PPRD-FL: Privacy-Preserving Federated Learning Based on Randomized Parameter Selection and Dynamic Local Differential Privacy

Abstract

As traditional federated learning algorithms often fall short in providing privacy protection, a growing body of research integrates local differential privacy methods into federated learning to strengthen privacy guarantees. However, under a fixed privacy budget, with the increase in the dimensionality of model parameters, the privacy budget allocated per parameter diminishes, which means that a larger amount of noise is required to meet privacy requirements. This escalation in noise may adversely affect the final model’s performance. For that, we propose a privacy protection federated learning (PPRD-FL) approach. First, we design a randomized parameter selection strategy that combines randomization with importance-based filtering, effectively addressing the privacy budget dilution problem by selecting only the most crucial parameters for global aggregation. Second, we develop a dynamic local differential privacy-based perturbation mechanism, which adjusts the noise levels according to the training phase, not only providing robustness and security but also optimizing the dynamic allocation of the privacy budget. Finally, our experiments have demonstrated that the proposed approach maintains a high performance while ensuring strong privacy guarantees.

1. Introduction

The advancement of big data has propelled artificial intelligence to a new stage. To uncover the “secrets” hidden within massive datasets, it is essential to develop higher-precision learning models capable of capturing the inherent features of the data. How-ever, this requires a large amount of high-quality data as support. Recent studies have explored solutions through information fusion [1,2]. Nevertheless, high-quality data often contain participants’ private information. With the growing emphasis on personal privacy, many participants are disinclined to share their data, making information fusion even more difficult.

In this context, Google presented the idea of federated learning (FL) [3] in 2016. FL allows multiple entities to collaboratively develop a shared global model while keeping private data localized, thereby ensuring data confidentiality and safety. Although FL offers some degree of privacy protection, this is far from sufficient. Research [4,5,6,7,8] has shown that there remains a potential risk of privacy data leakage during parameter transmission. Some existing attack methods in machine learning, such as inference attacks, model inversion attack, and reconstruction attacks, can infer local data from intermediate parameters, potentially compromising sensitive local data, as shown in Figure 1. Reference [9] demonstrates that sensitive information from a individual dataset may be obtained through an individual trained model. Reference [10] shows that with certain attacks, raw data may be reconstructed using model parameters sent by FL participants, which can lead to privacy breaches. Therefore, strengthening the privacy protection of federated learning is an urgent challenge that must be resolved.

In recent years, various methods have emerged to address privacy issues in FL, which can generally be classified into two categories: cryptographic algorithms and differential privacy (DP). Most cryptographic algorithms use homomorphic encryption (HE) [11,12], which can provide a high standard of privacy protection by allowing calculations to be carried out on encrypted data. However, for complex data and operations, HE incurs significant computational overhead, which may adversely affect system performance. Compared to encryption algorithms, DP offers a clear lightweight advantage, making it more applicable and useful. DP, in general, requires the entire system or dataset to adhere to differential privacy constraints during aggregation, but without the presence of a trusted third party, it is not ideal for privacy protection in distributed architectures such as FL. Therefore, based on DP, local differential privacy (LDP) [13,14,15] has been introduced, where each data holder randomizes their data prior to transmission to the central server, thereby ensuring privacy protection, with data privacy protection occurring at the data source end. However, in LDP, as the dimensionality of the parameters increases, the privacy budget allocated to each parameter diminishes, resulting in a greater variance introduced by the perturbation mechanism. This increased variance may lead to instability during the model training process, impacting the model’s final performance.

Furthermore, current research on LDP predominantly focuses on fixed noise perturbation, where the noise remains constant across global iterations. This approach may result in an increased training or convergence time, potentially reducing model performance [16]. Alternatively, it is feasible to permit the variance of DP perturbation to adjust dynamically across multiple global aggregation rounds, thereby boosting the model performance of FL without affecting the level of privacy preserving. Specifically, at the initial phase of the FL process, a smaller perturbation noise is expected to facilitate convergence [17]. As the training progresses and the model approaches convergence, the noise can be gradually increased to maintain a high level of privacy protection while still ensuring efficient learning, and it can better adapt to the evolving needs of the training process. This dynamic adjustment helps mitigate the conflict between privacy protection and model performance, and is conducive to adjusting the allocation of the privacy budget, potentially enhancing both the learning efficiency and accuracy.

