When Crowdsensing Meets Federated Learning: Privacy-Preserving Mobile Crowdsensing System
Bowen Zhao, Ximeng Liu*, Member, IEEE, and Weineng Chen, Senior Member, IEEE
Abstract—Mobile crowdsensing (MCS) is an emerging sensing data collection pattern with scalability, low deployment cost, and distributed characteristics. Traditional MCS systems suffer from privacy concerns and unfair reward distribution. Moreover, existing privacy-preserving MCS solutions usually focus on the privacy protection of data collection rather than that of data processing. To tackle these problems of MCS, in this paper, we integrate federated learning (FL) into MCS and propose a privacy-preserving MCS system, called CrowdFL. Specifically, in order to protect privacy, participants locally process sensing data via federated learning and only upload encrypted training models. Particularly, a privacy-preserving federated averaging algorithm is proposed to average encrypted training models. To reduce the computation and communication overhead of handling dropped participants, discard and retransmission strategies are designed. Besides, a privacy-preserving posted pricing incentive mechanism is designed, which tries to break the dilemma of privacy protection and data evaluation. Theoretical analysis and experimental evaluation on a practical MCS application demonstrate that the proposed CrowdFL can effectively protect participants' privacy and is feasible and efficient.
Index Terms—Crowdsensing, federated learning, privacy protection, incentive, federated averaging.
1 INTRODUCTION

Mobile crowdsensing (MCS) integrates the power of both wireless network communication and crowd intelligence to reduce the deployment cost and improve the flexibility of wireless sensor networks (WSN). MCS has extensive applications in environmental sensing, intelligent transport, indoor localization, behavior sensing, etc. Furthermore, MCS is considered a powerful technology in smart cities [1], which can improve the ability of sensing and provide sufficient data. Compared to a traditional WSN, MCS essentially outsources data collection tasks to participants. However, as sensing data is collected by humans (i.e., participants), it involves participants' private information, such as location, voiceprint, face, and activity [2]. Traditional MCS systems usually rely on a sensing platform to aggregate and analyze the sensing data collected by participants [3] through machine learning [4], [5], [6]. Nevertheless, the sensing platform assembling the data is generally untrusted [7]. For example, Facebook, as a centralized platform, collected users' data and leaked personal data to Cambridge Analytica. Moreover, participants usually communicate with the other entities of MCS through the wireless network [8]. Unfortunately, wireless network connections are unstable, so participants frequently drop out. A participant consumes resources (e.g., data traffic, sensors) to participate in an MCS task, so an MCS system usually needs to provide incentives for participants [9]. In brief, a robust MCS system needs to provide a fair incentive for each participant and protect participants' privacy.

Arguably, if we can outsource data collection tasks to participants, we can also outsource data processing tasks to participants. Federated learning (FL), proposed by McMahan et al. [10], is an effective method to outsource data processing tasks to participants, and it has become a hot topic in the privacy protection and machine learning communities. The Federated Averaging (FedAvg) algorithm has been proved to be feasible and effective for FL [10]. Although FL has advantages in privacy protection and in solving data islands [11], local training models still leak private information [5], [12], [13]. Furthermore, how to encourage more participants to participate is also a challenging task [11], [14]. Moreover, FL likewise faces the challenge of participant dropouts [15]. In this paper, we research how to integrate the advantages of FL into MCS and solve the challenges both face. From the perspective of existing work, the following challenges need to be tackled.

• B. Zhao is with the School of Computing and Information Systems, Singapore Management University, Singapore. E-mail: [email protected]
• X. Liu is with the College of Mathematics and Computer Science, Fuzhou University, Fujian, China, and the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen. E-mail: [email protected]
• W.-N. Chen is with the School of Computer Science and Engineering, South China University of Technology, Guangzhou, China. E-mail: [email protected]
• Corresponding author: Ximeng Liu

Manuscript received ××, ××××; revised ××, ××××.
Privacy protection of participants. Sensing data involves participants' private information [4], [16]. The online sensing platform, as a third party of data aggregation, is usually untrusted [4], [7]. After learning participants' private data, an untrusted sensing platform may sell participants' personal information for business recommendations and political election analysis. To protect the privacy of participants, existing solutions usually adopt technologies including differential privacy [7], [17], encryption [9], [18], and so on. Admittedly, schemes [9], [18] based on encryption are effective for privacy protection during data collection. However, the platform or requester needs to efficiently process the collected sensing data through powerful data processing tools, such as machine learning [4], [5], [6]. Privacy-preserving data aggregation [19] usually fails to handle the complex computations required for data processing. Besides, privacy-preserving machine learning [12] and data analysis [20] may be feasible. Unfortunately, they require data to be stored in a central server, which compromises the participant's right to be forgotten. Federated learning [11] enables data to be stored locally; however, model parameters may still disclose confidential information [5], [21]. In short, how to simultaneously protect participants' privacy and analyze sensing data remains to be explored.

Solutions against participant dropouts. Due to the instability of wireless connections, participant dropouts in MCS are common [22], [23]. For both MCS and FL, dropped participants reduce the number of sensing data items or local training models, which might bring insufficient sensing and unreliable aggregation results. In general, prior solutions [5], [15], [22] employ secret-sharing technology to restrain participant dropouts. Specifically, to restrain the dropout of one participant (e.g., p_i), p_i splits private information into multiple fragments and shares those fragments with multiple other participants. Admittedly, secret sharing can recover a model parameter via the fragments provided by other participants. However, if p_i may lose its network connection with the sensing platform, it is challenging for p_i to maintain multiple stable network connections and share fragments with other participants. Furthermore, when the private information to be shared is large, participants bear an unbearable communication burden. In short, how to keep robustness against dropped participants while reducing the overhead remains a challenge.

Privacy-preserving incentive mechanism design. Auction [24], [25] and posted pricing strategies [9], [26] are often used to design a fair incentive mechanism. An incentive mechanism based on auction usually requires participants and a sensing platform to communicate for multiple rounds to determine a winner. However, if an MCS system lacks a data evaluation mechanism, the winner might contribute sensing data that does not match the bid. On the contrary, an incentive mechanism based on a posted pricing strategy can provide fair incentives for participants and determine participants' rewards based on participants' data [27]. Unfortunately, to protect privacy, sensing data is encrypted or obfuscated. Existing solutions [26], [27], [28] usually fail to protect data privacy and evaluate data quality simultaneously. Thus, it is challenging to set reasonable rewards for each participant without knowing participants' sensing data.
To tackle the above challenges, we propose a privacy-preserving mobile crowdsensing system based on federated learning [11], named CrowdFL¹. Different from traditional MCS systems in which a sensing platform aggregates and processes participants' sensing data, our proposed CrowdFL enables participants to store and process sensing data on their end-devices. Specifically, to prevent privacy leakage during data processing, we adopt federated learning to implement participants' collaborative sensing and training. To protect model privacy, participants encrypt local training models, and FedAvg is executed in the ciphertext field. Moreover, considering participant dropouts, discard and retransmission strategies are proposed. To set a reasonable reward for each participant and protect data privacy simultaneously, a privacy-preserving posted pricing incentive mechanism is designed.

1. CrowdFL: mobile CROWDsensing based on Federated Learning
TABLE 1
Functional Comparison between CrowdFL and Prior Solutions

Functions | [5] | [6] | [9] | [15] | [23] | [29] | CrowdFL
Func 1 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Func 2 | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✓
Func 3 | ✓ | ✗ | ✗ | ✓ | ✓ | ✓ | ✓
Func 4 | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✓
Func 5 | ✗ | N/A | N/A | ✗ | ✗ | ✗ | ✓

Note. Func 1 and Func 2: privacy-preserving data aggregation and data processing, respectively; Func 3: robustness against participant dropout; Func 4: privacy-preserving reward distribution; Func 5: low communication overhead.
Table 1 shows the results of a functional comparison between CrowdFL and prior solutions. From Table 1, we can see that the proposed CrowdFL has advantages in privacy protection, reward distribution, and communication cost. The contributions of this paper can be summarized as follows.

• Privacy preservation during data processing. Compared with the state-of-the-art, all sensing data collected by participants are stored on participants' end-devices in our proposed CrowdFL. Meanwhile, participants collaboratively train a model for a specific sensing task with their local sensing data. Moreover, to protect model privacy, we propose a privacy-preserving federated averaging algorithm (PriFedAvg).

• Robustness against participant dropouts. To keep an MCS system robust against participant dropouts, we propose a discard strategy (CrowdFL-D) and a retransmission strategy (CrowdFL-R), where participants are not required to execute extra computation and communication to handle dropouts.

• Privacy-preserving reward distribution. To address the dilemma of data quality-awareness and privacy protection, we design a privacy-preserving posted pricing incentive mechanism (PriRwd) based on participants' encrypted model parameters. Specifically, the greater a participant's contribution to the global average model, the more rewards the participant receives.

The rest of this paper is organized as follows. In Section 2, we describe the problem formulation and preliminaries. We elaborate on the workflow of CrowdFL in Section 3. In Section 4, we detail the proposed privacy-preserving federated averaging algorithm (PriFedAvg). In Section 5, we describe the discard and retransmission strategies that keep robustness against participant dropouts. We present our proposed privacy-preserving incentive mechanism in Section 6. In Section 7, we give a privacy analysis of the proposed CrowdFL. The experimental evaluations are reported in Section 8. A conclusion is given in Section 9.
Fig. 1. System model of CrowdFL (entities: Requester, Participants, SP, CSP, and KGC; SP and CSP exchange encrypted middle results).
2 PROBLEM FORMULATION AND PRELIMINARIES
As depicted in Fig. 1, our proposed CrowdFL involves five entities, namely, a requester, participants, an online sensing platform (SP), an online computation service provider (CSP), and a key generation center (KGC).

• Requester: A requester requests participants to collect sensing data and collaboratively train a model in a federated learning manner. Besides, the requester provides rewards for participants who participate in data collection and model training. Particularly, the model aggregation is outsourced to an SP, and the requester only obtains a final encrypted training model.
• Participants: A participant collects sensing data with a mobile intelligent device and stores the sensing data in her local device. After collecting sensing data, the participant trains a model with the collected sensing data and submits an encrypted training model to the SP.
• SP: The SP is responsible for recruiting participants and averaging participants' encrypted training models. Moreover, the SP takes charge of paying rewards to each participant.
• CSP: The CSP provides computation services for the SP to assist in executing secure computations, such as PriFedAvg and PriRwd.
• KGC: The KGC takes charge of distributing public/private keys to the other entities.
In CrowdFL, entities except for the KGC are considered honest-but-curious [5], [30], i.e., they follow protocols but try to learn other entities' private information. Specifically, SP and CSP may try to learn participants' training models and the global average model. Participants might attempt to obtain other participants' training models. A requester tries to learn participants' training models and might refuse to pay rewards to participants. Moreover, we assume that SP and CSP do not collude. One possible construction is that SP and CSP belong to different organizations or companies. The non-collusion assumption is widely used in secure computation scenarios [23], [29], [31], [32], such as the state-of-the-art of privacy-preserving federated learning [23], [32]. To prevent the SP from obtaining participants' and the requester's private information, the requester and participants do not collude with the SP. The KGC is responsible for managing keys in CrowdFL and is considered a trusted entity, such as a trusted third party (TA).
The federated averaging algorithm (FedAvg) is an iterative algorithm that consists of local training and model aggregation [10]. Suppose n participants are indexed by i (each participant i owns a data set D_i), B is the local minibatch size, E is the number of local epochs, and η is the learning rate. In each iteration round, FedAvg proceeds as follows:

(1) Local training: Each participant splits D_i into batches of size B, denoted by 𝓑. For each local epoch from 1 to E and each batch b ∈ 𝓑, the participant calculates

ω ← ω − η∇ℓ(ω; b),   (1)

where ℓ(ω; b) denotes the loss of the prediction on batch b made with model ω. After training, each participant uploads the model ω to an aggregation server.

(2) Model aggregation: After receiving the n training models of participants, the aggregation server computes a global average model

ω̄ ← Σ_{i=1}^n (δ_i / Σ_{i=1}^n δ_i) · ω_i,   (2)

where δ_i = |D_i|, i.e., the size of D_i.
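As a concrete illustration of Eq. (2), the following minimal Java sketch (our own example, not code from CrowdFL; model parameters are flattened into plain arrays) computes the weighted average in plaintext.

```java
import java.util.Arrays;

// Minimal plaintext sketch of the FedAvg aggregation step (Eq. (2)):
// each local model is weighted by its data-set size delta_i.
public class FedAvgSketch {
    static double[] aggregate(double[][] localModels, long[] delta) {
        int dim = localModels[0].length;
        double[] avg = new double[dim];
        long total = Arrays.stream(delta).sum();          // sum of |D_i|
        for (int i = 0; i < localModels.length; i++) {
            for (int j = 0; j < dim; j++) {
                avg[j] += (double) delta[i] / total * localModels[i][j];
            }
        }
        return avg;
    }

    public static void main(String[] args) {
        double[][] models = { {0.10, -0.20}, {0.30, 0.00}, {0.20, -0.10} };
        long[] delta = { 100, 300, 200 };                 // data-set sizes
        System.out.println(Arrays.toString(aggregate(models, delta)));
        // -> approximately [0.2333, -0.0667]; larger data sets dominate
    }
}
```

In CrowdFL, the same weighted average is computed, but over the ciphertexts ⟦δ_i·ω_i⟧ and ⟦δ_i⟧, as detailed in Section 4.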
PCTD is a variant of the Paillier cryptosystem [33]. The key idea of PCTD is to split the private key of the Paillier cryptosystem into two parts; any single part alone cannot effectively decrypt a given ciphertext encrypted by the Paillier cryptosystem. PCTD comprises the following algorithms:

KeyGen: Let ζ be a security parameter and p, q be two large prime numbers with ζ bits. Compute N = p·q, λ = (p−1)·(q−1)/2, and u = λ⁻¹ mod N². Choose g = N + 1. The public key is denoted by pk = (g, N), and the private key is denoted by sk = (λ, u).

The private key λ is split into two parts denoted by sk₁ = λ₁ and sk₂ = λ₂, s.t., λ₁ + λ₂ ≡ 0 mod λ and λ₁ + λ₂ ≡ 1 mod N². According to the Chinese remainder theorem [34], we can calculate ε = λ₁ + λ₂ = λ·u mod (λ·N²) to make ε ≡ 0 mod λ and ε ≡ 1 mod N² hold simultaneously, where λ₁ ∈ [1, λ·u] and λ₂ = ε − λ₁.

Encryption (Enc): Given a message m ∈ Z_N, select a random number r ∈ Z*_N; the ciphertext of m is generated as ⟦m⟧ = g^m · r^N mod N² = (1 + m·N) · r^N mod N².

Decryption (Dec): Take a given ciphertext ⟦m⟧ and sk as inputs and compute m = L(⟦m⟧^λ mod N²) · u mod N, where L(x) = (x − 1)/N.

Partial Decryption (PDec): Take a ciphertext ⟦m⟧ and a partial private key sk_i as inputs (i ∈ {1, 2}); PDec calculates M_i = ⟦m⟧^{λ_i} = r^{λ_i·N} · (1 + m·N·λ_i) mod N².

Threshold Decryption (TDec): Take the partially decrypted ciphertexts ⟨M₁, M₂⟩ as inputs; TDec computes m = L(M₁ · M₂ mod N²).

The only difference between PCTD and the Paillier cryptosystem is that the former sets two partial private keys λ₁ and λ₂. If the Paillier cryptosystem is semantically secure [33], PCTD is also semantically secure. Moreover, knowing one partial private key (e.g., λ₁), it is not feasible to calculate the other (i.e., λ₂) because λ is private. Thus, an adversary cannot decrypt a ciphertext with only one partial private key. PCTD has additive homomorphism and scalar-multiplication homomorphism properties. Specifically, given ⟦a⟧, ⟦b⟧, and c ∈ Z_N, Dec(⟦a + b⟧) = Dec(⟦a⟧ · ⟦b⟧) and Dec(⟦c · a⟧) = Dec(⟦a⟧^c) hold.
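The PCTD algorithms can be prototyped directly with java.math.BigInteger. The sketch below is our own minimal reconstruction under the parameters above (λ = (p−1)(q−1)/2, u = λ⁻¹ mod N², ε = λ·u mod (λ·N²)); it uses toy key sizes, omits the gcd checks a real implementation needs, and the class and method names are ours.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

// Toy sketch of PCTD: Paillier with the private key split into two shares
// lambda1 + lambda2 = eps, where eps = 0 mod lambda and eps = 1 mod N^2.
public class PctdSketch {
    static final SecureRandom RND = new SecureRandom();
    BigInteger N, N2, lambda, u, lambda1, lambda2;

    PctdSketch(int bits) {
        BigInteger p = BigInteger.probablePrime(bits, RND);
        BigInteger q = BigInteger.probablePrime(bits, RND);
        N = p.multiply(q);
        N2 = N.multiply(N);
        lambda = p.subtract(BigInteger.ONE)
                  .multiply(q.subtract(BigInteger.ONE)).shiftRight(1);
        u = lambda.modInverse(N2);                          // u = lambda^{-1} mod N^2
        BigInteger eps = lambda.multiply(u).mod(lambda.multiply(N2));
        lambda1 = new BigInteger(eps.bitLength() - 1, RND); // random partial key
        lambda2 = eps.subtract(lambda1);                    // lambda1 + lambda2 = eps
    }

    BigInteger enc(BigInteger m) {                          // (1 + mN) r^N mod N^2
        BigInteger r = new BigInteger(N.bitLength() - 1, RND).add(BigInteger.ONE);
        return BigInteger.ONE.add(m.multiply(N)).multiply(r.modPow(N, N2)).mod(N2);
    }

    BigInteger lFunc(BigInteger x) { return x.subtract(BigInteger.ONE).divide(N); }

    BigInteger dec(BigInteger c) {                          // L(c^lambda mod N^2) u mod N
        return lFunc(c.modPow(lambda, N2)).multiply(u).mod(N);
    }

    BigInteger pdec(BigInteger c, BigInteger li) { return c.modPow(li, N2); }

    BigInteger tdec(BigInteger m1, BigInteger m2) {         // L(M1 * M2 mod N^2)
        return lFunc(m1.multiply(m2).mod(N2));
    }

    public static void main(String[] args) {
        PctdSketch k = new PctdSketch(64);
        BigInteger c = k.enc(BigInteger.valueOf(42));
        System.out.println(k.dec(c));                       // 42 (full key)
        System.out.println(k.tdec(k.pdec(c, k.lambda1), k.pdec(c, k.lambda2))); // 42
        BigInteger sum = k.enc(BigInteger.valueOf(5))
                          .multiply(k.enc(BigInteger.valueOf(7))).mod(k.N2);
        System.out.println(k.dec(sum));                     // 12: additive homomorphism
    }
}
```

Running main prints 42 twice, showing that Dec and the PDec/TDec pair recover the same plaintext, and 12 for the homomorphic sum.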
3 OVERVIEW OF CROWDFL

In this section, we first elaborate on the workflow of CrowdFL. Then, we present two building blocks used in CrowdFL.
Fig. 2 shows the workflow of CrowdFL. The detailed processes are listed as follows.

(1) Setup: A requester first sets up the sensing data collection tasks and formulates the data processing tasks into a federated learning task. Moreover, the KGC generates a public/private key pair ⟨pk, sk⟩ and two partial decryption key pairs ⟨λ_c, λ_sc⟩ and ⟨λ_p, λ_sp⟩. The KGC distributes pk, λ_p to participants, pk, λ_sc, λ_sp to SP, and pk, λ_c to CSP.

(2) Local pre-training: Participants first collect sensing data and locally train models according to the sensing tasks and data processing tasks. To protect privacy, participants encrypt the training models {ω₁, ..., ω_n} with pk and send {⟦ω₁⟧, ..., ⟦ω_n⟧} to SP.

(3) Model aggregation: SP aggregates the encrypted training models and carries out the proposed PriFedAvg algorithm to generate an encrypted global average model ⟦ω̄⟧, where the proposed PriFedAvg algorithm requires SP and CSP to participate jointly in a privacy-preserving manner. After that, SP calculates one partially decrypted global average model ω̄_s and returns ⟨ω̄_s, ⟦ω̄⟧⟩ to participants.

(4) Local retraining: Participants partially decrypt the encrypted global average model ⟦ω̄⟧ to obtain another partially decrypted global average model ω̄_p. Participants take the two partially decrypted global average models ω̄_s and ω̄_p as inputs to calculate the decrypted global average model ω̄. Then, participants retrain new models based on the collected sensing data and ω̄, encrypt the new training models, and send the encrypted models to SP. Steps (3) and (4) are repeated until reaching the maximum number of training rounds. The requester obtains the final encrypted global average model.

(5) Reward distribution: SP and CSP jointly execute our proposed privacy-preserving reward distribution protocol (PriRwd) to distribute rewards to each participant.

Fig. 2. Workflow of CrowdFL.
Note that if a participant drops out due to network connection loss in Step (4), the SP adopts our proposed discard or retransmission strategies to handle it. The details are given in Section 5.
To prevent training models from leaking privacy and to realize quality-awareness in a privacy-preserving manner, we propose two critical building blocks, a secure division protocol (SDIV) and a secure multiplication protocol (SMUL), to construct the privacy-preserving federated averaging algorithm (PriFedAvg) and the privacy-preserving reward distribution mechanism (PriRwd).

Secure Division Protocol (SDIV). SDIV needs cooperation between SP and CSP; particularly, SP and CSP do not learn each other's private information. Specifically, SP has ⟦x⟧ and ⟦y⟧, where x, y ∈ (0, 2^κ) and κ is the bit length of the upper bound of x and y, such as κ = 32. The goal of SP is to obtain ⟦x ÷ y⟧. If x ÷ y is a decimal, we use the rounding factor L to transform x ÷ y into an integer, i.e., [x ÷ y] ← ⌊x ÷ y · 10^L⌋. For simplicity, ⟦[x ÷ y]⟧ is denoted by ⟦x ÷ y⟧. Let σ be the statistical security parameter, such as σ = 80. The processes of SDIV are briefly described below. (1) SP obscures x and y by adding random noises in the ciphertexts. After that, SP partially decrypts X, Y into X₁, Y₁ with the partial key λ_sc and sends ⟨(X, X₁), (Y, Y₁)⟩ to CSP. (2) CSP calls PDec and TDec to obtain x′ and y′. Next, CSP calculates x′ ÷ y′. It is easy to verify that x′ ÷ y′ = x ÷ y + α + e ÷ r. CSP sends the encrypted ⟦x′ ÷ y′⟧ to SP. (3) SP disposes of the noise terms [α] and [e ÷ r]. More details of SDIV are shown in Algorithm 1.

Algorithm 1 SDIV(⟦x⟧, ⟦y⟧) → ⟦x ÷ y⟧
Require: SP has ⟦x⟧ and ⟦y⟧, where x, y ∈ (0, 2^κ);
1: SP:
   (a) X ← ⟦x⟧^r · ⟦y⟧^{r·α+e} and Y ← ⟦y⟧^r, where α and e are random numbers with σ bits and κ bits, respectively, and r is a random composite number in [2^{κ+1}, 2^{log N − κ − σ − 1});
   (b) X₁ ← PDec(X, λ_sc) and Y₁ ← PDec(Y, λ_sc);
   (c) Send ⟨(X, X₁), (Y, Y₁)⟩ to CSP.
2: CSP:
   (a) X₂ ← PDec(X, λ_c) and Y₂ ← PDec(Y, λ_c);
   (b) x′ ← TDec(X₁, X₂) and y′ ← TDec(Y₁, Y₂);
   (c) ⟦x′ ÷ y′⟧ ← Enc([x′ ÷ y′], pk);
   (d) Send ⟦x′ ÷ y′⟧ to SP.
3: SP:
   (a) ⟦α⟧ ← Enc(α, pk) and ⟦e ÷ r⟧ ← Enc([e ÷ r], pk);
   (b) ⟦x ÷ y⟧ ← ⟦x′ ÷ y′⟧ · ⟦α⟧^{N − 10^L} · ⟦e ÷ r⟧^{N−1}.

According to the property of the floor function, we have

[x ÷ y + α + e ÷ r] = [x ÷ y] + [α] + [e ÷ r] + 1, or [x ÷ y] + [α] + [e ÷ r].

Thus, we can learn that

[x′ ÷ y′] − [α] − [e ÷ r] = [x ÷ y] + 1, for (x mod y)/y + (e mod r)/r ≥ 1,
[x′ ÷ y′] − [α] − [e ÷ r] = [x ÷ y],     for (x mod y)/y + (e mod r)/r < 1.

Since e < 2^κ and r ≥ 2^{κ+1}, we have (e mod r)/r < 1/2; together with the ranges of x and y, this ensures (x mod y)/y + (e mod r)/r < 1. Hence, [x′ ÷ y′] − [α] − [e ÷ r] = [x ÷ y] always holds.
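The unblinding step of SDIV can be sanity-checked in plaintext. The following sketch is our own illustration; all values are arbitrary choices within the parameter ranges of Algorithm 1, the scale factor is 10^L with L = 6, and no encryption is involved.

```java
import java.math.BigInteger;

// Plaintext check of SDIV's blinding algebra: CSP only ever sees
// x' = r*x + (r*alpha + e)*y and y' = r*y, yet SP recovers [x / y]
// after removing [alpha] = alpha*10^L and [e / r].
public class SdivBlindingDemo {
    public static void main(String[] args) {
        BigInteger x = BigInteger.valueOf(1234), y = BigInteger.valueOf(77);
        BigInteger alpha = BigInteger.valueOf(999_983);     // sigma-bit noise
        BigInteger e = BigInteger.valueOf(1_000_000_000L);  // kappa-bit noise
        BigInteger r = BigInteger.valueOf(2).pow(33);       // r >= 2^{kappa+1}
        BigInteger SCALE = BigInteger.valueOf(1_000_000);   // 10^L with L = 6

        BigInteger xp = r.multiply(x).add(r.multiply(alpha).add(e).multiply(y));
        BigInteger yp = r.multiply(y);
        BigInteger quotient = xp.multiply(SCALE).divide(yp);         // [x' / y']

        BigInteger recovered = quotient.subtract(alpha.multiply(SCALE))
                                       .subtract(e.multiply(SCALE).divide(r));
        System.out.println(recovered);                      // 16025974
        System.out.println(x.multiply(SCALE).divide(y));    // 16025974 = [x / y]
    }
}
```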
Secure Multiplication Protocol (SMUL). The goal of SMUL is to enable SP, which has ⟦x⟧ and ⟦y⟧, to obtain ⟦x·y⟧. As the Paillier cryptosystem only supports additive homomorphism and scalar-multiplication homomorphism, SMUL needs the assistance of CSP. To prevent CSP from learning x and y, SP adds random noises to protect x and y. The steps of SMUL are briefly described below. (1) SP first adds random noises r₁, r₂ into ⟦x⟧ and ⟦y⟧ to obscure x, y. Then, SP partially decrypts the noise-added ciphertexts and sends ⟨(X, X₁), (Y, Y₁)⟩ to CSP. (2) CSP calls PDec and TDec to obtain x′ and y′ and calculates x′·y′. After that, CSP encrypts x′·y′ and sends ⟦x′·y′⟧ to SP. It is easy to verify that x′·y′ = x·y + r₂·x + r₁·y + r₁·r₂. (3) To obtain ⟦x·y⟧ from the given ⟦x′·y′⟧, SP first calculates ⟦r₂·x⟧, ⟦r₁·y⟧, and ⟦r₁·r₂⟧. Finally, SP uses the additive homomorphism and scalar-multiplication homomorphism to remove them and obtain ⟦x·y⟧. Algorithm 2 shows more details of SMUL.

Algorithm 2 SMUL(⟦x⟧, ⟦y⟧) → ⟦x·y⟧
Require: SP has ⟦x⟧ and ⟦y⟧, where x, y ∈ (−2^κ, 2^κ);
1: SP:
   (a) X ← ⟦x⟧ · ⟦r₁⟧ and Y ← ⟦y⟧ · ⟦r₂⟧, where r₁, r₂ are random numbers with σ bits;
   (b) X₁ ← PDec(X, λ_sc) and Y₁ ← PDec(Y, λ_sc);
   (c) Send ⟨(X, X₁), (Y, Y₁)⟩ to CSP.
2: CSP:
   (a) X₂ ← PDec(X, λ_c) and Y₂ ← PDec(Y, λ_c);
   (b) x′ ← TDec(X₁, X₂) and y′ ← TDec(Y₁, Y₂);
   (c) ⟦x′·y′⟧ ← Enc(x′·y′, pk);
   (d) Send ⟦x′·y′⟧ to SP.
3: SP:
   (a) ⟦r₂·x⟧ ← ⟦x⟧^{r₂}, ⟦r₁·y⟧ ← ⟦y⟧^{r₁}, and ⟦r₁·r₂⟧ ← Enc(r₁·r₂, pk);
   (b) ⟦x·y⟧ ← ⟦x′·y′⟧ · ⟦r₂·x⟧^{N−1} · ⟦r₁·y⟧^{N−1} · ⟦r₁·r₂⟧^{N−1}.
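Analogously, the correctness of step 3 of SMUL reduces to a plaintext identity, checked below (our own illustration; in Algorithm 2 the same subtractions are performed homomorphically via the exponents N − 1).

```java
import java.math.BigInteger;
import java.security.SecureRandom;

// Plaintext check of SMUL's unblinding: from x'*y' = (x+r1)(y+r2),
// subtracting r2*x, r1*y, and r1*r2 leaves exactly x*y.
public class SmulBlindingDemo {
    public static void main(String[] args) {
        SecureRandom rnd = new SecureRandom();
        BigInteger x = BigInteger.valueOf(-425), y = BigInteger.valueOf(613);
        BigInteger r1 = new BigInteger(80, rnd);            // sigma-bit noise
        BigInteger r2 = new BigInteger(80, rnd);

        BigInteger prod = x.add(r1).multiply(y.add(r2));    // what CSP computes
        BigInteger xy = prod.subtract(r2.multiply(x))
                            .subtract(r1.multiply(y))
                            .subtract(r1.multiply(r2));
        System.out.println(xy);                             // -260525 = x*y
    }
}
```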
4 PRIVACY-PRESERVING FEDERATED AVERAGING

In this section, we detail our proposed privacy-preserving federated averaging algorithm (PriFedAvg). Given encrypted training models, PriFedAvg requires SP and CSP to jointly calculate an encrypted global average model, where neither SP nor CSP can obtain the global average model alone. Specifically, the additive homomorphism property of PCTD is used to compute the sum of the encrypted training models. Besides, the proposed SDIV is used to calculate the average of the encrypted training models.

The Paillier cryptosystem only works on an integer field; that is, a message m to be encrypted should be an element of Z_N. However, ω_i may be a decimal. To tackle this problem, we introduce a rounding factor L that is larger than the maximum number of decimal places of ω_i. Formally, [ω_i] ← ⌊ω_i · 10^L⌋. For example, suppose the maximum number of decimal places is 5 and L = 6 (L > 5); given the decimal a = −0.12345, [a] = ⌊−0.12345 · 10⁶⌋ = −123450. Particularly, if a = 1.234567 and L = 6, [a] = 1234567.

In CrowdFL, we assume all decimals are denoted by fixed-point numbers with ℓ decimal places. Given a decimal number a with finite decimal places and the rounding factor L (L > ℓ), a is encrypted into ⟦[a]⟧ (in this paper, ⟦[a]⟧ is abbreviated to ⟦a⟧). Note that if [a] = −1 and N = 21, ⟦[a]⟧ = ⟦20⟧. Moreover, suppose L = 6 and h = Dec(⟦20⟧); then h denotes the decimal −0.000001.
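A minimal sketch of this encoding is given below (our own illustration, using the toy modulus N = 21 from the example above; a real deployment uses the large N output by KeyGen). BigDecimal is used so that the floor operation is exact.

```java
import java.math.BigDecimal;
import java.math.BigInteger;
import java.math.RoundingMode;

// Fixed-point encoding: [a] = floor(a * 10^L) with L = 6; negative values
// are wrapped modulo N before encryption and unwrapped after decryption
// by treating residues above N/2 as negative.
public class FixedPointDemo {
    static final BigInteger N = BigInteger.valueOf(21);   // toy modulus
    static final int L = 6;                               // rounding exponent

    static BigInteger encode(String a) {                  // [a] mod N
        long fixed = new BigDecimal(a).movePointRight(L)
                .setScale(0, RoundingMode.FLOOR).longValueExact();
        return BigInteger.valueOf(fixed).mod(N);
    }

    static BigDecimal decode(BigInteger v) {              // undo wrap and scale
        if (v.compareTo(N.shiftRight(1)) > 0) v = v.subtract(N);
        return new BigDecimal(v).movePointLeft(L);
    }

    public static void main(String[] args) {
        BigInteger enc = encode("-0.000001");             // [a] = -1, stored as 20
        System.out.println(enc);                          // 20
        System.out.println(decode(enc));                  // -0.000001
    }
}
```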
PriFedAvg Design
Algorithm 3 PriFedAvg({⟨⟦δ_i·ω_i⟧, ⟦δ_i⟧⟩}_{i=1}^n) → ⟦ω̄_T⟧
Require: SP has {⟨⟦δ_i·ω_i⟧, ⟦δ_i⟧⟩}_{i=1}^n, participants have {D_i}_{i=1}^n, and the requester obtains ⟦ω̄_T⟧;
1: Participants train initial models and upload the encrypted training model messages {⟨⟦δ_i·ω_i⟧, ⟦δ_i⟧⟩}_{i=1}^n to SP;
2: for j = 1 to T do
3:   SP initializes M ← ⟦δ₁·ω₁⟧ and D ← ⟦δ₁⟧;
4:   for i = 2 to n do
5:     SP calculates M ← M · ⟦δ_i·ω_i⟧ and D ← D · ⟦δ_i⟧;
6:   end for
7:   SP and CSP jointly execute ⟦ω̄_j⟧ ← SDIV(M, D);
8:   if j equals T then
9:     SP sends ⟦ω̄_T⟧ to the requester and exits the algorithm;
10:  end if
11:  SP computes ω̄_{j,1} ← PDec(⟦ω̄_j⟧, λ_sp) and sends ⟨⟦ω̄_j⟧, ω̄_{j,1}⟩ to participants;
12:  Participants calculate ω̄_{j,2} ← PDec(⟦ω̄_j⟧, λ_p) and ω̄_j ← TDec(ω̄_{j,1}, ω̄_{j,2});
13:  Participants take ω̄_j and the sensing data sets {D_i}_{i=1}^n as inputs and retrain new models. Next, participants send the encrypted training model messages {⟨⟦δ_i·ω_i⟧, ⟦δ_i⟧⟩}_{i=1}^n to SP;
14: end for
SDIV , we can design a privacy-preserving federated average algorithm (
PriFedAvg ),which enables SP and CSP to jointly calculate an encryptedglobal average model. In
PriFedAvg , SP and CSP do nothave knowledge of the global average model.
PriFedAvg is shown in Algorithm 3. δ i is the amount of a participant i owning training data items, i.e., δ i = | D i | . T denotes themaximum training rounds. A brief description of Algorithm3 is given below. RXIVE, VOL. ×× , NO. ×× , × × ×× Participants train local models based on collected sens-ing data and the aggregated global average model, andencrypt and upload encrypted training models to SP (Line1 and Line 13). To generate a global average model in aprivacy-preserving manner, after aggregating participants’encrypted training models, SP first calculates the sum ofencrypted training models (Lines 3-6). Next, SP and CSPjointly carry out the proposed
SDIV to compute the globalaverage model in a ciphertext field (Line 7). In general, eachparticipant needs to obtain a global average model to traina new model before reaching maximum training rounds. Tothis end, SP partially decrypts the encrypted average model,and then the participant can compute the global averagemodel by using
PDec and
TDec in turn (Lines 11-12).Arguably, given (cid:80) ni =1 δ i π ω i ( π = (cid:80) ni =1 δ i ), a participant i that only knows ω i , δ i fails to learn other participantsmodel parameters. Moreover, SP and CSP jointly calculatethe global average model in the ciphertext field. Thus, PriFedAvg does not disclose participants model privacy.
5 STRATEGY AGAINST DROPOUT

To the best of our knowledge, existing solutions [5], [15] usually adopt the reconstruction capability of threshold secret sharing to keep robustness against dropped participants. Unfortunately, a solution based on threshold secret sharing requires more computation and more network connections. If a participant may lose its network connection, it is an unrealistic countermeasure to require the participant to build more network connections to restrain the connection loss. To relieve this dilemma, we propose discard and retransmission strategies against participant dropouts.

The key idea of the discard strategy is that even though one participant disconnects, the other online participants can still collaboratively produce a global average model.

Definition 1 (Discard Strategy). Considering unstable wireless network connections, SP sets a time interval, e.g., [t, t + t_∆]. Only participants' training models submitted within the time range [t, t + t_∆] are considered valid training models. Participants' training models submitted beyond the time range [t, t + t_∆] are discarded.

Suppose the participants' training model collection is Ω = {ω₁, ..., ω_n}, where each participant i trains a model ω_i. According to Algorithm 3 (PriFedAvg), the n training models generate a global average model as follows:

ω̄(n) = (Σ_{i=1}^n δ_i·ω_i) / (Σ_{i=1}^n δ_i).   (3)

Without loss of generality, we assume that participant n drops out during model aggregation. Apparently, the remaining n−1 participants' training models can still produce a global average model, i.e.,

ω̄(n−1) = (Σ_{i=1}^{n−1} δ_i·ω_i) / (Σ_{i=1}^{n−1} δ_i).   (4)

Let ∆ = Eq. (4) − Eq. (3); we have

∆ = (Σ_{i=1}^{n−1} δ_i·ω_i)/(Σ_{i=1}^{n−1} δ_i) − (Σ_{i=1}^n δ_i·ω_i)/(Σ_{i=1}^n δ_i) = δ_n·(ω̄(n) − ω_n) / (Σ_{i=1}^{n−1} δ_i).   (5)

As ω̄(n) is the average model of the n participants' training models, ω_n is close to ω̄(n). Therefore, when Σ_{i=1}^{n−1} δ_i is sufficiently large compared with δ_n, ∆ will be extremely small. Particularly, if ω_n is far from ω̄(n), the remaining n−1 training models will be closer to ω̄(n−1) when ω_n is discarded. Hence, the influence of a discarded training model on the global average model is limited.

Now, considering that k participants may drop out, we can learn that

ω̄(n−k) = (Σ_{i=1}^{n−k} δ_i·ω_i) / (Σ_{i=1}^{n−k} δ_i).   (6)

Let ∆ = Eq. (6) − Eq. (3); we can derive

∆ = (Σ_{i=1}^{n−k} δ_i·ω_i)/(Σ_{i=1}^{n−k} δ_i) − (Σ_{i=1}^n δ_i·ω_i)/(Σ_{i=1}^n δ_i) = (Σ_{i=n−k+1}^n δ_i·(ω̄(n) − ω_i)) / (Σ_{i=1}^{n−k} δ_i).   (7)

Since ω̄(n) is the global average model of the n participants' training models, ω_i (n−k+1 ≤ i ≤ n) is close to ω̄(n). Thus, when Σ_{i=1}^{n−k} δ_i is big enough compared with Σ_{i=n−k+1}^n δ_i, ∆ will be very small. Besides, if the k dropped participants' training models are far from ω̄(n), the remaining n−k training models are closer to ω̄(n−k). Thus, discarded training models have limited influence on the global average model.

Taken together, it is not difficult to observe that even though dropped participants' training models are discarded, the online participants can still produce a global average model that is close to the one produced when all participants are online.
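Eq. (5) can also be verified numerically. The sketch below is our own illustration with scalar models and invented sizes; it compares the averages with and without the last participant and checks the measured gap against Eq. (5).

```java
// Numeric check of Eq. (5): dropping participant n shifts the average by
// Delta = delta_n * (avg(n) - omega_n) / sum_{i<n} delta_i, which is small
// when omega_n is close to the full average.
public class DiscardDemo {
    static double avg(double[] w, long[] d, int count) {
        double num = 0; long den = 0;
        for (int i = 0; i < count; i++) { num += d[i] * w[i]; den += d[i]; }
        return num / den;
    }

    public static void main(String[] args) {
        double[] w = { 0.52, 0.48, 0.50, 0.49 };   // omega_4 near the mean
        long[] d = { 100, 120, 90, 110 };

        double avgAll = avg(w, d, 4);              // all n participants
        double avgDrop = avg(w, d, 3);             // participant 4 discarded
        double deltaEq5 = d[3] * (avgAll - w[3]) / (d[0] + d[1] + d[2]);

        System.out.println(avgDrop - avgAll);      // measured gap (about 0.00228)
        System.out.println(deltaEq5);              // identical value from Eq. (5)
    }
}
```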
The key idea of the retransmission strategy is that a new global average model can be recalculated when a previously calculated global average model and a retransmitted model are given.

Definition 2 (Retransmission Strategy). Considering unstable wireless network connections, SP allows a dropped participant to resubmit a training model ω_n by connecting again. Specifically, given the global average model ω̄(n−1) of n−1 participants and the re-uploaded training model ω_n, SP recalculates a new global average model and sends the new average model to all online participants.

Without loss of generality, we assume that participant n drops out but resubmits a training model. According to our proposed PriFedAvg, SP has ⟦Σ_{i=1}^{n−1} δ_i·ω_i⟧. Given ⟨⟦δ_n·ω_n⟧, ⟦δ_n⟧⟩, SP can calculate

⟦Σ_{i=1}^n δ_i⟧ = ⟦Σ_{i=1}^{n−1} δ_i⟧ · ⟦δ_n⟧,   (8)

⟦Σ_{i=1}^n δ_i·ω_i⟧ = ⟦Σ_{i=1}^{n−1} δ_i·ω_i⟧ · ⟦δ_n·ω_n⟧.   (9)

After that, SP and CSP can jointly execute SDIV(⟦Σ_{i=1}^n δ_i·ω_i⟧, ⟦Σ_{i=1}^n δ_i⟧) to obtain ⟦ω̄(n)⟧. Then, SP calculates ω̄(n)₁ ← PDec(⟦ω̄(n)⟧, λ_sp) and sends ⟨⟦ω̄(n)⟧, ω̄(n)₁⟩ to all online participants. Once receiving ⟨⟦ω̄(n)⟧, ω̄(n)₁⟩, participants can calculate ω̄(n)₂ ← PDec(⟦ω̄(n)⟧, λ_p) and ω̄(n) ← TDec(ω̄(n)₁, ω̄(n)₂). Therefore, participants can obtain the global average model of all n training models. Note that if SP has already sent the global average model to participants, the dropped participant's training model is still discarded.

6 PRIVACY-PRESERVING REWARD DISTRIBUTION
Incentive mechanism design is a significant research field in MCS [26], [35], [36]. To achieve truthfulness and fairness of the incentive mechanism, we adopt a "posted pricing" mechanism [9], [26], which has been proved to be truthful and fair [37]. The challenge of a "posted pricing" mechanism is to set a reasonable price for each participant.

CrowdFL adopts a federated learning approach to outsource data processing to participants, which requires participants to train models multiple times until the global average model converges or the maximum number of iterations T is reached. Besides, a participant might drop out in any round of model aggregation and thus fail to submit a training model. Thus, in each round of model aggregation, our proposed reward distribution mechanism pays rewards to participants. Particularly, if a participant drops out in one round of model aggregation, the participant can submit her training model in the next round of model aggregation to obtain a reward.

In CrowdFL, a requester takes the final global average model ω̄ as the sensing result. Arguably, if a participant's training model ω_i is closer to ω̄, the training model ω_i is more effective; therefore, the participant should obtain more rewards. In general, the more sensing data a participant collects, the more resources the participant consumes. Thus, an effective reward distribution should also consider the amount of collected sensing data. We propose a reward distribution mechanism as follows:

w_i = (δ_i / Σ_{j=1}^n δ_j) · (Σ_{j=1}^n d(ω_j, ω̄)) / (d(ω_i, ω̄) + ε),
μ_i = b_t · w_i / (Σ_{j=1}^n w_j),   (10)

where w_i and μ_i are the model weight and the reward of participant i, respectively, and b_t is the budget constraint of one round of model aggregation. d quantizes the distance between ω_i and ω̄; formally, d(ω_i, ω̄) = (ω_i − ω̄)². ε is a control parameter that ensures d(ω_i, ω̄) + ε ≠ 0 (in CrowdFL, ε = 10^{−L}). From Eq. (10), we can see that the closer a training model is to the global average model, the larger the model's weight is and the more the model's reward is. Besides, if ω_i = ω_j and δ_i > δ_j, then μ_i > μ_j.

To prevent privacy leakage during reward distribution, we design a privacy-preserving reward distribution mechanism (PriRwd) based on the proposed SMUL and SDIV. The goal of PriRwd is to calculate Eq. (10) in the ciphertext field. PriRwd is shown in Algorithm 4, and a brief description is given below.

The first for loop (Lines 1-6) calculates the distance between ω_i and ω̄. Specifically, the ciphertexts of Σ_{i=1}^n d(ω_i, ω̄) and (Σ_{i=1}^n δ_i)·(d(ω_i, ω̄) + ε) are calculated through the proposed SMUL, where ε is set as 10^{−L}, i.e., [ε] = 1. The second for loop (Lines 7-9) calculates the ciphertexts of the model weights w_i and of b_t·w_i. Specifically, the algorithm calls the proposed SDIV and SMUL to compute ⟦w_i⟧ and ⟦b_t·w_i⟧, respectively.
Algorithm 4 PriRwd({⟦ω_i⟧, ⟦δ_i⟧}_{i=1}^n, ⟦ω̄⟧, ⟦b_t⟧) → {⟦μ_i⟧}_{i=1}^n
Require: SP has {⟦ω_i⟧, ⟦δ_i⟧}_{i=1}^n, ⟦ω̄⟧, and ⟦b_t⟧;
1: for i = 1 to n do
2:   SP calculates ⟦d_i⟧ ← ⟦ω_i⟧ · ⟦ω̄⟧^{N−1};
3:   SP and CSP jointly execute SMUL to obtain ⟦d_i⟧ ← SMUL(⟦d_i⟧, ⟦d_i⟧);
4:   SP calculates ⟦d′_i⟧ ← ⟦d_i⟧ · ⟦1⟧, ⟦π⟧ ← Π_{i=1}^n ⟦δ_i⟧, and ⟦Ω⟧ ← Π_{i=1}^n ⟦d_i⟧;
5:   SP and CSP jointly run SMUL to calculate ⟦w↓_i⟧ ← SMUL(⟦π⟧, ⟦d′_i⟧);
6: end for
7: for i = 1 to n do
8:   SP and CSP jointly compute ⟦w↑_i⟧ ← SMUL(⟦δ_i⟧, ⟦Ω⟧), ⟦w_i⟧ ← SDIV(⟦w↑_i⟧, ⟦w↓_i⟧), and ⟦b_t·w_i⟧ ← SMUL(⟦b_t⟧, ⟦w_i⟧);
9: end for
10: SP calculates ⟦W⟧ ← (Π_{i=1}^n ⟦w_i⟧)^{10^L};
11: for i = 1 to n do
12:   SP and CSP jointly execute SDIV to obtain ⟦μ_i⟧ ← SDIV(⟦b_t·w_i⟧, ⟦W⟧);
13: end for
SMUL to compute (cid:74) w i (cid:75) and (cid:74) b t · w i (cid:75) ,respectively. The last for loop is to calculate (cid:74) µ i (cid:75) by usingthe proposed SDIV .After obtaining (cid:74) µ i (cid:75) , SP can calculate (cid:74) µ i, (cid:75) ← PDec ( (cid:74) µ i (cid:75) , λ sp ) and sends (cid:104) (cid:74) µ i (cid:75) , (cid:74) µ i, (cid:75) (cid:105) to the participant i .Once receiving (cid:104) (cid:74) µ i (cid:75) , (cid:74) µ i, (cid:75) (cid:105) , the participant i can compute (cid:74) µ i, (cid:75) ← PDec ( (cid:74) µ i (cid:75) , λ p ) . Finally, the participant can obtainher reward µ i by using the TDec to decrypt (cid:104) (cid:74) µ i, (cid:75) , (cid:74) µ i, (cid:75) (cid:105) .From Algorithm 4, we can see that only the participant canobtain her reward µ i . Particularly, to prevent the requesterfrom refusing to pay rewards for participants, the PriRwd requires the requester to pay rewards to SP in advance.
7 PRIVACY ANALYSIS

In this section, we first demonstrate that the proposed SDIV and SMUL do not leak the privacy of their input data. Then, we prove that the proposed PriFedAvg and PriRwd protect model privacy and reward privacy, respectively.
Theorem 1. In SDIV, given ⟦x⟧ and ⟦y⟧, SP and CSP without collusion cannot learn x, y, or x ÷ y.

Proof. As the Paillier cryptosystem is semantically secure, given ⟦x⟧, ⟦y⟧, and ⟦x ÷ y⟧, SP without the private key λ fails to obtain x, y, and x ÷ y.

CSP can obtain the intermediate results of the computations, i.e., r·x + (r·α + e)·y, r·y, and x ÷ y + α + e ÷ r. However, as there is no known efficient, non-quantum integer factorization algorithm for a sufficiently large composite number, CSP cannot factorize r·y into a product of smaller integers. Formally, Pr[r·y = q₁·q₂ ⋯ q_m | r·y] < ε, where ε is a negligible probability. Even though CSP could learn a factor q_i, it cannot determine whether q_i is a factor of r or of y. In other words, even if CSP could learn q₁, q₂, ..., q_m, it fails to obtain the factorization of y, i.e., y = q′₁·q′₂ ⋯ q′_n (q′_i ∈ {q₁, q₂, ..., q_m}). Thus, given r·y, CSP has no knowledge of y. Similarly, CSP cannot learn r.

Given r·x + (r·α + e)·y and x ÷ y + α + e ÷ r, as (r·α + e)·y and α + e ÷ r are random, and the binary length of (r·α + e)·y is larger than that of r·x, as well as the binary length of α + e ÷ r being larger than that of x ÷ y, r·x + (r·α + e)·y and x ÷ y + α + e ÷ r are indistinguishable from random values. As a matter of fact, when (r·α + e)·y and α + e ÷ r are sufficiently large, in the view of CSP, r·x + (r·α + e)·y and x ÷ y + α + e ÷ r are encrypted by a one-time pad. Hence, CSP has no knowledge of r·x and x ÷ y.

Taken together, SP and CSP without collusion cannot learn x, y, or x ÷ y.

Theorem 2. In SMUL, given ⟦x⟧ and ⟦y⟧, SP and CSP without collusion cannot learn x, y, or x·y.

Proof. As the Paillier cryptosystem is semantically secure, given ⟦x⟧, ⟦y⟧, and ⟦x·y⟧, SP without the private key λ fails to learn x, y, and x·y.

CSP can obtain the intermediate computation results, i.e., x + r₁ and y + r₂. However, as long as σ is sufficiently larger than the bit length of x and y, in the view of CSP, x + r₁ and y + r₂ are indistinguishable from random values. In essence, x + r₁ and y + r₂ are encrypted by a one-time pad, which has been proved to be perfectly secret [38]. Therefore, even though CSP can obtain x + r₁, y + r₂, and (x + r₁)·(y + r₂), it has no knowledge of x, y, and x·y.

Taken together, SP and CSP without collusion cannot learn x, y, or x·y.

Theorem 3. The proposed PriFedAvg does not leak a participant's training model to other entities.

Proof. As the proposed SDIV prevents SP and CSP from learning the input data and the calculation result, SP and CSP fail to obtain a participant's training model.

Each participant can obtain ω̄ = (Σ_{i=1}^n δ_i·ω_i)/(Σ_{i=1}^n δ_i); however, as the participant fails to learn Σ_{i=1}^n δ_i·ω_i and Σ_{i=1}^n δ_i, the participant cannot learn other participants' training models. Similarly, although the requester can get ω̄, the requester cannot learn participants' training models.

Taken together, no entity except for the participant herself can learn the participant's training model.

Theorem 4. The proposed PriRwd does not leak a participant's reward.

Proof. According to Theorem 1 and Theorem 2, SDIV and SMUL do not leak their input data or calculation results. Thus, SP and CSP fail to obtain a participant's reward. Besides, the participant is only given ⟨⟦μ_i⟧, μ_{i,1}⟩; hence, each participant only obtains her own reward.

Taken together, only the participant can learn her reward.

8 PERFORMANCE EVALUATION
In this section, we evaluate the effectiveness and efficiency of the proposed CrowdFL through theoretical analysis and experimental testing.

Dataset. Considering a practical MCS application that recognizes human activity through MCS [39], we utilize the Actitracker dataset [40] released by the WISDM lab. The sensing data was collected by 36 participants using smartphones in their pockets. Moreover, the participants are responsible for processing the collected data on their end-devices. In our experiments, we set 36 participants according to the Actitracker dataset, and each participant owns 13230 data records (each data record represents one acceleration in three spatial coordinates, and each activity consists of 270 data records). To evaluate effectiveness, participants' sensing data is used as training data, which accounts for 70% of the total experimental data. The remaining 30% of the data is used as test data. The distribution of the six activities is shown in Table 2, and each activity depends on the acceleration in three spatial coordinates. As illustrated in Table 2, the training data is unbalanced.

TABLE 2
The Distribution of Training Data

Jogging | Walking | Upstairs | Downstairs | Sitting | Standing
518 | 693 | 200 | 176 | 92 | 85

Configuration. We implement CrowdFL in Java and adopt Deeplearning4j² to train a three-layer neural network. We utilize a Windows 10 desktop, with an Intel(R) Core(TM) i7-8700 CPU @3.20GHz and 16.0GB RAM, to serve as SP and CSP. Moreover, we deploy an Android 10 smartphone, with HUAWEI Kirin 980 and 8.0GB RAM, to simulate the 36 participants. We set the security parameter of the PCTD as ζ = 1024 and use a Shamir's Secret Sharing algorithm over GF(256) from Maven Repository to split training models. We set up the parameters of CrowdFL as follows: the batch size is B = 50 and the number of local epochs is E = 30; the learning rate η and the numbers of input, output, and hidden nodes are kept the same in all experiments.
In this section, we demonstrate that the proposed CrowdFL is effective. CrowdFL consists of PriFedAvg, the strategies against participant dropouts, and PriRwd. Arguably, if all of the components of CrowdFL are effective, CrowdFL can be considered effective.

To demonstrate the effectiveness of PriFedAvg, we first compare PriFedAvg, a non-federated neural network (NN), and FedAvg in terms of accuracy, precision, recall, and F1 Score. The comparison results are shown in Table 3. Table 3 shows that the difference between FedAvg and NN reduces through multiple iterations. When the number of iterations reaches a certain number (e.g., 5), the accuracy difference is lower than 0.01, and the difference in recall is lower than 0.03. Table 3 also reports the MAD (Mean Absolute Deviation) of FedAvg relative to NN, which shrinks as the number of iterations grows. PriFedAvg has the same results in accuracy, precision, recall, and F1 Score as FedAvg when PriFedAvg is iterated five times. Thus, we can conclude that PriFedAvg is as effective as FedAvg.

Figs. 3(a) and 3(b) show the comparison of accuracy and F1 score among NN, CrowdFL-D (CrowdFL with the discard strategy), and CrowdFL-R (CrowdFL with the retransmission strategy) under different dropout rates. Particularly, we assume that the training models of 50% of the dropped participants are retransmitted in CrowdFL-R.
2. https://deeplearning4j.org/
TABLE 3
Comparison between NN and CrowdFL

Schemes | Accuracy | Precision | Recall | F1 Score | MAD
NN | 0.7778 | 0.6891 | 0.6961 | 0.6825 | –
FedAvg_1 | | | | |
FedAvg_2 | | | | |
FedAvg_3 | | | | |
FedAvg_4 | | | | |
FedAvg_5 | | | | |
PriFedAvg | | | | |

Note. MAD: Mean Absolute Deviation. The subscript number of FedAvg is the number of iterations. PriFedAvg iterates five times.
Fig. 3. Comparison of accuracy and F1 score under different dropout rates. (a) Comparison of accuracy. (b) Comparison of F1 score.
As depicted in Fig. 3, we can learn that CrowdFL has better performance in accuracy and F1 score than the non-federated NN. Moreover, as dropped participants' training models are retransmitted in CrowdFL-R, CrowdFL-R is generally more accurate than CrowdFL-D and has a larger F1 score than CrowdFL-D. According to the results of Fig. 3, it is not difficult to conclude that the proposed strategies against participant dropouts in CrowdFL are feasible. Furthermore, CrowdFL-R might be more robust against dropped participants than CrowdFL-D.

If an average model is considered an effective model, then a participant's training model that is closer to the average model is more effective. In our proposed reward distribution mechanism, if a participant's training model is closer to the average model (i.e., d(ω_i, ω̄) is smaller), the participant's model weight w_i is larger, and the participant receives more rewards μ_i. Fig. 4 shows the experimental results of reward distribution. Particularly, we randomly choose the second iteration and the fourth iteration to illustrate the feasibility of our proposed reward distribution mechanism, and the incentive budget of each iteration is set as b₂ = b₄ = $36. According to Figs. 4(a) and 4(c), we can see that the smaller d(ω_i, ω̄) is, the larger w_i is. Besides, multiple iterations can reduce d(ω_i, ω̄), meaning that as a training model gets closer to the average model, the training model becomes more effective. From Figs. 4(b) and 4(d), we can learn that μ_i is positively correlated with w_i. In other words, the larger w_i is, the more μ_i is. Taken together, it can be concluded that the proposed reward distribution mechanism can motivate participants to train more effective models.
Fig. 4. Incentive mechanism. (a) w_i vs. d(ω_i, ω̄) in the second iteration. (b) μ_i vs. w_i in the second iteration. (c) w_i vs. d(ω_i, ω̄) in the fourth iteration. (d) μ_i vs. w_i in the fourth iteration.
1) Theoretical Analysis: Table 4 shows the comparison between CrowdFL and PPFDL [23]. Compared to PPFDL, our proposed CrowdFL provides privacy-preserving federated averaging (PriFedAvg) and privacy-preserving reward distribution (PriRwd). Similar to PPFDL, CrowdFL adopts two servers to support the privacy-preserving aggregation of training models, but the difference between PPFDL and CrowdFL is that no server in CrowdFL holds a private key of the requester. From Algorithm 3, we can see that the proposed PriFedAvg requires SP to execute 2(n−1) PAdd operations to obtain ⟦Σ_{i=1}^n δ_i·ω_i⟧ and ⟦Σ_{i=1}^n δ_i⟧. After that, SP and CSP jointly perform the proposed SDIV to obtain ⟦(Σ_{i=1}^n δ_i·ω_i)/(Σ_{i=1}^n δ_i)⟧. Although the computation cost of a participant in PriFedAvg is slightly larger than that of a participant in PPFDL, PriFedAvg avoids executing secure multiplication protocols between SP and CSP, which reduces the computation costs of SP and CSP. Besides, PPFDL needs to perform SecDiv multiple times, while PriFedAvg only requires executing SDIV once. SecDiv not only requires two servers but also requires the two servers to build a garbled circuit. In contrast to SecDiv, SDIV only requires the two servers to execute secure computations. Thus, it can be said that our proposed SDIV is more efficient. From Table 4, we can observe that the computation costs of PriFedAvg and PriRwd are even lower than that of PPFDL. One possible explanation is that PPFDL requires multiple iterations to generate an average model.

Suppose the binary length of a ciphertext encrypted by the Paillier cryptosystem is L₁. Table 5 compares the communication overhead and communication rounds of CrowdFL and PPFDL. Comparing PPFDL with PriFedAvg, it is easy to see that the communication cost and communication rounds of the two servers in CrowdFL are less than those of the two servers in PPFDL.
ROWD
FL and PPFDL
Scheme Computation costSP CSP ParticipantsPPFDL [23] K ((4 n − · PAdd + 2 n SMUL + ( n + 1) · SecDiv + n PMul ) + ( n − PAdd + PMul K (2 n SMUL + ( n + 1) · SecDiv ) Enc + DecPriFedAvg (2 n − PAdd + SDIV SDIV Enc + PMul + PDec + TDecPriRwd (4 n − · PAdd + n PMul + 4 n SMUL + 2 n SDIV n SMUL + 2 n SDIV Enc
Note. n is the number of participants. PAdd and
PMul denotes one Paillier homomorphic addition (i.e., (cid:74) x + y (cid:75) ← (cid:74) x (cid:75) · (cid:74) y (cid:75) ) and one Paillier homomorphic multiplication (i.e., (cid:74) xy (cid:75) ← (cid:74) y (cid:75) x ), respectively. SecDiv is a secure multiplicationprotocol proposed by PPFDL [23]. K denotes the iteration times of PPFDL. the communication cost of a participant in C ROWD
FL isslightly higher than that of a participant in PPFDL. Onepossible explanation is that the participant in C
ROWD
FL isresponsible for computing (cid:74) δ i · ω i (cid:75) instead of SP and CSP.The participant who knows δ i and ω i has less computationcost to obtain (cid:74) δ i · ω i (cid:75) than SP only knowing (cid:74) δ i (cid:75) and (cid:74) ω i (cid:75) .During reward distribution (see Algorithm 4), as PriRwd needs to execute secure computation protocols multipletimes, communication cost and communication round of SPand CSP increase. Even so, when K > , the communicationcost and communication round of PPFDL are larger thanthat of C ROWD
FL.To keep robustness against participant dropouts, tra-ditional solutions usually employ secret sharing, such asShamir secret sharing, which is able to recover a secretthrough multiple shares. In essence, it is to recover thesecret through redundant information. Formally speaking,suppose a secret s , to recover s , s is firstly split multipleshares (i.e., n shares). Then, s can be recovered by t of n shares (in this paper, we set ( t, n ) = (3 , ). Thus, the com-putation overhead of PPFL [15] that adopts secret sharingto restrain dropped participants, is to execute one secretsharing. Besides, PPFL [15] requires a participant to commu-nicate with n other participants and share shares with theserver to recover a model. In contrast to PPFL, a droppedparticipant’s training model in the proposed C ROWD
FL iseither discarded or retransmitted. The participant does notneed to execute extra computation. The sensing platformrequires to perform twice homomorphic addition and one
SDIV . When C
ROWD
FL utilizes the discard strategy, thereis no additional communication between a participant andthe requester. When the retransmission strategy is adopted,a participant needs to resubmit her training model to SP.Meanwhile, if SP receives the dropped participant’s trainingmodel before sending the encrypted global average modelto participants, there is still no additional communicationfor the SP. The above analyses are listed in Table 6.
Discussion.
To restrain a participant dropout, it is un-advisable to require the participant to build more connec-tions are unadvisable. Firstly, if a participant may dropout, the participant is likely to fail to establish multipleconnections with other participants due to an unstableconnection. Besides, if a participant can maintain multiplestable connections with other participants, it is more feasiblefor the participant to establish one stable connection withSP. Furthermore, the latter requires less computation and
Fig. 5. Comparisons of training model time and encrypting model time. (a) Training model time. (b) Encrypting model time.
Next, we give experimental results to illustrate the efficiency of CROWDFL. Under the experiment setting above, time comparisons of training the model and encrypting the model between CROWDFL and PPFDL are shown in Fig. 5, where the suffix "_I" means the initial training and the suffix "_A" indicates training again given an average model. Fig. 5(a) shows that the time of initial training is less than that of training again. One possible explanation is that the latter additionally loads the average model. Besides, for the same model parameters and training machine, CROWDFL and PPFDL have the same training time. As depicted in Fig. 5(b), the encrypting model time of CROWDFL is almost the same as that of PPFDL. Compared to PPFDL, CROWDFL only requires the extra encryption of δ_i, i.e., ⟦δ_i⟧. The amount of extra encryption is much smaller than the number of training model parameters to be encrypted. Thus, as the Paillier cryptosystem is efficient, the increased encryption time of CROWDFL is almost negligible.

As depicted in Fig. 6, we can see the comparison results of averaging model time and decrypting model time between CROWDFL and PPFDL [23]. To be fair in the comparison, we set K = 1 and use SDIV instead of SecDiv. From Fig. 6(a), it is easy to observe that the averaging model time of CROWDFL is far less than that of PPFDL, which is consistent with the theoretical analysis in Table 4. Unlike FedAvg, PPFDL must calculate participants' weights before averaging training models, which increases the computational cost of averaging. Thus, CROWDFL is more efficient than PPFDL in averaging training models.
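As a concrete illustration of averaging under encryption (a minimal sketch assuming the third-party python-paillier (phe) package; this is not PriFedAvg itself, which additionally weights models and splits decryption between SP and participants), the server can sum ciphertexts homomorphically and scale by 1/n without ever seeing a model:

```python
# Minimal encrypted-averaging sketch using the python-paillier (phe) package.
# Each participant encrypts her local model; the server averages ciphertexts.
from functools import reduce
from phe import paillier

public_key, private_key = paillier.generate_paillier_keypair(n_length=1024)

# Three participants' local model parameters (one scalar each, for brevity).
local_models = [0.12, -0.34, 0.56]
ciphertexts = [public_key.encrypt(w) for w in local_models]

# Homomorphic sum (ciphertext multiplications underneath), then scale by 1/n.
encrypted_avg = reduce(lambda a, b: a + b, ciphertexts) * (1.0 / len(ciphertexts))

assert abs(private_key.decrypt(encrypted_avg) - sum(local_models) / 3) < 1e-9
```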
TABLE 5
Comparison of Communication Overhead between CROWDFL and PPFDL

              Communication cost                                                                Communication round
Scheme        SP                                  CSP                                Participant  SP          CSP        Participant
PPFDL [23]    K((11n + 3)L + (n + 1)(‖GC‖ + 5h))  K((9n + 3)L + (n + 1)(‖GC‖ + 5h))  2L           K(10n + 4)  K(8n + 4)
PriFedAvg     (4n + 5)L                           L                                  L            n + 2
PriRwd        nL                                  nL                                 L            n           n

Note. n is the number of participants. L is the binary length of a ciphertext encrypted by the Paillier cryptosystem. h is the binary length of garbled values in the garbled circuits. ‖GC‖ indicates the binary length of the garbled circuit that takes x + h_x, y + h_y, r, h_x, and h_y as inputs and outputs x/y − r.

TABLE 6
Comparison of Computation and Communication Overhead against Participant Dropout
              Computation overhead                       Communication round
Scheme        Participant   SP                CSP
CROWDFL-D     –             0                 0          0
CROWDFL-R     –             2 HAdd + 1 SDIV              ≤ 1

Note. CROWDFL-D and CROWDFL-R denote the discard and retransmission strategies, respectively, and HAdd denotes one Paillier homomorphic addition. The retransmission round is 0 when SP receives the resubmitted model before broadcasting the encrypted global average model.
Fig. 6. Comparisons of averaging model time (a) and decrypting model time (b).

Fig. 6(b) shows the decrypting average model time, where "CROWDFL_small" denotes that the participant takes λ_p = 2 as the decryption parameter to decrypt the average model. From Fig. 6(b), we can see that if λ_sp ∈ [1, λ_u] and λ_p = ε − λ_sp, the decrypting model time of CROWDFL is about double that of PPFDL. One possible explanation is that the binary length of λ_p is double that of λ. Although CROWDFL requires the participant to decrypt the average model using PDec and TDec, the computation cost of PDec and TDec is the same as that of Dec, i.e., executing one PMul, one multiplication, one subtraction, and one division. In CROWDFL, to protect privacy, the participant does not own the private key, which prevents one participant from filching other participants' encrypted models. According to PCTD, as long as ε = λ_p + λ_sp, the participant can decrypt the average model. Thus, we can set a small λ_p (i.e., λ_p = 2) to reduce the decryption time. As the experimental result in Fig. 6(b) shows, CROWDFL with a small λ_p has less computation time than PPFDL.
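The split-key idea can be sketched as follows (a toy construction in the spirit of PCTD, not its exact algorithm; the CRT-based exponent split is our own simplification): the decryption exponent s is divided into s_sp for SP and s_p for the participant, so neither party can decrypt alone.

```python
# Toy split-key Paillier decryption: the decryption exponent s is split as
# s = s_sp + s_p, so SP (PDec) and the participant (TDec) must both act.
import math
import secrets

p, q = 1789, 2003                       # toy primes; assumes gcd(r, n) = 1 below
n, n2 = p * q, (p * q) ** 2
lam = math.lcm(p - 1, q - 1)

def encrypt(m: int) -> int:
    r = secrets.randbelow(n - 1) + 1
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

# Choose s with s = 0 (mod lam) and s = 1 (mod n) via CRT, then split it.
s = (lam * pow(lam, -1, n)) % (n * lam)
s_sp = secrets.randbelow(n * lam)       # SP's partial key
s_p = (s - s_sp) % (n * lam)            # participant's partial key

c = encrypt(4242)
c1 = pow(c, s_sp, n2)                   # PDec step by SP
c2 = pow(c, s_p, n2)                    # TDec step by the participant
assert (c1 * c2 % n2 - 1) // n == 4242  # combining both partial decryptions
```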
Fig. 7. Reward distribution (a) and its running time (b).

Fig. 7 shows the reward distribution and its running time. Specifically, "Reward_Rndi" means the reward distribution in the i-th round of model averaging, and "Reward_Sum" is the total reward over five rounds of model aggregation. From Fig. 7(a), we can learn that if a participant generates a more effective training model from her collected sensing data (i.e., she receives more rewards in one round of model aggregation), her rewards increase round by round; otherwise, her rewards reduce round by round. Fig. 7(b) gives the running time of reward distribution. Combining Fig. 6(a) and Fig. 7(b), it can be seen that the running time of PriFedAvg and PriRwd approximately equals that of averaging models in PPFDL with a single iteration. Thus, it can be concluded that PriRwd is efficient.
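As a toy plaintext illustration of quality-proportional reward splitting (our own simplified stand-in; PriRwd evaluates encrypted models under a posted-pricing mechanism, which this sketch does not capture), a per-round budget could be divided according to each participant's contribution:

```python
# Toy plaintext reward split per aggregation round; illustrative only.
# contributions[pid] stands for participant pid's model-quality gain.

def split_rewards(budget: float, contributions: dict[int, float]) -> dict[int, float]:
    total = sum(contributions.values())
    if total == 0:
        return {pid: 0.0 for pid in contributions}
    return {pid: budget * c / total for pid, c in contributions.items()}

# A participant whose model helps more in a round earns more that round.
round2 = split_rewards(10.0, {1: 0.5, 2: 0.3, 3: 0.2})
round3 = split_rewards(10.0, {1: 0.7, 2: 0.2, 3: 0.1})
print(round2[1], round3[1])  # participant 1's reward grows round by round
```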
CONCLUSION
In this paper, we propose a privacy-preserving mobile crowdsensing (MCS) system based on federated learning, called CROWDFL. In CROWDFL, we outsource both data collection and data processing to participants. Specifically, we propose a privacy-preserving federated averaging algorithm (PriFedAvg) to enable participants to locally process sensing data while protecting training model privacy. Besides, we present discard and retransmission strategies to keep robustness against dropped participants and to reduce the computation and communication overhead. Finally, to encourage participation, we design a privacy-preserving reward distribution mechanism (PriRwd) based on encrypted training models. Experimental evaluations over a real-world dataset demonstrate that the proposed CROWDFL is feasible and efficient. In future work, we will focus on how to prevent participants from cheating in a privacy-preserving manner.

ACKNOWLEDGMENTS
This work was supported in part by the National Natural Science Foundation of China (Grant Nos. 62072109, U1804263, 61702105, and 61632013) and the Peng Cheng Laboratory Project of Guangdong Province (PCL2018KP004).
REFERENCES

[1] V. Sucasas, G. Mantas, J. Bastos, F. Damiao, and J. Rodriguez, "A signature scheme with unlinkable-yet-accountable pseudonymity for privacy-preserving crowdsensing," IEEE Transactions on Mobile Computing, vol. 19, no. 4, pp. 752–768, 2020.
[2] M. S. Ryoo, B. Rothrock, C. Fleming, and H. J. Yang, "Privacy-preserving human activity recognition from extreme low resolution," in Proceedings of AAAI Conference on Artificial Intelligence, 2017, pp. 4255–4262.
[3] H. Jin, L. Su, H. Xiao, and K. Nahrstedt, "Incentive mechanism for privacy-aware data aggregation in mobile crowd sensing systems," IEEE/ACM Transactions on Networking, vol. 26, no. 5, pp. 2019–2032, 2018.
[4] A. Capponi, C. Fiandrino, B. Kantarci, L. Foschini, D. Kliazovich, and P. Bouvry, "A survey on mobile crowdsensing systems: Challenges, solutions, and opportunities," IEEE Communications Surveys & Tutorials, vol. 21, no. 3, pp. 2419–2465, 2019.
[5] Y. Liu, Z. Ma, X. Liu, S. Ma, S. Nepal, and R. Deng, "Boosting privately: Privacy-preserving federated extreme boosting for mobile crowdsensing," arXiv preprint arXiv:1907.10218, 2019.
[6] Y. Liu, H. Li, J. Xiao, and H. Jin, "FLoc: Fingerprint-based indoor localization system under a federated learning updating framework," in Proceedings of IEEE Conference on Mobile Ad-Hoc and Sensor Networks (MSN), 2019, pp. 113–118.
[7] Z. Wang, J. Li, J. Hu, J. Ren, Z. Li, and Y. Li, "Towards privacy-preserving incentive for mobile crowdsensing under an untrusted platform," in Proceedings of IEEE Conference on Computer Communications (INFOCOM), 2019, pp. 2053–2061.
[8] S. Chessa, A. Corradi, L. Foschini, and M. Girolami, "Empowering mobile crowdsensing through social and ad hoc networking," IEEE Communications Magazine, vol. 54, no. 7, pp. 108–114, 2016.
[9] B. Zhao, S. Tang, X. Liu, and X. Zhang, "PACE: Privacy-preserving and quality-aware incentive mechanism for mobile crowdsensing," IEEE Transactions on Mobile Computing, in press. [Online]. Available: https://doi.org/10.1109/TMC.2020.2973980
[10] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, "Communication-efficient learning of deep networks from decentralized data," in Proceedings of International Conference on Artificial Intelligence and Statistics (AISTATS), 2017, pp. 1273–1282.
[11] Q. Yang, Y. Liu, T. Chen, and Y. Tong, "Federated machine learning: Concept and applications," ACM Transactions on Intelligent Systems and Technology, vol. 10, no. 2, pp. 1–19, 2019.
[12] M. Nasr, R. Shokri, and A. Houmansadr, "Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning," in Proceedings of IEEE Symposium on Security and Privacy (SP), 2019, pp. 739–753.
[13] M. Song, Z. Wang, Z. Zhang, Y. Song, Q. Wang, J. Ren, and H. Qi, "Analyzing user-level privacy attack against federated learning," IEEE Journal on Selected Areas in Communications, vol. 38, no. 10, pp. 2430–2444, 2020.
[14] H. Yu, Z. Liu, Y. Liu, T. Chen, M. Cong, X. Weng, D. Niyato, and Q. Yang, "A fairness-aware incentive scheme for federated learning," in Proceedings of the AAAI/ACM Conference on AI, Ethics, and Society (AIES), 2020, pp. 393–399.
[15] K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth, "Practical secure aggregation for privacy-preserving machine learning," in Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2017, pp. 1175–1191.
[16] C. Miao, W. Jiang, L. Su, Y. Li, S. Guo, Z. Qin, H. Xiao, J. Gao, and K. Ren, "Privacy-preserving truth discovery in crowd sensing systems," ACM Transactions on Sensor Networks, vol. 15, no. 1, pp. 1–33, 2019.
[17] L. Wang, D. Zhang, D. Yang, B. Y. Lim, X. Han, and X. Ma, "Sparse mobile crowdsensing with differential and distortion location privacy," IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2735–2749, 2020.
[18] C. Miao, L. Su, W. Jiang, Y. Li, and M. Tian, "A lightweight privacy-preserving truth discovery framework for mobile crowd sensing systems," in Proceedings of IEEE Conference on Computer Communications (INFOCOM), 2017, pp. 1–9.
[19] C. Jiang, L. Gao, L. Duan, and J. Huang, "Data-centric mobile crowdsensing," IEEE Transactions on Mobile Computing, vol. 17, no. 6, pp. 1275–1288, 2018.
[20] L. Ma, X. Liu, Q. Pei, and Y. Xiang, "Privacy-preserving reputation management for edge computing enhanced mobile crowdsensing," IEEE Transactions on Services Computing, vol. 12, no. 5, pp. 786–799, 2019.
[21] Y. Aono, T. Hayashi, L. Wang, S. Moriai et al., "Privacy-preserving deep learning via additively homomorphic encryption," IEEE Transactions on Information Forensics and Security, vol. 13, no. 5, pp. 1333–1345, 2018.
[22] G. Xu, H. Li, and R. Lu, "Practical and privacy-aware truth discovery in mobile crowd sensing systems," in Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), 2018, pp. 2312–2314.
[23] G. Xu, H. Li, Y. Zhang, S. Xu, J. Ning, and R. Deng, "Privacy-preserving federated deep learning with irregular users," IEEE Transactions on Dependable and Secure Computing, in press. [Online]. Available: https://doi.org/10.1109/TDSC.2020.3005909
[24] Y. Wen, J. Shi, Q. Zhang, X. Tian, Z. Huang, H. Yu, Y. Cheng, and X. Shen, "Quality-driven auction-based incentive mechanism for mobile crowd sensing," IEEE Transactions on Vehicular Technology, vol. 64, no. 9, pp. 4203–4214, 2015.
[25] J. Wang, J. Tang, D. Yang, E. Wang, and G. Xue, "Quality-aware and fine-grained incentive mechanisms for mobile crowdsensing," in Proceedings of IEEE International Conference on Distributed Computing Systems (ICDCS), 2016, pp. 354–363.
[26] Y. Qu, S. Tang, C. Dong, P. Li, S. Guo, H. Dai, and F. Wu, "Posted pricing for chance constrained robust crowdsensing," IEEE Transactions on Mobile Computing, vol. 19, no. 1, pp. 188–199, 2020.
[27] K. Han, H. Huang, and J. Luo, "Quality-aware pricing for mobile crowdsensing," IEEE/ACM Transactions on Networking, vol. 26, no. 4, pp. 1728–1741, 2018.
[28] S. Yang, F. Wu, S. Tang, X. Gao, B. Yang, and G. Chen, "On designing data quality-aware truth estimation and surplus sharing method for mobile crowdsensing," IEEE Journal on Selected Areas in Communications, vol. 35, no. 4, pp. 832–847, 2017.
[29] Y. Zheng, H. Duan, and C. Wang, "Learning the truth privately and confidently: Encrypted confidence-aware truth discovery in mobile crowdsensing," IEEE Transactions on Information Forensics and Security, vol. 13, no. 10, pp. 2475–2489, 2018.
[30] X. Liu, K.-K. R. Choo, R. H. Deng, R. Lu, and J. Weng, "Efficient and privacy-preserving outsourced calculation of rational numbers," IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 1, pp. 27–39, 2016.
[31] P. Mohassel and Y. Zhang, "SecureML: A system for scalable privacy-preserving machine learning," in Proceedings of IEEE Symposium on Security and Privacy (SP), 2017, pp. 19–38.
[32] G. Xu, H. Li, S. Liu, K. Yang, and X. Lin, "VerifyNet: Secure and verifiable federated learning," IEEE Transactions on Information Forensics and Security, vol. 15, pp. 911–926, 2020.
[33] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1999, pp. 223–238.
[34] D. Pei, A. Salomaa, and C. Ding, Chinese Remainder Theorem: Applications in Computing, Coding, Cryptography. World Scientific, 1996.
[35] M. Karaliopoulos, I. Koutsopoulos, and L. Spiliopoulos, "Optimal user choice engineering in mobile crowdsensing with bounded rational users," in Proceedings of IEEE Conference on Computer Communications (INFOCOM), 2019, pp. 1054–1062.
[36] Y. Zhao, M. Li, L. Lai, N. Suda, D. Civin, and V. Chandra, "Federated learning with non-IID data," arXiv preprint arXiv:1806.00582, 2018.
[37] A. Singla and A. Krause, "Truthful incentives in crowdsourcing tasks using regret minimization mechanisms," in Proceedings of International Conference on World Wide Web, 2013, pp. 1167–1178.
[38] J. Katz and Y. Lindell, Introduction to Modern Cryptography. CRC Press, 2020.
[39] L. Lyu, X. He, Y. W. Law, and M. Palaniswami, "Privacy-preserving collaborative deep learning with application to human activity recognition," in Proceedings of ACM on Conference on Information and Knowledge Management (CIKM), 2017, pp. 1219–1228.
[40] J. W. Lockhart, T. Pulickal, and G. M. Weiss, "Applications of mobile activity recognition," in