PPFPL: Cross-silo Privacy-preserving Federated Prototype Learning Against Data Poisoning Attacks on Non-IID Data

📅 2025-04-04
🤖 AI Summary
In cross-institutional privacy-preserving federated learning (PPFL), Non-IID data are highly vulnerable to data poisoning attacks, while existing methods struggle to simultaneously ensure robustness and strong privacy guarantees. To address this, we propose a category-prototype-based PPFL framework. Our method replaces model parameters with lightweight category prototypes as the client-side upload unit; introduces a dual-server collaborative secure aggregation protocol to achieve Byzantine resilience and rigorous differential privacy; and provides theoretical convergence analysis that explicitly characterizes the trade-off between privacy budget and poisoning resistance. Extensive experiments on standard Non-IID poisoning benchmarks across multiple public datasets demonstrate that our approach significantly improves both model accuracy and robustness over state-of-the-art PPFL methods, achieves superior poisoning resistance, and satisfies stringent end-to-end privacy requirements.

📝 Abstract
Privacy-Preserving Federated Learning (PPFL) allows multiple clients to collaboratively train a deep learning model by submitting hidden model updates. Nonetheless, PPFL is vulnerable to data poisoning attacks due to the distributed training nature of clients. Existing solutions have struggled to improve the performance of cross-silo PPFL in poisoned Non-IID data. To address the issues, this paper proposes a privacy-preserving federated prototype learning framework, named PPFPL, which enhances the cross-silo FL performance in poisoned Non-IID data while effectively resisting data poisoning attacks. Specifically, we adopt prototypes as client-submitted model updates to eliminate the impact of tampered data distribution on federated learning. Moreover, we utilize two servers to achieve Byzantine-robust aggregation by secure aggregation protocol, which greatly reduces the impact of malicious clients. Theoretical analyses confirm the convergence of PPFPL, and experimental results on publicly available datasets show that PPFPL is effective for resisting data poisoning attacks with Non-IID conditions.

Problem

Research questions and friction points this paper is trying to address.

Enhancing cross-silo FL performance on poisoned Non-IID data
Resisting data poisoning attacks in federated learning
Improving Byzantine-robust aggregation with secure protocols

Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses prototypes as client updates
Employs two-server secure aggregation
Resists poisoning in Non-IID data

Hongliang Zhang
School of Computer Science and Technology, Qilu University of Technology, Jinan, 250353, Shandong, China

Jiguo Yu
School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, 610054, Sichuan, China

Fenghua Xu
Cyber Security Institute, University of Science and Technology of China, Hefei, 230026, Anhui, China

Chunqiang Hu
Professor of Big Data & Software Engineering, Chongqing University.
Data-Driven Security and Privacy; Algorithm Design and Analysis

Yongzhao Zhang
School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, 610054, Sichuan, China

Xiaofen Wang
School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, 610054, Sichuan, China

Zhongyuan Yu

Xiaosong Zhang
Tencent