Add default parameters for federated learning.

mindspore/ccsrc/fl/server/server.h

@@ -36,7 +36,7 @@ namespace fl {
 namespace server {
 // The sleeping time of the server thread before the networking is completed.
 constexpr uint32_t kServerSleepTimeForNetworking = 1000;
-constexpr uint64_t kDefaultReplayAttackTimeDiff = 60000;
+constexpr uint64_t kDefaultReplayAttackTimeDiff = 600000;
 // Class Server is the entrance of MindSpore's parameter server training mode and federated learning.
 class Server {
  public:

mindspore/ccsrc/ps/ps_context.h

@@ -246,7 +246,7 @@ class PSContext {
         root_second_ca_path_(""),
         pki_verify_(false),
         equip_crl_path_(""),
-        replay_attack_time_diff_(60000),
+        replay_attack_time_diff_(600000),
         scheduler_manage_port_(11202),
         config_file_path_(""),
         node_id_(""),

mindspore/python/mindspore/context.py

@@ -1064,6 +1064,18 @@ def set_fl_context(**kwargs):
         enable_ssl (bool): Set PS SSL mode enabled or disabled. Default: False.
         client_password (str): Password to decrypt the secret key stored in the client certificate. Default: ''.
         server_password (str): Password to decrypt the secret key stored in the server certificate. Default: ''.
+        pki_verify (bool): If True, the identity verification between server and clients would be turned on.
+            You should also download Root CA certificate, Root CA G2 certificate and Mobile Equipment CRL certificate
+            from https://pki.consumer.huawei.com/ca/. It should be noted that only when the client is an Android
+            environment with HUKS service, pki_verify can be True. Default: False.
+        root_first_ca_path (str): The file path of the Root CA certificate. It should be given when pki_verify
+            is True. Default: "".
+        root_second_ca_path (str): The file path of the Root CA G2 certificate. It should be given when
+            pki_verify is True. Default: "".
+        equip_crl_path (str): The file path of the Mobile Equipment CRL certificate. It should be given when
+            pki_verify is True. Default: "".
+        replay_attack_time_diff (int): The maximum tolerable error of certificate timestamp verification (ms).
+            Default: 600000.
 
     Raises:
         ValueError: If input key is not the attribute in federated learning mode context.

tests/st/fl/albert/cloud_train.py

@@ -70,6 +70,12 @@ def parse_args():
     parser.add_argument("--client_password", type=str, default="")
     parser.add_argument("--server_password", type=str, default="")
     parser.add_argument("--enable_ssl", type=ast.literal_eval, default=False)
+    parser.add_argument("--pki_verify", type=ast.literal_eval, default=False)
+    # parameters used for pki_verify=True
+    parser.add_argument("--root_first_ca_path", type=str, default="")
+    parser.add_argument("--root_second_ca_path", type=str, default="")
+    parser.add_argument("--equip_crl_path", type=str, default="")
+    parser.add_argument("--replay_attack_time_diff", type=int, default=600000)
     return parser.parse_args()
 
 
@@ -107,6 +113,11 @@ def server_train(args):
     client_password = args.client_password
     server_password = args.server_password
     enable_ssl = args.enable_ssl
+    pki_verify = args.pki_verify
+    root_first_ca_path = args.root_first_ca_path
+    root_second_ca_path = args.root_second_ca_path
+    equip_crl_path = args.equip_crl_path
+    replay_attack_time_diff = args.replay_attack_time_diff
 
