|\mathcal{D}_{i}|$ and $m=\sum_{i}m_{i}$ is the total number of samples, is far from reality and oversimplifies the problem. In fact, clients participate in learning in different ways as their data and structures are not the same. To compensate for these heterogeneities, we assign different impacts to clients while aggregating models. The heterogeneities between the clients can come from several sources, including:

•

data quality
•

data reliability
•

dataset size
•

link quality
•

revelation probability
•

accessibility
•

client reliability

The first three items relate to the clients, while the remaining depends primarily on the knowledge of the central server.

While working collaboratively with possibly millions of users, even when datasets have the same nature, the quality of information used in local models is not the same. For instance, while modelling image datasets, the resolution of data varies between the clients, and hence, training local models based on low-quality images reduces the global model performance. Moreover, the reliability of local datasets can influence the validity of models, as they may contain irrelevant information. So, users can send additional bits to the cloud server, based on local model performances, to help the server assign relevant impact factors. On the other hand, the size of local datasets does not necessarily affect impact factors directly. In Non-IID structures, we may have valuable informative datasets that are relatively small in size, but global models should be biased in favor of them. Therefore, the assumption $p_{i}=\frac{m_{i}}{m}$ would not be a wise choice.

Stemming from the fact that distributed learning requires training and inference of models over a wireless system, uncertainty and stochasticity exist in its nature. Link errors and delays can adversely influence the convergence speed of the learning algorithm [36]. However, utilizing variant impact factors can mitigate this challenge to some extent. When client $k$ cannot synchronize itself with the others due to network faults, the server can distribute $p_{k}$ among counterpart clients for that iteration to keep pace with the algorithm. Additionally, different levels of accessibility and reliability of local parameters lead to utilizing non-identical impact factors. When several groups of IoT devices and sensor networks perform the measurements and model updates cooperatively in a FL task, weighting the updates appropriately and based on the devices’ accuracy, reliability, or accessibility must be a priority for the server.

Along with all the aforementioned heterogeneity sources, impact factors can vary between global iterations. In other terms, the impacts assigned to the local model weights are not fixed throughout the learning process. They can change to accommodate different situations. For instance, a client sending accurate updates may become out of charge or encounter noisy links in the middle of learning process. Hence, a wise server should adaptively reduce the impact factor of its parameters to save the global model performance.

In this paper, we achieve $(\epsilon,\delta)$ -DP using Gaussian mechanism, which provides theoretical privacy guarantees for sharing DL model updates. Here, we calculate the amount of the client-side and server-side additive noise based on the sensitivity parameter when impact factors are non-identical. The differential privacy requirements are satisfied for each iteration, and the only limitation on impact factors is (2).

Client-side DP

Assume that local model parameters are sent to the cloud server as the updates. Setting the batch size equal to the local dataset size $\lvert\mathcal{D}_{i}\rvert=m_{i}$ , the function $f$ to be protected is defined as

\begin{split}f_{i}(\mathcal{D}_{i})\triangleq x_{i}&=\text{arg}\min_{x}l_{i}(x% ,\mathcal{D}_{i})\\ &=\frac{1}{m_{i}}\sum_{j=1}^{m_{i}}\text{arg}\min_{x}l_{i}(x,\mathcal{D}_{i,j}% ),\quad\forall i\end{split}

(6)

By clip** the local weights using a bounding limit $B$ , $\lVert x_{i}\rVert\leq B$ [8], the sensitivity of $f_{i}$ is calculated as

\begin{split}\Delta f_{i}&=\max_{\mathcal{D}_{i},\mathcal{D}^{\prime}_{i}}% \lVert f_{i,\mathcal{D}_{i}}-f_{i,\mathcal{D}^{\prime}_{i}}\rVert\\ &=\max_{\mathcal{D}_{i},\mathcal{D}^{\prime}_{i}}\bigg{\lVert}\frac{1}{m_{i}}% \bigg{(}\sum_{j=1}^{m_{i}}\text{arg}\min_{x}l_{i}(x,\mathcal{D}_{i,j})\\ &-\sum_{j=1}^{m_{i}}\text{arg}\min_{x}l_{i}(x,\mathcal{D}^{\prime}_{i,j})\bigg% {)}\bigg{\rVert}\\ &=\frac{1}{m_{i}}\max\big{\lVert}\text{arg}\min_{x}l_{i}(x,\mathcal{D}_{i,k})-% \text{arg}\min_{x}l_{i}(x,\mathcal{D}^{\prime}_{i,k})\big{\rVert}\\ &=\frac{2B}{m_{i}},\end{split}

(7)

where, based on the definition of sensitivity here, the $i$ -th client’s dataset $\mathcal{D}_{i}$ and $\mathcal{D}^{\prime}_{i}$ differ only in one sample ( $k$ -th sample).

To ensure $(\epsilon,\delta)$ -DP for each client in FL, we have to add Gaussian noise with parameter $\sigma=c\frac{2B}{m_{i}\epsilon}$ to the weight matrices of all clients before uploading. Considering the maximum revelation times $R$ , $\sigma$ should be multiplied with it to guarantee the desired protection level of local parameters. Hence, to have a united noise parameter, we define the standard deviation (SD) of the additive noise in the client-side as

\sigma_{C_{i}}=\frac{2BR\,c}{\min\{m_{i}\}\,\epsilon},\quad\forall i

(8)

Server-side DP

The function to be protected in the server side is the global aggregated weight transmitted to the clients defined by

f\triangleq x=\sum_{i=1}^{N}p_{i}x_{i}.

(9)

Based on the analysis provided in [8] and the client-side sensitivity in (7), the sensitivity of $f$ is bounded as

\Delta f\leq 2B\frac{\max\{p_{i}\}}{\min\{m_{i}\}}.

(10)

Here, to find the SD of the additive Gaussian noise in the server, we first calculate the distribution of the aggregated local noises. The aggregated noisy weight at each iteration is given as

x=\sum_{i=1}^{n}p_{i}\tilde{x}_{i}=\sum_{i=1}^{N}p_{i}(x_{i}+n_{i})=\sum_{i=1}% ^{N}p_{i}x_{i}+\underbrace{\sum_{i=1}^{N}p_{i}n_{i}}_{n},

(11)

where, for the independent normally distributed $n_{i}\sim\mathcal{N}(0,\sigma_{C_{i}}^{2})$ , we have

n\sim\mathcal{N}(0,\underbrace{\sum_{i=1}^{N}{\sigma_{C_{i}}^{2}p_{i}^{2}}}_{% \sigma^{2}_{AC}}).

(12)

Therefore, we have the following theorem to ensure $(\epsilon,\delta)$ -DP from the server perspective.

Theorem 1 (server-side DP).

Considering $T$ as the aggregation times and the maximum revelations in the broadcasting channels, the SD of the server-side noise is given by

\sigma_{S}=\begin{cases}\frac{2Bc\sqrt{T^{2}\max{p_{i}}^{2}-R^{2}\sum_{i=1}^{N% }p_{i}^{2}}}{\min\{m_{i}\}\,\epsilon},&{\text{if}}\ T>\frac{R\sqrt{\sum_{i}p_{% i}^{2}}}{\max\{p_{i}\}}\\ {0,}&{\text{otherwise.}}\end{cases}

(13)

Proof.

The standard deviation of the total desired noise, based on (10), is $\sigma_{A}=\frac{2B\,T\,c\max\{p_{i}\}}{\min\{m_{i}\}\,\epsilon}$ . Hence, the variance of the server-side Gaussian noise is calculated by

\sigma^{2}_{S}=\sigma^{2}_{A}-\sigma^{2}_{AC},

(14)

which results in (13). ∎

Applying the client and server-side noise with the calculated Gaussian distributions satisfies $(\epsilon,\delta)$ -DP theoretically in the uploading and downloading channels for each iteration. Since the involved clients add noise to the local parameters before uploading for the server, a level of local privacy is also achieved here. The server, subsequently, chooses the relative impact factors based on the information acquired and updates the global parameters. Then, it decides on the extra server-side noise, $n_{s}\sim\mathcal{N}(0,\sigma_{S})$ , and transmits $\tilde{x}=x+n_{s}$ for the upcoming training cycle.

