F2ED-Learning: Good Fences Make Good Neighbors.

In this paper, we present F2ED-Learning, the first federated learning protocol simultaneously defending against both a semi-honest server and Byzantine malicious clients. Using a robust mean estimator called FilterL2, F2ED-Learning is the first FL protocol providing dimension-free estimation error against Byzantine malicious clients. Besides, F2ED-Learning leverages secure aggregation to protect the clients from a semi-honest server who wants to infer the clients' information from the legitimate updates. The main challenge stems from the incompatibility between FilterL2 and secure aggregation. Specifically, to run FilterL2, the server needs to access individual updates from clients while secure aggregation hides those updates from it. We propose to split the clients into shards, securely aggregate each shard's updates and run FilterL2 on the updates from different shards. The evaluation shows that F2ED-Learning consistently achieves optimal or sub-optimal performance under three attacks among five robust FL protocols.