FORTA: Fourier-Based Aggregation in Federated Learning
- FORTA is a federated learning secure aggregation framework that uses Fourier techniques to maintain privacy and defend against Byzantine attacks.
- It employs DFT codes for analog secret sharing combined with a Krum-based outlier detection method enhanced by decoder feedback.
- FORTA operates in the real domain to avoid quantization issues, ensuring robust and precise aggregation even under adversarial conditions.
FORTA is a federated learning secure aggregation framework whose stated goal is to keep individual client updates private while preserving robustness against Byzantine users that corrupt the aggregation. In the formulation introduced in "FORTA: Byzantine-Resilient FL Aggregation via DFT-Guided Krum" (Shahul et al., 19 Jul 2025), the framework operates entirely in the real domain, uses Discrete Fourier Transform (DFT) codes for privacy, and employs Krum-based outlier detection for robustness, with a further modification in which feedback from the DFT decoder is used to refine Krum. The framework is positioned against finite-field secure aggregation approaches that quantize real-valued model updates, and it is explicitly motivated by the tension between secure aggregation, which hides individual updates, and Byzantine-robust aggregation, which ordinarily relies on geometric access to pairwise distances between updates (Shahul et al., 19 Jul 2025).
1. Problem setting and motivation
FORTA is studied in a standard cross-device federated learning setup with users and a central server. At round , the server broadcasts the current global model , user computes a local update
and the server updates the global model by aggregating user contributions: The two security objectives are secure aggregation and Byzantine robustness. Secure aggregation requires that the server should not learn each individual user’s update, and that up to colluding users should also not be able to reconstruct another user’s update. Byzantine robustness requires that up to users may be malicious, may poison model updates, and may manipulate the exchanged shares used for secure aggregation (Shahul et al., 19 Jul 2025).
The central motivation is that these objectives conflict. Krum and related robust aggregation rules need some notion of access to pairwise distances between user updates, because they identify outliers geometrically. Secure aggregation, by contrast, tries to hide those updates. The paper therefore presents FORTA as a construction for the difficult middle ground: privacy against an honest-but-curious server and colluding users, together with robustness against Byzantine users, without forcing real-valued model updates into finite-field arithmetic (Shahul et al., 19 Jul 2025).
The paper positions prior finite-field and secret-sharing approaches, especially the one by So et al., as limited by quantization mismatch, overflow or wraparound risk, accuracy loss, and a field-size tradeoff. In that framing, FORTA is intended to operate directly over the real domain and thereby avoid discretization, modular overflow issues, and the fidelity loss induced by representing floating-point vectors in a finite field (Shahul et al., 19 Jul 2025).
2. System model and real-domain coding construction
FORTA stands for Fourier-Based Outlier-Resilient Trust Aggregation. Its construction combines two ingredients: DFT-based coding or analog secret sharing for privacy, and Krum-based outlier detection for Byzantine resilience. The DFT component comes from evaluating secret-sharing polynomials at roots of unity, so the received evaluations form codewords of an DFT code (Shahul et al., 19 Jul 2025).
The threat model assumes up to Byzantine users, an honest-but-curious server, and up to 0 colluding users. The server is not modeled as actively deviating from the protocol; Byzantine behavior is attributed to users. Privacy is intended against the server and against coalitions of up to 1 users (Shahul et al., 19 Jul 2025).
Each user 2 holds a local update 3. The server and users agree on 4 evaluation points
5
where 6. User 7 forms a degree-8 secret-sharing polynomial
9
where 0 are i.i.d. random masks, each entry satisfies
1
and 2 models finite precision noise from floating-point computation. The share sent from user 3 to user 4 is
5
Because the polynomial has degree 6, fewer than 7 users cannot reconstruct 8 (Shahul et al., 19 Jul 2025).