IV Convergence Analysis of the
Personalized DP in FL

In this section, we analyze the convergence properties of the proposed algorithm for personalized DP in FL. Our main purpose is to reach a convergence upper limit for the algorithm when we have personalized impact factors. The required assumptions for our analysis about the properties of the global and local loss functions, regarding their relation $L(x)=\sum_{i=1}^{N}p_{i}l_{i}(x)$ , are as follows:

Assumption 1.

1.

$l_{i}(x)$ is convex.
2.

$l_{i}(x)$ is $\rho$ -Lipschitz smooth, i.e., $\lVert\nabla l_{i}(a)-\nabla l_{i}(b)\rVert\leqslant\rho\lVert a-b\rVert,\,% \forall a,b$ .
3.

$L(x^{(0)})-L(x^{*})=\Theta$ ; where $x^{(0)}$ and $x^{*}$ represent the initial and optimal model parameters, respectively.
4.

$\lVert\nabla l_{i}(x)-\nabla L(x)\rVert\leqslant\varepsilon,\,\forall i,x$ ; where $\varepsilon$ is the divergence measure.

Note that the distribution of local datasets in the non-i.i.d fashion breaks the general assumption of $p_{i}=\frac{m_{i}}{m}$ . Hence, the expectation over clients $\mathbb{E}\{l_{i}(x)\}$ is not considered equal with the global expectation $\mathbb{E}\{L(x)\}$ . The only assumption on relative impact factors is $\sum_{i=1}^{N}p_{i}=1$ .

As the first step through our convergence bounding analysis, we present the following lemma for the local dissimilarity measure, when having non-identical impacts.

Lemma 1 ( $A$ -local dissimilarity).

For the local loss functions $l_{i}$ with impact factors $p_{i}$ in the FL global function $L$ , there exists $A$ as a measure of dissimilarity at $x$ such that

\sum_{i=1}^{N}p_{i}\|\nabla l_{i}(x)\|\leqslant\|\nabla L(x)\|A\quad\forall i,

(15)

Proof.

Due to Assumption 1, we have

\|\nabla l_{i}(x)-\nabla L(x)\|^{2}\leqslant\varepsilon^{2}

(16)

and

\|\nabla l_{i}(x)-\nabla L(x)\|^{2}\\ =\|\nabla l_{i}(x)\|^{2}-2\nabla l_{i}(x)^{\top}\nabla L(x)+\|\nabla L(x)\|^{2}.

(17)

Considering (17) and multiplying (16) with $p_{i},\forall i$ yields

\sum_{i=1}^{N}p_{i}\|\nabla l_{i}(x)\|^{2}-2\sum_{i=1}^{N}p_{i}\nabla l_{i}(x)% ^{\top}\nabla L(x)\\ +\|\nabla L(w)\|^{2}\sum_{i=1}^{N}p_{i}\leqslant\varepsilon^{2}\sum_{i=1}^{N}p% _{i}.

(18)

Considering $\sum_{i=1}^{N}p_{i}=1$ and $\sum_{i=1}^{N}p_{i}\nabla l_{i}(x)=\nabla L(x)$ , we have

\sum_{i=1}^{N}p_{i}\|\nabla l_{i}(x)\|^{2}\leqslant 2\nabla L(x)^{\top}\nabla L% (x)-\|\nabla L(x)\|^{2}+\varepsilon^{2}\\ =\|\nabla L(x)\|^{2}+\varepsilon^{2}=\|\nabla L(x)\|^{2}A_{1}(x)^{2}.

(19)

Note that when $\|\nabla L(x)\|^{2}\neq 0$ , there exists

A_{1}(x)=\sqrt{1+\frac{\varepsilon^{2}}{\|\nabla L(x)\|^{2}}}\geqslant 1.

(20)

Therefore, we have

\sum_{i=1}^{N}p_{i}\|\nabla l_{i}(x)\|^{2}\leqslant\|\nabla L(x)\|^{2}A_{1}^{2},

(21)

where $A_{1}$ is the upper bound of $A_{1}(x)$ . Considering (21), there also exists $A\geqslant 1$ such that

\sum_{i=1}^{N}p_{i}\|\nabla l_{i}(x)\|\leqslant\|\nabla L(x)\|A.

(22)

This completes the proof. ∎

Now, the following lemma gives an expected upper bound on the increment of global loss value per-iteration, when DP noise injection is adopted.

Lemma 2 (Per-iteration expected increment).

The expected difference of global loss functions in two consecutive iterations $(t)$ and $(t+1)$ , or the per-iteration expected increment in the value of the loss function, has the following upper limit:

\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant\lambda_{2}\|L(% \tilde{x}^{(t)})\|^{2}\\ +\lambda_{1}\mathbb{E}\{\|n^{(t+1)}\|\}\|L(\tilde{x}^{(t)})\|+\lambda_{0}% \mathbb{E}\{\|n^{(t+1)}\|^{2}\},

(23)

where

\lambda_{2}=-\frac{1}{\mu}+\frac{A}{\mu}\left(\gamma+\frac{\rho(1+\gamma)}{% \overline{\mu}}\right)+\frac{\rho A^{2}{(1+\gamma)}^{2}}{2{\overline{\mu}}^{2}},

\lambda_{1}=1+\frac{\rho A(1+\gamma)}{\overline{\mu}},\lambda_{0}=\frac{\rho}{% 2},

and $n^{(t)}=\sum_{i=1}^{N}p_{i}n_{i}^{(t)}+n_{s}^{(t)}$ is the aggregated noise of the clients and server in each cycle.

Proof.

Considering the aggregation process with artificial noises of the client and server side in the $(t+1)$ -th aggregation, we have

\tilde{x}^{(t+1)}=\sum_{i=1}^{N}p_{i}x_{i}^{(t+1)}+n^{(t+1)},

(24)

where

n^{(t)}=\sum_{i=1}^{N}p_{i}n_{i}^{(t)}+n_{s}^{(t)}

(25)

Because $l_{i}(\cdot)$ is $\rho$ -Lipschitz smooth, we have

l_{i}(\tilde{x}^{(t+1)})\leqslant l_{i}(\tilde{x}^{(t)})+\nabla l_{i}(\tilde{x% }^{(t)})^{\top}(\tilde{x}^{(t+1)}-\tilde{x}^{(t)})\\ +\frac{\rho}{2}\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}

(26)

for all $\tilde{x}^{(t+1)},\leavevmode\nobreak\ \tilde{x}^{(t)}$ . Summation of (26) multiplied with $p_{i},\forall i$ yields

\begin{split}&\sum_{i=1}^{N}p_{i}l_{i}(\tilde{x}^{(t+1)})\leqslant\sum_{i=1}^{% N}p_{i}l_{i}(\tilde{x}^{(t)})\\ &+\sum_{i=1}^{N}p_{i}\nabla l_{i}(\tilde{x}^{(t)})^{\top}(\tilde{x}^{(t+1)}-% \tilde{x}^{(t)})\\ &+\frac{\rho}{2}\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}\sum_{i=1}^{N}p_{i}.% \end{split}

(27)

Considering the definition of global loss function $L(\cdot)$ and $\sum_{i=1}^{N}p_{i}=1$ , we have

L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\leqslant\nabla L(\tilde{x}^{(t)})^{% \top}(\tilde{x}^{(t+1)}-\tilde{x}^{(t)})\\ +\frac{\rho}{2}\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}

(28)

and therefore,

\begin{split}&\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant\\ &\mathbb{E}\left\{\left\langle\nabla L(\tilde{x}^{(t)}),(\tilde{x}^{(t+1)}-% \tilde{x}^{(t)})\right\rangle\right\}+\frac{\rho}{2}\mathbb{E}\{\|\tilde{x}^{(% t+1)}-\tilde{x}^{(t)}\|^{2}\}\end{split}

(29)

Defining

h(x_{i}^{(t+1)};\tilde{x}^{(t)})\triangleq l_{i}(x_{i}^{(t+1)})+\frac{\mu}{2}% \|x_{i}^{(t+1)}-\tilde{x}^{(t)}\|^{2},

(30)

we have

\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})=\nabla l_{i}(x_{i}^{(t+1)})+\mu(x_{i}^% {(t+1)}-\tilde{x}^{(t)}).