In response to the issues outlined above, this article proposes an LDP-based privacy-preserving FL approach. This is particularly crucial for applications in sensitive fields such as healthcare, finance, and IoT, where ensuring privacy is essential for protecting personal information while still enabling the benefits of collaborative data usage. Specifically, we employ a randomized parameter selection strategy in conjunction with the dynamic LDP mechanism to enhance the privacy protection of participants in the FL. The main contributions of this paper are outlined as follows:

• We propose a novel randomized parameter selection strategy (R-PSS), which selects parameters for global aggregation based on their importance in the network, while incorporating controlled randomness to further enhance the process. This strategy effectively mitigates privacy budget dilution, improving the trade-off between privacy and model usability;
• We introduce a dynamic local differential privacy mechanism, where the standard deviation of the perturbation mechanism varies dynamically with global aggregation. This adaptive approach ensures robust privacy protection while minimizing noise, addressing the key privacy challenges in federated learning;
• We conducted a comprehensive privacy analysis to demonstrate the feasibility of the proposed approach. Compared to existing methods, the proposed approach achieves better privacy protection while preserving model performance.

2. Related Work

2.1. Privacy-Preserving Techniques in Federated Learning

Federated learning requires participants to upload model parameters for global optimization, which can lead to privacy risks during data transmission. To address these concerns, privacy-preserving techniques like secure aggregation [18], homomorphic encryption [19], and differential privacy [20] have been proposed. Wang et al. [21] propose VOSA, a verifiable and oblivious secure aggregation protocol that utilizes aggregator oblivious encryption and dynamic group management to protect local gradients, ensure result verifiability, and tolerate user dropouts in federated learning. Xu et al. [22] propose PPFDL, a privacy-preserving federated deep learning framework that uses homomorphic encryption to protect data confidentiality and mitigate the impact of low-quality data from irregular users. Chen et al. [23] propose PDLHR, a privacy-preserving deep learning model using homomorphic re-encryption to enhance efficiency and security in robot systems while protecting data privacy. Guo et al. [24] propose an improved differential privacy algorithm for federated learning, utilizing Fast Fourier Transform and Privacy Loss Distribution to enhance privacy protection, minimize resource limitations, and balance privacy and utility during model training. Shen et al. [25] propose PEDPFL, a differential privacy-based federated learning algorithm that improves model robustness against DP noise using a classifier-perturbation regularization method. However, secure aggregation primarily focuses on aggregating encrypted model updates but may still expose sensitive information during the aggregation process. Homomorphic encryption provides strong security guarantees but suffers from high computational complexity and inefficiency, especially for large-scale models. Differential privacy offers a robust privacy framework but it relies on a trusted third party for the aggregation of data.

2.2. Challenges and Applications in Local Differential Privacy

LDP achieves privacy protection by performing noise addition locally. With the in-creasing interest in LDP, many scholars have conducted in-depth research. Zhao et al. [26] integrates FL and LDP for IoV, proposing efficient mechanisms to enhance privacy, reduce costs, and maintain utility. Liu et al. [27] introduced the FedSel algorithm, which selects only the most significant dimensions to add noise, reducing the variance of LDP noise. Chen et al. [28] introduced a layer-wise LDP method, which perturbs each layer of the local model based on the privacy budget assigned to the clients. Kang et al. [29] introduced a novel DP-based FL scheme (NBAFL), which adds artificial noise to client parameters prior to aggregation. Chen et al. [13] proposes SPM to enhance privacy and accuracy in federated learning by reducing noise variance under smaller privacy budgets. However, in practice, deep learning models often produce a considerable number of high-dimensional parameters. In the LDP mechanism, as the dimensionality of the parameters increases, the total privacy budget required to maintain consistent privacy protection across all parameters also expands. This implies that, under a fixed privacy budget, a higher dimensionality of parameters requires injecting larger noise into each dimension.

In addition, Recent studies have also paid attention to the issue of parameter dimensionality. Shin et al. [30] addressed the parameter dependence issue using dimensionality reduction techniques. However, this method randomly discards certain parameters, even those that may have a significant contribution to the model, which could greatly impact the final model effectiveness. Sun et al. [31] combines NF-DP (Noise-Free Differential Privacy) with model distillation to effectively manage the balance between confidentiality and performance. Sun et al. [32] addressed the issue of dimensionality in federated learning by introducing a method that splits and shuffles model updates. Song et al. [33] introduced ASPFL, which is an efficient federated learning approach that combines adaptive sparsity-based pruning with differential privacy. Wang et al. [34] proposed PPeFL, which uses three LDP mechanisms to reduce privacy budget growth, improve performance, and enhance the communication efficiency. However, the effectiveness of their method in achieving its intended purpose requires further examination, and they take fixed DP noise perturbations into account more, which can require long training or convergence times.

Therefore, we aim to propose a privacy-preserving method that avoids the drawbacks mentioned above, ensuring that the training accuracy is not significantly compromised. In comparison to existing privacy-preserving federated learning models, our approach maintains an excellent model performance while ensuring a higher level of privacy protection. The relevant symbols and parameters presented in this paper are shown in

Table 1. Relevant symbols and parameters.

