Differential privacy in federated learning creates a false sense of security: it hides backdoor signals from detection systems, making attacks more effective rather than less. Defenders face a fundamental trade-off between privacy and security.
This paper reveals that differential privacy in federated learning does not protect against backdoor attacks, contrary to what was previously thought. The authors show that privacy mechanisms actually mask malicious updates, making them harder to detect, and propose RING, an attack that exploits this masking effect to inject backdoors while evading defenses with 90% success rates.