Topology-Aware Privacy Amplification in Decentralized Learning: A Hybrid Chunking and Differential Privacy Approach Against Membership Inference Attacks

Master Thesis (2026)
Author(s)

N.H.C. Tomassen (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

A. Athanasiou – Mentor (TU Delft - Electrical Engineering, Mathematics and Computer Science)

E.A. Markatou – Mentor (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2026
Language
English
Graduation Date
15-06-2026
Awarding Institution
Delft University of Technology
Programme
Computer Science, Cyber Security
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Decentralized learning allows data owners to collaboratively train machine learning models without relying on a central server, making it attractive for privacy-sensitive and distributed environments. However, despite keeping data on-premises, model updates exchanged between peers can still leak private information about the underlying dataset. In particular, Membership Inference Attacks (MIAs) allow an adversary to determine whether a specific data sample was used in the training process, posing a significant privacy risk. Differential privacy (DP), a common defense against this leakage, injects carefully calibrated noise into model updates, but this inevitably hurts utility. Recent studies have shown that chunking, where model updates are split into chunks and only a subset of chunks is shared with neighboring nodes, can also mitigate leakage. Existing approaches include topology-aware chunking, where the number of chunks for a specific node depends on the communication topology, and topology-independent fixed-𝐾 chunking, where a fixed number of chunks 𝐾 is used for all nodes. However, it remains unclear how the underlying topology influences the effectiveness of such defenses.

This thesis investigates whether topology-aware chunking can improve the privacy-utility tradeoff compared to topology-independent chunking strategies. We study decentralized image classification on CIFAR-100 across several communication topologies, including ring, star, grid, fully connected, 𝑑-regular, and Erdős-Rényi graphs. Privacy leakage is measured through the accuracy of the MIA (Area Under the Curve), while utility is measured by global test accuracy. The results show that the effectiveness of topology-aware chunking is strongly influenced by the underlying communication graph. Without defenses, MIA AUC remains high across all graph families (around 0.97-0.99). Topology-aware chunking reduces leakage significantly in dense graphs, for example, lowering AUC to 0.61 in the fully connected graph, but introduces uneven protection for sparse or heterogeneous topologies, where low-degree nodes remain vulnerable.

Compared to topology-aware chunking, topology-independent fixed-𝐾 chunking proves to be a stronger and more uniform graph-independent baseline. It often achieves equal or better privacy-utility tradeoffs, especially in utility-focused settings. To address the key limitation of topology-aware chunking, we propose ChunkDP, a defense that combines topology-aware chunking with degree-scaled DP noise. ChunkDP improves over DP-only by recovering a portion of the lost accuracy while keeping leakage close to random guessing performance (AUC 0.53). We show that ChunkDP can outperform fixed-𝐾 chunking in balanced privacy-utility settings.

Overall, the results show that topology-awareness alone does not guarantee a better privacy-utility tradeoff. Its effectiveness depends on graph density, node degree, and the desired privacy-utility balance. Fixed-𝐾 remains a robust defense, while the topology-aware ChunkDP can be useful in balanced privacy-utility scenarios.