Symbol	Definitions
$N$	The number of participants
$K_i$	The i-th participant
$D,D^{\prime }$	The dataset differing by one element
$D_i$	The dataset of the i-th participant
$F_i(w)$	The local loss function of the i-th participant
$F(w)$	Global loss function
$w^{*}$	$\mathrm{Optimization} \mathrm{of} \mathrm{the} \mathrm{global} \mathrm{loss} \mathrm{function} F(w)$
$w(t)$	The global model parameters at the t-th iteration
$w_i(t)$	The local model parameters of the i-th participant
$\epsilon$	Privacy budget
$\delta$	Maximum allowable probability of privacy leakage
$\Delta f$	Sensitivity
$C$	Parameter Clipping Threshold

.

3. Preliminaries

3.1. Federated Learning

FL architectures usually involve two primary roles: the server and the participants. Assume there are $N$ participants, each holding an independent dataset $D_i$ with the same set of features, while the network model architecture used during training is also identical. In FL, each participant $K_i$($i\in \{1,2,\dots ,N\}$) builds a model from their local dataset without sharing the local data. The objective of these participants to train a convergent model that meets the requirements of multiple parties, which involves finding an optimal model parameter to achieve the minimization of the given loss function [3]. The optimization process can be described as follows:

The local loss function $F_i(w_i)$ corresponding to the participant $K_i$ can be written as

$$F_i(w_i)={\displaystyle \frac{1}{D_i}}{\displaystyle \sum _{j=1}^{D_i}{f}_j(x_j,w_i)}$$

(1)

where $w_i$ represents the model parameters of participant $K_i$; $D_i$ denotes the size of the dataset belonging to participant $K_i$; and $f_j(x_j,w_i)$ denotes the loss function for each sample $x_j$ in participant $K_i^{\prime }s$ dataset.

The global loss function $F(w)$ at the server side is defined as the weighted mean of the local loss functions across all participants:

$$F(w)={\displaystyle \sum _{i=N}\frac{D_i}{D}{F}_i(w_i)}$$

(2)

where $w$ represents the global model parameters and $D={\displaystyle {\sum }_{i=1}^N{D}_i}$ represents the aggregate number of samples across all participants.

Therefore, FL aims to optimize the global model parameters $w^{\ast }$ by minimizing the global loss function $F(w)$. The optimization objective is defined as

$$w^{*}=\arg \underset{w}{\min }F(w)$$

(3)

In FL, participants engage in multiple rounds of model parameter exchanges with the server, where each round is called a global iteration. The following describes the process:

Step 1: model initialization: the server generates the global model’s initial parameters $w_0$ and distributes these parameters to all the participants.

Step 2: participant-side training: In this phase, each participant initializes their local model $w_i(t)$ using the global model parameters $w(t)$ provided by the server. Subsequently, multiple iterations of training are performed on their respective local datasets $D_i$.

Step 3: parameter upload: after completing local training, each participant submits the newly trained model parameters ${w^{\prime }}_i(t)$ to the server for aggregation.

Step 4: parameter aggregation: following the receival of updated model parameters from all participants, the server undertakes the task of aggregating these parameters to compute a new global model $w(t+1)$.

Step 5: parameter distribution: the server redistributes the newly aggregated results $w(t+1)$ to all participants.

Step 6: continue iterating through steps 2 to 5 until the global model converges or the maximum training iterations are completed.

3.2. Potential Threats

We assume that the server operates under the premise of being honest yet curious; while it strictly adheres to the FL training protocol, there remains a potential risk of obtaining the participants’ private information. In addition, external attackers may attempt to acquire the participants’ sensitive information. Although users of the FL can locally retain and train their dataset, the local model parameters communicated between participants and the server may jeopardize user privacy [35]. The following are possible threats:

• An attacker can eavesdrop on the communication in the system to obtain sensitive data from participants;
• A compromised server may attempt to reconstruct participant data regarding the participants from the parameters uploaded by them;
• Participants controlled by attackers may try to extract private data about fellow participants from the perturbed data.

3.3. Local Differential Privacy

Differential privacy [36] serves as a robust framework for mitigating the risk of information leakage, capable of ensuring the protection of personal data during both analysis and sharing. By incorporating rigorous mathematical mechanisms, differential privacy guarantees that the results of data queries do not compromise the privacy of any single participant’s information, thus fostering a secure environment for data sharing and publication. Local differential privacy (LDP) [37] represents a decentralized adaptation of differential privacy, suitable for distributed data collection and analysis scenarios. In LDP, data are perturbed on the user’s side before being sent to the data collector. By implementing such local perturbation, LDP enhances the security of sensitive information and mitigates the risk of privacy violations in decentralized environments. Next, this article briefly introduces the concepts of differential privacy.

Definition 1.