(31)

Summation of (31) multiplied with $p_{i},\,\forall i$ yields

\sum_{i=1}^{N}p_{i}\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})=\sum_{i=1}^{N}p_{i}% \nabla l_{i}(x_{i}^{(t+1)})\\ +\mu\sum_{i=1}^{N}p_{i}(x_{i}^{(t+1)}-\tilde{x}^{(t)})=\sum_{i=1}^{N}p_{i}% \nabla l_{i}(x_{i}^{(t+1)})\\ +\mu\sum_{i=1}^{N}p_{i}x_{i}^{(t+1)}-\mu\tilde{x}^{(t)}

(32)

and therefore,

\begin{split}&\tilde{x}^{(t+1)}-\tilde{x}^{(t)}=\sum_{i=1}^{N}p_{i}x_{i}^{(t+1% )}+n^{(t+1)}-\tilde{x}^{(t)}\\ &=\frac{1}{\mu}\left[\sum_{i=1}^{N}p_{i}\left(\nabla h(x_{i}^{(t+1)};\tilde{x}% ^{(t)})-\nabla l_{i}(x_{i}^{(t+1)})\right)\right]+n^{(t+1)}.\end{split}

(33)

Substituting (33) into (29), we obtain

\begin{split}&\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant% \mathbb{E}\Bigg{\{}\frac{1}{\mu}\Big{\langle}\nabla L(\tilde{x}^{(t)}),\\ &\sum_{i=1}^{N}p_{i}\left(\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})-\nabla l_{i}% (x_{i}^{(t+1)})\right)\Big{\rangle}\\ &+\left\langle\nabla L(\tilde{x}^{(t)}),n^{(t+1)}\right\rangle\Bigg{\}}+\frac{% \rho}{2}\mathbb{E}\left\{\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}\right\}\\ &=\mathbb{E}\Bigg{\{}\frac{1}{\mu}\Big{\langle}\nabla L(\tilde{x}^{(t)}),\sum_% {i=1}^{N}p_{i}\left(\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})\right.\\ &-\nabla l_{i}(x_{i}^{(t+1)})+\left.\nabla l_{i}(\tilde{x}^{(t)})\right)-\sum_% {i=1}^{N}p_{i}\nabla l_{i}(\tilde{x}^{(t)})\Big{\rangle}\\ &+\Big{\langle}\nabla L(\tilde{x}^{(t)}),n^{(t+1)}\Big{\rangle}\Bigg{\}}+\frac% {\rho}{2}\mathbb{E}\left\{\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}\right\}\\ &=-\frac{1}{\mu}\|\nabla L(\tilde{x}^{(t)})\|^{2}+\mathbb{E}\Bigg{\{}\frac{1}{% \mu}\Big{\langle}\nabla L(\tilde{x}^{(t)}),\\ &\sum_{i=1}^{N}p_{i}\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})+\sum_{i=1}^{N}p_{i% }\left(\nabla l_{i}(\tilde{x}^{(t)})\right.\\ &-\left.\nabla l_{i}(x_{i}^{(t+1)})\right)\Big{\rangle}\Bigg{\}}+\mathbb{E}% \left\{\Big{\langle}\nabla L(\tilde{x}^{(t)}),n^{(t+1)}\Big{\rangle}\right\}\\ &+\frac{\rho}{2}\mathbb{E}\left\{\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}% \right\}\end{split}

(34)

Now, let us bound $\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|$ . We know

\|x_{i}^{(t+1)}-\tilde{x}^{(t)}\|\leqslant\|x_{i}^{(t+1)}-\hat{x}_{i}^{(t+1)}% \|+\|\hat{x}_{i}^{(t+1)}-\tilde{x}^{(t)}\|,

(35)

where $\hat{x}_{i}^{(t+1)}=\text{arg}\min_{x}h_{i}(x;\tilde{x}^{(t)})$ Define $\overline{\mu}=\mu-\rho_{-}>0$ , due to the $\overline{\mu}$ -convexity of $h_{i}(x;\tilde{x}^{(t)})$ we have

\|\hat{x}_{i}^{(t+1)}-x_{i}^{(t+1)}\|\leqslant\frac{\gamma}{\overline{\mu}}\|% \nabla l_{i}(\tilde{x}^{(t)})\|

(36)

and

\|\hat{x}_{i}^{(t+1)}-\tilde{x}^{(t)}\|\leqslant\frac{1}{\overline{\mu}}\|% \nabla l_{i}(\tilde{x}^{(t)})\|

(37)

where $\gamma\in[0,1]$ denotes a $\gamma$ -inexact solution of $\min_{x}h_{i}(x;\tilde{x}^{(t)})$ [37]. For such a solution, $x_{0}$ , we have

\|\nabla h(x_{0};\tilde{x})\|\leqslant\gamma\|\nabla h(\tilde{x};\tilde{x})\|.

(38)

Now we can use (36) and (37) to obtain

\|x_{i}^{(t+1)}-\tilde{x}^{(t)}\|\leqslant\frac{1+\gamma}{\overline{\mu}}\|% \nabla l_{i}(\tilde{x}^{(t)})\|.

(39)

Therefore,

\begin{split}\|\tilde{x}^{(t+1)}&-\tilde{x}^{(t)}\|=\|x^{(t+1)}+n^{(t+1)}-% \tilde{x}^{(t)}\|\\ &\leqslant\|x^{(t+1)}-\tilde{x}^{(t)}\|+\|n^{(t+1)}\|\\ &=\left\|\sum_{i=1}^{N}p_{i}(x_{i}^{(t+1)}-\tilde{x}^{(t)})\right\|+\|n^{(t+1)% }\|\\ &\leqslant\sum_{i=1}^{N}p_{i}\|x_{i}^{(t+1)}-\tilde{x}^{(t)}\|+\|n^{(t+1)}\|\\ &\leqslant\sum_{i=1}^{N}p_{i}\left(\frac{1+\gamma}{\overline{\mu}}\|\nabla l_{% i}(\tilde{x}^{(t)})\|\right)+\|n^{(t+1)}\|\\ &\leqslant\frac{A(1+\gamma)}{\overline{\mu}}\|\nabla L(\tilde{x}^{(t)})\|+\|n^% {(t+1)}\|.\end{split}

(40)

Since $l_{i}(\cdot)$ is $\rho$ -Lipschitz smooth, we have

\|\nabla l_{i}(\tilde{x}^{(t)})-\nabla l_{i}(x_{i}^{(t+1)})\|\leqslant\rho\|% \tilde{x}^{(t)}-x_{i}^{(t+1)}\|

(41)

Using the triangle inequality, (38), (40), and (41), we obtain

\begin{split}&\Bigg{\|}\sum_{i=1}^{N}p_{i}\nabla h(w_{i}^{(t+1)};\tilde{x}^{(t% )})+\sum_{i=1}^{N}p_{i}\left(\nabla l_{i}(\tilde{x}^{(t)})\right.\\ &-\left.\nabla l_{i}(x_{i}^{(t+1)})\right)\Bigg{\|}\leqslant\left\|\sum_{i=1}^% {N}p_{i}\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})\right\|\\ &+\left\|\sum_{i=1}^{N}p_{i}\left(\nabla l_{i}(\tilde{x}^{(t)})\right.-\left.% \nabla l_{i}(x_{i}^{(t+1)})\right)\right\|\\ &\leqslant\sum_{i=1}^{N}p_{i}\left\|\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})% \right\|+\sum_{i=1}^{N}p_{i}\Big{\|}\left(\nabla l_{i}(\tilde{x}^{(t)})\right.% \\ &-\left.\nabla l_{i}(x_{i}^{(t+1)})\right)\Big{\|}\leqslant\gamma\sum_{i=1}^{N% }p_{i}\|\nabla l_{i}(\tilde{x}^{(t)})\|\\ &+\rho\sum_{i=1}^{N}p_{i}\|\tilde{x}^{(t)}-x_{i}^{(t+1)}\|\leqslant A\gamma\|% \nabla L(\tilde{x}^{(t)})\|\\ &+\frac{\rho A(1+\gamma)}{\overline{\mu}}\|\nabla L(\tilde{x}^{(t)})\|.\end{split}

(42)

