{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T17:01:42Z","timestamp":1777568502742,"version":"3.51.4"},"reference-count":99,"publisher":"IEEE","license":[{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"funder":[{"DOI":"10.13039\/100000028","name":"Semiconductor Research Corporation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100000028","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5]]},"DOI":"10.1109\/sp46215.2023.10179400","type":"proceedings-article","created":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T17:18:15Z","timestamp":1689959895000},"page":"453-476","source":"Crossref","is-referenced-by-count":76,"title":["RoFL: Robustness of Secure Federated Learning"],"prefix":"10.1109","author":[{"given":"Hidde","family":"Lycklama","sequence":"first","affiliation":[{"name":"ETH Zurich"}]},{"given":"Lukas","family":"Burkhalter","sequence":"additional","affiliation":[{"name":"ETH Zurich"}]},{"given":"Alexander","family":"Viand","sequence":"additional","affiliation":[{"name":"ETH Zurich"}]},{"given":"Nicolas","family":"K\u00fcchler","sequence":"additional","affiliation":[{"name":"ETH Zurich"}]},{"given":"Anwar","family":"Hithnawi","sequence":"additional","affiliation":[{"name":"ETH Zurich"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Tonic RPC framework","year":"2021"},{"key":"ref2","article-title":"TensorFlow: Large-scale machine learning on heterogeneous systems","volume-title":"software available from tensorflow.org","author":"Abadi","year":"2015"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-24178-9_9"},{"key":"ref4","article-title":"Prio+: Privacy Preserving Aggregate Statistics via Boolean Shares","author":"Addanki","year":"2021","journal-title":"Cryptology ePrint Archive cryptoeprint:2021\/576"},{"key":"ref5","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-84245-1_18","article-title":"Subtractive sets over cyclotomic rings: Limits of schnorr-like arguments over lattices","volume-title":"Cryptology ePrint Archive","author":"Albrecht","year":"2021"},{"key":"ref6","article-title":"Differential privacy has disparate impact on model accuracy","author":"Bagdasaryan","year":"2019","journal-title":"NeurIPS"},{"key":"ref7","first-page":"2938","article-title":"How To Backdoor Federated Learning","author":"Bagdasaryan","year":"2020","journal-title":"AISTATS"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417885"},{"key":"ref9","first-page":"634","article-title":"Analyzing federated learning through an adversarial lens","author":"Bhagoji","year":"2019","journal-title":"ICML"},{"key":"ref10","first-page":"1467","article-title":"Poisoning Attacks against Support Vector Machines","author":"Biggio","year":"2012","journal-title":"ICML"},{"key":"ref11","first-page":"119","article-title":"Machine Learning with Adversaries: Byzantine Tolerant Gradient Descent","author":"Blanchard","year":"2017","journal-title":"NeurIPS"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/62212.62222"},{"key":"ref13","article-title":"When the curious abandon honesty: Federated learning is not private","author":"Boenisch","year":"2021"},{"key":"ref14","first-page":"2147","article-title":"Secure Multi-party Computation of Differentially Private Median","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"B\u00f6hler"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133982"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00048"},{"key":"ref17","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-56880-1_16","article-title":"A non-PCP approach to succinct Quantum-Safe Zero-Knowledge","volume-title":"Cryptology ePrint Archive","author":"Bootle","year":"2020"},{"key":"ref18","article-title":"Federated Learning: Collaborative Machine Learning without Centralized Training Data","author":"Brendan McMahan","year":"2017"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijmedinf.2018.01.007"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2018.00020"},{"key":"ref21","article-title":"Leaf: A benchmark for federated settings","author":"Caldas","year":"2018"},{"key":"ref22","article-title":"Proof systems for general statements about discrete logarithms","volume":"260","author":"Camenisch","year":"1997","journal-title":"Technical report\/Dept. of Computer Science, ETH Z\u00fcrich"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2002.1004361"},{"key":"ref24","article-title":"The Secret Sharer: Evaluating and Testing Unintended Memorization in Neural Networks","author":"Carlini","year":"2019","journal-title":"USENIX Security"},{"key":"ref25","article-title":"Extracting training data from large language models","author":"Carlini","year":"2021","journal-title":"USENIX Security"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/1525856.1525858"},{"key":"ref27","first-page":"902","article-title":"DRACO: