Krum operates on the geometric intuition that honest gradient updates from non-IID data will cluster together in vector space, while Byzantine (arbitrarily malicious) updates will appear as outliers. For each candidate update among n participants, the algorithm computes the sum of squared distances to its n - f - 2 nearest neighbors, where f is the maximum number of tolerated Byzantine workers. The update minimizing this local distance score is selected as the global model for that round, inherently discarding poisoned or erratic vectors without requiring prior knowledge of the attack strategy.
Glossary
Krum

What is Krum?
Krum is a Byzantine-resilient aggregation rule for distributed machine learning that selects a single local update as the global model by identifying the vector with the minimal sum of squared Euclidean distances to its closest neighbors, effectively filtering out malicious gradients.
The algorithm provides provable Byzantine resilience under the assumption that the honest gradients are concentrated around a common mean and that 2f + 2 < n. Unlike Federated Averaging (FedAvg), which is vulnerable to a single malicious update skewing the mean, Krum's selection-based mechanism guarantees convergence even when up to f workers are adversarial. Variants like Multi-Krum extend this by averaging the top m closest updates to improve statistical efficiency, trading a marginal increase in vulnerability for faster convergence in high-dimensional, non-convex federated learning environments.
Frequently Asked Questions
Clear, technical answers to the most common questions about the Krum Byzantine-resilient aggregation rule, its mechanism, and its role in securing federated learning against malicious actors.
The Krum aggregation rule is a Byzantine-resilient algorithm designed to select a single honest gradient update from a set of n local updates, even when up to f of those updates are malicious. It operates by calculating, for each local update vector V_i, the sum of squared Euclidean distances to its n - f - 2 closest neighboring vectors. The update with the minimum sum of distances is selected as the global model's update for that round. This mechanism assumes that honest updates will naturally cluster together in the parameter space, while arbitrary or adversarial Byzantine gradients will appear as geometric outliers. By selecting the vector that is closest to its neighbors, Krum effectively filters out poisoned updates without requiring prior knowledge of the attack strategy, providing a foundational defense in federated learning security.
Key Properties of Krum
Krum is a foundational aggregation rule for distributed machine learning that selects a single, representative model update from a cluster, effectively neutralizing the influence of malicious or arbitrarily faulty nodes without requiring prior knowledge of the attack.
Distance-Based Selection Logic
Krum operates on a simple geometric intuition: a benign gradient update will be close to many other benign updates, while a malicious one will be an outlier. The algorithm computes the sum of squared Euclidean distances from each local update to its n - f - 2 closest neighbors, where n is the total number of nodes and f is the maximum number of tolerated Byzantine nodes. The update with the smallest cumulative distance score is selected as the global model update for that round, effectively ignoring poisoned or erratic vectors.
Byzantine Fault Tolerance Guarantee
Krum provides a formal resilience guarantee against Byzantine failures in synchronous distributed systems. The algorithm is proven to converge under the assumption that the number of malicious nodes f satisfies 2f + 2 < n. This means Krum can tolerate up to (n-3)/2 adversarial nodes. Unlike median-based aggregation, Krum's selection of a single, complete update vector prevents an attacker from shifting the aggregate even slightly by injecting a carefully crafted malicious gradient.
Computational Complexity Profile
The time complexity of Krum is O(n² * d), where n is the number of workers and d is the dimensionality of the gradient vector. This quadratic scaling with the number of nodes arises from the need to compute pairwise distances between all submitted updates. While this is computationally heavier than simple averaging, it is a necessary trade-off for the strong Byzantine resilience. For very large d, the distance computation dominates, making Krum most practical in cross-silo settings with a moderate number of high-value nodes.
Multi-Krum Variant
A key limitation of the original Krum is that it discards all but one update, wasting the computational work of benign nodes. Multi-Krum addresses this by iteratively applying the Krum selection rule. After the first vector is selected, it is removed from the candidate pool, and the process repeats to select m vectors. The final global update is the arithmetic mean of these m selected vectors. This variant improves statistical efficiency and convergence speed while retaining strong Byzantine resilience.
Vulnerability to Dimensionality Attacks
Krum's Euclidean distance metric becomes less discriminative in high-dimensional spaces, a phenomenon known as the curse of dimensionality. In very deep neural networks with millions of parameters, the distance between any two gradient vectors can become nearly uniform, making it harder to distinguish outliers. Furthermore, a sophisticated adversary can craft omniscient attacks that generate a malicious gradient appearing closer to the benign cluster than some legitimate updates, potentially subverting the selection process in extreme high-dimensional regimes.
Practical Deployment in Federated Learning
Krum is particularly suited for cross-silo federated learning scenarios with a small, known number of institutional participants (e.g., hospitals or banks) where the trust model is adversarial. In these settings, the O(n² * d) complexity is manageable, and the strong Byzantine guarantee is critical. It is less suited for cross-device settings with thousands of mobile devices due to the quadratic scaling and the assumption that the server can identify and enumerate all potential nodes to compute the n - f - 2 neighborhood size.
Krum vs. Other Aggregation Rules
Comparative analysis of Krum against other aggregation rules used in federated learning to tolerate Byzantine failures and malicious gradient updates.
| Feature | Krum | Multi-Krum | Trimmed Mean | Median | Bulyan |
|---|---|---|---|---|---|
Core Mechanism | Selects single vector with minimal sum of squared distances to n-f-2 closest neighbors | Averages m Krum-selected vectors iteratively | Removes fraction of extreme values per coordinate then averages | Computes coordinate-wise median of all updates | Combines Krum selection with trimmed mean for enhanced resilience |
Byzantine Tolerance (f attackers) | Up to f < n/2 | Up to f < n/2 | Up to f < n/2 | Up to f < n/2 | Up to f < n/4 |
Computational Complexity | O(n² · d) | O(m · n² · d) | O(n · d · log n) | O(n · d) | O(n² · d + n · d · log n) |
Output Type | Single local update | Averaged vector | Averaged vector | Coordinate-wise median | Averaged vector |
Vulnerability to Dimensional Attacks | Resilient via Euclidean distance | Resilient via Euclidean distance | Vulnerable to per-coordinate manipulation | Vulnerable to per-coordinate manipulation | Resilient via Krum pre-filtering |
Convergence Rate | Slower due to single-update selection | Improved over Krum | Comparable to FedAvg | Comparable to FedAvg | Slower due to two-stage filtering |
Statistical Efficiency | Low; discards majority of updates | Moderate; uses m updates | High; retains most updates | Moderate; discards extremes | Moderate; discards outliers then trims |
Hyperparameter Sensitivity | Low; only requires f estimate | Moderate; requires f and m | Moderate; requires trimming fraction β | None | High; requires f, m, and trimming fraction |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding Krum requires familiarity with the broader ecosystem of Byzantine-resilient aggregation and the threats it mitigates. These related concepts define the attack surface and defensive toolkit for secure decentralized training.
Non-IID Data
Non-Independently and Identically Distributed data is a fundamental challenge in federated learning that complicates Byzantine detection. When local datasets are statistically heterogeneous, honest client updates naturally diverge from each other. This increases the variance of benign gradients, making it harder for distance-based rules like Krum to distinguish between a malicious outlier and a client with genuinely unique local data, potentially leading to false positives.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us