Then, from (42) and the Cauchy-Schwarz inequality we have

\begin{split}&\Big{\langle}\nabla L(\tilde{x}^{(t)}),\sum_{i=1}^{N}p_{i}\nabla h% (x_{i}^{(t+1)};\tilde{x}^{(t)})\\ &+\sum_{i=1}^{N}p_{i}\left(\nabla l_{i}(\tilde{x}^{(t)})\right.-\left.\nabla l% _{i}(x_{i}^{(t+1)})\right)\Big{\rangle}\leqslant\|\nabla L(\tilde{x}^{(t)})\|% \\ &\left[\left(A\gamma\ +\frac{\rho A(1+\gamma)}{\overline{\mu}}\right)\|\nabla L% (\tilde{x}^{(t)})\|\right]\\ &=\left(A\gamma\ +\frac{\rho A(1+\gamma)}{\overline{\mu}}\right)\|\nabla L(% \tilde{x}^{(t)})\|^{2}\end{split}

(43)

Substituting (40) and (43) into (34) yields

\begin{split}&\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant-% \frac{1}{\mu}\|\nabla L(\tilde{x}^{(t)})\|^{2}\\ &+\left(\frac{A\gamma}{\mu}+\frac{\rho A(1+\gamma)}{\mu\overline{\mu}}\right)% \|\nabla L(\tilde{x}^{(t)})\|^{2}\\ &+\mathbb{E}\{\|\nabla L(\tilde{x}^{(t)})\|\|n^{(t+1)}\|\}\\ &+\frac{\rho}{2}\mathbb{E}\left\{\left[\frac{A(1+\gamma)}{\overline{\mu}}\|% \nabla L(\tilde{x}^{(t)})\|+\|n^{(t+1)}\|\right]^{2}\right\}.\end{split}

(44)

Then, we obtain

\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant\lambda_{2}\|L(% \tilde{x}^{(t)})\|^{2}\\ +\lambda_{1}\mathbb{E}\{\|n^{(t+1)}\|\}\|L(\tilde{x}^{(t)})\|+\lambda_{0}% \mathbb{E}\{\|n^{(t+1)}\|^{2}\},

(45)

where

\lambda_{2}=-\frac{1}{\mu}+\frac{A}{\mu}\left(\gamma+\frac{\rho(1+\gamma)}{% \overline{\mu}}\right)+\frac{\rho A^{2}{(1+\gamma)}^{2}}{2{\overline{\mu}}^{2}},

\lambda_{1}=1+\frac{\rho A(1+\gamma)}{\overline{\mu}}\text{ and }\lambda_{0}=% \frac{\rho}{2}

This completes the proof. ∎

As expected, lemma $2$ indicates the adverse effect of differential privacy in the expected per-iteration increment of the global loss value. ….

As the final step, we use the per-iteration increment to establish the convergence analysis of the proposed algorithm.

Theorem 2 (Convergence upper bound of personalized ….).

The upper limit of the difference between the $T$ -th and the optimal loss function values defined as the convergence property is given by

\begin{split}&\mathbb{E}\{{L(\tilde{x}^{(T)})-L(x^{*})}\}\leqslant\Theta+k_{2}% T+\frac{k_{1}T^{2}}{\epsilon}+\frac{k_{0}T^{3}}{\epsilon^{2}},\end{split}

(46)

where $k_{2}=\lambda_{2}\beta^{2},\,k_{1}=\frac{2\lambda_{1}\beta Bc\max\{p_{i}\}}{% \max\{m_{i}\}}\sqrt{\frac{2N}{\pi}},\text{ and }k_{0}=\frac{4\lambda_{0}B^{2}c% ^{2}{\max\{p_{i}\}}^{2}}{{\max\{m_{i}\}}^{2}}$ .

Proof.

Considering the same and independent noise distribution of the additive noise, we define $\mathbb{E}\{\|n^{(t)}\|\}=\mathbb{E}\{\|n\|\}\text{ and }\mathbb{E}\{\|n^{(t)}% \|^{2}\}=\mathbb{E}\{\|n\|^{2}\}$ . Applying (45) recursively for $0\leqslant t\leqslant T$ yields

\mathbb{E}\{{L(\tilde{x}^{(T)})-L(\tilde{x}^{(0)})}\}\leqslant T\lambda_{2}\|L% (\tilde{x}^{(t)})\|^{2}\\ +T\lambda_{1}\|L(\tilde{x}^{(t)})\|\mathbb{E}\{\|n\|\}+T\lambda_{0}\mathbb{E}% \{\|n\|^{2}\},

(47)

Considering $\|L(\tilde{x}^{(t)})\|\leqslant\beta$ and Adding $\mathbb{E}\{L(\tilde{x}^{(0)})-L(x^{*})\}$ to both sides of (47), we have

\mathbb{E}\{{L(\tilde{w}^{(T)})-L(w^{*})}\}\leqslant\Theta+\lambda_{2}T\beta^{% 2}\\ +\lambda_{1}T\beta\mathbb{E}\{\|n\|\}+\lambda_{0}T\mathbb{E}\{\|n\|^{2}\},

(48)

Since we have $\sigma_{A}=\frac{\Delta fTc}{\epsilon}$ , we obtain

\mathbb{E}\{\|n\|\}=\frac{\Delta fTc}{\epsilon}\sqrt{\frac{2N}{\pi}}\text{ and% }\mathbb{E}\{\|n\|^{2}\}=\frac{\Delta f^{2}T^{2}c^{2}N}{\epsilon^{2}}.

(49)

Setting $\Delta f=2B\frac{\max\{p_{i}\}}{\max\{m_{i}\}}$ and substituting (49) into (48), we have

\begin{split}&\mathbb{E}\{{L(\tilde{x}^{(T)})-L(x^{*})}\}\leqslant\Theta+% \lambda_{2}T\beta^{2}\\ &+\frac{2\lambda_{1}T^{2}\beta Bc\max\{p_{i}\}}{\epsilon\max\{m_{i}\}}\sqrt{% \frac{2N}{\pi}}+\frac{4\lambda_{0}T^{3}B^{2}c^{2}{\max\{p_{i}\}}^{2}}{\epsilon% ^{2}{\max\{m_{i}\}}^{2}}\\ &=\Theta+k_{2}T+\frac{k_{1}T^{2}}{\epsilon}+\frac{k_{0}T^{3}}{\epsilon^{2}},% \end{split}

(50)

where $k_{2}=\lambda_{2}\beta^{2},k_{1}=\frac{2\lambda_{1}\beta Bc\max\{p_{i}\}}{\max% \{m_{i}\}}\sqrt{\frac{2N}{\pi}},\text{ and }k_{0}=\frac{4\lambda_{0}B^{2}c^{2}% {\max\{p_{i}\}}^{2}}{{\max\{m_{i}\}}^{2}}$ . This completes the proof. ∎

The last two terms in the right hand side of (46) depend directly on the amount of noise. lower $\epsilon$ values strengthen the privacy protection and adversely affect the convergence property. The first two terms, however, are the constant parts depending on the number of iterations. …

In the above analysis, we saw that by a wise choice of impact factors, $T$ , and $N$ we can be confident about the convergence of the FL algorithm while $(\epsilon,\delta)$ -DP is used. The number of clients involved in learning in the presented analysis should not necessarily be fixed through training, and this enhances the compatibility of the proposed approach. In the next section, we present the analysis of the same algorithm when impact factors adaptively change throughout the learning process.

V Convergence Analysis of
DP in FL with adaptive impact factors

In this section, we consider an extension to the previous part when impact factors are not fixed during the training. In fact, impacts assigned to clients can vary in each iteration based on the devises’ resources or network conditions. The calculated amount of Gaussian noise in section $3$ can still be utilized here, since iterations are independent in noise generation. However, the convergence analysis provided in the previous section needs to be more generalized.

Here, we change $p_{i}$ to $p_{i}^{(t)}$ to represent this adaptability in our equations. Without loss of generality, we assume the relation between two consecutive impact factors to be

p_{i}^{(t+1)}=p_{i}^{(t)}+\alpha_{i}^{(t)}\quad\forall i,

(51)

where $\alpha_{i}^{(t)}$ is the amount of change that the relative impact factor assigned to $i$ -th client undergoes for $(t+1)$ -th iteration. Hence, $|\alpha_{i}|\leqslant 1$ and $\sum_{i=1}^{N}\alpha_{i}^{(t)}=0$ .

In order to perform the analysis of the adaptive form, we first present an extension to lemma $2$ and then present the convergence upper bound in theorem $3$ .