byzantine-resilient distributed training via redundant gradients","volume-title":"ICML","author":"Chen","year":"2018"},{"key":"ref28","article-title":"Targeted backdoor attacks on deep learning systems using data poisoning","author":"Chen","year":"2017"},{"key":"ref29","first-page":"259","article-title":"Prio: private, robust, and scalable computation of aggregate statistics","author":"Corrigan-Gibbs","year":"2017","journal-title":"USENIX NSDI"},{"key":"ref30","article-title":"Protecting Privacy by Splitting Trust","volume-title":"Ph.D. dissertation","author":"Corrigan-Gibbs","year":"2019"},{"key":"ref31","article-title":"Rust Bulletproofs Library","author":"Cryptography","year":"2020"},{"key":"ref32","article-title":"Rust Curve25519 Library","author":"Cryptography","year":"2020"},{"key":"ref33","doi-asserted-by":"crossref","first-page":"643","DOI":"10.1007\/978-3-642-32009-5_38","article-title":"Multiparty computation from somewhat homomorphic encryption","volume-title":"Advances in Cryptology \u2013 CRYPTO 2012.","author":"Damg\u00e5rd","year":"2012"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3563766.3564089"},{"key":"ref35","first-page":"207","article-title":"P4P: Practical Large-Scale Privacy-Preserving distributed computation robust against malicious users","volume-title":"USENIX Security","author":"Duan","year":"2010"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-39568-7_2"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-31284-7_33"},{"key":"ref38","first-page":"1605","article-title":"Local model poisoning attacks to Byzantine-robust federated learning","author":"Fang","year":"2020","journal-title":"USENIX Security"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3357713.3384290"},{"key":"ref40","first-page":"2881","article-title":"What neural networks memorize and why: Discovering the long tail via influence estimation","author":"Feldman","year":"2020","journal-title":"NeurIPS"},{"key":"ref41","first-page":"186","article-title":"How to Prove Yourself: Practical Solutions to Identification and Signature Problems","author":"Fiat","year":"1987","journal-title":"CRYPTO"},{"key":"ref42","article-title":"Robbing the fed: Directly obtaining private data in federated learning with modified models","author":"Fowl","year":"2021"},{"key":"ref43","article-title":"Mitigating Sybils in Federated Learning Poisoning","author":"Fung","year":"2018"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-22444-7_15"},{"key":"ref45","article-title":"Inverting Gradients - How Easy is It to Break Privacy in Federated Learning?","author":"Geiping","year":"2020","journal-title":"NeurIPS"},{"key":"ref46","article-title":"Differentially Private Federated Learning: A Client Level Perspective","author":"Geyer","year":"2017"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1007\/11496137_32"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-03356-8_12"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-49896-5_11"},{"key":"ref50","article-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain","author":"Gu","year":"2017"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/cvpr.2016.90"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1162\/neco.1997.9.8.1735"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243757"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1561\/2200000083"},{"key":"ref55","article-title":"Federated Learning: Strategies for Improving Communication Efficiency","volume-title":"NeurIPS Workshop on Private Multi-Party Machine Learning","author":"Kone\u010dn\u00fd"},{"key":"ref56","article-title":"Learning multiple layers of features from tiny images","author":"Krizhevsky","year":"2009"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-22263-4_10"},{"key":"ref58","article-title":"LeNet-5, convolutional neural networks","author":"LeCun","year":"2015"},{"key":"ref59","article-title":"Measuring the Intrinsic Dimension of Objective Landscapes","author":"Li","year":"2018","journal-title":"ICLR"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref61","article-title":"TimeCrypt: Encrypted Data Stream Processing at Scale with Cryptographic Access Control","author":"Burkhalter","year":"2020","journal-title":"USENIX NSDI"},{"key":"ref62","article-title":"Zeph: Cryptographic Enforcement of End-to-End Data Privacy","author":"Burkhalter","year":"2021","journal-title":"USENIX OSDI"},{"key":"ref63","article-title":"Communication-Efficient learning of deep networks from decentralized data","author":"McMahan","year":"2017","journal-title":"AIS-TATS"},{"key":"ref64","article-title":"Learning differentially private recurrent language models","volume-title":"6th International Conference