Pigeon-SL+: Enhanced Robust Split Learning
- The paper presents a robust split learning framework that partitions clients into N+1 disjoint clusters and uses a validation-based selection to isolate adversarial effects.
- It enhances throughput by repeating training on the selected cluster, restoring the effective update count to match vanilla split learning's M client updates per round.
- Empirical tests on MNIST and CIFAR-10 demonstrate stable convergence and improved robustness under attacks like label flipping, activation, and gradient tampering.
Searching arXiv for the exact paper and closely related split-learning context. Pigeon-SL+ is the enhanced variant of Pigeon-SL, a robust split learning framework for edge intelligence under malicious clients, introduced to preserve the robustness benefits of cluster-based split learning while restoring the update throughput of vanilla SL. In the formulation of the underlying paper, an access point partitions clients into disjoint clusters when at most clients are adversarial, trains each cluster independently via vanilla SL, evaluates each resulting model on a shared validation dataset, and advances only the cluster with the lowest validation loss. Pigeon-SL+ adds repeated training on the selected cluster within the same global round, so that the effective number of sequential client updates matches standard SL while retaining the pigeonhole-principle guarantee that at least one cluster is entirely honest (Park et al., 4 Aug 2025).
1. Scope, nomenclature, and problem setting
The exact designation Pigeon-SL+ belongs to the split learning system presented in “Pigeon-SL: Robust Split Learning Framework for Edge Intelligence under Malicious Clients” (Park et al., 4 Aug 2025). This is distinct from unrelated arXiv systems that also use the name “PIGEON,” including the image geolocalization model “PIGEON: Predicting Image Geolocations” (Haas et al., 2023) and the object-navigation framework “PIGEON: VLM-Driven Object Navigation via Points of Interest Selection” (Peng et al., 17 Nov 2025). In technical usage, therefore, Pigeon-SL+ denotes the enhanced split-learning variant rather than a geolocation or embodied-navigation model.
The problem addressed by Pigeon-SL+ arises from the sequential dependency structure of vanilla split learning. In vanilla SL, training proceeds across clients in a single chain per global round, and each mini-batch update depends on the previous client’s output. The paper identifies this sequential update process as vulnerable to even a single malicious client, because adversarial perturbations at the cut layer or in backpropagated gradients can corrupt subsequent updates and significantly degrade model accuracy (Park et al., 4 Aug 2025).
The formal setting assumes clients, indexed by , with at most adversarial participants. Honest and adversarial clients form a partition of the client set. The access point orchestrates split training, collects cut-layer activations and gradients, and evaluates models on a shared validation dataset
which is sampled by the access point from and broadcast to all clients pre-training. Each client holds a local dataset
and training uses mini-batch SGD (Park et al., 4 Aug 2025).
2. Clustered split learning and the core Pigeon-SL mechanism
Pigeon-SL operates by replacing the single sequential client chain of vanilla SL with clustered training. In each global round 0, the access point partitions the clients into
1
disjoint clusters
2
typically of size 3 when divisibility permits. These clusters satisfy disjointness and coverage:
4
Each cluster is then trained independently via vanilla SL, sequentially over its members, for 5 local mini-batch updates per client per round (Park et al., 4 Aug 2025).
Let
6
denote the full model parameters, partitioned into client-side and access-point-side components. Within a cluster, a mini-batch update on batch 7 of size 8 from client 9 takes the form
0
1
After all clients in cluster 2 complete their sequential updates, the cluster yields candidate weights 3 (Park et al., 4 Aug 2025).
Selection is performed by shared validation. The access point computes, for each cluster,
4
and advances only the best cluster:
5
This selection rule is the operational center of the method: the access point keeps only the model that performs best on a shared reference set, thereby isolating clusters whose updates have likely been degraded by adversarial behavior (Park et al., 4 Aug 2025).