Lemma 3 (Per-iteration expected increment: Extension).

The per-iteration expected increment in the value of the loss function, when adaptive $p_{i}$ is adopted, has the following upper limit:

\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant\\ \lambda^{\prime}_{2}\|L(\tilde{x}^{(t)})\|^{2}+\lambda^{\prime}_{1}\mathbb{E}% \{\|n^{(t+1)}\|\}\|L(\tilde{x}^{(t)})\|\\ +\lambda^{\prime}_{0}\mathbb{E}\{\|n^{(t+1)}\|^{2}\}+\frac{1}{2}\max\{l_{i}\},

(52)

where

\lambda^{\prime}_{2}=-\frac{1}{\mu}+\frac{A^{\prime}}{\mu}\left(\gamma+\frac{% \rho(1+\gamma)}{\overline{\mu}}\right)+\frac{\rho{A^{\prime}}^{2}{(1+\gamma)}^% {2}}{2{\overline{\mu}}^{2}},

\lambda^{\prime}_{1}=1+\frac{\rho A^{\prime}(1+\gamma)}{\overline{\mu}},% \lambda^{\prime}_{0}=\frac{\rho}{2},

and $n^{(t)}=\sum_{i=1}^{N}p_{i}n_{i}^{(t)}+n_{s}^{(t)}$ is the aggregated noise of the clients and server in each cycle.

Proof.

From (15) we have

\sum_{i=1}^{N}p_{i}^{(t)}\|\nabla l_{i}(x^{(t)})\|\leqslant\|\nabla L(x^{(t)})% \|A.

(53)

Adding $\sum_{i=1}^{N}\alpha_{i}^{(t)}\|\nabla l_{i}(x^{(t)})\|$ to both sides of (53) yields

\sum_{i=1}^{N}p_{i}^{(t+1)}\|\nabla l_{i}(x^{(t)})\|\leqslant\\ \sum_{i=1}^{N}\alpha_{i}^{(t)}\|\nabla l_{i}(x^{(t)})\|+\|\nabla L(x^{(t)})\|A

(54)

Hence, we have

\sum_{i=1}^{N}p_{i}^{(t+1)}\|\nabla l_{i}(x^{(t)})\|\leqslant\|\nabla L(x^{(t)% })\|A^{\prime},

(55)

where

A^{\prime}=\frac{\sum_{i=1}^{N}\alpha_{i}^{(t)}\|\nabla l_{i}(x^{(t)})\|}{\|% \nabla L(x^{(t)})\|}+A.

(56)

Therefore, we can bound $\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|$ as

\begin{split}\|\tilde{x}^{(t+1)}&-\tilde{x}^{(t)}\|=\|x^{(t+1)}+n^{(t+1)}-% \tilde{x}^{(t)}\|\\ &\leqslant\|x^{(t+1)}-\tilde{x}^{(t)}\|+\|n^{(t+1)}\|\\ &=\left\|\sum_{i=1}^{N}p_{i}^{(t+1)}(x_{i}^{(t+1)}-\tilde{x}^{(t)})\right\|+\|% n^{(t+1)}\|\\ &\leqslant\sum_{i=1}^{N}p_{i}^{(t+1)}\|x_{i}^{(t+1)}-\tilde{x}^{(t)}\|+\|n^{(t% +1)}\|\\ &\leqslant\sum_{i=1}^{N}p_{i}^{(t+1)}\left(\frac{1+\gamma}{\overline{\mu}}\|% \nabla l_{i}(\tilde{x}^{(t)})\|\right)+\|n^{(t+1)}\|\\ &\leqslant\frac{A^{\prime}(1+\gamma)}{\overline{\mu}}\|\nabla L(\tilde{x}^{(t)% })\|+\|n^{(t+1)}\|.\end{split}

(57)

Summation of (26) multiplied with $p_{i}^{(t)},\forall i$ yields

\begin{split}&\sum_{i=1}^{N}p_{i}^{(t)}l_{i}(\tilde{x}^{(t+1)})\sum_{i=1}^{N}p% _{i}^{(t)}l_{i}(\tilde{x}^{(t)})\\ &+\sum_{i=1}^{N}p_{i}^{(t)}\nabla l_{i}(\tilde{x}^{(t)})^{\top}(\tilde{x}^{(t+% 1)}-\tilde{x}^{(t)})\\ &+\frac{\rho}{2}\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}\sum_{i=1}^{N}p_{i}^{% (t)}.\end{split}

(58)

Considering (51), we have

\begin{split}&L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\leqslant\sum_{i=1}^{N}% \alpha_{i}^{(t)}l_{i}(\tilde{x}^{(t+1)})\\ &+\left\langle\nabla L(\tilde{x}^{(t)}),(\tilde{x}^{(t+1)}-\tilde{x}^{(t)})% \right\rangle+\frac{\rho}{2}\{\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}\}.\end% {split}

(59)

Without loss of generality, we assume $\mathbb{E}\{l_{i}(x^{(t)})\}=\frac{1}{N}l_{i}(x^{(t)})$ , and therefore

\begin{split}\mathbb{E}\left\{\sum_{i=1}^{N}\alpha_{i}^{(t)}l_{i}(x^{(t)})% \right\}&=\sum_{i=1}^{N}\alpha_{i}^{(t)}\mathbb{E}\left\{l_{i}(x^{(t)})\right% \}\\ &=\sum_{i=1}^{N}\alpha_{i}^{(t)}\left(\frac{1}{N}l_{i}(x^{(t)})\right)\\ &\leqslant\frac{1}{2}\max\{l_{i}(x^{(t)})\}\end{split}

(60)

Then, (59) and (60) gives

\mathbb{E}\left\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\right\}\leqslant\\ \frac{1}{2}\max\{l_{i}\}+\mathbb{E}\left\{\left\langle\nabla L(\tilde{x}^{(t)}% ),(\tilde{x}^{(t+1)}-\tilde{x}^{(t)})\right\rangle\right\}\\ +\frac{\rho}{2}\mathbb{E}\left\{\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}% \right\}.

(61)

Defining $h(\cdot)$ as (30) and Summation of (31) multiplied with $p_{i}^{(t+1)},\,\forall i$ yields

\sum_{i=1}^{N}p_{i}^{(t+1)}\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})=\sum_{i=1}^% {N}p_{i}^{(t+1)}\nabla l_{i}(x_{i}^{(t+1)})\\ +\mu\sum_{i=1}^{N}p_{i}^{(t+1)}(x_{i}^{(t+1)}-\tilde{x}^{(t)})=\sum_{i=1}^{N}p% _{i}^{(t+1)}\nabla l_{i}(x_{i}^{(t+1)})\\ +\mu\sum_{i=1}^{N}p_{i}^{(t+1)}x_{i}^{(t+1)}-\mu\tilde{x}^{(t)}

(62)

and therefore,

\begin{split}&\tilde{x}^{(t+1)}-\tilde{x}^{(t)}=\sum_{i=1}^{N}p_{i}^{(t+1)}x_{% i}^{(t+1)}+n^{(t+1)}-\tilde{x}^{(t)}\\ &=\frac{1}{\mu}\left[\sum_{i=1}^{N}p_{i}^{(t+1)}\left(\nabla h(x_{i}^{(t+1)};% \tilde{x}^{(t)})-\nabla l_{i}(x_{i}^{(t+1)})\right)\right]\\ &+n^{(t+1)}.\end{split}

(63)

