Marvin Xhemrishi

CR
h-index: 18
5 papers
42 citations
Novelty: 43%
AI Score: 31

5 Papers

CR | Jun 30, 2025
Detect & Score: Privacy-Preserving Misbehaviour Detection and Contribution Evaluation in Federated Learning

Marvin Xhemrishi, Alexandre Graell i Amat, Balázs Pejó

Federated learning with secure aggregation enables private and collaborative learning from decentralised data without leaking sensitive client information. However, secure aggregation also complicates the detection of malicious client behaviour and the evaluation of individual client contributions to the learning. To address these challenges, QI (Pejo et al.) and FedGT (Xhemrishi et al.) were proposed for contribution evaluation (CE) and misbehaviour detection (MD), respectively. QI, however, lacks adequate MD accuracy due to its reliance on the random selection of clients in each training round, while FedGT lacks the CE ability. In this work, we combine the strengths of QI and FedGT to achieve both robust MD and accurate CE. Our experiments demonstrate superior performance compared to using either method independently.

LG | May 9, 2023
FedGT: Identification of Malicious Clients in Federated Learning with Secure Aggregation

Marvin Xhemrishi, Johan Östman, Antonia Wachter-Zeh et al.

We propose FedGT, a novel framework for identifying malicious clients in federated learning with secure aggregation. Inspired by group testing, the framework leverages overlapping groups of clients to identify the presence of malicious clients in the groups via a decoding operation. The clients identified as malicious are then removed from the model training, which is performed over the remaining clients. By choosing the size, number, and overlap between groups, FedGT strikes a balance between privacy and security. Specifically, the server learns the aggregated model of the clients in each group - vanilla federated learning and secure aggregation correspond to the extreme cases of FedGT with group size equal to one and the total number of clients, respectively. The effectiveness of FedGT is demonstrated through extensive experiments on the MNIST, CIFAR-10, and ISIC2019 datasets in a cross-silo setting under different data-poisoning attacks. These experiments showcase FedGT's ability to identify malicious clients, resulting in high model utility. We further show that FedGT significantly outperforms the private robust aggregation approach based on the geometric median recently proposed by Pillutla et al. in multiple settings.

IT | Feb 28, 2022
Computational Code-Based Privacy in Coded Federated Learning

Marvin Xhemrishi, Alexandre Graell i Amat, Eirik Rosnes et al.

We propose a privacy-preserving federated learning (FL) scheme that is resilient against straggling devices. An adaptive scenario is suggested where the slower devices share their data with the faster ones and do not participate in the learning process. The proposed scheme employs code-based cryptography to ensure computational privacy of the private data, i.e., no device with bounded computational power can obtain information about the other devices' data in feasible time. For a scenario with 25 devices, the proposed scheme achieves a speed-up of 4.7 and 4 for 92 and 128 bits security, respectively, for an accuracy of 95% on the MNIST dataset compared with conventional mini-batch FL.

CR | Feb 3, 2022
The Wiretap Channel for Capacitive PUF-Based Security Enclosures

Kathrin Garb, Marvin Xhemrishi, Ludwig Kürzinger et al.

In order to protect devices from physical manipulations, protective security enclosures were developed. However, these battery-backed solutions come with a reduced lifetime, and have to be actively and continuously monitored. In order to overcome these drawbacks, batteryless capacitive enclosures based on Physical Unclonable Functions (PUFs) have been developed that generate a key-encryption-key (KEK) for decryption of the key chain. In order to reproduce the PUF-key reliably and to compensate the effect of noise and environmental influences, the key generation includes error correction codes. However, drilling attacks that aim at partially destroying the enclosure also alter the PUF-response and are subjected to the same error correction procedures. Correcting attack effects, however, is highly undesirable as it would destroy the security concept of the enclosure. In general, designing error correction codes such that they provide tamper-sensitivity to attacks, while still correcting noise and environmental effects is a challenging task. We tackle this problem by first analyzing the behavior of the PUF-response under external influences and different post-processing parameters. From this, we derive a system model of the PUF-based enclosure, and construct a wiretap channel implementation from q-ary polar codes. We verify the obtained error correction scheme in a Monte Carlo simulation and demonstrate that our wiretap channel implementation achieves a physical layer security of 100 bits for 306 bits of entropy for the PUF-secret. Through this, we further develop capacitive PUF-based security enclosures and bring them one step closer to their commercial deployment.

IT | Dec 4, 2021
Analysis of Communication Channels Related to Physical Unclonable Functions

Georg Maringer, Marvin Xhemrishi, Sven Puchinger et al.

Cryptographic algorithms rely on the secrecy of their corresponding keys. On embedded systems with standard CMOS chips, where secure permanent memory such as flash is not available as a key storage, the secret key can be derived from Physical Unclonable Functions (PUFs) that make use of minuscule manufacturing variations of, for instance, SRAM cells. Since PUFs are affected by environmental changes, the reliable reproduction of the PUF key requires error correction. For silicon PUFs with binary output, errors occur in the form of bitflips within the PUF's response. Modelling the channel as a Binary Symmetric Channel (BSC) with fixed crossover probability $p$ is only a first-order approximation of the real behavior of the PUF response. We propose a more realistic channel model, referred to as the Varying Binary Symmetric Channel (VBSC), which takes into account that the reliability of different PUF response bits may not be equal. We investigate its channel capacity for various scenarios which differ in the channel state information (CSI) present at encoder and decoder. We compare the capacity results for the VBSC for the different CSI cases with reference to the distribution of the bitflip probability according to a work by Maes et al.