Pigeon-SL: Robust Split Learning Framework
- Pigeon-SL is a split learning framework that employs clustering based on the pigeonhole principle to ensure at least one entirely honest client cluster.
- It integrates independent vanilla split learning within clusters with a shared validation set to select the best update, safeguarding against label flipping, activation, and gradient attacks.
- Pigeon-SL+ enhances throughput by repeating training on the selected cluster, matching the update rate of standard split learning while maintaining robustness.
Pigeon-SL is a robust split learning framework for edge intelligence under malicious clients that addresses the vulnerability of sequential split learning updates to even a single adversarial participant. The method is grounded in the pigeonhole principle: among total clients, if at most are malicious, partitioning the population into disjoint clusters guarantees that at least one cluster is entirely honest. In each global round, an access point trains all clusters independently via vanilla split learning, evaluates their validation losses on a shared dataset, and retains only the cluster with the lowest loss as the global model update. Its enhancement, Pigeon-SL+, repeats training on the selected cluster to match the update throughput of standard split learning while preserving the robustness conferred by cluster selection (Park et al., 4 Aug 2025).
1. Problem formulation and design objective
Pigeon-SL is situated in split learning (SL), a framework described as privacy-preserving and communication-efficient for distributed learning at the network edge. The motivating problem is that SL’s sequential update process is vulnerable to even a single malicious client, and such a client can significantly degrade model accuracy. Pigeon-SL is proposed to isolate and discard malicious updates without relying on outlier detection or reputation systems (Park et al., 4 Aug 2025).
The framework assumes total clients and an unknown adversarial set satisfying . Its objective is not to identify malicious clients individually, but to ensure that training can proceed by selecting an update trajectory generated by at least one entirely honest cluster. This design choice makes the method cluster-centric rather than client-centric: the selection primitive is a validation loss over independently trained clusters rather than a direct estimate of per-client trustworthiness.
The abstract situates the approach in future intelligent wireless networks and evaluates it under three representative attack models: label flipping, activation manipulation, and gradient manipulation. Within that scope, the central claim is robustness under malicious clients while maintaining the communication-efficient structure of split learning (Park et al., 4 Aug 2025).
2. Pigeonhole principle and robustness guarantee
The theoretical core of Pigeon-SL is a clustering rule based on
The clients are partitioned into disjoint clusters , each of size
0
with 1 assumed integer (Park et al., 4 Aug 2025).
Let 2 denote the unknown adversarial set with 3. The guarantee is that at least one cluster contains no adversarial client. The proof is by contradiction. If every cluster contained at least one adversarial client, then
4
Since there are 5 clusters, this would imply at least 6 distinct adversaries and hence
7
contradicting the assumption 8. Therefore,
9
The paper explicitly casts this as a pigeonhole argument: 0 adversaries are the “pigeons,” and 1 clusters are the “holes,” so at least one hole is empty of pigeons (Park et al., 4 Aug 2025).
A common misunderstanding is to interpret this result as implying that most clusters are honest. The guarantee is weaker and more precise: it ensures the existence of at least one entirely honest cluster, not a majority of honest clusters. The framework then converts that existential guarantee into an operational defense by evaluating all clusters and retaining only the one with the lowest validation loss. This suggests that the method’s robustness depends jointly on the combinatorial clustering argument and on the discriminative power of the shared validation set.
3. Cluster formation and intra-cluster split learning
At the beginning of each global round 2, the access point performs random cluster partitioning. With 3 and 4, it randomly permutes the list of clients and slices it into consecutive blocks: 5 Each cluster model is then initialized to the current global parameters 6 (Park et al., 4 Aug 2025).
Within each cluster 7, training follows vanilla SL in sequence. The global parameter vector before round 8 is written as
9
where 0 resides on the client side, 1 resides on the access-point side, and the cut-layer has dimension 2 (Park et al., 4 Aug 2025).
For each client 3, the protocol repeats 4 mini-batch steps of size 5. On the forward pass, for each sample 6,
7
the client sends 8 and 9 to the access point, and the loss 0 is computed. On the backward pass, the access point computes 1 and the cut-layer gradient
2
returns 3 to the client, and the client computes 4. Parameter updates use learning rate 5: 6 After all 7 clients in cluster 8 finish their local 9 updates sequentially, the cluster output is
0
This preserves the standard split-learning execution pattern within each cluster while moving robustness to the inter-cluster level (Park et al., 4 Aug 2025).
4. Validation-based selection and the Pigeon-SL+ enhancement
After cluster-level training, the access point evaluates each cluster using a small shared validation set 1 of size 2. For cluster 3, the validation loss is
4
The selected cluster is
5
and only its parameters are retained: 6 The method therefore treats validation loss as the sole selection criterion; no outlier detection or reputation mechanism is introduced (Park et al., 4 Aug 2025).