on Learning Representations, ICLR 2018","author":"McMahan"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23175"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.23054"},{"key":"ref67","first-page":"1641","article-title":"Justinian\u2019s GAAvernor: Robust Distributed Learning with Gradient Aggregation Agent","author":"Pan","year":"2020","journal-title":"USENIX Security"},{"key":"ref68","article-title":"Eluding secure aggregation in federated learning via model inconsistency","author":"Pasquini","year":"2021"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-46766-1_9"},{"key":"ref70","article-title":"Differentially-Private \u201dDraw and Discard\" Machine Learning","author":"Pihur","year":"2018"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.2307\/2006496"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046781"},{"key":"ref73","article-title":"Detox: A redundancy-based framework for faster and more robust gradient aggregation","author":"Rajput","year":"2019","journal-title":"NeurIPS"},{"key":"ref74","article-title":"Federated Learning for Emoji Prediction in a Mobile Keyboard","author":"Ramaswamy","year":"2019"},{"key":"ref75","article-title":"Turning HATE Into LOVE: Compact Homomorphic Ad Hoc Threshold Encryption for Scalable MPC","volume-title":"Cryptology ePrint Archive, Report 2018\/997","author":"Reyzin","year":"2018"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/2046556.2046564"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1038\/s41746-020-00323-1"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1145\/3341301.3359660"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/3131672.3131697"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833647"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1038\/s41598-020-69250-1"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-11723-8_9"},{"key":"ref83","doi-asserted-by":"crossref","first-page":"508","DOI":"10.1145\/2991079.2991125","article-title":"Auror: Defending against poisoning attacks in collaborative deep learning systems","author":"Shen","year":"2016","journal-title":"ACM ACSAC"},{"key":"ref84","article-title":"Privacy-preserving aggregation of time-series data","author":"Shi","year":"2011","journal-title":"NDSS"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"},{"key":"ref86","article-title":"Can you really backdoor federated learning?","author":"Suresh","year":"2019","journal-title":"Federated learning workshop at NeurIPS"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_24"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1145\/3378679.3394533"},{"key":"ref89","article-title":"The Devil is in the Tails: Fine-grained Classification in the Wild","author":"Van Horn","year":"2017"},{"key":"ref90","first-page":"16 070","article-title":"Attack of the Tails: Yes, You Really Can Backdoor Federated Learning","author":"Wang","year":"2020","journal-title":"NeurIPS"},{"key":"ref91","article-title":"Thinking two moves ahead: Anticipating other users improves backdoor attacks in federated learning","author":"Wen","year":"2022"},{"key":"ref92","article-title":"DBA: Distributed Backdoor Attacks against Federated Learning","author":"Xie","year":"2020","journal-title":"ICLR"},{"key":"ref93","first-page":"261","article-title":"Fall of empires: Breaking byzantine-tolerant SGD by inner product manipulation","volume":"115","author":"Xie","year":"2020","journal-title":"UAI"},{"key":"ref94","article-title":"Byzantine-Robust Distributed Learning: Towards Optimal Statistical Rates","author":"Yin","year":"2019","journal-title":"ICML"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.01607"},{"key":"ref96","article-title":"BatchCrypt: Efficient Homomorphic Encryption for Cross-Silo Federated Learning","author":"Zhang","year":"2020","journal-title":"USENIX ATC"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1145\/3446776"},{"key":"ref98","first-page":"26 429","article-title":"Neurotoxin: Durable backdoors in federated learning","volume-title":"ICML","volume":"162","author":"Zhang","year":"2022"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2014.122"}],"event":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2023,5,21]]},"end":{"date-parts":[[2023,5,25]]}},"container-title":["2023 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10179215\/10179280\/10179400.pdf?arnumber=10179400","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,20]],"date-time":"2024-07-20T05:17:20Z","timestamp":1721452640000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10179400\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5]]},"references-count":99,"URL":"https:\/\/doi.org\/10.1109\/sp46215.2023.10179400","relation":{},"subject":[],"published":{"date-parts":[[2023,5]]}}}