The protocol is organized into three phases per federated learning round: real-domain secret sharing, reconstruction of pairwise differences and outlier detection using DFT-guided Krum, and secure aggregation of the selected users. This decomposition is central to the architecture because the same DFT-coded machinery is later reused both for pairwise-distance recovery and for final aggregation (Shahul et al., 19 Jul 2025).
3. Pairwise differences, DFT decoding, and secure aggregation
To compute the pairwise distances needed by Krum without revealing raw updates, user 9 computes, for every pair 0,
1
For pair 2, the corresponding difference polynomial is
3
The server receives evaluations at the roots of unity and arranges them as
4
with scalar coordinate codewords
5
Each such vector is interpreted as a noisy codeword from an 6 DFT code. The server DFT-decodes each scalar codeword, recovers the polynomial coefficients, and evaluates at 7 to obtain the desired difference coordinate up to precision or decoding error (Shahul et al., 19 Jul 2025).
The reconstructed squared pairwise distance used by Krum is written as
8
This approximate rather than exact recovery is the core source of difficulty in FORTA. The abstract explicitly states that the DFT decoder is error-free under infinite precision, whereas finite precision introduces numerical perturbations that can distort distance estimates and allow malicious updates to evade detection (Shahul et al., 19 Jul 2025).
A further component is a joint decoding strategy based on Gaussian Mixture Models. The visible version states that this decoder aggregates evidence across many codewords and produces a frequency profile
9
where 0 records how often user 1 was flagged as adversarial during DFT decoding or error localization across codewords. The paper also states that full technical details will be provided in the extended journal version, so the role of the joint decoder is specified more clearly than its full implementation (Shahul et al., 19 Jul 2025).
After outlier detection chooses a user subset 2, each user 3 computes
4
and sends 5 to the server. These are evaluations of the polynomial corresponding to the sum of selected users’ updates, and the server DFT-decodes them to reconstruct
6
The global model update is then
7
This means that FORTA uses the DFT-coded sharing mechanism both for secure pairwise-difference computation and for secure final aggregation (Shahul et al., 19 Jul 2025).
4. DFT-guided Krum and resilience analysis
Standard Krum assigns each user 8 the score
9
where 0 is the set of the 1 closest users to 2. The intuition is that honest users should be relatively close to one another, so small Krum scores indicate likely honesty. In FORTA, however, the distances supplied to Krum are reconstructed from DFT-decoded share differences and therefore are subject to finite precision perturbations and adversarial share corruption (Shahul et al., 19 Jul 2025).
The paper’s principal modification is to feed decoder-side information back into Krum. From the decoder-derived frequency profile 3, FORTA constructs soft weights
4
together with the stabilized baseline
5
The modified Krum score is then
6
The server selects the 7 users with the smallest modified scores. In the paper’s interpretation, the decoder’s statistical evidence acts as a second signal that stabilizes or corrects purely geometric Krum scoring; this is the sense in which FORTA is "DFT-guided" (Shahul et al., 19 Jul 2025).
The theoretical analysis adapts Byzantine-resilience guarantees to the secure-aggregation-induced noisy setting. The paper recalls the standard 8-Byzantine resilience notion, under which
9
It models noisy reconstructed pairwise differences as
0
with the decomposition
1
This yields surrogate noisy updates
2
with
3
and
4
Under 5 and
6
where
7
the Krum function is 8-Byzantine resilient with
9
The modified Krum theorem introduces decoder-derived random variables and provides the bound
0
with
1
The paper further gives the sufficient condition
2
In the paper’s terms, this expresses when modified Krum improves on ordinary Krum (Shahul et al., 19 Jul 2025).
5. Empirical results, trade-offs, and limitations
The experimental evaluation compares FedAvg, original Krum, and modified Krum. The reported setup uses i.i.d. MNIST and CIFAR-10, with 3 users, collusion threshold 4, Byzantine users 5, and 6 selected updates per round. Byzantine users launch model poisoning attacks by adding noise or scaling their updates, and also inject noise into secret shares to corrupt pairwise distance estimation (Shahul et al., 19 Jul 2025).
