Papers
Topics
Authors
Recent
Search
2000 character limit reached

Giskard : Byzantine Robust and Confidential Aggregation for Large-Scale Decentralized Learning

Published 17 Jun 2026 in cs.CR and cs.LG | (2606.19129v1)

Abstract: Dealing simultaneously with confidentiality and Byzantine behaviors in decentralized learning is a challenging problem. Indeed, in decentralized learning, clients train a machine learning model while keeping their data locally and share their model parameters or gradients with a set of neighbors. While enforcing confidentiality calls for hiding the exchanged model parameters/gradients (e.g., by using cryptographic techniques), dealing with Byzantine contributions often requires inspecting the latter. Hence, most research works address these objectives separately. A recent line of work proposes to employ secure multi-party computation (MPC) to implement robust aggregators against model poisoning, thereby enforcing both confidentiality and Byzantine resilience. However, these solutions scale badly: they either require all-to-all communication between participants or delegate the entire computation to a small subset, whose computational and communication load grows proportionally with the size of the network. In this paper, we present Giskard, a protocol for confidential and Byzantine-robust decentralized aggregation. Giskard organizes $n$ parties into a tree of committees of size $O(\log n)$ and evaluates a coordinate-wise approximate median via a committee-adapted distributed binary search over the value domain, using BGW-style MPC within each committee. We assess Giskard both theoretically by proving its security and confidentiality properties and experimentally through extensive experiments involving up to one million participants. Compared to its closest competitors, Giskard reduces per-party communication complexity asymptotically while exhibiting comparable model utility under up to $n/4$ Byzantine parties.

Summary

  • The paper introduces GISKARD, a scalable protocol that achieves both Byzantine robustness and confidentiality in decentralized learning using tree-based committee structures.
  • The paper details a methodology employing hierarchical committee formation and distributed binary search with secure MPC primitives to reduce per-party communication to sublinear levels.
  • The paper demonstrates through empirical evaluations on MNIST and CIFAR-10 that GISKARD maintains high test accuracy and resilience against various Byzantine attacks.

Byzantine-Robust and Confidential Aggregation for Decentralized Learning: An Analysis of GISKARD

Motivation and Context

The GISKARD protocol confronts a fundamental tension in decentralized learning: the simultaneous achievement of Byzantine robustness and confidentiality. Decentralized frameworks lack a centralized trusted aggregator, exposing model aggregation to both malicious manipulation (Byzantine attacks) and information leakage (gradient inversion, membership inference). Traditional robust aggregation techniques (e.g., coordinate-wise median, Krum, trimmed mean) necessitate cleartext inspection of individual inputs, while cryptographic mechanisms enforce input confidentiality at the expense of transparency. Prior attempts—mainly combining secure multi-party computation (MPC) with robust aggregation—suffer prohibitive O(n) per-party communication complexity and scalability constraints.

GISKARD addresses this gap by engineering a scalable, UC-secure, decentralized protocol capable of robust and confidential aggregation, with per-party communication cost scaling polylogarithmically in the network size.

Protocol Design and Technical Approach

GISKARD organizes n participants into a hierarchical tree of committees, each of size O(logn)O(\log n), leveraging scalable MPC primitives in the malicious setting (BGW verifiable secret sharing, secure multiplication, and resharing). Its robust aggregation mechanism reformulates coordinate-wise median computation as a distributed binary search: participating nodes compare their local model parameters against dynamically chosen pivots, secret-share binary results, and recursively aggregate counts up the tree. Verified input proofs bound malicious influence per iteration, ensuring formal robustness against f<n/4f < n/4 Byzantine nodes.

The protocol comprises three scalable and composable sub-protocols:

  • BUILDTREE: Secure, load-balanced committee formation with static corruption tolerance via union-bound on committee sizes, exploiting common random seeds for topology generation.
  • INPUTSHARE: Secure input comparison and binary proof of domain for each coordinate, combining VSS sharing with zero-knowledge validation.
  • RESHARE: Verifiable share redistribution across committee hierarchies, preserving consistency and bounding adversarial manipulation.

Each committee acts as a locus for MPC operations, distributing computational burden and minimizing per-node bandwidth requirements. Aggregated counts are ultimately revealed at the tree root, permitting pivot update and median dissemination without exposing individual contributions.

Security and Robustness Analysis

GISKARD is formally proven UC-secure in the Universal Composability framework: each sub-protocol (BGW primitives, secure input sharing, verifiable resharing) UC-realizes its respective ideal functionality, ensuring security against static malicious adversaries corrupting f<n/4f < n/4 nodes. The output leakage is restricted to the global median; individual shares and intermediate counts remain cryptographically hidden.

Robustness is characterized through (f,K)(f,K)-Byzantine resistant aggregation, matching coordinate-wise median guarantees. Under bounded precision qq, GISKARD ensures output bracketed between honest order statistics, and its convergence preserves utility even as attackers craft malicious updates with full knowledge of honest contributions. The resilience follows from domain-proofed binary search aggregation, limiting adversarial injection to ff per iteration.

Communication Complexity and Scalability

A principal innovation is GISKARD's asymptotic reduction in per-party communication and computational cost. Compared to fully connected (A2A, O(n2)O(n^2)), or committee-based (A2C, O(nlog2n)O(n \log^2 n)) MPC frameworks, the tree-based committee system enables O(log3n)O(\log^3 n) per-party cost per median-search iteration. Each node participates in up to O(logn)O(\log n) committees per round, distributing encode/aggregate operations.

Empirical evaluation on MNIST and CIFAR-10 demonstrates that GISKARD's per-node communication is reduced by up to 3 orders of magnitude versus state-of-the-art competitors, with competitive robustness and convergence properties. For f<n/4f < n/40 up to f<n/4f < n/41, GISKARD maintains practical latency and bandwidth budgets, unlike A2A and A2C which become intractable at scale.

Utility and Robustness under Attacks

GISKARD’s binary-search median aggregator maintains test accuracy under classical Byzantine attacks (label flipping, sign flipping, ALIE, IPM) within 0.4%-2.7% of cleartext robust aggregators on benchmark datasets, affirming its theoretical robustness properties. The number of binary search iterations (f<n/4f < n/42) admits a sharp threshold: below this, accuracy collapses; above, additional iterations yield no gain, enabling precise provisioning of protocol parameters for optimal cost/robustness.

Implications and Future Directions

The protocol’s scalability and compositionality position it as a practical foundation for decentralized learning systems at cross-device scale, where privacy and robustness are critical. GISKARD’s tree-based aggregation model generalizes to other robust statistics, and may be adapted for heterogeneous network architectures or further cryptographic optimizations (e.g., computational assumptions, efficient masking). Future work can extend GISKARD to asynchronous networks, dynamic committee selection, and hybrid threat models, as well as integrating differential privacy mechanisms.

The theoretical guarantees achieved via information-theoretic MPC primitives provide strong security and verifiability, suggesting that increasingly large deployments can utilize robust decentralized learning without sacrificing efficiency or privacy. This advances both the practical deployment of federated-style learning in hostile/heterogeneous networks, and the broader theory of secure distributed optimization.

Conclusion

GISKARD systematically advances decentralized collaborative learning by reconciling Byzantine robustness and confidentiality at scale. Through hierarchical committee-based MPC and median-search reduction, it achieves sublinear per-party communication, formal UC-security, and resilience to model poisoning, while retaining practical convergence and model utility. This protocol is an important step toward scalable, trustworthy decentralized learning and opens new directions for cryptographically robust distributed AI.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.