     # Replace some parameters with federated learning parameters.
     train_cfg.max_global_epoch = fl_iteration_num
@@ -139,7 +150,12 @@ def server_train(args):
         "config_file_path": config_file_path,
         "client_password": client_password,
         "server_password": server_password,
-        "enable_ssl": enable_ssl
+        "enable_ssl": enable_ssl,
+        "pki_verify": pki_verify,
+        "root_first_ca_path": root_first_ca_path,
+        "root_second_ca_path": root_second_ca_path,
+        "equip_crl_path": equip_crl_path,
+        "replay_attack_time_diff": replay_attack_time_diff
     }
 
     if not os.path.exists(output_dir):

tests/st/fl/albert/run_hybrid_train_server.py

@@ -50,6 +50,14 @@ parser.add_argument("--client_password", type=str, default="")
 parser.add_argument("--server_password", type=str, default="")
 parser.add_argument("--enable_ssl", type=ast.literal_eval, default=False)
 parser.add_argument("--config_file_path", type=str, default="")
+parser.add_argument("--pki_verify", type=ast.literal_eval, default=False)
+# parameters used for pki_verify=True
+# You can download root_first_ca, root_second_ca and equip_crl
+# from https://pki.consumer.huawei.com/ca/
+parser.add_argument("--root_first_ca_path", type=str, default="")
+parser.add_argument("--root_second_ca_path", type=str, default="")
+parser.add_argument("--equip_crl_path", type=str, default="")
+parser.add_argument("--replay_attack_time_diff", type=int, default=600000)
 
 args, _ = parser.parse_known_args()
 device_target = args.device_target
@@ -80,6 +88,11 @@ client_password = args.client_password
 server_password = args.server_password
 enable_ssl = args.enable_ssl
 config_file_path = args.config_file_path
+pki_verify = args.pki_verify
+root_first_ca_path = args.root_first_ca_path
+root_second_ca_path = args.root_second_ca_path
+equip_crl_path = args.equip_crl_path
+replay_attack_time_diff = args.replay_attack_time_diff
 
 if local_server_num == -1:
     local_server_num = server_num
@@ -121,6 +134,11 @@ for i in range(local_server_num):
     cmd_server += " --enable_ssl=" + str(enable_ssl)
     cmd_server += " --reconstruct_secrets_threshold=" + str(reconstruct_secrets_threshold)
     cmd_server += " --config_file_path=" + config_file_path
+    cmd_server += " --pki_verify=" + str(pki_verify)
+    cmd_server += " --root_first_ca_path=" + str(root_first_ca_path)
+    cmd_server += " --root_second_ca_path=" + str(root_second_ca_path)
+    cmd_server += " --equip_crl_path=" + str(equip_crl_path)
+    cmd_server += " --replay_attack_time_diff=" + str(replay_attack_time_diff)
     cmd_server += " > server.log 2>&1 &"
 
     import time

tests/st/fl/hybrid_lenet/run_hybrid_train_server.py

@@ -37,6 +37,14 @@ parser.add_argument("--client_batch_size", type=int, default=32)
 parser.add_argument("--client_learning_rate", type=float, default=0.1)
 parser.add_argument("--local_server_num", type=int, default=-1)
 parser.add_argument("--config_file_path", type=str, default="")
+parser.add_argument("--pki_verify", type=ast.literal_eval, default=False)
+# parameters used for pki_verify=True
+# You can download root_first_ca, root_second_ca and equip_crl
+# from https://pki.consumer.huawei.com/ca/
+parser.add_argument("--root_first_ca_path", type=str, default="")
+parser.add_argument("--root_second_ca_path", type=str, default="")
+parser.add_argument("--equip_crl_path", type=str, default="")
+parser.add_argument("--replay_attack_time_diff", type=int, default=600000)
 parser.add_argument("--encrypt_type", type=str, default="NOT_ENCRYPT")
 # parameters for encrypt_type='DP_ENCRYPT'
 parser.add_argument("--dp_eps", type=float, default=50.0)
@@ -79,6 +87,11 @@ dp_norm_clip = args.dp_norm_clip
 client_password = args.client_password
 server_password = args.server_password
 enable_ssl = args.enable_ssl
+pki_verify = args.pki_verify
+root_first_ca_path = args.root_first_ca_path
+root_second_ca_path = args.root_second_ca_path
+equip_crl_path = args.equip_crl_path
+replay_attack_time_diff = args.replay_attack_time_diff
 
