Federated learning allows model training on distributed datasets without centralizing raw data. However, the process of sharing model updates, such as gradients or weights, can still inadvertently leak information about the training data used by individual participants. Standard federated approaches alone do not provide strong guarantees against determined adversaries attempting inference or reconstruction attacks.

This chapter focuses on methods to strengthen the privacy guarantees of federated learning systems. We will cover cryptographic and statistical techniques designed specifically to protect data during the training process. You will learn about:

• Differential Privacy (DP): Applying mechanisms, often involving calibrated noise addition ($\epsilon, \delta$), to individual updates or aggregated results to provide formal, quantifiable privacy protection. We'll discuss its application models (local vs. central) and managing the privacy budget across training rounds.
• Secure Multi-Party Computation (SMC): Using protocols, like those based on secret sharing, that enable the server to compute the sum of client updates ($\sum_{i=1}^{N} u_i$) without learning any individual update $u_i$.
• Homomorphic Encryption (HE): Employing encryption schemes that permit computations, specifically aggregation ($\text{Enc}(u_1) + \dots + \text{Enc}(u_N) = \text{Enc}(\sum u_i)$), directly on encrypted data, preventing the server from accessing plaintext updates.

We will also analyze potential privacy attacks relevant to federated settings and compare the practical trade-offs involving privacy levels, computational overhead, and communication costs associated with DP, SMC, and HE. The chapter includes practical implementation guidance, starting with adding differential privacy to the standard FedAvg algorithm.