The attacks considered in the experiments are three representative forms of client-side tampering. In label flipping, a label 6 is replaced by 7, exemplified in the paper by 8. In activation tampering, distorted cut-layer activations are sent according to
9
with 0 scaled to match norm. In gradient tampering, cut-layer gradients are reversed before local updates:
1
These attack models define the empirical threat surface against which Pigeon-SL and Pigeon-SL+ are evaluated (Park et al., 4 Aug 2025).
3. Pigeonhole-principle guarantee and selection integrity
The formal robustness argument is based on the pigeonhole principle. If there are at most 2 adversarial clients and the access point partitions the client set into 3 disjoint clusters, then at least one cluster must be entirely honest. The statement is given explicitly as:
“4 such that 5.”
The proof is immediate: if every cluster contained at least one adversary, then the system would require at least 6 adversarial clients, contradicting the assumption 7. The guarantee does not depend on equal cluster size; balanced partitions are recommended for throughput and fairness, but the existential honesty guarantee requires only disjointness and full coverage (Park et al., 4 Aug 2025).
This guarantee by itself ensures that one undisturbed training trajectory exists in every round, but the framework depends equally on the validation-based selection rule to identify a usable cluster. The paper’s rationale is that scoring all clusters on the same 8 makes malicious tampering increase validation loss on average, pushing corrupted clusters out of selection. This suggests that the robustness of the scheme is not purely combinatorial; it also depends on the discriminative quality of the shared validation dataset (Park et al., 4 Aug 2025).
The paper also addresses a more specific integrity issue: a malicious final client could attempt to reduce a cluster’s validation loss and then swap parameters. The described defense is a next-round consistency check on cut-layer activations using 9. If the first clients in the new clusters transmit 0 and the access point detects disagreement with the last honest 1, it rejects the tampered state and reverts to a different selected cluster. This mechanism is presented as discouraging tampering and protecting selection integrity (Park et al., 4 Aug 2025).
4. The “plus” enhancement: throughput restoration by repeated training
Pigeon-SL is robust, but it advances only one cluster’s weights per round. Since each cluster contains approximately 2 clients, the number of effective sequential client updates contributing to the next global state is reduced relative to vanilla SL. The paper formalizes this as update throughput:
3
This throughput reduction motivates Pigeon-SL+ (Park et al., 4 Aug 2025).
Pigeon-SL+ restores the update throughput of vanilla SL by repeating training on the selected cluster. After the access point chooses 4, it continues training only on 5 for an additional 6 subrounds within the same global round. The repeat count is
7
Because the selected cluster contains 8 clients, repeating its sequential pass 9 times yields
0
The result is that Pigeon-SL+ matches vanilla SL’s per-round client update count while retaining the cluster-selection robustness mechanism (Park et al., 4 Aug 2025).
A compact comparison is as follows.
| Method | Effective updates advanced per round | Selection mechanism |
|---|---|---|
| Vanilla SL | 1 | None |
| Pigeon-SL | 2 | Lowest validation-loss cluster |
| Pigeon-SL+ | 3 | Lowest validation-loss cluster, then repeated training on selected cluster |
The operational implication is precise. Pigeon-SL+ does not alter the criterion for cluster choice; it alters only the amount of training performed after a cluster has been chosen. This is why the paper characterizes it as an efficiency enhancement rather than a different robustness principle. The selected cluster is trained sequentially 4 times in the same round, and only that cluster’s weights continue to evolve during the repeated subrounds (Park et al., 4 Aug 2025).
5. Convergence, overhead, and analytical properties
The convergence analysis is stated under four standard non-convex stochastic assumptions. Each local loss 5 is assumed 6-smooth:
7
Stochastic gradients are unbiased:
8
Their variance is bounded:
9
Data heterogeneity is modeled through bounded gradient mismatch:
0
where
1
These assumptions allow non-IID data through the parameter 2 (Park et al., 4 Aug 2025).
