TY - JOUR
T1 - RoPA
T2 - Robust Privacy-Preserving Forward Aggregation for Split Vertical Federated Learning
AU - Wang, Lingling
AU - Zhang, Zhengyin
AU - Huang, Mei
AU - Gai, Keke
AU - Wang, Jingjing
AU - Shen, Yulong
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2025
Y1 - 2025
N2 - Split Vertical Federated Learning (Split VFL) is an increasingly popular framework for collaborative machine learning on vertically partitioned data. However, it is vulnerable to various attacks, resulting in privacy leakage and robust aggregation issues. Recent works have explored the privacy protection of raw data samples and labels, neglecting malicious attacks launched by dishonest passive parties. Since such parties may deviate from the protocol and launch embedding poisoning attacks and free-riding attacks, model performance loss inevitably results. To address this issue, we propose a Robust Privacy-preserving forward Aggregation (RoPA) protocol, which can resist embedding poisoning attacks and free-riding attacks and protect the privacy of embedding vectors. Specifically, we first present a modified Secret-shared Non-Interactive Proofs (SNIP) algorithm to guarantee the integrity verification of embedding vectors. To prevent free-riding attacks, we also give a validity verification protocol using matrix commitment. In particular, we utilize probability checking and batch verification to improve the verification efficiency of the protocol. Moreover, we adopt arithmetic secret sharing to protect data privacy. Finally, we conduct rigorous theoretical analysis to prove the security of RoPA and evaluate the performance of RoPA. The experimental results show that the proof verification overhead of RoPA is approximately 8× lower than that of the original SNIP, and the model accuracy is improved by 3% to 15% under the above two malicious attacks.
AB - Split Vertical Federated Learning (Split VFL) is an increasingly popular framework for collaborative machine learning on vertically partitioned data. However, it is vulnerable to various attacks, resulting in privacy leakage and robust aggregation issues. Recent works have explored the privacy protection of raw data samples and labels, neglecting malicious attacks launched by dishonest passive parties. Since such parties may deviate from the protocol and launch embedding poisoning attacks and free-riding attacks, model performance loss inevitably results. To address this issue, we propose a Robust Privacy-preserving forward Aggregation (RoPA) protocol, which can resist embedding poisoning attacks and free-riding attacks and protect the privacy of embedding vectors. Specifically, we first present a modified Secret-shared Non-Interactive Proofs (SNIP) algorithm to guarantee the integrity verification of embedding vectors. To prevent free-riding attacks, we also give a validity verification protocol using matrix commitment. In particular, we utilize probability checking and batch verification to improve the verification efficiency of the protocol. Moreover, we adopt arithmetic secret sharing to protect data privacy. Finally, we conduct rigorous theoretical analysis to prove the security of RoPA and evaluate the performance of RoPA. The experimental results show that the proof verification overhead of RoPA is approximately 8× lower than that of the original SNIP, and the model accuracy is improved by 3% to 15% under the above two malicious attacks.
KW - Integrity
KW - Privacy-preserving
KW - Robust
KW - SNIP
KW - Vertical federated learning
UR - http://www.scopus.com/inward/record.url?scp=105005421488&partnerID=8YFLogxK
U2 - 10.1109/TNSM.2025.3569228
DO - 10.1109/TNSM.2025.3569228
M3 - Article
AN - SCOPUS:105005421488
SN - 1932-4537
JO - IEEE Transactions on Network and Service Management
JF - IEEE Transactions on Network and Service Management
ER -