Batch-verifiable federated learning against byzantine threats: a zero-knowledge-enabled additive-homomorphic approach

Heyi ZHANG, Jun WU, Qianqian PAN, Li DING

Front. Comput. Sci. ›› 2027, Vol. 21 ›› Issue (8) : 2108809

Information Security
RESEARCH ARTICLE

Abstract

Federated learning (FL) has emerged as a privacy-preserving paradigm for distributed learning on mobile devices. Despite its widespread adoption, FL remains vulnerable to two major threats: untrusted clients launching Byzantine attacks to hinder convergence, and malicious aggregators manipulating results by excluding or biasing updates. While prior studies have made initial attempts to address these risks, fundamental limitations remain: 1) a narrow focus on either Byzantine attacks or verifiable aggregation, failing to provide comprehensive protection; 2) reliance on unrealistic assumptions, such as knowledge of adversary numbers, semi-honest clients, or server access to clean data; and 3) excessive computational overhead, limiting real-world applicability and deployment on resource-constrained devices. To address these issues, we propose BVFL, a lightweight batch verifiable aggregation framework that tackles threats from both malicious clients and the aggregator. First, we introduce a zero-knowledge-based adaptive defense with random sampling techniques to mitigate Byzantine attacks efficiently without introducing additional assumptions. Second, unlike conventional verifiable aggregation protocols that verify commitments at the element level, we design PolyAgg, an efficient protocol enabling batch verification at the polynomial level via polynomial additive-homomorphic commitment, reducing computational overhead. Security analyses and experiments across diverse datasets, models, adversary fractions, and data heterogeneity demonstrate that our BVFL framework robustly defends against Byzantine attacks while achieving up to 9x faster performance than state-of-the-art methods.

Keywords

federated learning / verifiable aggregation / Byzantine robustness / zero knowledge proof / KZG commitment

Cite this article

Heyi ZHANG, Jun WU, Qianqian PAN, Li DING. Batch-verifiable federated learning against byzantine threats: a zero-knowledge-enabled additive-homomorphic approach. Front. Comput. Sci., 2027, 21 (8) : 2108809 DOI:10.1007/s11704-026-51805-6

RIGHTS & PERMISSIONS

Higher Education Press