Substituting (63) into (61), we obtain

\begin{split}&\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant% \mathbb{E}\Bigg{\{}\frac{1}{\mu}\Big{\langle}\nabla L(\tilde{x}^{(t)}),\\ &\sum_{i=1}^{N}p_{i}^{(t+1)}\left(\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})-% \nabla l_{i}(x_{i}^{(t+1)})\right)\Big{\rangle}\\ &+\left\langle\nabla L(\tilde{x}^{(t)}),n^{(t+1)}\right\rangle\Bigg{\}}+\frac{% \rho}{2}\mathbb{E}\left\{\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}\right\}\\ &+\frac{1}{2}\max\{l_{i}\}=\mathbb{E}\Bigg{\{}\frac{1}{\mu}\Big{\langle}\nabla L% (\tilde{x}^{(t)}),\\ &\sum_{i=1}^{N}p_{i}^{(t+1)}\left(\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})-% \nabla l_{i}(x_{i}^{(t+1)})\right)\\ &+\sum_{i=1}^{N}p_{i}^{(t)}\nabla l_{i}(\tilde{x}^{(t)})-\sum_{i=1}^{N}p_{i}^{% (t)}\nabla l_{i}(\tilde{x}^{(t)})\Big{\rangle}\\ &+\Big{\langle}\nabla L(\tilde{x}^{(t)}),n^{(t+1)}\Big{\rangle}\Bigg{\}}+\frac% {\rho}{2}\mathbb{E}\left\{\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}\right\}\\ &+\frac{1}{2}\max\{l_{i}\}=-\frac{1}{\mu}\|\nabla L(\tilde{x}^{(t)})\|^{2}+% \mathbb{E}\Bigg{\{}\frac{1}{\mu}\Big{\langle}\nabla L(\tilde{x}^{(t)}),\\ &\sum_{i=1}^{N}p_{i}^{(t+1)}\nabla h(x_{i}^{(t+1)};\tilde{x}^{(t)})-\nabla L(x% _{i}^{(t+1)})\\ &+\nabla L(\tilde{x}^{(t)})\Big{\rangle}\Bigg{\}}+\mathbb{E}\left\{\Big{% \langle}\nabla L(\tilde{x}^{(t)}),n^{(t+1)}\Big{\rangle}\right\}\\ &+\frac{\rho}{2}\mathbb{E}\left\{\|\tilde{x}^{(t+1)}-\tilde{x}^{(t)}\|^{2}% \right\}+\frac{1}{2}\max\{l_{i}\}\end{split}

(64)

$\rho$ -Lipschitzity of local loss functions leads to have a $\rho$ -Lipschitz global loss function. Hence,

\|\nabla L(\tilde{x}^{(t)}-\nabla L(x_{i}^{(t+1)})\|\leqslant\rho\|\tilde{x}^{% (t)}-x_{i}^{(t+1)}\|

(65)

Therefore, using triangle inequality, (55), and (65) we obtain

\begin{split}&\left\|\sum_{i=1}^{N}p_{i}^{(t+1)}\nabla h(x_{i}^{(t+1)};\tilde{% x}^{(t)})+\nabla L(\tilde{x}^{(t)})-\nabla L(x_{i}^{(t+1)})\right\|\\ &\leqslant\left\|\sum_{i=1}^{N}p_{i}^{(t+1)}\nabla h(x_{i}^{(t+1)};\tilde{x}^{% (t)})\right\|+\left\|\sum_{i=1}^{N}p_{i}^{(t+1)}\left(\nabla L(\tilde{x}^{(t)}% )\right.\right.\\ &\left.\left.-\nabla L(x_{i}^{(t+1)})\right)\right\|\leqslant\left(A^{\prime}% \gamma+\frac{\rho A^{\prime}(1+\gamma)}{\overline{\mu}}\right)\|\nabla L(% \tilde{x}^{(t)})\|\end{split}

(66)

Substituting (66) and (64) into (34) yields

\begin{split}&\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant-% \frac{1}{\mu}\|\nabla L(\tilde{x}^{(t)})\|^{2}\\ &+\left(\frac{A^{\prime}\gamma}{\mu}+\frac{\rho A^{\prime}(1+\gamma)}{\mu% \overline{\mu}}\right)\|\nabla L(\tilde{x}^{(t)})\|^{2}\\ &+\mathbb{E}\{\|\nabla L(\tilde{x}^{(t)})\|\|n^{(t+1)}\|\}\\ &+\frac{\rho}{2}\mathbb{E}\left\{\left[\frac{A^{\prime}(1+\gamma)}{\overline{% \mu}}\|\nabla L(\tilde{x}^{(t)})\|+\|n^{(t+1)}\|\right]^{2}\right\}\\ &+\frac{1}{2}\max\{l_{i}\}.\end{split}

(67)

And, we get

\mathbb{E}\{L(\tilde{x}^{(t+1)})-L(\tilde{x}^{(t)})\}\leqslant\\ \lambda^{\prime}_{2}\|L(\tilde{x}^{(t)})\|^{2}+\lambda^{\prime}_{1}\mathbb{E}% \{\|n^{(t+1)}\|\}\|L(\tilde{x}^{(t)})\|\\ +\lambda^{\prime}_{0}\mathbb{E}\{\|n^{(t+1)}\|^{2}\}+\frac{1}{2}\max\{l_{i}\},

(68)

where

\lambda^{\prime}_{2}=-\frac{1}{\mu}+\frac{A^{\prime}}{\mu}\left(\gamma+\frac{% \rho(1+\gamma)}{\overline{\mu}}\right)+\frac{\rho{A^{\prime}}^{2}{(1+\gamma)}^% {2}}{2{\overline{\mu}}^{2}},

\lambda^{\prime}_{1}=1+\frac{\rho A^{\prime}(1+\gamma)}{\overline{\mu}},% \lambda^{\prime}_{0}=\frac{\rho}{2}.

This completes the proof. ∎

Theorem 3 (Convergence upper bound of adaptive personalized ….).

Using adaptive $p_{i}$ assignment, the upper limit of the difference between the $T$ -th and the optimal loss function values defined as the convergence property is given by

\begin{split}&\mathbb{E}\{{L(\tilde{x}^{(T)})-L(x^{*})}\}\leqslant\Theta+k^{% \prime}_{2}T+\frac{k_{1}^{\prime}T^{2}}{\epsilon}+\frac{k_{0}^{\prime}T^{3}}{% \epsilon^{2}},\end{split}

(69)

where $k^{\prime}_{2}=\lambda^{\prime}_{2}\beta^{2}+\frac{\max\{l_{i}\}}{2},\,k^{% \prime}_{1}=\frac{2\lambda^{\prime}_{1}\beta Bc\max\{p_{i}\}}{\max\{m_{i}\}}% \sqrt{\frac{2N}{\pi}},\text{ and }k^{\prime}_{0}=\frac{4\lambda^{\prime}_{0}B^% {2}c^{2}{\max\{p_{i}\}}^{2}}{{\max\{m_{i}\}}^{2}}$ .

Proof.

The proof can be easily extended from the proof for Theorem $2$ and using lemma $3$ . ∎

VI Simulation Results

In this section we evaluate our approach against different privacy budgets and impact factors. We present four scenarios to study the effect of noise and impact factors on convergence bound and accuracy of the models.

VI-A Experimental Setting

We evaluate our approach on the real-world Modified National Institute of Standards and Technology (MNIST) dataset [38]. MNIST is a widely used dataset for handwritten digit identification which is consisted of 60000 training and 10000 testing samples. We use a multi-layer perceptron (MLP) neural network in local clients and the model weights are communicated with the server for aggregation at each cycle. The designed MLP model classifies the input images using a ReLU activation function in the hidden layer and softmax of 10 classes in the output layer. To proceed the SGD algorithm in the local optimizers, we set the learning rate equal to $0.02$ .

We stablish our evaluation using four scenarios listed in Table I. A small randomly chosen subset of the MNIST is distributed between the clients non-identically in each scenario between $60$ clients. The dataset is purposely reduced in size to avoid overfitting. The personalized DP noise is injected in both the client-side and server-side, and the affect of non-identical impact factors during the aggregation process is checked for each scenario. We set $\delta=0.01$ for the privacy budget, and choose different protection levels ( $\epsilon$ ) throughout this experiment for $30$ global iterations. We further discuss each scenario in the following section.

Table I: Simulation Scenarios

	number of
Scenario	clients ( $N$ )	Description
		Part $1:$ $20$ clients with severe noisy data
1	$60$	Part $2:$ $20$ clients with moderate noisy data
		Part $3:$ $20$ clients without noise
		Part $1:$ $20$ clients with severe noisy data
2	$60$	Part $2:$ $35$ clients with slight noisy data
		Part $3:$ $5$ clients without noise
		Part $1:$ $20$ clients with $50$ samples
3	$60$	Part $2:$ $20$ clients with $120$ samples
		Part $3:$ $20$ clients with $271$ samples
		$t\leqslant 10$ :
4	$60$	Part $1:$ $20$ clients with severe noisy data
		Part $2:$ $20$ clients with moderate noisy data
		Part $3:$ $20$ clients with slight noisy data
		$10<t\leqslant 30$ :
		Part $1:$ $20$ clients with slight noisy data
		Part $2:$ $20$ clients with moderate noisy data
		Part $3:$ $20$ clients with severe noisy data

VI-B Numerical Results

After distributing the dataset between $60$ clients, we randomly divide clients into three parts. In the following items, the details of each scenario are presented, respectively.

