
DDP-SA: Scalable Privacy-Preserving Federated Learning via Distributed Differential Privacy and Secure Aggregation

Published 8 Apr 2026 in cs.CR and cs.LG | (2604.07125v1)

Abstract: This article presents DDP-SA, a scalable privacy-preserving federated learning framework that jointly leverages client-side local differential privacy (LDP) and full-threshold additive secret sharing (ASS) for secure aggregation. Unlike existing methods that rely solely on differential privacy or on secure multi-party computation (MPC), DDP-SA integrates both techniques to deliver stronger end-to-end privacy guarantees while remaining computationally practical. The framework introduces a two-stage protection mechanism: clients first perturb their local gradients with calibrated Laplace noise, then decompose the noisy gradients into additive secret shares that are distributed across multiple intermediate servers. This design ensures that (i) no single compromised server or communication channel can reveal any information about individual client updates, and (ii) the parameter server reconstructs only the aggregated noisy gradient, never any client-specific contribution. Extensive experiments show that DDP-SA achieves substantially higher model accuracy than standalone LDP while providing stronger privacy protection than MPC-only approaches. The proposed framework scales linearly with the number of participants and offers a practical, privacy-preserving solution for federated learning applications with controllable computational and communication overhead.

Summary

  • The paper introduces a two-stage protection mechanism, combining calibrated Laplace noise on client gradients with additive secret sharing to secure federated learning.
  • It leverages a multi-server architecture to ensure rigorous (ε, δ)-DP guarantees and scalable aggregation without isolating individual client updates.
  • Empirical results demonstrate that DDP-SA outperforms standalone LDP by delivering superior test loss and R² values while maintaining efficient communication and computation.

DDP-SA: Scalable Privacy-Preserving Federated Learning with Distributed Differential Privacy and Secure Aggregation

Motivation and Framework Design

The DDP-SA framework addresses persistent privacy vulnerabilities in federated learning (FL), notably privacy leakage from client updates due to inference attacks. While standard FL keeps local data on-device, adversaries have demonstrated significant leakage by attacking shared gradients or parameters. Conventional defense mechanisms fall short: local differential privacy (LDP) degrades model accuracy by adding noise, whereas secure multi-party computation (MPC) incurs computational and communication burdens and typically reveals aggregate gradients to the server. DDP-SA proposes to integrate client-side LDP and full-threshold additive secret sharing (ASS) in a multi-server architecture, ensuring robust end-to-end privacy with practical overhead.

DDP-SA introduces a two-stage protection mechanism: (1) clients perturb gradients with calibrated Laplace noise to guarantee $(\epsilon, \delta)$-DP, then (2) encode these noisy gradients into additive secret shares and distribute them across $m$ intermediate servers. No single entity or communication channel can reconstruct any client’s specific update unless all intermediate servers are compromised.

Figure 1: DDP-SA framework architecture, combining client-side local DP and secret sharing across multiple intermediate servers, highlighting two-stage privacy protection.

System Architecture and Workflow

The framework generalizes privacy-preserving aggregation via a multi-server architecture supporting arbitrary $m$ and $n$:

  • Clients: Locally compute gradients, clip $\ell_1$ norm, add Laplace noise (LDP), encode to fixed-point, generate $m$ secret shares, and upload to intermediate servers.
  • Intermediate servers: Each receives one share per client, aggregates them, and forwards the partial sum to the parameter server.
  • Parameter server: Reconstructs the global sum of noisy aggregates to update the global model, never isolating individual updates.

This architecture achieves linear scalability in $n$ and $m$ and offers flexible communication complexity by varying $m$. The intermediate servers enable bandwidth offloading, straggler mitigation, and isolation of fault domains.

Figure 2: DDP-SA workflow with $n$ clients, mm0 intermediate servers, and mm1-dimensional parameters, illustrating scalable and secure aggregation of locally DP-perturbed gradients.
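The client, intermediate-server and parameter-server steps listed above, as an added Python sketch that is not the paper's code. The ring Z_{2^64}, the fixed-point scale 2^16, the Laplace scale b = 2c/ε for an ℓ1 clip bound c, and all function names are assumptions; the page does not give the paper's exact calibration.

```python
import random, secrets

MOD = 2**64    # assumed share ring Z_{2^64}
SCALE = 2**16  # assumed fixed-point scale

def clip_l1(g, c):
    """Scale g so its l1 norm is at most c."""
    norm = sum(abs(x) for x in g)
    return [x * min(1.0, c / norm) for x in g] if norm else list(g)

def laplace(rng, b):
    # Laplace(0, b) as the difference of two Exp(mean b) draws.
    return rng.expovariate(1 / b) - rng.expovariate(1 / b)

def encode(x):
    return round(x * SCALE) % MOD  # negatives wrap to the upper half of the ring

def decode(v):
    return (v - MOD if v >= MOD // 2 else v) / SCALE

def share(v, m):
    """Full-threshold additive sharing: m-1 uniform values plus a correction term."""
    parts = [secrets.randbelow(MOD) for _ in range(m - 1)]
    return parts + [(v - sum(parts)) % MOD]

def client_upload(grad, c, eps, m, rng):
    b = 2 * c / eps  # assumed calibration: l1 sensitivity of a clipped update is 2c
    noisy = [encode(x + laplace(rng, b)) for x in clip_l1(grad, c)]
    per_coord = [share(v, m) for v in noisy]
    # Row j is the share vector sent to intermediate server j.
    return noisy, [[s[j] for s in per_coord] for j in range(m)]

def add_vectors(vectors):
    return [sum(col) % MOD for col in zip(*vectors)]

def run_round(grads, c=1.0, eps=1.0, m=3, seed=0):
    rng = random.Random(seed)  # seeded for a repeatable demo; use a CSPRNG for real noise
    uploads = [client_upload(g, c, eps, m, rng) for g in grads]
    # Each intermediate server sums the one share vector it got from every client.
    partials = [add_vectors([u[1][j] for u in uploads]) for j in range(m)]
    total = add_vectors(partials)  # parameter server: sum of the m partial sums
    expected = add_vectors([u[0] for u in uploads])  # sum of noisy gradients, for checking
    return [decode(v) for v in total], [decode(v) for v in expected], partials

if __name__ == "__main__":
    # Constructed sample gradients for three clients.
    agg, exp, _ = run_round([[0.5, -2.0, 1.0], [3.0, 0.25, -0.75], [-1.0, 1.0, 0.0]])
    print(agg, agg == exp)
```

The parameter server only ever sees the `partials`; each one is masked by uniform ring elements, so only their sum decodes to the aggregate of the noisy gradients.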

Privacy Guarantees and Formal Analysis

DDP-SA preserves formal mm2-DP guarantees, leveraging the post-processing invariance of differential privacy. ASS provides cryptographic security: any strict subset of shares is independent of the secret. The parameter server reconstructs only aggregated, noisy gradients. End-to-end, the system’s privacy is governed by client-side LDP; secure aggregation introduces zero additional privacy loss.

Multi-round privacy accumulation is handled using basic and advanced DP composition theorems. Over mm3 rounds, basic composition yields mm4-DP; advanced composition achieves tighter bounds, e.g., mm5, providing practical guidance for privacy budgeting over the training horizon.

DDP-SA’s hybrid statistical and cryptographic guarantees exceed those of standalone LDP or MPC. Unlike pure LDP, gradients are never transmitted in cleartext, and unlike pure MPC, client contributions receive formal statistical privacy protection.

Empirical Results: Efficiency, Accuracy, and Scalability

Extensive experiments demonstrate that DDP-SA delivers:

  • Communication rounds to convergence: MPC and No-Private require ~2070 rounds; LDP and DDP-SA require ~2440 rounds with identical optimizer and noise settings, confirming that aggregation strategy does not dominate convergence rate.

    Figure 3: Communication rounds to convergence under various defense mechanisms.

  • Parameters uploaded per client: In DDP-SA and MPC, each client uploads mm6 parameters (mm7 in experiments), scaling linearly with mm8. In contrast, LDP and No-Private require only mm9 parameters, validating scalability of the intermediate server architecture.

    Figure 4: Parameter upload per client for different mechanisms (mm0).

  • Total time to convergence: DDP-SA incurs modest overhead compared to LDP (203 vs 172 minutes), well within practical bounds.

    Figure 5: Time to convergence for varying privacy mechanisms.

  • Average time per training round: DDP-SA rounds require only 10s, versus 8.4s for LDP, remaining efficient even as mm1 increases.

    Figure 6: Average round training time.

Component-wise analysis identifies gradient clipping as the primary bottleneck. Communication overhead scales as mm2, but per-client bandwidth can be minimized by increasing mm3; system ingress bandwidth to the parameter server becomes mm4, enabling scalability to large mm5.

Model Utility and Privacy-Utility Tradeoff

Model accuracy was evaluated via test loss and test mm6. DDP-SA consistently outperformed standalone LDP: with mm7, DDP-SA achieves test loss of mm8 and mm9, while LDP yields nn0 loss and nn1. No-Private and MPC provide near-perfect values (nn2 loss, nn3 nn4).

Increasing the privacy budget nn5 improves both LDP and DDP-SA utility; DDP-SA maintains a superior trajectory, enabling lower privacy budgets for a given target accuracy. As the client count nn6 increases, noise averaging further boosts accuracy, with DDP-SA scaling robustly.

Privacy Protection Strength and Attack Mitigation

DDP-SA resists inference attacks through dual protection:

  • Membership/property/training data attacks: Locally perturbed gradients coupled with secret sharing mitigate reconstruction risks.
  • Strict-subset indistinguishability: Any subset of fewer than nn7 shares yields zero mutual information about client data; compromise probability decays exponentially with nn8.
  • Resilience to server compromise: Parameter server cannot reconstruct any client’s gradient given only aggregated values.

These properties apply across multiple rounds due to DP composition and the immutable cryptographic protection from ASS. DDP-SA outperforms pure LDP or MPC in terms of end-to-end privacy, especially when adversaries have physical link access or compromise subsets of servers.

Implications and Future Directions

DDP-SA demonstrates that hybrid privacy architectures are feasible for scalable FL systems, delivering stronger privacy protections without catastrophic accuracy loss or prohibitive overhead. In practice, DDP-SA provides a tunable privacy-utility tradeoff and robustness to communication and computation scalability. The architecture supports integration with dropout-tolerant aggregation and is extensible to heterogeneous or non-IID client datasets.

Future work may focus on:

  • Adaptive privacy budget allocation across rounds and clients, leveraging advanced DP mechanisms.
  • Generalization to more sophisticated model architectures or non-IID partitions.
  • Optimization of secure aggregation to further minimize communication and computation bottlenecks.
  • Integration with privacy amplification techniques (e.g., shuffling) and robustness to active adversaries.

Conclusion

DDP-SA establishes a principled, scalable foundation for privacy-preserving federated learning by combining local DP and secure aggregation. Empirical and theoretical analysis confirms that DDP-SA achieves superior privacy protection compared to standalone LDP or MPC, with only moderate and controllable tradeoffs in accuracy and efficiency. The results demonstrate that hybrid designs are key for practical FL deployments confronting stringent privacy requirements and scalability demands (2604.07125).
