The Krum aggregator is a Byzantine-resilient aggregation rule that selects the single local model update geometrically closest to its n - f - 2 nearest neighbors, where n is the total number of clients and f is the estimated number of Byzantine adversaries. By discarding all other updates, it ensures the global model remains unaffected by arbitrary or malicious gradient manipulations.
Glossary
Krum Aggregator

What is Krum Aggregator?
A robust aggregation rule for distributed machine learning that selects a single local model update closest to its peers, effectively neutralizing Byzantine failures.
Introduced by Blanchard et al., Krum operates on the principle of majority-based similarity: for each candidate vector, it sums the squared Euclidean distances to its closest peers and selects the vector with the minimal score. This mechanism guarantees convergence even when up to f clients submit corrupted updates, making it a foundational defense against data poisoning and free-rider attacks in decentralized healthcare training pipelines.
Key Properties of Krum
Krum is a foundational aggregation rule in Byzantine fault-tolerant distributed learning. It operates on a simple geometric principle: select the single local model update that is closest to its neighbors, effectively isolating and discarding adversarial outliers.
Core Selection Mechanism
Krum selects the one local model update that minimizes the sum of squared Euclidean distances to its n - f - 2 closest peers, where n is the total number of clients and f is the maximum number of Byzantine adversaries. This distance-based scoring inherently isolates outliers, as malicious updates are geometrically distant from the honest majority.
Byzantine Fault Tolerance Guarantee
Krum provides provable convergence under the assumption that the number of Byzantine clients f satisfies 2f + 2 < n. Under this condition, the selected update will fall within the convex hull of the honest updates, ensuring the global model moves in a direction that reduces the loss function even when up to f clients are adversarial.
Computational Complexity
The algorithm has a time complexity of O(n² * d) where d is the dimensionality of the model update vector. For each of the n clients, Krum computes distances to all other clients. This quadratic scaling makes it most suitable for cross-silo federated learning with tens to hundreds of institutional participants rather than cross-device settings with millions of nodes.
Multi-Krum Variant
The standard Krum selects only a single update, discarding valuable information from other honest clients. Multi-Krum extends the algorithm by selecting the top m lowest-scoring updates and averaging them. This improves statistical efficiency and convergence speed while maintaining Byzantine resilience, trading a slight reduction in theoretical robustness for practical performance gains.
Limitations and Attack Vectors
Krum is vulnerable to tailored attacks where an adversary crafts updates that are geometrically close to one another but far from the honest cluster, forming a deceptive majority. Additionally, in high-dimensional spaces common in deep learning, the curse of dimensionality can degrade the effectiveness of Euclidean distance-based outlier detection, requiring careful dimensionality reduction or normalization strategies.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the Krum aggregation rule, its Byzantine-resilient selection mechanism, and its role in securing federated learning against adversarial model updates.
The Krum aggregator is a Byzantine-resilient aggregation rule designed to select a single local model update that is geometrically closest to its peers, effectively discarding outliers. It operates by computing, for each candidate gradient vector, the sum of squared Euclidean distances to its n - f - 2 nearest neighbors, where n is the total number of clients and f is the maximum number of expected Byzantine adversaries. The gradient with the smallest cumulative distance score is chosen as the global update. This mechanism ensures that even if up to f clients submit arbitrary or malicious updates, the selected vector remains within the cluster of honest contributions, preserving model convergence without requiring prior knowledge of which clients are compromised.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Krum vs. Other Robust Aggregation Methods
Comparative analysis of Krum against alternative robust aggregation rules for defending federated learning against Byzantine adversaries.
| Feature | Krum | Trimmed Mean | Median | Multi-Krum |
|---|---|---|---|---|
Core mechanism | Selects single update closest to n-f-2 neighbors by Euclidean distance | Removes k largest and smallest values per coordinate then averages remainder | Computes coordinate-wise median of all submitted updates | Averages m updates with lowest Krum scores |
Byzantine tolerance (max f) | f ≤ (n-2)/2 | f < n/2 (with sufficient trimming) | f < n/2 | f ≤ (n-2)/2 |
Dimensionality handling | Aggregates full vector as single unit; robust in high dimensions | Operates coordinate-wise; may miss cross-dimension attacks | Operates coordinate-wise; vulnerable to coordinated per-dimension poisoning | Same as Krum; full-vector distance computation |
Computational complexity | O(n²·d) per round | O(n·d log n) per round | O(n·d) per round | O(n²·d + m·n·d) per round |
Convergence guarantee under attack | ||||
Handles non-IID client data | ||||
Output type | Single client update (deterministic selection) | Coordinate-wise average of trimmed subset | Coordinate-wise median vector | Average of m selected client updates |
Information loss risk | Discards n-1 updates; high information loss | Moderate; retains central bulk per coordinate | High; discards distribution tails entirely | Lower than Krum; retains m updates |
Related Terms
Explore the core concepts surrounding the Krum aggregator, a foundational defense mechanism against adversarial updates in decentralized machine learning pipelines.
Data Poisoning Defense
Krum acts as a direct countermeasure against data poisoning and model poisoning attacks. In these threats, an adversary manipulates local training data or directly crafts malicious gradient updates to corrupt the global model. By treating all updates as points in a high-dimensional space, Krum identifies the 'safest' point. It discards updates that are geometrically distant from the dense cluster of honest contributions, preventing a backdoor or targeted misclassification from being injected into the final model.
Multi-Krum Variant
An extension of the original algorithm that improves convergence speed and resilience. Instead of selecting a single update, Multi-Krum selects the top-m candidates with the lowest outlier scores and averages them. This leverages the computational work of multiple honest clients rather than discarding it. The selection mechanism remains identical to standard Krum, but the final aggregation step combines the chosen vectors, providing a smoother and more stable global model update.
Curse of Dimensionality
A significant limitation of Krum in modern deep learning. The algorithm relies on Euclidean distance to measure similarity between high-dimensional gradient vectors. In extremely high-dimensional spaces (millions of parameters), distance metrics become less meaningful as all points appear equally far apart. This can degrade Krum's ability to distinguish between honest and malicious updates, requiring dimensionality reduction techniques or alternative robust aggregation methods for very large models.
Gradient Leakage Prevention
While Krum secures against Byzantine attacks, it does not inherently provide privacy guarantees. The selected update is still shared with the central server in plaintext, making it vulnerable to gradient leakage or model inversion attacks that reconstruct private training data. For a complete security posture, Krum must be combined with cryptographic techniques like Secure Aggregation or Differential Privacy to ensure the chosen update remains confidential.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us