Towards Privacy-Preserving and Verifiable Federated Matrix Factorization

Recent years have witnessed the rapid growth of federated learning (FL), an emerging privacy-aware machine learning paradigm that allows collaborative learning over isolated datasets distributed across multiple participants. The salient feature of FL is that the participants can keep their private datasets local and only share model updates. Very recently, some research efforts have been initiated to explore the applicability of FL for matrix factorization (MF), a prevalent method used in modern recommendation systems and services. It has been shown that sharing the gradient updates in federated MF entails privacy risks of revealing users' personal ratings, posing a demand for protecting the shared gradients. Prior art is limited in that it incurs notable accuracy loss or relies on a heavy cryptosystem, with a weak threat model assumed. In this paper, we propose VPFedMF, a new design aimed at privacy-preserving and verifiable federated MF. VPFedMF provides guarantees on the confidentiality of individual gradient updates in federated MF through lightweight and secure aggregation. Moreover, VPFedMF ambitiously and newly supports correctness verification of the aggregation results produced by the coordinating server in federated MF. Experiments on a real-world movie rating dataset demonstrate the practical performance of VPFedMF in terms of computation, communication, and accuracy.




1 Introduction

Privacy-preserving machine learning has been gaining increasing attention from both academia and industry (e.g., Google and WeBank) in recent years, because of the increased user privacy awareness in society and the enforcement of data privacy laws such as the General Data Protection Regulation (GDPR, effective in May 2018) Europe (2016), the California Privacy Rights Act (CPRA, effective in Jan. 2021) States (2020), and the China Data Security Law (CDSL, effective in Sep. 2021) China (2021). Federated learning (FL) is one of the most popular paradigms in recent years for providing privacy protection in machine learning McMahan et al. (2017); Li et al. (2020); Zhang et al. (2021), and has demonstrated applicability in various application scenarios ranging from resource-limited mobile devices Gao et al. (2020) to resource-rich institutions, e.g., medical centers Xu et al. (2021). In FL, participants keep their private datasets local, yet are able to train a global model over the joint datasets Li et al. (2021). A centralized server coordinates the participants and aggregates their local model updates (instead of their raw private datasets) to iteratively update the global model.

The FL paradigm has seen successful applications in scenarios that deal with privacy-sensitive data. For example, in financial systems like open banking Long et al. (2020), FL can be leveraged to identify malicious clients who swindle loans and evade debt repayment, without exposing all clients' financial information Yang et al. (2019). On the other hand, it is noted that most existing FL systems and services have focused on deep neural networks Nasr et al. (2019); Perifanis and Efraimidis (2022); Wang et al. (2020). Very recently, some research efforts have been initiated to explore the applicability of FL for matrix factorization Koren et al. (2009), a prevalent method that has seen wide use in recommendation systems for rating prediction, item ranking, item recommendation, and more Yu et al. (2017); Zhang et al. (2019); Yang et al. (2021). Generally, MF decomposes a user-item rating matrix into two latent representations or components: a user profile matrix and an item profile matrix, where a new prediction can be made by combining both matrices.

The conventional MF is performed in a centralized manner, which may easily cause violations of data privacy. Indeed, user ratings contain private information such as user behavior, preferences, and social status Kosinski et al. (2013). Therefore, it is imperative to protect user privacy in MF while making quality recommendations. There are efforts towards addressing this concern. Berlioz et al. Berlioz et al. (2015) propose to utilize differential privacy Dwork et al. (2006) to obfuscate users' raw data so as to secure the model results after centralized training, at the cost of accuracy loss. Some works Nikolaenko et al. (2013); Kim et al. (2016); Bellare et al. (2012) resort to cryptographic techniques (like powerful yet expensive homomorphic encryption and garbled circuits). These works, however, still all fall within centralized training settings and lack scalability for practical deployment.

Very recently, Chai et al. Chai et al. (2020) initiated the study of how to bridge FL and MF, enabling MF to be conducted in an FL setting. MF in an FL setting updates the user profile matrix only at the user side, while aggregating gradient information and updating the item profile matrix at the server side. This reflects the fact that the user profile matrix encodes private preference information. In this context, Chai et al. analyze the privacy leakage in federated MF and find that user rating information can still be leaked when the server can see and analyze the gradient information uploaded by the users. As a solution, they apply additive homomorphic encryption (AHE) to protect the gradient information in aggregation and propose a design called FedMF. Although, through the use of AHE, FedMF neither requires raw datasets from users nor leaks the gradient information, it incurs significant performance overheads. Moreover, FedMF works under a relatively weak security model and does not offer assurance on the computation integrity of aggregation against the server.

In light of the above, this work proposes VPFedMF, a new protocol for enabling privacy-preserving and verifiable federated matrix factorization. VPFedMF protects the confidentiality of the gradient information of individual users throughout the whole process of federated matrix factorization, through an advanced masking-based secure aggregation technique with low overhead. In particular, in VPFedMF, users provide encrypted gradient information through lightweight encryption, while the server is still able to perform aggregation over the encrypted gradient updates. This is in substantial contrast to the state-of-the-art (SOTA) work Chai et al. (2020), which relies on a heavy homomorphic cryptosystem. In the meantime, VPFedMF newly and ambitiously provides assurance on the integrity of aggregation against the server, achieving much stronger security than Chai et al. (2020). In particular, VPFedMF introduces a delicate verification mechanism that allows users to verify the correctness of the aggregation result received from the server in each iteration. An adversarial server that does not correctly perform the aggregation would be detected. We highlight our contributions as follows.

  • We present a new protocol VPFedMF, which provides cryptographic guarantees on the confidentiality of gradient information of individual users in federated matrix factorization, through masking-based lightweight and secure aggregation.

  • VPFedMF newly provides assurance on the integrity of aggregation against the server, under a stronger threat model that was overlooked by prior work. Through a delicate cryptographic verification mechanism, VPFedMF allows user-side verification of the correctness of aggregation results produced by the server.

  • We implement VPFedMF and perform a thorough performance evaluation on a real-world movie rating dataset, MovieLens. Compared with the SOTA work FedMF Chai et al. (2020), VPFedMF is substantially faster. Experiments also validate that VPFedMF preserves the accuracy, matching that of plaintext-domain federated MF and conventional centralized MF.

The rest of the paper is organized as follows. Section 2 provides necessary preliminaries. Section 3 elaborates on our system model, threat model, and the detailed construction, followed by the security analysis in Section 4. Section 5 provides the performance evaluation and comparison. Section 6 concludes the paper.

2 Technical Preliminaries

This section provides preliminaries related to the construction of VPFedMF. We first introduce matrix factorization in a federated learning setting, and then describe several cryptographic primitives used later.

2.1 Federated Matrix Factorization

The MF technique Koren et al. (2009); Takács et al. (2008); Gemulla et al. (2011) has been popularly used in recommendation systems. Given a sparse rating matrix $R \in \mathbb{R}^{n \times m}$, MF aims to generate a user profile matrix $U \in \mathbb{R}^{n \times d}$ and an item profile matrix $V \in \mathbb{R}^{m \times d}$ with the same latent dimension $d$, where $n$ is the number of users and $m$ is the number of items. The $i$-th row of $U$ represents the profile $u_i$ of the $i$-th user, and the $j$-th row of $V$ represents the profile $v_j$ of the $j$-th item. Let $r_{ij}$ denote the rating value generated by user $i$ for item $j$. The resulting matrices $U$ and $V$ after training can then be used to generate predictions for the rating values for all user/item pairs, i.e., $\hat{r}_{ij} = u_i^{\top} v_j$, where $u_i$ is the profile vector for user $i$ and $v_j$ is the profile vector for item $j$.

The computation of the user profile matrix $U$ and the item profile matrix $V$ can be achieved by solving the following regularized least squares minimization problem:

$$\min_{U, V} \; \frac{1}{M} \sum_{(i,j)} \left( r_{ij} - u_i^{\top} v_j \right)^2 + \lambda \|u_i\|^2 + \mu \|v_j\|^2,$$

where $M$ is the total number of ratings, and $\lambda$ and $\mu$ are small positive values in order to avoid overfitting.

To solve this optimization problem, the method of stochastic gradient descent (SGD) is usually applied, which iteratively updates $u_i$ and $v_j$ through the following rules in an iteration $t$:

$$u_i^t = u_i^{t-1} - \gamma \nabla_{u_i} F, \qquad v_j^t = v_j^{t-1} - \gamma \nabla_{v_j} F,$$

where $\nabla_{u_i} F$ and $\nabla_{v_j} F$ are gradient vectors computed based on the current user profile matrix $U$ and item profile matrix $V$, as shown below:

$$\nabla_{u_i} F = -2 v_j (r_{ij} - u_i^{\top} v_j) + 2 \lambda u_i, \qquad \nabla_{v_j} F = \sum_{i=1}^{n_j} \left( -2 u_i (r_{ij} - u_i^{\top} v_j) + 2 \mu v_j \right),$$

where $\gamma$ is also a small positive value to control the convergence speed and $n_j$ is the number of users providing ratings for item $j$. Each user $i$ generates gradient vectors $\nabla_{v_j}^{i}$ for each item $j$:

$$\nabla_{v_j}^{i} = -2 u_i (r_{ij} - u_i^{\top} v_j) + 2 \mu v_j.$$

Conventionally, MF is performed in a centralized setting where all the ratings are collected by a server for processing. Recently, there have been research efforts on supporting MF in a distributed manner, particularly using the FL paradigm, for the purpose of reducing privacy risks by avoiding the exposure of raw rating values Chai et al. (2020). The process of federated MF is detailed in Algorithm 1. It is executed between a server and a set of users that hold their rating values locally. In each iteration $t$, the server sends the current item profile matrix $V^{t-1}$ to all users. Note that in the first iteration, the server initializes $V^0$ and each user $i$ generates its user vector $u_i^0$. Given $V^{t-1}$, each user $i$ computes the gradient vector $\nabla_{u_i} F$, which is used to update the user vector $u_i^t$. Each user $i$ then computes a gradient vector $\nabla_{v_j}^{i}$ for each item $j$ based on his ratings and the vector $v_j^{t-1}$ derived from $V^{t-1}$. Each user uploads its gradient vectors $\{\nabla_{v_j}^{i}\}$ to the server, which aggregates these gradient vectors and produces an aggregate gradient vector $\nabla_{v_j} = \sum_i \nabla_{v_j}^{i}$ for each item $j$. The aggregate gradient vector is used to update the item vector $v_j$, through $v_j^t = v_j^{t-1} - \gamma \nabla_{v_j}$.

While performing MF under the federated learning paradigm avoids the sharing of raw ratings, the sharing of gradients has been shown to be subject to attacks which could infer the rating values, compromising the data privacy Chai et al. (2020). Hence, it is necessary to offer protection on the shared gradients in FedMF.

0:  Input: Initialized user vectors $u_i^0$ on the user side and item matrix $V^0$ on the server side.
0:  Output: Trained user matrix $U$ and item matrix $V$.
1:  for each iteration $t$ do
2:     Users download the latest item profile matrix $V^{t-1}$ from the server.
3:     for each user $i$ do
4:        Compute gradient $\nabla_{u_i} F$.
5:        Compute $u_i^t = u_i^{t-1} - \gamma \nabla_{u_i} F$.
6:        Compute $\nabla_{v_j}^{i}$ for each item $j$.
7:        Send $\{\nabla_{v_j}^{i}\}$ to the server.
8:     end for
9:     The server aggregates $\nabla_{v_j} = \sum_i \nabla_{v_j}^{i}$ for each item $j$ from all users.
10:     The server updates the item vectors: $v_j^t = v_j^{t-1} - \gamma \nabla_{v_j}$.
11:  end for
Algorithm 1 Federated MF in the Plaintext Domain
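The loop of Algorithm 1 can be sketched in a few lines of Python; the toy ratings, dimensions, and hyperparameter values below are our own illustrative choices, not those of the paper.

```python
import numpy as np

# Minimal sketch of Algorithm 1 (plaintext federated MF) on toy data.
rng = np.random.default_rng(0)
n_users, n_items, d = 4, 5, 3
gamma, lam, mu = 0.01, 0.02, 0.02             # learning rate and regularizers

# Sparse ratings: one dict per user, {item: rating}.
ratings = [{0: 4.0, 2: 3.0}, {1: 5.0}, {0: 2.0, 3: 4.0}, {4: 1.0}]
U = rng.standard_normal((n_users, d)) * 0.1   # user vectors, kept locally
V = rng.standard_normal((n_items, d)) * 0.1   # item matrix, held by the server

for t in range(50):
    agg = np.zeros_like(V)                    # server-side gradient accumulator
    for i, r_i in enumerate(ratings):
        # User i downloads V, updates u_i locally, and computes item gradients.
        for j, r in r_i.items():
            err = r - U[i] @ V[j]
            grad_u = -2 * err * V[j] + 2 * lam * U[i]
            grad_v = -2 * err * U[i] + 2 * mu * V[j]
            U[i] -= gamma * grad_u            # user-side update
            agg[j] += grad_v                  # only gradients leave the user
    V -= gamma * agg                          # server updates the item matrix
```

Note that only the per-item gradients (the `agg` entries) ever reach the server; the user vectors in `U` never leave the users.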

2.2 Homomorphic Hash Function

A homomorphic hash function compresses a vector into a short hash while preserving the additive property Bellare et al. (1994). It is based on the hardness of the discrete logarithm in groups of prime order. Let $\mathbb{G}$ denote a cyclic group of prime order $q$ with generator $g$, and let $g_1, \dots, g_d$ represent distinct elements randomly chosen from $\mathbb{G}$. Given a $d$-dimensional vector $\mathbf{x}$, whose $k$-th element is denoted by $x_k$, the homomorphic hash of $\mathbf{x}$ is computed via $HF(\mathbf{x}) = \prod_{k=1}^{d} g_k^{x_k}$.
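To make the additive property concrete, here is a toy instantiation over a small prime-order subgroup; the tiny parameters and the way the generators are derived are illustrative only (a deployment would use a cryptographic group such as NIST-P256, as in Section 5).

```python
# Toy homomorphic hash over the order-q subgroup of Z_p^* (quadratic residues).
q = 1019                                      # prime group order (toy size)
p = 2 * q + 1                                 # safe prime, so QR(p) has order q
d = 4                                         # vector dimension
gs = [pow(k + 2, 2, p) for k in range(d)]     # squares != 1 all have order q

def HF(x):
    """Homomorphic hash: product of g_k^{x_k} in the group."""
    h = 1
    for g, xk in zip(gs, x):
        h = h * pow(g, xk % q, p) % p
    return h

a = [3, 1, 4, 1]
b = [2, 7, 1, 8]
s = [ai + bi for ai, bi in zip(a, b)]
# Additive homomorphism: HF(a) * HF(b) = HF(a + b) in the group.
assert HF(a) * HF(b) % p == HF(s)
```

The homomorphism is exactly what later lets users check an aggregate against the product of individually committed hashes.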

2.3 Commitment

A commitment scheme allows one to commit to a message ahead of time. Later, the message is revealed, and the commitment can be used to check whether the revealed message is indeed the one committed in the beginning. A secure commitment scheme guarantees that a message cannot be modified after being committed. Besides, the commitment hides the underlying committed message. A commitment scheme proceeds in two phases: the commit phase and the decommit phase. In the commit phase, a commitment for a message $m$ is generated by $com = \mathsf{Com}(m; r)$, where $r$ is randomness. In the decommit phase, a message $m$ is revealed, and a function $\mathsf{Decom}(com, m, r)$ is run to check whether $m$ is the message underlying the commitment $com$. The function outputs $1$, indicating successful verification, or $\perp$, indicating verification failure.
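As a concrete illustration, a minimal hash-based commitment can be sketched as follows (Section 5 instantiates commitments with SHA-256; the function names here are our own).

```python
import hashlib
import secrets

# Minimal hash commitment: com = SHA-256(r || m), opened by revealing (m, r).
def commit(message, randomness=None):
    r = randomness if randomness is not None else secrets.token_bytes(32)
    com = hashlib.sha256(r + message).digest()
    return com, r

def open_commitment(com, message, r):
    """Decommit check: recompute the hash and compare."""
    return hashlib.sha256(r + message).digest() == com

com, r = commit(b"gradient-hash")
assert open_commitment(com, b"gradient-hash", r)    # honest decommit passes
assert not open_commitment(com, b"tampered", r)     # modified message fails
```

Hiding comes from the 32 bytes of fresh randomness prepended to the message; binding comes from the collision resistance of SHA-256.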


3.1 Overview

The overview of our proposed VPFedMF system framework is illustrated in Fig. 1. VPFedMF enables matrix factorization in a federated learning setting, while preventing privacy leakages from the gradients by aggregating gradients in the ciphertext domain via secure aggregation techniques. In the meantime, it aims to enforce that the (secure) aggregation is correctly conducted by the server through the integration of a verification mechanism. We elaborate on the design rationale as follows.

Figure 1: The system overview of our proposed VPFedMF design.

Unlike the prior work Chai et al. (2020) that relies on heavy homomorphic encryption for secure aggregation, VPFedMF resorts to a newly developed masking-based lightweight secure aggregation technique Bonawitz et al. (2017) for encrypting each user’s gradient vector while supporting aggregation of the encrypted gradient vectors.

Specifically, in VPFedMF, each user will generate a tailored random masking vector for encrypting the gradient vector for each item $j$. The random masking vector is generated based on each user's secret key and the public keys of the other users in the system. The generation process only requires the usage of a pseudorandom number generator and thus is fast compared with homomorphic encryption. Once the random masking vector is generated, encryption is achieved via fast modulo addition. In order to guarantee the integrity of the aggregation result, which could be potentially corrupted by the server, we take advantage of cryptographic techniques including the homomorphic hash function and commitment to foster a verification mechanism in VPFedMF, inspired by the recent work Guo et al. (2020). Specifically, before sending the encrypted gradient vector to the server in an iteration, each user first commits to its gradient vector based on the homomorphic hash function and the commitment scheme. The commitments are sent to all other users in the system, which will be used later to verify the integrity of the aggregation result received from the server. Based on the above insights, this paper presents the first design for verifiable and privacy-preserving federated matrix factorization.

Initialization (Phase 0, only once, in iteration $t = 0$):
  Key generation:
    User: Each user $i$ generates its private key $sk_i$ and public key $pk_i = g^{sk_i}$, and sends its public key to the server.
    Server: The server receives the public key $pk_i$ from user $i$ and broadcasts it to the other users.
    User: Each user $i$ computes its shared key $s_{i,k} = pk_k^{sk_i}$ with every other user $k$.
  Profile initialization:
    User: Each user $i$ initializes the user vector $u_i^0$.
    Server: The server prepares the initial item profile matrix $V^0$.
User Update (Phase 1): Each user $i$ receives the latest item profile matrix $V^{t-1}$ from the server. Then, $i$ computes the user gradient vector $\nabla_{u_i} F$ and the item gradient vector $\nabla_{v_j}^{i}$ for each item $j$. The gradient vector $\nabla_{u_i} F$ is used to locally update the user profile vector to $u_i^t$, via $u_i^t = u_i^{t-1} - \gamma \nabla_{u_i} F$. The gradient vector $\nabla_{v_j}^{i}$ for each item $j$ will enter the next secure aggregation phase.
Secure Aggregation (Phase 2):
  Making commitments:
    User: Each $i$ computes $h_j^i = HF(\nabla_{v_j}^{i})$ and $com_j^i = \mathsf{Com}(h_j^i; r_j^i)$ for each item $j$, and sends its commitments to the server.
    Server: The server receives the commitments from user $i$ and broadcasts them to the other users.
  Masking gradient vectors:
    User: Each $i$ expands each shared key $s_{i,k}$ by a pseudorandom number generator PRG into a $d$-dimensional vector for masking. In particular, each $i$ computes, for each item $j$, $y_j^i = \nabla_{v_j}^{i} + \sum_{k: i < k} \mathsf{PRG}(s_{i,k}) - \sum_{k: i > k} \mathsf{PRG}(s_{i,k}) \bmod R$, where $R$ is a modulus defining the message space. Each $i$ sends $y_j^i$ to the server.
  Aggregating masked gradient vectors:
    Server: The server receives $\{y_j^i\}$ from the users and computes the aggregation result $\nabla_{v_j} = \sum_i y_j^i \bmod R$ for all items, where it is derived that $\nabla_{v_j} = \sum_i \nabla_{v_j}^{i} \bmod R$. The server broadcasts the aggregation result for each item $j$ (i.e., the updated $v_j^t$) to all users.
Verification (Phase 3):
  Decommitting:
    User: Each $i$ sends to the server its decommitment strings, i.e., the hashes $h_j^i$ and the corresponding randomnesses $r_j^i$.
    Server: The server receives the decommitment strings from user $i$ and broadcasts them to the other users.
  Commitment verification:
    User: Each $i$ first checks for each item $j$ whether the received decommitment strings pass a commitment verification, via checking whether $\mathsf{Decom}(com_j^k, h_j^k, r_j^k) = 1$ for each user $k \neq i$. If the equality test holds for every $k$ and every $j$, $i$ moves to the next Aggregation Result Verification step. Otherwise, $i$ outputs $\perp$ and aborts.
  Aggregation result verification:
    User: Each $i$ checks the integrity of the aggregation result for each item $j$ through the following equality test: $HF(\nabla_{v_j}) \stackrel{?}{=} \prod_i h_j^i$. If the equality holds for all items, $i$ accepts the updated item matrix $V^t$ and moves to the next iteration. Otherwise, $i$ outputs $\perp$ and aborts.

Figure 2: The full protocol of VPFedMF (in an iteration ).

3.2 Threat Model

In VPFedMF, we consider that the server may be compromised by an adversary. The adversary may attempt to infer the private gradient vectors of users, threatening the confidentiality of the raw rating values held by users locally. Besides, the adversary may instruct the server to not correctly perform the aggregation over the gradient vectors received from users in each iteration, threatening the integrity of aggregation result for matrix factorization. In addition, we consider that the adversary may corrupt a subset of users and know their gradient vectors. Our security goal is to ensure the confidentiality of individual honest users’ gradient vectors against other parties in the system as well as the integrity of the aggregation result against the server, throughout the whole VPFedMF procedure.

3.3 Detailed Construction

The proposed protocol in VPFedMF for verifiable and privacy-preserving federated matrix factorization is detailed in Fig. 2. It proceeds in four phases: Initialization, User Update, Secure Aggregation, and Verification. The initialization phase is performed only once at the start of the protocol, while the other three phases run sequentially in each iteration. In what follows, we introduce the processing in each phase.

3.3.1 Initialization

At the beginning, each user $i$ generates a key pair using the same cyclic group $\mathbb{G}$ as in Section 2.2, where the secret key $sk_i$ is randomly chosen from $\mathbb{Z}_q$ and the public key is computed as $pk_i = g^{sk_i}$. Then user $i$ sends the public key $pk_i$ to the server, which then broadcasts it to the other users in the system. Each user $i$ initializes his user vector $u_i^0$ and derives a shared key $s_{i,k} = pk_k^{sk_i}$ from each other user $k$'s public key. On the server side, the server initializes the item matrix $V^0$.

3.3.2 User Update

In the $t$-th iteration, each user $i$ generates two types of gradient vectors: (i) $\nabla_{u_i} F$ for himself and (ii) $\nabla_{v_j}^{i}$ for the item vector update. Here, $\nabla_{u_i} F$ is utilized for updating the corresponding user vector to produce $u_i^t$, while the item gradient vectors $\nabla_{v_j}^{i}$ will be adequately encrypted and submitted to the server in the next phase.

3.3.3 Secure Aggregation

In this phase, secure aggregation is performed to securely aggregate each item $j$'s gradient vectors collected from the users, so as to produce an updated vector $v_j^t$ for each item $j$. Besides, in order to simultaneously ensure the integrity of the aggregation at the server side, VPFedMF also enforces a verification mechanism based on cryptographic techniques including commitment and the homomorphic hash function, as mentioned above. The secure aggregation phase in VPFedMF runs as follows.

Firstly, each user $i$ calculates the gradient vector $\nabla_{v_j}^{i}$ for each item $j$, which will serve as his input in the secure aggregation.

Then, user $i$ generates commitments for his inputs, through $h_j^i = HF(\nabla_{v_j}^{i})$ and $com_j^i = \mathsf{Com}(h_j^i; r_j^i)$ for each item $j$.

User $i$ then sends the commitments $com_j^i$ to the server, which then broadcasts them to the other users. The input messages and randomnesses to the commitments are kept locally. Subsequently, each user $i$ generates an encrypted gradient vector based on lightweight masking. In particular, $i$ computes masking vectors from the shared keys $s_{i,k}$, based on the delicate use of a pseudorandom number generator PRG, as seen in Algorithm 2. The way of mask generation ensures that the masking vectors cancel out once the sum of the masked gradient vectors is formed. After performing masking, $i$ produces $y_j^i = \nabla_{v_j}^{i} + \sum_{k: i < k} \mathsf{PRG}(s_{i,k}) - \sum_{k: i > k} \mathsf{PRG}(s_{i,k}) \bmod R$, which is sent to the server. The server receives $\{y_j^i\}$ from the users and computes the aggregation result $\nabla_{v_j} = \sum_i y_j^i \bmod R$ for all items. The server then broadcasts the aggregation result for each item $j$ (i.e., the updated $v_j^t$) to all users.
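The cancellation of the pairwise masks can be illustrated with a small self-contained sketch; the SHA-256-based PRG, the placeholder shared-key strings, and the toy parameters below are our own illustrative choices, not the paper's exact construction.

```python
import hashlib
import numpy as np

R = 2**32                                     # modulus defining the message space
d = 5                                         # gradient vector dimension

def prg(seed, d):
    """Toy PRG: expand a seed into d values in [0, R) via SHA-256 in counter mode."""
    out = []
    ctr = 0
    while len(out) < d:
        block = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out.extend(int.from_bytes(block[k:k + 4], "big") for k in range(0, 32, 4))
        ctr += 1
    return np.array(out[:d], dtype=np.uint64) % R

n = 3
# Placeholder shared keys; key (i, j) equals key (j, i), as with Diffie-Hellman.
shared = {(i, j): f"s-{min(i, j)}-{max(i, j)}".encode()
          for i in range(n) for j in range(n) if i != j}
grads = [np.arange(d, dtype=np.uint64) + i for i in range(n)]   # toy gradients

def mask(i):
    """User i adds PRG(s_ij) for j > i and subtracts it for j < i (mod R)."""
    y = grads[i].copy()
    for j in range(n):
        if j == i:
            continue
        m = prg(shared[(i, j)], d)
        y = (y + m) % R if i < j else (y - m) % R
    return y

# Each pairwise mask is added once and subtracted once, so the sum is clean.
aggregate = sum(mask(i) for i in range(n)) % R
assert np.array_equal(aggregate, sum(grads) % R)
```

Any individual `mask(i)` looks uniformly random to the server, yet their sum reveals exactly the aggregate gradient.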

3.3.4 Verification

This phase runs when each user $i$ receives the updated item matrix $V^t$ from the server. At the beginning, each $i$ sends its decommitment strings (i.e., the hashes $h_j^i$ and the corresponding randomnesses $r_j^i$) to the server, which then forwards them to the other users. Next, each user $i$ proceeds in a two-step verification process. Firstly, $i$ performs a commitment verification for each user $k \neq i$ and each item $j$, checking whether $\mathsf{Decom}(com_j^k, h_j^k, r_j^k) = 1$.

If the equality does not hold for any $k$ or $j$, $i$ outputs $\perp$ and aborts. Otherwise, $i$ moves on to the next step for verifying the integrity of the aggregation result. In particular, $i$ performs the following equality test for each item $j$: $HF(\nabla_{v_j}) \stackrel{?}{=} \prod_i h_j^i$.

If the equality holds for all items, $i$ accepts the updated item matrix $V^t$ and moves to the next iteration. Otherwise, $i$ outputs $\perp$ and aborts.
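The user-side equality test can be illustrated with the toy-sized homomorphic hash from Section 2.2 (parameters illustrative; the actual scheme runs over NIST-P256): the product of the per-user hashes must equal the hash of the aggregate returned by the server.

```python
# Toy group parameters, as in the Section 2.2 sketch.
q = 1019
p = 2 * q + 1
d = 4
gs = [pow(k + 2, 2, p) for k in range(d)]

def HF(x):
    """Homomorphic hash: product of g_k^{x_k} in the group."""
    h = 1
    for g, xk in zip(gs, x):
        h = h * pow(g, xk % q, p) % p
    return h

user_grads = [[1, 2, 3, 4], [5, 6, 7, 8], [2, 0, 1, 3]]
hashes = [HF(g) for g in user_grads]          # decommitted per-user hashes

honest_sum = [sum(col) for col in zip(*user_grads)]
prod = 1
for h in hashes:
    prod = prod * h % p

assert HF(honest_sum) == prod                 # correct aggregation accepted

forged = [x + 1 for x in honest_sum]          # server deviates on every entry
assert HF(forged) != prod                     # forged result rejected
```

Passing the check on a forged aggregate would require finding a collision of the homomorphic hash, which is assumed to be infeasible.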

3.4 Remarks

The presented VPFedMF design not only preserves the confidentiality of users' item gradient information but also provides strong verification of the aggregation results. In comparison with the prior art Chai et al. (2020), which relies on heavy homomorphic encryption for encrypting gradient vectors and supporting privacy-preserving aggregation, VPFedMF newly resorts to lightweight masking-based cryptographic techniques for protecting the privacy of gradient vectors in aggregation. For privacy-preserving aggregation, users only need to perform some lightweight hashing operations and arithmetic operations. For verifiability, the use of the homomorphic hash function greatly compresses the high-dimensional vectors into constant-size group elements, facilitating the computation of commitments. The security of the homomorphic hash function and the commitment scheme ensures that the underlying plaintext gradient vectors of an individual user are strongly protected against the server and other users in the system.

4 Security Analysis

VPFedMF guarantees the integrity of the aggregation as well as individual user privacy. Hereafter, we analyze its security to justify these guarantees. To ease the description, we denote by $S$ the cloud server, by $\mathcal{U}_h$ the subset of honest users, and by $\mathcal{U}_c$ the subset of users corrupted by the adversary. Also, since we only need to prove security for a single iteration, we omit the iteration index $t$ in our description.

Theorem 1.

Assuming the security of the underlying masking-based secure aggregation and commitment techniques, VPFedMF ensures the confidentiality of the gradient vectors of individual honest users in the system.


Proof. The proof is mostly similar to that of Theorem 6.3 in Bonawitz et al. (2017), which indicates that the masking mechanism in secure aggregation protects the confidentiality of the gradient vectors of individual honest users, due to the existence of a simulator SIM for simulating the masked gradient vectors. On the other hand, we need to additionally consider simulation of the messages related to the verification. Firstly, we need to consider the hashes from honest users, which are committed in the Making commitments step. Here note that the simulator SIM does not know the real inputs of honest users by the time it needs to compute the hashes and the commitments. For this, it can generate a dummy vector, hash it, and compute the commitment. Given the security of the masking technique and the hiding property of the commitment, the joint view of the server and the corrupted users is indistinguishable from that in a real protocol execution.

Secondly, we need to consider the verification phase. In particular, we need to show that the joint view of the server and the corrupted users in this phase is indistinguishable from that in the real protocol execution. The subtlety here is that SIM commits to dummy hashes in the beginning, which are different from the hashes of the vectors sampled by SIM after seeing the aggregation result. Fortunately, due to the equivocal property of the commitment, in the common reference string (CRS)-hybrid model Lindell (2017), SIM can obtain a trapdoor for the commitment scheme, which can be used to equivocate the simulated commitments to the hashes of the vectors it samples on behalf of honest users, based on the aggregation result of honest users. The simulated hashes in the verification phase thus can successfully pass the commitment verification, followed by the aggregation result integrity verification. Hence, there also exists a simulator for the verification phase. This completes the proof.

Theorem 2.

Assuming the security of the underlying homomorphic hash function and commitment techniques, VPFedMF ensures the integrity of aggregation on the server side. In particular, in a certain iteration, an honest user will accept the received updated item vector derived from aggregation if and only if it is correctly produced by the server.


Assume that there exists a PPT adversary which can produce a forged aggregation result $\nabla_{v_j}' \neq \nabla_{v_j}$ and make an honest user accept it. Firstly, since the honest user does not output $\perp$, the decommitment strings from the users in $\mathcal{U}_c$ should be able to pass the commitment verification phase. Here, it is noted that due to the binding property of the commitment scheme, the commitment verification will fail (except with negligible probability) if the users in $\mathcal{U}_c$ instructed by the adversary send malformed decommitment strings. So once the hash values have been committed, the users in $\mathcal{U}_c$ cannot change them without having an honest user output $\perp$. If the adversary manages to have an honest user accept the forged aggregation result $\nabla_{v_j}'$, it is required that $HF(\nabla_{v_j}') = \prod_i h_j^i$, i.e., $HF(\nabla_{v_j}') = HF(\sum_i \nabla_{v_j}^{i})$.

However, given that $\nabla_{v_j}' \neq \sum_i \nabla_{v_j}^{i}$, this will happen with negligible probability, given the collision resistance property of the homomorphic hash function. Therefore, the assumption at the beginning does not hold. The adversary cannot have an honest user accept a forged aggregation result in VPFedMF.

5 Experiments

5.1 Setup

We implement VPFedMF in Python. In particular, the homomorphic hash function is realized over the elliptic curve NIST-P256. The commitment scheme is realized via hash commitments instantiated with SHA-256. For the pseudorandom number generator, we use AES in CTR mode. For key agreement, we use Diffie-Hellman key exchange over the elliptic curve NIST-P256. In addition, we set the modulus $R$ defining the message space accordingly. We use a real-world movie rating dataset, MovieLens Harper and Konstan (2015), which consists of 610 users' ratings on 9,712 movies. We adopt a common trick for scaling floating-point numbers up to integers as required by cryptographic computation Wang et al. (2013); Zheng et al. (2018), where a large scaling factor is used. The server process and user processes are deployed on a laptop equipped with a 4-core Intel i5-8300H CPU (2.3 GHz) and 8 GB RAM.

5.2 Offline Optimization

VPFedMF targets a setting where multiple users collaboratively train a joint model for personalized recommendation so as to benefit each other, while keeping their privacy preserved. Hence, we consider that all users are willing to participate in each iteration. Namely, in the setting considered by VPFedMF, the participants are not limited in computation resources or network bandwidth, as opposed to the IoT setting. In this context, we perform the following offline processing for performance optimization. Recall that the computation of the homomorphic hash function is within the cyclic group $\mathbb{G}$, which needs to produce a group element for each dimension of the input vector via expensive exponentiation. In order to circumvent the latency of such expensive group computation, our idea is to pre-generate a set of group elements in an offline phase. When the actual learning process takes place, the computation of $HF(\cdot)$ can simply be converted into fast lookups over the pre-generated set of elements.
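A minimal sketch of the offline lookup idea, with toy group parameters of our own choosing (the real system operates over NIST-P256):

```python
# Offline/online split: precompute g^e for all exponents in [0, q) once, so
# each online exponentiation becomes a table lookup.
q = 1019                                      # prime subgroup order (toy size)
p = 2 * q + 1                                 # safe prime
g = 4                                         # a generator of the order-q subgroup

# Offline phase: build the table once.
table = {}
acc = 1
for e in range(q):
    table[e] = acc
    acc = acc * g % p

# Online phase: exponentiation reduces to a dictionary lookup.
def fast_pow(e):
    return table[e % q]                       # exponents live mod the group order

assert all(fast_pow(e) == pow(g, e, p) for e in [0, 1, 17, 1018, 5000])
```

With cryptographic parameters one would precompute tables only for the exponent ranges that actually occur (e.g., the scaled gradient values), trading memory for online latency.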

User Items Phase 1 Phase 2 Phase 3
0 1 2 0 1 2
100 60 User 1 ms 14 ms 27 ms 0 ms 22 ms 208 ms
Server 1 ms 49 ms 1 ms
240 User 3 ms 29 ms 52 ms 0 ms 50 ms 706 ms
Server 2 ms 167 ms 7 ms
640 User 11 ms 52 ms 71 ms 0 ms 123 ms 1870 ms
Server 11 ms 251 ms 19 ms
300 60 User 2 ms 14 ms 69 ms 0 ms 49 ms 451 ms
Server 3 ms 151 ms 5 ms
240 User 6 ms 32 ms 151 ms 0 ms 140 ms 1249 ms
Server 11 ms 459 ms 20 ms
640 User 9 ms 53 ms 205 ms 0 ms 272 ms 2430 ms
Server 27 ms 722 ms 54 ms
Table 1: VPFedMF’s Computation Performance in the PartText Setting
User Items Phase 1 Phase 2 Phase 3
0 1 2 0 1 2
100 60 User 3 ms 41 ms 315 ms 0 ms 61 ms 505 ms
Server 1 ms 205 ms 1 ms
240 User 13 ms 168 ms 1235 ms 0 ms 232 ms 1975 ms
Server 3 ms 760ms 7 ms
640 User 63 ms 437 ms 3305 ms 0 ms 580 ms 5159 ms
Server 10 ms 1962 ms 19 ms
300 60 User 44 ms 41 ms 918 ms 0 ms 166 ms 1346 ms
Server 3 ms 634 ms 5 ms
240 User 86 ms 163 ms 3833 ms 0 ms 748 ms 5448 ms
Server 11 ms 2476 ms 24 ms
640 User 168 ms 441 ms 10034 ms 0 ms 1881 ms 14539 ms
Server 28 ms 6273 ms 65 ms
Table 2: VPFedMF’s Computation Performance in the FullText Setting

5.3 Computation Overhead of Each Iteration

In this section, we first analyze the fine-grained time consumption in each step of a single iteration when training over the MovieLens dataset in VPFedMF. Then we evaluate the computation overhead of each iteration and compare it with the results reported for FedMF Chai et al. (2020). In addition, time consumption as a function of the dimension size (i.e., the dimension of the latent user profile and item profile) is evaluated.

Following FedMF Chai et al. (2020), we evaluate two rating settings: PartText and FullText. These two settings differ slightly in how users submit vectors to the server. In the PartText setting, users upload gradient vectors only for items they have rated. In the FullText setting, users submit gradient vectors for all items; for items that a user has not rated, the corresponding elements in the gradient vector are set to 0.

5.3.1 Fine-Grained Time Consumption of Each Step

The computation overhead for each protocol step as detailed in Fig. 2 is comprehensively evaluated and summarized in Table 1 with respect to PartText and Table 2 with respect to FullText. Specifically, we fix the number of users to be 100 and 300 in both PartText and FullText settings but vary the number of items for all users to evaluate computation performance. Note that the computation overhead of users reported in this work is actually the average time consumption in each step per user.

As we can see from Table 1 and Table 2, most of the time is consumed in the secure aggregation phase: each user needs to feed the shared seed, item id, and iteration number into the PRG to mask its gradient vectors, while the server needs to aggregate the masked vectors of every item rated by users. In the verification phase, the Aggregation result verification step is also costly, as each user needs to check all the updated item vectors from the server against the received commitments. Consider 300 users and 640 rated items as an example. The computation overhead for a user in the Masking gradient vectors step is 205 ms in PartText and 10034 ms in FullText. In addition, at the end of the iteration, each user spends 272 ms and 2430 ms in PartText (1881 ms and 14539 ms in FullText) on the Commitment verification and Aggregation result verification steps, respectively. These three steps dominate the overall per-iteration time on the user side. On the server side, the Aggregating masked gradient vectors step accounts for over 90% of the time, namely 722 ms in PartText and 6273 ms in FullText. The time consumed by the remaining steps, for both users and the server, is comparatively negligible.
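The mask cancellation underlying the secure aggregation phase can be sketched as follows (a simplified pairwise-masking construction in the style of Bonawitz et al. (2017); the SHA-256-based PRG, the modulus, and the seed handling are illustrative assumptions, not VPFedMF's exact design):

```python
import hashlib
import numpy as np

def prg_mask(seed, item_id, iteration, dim, modulus=2**32):
    """Derive a deterministic mask vector from (seed, item id, iteration)."""
    data = f"{seed}|{item_id}|{iteration}".encode()
    out, ctr = [], 0
    while len(out) < dim:
        h = hashlib.sha256(data + ctr.to_bytes(4, "big")).digest()
        out.extend(int.from_bytes(h[i:i + 4], "big") for i in range(0, 32, 4))
        ctr += 1
    return np.array(out[:dim], dtype=np.uint64) % modulus

def mask_vector(vec, uid, peer_seeds, item_id, iteration, modulus=2**32):
    """Add pairwise masks that cancel once all users' vectors are summed."""
    masked = vec.astype(np.uint64) % modulus
    for peer, seed in peer_seeds.items():
        m = prg_mask(seed, item_id, iteration, len(vec), modulus)
        # the lower-id party adds the mask, the higher-id party subtracts it
        masked = (masked + m) % modulus if uid < peer else (masked - m) % modulus
    return masked

# Three users with pairwise shared seeds; the server only sees masked vectors.
seeds = {(0, 1): 111, (0, 2): 222, (1, 2): 333}
vecs = {u: np.array([u + 1, 2 * u, 7], dtype=np.uint64) for u in range(3)}
masked = []
for u in range(3):
    peers = {v: seeds[tuple(sorted((u, v)))] for v in range(3) if v != u}
    masked.append(mask_vector(vecs[u], u, peers, item_id=4, iteration=1))
agg = sum(masked) % 2**32
assert (agg == sum(vecs.values()) % 2**32).all()  # masks cancel exactly
```

Because each pair of users derives the identical mask and applies it with opposite signs, the server's sum equals the plain aggregate while each individual upload is pseudorandom. Masking every coordinate of every (rated) item's gradient is what makes this step dominate the user-side cost in Tables 1 and 2.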

5.3.2 Overall Time Consumption and Comparison

Items    60     80     160    320    640    1280   2560
Ratings  9497   12087  20512  32371  47883  65728  81786
Table 3: Different Rating Settings for Training

Figure 3: Time consumption of each iteration in the PartText setting as a function of the number of items held by each user.

Figure 4: Time consumption of each iteration in the FullText setting as a function of the number of items held by each user.

In FedMF Chai et al. (2020), gradient updates are protected by additive homomorphic encryption, and aggregation is performed over the resulting ciphertexts. Although this thwarts the leakage of private data, homomorphic encryption is too costly to be practical. To make an apples-to-apples comparison, we follow the same setting as Chai et al. (2020), fixing the number of users to 610 for training and setting the dimension to 100. Table 3 summarizes the rating settings used in our implementation.
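FedMF's ciphertext-domain aggregation can be illustrated with a toy additively homomorphic Paillier instance (deliberately tiny, insecure parameters for exposition only; production deployments use keys of 2048 bits or more, which is exactly where FedMF's cost arises):

```python
import random
from math import gcd

# Toy Paillier parameters; real keys are orders of magnitude larger.
p, q = 101, 103
n = p * q
n2 = n * n
g = n + 1
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
mu = pow((pow(g, lam, n2) - 1) // n, -1, n)    # inverse of L(g^lam mod n^2)

def enc(m):
    """Encrypt m (0 <= m < n) under the public key (n, g)."""
    r = random.randrange(1, n)
    while gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def dec(c):
    """Decrypt with the private key (lam, mu)."""
    return ((pow(c, lam, n2) - 1) // n) * mu % n

# Additive homomorphism: the product of ciphertexts decrypts to the sum of
# plaintexts, so a server can aggregate updates without ever decrypting them.
agg = enc(5)
for m in (7, 11):
    agg = (agg * enc(m)) % n2
assert dec(agg) == 23
```

Every encryption involves two large modular exponentiations per plaintext value, which is why masking-based aggregation, requiring only PRG evaluations and modular additions, is so much cheaper per coordinate.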

As shown in Fig. 3 and Fig. 4, the per-iteration time consumption of VPFedMF is significantly lower than that of FedMF under both the PartText and FullText settings, with the item number varying from 60 to 2560. For example, VPFedMF takes 296.2 seconds in the FullText setting to train 2560 items, compared with 5786.1 seconds for FedMF. In the PartText setting, VPFedMF takes only 17.3 seconds for 2560 items, in contrast to 334.8 seconds for FedMF.

Users  Items  Role    Phase 1      Phase 2      Phase 3
100    60     User    5.09 KB      131.34 KB    5.23 KB
              Server  146.58 KB    140.63 KB    150.95 KB
100    240    User    19.71 KB     509.13 KB    20.26 KB
              Server  399.34 KB    562.50 KB    411.18 KB
100    640    User    47.68 KB     1233.16 KB   49.09 KB
              Server  711.12 KB    1500.00 KB   732.22 KB
300    60     User    5.09 KB      131.34 KB    5.23 KB
              Server  419.32 KB    140.63 KB    431.69 KB
300    240    User    19.71 KB     509.13 KB    20.31 KB
              Server  1174.58 KB   562.50 KB    1209.46 KB
300    640    User    47.68 KB     1233.16 KB   49.09 KB
              Server  2062.71 KB   1500.00 KB   2123.61 KB
Table 4: Outgoing communication overhead for each step in the PartText setting
Users  Items  Role    Phase 1       Phase 2      Phase 3
100    60     User    5.45 KB       140.63 KB    5.63 KB
              Server  539.47 KB     140.63 KB    555.49 KB
100    240    User    21.80 KB      562.50 KB    22.48 KB
              Server  2157.88 KB    562.50 KB    2221.93 KB
100    640    User    58.13 KB      1500.00 KB   59.91 KB
              Server  5754.37 KB    1500.00 KB   5924.74 KB
300    60     User    5.45 KB       140.63 KB    5.63 KB
              Server  1629.31 KB    140.63 KB    1677.55 KB
300    240    User    21.80 KB      562.50 KB    22.48 KB
              Server  6517.26 KB    562.50 KB    6709.67 KB
300    640    User    58.13 KB      1500.00 KB   59.91 KB
              Server  17379.37 KB   1500.00 KB   17893.42 KB
Table 5: Outgoing communication overhead for each step in the FullText setting

5.3.3 Scalability with Respect to the Dimension

Matrix factorization decomposes the sparse rating matrix into a user profile matrix and an item profile matrix, where each row vector of both matrices has the same latent dimension. The time consumption varies with the latent dimension, since it determines the sizes of the user profile matrix and item profile matrix. To evaluate how the dimension size affects the time consumption of VPFedMF, we fix the number of users to 610 and the number of items to 320, and vary the dimension. The results are detailed in Fig. 5 and Fig. 6. As the dimension increases, the computation cost of the whole system grows approximately linearly. Compared to the FullText setting, each iteration consumes less time in the PartText setting.
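The linear dependence on the dimension can be seen directly from the local gradient computation (a generic regularized MF gradient sketch; the regularization coefficient and sign convention are illustrative, not taken from Algorithm 1):

```python
import numpy as np

def item_gradient(user_profile, item_profile, rating, reg=0.01):
    """Gradient of the squared rating loss w.r.t. one item profile vector.

    Every operation here is a length-d vector operation, so the per-rating
    cost (and hence each iteration's cost) grows linearly with the latent
    dimension d, matching the trend in Fig. 5 and Fig. 6.
    """
    err = rating - user_profile @ item_profile
    return -2 * err * user_profile + 2 * reg * item_profile

rng = np.random.default_rng(0)
for d in (10, 100):
    u, v = rng.standard_normal(d), rng.standard_normal(d)
    assert item_gradient(u, v, rating=4.0).shape == (d,)
```

The same reasoning applies to masking and verification: both operate coordinate-wise on length-d vectors, so their cost also scales linearly with d.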

Figure 5: Computation overhead under the PartText setting as a function of the dimension size.

Figure 6: Computation overhead under the FullText setting as a function of the dimension size.

5.4 Outgoing Communication Overhead

We evaluate the outgoing communication overhead under both the PartText and FullText settings. In particular, the server-side overhead is the outgoing communication sent from the server to a single user. For the user-to-server channel, we measure the maximum size of the packets transmitted by a particular user as the per-step communication overhead on the user side. Table 4 and Table 5 summarize the per-iteration communication overhead of VPFedMF under the PartText and FullText settings, respectively; the setup is the same as in Section 5.3.1. In the secure aggregation phase, most of the communication on the user side is spent in the Masking gradient vectors step, where each user needs to send all the masked gradient vectors to the server. The server, in turn, spends most of its communication in the Making commitments and Aggregating masked gradient vectors steps. When the number of users is fixed, the communication overhead in FullText grows approximately linearly with the number of items. Note that between the two settings, the gap in communication cost for the Making commitments and Decommitting steps on the server side widens as the number of items increases. This is because in the FullText setting the server needs to broadcast the commitments and decommitments for all items to the users even though the rating matrix is sparse, while in the PartText setting it only needs to broadcast them for the items rated by the corresponding users.
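As a sanity check, the FullText Phase 2 figures on the user side in Table 5 are consistent with a fixed cost per masked coordinate; assuming 24 bytes per coordinate at dimension 100 (an inference from the table, not a stated protocol parameter):

```python
DIM = 100             # latent dimension used in the experiments
BYTES_PER_ELEM = 24   # inferred from Table 5, not a stated protocol parameter

def fulltext_phase2_kb(num_items, dim=DIM, elem_bytes=BYTES_PER_ELEM):
    """Outgoing user bytes for masked gradient vectors in FullText, in KB."""
    return num_items * dim * elem_bytes / 1024

# Matches Table 5: 140.63 KB, 562.50 KB, 1500.00 KB.
for items, reported in [(60, 140.63), (240, 562.50), (640, 1500.00)]:
    assert abs(fulltext_phase2_kb(items) - reported) < 0.01
```

Under this assumption the Phase 2 user payload is exactly (number of items) × d × 24 bytes, explaining the linear growth with the item number noted above.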

5.5 Accuracy

Figure 7: RMSE as a function of varying user numbers.

Figure 8: RMSE as a function of varying item numbers.

Root Mean Squared Error (RMSE) is a common accuracy metric used in recommender systems to evaluate training performance Koren et al. (2009). We therefore use RMSE to examine the accuracy of VPFedMF in both the PartText and FullText settings, comparing it with FedMF, PlainFedMF (federated MF in the plaintext domain, as described in Algorithm 1), and conventional centralized MF, abbreviated as RegularMF. We set the number of iterations to 50 so that the training processes of all four schemes converge. In Fig. 7 we fix the number of items to 300 and vary the number of users; in Fig. 8 we fix the number of users to 300 and vary the number of items. All four schemes show almost identical RMSE, with a negligible gap.
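The metric itself is computed over the observed entries of the rating matrix only (a generic sketch; the boolean-mask layout is ours, not tied to any particular implementation):

```python
import numpy as np

def rmse(predicted, actual, mask):
    """RMSE over observed entries only; mask marks the rated cells."""
    diff = (predicted - actual)[mask]
    return float(np.sqrt(np.mean(diff ** 2)))

# Two observed ratings, each off by 0.5 -> RMSE of 0.5.
actual = np.array([[4.0, 0.0], [0.0, 2.0]])
mask = actual > 0
pred = np.array([[3.5, 1.0], [2.0, 2.5]])
assert abs(rmse(pred, actual, mask) - 0.5) < 1e-12
```

Restricting the error to rated cells matters: unrated cells are unknown, not zero, so including them would penalize every scheme for predictions that cannot be checked.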

6 Conclusion

In this paper, we have proposed VPFedMF, a new protocol for privacy-preserving and verifiable federated matrix factorization. VPFedMF protects individual gradient updates through masking-based lightweight secure aggregation, which allows the server to update the item profile matrix via aggregation without seeing the gradient updates. Meanwhile, VPFedMF allows users to cryptographically verify the correctness of the aggregation result produced by the server in each iteration, building on techniques including homomorphic hash functions and commitments. We evaluated VPFedMF over a real-world movie rating dataset for federated matrix factorization. The results demonstrate the practicality of VPFedMF, as well as its performance advantage over prior art (in addition to its security advantage).


  • M. Bellare, O. Goldreich, and S. Goldwasser (1994) Incremental cryptography: the case of hashing and signing. In Proc. of CRYPTO, Cited by: §2.2.
  • M. Bellare, V. T. Hoang, and P. Rogaway (2012) Foundations of garbled circuits. In Proc. of ACM CCS, Cited by: §1.
  • A. Berlioz, A. Friedman, M. A. Kaafar, R. Boreli, and S. Berkovsky (2015) Applying differential privacy to matrix factorization. In Proc. of ACM RecSys, Cited by: §1.
  • K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth (2017) Practical secure aggregation for privacy-preserving machine learning. In Proc. of ACM CCS, Cited by: §3.1, §4.
  • D. Chai, L. Wang, K. Chen, and Q. Yang (2020) Secure federated matrix factorization. IEEE Intelligent Systems. Cited by: item 3, §1, §1, §2.1, §2.1, §3.1, §3.4, §5.3.2, §5.3, §5.3.
  • China (2021) China data security law. Note: chinas-data-security-law-in-effect-sept-1-2021/, accessed Sep 21, 2021. Cited by: §1.
  • C. Dwork, F. McSherry, K. Nissim, and A. D. Smith (2006) Calibrating noise to sensitivity in private data analysis. In Proc. of TCC, Cited by: §1.
  • Europe (2016) General data protection regulation. Note: accessed Feb 05, 2021. Cited by: §1.
  • Y. Gao, M. Kim, S. Abuadbba, Y. Kim, C. Thapa, K. Kim, S. A. Camtep, H. Kim, and S. Nepal (2020) End-to-end evaluation of federated learning and split learning for internet of things. In Proc. of IEEE SRDS, Cited by: §1.
  • R. Gemulla, E. Nijkamp, P. J. Haas, and Y. Sismanis (2011) Large-scale matrix factorization with distributed stochastic gradient descent. In Proc. of ACM SIGKDD, Cited by: §2.1.
  • X. Guo, Z. Liu, J. Li, J. Gao, B. Hou, C. Dong, and T. Baker (2020) VeriFL: communication-efficient and fast verifiable aggregation for federated learning. IEEE Transactions on Information Forensics and Security 16, pp. 1736–1751. Cited by: §3.1.
  • F. M. Harper and J. A. Konstan (2015) The movielens datasets: history and context. ACM Transactions on Interactive Intelligent Systems 5 (4), pp. 1–19. Cited by: §5.1.
  • S. Kim, J. Kim, D. Koo, Y. Kim, H. Yoon, and J. Shin (2016) Efficient privacy-preserving matrix factorization via fully homomorphic encryption. In Proc. of ACM AsiaCCS, Cited by: §1.
  • Y. Koren, R. Bell, and C. Volinsky (2009) Matrix factorization techniques for recommender systems. Computer 42 (8), pp. 30–37. Cited by: §1, §2.1, §5.5.
  • M. Kosinski, D. Stillwell, and T. Graepel (2013) Private traits and attributes are predictable from digital records of human behavior. Proceedings of the National Academy of Sciences 110 (15), pp. 5802–5805. Cited by: §1.
  • Q. Li, Z. Wen, Z. Wu, S. Hu, N. Wang, Y. Li, X. Liu, and B. He (2021) A survey on federated learning systems: vision, hype and reality for data privacy and protection. IEEE Transactions on Knowledge and Data Engineering. Cited by: §1.
  • T. Li, A. K. Sahu, A. Talwalkar, and V. Smith (2020) Federated learning: challenges, methods, and future directions. IEEE Signal Processing Magazine 37 (3), pp. 50–60. Cited by: §1.
  • Y. Lindell (2017) How to simulate it - A tutorial on the simulation proof technique. In Tutorials on the Foundations of Cryptography, Y. Lindell (Ed.), pp. 277–346. Cited by: §4.
  • G. Long, Y. Tan, J. Jiang, and C. Zhang (2020) Federated learning for open banking. In Federated learning, pp. 240–254. Cited by: §1.
  • B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas (2017) Communication-efficient learning of deep networks from decentralized data. In Proc. of AISTATS, Cited by: §1.
  • M. Nasr, R. Shokri, and A. Houmansadr (2019) Comprehensive privacy analysis of deep learning: passive and active white-box inference attacks against centralized and federated learning. In Proc. of IEEE S&P, Cited by: §1.
  • V. Nikolaenko, S. Ioannidis, U. Weinsberg, M. Joye, N. Taft, and D. Boneh (2013) Privacy-preserving matrix factorization. In Proc. of ACM CCS, Cited by: §1.
  • V. Perifanis and P. S. Efraimidis (2022) Federated neural collaborative filtering. Knowledge-Based Systems, pp. 108441. Cited by: §1.
  • U. States (2020) California privacy rights act. Note: accessed Feb 05, 2021. Cited by: §1.
  • G. Takács, I. Pilászy, B. Németh, and D. Tikk (2008) Investigation of various matrix factorization methods for large recommender systems. In Proc. of IEEE ICDM Workshops, Cited by: §2.1.
  • C. Wang, K. Ren, J. Wang, and Q. Wang (2013) Harnessing the cloud for securely outsourcing large-scale systems of linear equations. IEEE Transactions on Parallel and Distributed Systems 24 (6), pp. 1172–1181. Cited by: §5.1.
  • H. Wang, Z. Kaplan, D. Niu, and B. Li (2020) Optimizing federated learning on non-iid data with reinforcement learning. In Proc. of IEEE INFOCOM, Cited by: §1.
  • J. Xu, B. S. Glicksberg, C. Su, P. Walker, J. Bian, and F. Wang (2021) Federated learning for healthcare informatics. Journal of Healthcare Informatics Research 5 (1), pp. 1–19. Cited by: §1.
  • E. Yang, Y. Huang, F. Liang, W. Pan, and Z. Ming (2021) FCMF: federated collective matrix factorization for heterogeneous collaborative filtering. Knowledge-Based Systems 220, pp. 106946. Cited by: §1.
  • Q. Yang, Y. Liu, T. Chen, and Y. Tong (2019) Federated machine learning: concept and applications. ACM Transactions on Intelligent Systems and Technology 10 (2), pp. 1–19. Cited by: §1.
  • Y. Yu, C. Wang, H. Wang, and Y. Gao (2017) Attributes coupling based matrix factorization for item recommendation. Applied Intelligence 46 (3), pp. 521–533. Cited by: §1.
  • C. Zhang, Y. Xie, H. Bai, B. Yu, W. Li, and Y. Gao (2021) A survey on federated learning. Knowledge-Based Systems 216, pp. 106775. Cited by: §1.
  • S. Zhang, L. Liu, Z. Chen, and H. Zhong (2019) Probabilistic matrix factorization with personalized differential privacy. Knowledge-Based Systems 183, pp. 104864. Cited by: §1.
  • Y. Zheng, H. Duan, and C. Wang (2018) Learning the truth privately and confidently: encrypted confidence-aware truth discovery in mobile crowdsensing. IEEE Transactions on Information Forensics and Security 13 (10), pp. 2475–2489. Cited by: §5.1.