(($\epsilon ,\delta$)-differential privacy). A randomized algorithm $M$ satisfies ($\epsilon ,\delta$)-differential privacy if, for any two neighboring datasets $D$ and $D^{\prime }$ differing in at most one element, and for any subset of outputs $S$, it holds that

$$\mathrm{Pr}[M(D)\in S]\le e^{\epsilon }\mathrm{Pr}[M(D^{\prime })\in S]+\delta$$

(4)

where $\epsilon$ represents the privacy loss parameter, measuring the degree of privacy safeguarding. A smaller $\epsilon$ results in closer output probabilities between two datasets, indicating enhanced privacy protection and increasing the difficulty for an attacker to ascertain the origin of the data. The parameter $\delta$ delineates the probability of breaching differential privacy. When $\delta =0$, the algorithm strictly adheres to the principles of differential privacy, signifying a higher standard of privacy assurance.

Definition 2.

(Sensitivity). Sensitivity describes the maximum impact that a change in a single element of the dataset can have on the output of a given function. The Gaussian mechanism ensures differential privacy by introducing noise, and sensitivity determines the magnitude of the noise required to maintain privacy protection. For a given function $R$ and two neighboring datasets $D$ and $D^{\prime }$, the sensitivity of $R$ is given by

$$\Delta f={\max }_{D,D^{\prime }}\left|\right|R(D)-R(D^{\prime })\left|\right|$$

(5)

where $R(•)$ is the generic function in $D$ and $D^{\prime }$, and $\left|\right|\cdot \left|\right|$ denotes the ${\mathcal{l}}_2$-norm. Higher sensitivity results in a greater amount of noise being added to the parameters for a given privacy budget.

The Gaussian mechanism [38] is a commonly used method in differential privacy, employed to process data while ensuring privacy. It controls the risk of sensitive information leakage by adding noise that follows a normal distribution to the query results.

Definition 3.

(Gaussian mechanism). The output $M^{\prime }(D)$ of the query function $M:D\to {ℝ}^d$ is perturbed by adding Gaussian noise $z$. It is defined as

$$M^{\prime }(D)=M(D)+z$$

(6)

where $z\sim N(0,{\sigma }^2)$ denotes Gaussian noise with a mean of 0 and a variance of ${\sigma }^2$.

4. Method

4.1. PPRD-FL

In PPRD-FL, we begin by assuming the presence of $N$ participants, each of whom possesses a certain amount of private data and initial model with the same architecture. Initially, the server initializes the model parameters, after which it systematically disseminates these parameters to all participants in the network. Subsequently, each participant $K_i$ engages in a series of iterative updates leveraging their respective local dataset, enabling each local model to effectively reflect the characteristics of the local data. Once the updates are complete, participants send the model parameters they trained to be aggregated by the server. During this process, the protection of local model parameters is ensured through the use of R-PSS and dynamic LDP methods, effectively mitigating potential attack threats. Ultimately, the server conveys the results of the aggregation back to the all participants, enabling the next iteration of updates, and this iterative cycle persists until the defined training objectives are satisfactorily achieved. The architecture of PPRD-FL is schematically represented in Figure 2.

The implementation of PPRD-FL features two modules: the aggregation module and the local training module.

Aggregation module: Similarly to traditional federated aggregation, after each participant $K_i$ performs $c$ iterations of updates on its local dataset, the server collects and aggregates the trained model parameters from all participants. We also use the Federated Averaging algorithm to perform the aggregation operation. After the global aggregation process, the server proceeds to transmit the averaged model parameters to all participants, ensuring that each participant receives the updated information necessary for subsequent iterations of the federated learning protocol.

Local training module: Upon receiving the latest weights $w(t)$, each participant $K_i$ iteratively updates their model using their local dataset. First, participant $K_i$ performs $c$ rounds of updates, applying the Adam optimization algorithm [39] to the data in each round. After $c$ updates, participant $K_i$ obtains the updated local parameters $w_i(t+1)$. Subsequently, to safeguard privacy, randomized noise is injected into the updated local parameters. Due to the large number of model parameters, it is not a sensible approach to directly use the LDP algorithm to perturb the model. Therefore, it is crucial to filter the parameters beforehand, focusing the privacy budget on key parameters to minimize noise and enhance the model’s accuracy.

Algorithm 1 offers a comprehensive explanation of the overall execution process of PPRD-FL.

Algorithm 1 PPRD-FL

Input: the number $N$ of participants, the global model’s initial parameter $w(t)$, global training rounds $T$, local iteration rounds $c$ of participants, the sum $\left|D\right|$ of all participant datasets, and the size $\left|D_i\right|$ of the participant’s local dataset, learning rate $\eta$.