 if local_server_num == -1:
     local_server_num = server_num
@@ -120,6 +133,11 @@ for i in range(local_server_num):
     cmd_server += " --server_password=" + str(server_password)
     cmd_server += " --enable_ssl=" + str(enable_ssl)
     cmd_server += " --dp_norm_clip=" + str(dp_norm_clip)
+    cmd_server += " --pki_verify=" + str(pki_verify)
+    cmd_server += " --root_first_ca_path=" + str(root_first_ca_path)
+    cmd_server += " --root_second_ca_path=" + str(root_second_ca_path)
+    cmd_server += " --equip_crl_path=" + str(equip_crl_path)
+    cmd_server += " --replay_attack_time_diff=" + str(replay_attack_time_diff)
     cmd_server += " > server.log 2>&1 &"
 
     import time

tests/st/fl/hybrid_lenet/test_hybrid_train_lenet.py

@@ -47,6 +47,12 @@ parser.add_argument("--client_learning_rate", type=float, default=0.1)
 parser.add_argument("--worker_step_num_per_iteration", type=int, default=65)
 parser.add_argument("--scheduler_manage_port", type=int, default=11202)
 parser.add_argument("--config_file_path", type=str, default="")
+parser.add_argument("--pki_verify", type=ast.literal_eval, default=False)
+# parameters used for pki_verify=True
+parser.add_argument("--root_first_ca_path", type=str, default="")
+parser.add_argument("--root_second_ca_path", type=str, default="")
+parser.add_argument("--equip_crl_path", type=str, default="")
+parser.add_argument("--replay_attack_time_diff", type=int, default=600000)
 parser.add_argument("--encrypt_type", type=str, default="NOT_ENCRYPT")
 # parameters for encrypt_type='DP_ENCRYPT'
 parser.add_argument("--dp_eps", type=float, default=50.0)
@@ -91,6 +97,11 @@ dp_norm_clip = args.dp_norm_clip
 client_password = args.client_password
 server_password = args.server_password
 enable_ssl = args.enable_ssl
+pki_verify = args.pki_verify
+root_first_ca_path = args.root_first_ca_path
+root_second_ca_path = args.root_second_ca_path
+equip_crl_path = args.equip_crl_path
+replay_attack_time_diff = args.replay_attack_time_diff
 
 ctx = {
     "enable_fl": True,
@@ -113,6 +124,11 @@ ctx = {
     "worker_step_num_per_iteration": worker_step_num_per_iteration,
     "scheduler_manage_port": scheduler_manage_port,
     "config_file_path": config_file_path,
+    "pki_verify": pki_verify,
+    "root_first_ca_path": root_first_ca_path,
+    "root_second_ca_path": root_second_ca_path,
+    "equip_crl_path": equip_crl_path,
+    "replay_attack_time_diff": replay_attack_time_diff,
     "share_secrets_ratio": share_secrets_ratio,
     "cipher_time_window": cipher_time_window,
     "reconstruct_secrets_threshold": reconstruct_secrets_threshold,