1.

scenario $1$ : In the first scenario, we apply the presented privacy protection scheme on clients with heterogeneous data quality. Clients are identical in terms of dataset size, or $m=150$ for all parts, and we deliberately add salt-and-pepper noise with various densities to each part to change data quality between the clients. We first set different impact factors in the non-private mode for comparison. Fig. 3 depicts the importance of impact factors in FL model performances. As it is shown, equal $p_{i}$ (the green curve) leads to the worst accuracy. The sequence of numbers dedicated to each curve in Fig. 3 represents the relations between impact factors of the three parts. For instance, “0-1-2” means that we have set $p_{i}$ equal to $0,\,\frac{1}{N},\text{and}\frac{2}{N}$ for the first, second, and third part, respectively.

Considering “0-1-2” as the optimal ratio between the impact factors, Fig. 3 compares the results after applying DP. Here, Gaussian noise is injected using (8) and (13) for protection levels $\epsilon=5$ and $\epsilon=20$ with non-identical impacts. As expected from (46), values of the loss function decrease for higher privacy protection levels. In this experiment, we also compare the results when identical $p_{i}$ is adopted for $\epsilon=20$ . As shown in Fig. 3, the model performance using identical $p_{i}$ is even worse than a higher protection level $\epsilon=5$ , when personalized DP is used.

Figure 2: The comparison of loss function values in the non-private mode for five different ways of assigning impact factors to clients of each part in the first scenario.

Figure 3: The comparison of loss function values for protection levels $\epsilon=5$ and $\epsilon=20$ when impact factors of the first, second, and third parts in the first scenario are set as $0$ , $\frac{1}{60}$ , and $\frac{1}{30}$ , respectively. The loss value of the model with identical impacts is also presented for $\epsilon=20$ as a reference.
2.

scenario $2$ : In this scenario, we go further and change clients’ distributions in addition to data quality. Hence, we divide clients into three parts of $20$ , $35$ , and $5$ clients each, and deliberately add salt-and-pepper noise to them based on densities in Table I. Fig. 5 depicts the loss function values in the non-private mode using different impact factor assignments. As shown, equal $p_{i}$ cannot be a right choice in the presence of heterogeneities. In this case, weighting clients is based on a balance between involving a sufficient number of clients in learning and exploiting the most accurate samples. The red curve related to “0-2-1” impact assignment sets impact factors of the first, second and third parts equal to $0$ , $\frac{8}{5N}$ , and $\frac{4}{5N}$ , respectively.

Considering “0-2-1” as the basis ratio between the impact factors, model performances in the private mode is compared in Fig. 5. It is clear from Fig. 5 that a wise choice of $p_{i}$ significantly improves model accuracy in distributed architectures, especially while using DP.

Figure 4: The comparison of loss function values in the non-private mode for five different ways of assigning impact factors to clients of each part in the second scenario.

Figure 5: The comparison of loss function values for protection levels $\epsilon=5$ and $\epsilon=20$ when impact factors of the first, second, and third parts in the second scenario are set as $0$ , $\frac{2}{75}$ , and $\frac{1}{75}$ , respectively. The loss value of the model with identical impacts is also presented for $\epsilon=20$ as a reference.
3.

scenario $3$ : The third scenario is designed to see the effect of the dataset size and impact factors on the convergence performance of FL model. As given in Table I, we set $m$ equal to $50$ , $120$ , and $271$ in clients of part $1$ , $2$ , and $3$ respectively, and as depicted in Fig. 7, setting higher weights to the third part (clients with larger datasets) yields to better results. The common method defining impact factors based on dataset size, or setting $p_{i}=\frac{m_{i}}{m}$ , is probably developed from this assumption. But it can adversely affect the global model accuracy in heterogeneous structures.

Reducing clients’ training samples increases sensitivity and the amount of noise required for preserving DP. Fig. 7 compares the results after Gaussian noise is added for protection levels $\epsilon=5$ and $\epsilon=20$ . As it is shown for $\epsilon=20$ , the accuracy of the model when identical $p_{i}$ is set for all parts is still worse than assigning impact factors proportional to $1$ , $3$ , and $5$ for part $1$ , $2$ , and $3$ , respectively. This result has been achieved in spite of the fact that more noise is added due to a higher sensitivity in the latter experiment.

Figure 6: The comparison of loss function values in the non-private mode for three different ways of assigning impact factors to clients of each part in the third scenario.

Figure 7: The comparison of loss function values for protection levels $\epsilon=5$ and $\epsilon=20$ when impact factors of the first, second, and third parts in the third scenario are set as $\frac{1}{180}$ , $\frac{1}{60}$ , and $\frac{1}{36}$ , respectively. The loss value of the model with identical impacts is also presented for $\epsilon=20$ as a reference.
4.

scenario $4$ : We have designed the forth scenario to compare convergence properties when adaptive impact factors are used. As presented in Table I, the quality of clients’ datasets are changed after the $10$ -th aggregation round, and therefore, $p_{i}$ of each part should be changed to obtain the best model performance. Fig. 9 depicts the results of three types of impact factor assignments. The green curve which belongs to the experiment giving the heaviest weight to slight noisy datasets yields to the fastest and the most accurate result. Considering the green curve as the basis for the private mode, we compare loss function values for protection levels of $\epsilon=5$ and $\epsilon=20$ in Fig. 9.

Figure 8: The comparison of loss function values in the non-private mode for three different ways of assigning impact factors to clients of each part in the forth scenario.

Figure 9: The comparison of loss function values for protection levels $\epsilon=5$ and $\epsilon=20$ when impact factors of the first, second, and third parts in the forth scenario are respectively set as $0$ , $\frac{1}{60}$ , and $\frac{1}{30}$ for $t\leqslant 10$ , and $\frac{1}{30}$ , $\frac{1}{60}$ , and $0$ for $10<t\leqslant 30$ .

VII Conclusion

In this paper, we presented a personalized privacy preserving approach in federated learning models. Considering the systems and statistical heterogeneities in distributed architectures, we have first focused on the roles that impact factors play in obtaining the best model performance. We further clarified that the impacts are not necessarily fixed during training the global model and undergo changes. Hence, the influence each client has on learning can increase, decrease, or become zero while $\sum_{i=1}^{N}p_{i}=1$ applies. Then, we have proposed the requirements for preserving $(\epsilon,\delta)$ -DP in both clients and the server, when personalized aggregation is applied. We have developed the convergence analysis of the proposed scheme for both fixed and time-varying impact factors. Our simulation results on four scenarios helps understanding the importance of assigning non-identical impact factors to compensate the weaknesses of local datasets, clients, links, and the server.