Under mini-batch SGD within each cluster and selection by minimum validation loss, the paper gives a convergence theorem stating that for step size
3
the expected squared gradient norm satisfies an upper bound containing terms due to objective decrease, heterogeneity 4, and stochastic variance 5. With
6
the rate becomes
7
plus lower-order terms reflecting 8 and 9. The paper emphasizes that, despite clustering and selection, the rate matches standard non-convex SGD rates (Park et al., 4 Aug 2025).
The framework also incurs explicit communication and computation overheads. If 0 is the cut-layer dimension, 1 the client-side parameter count, 2 the client-side cost per forward+backward, and each client has approximately 3 training samples, then the total per-global-epoch overheads are:
- Vanilla SL Communication:
4
Computation:
5
- Pigeon-SL Communication:
6
Computation:
7
- Pigeon-SL+ Communication:
8
Computation:
9
These formulas clarify the central trade-off. Pigeon-SL incurs validation overhead because all clusters must be scored on the shared dataset, and Pigeon-SL+ adds extra training on the selected cluster to recover throughput. The paper’s interpretation is that both methods exchange moderate overhead for robustness, with Pigeon-SL+ explicitly paying additional compute to regain vanilla-SL-level progress per round (Park et al., 4 Aug 2025).
6. Experimental behavior, implementation details, and limitations
The empirical evaluation uses MNIST and CIFAR-10. For MNIST, the model is a CNN with two convolutional layers with 2 and 4 filters of size 0 with padding 2, followed by a 32-node fully connected cut layer and a 10-node output layer. For CIFAR-10, the model is a CNN with three convolutional layers with 32, 64, and 128 filters of size 1, followed by four fully connected layers of sizes 256, 128, 64, and 10, with the first fully connected layer serving as the cut layer (Park et al., 4 Aug 2025).
The reported training settings are explicit. On MNIST:
- 2, 3, 4, 5, 6, 7
- 8 and therefore 9
On CIFAR-10:
- 0, 1, 2, 3, 4, 5
- 6 and therefore 7
The SplitFed baseline is trained with a learning rate scaled by a factor of 10 to match SL’s speed: 8 for MNIST and 9 for CIFAR-10 (Park et al., 4 Aug 2025).
The paper reports qualitative outcome patterns rather than a single aggregate score. Under MNIST with 00, vanilla SL exhibits large accuracy fluctuations under label flipping and gradient tampering, whereas Pigeon-SL and Pigeon-SL+ train stably and converge faster with higher final accuracy than SplitFed. Under activation tampering, vanilla SL converges initially, but Pigeon-SL+ reaches better final accuracy due to robustness. Under CIFAR-10 with 01, activation tampering causes vanilla SL to fail to learn, while Pigeon-SL and Pigeon-SL+ succeed. Across attacks, SplitFed learns very slowly, and Pigeon-SL+ is described as consistently faster and more accurate. Across all tested values of 02, performance degrades as 03 increases, but Pigeon-SL+ retains stability (Park et al., 4 Aug 2025).
Several practical constraints qualify these results. The framework recommends random balanced partitioning, although the honesty guarantee itself does not require equal-sized clusters. The cluster count should be set to
04
If 05 is overestimated, training slows because overhead increases; if it is underestimated so that the actual number of adversaries exceeds 06, the honest-cluster guarantee can fail. The shared validation set 07 must be representative and sufficiently large to distinguish honest from tampered updates. Training remains sequential within each cluster, so stragglers affect cluster latency, although cluster-level parallelism can still be exploited at the access point. The theoretical analysis accommodates non-IID data through 08, and the paper notes that validation-based selection empirically helps counteract skewed local updates (Park et al., 4 Aug 2025).
In this sense, Pigeon-SL+ is best understood as a robustness-through-selection architecture with an explicit throughput compensation layer. Its distinctive contribution is not merely the observation that clustered SL can tolerate malicious clients, but the more specific claim that repeating training on the selected cluster restores the per-round update count of vanilla SL without abandoning the pigeonhole-principle protection that makes the original Pigeon-SL scheme robust (Park et al., 4 Aug 2025).