Search papers, labs, and topics across Lattice.
ZKFL-PQ, a novel federated learning protocol, is introduced to address vulnerabilities in medical AI model training, including gradient inversion attacks, Byzantine client poisoning, and quantum computing threats. The protocol employs a three-tiered cryptographic approach, combining ML-KEM for quantum-resistant key encapsulation, lattice-based zero-knowledge proofs for gradient integrity verification, and BFV homomorphic encryption for privacy-preserving aggregation. Evaluation on synthetic medical imaging data demonstrates ZKFL-PQ's ability to achieve 100% rejection of norm-violating updates while maintaining model accuracy, albeit with a 20x computational overhead deemed acceptable for clinical research.
Achieve 100% rejection of malicious gradient updates in federated learning with a quantum-resistant, zero-knowledge protocol, preventing catastrophic model degradation.
Federated Learning (FL) enables collaborative training of medical AI models across hospitals without centralizing patient data. However, the exchange of model updates exposes critical vulnerabilities: gradient inversion attacks can reconstruct patient information, Byzantine clients can poison the global model, and the \emph{Harvest Now, Decrypt Later} (HNDL) threat renders today's encrypted traffic vulnerable to future quantum adversaries.We introduce \textbf{ZKFL-PQ} (\emph{Zero-Knowledge Federated Learning, Post-Quantum}), a three-tiered cryptographic protocol that hybridizes (i) ML-KEM (FIPS~203) for quantum-resistant key encapsulation, (ii) lattice-based Zero-Knowledge Proofs for verifiable \emph{norm-constrained} gradient integrity, and (iii) BFV homomorphic encryption for privacy-preserving aggregation. We formalize the security model and prove correctness and zero-knowledge properties under the Module-LWE, Ring-LWE, and SIS assumptions \emph{in the classical random oracle model}. We evaluate ZKFL-PQ on synthetic medical imaging data across 5 federated clients over 10 training rounds. Our protocol achieves \textbf{100\% rejection of norm-violating updates} while maintaining model accuracy at 100\%, compared to a catastrophic drop to 23\% under standard FL. The computational overhead (factor $\sim$20$\times$) is analyzed and shown to be compatible with clinical research workflows operating on daily or weekly training cycles. We emphasize that the current defense guarantees rejection of large-norm malicious updates; robustness against subtle low-norm or directional poisoning remains future work.