tests/st/fl/mobile/run_mobile_server.py

@@ -37,6 +37,12 @@ parser.add_argument("--client_batch_size", type=int, default=32)
 parser.add_argument("--client_learning_rate", type=float, default=0.1)
 parser.add_argument("--local_server_num", type=int, default=-1)
 parser.add_argument("--config_file_path", type=str, default="")
+parser.add_argument("--pki_verify", type=ast.literal_eval, default=False)
+# parameters used for pki_verify=True
+parser.add_argument("--root_first_ca_path", type=str, default="")
+parser.add_argument("--root_second_ca_path", type=str, default="")
+parser.add_argument("--equip_crl_path", type=str, default="")
+parser.add_argument("--replay_attack_time_diff", type=int, default=600000)
 parser.add_argument("--encrypt_type", type=str, default="NOT_ENCRYPT")
 # parameters for encrypt_type='DP_ENCRYPT'
 parser.add_argument("--dp_eps", type=float, default=50.0)
@@ -77,6 +83,11 @@ if __name__ == "__main__":
     dp_delta = args.dp_delta
     dp_norm_clip = args.dp_norm_clip
     encrypt_type = args.encrypt_type
+    pki_verify = args.pki_verify
+    root_first_ca_path = args.root_first_ca_path
+    root_second_ca_path = args.root_second_ca_path
+    equip_crl_path = args.equip_crl_path
+    replay_attack_time_diff = args.replay_attack_time_diff
     client_password = args.client_password
     server_password = args.server_password
     enable_ssl = args.enable_ssl
@@ -119,6 +130,11 @@ if __name__ == "__main__":
         cmd_server += " --dp_norm_clip=" + str(dp_norm_clip)
         cmd_server += " --client_password=" + str(client_password)
         cmd_server += " --server_password=" + str(server_password)
+        cmd_server += " --pki_verify=" + str(pki_verify)
+        cmd_server += " --root_first_ca_path=" + str(root_first_ca_path)
+        cmd_server += " --root_second_ca_path=" + str(root_second_ca_path)
+        cmd_server += " --equip_crl_path=" + str(equip_crl_path)
+        cmd_server += " --replay_attack_time_diff=" + str(replay_attack_time_diff)
         cmd_server += " --enable_ssl=" + str(enable_ssl)
         cmd_server += " --encrypt_type=" + str(encrypt_type)
         cmd_server += " > server.log 2>&1 &"

tests/st/fl/mobile/test_mobile_lenet.py

@@ -44,6 +44,14 @@ parser.add_argument("--client_batch_size", type=int, default=32)
 parser.add_argument("--client_learning_rate", type=float, default=0.1)
 parser.add_argument("--scheduler_manage_port", type=int, default=11202)
 parser.add_argument("--config_file_path", type=str, default="")
+parser.add_argument("--pki_verify", type=ast.literal_eval, default=False)
+# parameters used for pki_verify=True
+# You can download root_first_ca, root_second_ca and equip_crl
+# from https://pki.consumer.huawei.com/ca/
+parser.add_argument("--root_first_ca_path", type=str, default="")
+parser.add_argument("--root_second_ca_path", type=str, default="")
+parser.add_argument("--equip_crl_path", type=str, default="")
+parser.add_argument("--replay_attack_time_diff", type=int, default=600000)
 parser.add_argument("--encrypt_type", type=str, default="NOT_ENCRYPT")
 # parameters for encrypt_type='DP_ENCRYPT'
 parser.add_argument("--dp_eps", type=float, default=50.0)
@@ -84,6 +92,11 @@ dp_eps = args.dp_eps
 dp_delta = args.dp_delta
 dp_norm_clip = args.dp_norm_clip
 encrypt_type = args.encrypt_type
+pki_verify = args.pki_verify
+root_first_ca_path = args.root_first_ca_path
+root_second_ca_path = args.root_second_ca_path
+equip_crl_path = args.equip_crl_path
+replay_attack_time_diff = args.replay_attack_time_diff
 client_password = args.client_password
 server_password = args.server_password
 enable_ssl = args.enable_ssl
@@ -111,6 +124,11 @@ ctx = {
     "client_learning_rate": client_learning_rate,
     "scheduler_manage_port": scheduler_manage_port,
     "config_file_path": config_file_path,
+    "pki_verify": pki_verify,
+    "root_first_ca_path": root_first_ca_path,
+    "root_second_ca_path": root_second_ca_path,
+    "equip_crl_path": equip_crl_path,
+    "replay_attack_time_diff": replay_attack_time_diff,
     "dp_eps": dp_eps,
     "dp_delta": dp_delta,
     "dp_norm_clip": dp_norm_clip,