Byzantine-Robust Federated Learning
- Byzantine-robust federated learning is a family of distributed training methods that keep the global model usable when some clients submit arbitrary or malicious updates, primarily by replacing plain averaging with robust aggregation rules.
- It uses methods such as distance-based filtering, coordinate-wise robust statistics, and adaptive weighting to defend against model poisoning and backdoor attacks.
- Practical systems combine robust aggregation with privacy mechanisms (TEEs, MPC, differential privacy, zero-knowledge proofs) and come with theoretical guarantees on both convergence and the residual error that Byzantine clients can induce.
Byzantine-robust federated learning (FL) encompasses methodologies, protocols, and system architectures designed to maintain correct and efficient collaborative model training across distributed clients, in the presence of an unknown and potentially large fraction of adversarial ("Byzantine") participants. These adversarial clients may submit arbitrary or malicious updates with the goal of destabilizing, biasing, or backdooring the global model. Ensuring robustness under such conditions, while preserving privacy and efficiency, is a central challenge in modern FL, especially for large-scale and practical deployments.
1. Adversary and System Models in Byzantine-Robust FL
Byzantine-robust FL frameworks typically assume a system model consisting of either a centralized server-client architecture or, increasingly, decentralized or serverless topologies. Clients possess local datasets (potentially non-IID and unbalanced), and participate in distributed optimization of a global loss, often over multiple synchronous rounds.
Threat models vary across the literature:
- Byzantine adversaries may constitute up to a constant fraction of the clients (Hashemi et al., 2021, Ebron et al., 2023, Fan et al., 12 Jan 2025). They have full knowledge of aggregation protocols and may collude, crafting arbitrary or coordinated updates (including model poisoning, backdoor, or label-flipping).
- Threats are not restricted to static or persistent Byzantine identities; some attacks involve Sybil entities (mass registration of fake clients) or time-varying malicious participation (Deshmukh, 2024, Li et al., 2021).
- Beyond client-side threats, adversaries may include honest-but-curious servers or aggregation nodes who attempt privacy attacks (e.g., inversion) but do not deviate from the protocol (Hashemi et al., 2021, Fan et al., 12 Jan 2025).
- In decentralized settings, Byzantine clients may send different malicious updates to different neighbors, leveraging control over local peer communications (Fang et al., 2024).
Assumptions often include:
- Authenticated, encrypted channels between participants (TLS, Diffie-Hellman key agreement, or secure aggregation protocols);
- An honest majority, or at least a sufficiently large benign subset, among the clients participating in each round;
- Remote attestation of the code and hardware running inside trusted execution environments (TEEs), where these are used (Hashemi et al., 2021).
2. Byzantine-Robust Aggregation Mechanisms
The core of Byzantine-robust FL lies in robust aggregation rules that filter, reweight, or adaptively combine client updates so that malicious contributions cannot dominate or derail global model optimization.
Mechanisms include:
- Distance-based filtering: Algorithms such as Krum and Multi-Krum select the update(s) whose sum of squared distances to their nearest neighbors is smallest, tolerating a bounded number of Byzantine clients that depends on the total client count (Li et al., 2023, Hashemi et al., 2021). FABA and clustering-based methods further remove outliers via pairwise similarities (Euclidean/cosine).
- Coordinate-wise robust statistics: The median, or the trimmed mean, is applied independently in every coordinate so that the largest and smallest entries are discarded before averaging; both have well-characterized breakdown points (Allouah et al., 2024, Li et al., 2023, Tao et al., 2023).
- Geometric median: The point minimizing the sum of Euclidean distances to all submitted updates (not necessarily one of the updates itself), robust to a bounded fraction of corruptions (Allouah et al., 2024, Li et al., 2023).
- Performance-based approaches: FedGreed evaluates candidate updates (and their averages) on a trusted server-side reference dataset, greedily selecting those which monotonically reduce the reference loss (Kritharakis et al., 25 Aug 2025).
- Clustering and spectral methods: Spectral clustering (PSA/BRFL) and spatial-temporal pattern analysis (STPA) identify clusters (by, e.g., Pearson correlation or cosine similarity) presumed honest, and discard outliers or small minority clusters as putative Byzantines (Li et al., 2023, Li et al., 2021).
- Adaptive weighting: Some methods optimize aggregation weights as trainable variables, e.g., via alternating minimization between model parameters and sparse, capped client weights (FedLAW), with provable Byzantine resilience (Parsa et al., 5 Nov 2025).
- Credibility and anomaly assessment: Adaptive filtering combines anomaly scores (e.g., autoencoder reconstruction error), data verification on shared test sets, and Bayesian participant blocking for dynamic client trust scoring (Zhai et al., 2021, Muñoz-González et al., 2019).
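The following is an added worked example, not code from any of the papers cited above: a minimal NumPy implementation of plain averaging beside coordinate-wise median, trimmed mean, Krum/Multi-Krum and the geometric median (Weiszfeld iteration), run on a constructed round in which three of ten clients collude and all send the same scaled, sign-flipped update. The client count, dimension, noise level and attack scale are arbitrary choices for illustration.

```python
"""Robust aggregation rules vs. a colluding sign-flip attack (constructed data)."""
import numpy as np


def fedavg(updates):
    """Plain averaging: a single client can move the result arbitrarily far."""
    return np.asarray(updates, dtype=float).mean(axis=0)


def coordinate_median(updates):
    """Coordinate-wise median."""
    return np.median(np.asarray(updates, dtype=float), axis=0)


def trimmed_mean(updates, trim):
    """Per coordinate, drop the `trim` largest and `trim` smallest values and
    average the rest. Needs n > 2*trim, and trim >= number of Byzantines."""
    u = np.asarray(updates, dtype=float)
    n = u.shape[0]
    if n <= 2 * trim:
        raise ValueError("trimmed_mean needs n > 2*trim")
    s = np.sort(u, axis=0)
    return s[trim:n - trim].mean(axis=0)


def krum(updates, f, m=1):
    """Krum (m=1) / Multi-Krum (m>1): score each update by the sum of squared
    distances to its n-f-2 nearest neighbours; return the mean of the m
    lowest-scoring updates together with their indices."""
    u = np.asarray(updates, dtype=float)
    n = u.shape[0]
    k = n - f - 2
    if k < 1:
        raise ValueError("krum needs n > f + 2")
    diff = u[:, None, :] - u[None, :, :]
    d2 = np.einsum("ijk,ijk->ij", diff, diff)   # pairwise squared distances
    np.fill_diagonal(d2, np.inf)                # a point is not its own neighbour
    scores = np.sort(d2, axis=1)[:, :k].sum(axis=1)
    chosen = np.argsort(scores)[:m]
    return u[chosen].mean(axis=0), chosen


def geometric_median(updates, iters=500, tol=1e-9):
    """Weiszfeld iteration for the point minimising the sum of Euclidean
    distances to all updates (it need not coincide with any update)."""
    u = np.asarray(updates, dtype=float)
    z = u.mean(axis=0)
    for _ in range(iters):
        dist = np.linalg.norm(u - z, axis=1)
        w = 1.0 / np.maximum(dist, 1e-12)        # guard: iterate landing on a point
        z_new = (w[:, None] * u).sum(axis=0) / w.sum()
        done = np.linalg.norm(z_new - z) < tol
        z = z_new
        if done:
            break
    return z


def run_demo(n=10, f=3, d=10, seed=0):
    """Constructed round: n-f honest clients send the true direction (all ones)
    plus N(0, 0.1^2) noise; f colluding Byzantine clients all send -10 * ones.
    Returns (distance of each aggregate from the honest mean, Krum's picks)."""
    rng = np.random.default_rng(seed)
    honest = 1.0 + 0.1 * rng.standard_normal((n - f, d))
    byzantine = np.tile(-10.0 * np.ones(d), (f, 1))
    updates = np.vstack([honest, byzantine])   # indices 0..n-f-1 are honest
    ref = honest.mean(axis=0)
    krum_agg, chosen = krum(updates, f)
    mkrum_agg, _ = krum(updates, f, m=n - f)
    aggs = {
        "fedavg": fedavg(updates),
        "median": coordinate_median(updates),
        "trimmed_mean": trimmed_mean(updates, trim=f),
        "krum": krum_agg,
        "multi_krum": mkrum_agg,
        "geometric_median": geometric_median(updates),
    }
    dists = {k: float(np.linalg.norm(v - ref)) for k, v in aggs.items()}
    return dists, [int(i) for i in chosen]


if __name__ == "__main__":
    distances, picks = run_demo()
    for name, dist in distances.items():
        print(f"{name:17s} distance to honest mean: {dist:.3f}")
    print("Krum selected client(s):", picks)
```

On this round the plain mean lands roughly ten units from the honest mean while every robust rule stays inside the honest cluster, and Krum's selected index is honest. Two practical points the numbers make visible: the trimmed mean pays for a one-sided attack by also discarding honest extremes on the other side, which shows up as a small bias; and both trimmed mean and Krum need an a-priori bound on the number of Byzantine clients (trim >= f, n > f + 2), which is the bounded-fraction assumption from section 1.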
3. Privacy-Preserving Byzantine-Robust FL
Byzantine-robust FL frameworks increasingly integrate rigorous privacy guarantees to mitigate not only model corruption but also information leakage (Nie et al., 2024, Zhang et al., 19 Dec 2025, Hashemi et al., 2021). Principal approaches include:
- Trusted execution environments (TEE): Client gradients are encrypted and only decrypted inside attested TEEs, which perform privacy-preserving encoding (e.g., constant-offset Gaussian masking), then offload Byzantine checks to untrusted accelerators using noise-encoded vectors. This yields theoretical bounds on leakage based on information capacity (parallel Gaussian channel) and allows GPU acceleration for pairwise distance computation (Hashemi et al., 2021).
- Secure multi-party computation (MPC): Secret-sharing protocols (e.g., ABY) enable joint computation of robust aggregation/filtering rules without any server observing raw updates. Efficiency is achieved via aggressive low-dimensional random projection that preserves inter-update distances (ABBR framework), achieving a 50–600× speedup over full-dimensional secure computation (Zhang et al., 19 Dec 2025).
- Differential privacy: Sparse, momentum-averaged, locally clipped client updates are perturbed with Gaussian noise, guaranteeing client-level differential privacy. Variance reduction and sparsification can reduce both the privacy cost and the adversarial impact without degrading convergence (Zhang et al., 2023).
- Zero-knowledge proofs and homomorphic encryption: In protocols such as ByzSFL and BPFL, clients mask their updates with a jointly negotiated random vector (via Paillier homomorphic encryption or threshold masking) and attach non-interactive zk-SNARKs proving that the masked update satisfies the similarity constraints, or that FLTrust-style weights were computed correctly. The server sees only masked, norm-bounded contributions with accompanying proofs, which keeps verification cheap (constant-size proofs, aggregated verification) while the aggregation itself stays encrypted (Fan et al., 12 Jan 2025, Nie et al., 2024).
4. Theoretical Guarantees, Statistical Rates, and Convergence
Modern Byzantine-robust FL frameworks rigorously quantify both statistical efficiency and robustness.
- Statistical rates: Under strong convexity and -smoothness, optimal error bounds of the form
are achievable via bucketing (median-of-means) and robust-mean estimation, where is the Byzantine fraction, per-client sample size, clients, dimension, and controls gradient noise (Zhu et al., 2022).
- Residual bias: In robust FL, the final (non-vanishing) bias is proportional to the effective fraction of Byzantines in the sampled set, and can be further dampened by increasing local SGD steps or averaging rounds (Allouah et al., 2024). However, diminishing returns appear: beyond a problem-dependent threshold for clients per round, further communication does not reduce error because of this lower bound.
- Convergence in nonconvex settings: Stochastic, robust aggregation rules (-robust) can achieve
where is clients-subsampled per round and their adversarial tolerance (Allouah et al., 2024).
- Decentralized and serverless guarantees: Algorithms like BALANCE provide strong theoretical convergence (linear for strongly convex, for nonconvex) in fully decentralized settings, matching classical SGD rates when each client has an honest majority among its neighbors (Fang et al., 2024).
- Clustered FL: In settings with disjoint clusters (non-IID by task), coordinate-wise median/trimmed mean within clusters guarantees per-cluster error bounds that scale sublinearly with dimension and adversary rate (Tao et al., 2023).
5. Practical Implementation and Empirical Performance
Empirical results support the efficacy and trade-offs of advanced Byzantine-robust FL techniques:
- Efficiency and overhead: Hybrid TEE–GPU designs reduce per-round time substantially compared to TEE-only execution (Hashemi et al., 2021). ABBR reduces communication by running the robust rule in a low-dimensional projected space (Zhang et al., 19 Dec 2025). ByzSFL is faster than FHE-based solutions because it combines partially homomorphic encryption with ZKPs instead of evaluating the aggregation under FHE (Fan et al., 12 Jan 2025).
- Robustness under strong attacks: Spectral clustering methods (BRFL/PSA) and FCA-based dynamic weighting (FedTruth) maintain accuracy up to the Byzantine fractions evaluated, outperforming Krum, median, trimmed mean, and older clustering-based schemes, especially under non-IID data and sign-flipping attacks (Li et al., 2023, Ebron et al., 2023).
- Limitations with data heterogeneity: The robust aggregation methods evaluated by Li et al. (2023), including ClippedClustering and coordinate-wise median, degrade significantly under strongly non-IID data because the "honest cluster" assumption no longer holds; accuracy can fall to near random. Recent methods have shown improvements via additional signal (shared data verification, anomaly detection, or dynamic weighting), but universal robustness remains elusive.
- Privacy trade-offs: Techniques ensuring both privacy and robustness (e.g., ABBR, BPFL, ByzSFL) preserve main-task accuracy, backdoor resistance, and TPR/TNR rates nearly indistinguishable from plaintext baselines, while resisting inversion and inference attacks (Zhang et al., 19 Dec 2025, Nie et al., 2024, Fan et al., 12 Jan 2025, Zhang et al., 2023).
6. System Architectures and Emerging Frameworks
A range of Byzantine-robust FL system designs is represented in recent work:
- TEE-accelerated aggregation: Construction of noise-encoded gradient vectors inside hardware-attested enclaves, with distance checks delegated to untrusted compute for scalability (Hashemi et al., 2021).
- Blockchain-based federated learning (BRFL): Combines aggregation node selection (via Pearson correlation), spectral clustering for robust aggregation, and an incentive/traceability layer through blockchain smart contracts, tolerating adversarial clients up to the fraction evaluated, with on-chain evidence and penalties (Li et al., 2023).
- Decentralized/serverless architectures: BALANCE and BRACE demonstrate peer-to-peer or ring-all-reduce communication topologies, with local similarity-based filtering (BALANCE) or coordinate-wise consensus on quantized gradients (BRACE), achieving robust convergence and bandwidth efficiency (Fang et al., 2024, Fang et al., 29 Jan 2025).
- Clustered tasks: Robust clustered FL, with alternate cluster assignment and robust within-cluster aggregation, enables learning across multiple heterogeneous tasks while tolerating adversarial attacks on specific clusters (Tao et al., 2023).
7. Limitations, Attacks, and Future Directions
Despite major advances, several open challenges and vulnerabilities persist:
- Sybil attacks on secure aggregation: Methods like RoFL enforce per-client norm bounds inside secure aggregation, but because the server never sees an individual update, it cannot stop an adversary who splits its contribution across many Sybil identities, each within the bound, or who gradually shifts the norm-median bound over time; both enable backdoor injection or inflation attacks (Deshmukh, 2024).
- Scalability and practical cost: Efficiency remains a challenge for secure aggregation, especially as robust rules require pairwise distance computations or large-scale MPC for high client counts (Zhang et al., 19 Dec 2025, Nie et al., 2024).
- Non-IID and partial participation: No method to date has fully closed the robustness gap under data heterogeneity, strong non-IID splits, and partial participation; adaptive methods (e.g., FedTruth, BRCA) and suitable privacy-preserving filters show promise but require further theoretical and empirical study (Ebron et al., 2023, Zhai et al., 2021).
- Hybrid approaches and integration: Combining robust aggregation, cryptographic proofs of validity, identity management, and privacy noise is necessary for end-to-end Byzantine resistance in practical FL deployments (Deshmukh, 2024, Fan et al., 12 Jan 2025, Nie et al., 2024).
- Open questions: Achieving minimax-optimal rates with a simple, universal algorithm; practical linear-time robust estimation matching theoretical lower bounds; and deploying robust FL in serverless, asynchronous, or large-scale heterogeneous ecosystems.
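As an added example (not code from RoFL or any paper cited on this page), the block below implements the clip-then-add-Gaussian-noise step that the client-level differential privacy approach in section 3 relies on, and then uses it to reproduce the Sybil limitation described above: the norm bound caps what one identity can contribute, but says nothing about how many identities one adversary controls. The honest update direction, clipping radius, attack scale and Sybil counts are arbitrary constructed values.

```python
"""Client-level clipping + Gaussian noise, and why a norm bound alone does not
stop Sybils. Constructed data; illustrative only."""
import numpy as np


def clip_update(u, clip):
    """Project u onto the L2 ball of radius `clip` (unchanged if already inside)."""
    u = np.asarray(u, dtype=float)
    norm = np.linalg.norm(u)
    if norm <= clip:
        return u.copy()
    return u * (clip / norm)


def dp_aggregate(updates, clip, noise_multiplier=0.0, seed=0):
    """Client-level Gaussian mechanism: clip every update to norm `clip`, sum,
    add N(0, (noise_multiplier*clip)^2) noise to each coordinate, divide by n.
    Clipping fixes each client's L2 sensitivity on the sum to `clip`; the
    (epsilon, delta) accounting over rounds and sampling is done elsewhere."""
    clipped = np.stack([clip_update(u, clip) for u in updates])
    rng = np.random.default_rng(seed)
    noise = rng.normal(0.0, noise_multiplier * clip, size=clipped.shape[1])
    return (clipped.sum(axis=0) + noise) / clipped.shape[0]


def sybil_shift(n_honest, n_sybil, clip, d=8, attack_scale=1e6):
    """Honest clients send 0.5*e0, inside the bound. Every attacker identity
    sends attack_scale * (-e0); clipping maps it to exactly -clip*e0, so one
    identity can move the mean by roughly clip/n at most. Each Sybil identity
    gets that same budget, so the shift grows linearly in n_sybil even though
    every individual update passes the norm check. Noise is off so the value
    is exact. Returns the displacement of the aggregate along e0 from the
    honest-only value 0.5 (positive = pulled toward the attacker)."""
    e0 = np.zeros(d)
    e0[0] = 1.0
    honest = [0.5 * e0] * n_honest
    sybils = [-attack_scale * e0] * n_sybil
    agg = dp_aggregate(honest + sybils, clip)
    return float(0.5 - agg[0])


def aggregate_direction(n_honest, n_sybil, clip):
    """Sign of the aggregate along e0: +1 if the honest direction survived,
    -1 if the Sybil set flipped the global update, 0 if exactly cancelled."""
    return float(np.sign(0.5 - sybil_shift(n_honest, n_sybil, clip)))


if __name__ == "__main__":
    for s in (1, 5, 10, 20):
        print(f"{s:2d} Sybil identities among 20 honest clients: "
              f"shift {sybil_shift(20, s, 1.0):.3f}, "
              f"direction {aggregate_direction(20, s, 1.0):+.0f}")
```

With 20 honest clients and a clip radius of 1, a single attacker shifts the mean by 1.5/21 no matter how large its raw update was, which is exactly what clipping is for. Ten Sybil identities cancel the honest signal entirely and twenty flip its sign, while every individual update passes the norm check. Robust aggregation over individual updates (section 2) would separate the two clusters, but under secure aggregation the server never sees them, so the defence has to move to identity management or to proofs about properties the aggregate must satisfy.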
Byzantine-robust federated learning is a rapidly evolving subfield, where new algorithmic, statistical, and systems advances aim to unify privacy, efficiency, and resilience guarantees for trustworthy distributed machine learning in adversarial environments.