In vanilla Pigeon-SL, only one of the 7 clusters’ updates is kept per epoch. Since each cluster contains 8 clients, the retained trajectory contributes 9 updates, whereas vanilla SL uses 0 updates. Pigeon-SL+ is introduced to match throughput. It first runs the 1 clusters in parallel as in Pigeon-SL and selects the best cluster 2. It then repeats vanilla SL steps on cluster 3 for 4 additional sub-rounds. The total number of updates on 5 becomes
6
which restores the same number of client updates per global iteration while preserving the robustness conferred by cluster selection (Park et al., 4 Aug 2025).
A plausible implication is that Pigeon-SL and Pigeon-SL+ differ not in their robustness primitive, which remains loss-based cluster selection, but in the amount of optimization progress extracted from the selected honest trajectory per global round. The data expressly states that Pigeon-SL+ “recovers full update throughput” and “matches vanilla SL’s throughput” (Park et al., 4 Aug 2025).
5. Communication, computation, and convergence characteristics
The complexity analysis is stated per global epoch. Let each client have 7 total samples, so that 8 mini-batches are processed. Let 9 denote the FLOPs for one client-side forward+backward pass, and let 0 denote the client-side model size (Park et al., 4 Aug 2025).
| Configuration | Communication overhead | Client-side computation cost |
|---|---|---|
| Vanilla SL (all 1 clients) | 2 | 3 |
| Pigeon-SL (total clients) | 4 | 5 |
| Pigeon-SL+ (total clients) | 6 | 7 |
The interpretation supplied in the source is that Pigeon-SL adds the extra cost of validating 8 clusters on 9 samples, with two transmissions per sample, and that Pigeon-SL+ repeats training on the selected cluster 0 more times to match the total of 1 client updates (Park et al., 4 Aug 2025).
The framework’s stated strengths include provable robustness via pigeonhole clustering, absence of outlier detection or reputation systems, and recovery of full update throughput in Pigeon-SL+. The source also states a convergence rate of
2
under standard smoothness and bounded-variance assumptions (Park et al., 4 Aug 2025). This places the method within the standard nonconvex stochastic optimization regime commonly used to characterize distributed learning procedures, although no further derivation is given in the provided material.
6. Threat models, empirical evaluation, and limitations
The evaluation covers three attack models mounted by malicious clients during their turn. In label flipping, attackers replace the true label 3 with 4. In activation tampering, instead of forwarding the cut-layer activation 5, they send
6
In gradient tampering, they invert the cut-layer gradient returned by the server: 7 These three threat models define the paper’s operational notion of malicious behavior (Park et al., 4 Aug 2025).
The experimental setup uses MNIST and CIFAR-10. For MNIST, the model is two convolutional layers followed by a 32-unit cut layer and a 10-way output; 8, 9, 0, and 1. For CIFAR-10, the model is three convolutional layers followed by four fully connected layers with a 256-dimensional cut; 2, 3, 4, and 5. The shared validation set has 6 (Park et al., 4 Aug 2025).
The reported quantitative outcomes under 7 or 8 adversaries are as follows:
| Setting | Reported outcome |
|---|---|
| Label flipping on MNIST with 9 | Vanilla SL oscillates around 70–80% and never stabilizes; SplitFed Learning converges slowly to 00; Pigeon-SL reaches 01 rapidly; Pigeon-SL+ reaches 02 and matches vanilla SL’s throughput |
| Activation tampering on CIFAR-10 with 03 | Vanilla SL fails at 04 random-guessing; SplitFed reaches 05 in 200 rounds; Pigeon-SL reaches 06; Pigeon-SL+ reaches 07 |
| Gradient tampering | Pigeon-SL+ consistently outperforms baselines by 20–30 percentage points in final accuracy |
These results are presented as evidence of significant improvements in accuracy and resilience over baseline SL methods in the specified settings (Park et al., 4 Aug 2025). A common misconception would be to treat the guarantee of one honest cluster as by itself sufficient to ensure good performance. The reported workflow makes clear that empirical robustness also depends on the validation-and-selection stage and on the presence of a shared validation dataset 08.
The stated limitations and future directions are equally specific. Pigeon-SL incurs extra communication for validation samples and assumes a known upper bound 09 on the number of malicious clients; adaptive 10 estimation is left open. Additional directions include extending the approach to fully asynchronous split learning or non-IID data distributions, integrating differential privacy or cryptographic validation to guard the shared set 11, and exploring hierarchical cluster selections or dynamic cluster sizing (Park et al., 4 Aug 2025). These limitations delineate the current scope of the method: it is lightweight and theoretically grounded, but its guarantees are parameterized by prior knowledge of the adversarial budget and by the availability of a trusted validation resource.