The principal empirical finding is that FedAvg performs poorly under attack, original Krum is better than FedAvg, and modified Krum outperforms original Krum, with the paper emphasizing improved robustness and more accurate aggregation than standard Krum. The visible result plots report test accuracy over training rounds on MNIST and CIFAR-10 rather than a broader battery of efficiency or ablation metrics (Shahul et al., 19 Jul 2025).
The paper also describes several trade-offs. Privacy is provided against an honest-but-curious server and up to 7 colluding users; Byzantine resilience is provided against up to 8 malicious users; and the protocol operates in the real domain rather than through finite-field quantization. At the same time, finite precision sensitivity still exists, communication overhead can be high because users exchange shares over a fully connected topology, and computation overhead can be substantial because the server decodes
9
scalar DFT codewords. Implementation complexity is therefore materially higher than in standard Krum or plain secure aggregation (Shahul et al., 19 Jul 2025).
The paper is explicit about what is not yet specified in detail. The visible version does not provide detailed model architectures, communication or computation timing, exact attack magnitudes, ablations over precision, code parameters, 0, or number of Byzantine users, comparisons against finite-field secure aggregation baselines, or full algorithmic details of the GMM-based joint decoder. It also identifies future work on reducing communication and computation overhead and on establishing convergence guarantees for modified Krum under adversarial conditions (Shahul et al., 19 Jul 2025).
6. Terminological ambiguity across literatures
The uppercase acronym FORTA refers, in the federated learning literature considered here, to "Fourier-Based Outlier-Resilient Trust Aggregation" (Shahul et al., 19 Jul 2025). The same letter sequence also appears in unrelated literatures, and the overlap is substantive enough that disambiguation is often necessary.
| Term in source | Domain | Role in the cited paper |
|---|---|---|
| FORTA | Federated learning | DFT-guided, Byzantine-resilient secure aggregation (Shahul et al., 19 Jul 2025) |
| Forta | Web3 / DeFi security | Existing Web3 security tool or baseline (Behfar et al., 2023, Cai et al., 28 Apr 2026) |
| FoRA | PEFT for LLMs | Fisher-orthogonal Rank Adaptation; “FORTA” is very likely a misspelling or variant (Park et al., 28 May 2026) |
In "Architecture of Smart Certificates for Web3 Applications Against Cyberthreats in Financial Industry" (Behfar et al., 2023), Forta is mentioned only briefly and explicitly in two places, grouped with Certik, Slither, and Securify as an example of "code scanning" or "application security testing tools" that the authors contrast with their proposed smart-certificate architecture. That paper does not integrate, implement, evaluate, or formally model Forta; it uses the name only as part of background and comparison language (Behfar et al., 2023).
In "GenDetect: Generalizing Reactive Detection for Resilience Against Imitative DeFi Attack Cascade" (Cai et al., 28 Apr 2026), Forta appears as a baseline in DeFi attack detection. On the benchmark cross-validation set reported there, Forta has F1 1, FPR 2, FNR 3, Accuracy 4, and Recall 5, while GenDetect reports F1-score 6, FPR 7, FNR 8, Accuracy 9, and Recall 0 (Cai et al., 28 Apr 2026). This is a distinct usage from the federated learning system named FORTA.
In the parameter-efficient fine-tuning literature, "FoRA: Fisher-orthogonal Rank Adaptation for Parameter-Efficient Fine-Tuning" (Park et al., 28 May 2026) is unrelated to either of the foregoing meanings. The supplied record explicitly states that “FORTA” is very likely a misspelling or variant of FoRA, and that all evidence points to FoRA being the intended reference in that context. This suggests that FORTA is not a stable single referent across machine learning and blockchain security literatures, but rather an acronym collision whose resolution depends on domain context (Park et al., 28 May 2026).