Output: global model parameters $w(t+1)$

1 Parameter server generates global model weights $w(t)$;

2 The weight $w(t)$ is broadcast to all participants;

3 Global training:

4   for global epoch $t=1,2,\dots ,T$ do:

5     for $K_i(i=1,2,\mathrm{\dots }N)$ do:

6       Accept global weight $w(t)$;

7       Perform $c$ rounds of local updates using Adam optimization;

8         for epoch $j=1,2,\dots ,c$ do

9           Update the parameters of participant $K_i$:

10            $w_i(t)=w_i(t-1)-\eta \nabla f(w_i(t-1))$;

11         Clip the parameters of participant $K_i$:

12            $w_i(t)=w_i(t)/\max (1,||w_i(t)||/C)$

13       Apply R-PSS to filter parameters: $w_i^f(t)\leftarrow Filtering(w_i(t))$;

14       Add dynamic LDP noise: $\widetilde{w_i^f(t)}=w_i^f(t)+z_i$;

15       Send the noised local weight $\widetilde{w_i^f(t)}$ to the server;

16     End

17     Global model aggregation:

18       Collect the added noise weights $\widetilde{w_i^f(t)}$ for all participants;

19       Calculate global model weights:

20           $w(t+1)={\displaystyle \sum _{i=1}^N\frac{\left|D_i\right|}{\left|D\right|}}\widetilde{w_i^f(t)}$

21   End

22 return $w(t+1)$

4.2. Filtering Using Randomized Parameter Selection Strategy

In FL, training complex neural network models typically necessitates multiple iterations, resulting in the creation of a substantial quantity of parameters. When LDP is employed on every parameter, the privacy budget allocated to each one decreases due to the composability property of differential privacy, resulting in the injection of larger noise with each successive iteration, the cumulative effect of noise can further diminish the utility of the model, making it more difficult to balance privacy protection and model ac-curacy. This trade-off poses a significant challenge, especially when training large-scale models that require precise parameter updates to achieve a good performance.

As noted in [40], weights that are zero or close to zero signify that these connections do not affect the network, as no signals are transmitted through them. In order to achieve privacy protection while mitigating the impact of privacy dilution on model performance, we do not apply LDP to all parameters but instead use the R-PSS for filtering and select the parameters that better reflect the characteristics of local data for perturbation. First, we sort the parameters based on their absolute values to form a sequence. Then, we filter out the parameters with weights close to zero (assuming a parameter threshold $z$ of 1 × 10⁻⁶ close to zero) and directly select a portion of parameters with relatively higher absolute values based on a certain proportion. Finally, to prevent attackers from inferring the participants’ sensitive information by observing changes in specific parameters, we introduce a Bernoulli distribution [41] into the selection process of the remaining parameters to inject randomness. To control the count of selected parameters, we introduce a constraint parameter p for adjustment. The process is described in Algorithm 2. While the weight parameters w can be either positive or negative, we take their absolute values $\left|w\right|$ to ensure uniform perturbation. This simplifies the process and prevents complications arising from the sign of the weights. In machine learning models, the sign of a weight indicates the direction of its influence on the model’s output: positive weights contribute positively to the prediction, while negative weights contribute negatively. For example, in a linear model, if $w_1=0.5$ and $w_2=-0.3$, the feature corresponding to $w_1$ has a positive effect, whereas the feature corresponding to $w_2$ has a negative effect. By using $\left|w\right|$, we focus on the magnitude of the weights, ensuring that the perturbation process is consistent and unbiased, regardless of the direction of influence.

Algorithm 2 R-PSS

Input: the weight parameter $w_i$ of the participant $K_i$, a filter threshold $p$, near zero threshold

Output: Weight parameters $w_f$ after final filtering

1 Initialize a $w_f$ with the same structure as $w_i$;

2 Obtain the absolute values of all parameters of $w_i$ and arrange them in descending order to obtain a list $L_w$;

3 Calculate the value $c$ which is the value of the last parameter in the top 50% of $L_w$ based on absolute values;

4 for $w\in w_i$ do:

5   If $\left|w\right|\ge c$, then:

6     Mark $w$ as $w^{\prime }$ and add $w^{\prime }$ to the corresponding position of $w_f$;

7   Else if $\left|w\right|<c$ and $\left|w\right|>z$, then:

8     Generate a random binary $b~Bernoulli(p)$;

9     If $b=1$, then:

10      Mark $w$ as $w^{\prime }$ and add $w^{\prime }$ to the corresponding position of $w_f$;

11    If $b=1$, then:

12      Do not process $w$, and add $w$ to the corresponding position of $w_f$;

13 Else if $\left|w\right|<z$, then:

14    Do not process $w$, and add $w$ to the corresponding position of $w_f$;

15 End

16 Return $w_f$

Initially, the algorithm sorts and filters out parameters close to zero, retaining only those parameters with a significant impact on the model. With each iteration, the selected parameters increasingly reflect the key characteristics of the data. After several iterations, the parameter set stabilizes, meaning that the parameters with higher weights undergo minimal changes. This process ensures that the model converges quickly while maintaining high accuracy.