References

[1] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” in AISTATS, vol. 54, 2017, pp. 1273–1282.
[2] V. Smith, C. Chiang, M. Sanjabi, and A. S. Talwalkar, “Federated multi-task learning,” in NIPS, 2017, pp. 4424–4434.
[3] K. A. Bonawitz, H. Eichner, W. Grieskamp, D. Huba, A. Ingerman, V. Ivanov, C. Kiddon, J. Konečný, S. Mazzocchi, B. McMahan, T. V. Overveldt, D. Petrou, D. Ramage, and J. Roselander, “Towards federated learning at scale: System design,” in MLSys, 2019.
[4] Q. Yang, Y. Liu, T. Chen, and Y. Tong, “Federated machine learning: Concept and applications,” ACM Trans. Intell. Syst. Technol., vol. 10, no. 2, pp. 12:1–12:19, 2019.
[5] J. Qian, S. P. Gochhayat, and L. K. Hansen, “Distributed active learning strategies on edge computing,” in CSCloud/EdgeCom. IEEE, 2019, pp. 221–226.
[6] T. Li, A. K. Sahu, A. Talwalkar, and V. Smith, “Federated learning: Challenges, methods, and future directions,” IEEE Signal Process. Mag., vol. 37, no. 3, pp. 50–60, 2020.
[7] A. Agarwal and J. C. Duchi, “Distributed delayed stochastic optimization,” in CDC. IEEE, 2012, pp. 5451–5452.
[8] K. Wei, J. Li, M. Ding, C. Ma, H. H. Yang, F. Farokhi, S. **, T. Q. S. Quek, and H. V. Poor, “Federated learning with differential privacy: Algorithms and performance analysis,” IEEE Trans. Inf. Forensics Secur., vol. 15, pp. 3454–3469, 2020.
[9] M. Talaei and I. Izadi, “Comments on “federated learning with differential privacy: Algorithms and performance analysis”,” arXiv preprint arXiv:2406.05858, 2024.
[10] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” in AISTATS, ser. Proceedings of Machine Learning Research, vol. 54. PMLR, 2017, pp. 1273–1282.
[11] S. Salehkaleybar, A. Sharif-Nassab, and S. J. Golestani, “One-shot federated learning: Theoretical limits and algorithms to achieve them,” J. Mach. Learn. Res., vol. 22, pp. 189:1–189:47, 2021.
[12] Y. Du, S. Yang, and K. Huang, “High-dimensional stochastic gradient quantization for communication-efficient edge learning,” IEEE Trans. Signal Process., vol. 68, pp. 2128–2142, 2020.
[13] N. Shlezinger, M. Chen, Y. C. Eldar, H. V. Poor, and S. Cui, “Uveqfed: Universal vector quantization for federated learning,” IEEE Trans. Signal Process., vol. 69, pp. 500–514, 2021.
[14] A. Reisizadeh, A. Mokhtari, H. Hassani, A. Jadbabaie, and R. Pedarsani, “Fedpaq: A communication-efficient federated learning method with periodic averaging and quantization,” in AISTATS, ser. Proceedings of Machine Learning Research, vol. 108. PMLR, 2020, pp. 2021–2031.
[15] H. Wang, S. Sievert, S. Liu, Z. B. Charles, D. S. Papailiopoulos, and S. J. Wright, “ATOMO: communication-efficient learning via atomic sparsification,” in NeurIPS, 2018, pp. 9872–9883.
[16] N. Strom, “Scalable distributed DNN training using commodity GPU cloud computing,” in INTERSPEECH. ISCA, 2015, pp. 1488–1492.
[17] T. Nishio and R. Yonetani, “Client selection for federated learning with heterogeneous resources in mobile edge,” in ICC. IEEE, 2019, pp. 1–7.
[18] L. Ye and V. Gupta, “Client scheduling for federated learning over wireless networks: A submodular optimization approach,” in CDC. IEEE, 2021, pp. 63–68.
[19] A. Ghosh, J. Hong, D. Yin, and K. Ramchandran, “Robust federated learning in a heterogeneous environment,” CoRR, vol. abs/1906.06629, 2019.
[20] B. Recht, C. Ré, S. J. Wright, and F. Niu, “Hogwild: A lock-free approach to parallelizing stochastic gradient descent,” in NIPS, 2011, pp. 693–701.
[21] T. Li, S. Hu, A. Beirami, and V. Smith, “Federated multi-task learning for competing constraints,” CoRR, vol. abs/2012.04221, 2020.
[22] X. Li, K. Huang, W. Yang, S. Wang, and Z. Zhang, “On the convergence of fedavg on non-iid data,” in ICLR. OpenReview.net, 2020.
[23] T. Li, A. K. Sahu, M. Zaheer, M. Sanjabi, A. Talwalkar, and V. Smith, “Federated optimization in heterogeneous networks,” Proceedings of Machine Learning and Systems, vol. 2, pp. 429–450, 2020.
[24] V. Mothukuri, R. M. Parizi, S. Pouriyeh, Y. Huang, A. Dehghantanha, and G. Srivastava, “A survey on security and privacy of federated learning,” Future Gener. Comput. Syst., vol. 115, pp. 619–640, 2021.
[25] N. Carlini, C. Liu, Ú. Erlingsson, J. Kos, and D. Song, “The secret sharer: Evaluating and testing unintended memorization in neural networks,” in USENIX Security Symposium. USENIX Association, 2019, pp. 267–284.
[26] M. Nasr, R. Shokri, and A. Houmansadr, “Comprehensive privacy analysis of deep learning: Stand-alone and federated learning under passive and active white-box inference attacks,” CoRR, vol. abs/1812.00910, 2018.
[27] C. Dwork and A. Roth, “The algorithmic foundations of differential privacy,” Found. Trends Theor. Comput. Sci., vol. 9, no. 3-4, pp. 211–407, 2014.
[28] M. Talaei and I. Izadi, “Adaptive differential privacy in federated learning: A priority-based approach,” arXiv preprint arXiv:2401.02453, 2024.
[29] K. Wei, J. Li, M. Ding, C. Ma, H. H. Yang, F. Farokhi, S. **, T. Q. S. Quek, and H. V. Poor, “Federated learning with differential privacy: Algorithms and performance analysis,” IEEE Trans. Inf. Forensics Secur., vol. 15, pp. 3454–3469, 2020.
[30] O. Thakkar, G. Andrew, and H. B. McMahan, “Differentially private learning with adaptive clip**,” CoRR, vol. abs/1905.03871, 2019.
[31] X. Liu, H. Li, G. Xu, R. Lu, and M. He, “Adaptive privacy-preserving federated learning,” Peer-to-Peer Netw. Appl., vol. 13, no. 6, pp. 2356–2366, 2020.
[32] M. Gong, K. Pan, Y. Xie, A. K. Qin, and Z. Tang, “Preserving differential privacy in deep neural networks with relevance-based adaptive noise imposition,” Neural Networks, vol. 125, pp. 131–141, 2020.
[33] R. Hu, Y. Guo, H. Li, Q. Pei, and Y. Gong, “Personalized federated learning with differential privacy,” IEEE Internet Things J., vol. 7, no. 10, pp. 9530–9539, 2020.
[34] B. Recht, C. Ré, S. J. Wright, and F. Niu, “Hogwild: A lock-free approach to parallelizing stochastic gradient descent,” in NIPS, 2011, pp. 693–701.
[35] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” in AISTATS, ser. Proceedings of Machine Learning Research, vol. 54. PMLR, 2017, pp. 1273–1282.
[36] M. Chen, D. Gündüz, K. Huang, W. Saad, M. Bennis, A. V. Feljan, and H. V. Poor, “Distributed learning in wireless networks: Recent progress and future challenges,” IEEE J. Sel. Areas Commun., vol. 39, no. 12, pp. 3579–3605, 2021.
[37] T. Li, A. K. Sahu, M. Zaheer, M. Sanjabi, A. Talwalkar, and V. Smith, “Federated optimization in heterogeneous networks,” in MLSys. mlsys.org, 2020.
[38] Y. LeCun, L. Bottou, Y. Bengio, and P. Haffner, “Gradient-based learning applied to document recognition,” Proc. IEEE, vol. 86, no. 11, pp. 2278–2324, 1998.

Enhancing Federated Learning with Adaptive Differential Privacy and Priority-Based Aggregation

Abstract

Index Terms:

I Introduction

II Preliminaries

II-A Federated Learning

II-B Differential Privacy

Definition 1 ((ϵ,δ)italic-ϵ𝛿(\epsilon,\delta)( italic_ϵ , italic_δ )-DP).

III Personalized Differential Privacy in Federated Learning

III-A Threat Model and Design Goals

III-B Proposed Privacy-Preserving Scheme

Client-side DP

Server-side DP

Theorem 1 (server-side DP).

Proof.

IV Convergence Analysis of the Personalized DP in FL

Assumption 1.

Lemma 1 (A𝐴Aitalic_A-local dissimilarity).

Proof.

Lemma 2 (Per-iteration expected increment).

Proof.

Theorem 2 (Convergence upper bound of personalized ….).

Proof.

V Convergence Analysis of DP in FL with adaptive impact factors

Lemma 3 (Per-iteration expected increment: Extension).

Proof.

Theorem 3 (Convergence upper bound of adaptive personalized ….).

Proof.

VI Simulation Results

VI-A Experimental Setting

VI-B Numerical Results

VII Conclusion

References

Definition 1 ( $(\epsilon,\delta)$ -DP).

IV Convergence Analysis of the
Personalized DP in FL

Lemma 1 ( $A$ -local dissimilarity).

V Convergence Analysis of
DP in FL with adaptive impact factors