4.3. Dynamic Perturbation Mechanism

Within the framework of differential privacy, the privacy budget is used to measure the effectiveness of privacy protection. In federated learning, participants consume a privacy budget for parameter protection in each global round. If the privacy budget is evenly allocated to each round, this may lead to the poorer protection of parameters in later stages. In other words, since the model is usually simpler in the early stages and has limited capacity to represent data, it requires less noise. As training progresses, the model gradually captures more local data characteristics, meaning that privacy protection for the model parameters in the later stages should be given more attention. Moreover, introducing smaller noise in the early stages of training can facilitate faster convergence [17]. Accordingly, we have designed a logarithmic scale-based dynamic LDP method that applies varying levels of noise based on different phases.

To satisfy ($\epsilon ,\delta$)-differential privacy, the Gaussian mechanism requires adding noise with a standard deviation of σ to the output of the function f(D), where

$$\sigma \ge {\displaystyle \frac{\Delta f}{\epsilon }}\sqrt{2\ln {\displaystyle \frac{1.25}{\delta }}}$$

(7)

Based on the statistical properties of the Gaussian mechanism and the privacy protection requirements at different stages, the standard deviation $\sigma (m)$ in the m-th global aggregation round is defined as

$$\sigma (m)=(1+{\displaystyle \frac{\ln (m)}{a}}){\displaystyle \frac{\Delta f}{\epsilon }}\sqrt{2\ln {\displaystyle \frac{1.25}{\delta }}}$$

(8)

where $\sigma$ is the initial standard deviation of noise and $a$ > 0 is the adjustable parameter controlling the noise growth rate.

Lemma 1.

The proposed method satisfies ($\epsilon ,\delta$)-differential privacy by carefully controlling the noise added to the model parameters in each global aggregation round. The noise is dynamically adjusted based on the training phase, ensuring that the cumulative privacy budget remains within the global constraint.

Proof of Lemma 1.

By employing the clipping technique, the local model parameters are constrained such that $\left|\right|w_i\left|\right|\le C$, where $w_i$ denotes the noise-free local model parameters for the participant $K_i$ and $C$ is the constrained threshold for the $\left|\right|w_i\left|\right|$. The sensitivity can be bounded as $\Delta f={\displaystyle \frac{2C}{\left|D_i\right|}}$. Finally, by applying the given sensitivity $\Delta f$, logarithmically varying noise is added to each global aggregation. □

In the Gaussian mechanism, the accumulation of the privacy budget must satisfy the constraint of a global privacy budget. To analyze and approximate the cumulative privacy budget, we use an integral approximation to show that the total privacy budget is finite.

The privacy budget for a single Gaussian mechanism, denoted as ${\epsilon }_m$, is defined as

$${\epsilon }_m={\displaystyle \frac{\Delta f\sqrt{2\ln (1/\delta )}}{\sigma (m)}}$$

(9)

$${\epsilon }_m={\displaystyle \frac{\Delta f\sqrt{2\ln (1/\delta )}}{(1+\frac{\ln (m)}{a})\sigma }}$$

(10)

$${\epsilon }_m={\displaystyle \frac{\epsilon }{(1+\frac{\ln (m)}{a})}}$$

(11)

The privacy budget for the entire process is the aggregate of the privacy budgets for all single iterations:

$${\epsilon }_{total}={\displaystyle \sum _{m=1}^M{\epsilon }_m}={\displaystyle \sum _{m=1}^M\frac{\epsilon }{(1+\frac{\ln (m)}{a})}}$$

(12)

Since ${\epsilon }_m$ is a monotonically decreasing function, the cumulative sum can be approximated using an integral:

$${\epsilon }_{total}\approx {\displaystyle {\int }_1^M\frac{\epsilon }{(1+\frac{\ln (m)}{a})}dm}$$

(13)

To simplify the computation of the integral, we use a substitution. Letting $u=1+{\displaystyle \frac{\ln (m)}{a}}$, the integral becomes

$${\epsilon }_{total}\approx {\displaystyle {\int }_1^{1+\frac{\ln (m)}{a}}\frac{\epsilon a{e}^{a(u-1)}}{u}du}\le {\displaystyle {\int }_1^{1+\frac{\ln (m)}{a}}\frac{\epsilon a}{u}du}\approx \epsilon a\ln (1+{\displaystyle \frac{\ln (M)}{a}})$$

(14)

From this result, it is evident that the total privacy budget ${\epsilon }_{total}$ grows at a rate governed by the logarithmic function $\ln$. Even as the total number of iterations $M$ becomes very large, the growth of ${\epsilon }_{total}$ remains slow and controlled. Therefore, by selecting an appropriate parameter $a$, it is possible to effectively limit the growth of the total privacy budget and ensure that it satisfies the global privacy budget constraint.

The work in reference [34] also points out that, based on the post-processing invariance of differential privacy, provided that the local perturbation algorithm adheres to LDP, attackers cannot deduce participants’ private information from the intermediate parameters. Moreover, even if a server or participant is compromised, they can only access the perturbed parameters, not the original private data. Therefore, as long as the proposed mechanism satisfies LDP, the entire architecture can ensure privacy protection. The dynamic perturbation mechanism designed in the text is adjusted based on the initial standard deviation, while still satisfying the differential privacy definition.

Although the proposed perturbation mechanism results in a higher noise magnitude being added to the selected parameters in each round, for neural networks with millions of parameters, it is possible to choose an appropriate noise adjustment magnitude. By adding noise to only a selected subset of key parameters, as opposed to all parameters, the mechanism can significantly reduce the cumulative impact of noise on the global model while maintaining the same level of privacy protection.

5. Results

5.1. Experimental Setting

Experiment environment: The proposed approach was implemented in Python 3.10 using PyTorch 2.2.2 and tested on a single GPU. The experiments were carried out on a Windows 11 machine equipped with a 12th Gen Intel(R) Core(TM) i5-12500H CPU(Intel Corporation, Santa Clara, CA, USA), 16 GB of RAM, and an NVIDIA GeForce RTX 3050 Laptop GPU(NVIDIA Corporation, Santa Clara, CA, USA).

Datasets:

• MNIST Dataset: Consists of 70,000 grayscale images of hand-written digits ranging from 0 to 9, each with a resolution of 28 × 28 pixels. Among these, 60,000 images are used for training and 10,000 for testing. It is a widely adopted benchmark for evaluating image classification algorithms;
• Fashion-MNIST: The dataset contains 70,000 grayscale images across 10 fashion-related categories, such as clothing and shoes. The dataset is divided into 60,000 training images and 10,000 testing images, with each image sized at 28 × 28 pixels. It is designed as a more challenging and advanced alternative to the MNIST dataset;
• CIFAR-10 Dataset: The dataset includes 60,000 color images divided into 10 classes, with each image having a resolution of 32 × 32 pixels. It is split into 50,000 training images and 10,000 testing images. This dataset is widely used in deep learning for object recognition and image classification tasks.

Network model: This paper employs a Convolutional Neural Network (CNN) architecture for all datasets. For the MNIST and Fashion-MNIST datasets, which are composed of grayscale images, this study implemented a CNN comprising two convolutional layers with max-pooling layers after each, followed by two fully connected layers. For the CIFAR-10 dataset, made up of color images, this study used a similar CNN architecture but adjusted the input channels to accommodate the RGB format. Both network architectures used the Adam optimization algorithm with a learning rate of 0.001. Each participant performed 3 local rounds, while the global training comprised 10 rounds. Based on multiple experimental results, we set the parameter selection range to 80% and the growth factor of the dynamic perturbation mechanism to 75.

5.2. Result Evaluation and Analysis

The most objective criterion for evaluating the quality of a proposed scheme is its performance on datasets. Therefore, we tested the proposed scheme on different datasets and used the average results of multiple experiments as the final outcome.

5.2.1. Component-Wise Performance Analysis of PPRD-FL

To assess the contribution of each component to the model, we compared the performance of the methods without R-PSS, without D-LDP, and with Full PPRD-FL under the same privacy budget. As shown in Figure 3, even when using a single technique (such as R-PSS or D-LDP) independently, the overall training process exhibits a smooth and stable convergence trend. However, when R-PSS is excluded, the model’s overall performance is inferior to that of Full PPRD-FL due to the noise added to all parameters, resulting in noise accumulation that degrades the model’s performance. When D-LDP is excluded, although the model performs better, the privacy protection may be uneven under a fixed privacy budget, with certain rounds having excessive privacy protection while others are insufficient. Full PPRD-FL combines R-PSS and D-LDP, which reduces noise accumulation and provides balanced privacy protection, thus achieving optimal performance in both privacy protection and model accuracy.

5.2.2. Evaluation on Privacy Budget $\epsilon$

First, we analyze the changes in accuracy and loss on the MNIST dataset. As can be seen from Figure 4a,b, when the privacy budget $\epsilon \ge 0.3$, the overall trend of the model remains relatively stable, and the accumulation of noise does not significantly affect the training trend of the model. Moreover, as the privacy budget increases, the performance of the model gradually improves, which is consistent with expectations. Most importantly, when the privacy budget $\epsilon$ is 0.4, the accuracy of our proposed method is comparable to that of the model without differential privacy, reaching about 97%. Following this, Figure 5a,b present the experimental results of the model on the Fashion-MNIST dataset, which features more complex data compared to MNIST. A similar trend is observed: higher privacy budgets result in increased accuracy and reduced loss values, further confirming the method’s effectiveness across datasets with varying complexity. Finally, Figure 6a,b illustrate the performance of the model on the CIFAR-10 dataset. Considering the complexity of the dataset and its sensitivity to noise, this paper increases the baseline of the privacy budget. The results continue to show that increasing the privacy budget can improve accuracy and reduce loss, thereby verifying the robustness and scalability of the proposed PPRD-FL method on different datasets.

5.2.3. Model Performance Under Different Privacy Protection Schemes

We compared our results with related works. First, as illustrated in Figure 7, an increase in the privacy budget $\epsilon$ leads to a certain degree of improvement in the model accuracy under the same conditions, which is consistent with our practical expectations. This is because a smaller $\epsilon$ results in a larger discrepancy between the initial parameters and the perturbed parameters, leading to stronger privacy protection but poorer model performance; conversely, a large $\epsilon$ results in the opposite effect. Second, our proposed approach maintains a superior accuracy when $\epsilon \ge 0.4$, making it highly competitive compared to other related schemes. From Figure 7, it is evident that, even under conditions of a small privacy budget, the accuracy of PPRD-FL surpasses that of LDP-FL and DPM-EU. Furthermore, in previous research [32,34], the optimal accuracy on the MNIST dataset was achieved with a privacy budget of 5 and 0.5, but we were able to obtain comparable results using a privacy budget of only 0.4, thereby providing better privacy protection. Overall, our scheme demonstrates improved privacy protection while ensuring superior performance compared to other approaches.

6. Discussion

The proposed PPRD-FL method, which combines randomized parameter selection and dynamic local differential privacy, offers significant advancements in privacy-preserving federated learning. This approach is particularly valuable in privacy-sensitive domains where data confidentiality is paramount. In medical data sharing, the PPRD-FL method allows multiple healthcare institutions to collaboratively train models while ensuring that patient data remain private and secure. The dynamic adjustment of noise levels and parameter selection helps in maintaining the model’s utility while safeguarding sensitive health information. Financial institutions can use this approach to develop collaborative models without sharing customers’ private financial data. The method ensures strong privacy protection, even with complex financial datasets, which may otherwise be vulnerable to inference or reconstruction attacks.

The practical implementation of PPRD-FL in mobile or edge computing environments presents both opportunities and challenges. The increasing computational capabilities of mobile devices make them suitable candidates for federated learning. However, PPRD-FL must be optimized to handle resource constraints, such as processing power, memory, and battery life. The dynamic LDP mechanism, which adjusts the noise levels throughout the training process, could reduce the computational burden in the early stages of training by allowing less noise and faster convergence. However, care must be taken to ensure that the privacy budget does not exceed the mobile device’s capabilities. Edge devices typically operate in distributed environments with heterogeneous computational resources. Implementing PPRD-FL on such devices requires balancing the privacy budget allocation across devices with varying capabilities. The method’s ability to dynamically allocate the privacy budget ensures that edge devices can perform local computations securely without compromising the global model’s accuracy. However, challenges remain in terms of the network bandwidth and latency during global aggregation, which could impact performance.

While PPRD-FL provides a robust privacy solution for federated learning, several limitations and open challenges remain. The method is well suited for moderate-sized datasets, but as the number of participants or the dataset dimensionality increases, the effectiveness of the randomized parameter selection strategy may diminish. There is a need for further optimization techniques that can efficiently handle large-scale data while maintaining the privacy guarantees. Although the dynamic adjustment of noise helps mitigate the privacy–utility trade-off, there is still a challenge in finding the optimal balance. The selection of parameters for noise perturbation and the adjustment of the privacy budget throughout training should be fine-tuned for specific applications to avoid compromising model accuracy.

7. Conclusions

In this paper, we propose a new FL approach that employs the dynamic LDP algorithm to provide robust privacy protection for the weight parameters of each participant, preventing adversaries from inferring participants’ private information through intermediate shared data. Specifically, we introduced the R-PSS strategy for parameter selection, which addresses the issue of parameter dimensionality dependence when integrating LDP and FL. The experimental results indicate that our scheme attains a higher accuracy with a smaller privacy budget compared to other approaches, effectively addressing privacy concerns in FL. While the proposed scheme can achieve high accuracy and stability in model training with limited training data, its applicability in large-scale data scenarios remains constrained. In future work, we plan to conduct more extensive experiments to evaluate the scalability and robustness of PPRD-FL in large-scale federated learning networks. Additionally, we aim to explore customized privacy protection mechanisms tailored to the privacy requirements of different participants, allowing for a more flexible balance between privacy and performance across participants in the federated learning system. Furthermore, we will extend the application of PPRD-FL to new domains, such as personalized recommendation systems and collaborative fraud detection, to explore its potential in these areas.