Krum is a Byzantine fault-tolerant aggregation algorithm designed for distributed machine learning environments where a subset of worker nodes may behave arbitrarily or maliciously. The core mechanism operates by computing, for each candidate gradient vector, the sum of squared Euclidean distances to its n - f - 2 closest neighbors, where n is the total number of clients and f is the maximum number of tolerated Byzantine workers. The vector minimizing this local distance score is selected as the global model update, effectively isolating outliers that deviate from the geometric consensus.
Glossary
Krum

What is Krum?
Krum is a robust aggregation rule for distributed Stochastic Gradient Descent (SGD) that selects a single model update from a set of client vectors which is closest to a majority of its neighbors, effectively tolerating Byzantine failures without requiring a trusted server.
Unlike median-based or coordinate-wise averaging defenses, Krum guarantees convergence under the theoretical assumption that the honest gradient estimators are concentrated around the true gradient. The algorithm's primary trade-off is computational cost, requiring O(n^2 * d) distance calculations per round, where d is the parameter dimensionality. Multi-Krum, a variant that averages the m vectors with the lowest scores, improves statistical efficiency by reducing the variance of the aggregated update while maintaining resilience against a minority of adversarial nodes.
Key Characteristics of Krum
Krum is a robust aggregation rule for distributed stochastic gradient descent (SGD) that selects a single model update from a set of client vectors, effectively tolerating Byzantine failures without requiring a trusted server.
Core Selection Mechanism
Krum operates by computing a local sum of squared Euclidean distances for each client's gradient vector to its n - f - 2 closest neighbors, where n is the total number of clients and f is the maximum number of Byzantine workers. The algorithm selects the single vector with the minimum cumulative distance score as the global update. This geometric approach assumes that honest gradients cluster together in vector space, while malicious updates appear as outliers. The selection rule is deterministic and computationally efficient, requiring only pairwise distance calculations.
Byzantine Fault Tolerance Guarantee
Krum provides a provable convergence guarantee under the assumption that the number of Byzantine workers f satisfies 2f + 2 < n. This means Krum tolerates up to (n-3)/2 malicious clients. The theoretical proof demonstrates that the selected gradient lies within a bounded distance of the true average of honest gradients, even when adversaries collude to send arbitrary vectors. This resilience holds under the standard assumption of bounded variance among honest gradients and a Lipschitz-smooth objective function, making Krum suitable for non-convex deep learning optimization.
Multi-Krum Variant
The original Krum selects only a single vector per round, discarding information from other honest clients. Multi-Krum extends the algorithm by selecting the m vectors with the smallest distance scores and averaging them to form the global update. This variant improves statistical efficiency by incorporating more honest gradients while maintaining Byzantine resilience. The selection parameter m is typically set to n - f, ensuring that all likely-honest updates contribute. Multi-Krum achieves faster convergence in practice while preserving the same theoretical fault tolerance bounds as the single-vector version.
Limitations and Attack Vectors
Krum is vulnerable to sophisticated attacks where Byzantine clients craft gradients that appear close to a targeted subset of honest vectors while pulling the selected update toward a malicious objective. The little is enough attack exploits Krum's reliance on local neighborhoods by sending gradients with amplified magnitudes in directions orthogonal to the honest variance, gradually steering convergence. Additionally, Krum's assumption of independent and identically distributed (IID) data across clients weakens in heterogeneous federated settings, where honest gradients naturally diverge, reducing the clustering assumption's validity.
Comparison to Median and Trimmed Mean
Unlike coordinate-wise robust aggregators such as median or trimmed mean, Krum operates in the full vector space using Euclidean distances. This makes Krum resistant to omniscient Byzantine attacks that corrupt specific coordinates while leaving others intact. Coordinate-wise methods can be defeated by adversaries who inject large values into a minority of dimensions across many clients. Krum's vector-level selection avoids this vulnerability but at the cost of higher computational complexity: O(n²d) for pairwise distance calculations, where d is the gradient dimensionality, compared to O(nd) for coordinate-wise methods.
Practical Deployment Considerations
Krum is implemented in major federated learning frameworks and is often combined with gradient clipping and differential privacy mechanisms for defense-in-depth. In production, the n - f - 2 neighborhood size parameter must be carefully tuned: setting it too small increases sensitivity to outliers, while setting it too large risks including Byzantine vectors in the distance calculation. Krum is most effective when Byzantine clients constitute a minority of the total population and when honest data distributions are reasonably homogeneous. For highly non-IID settings, variants like Bulyan combine Krum with trimmed mean for stronger guarantees.
Frequently Asked Questions
Explore the mechanics, threat models, and practical considerations of the Krum aggregation rule, a foundational defense against Byzantine failures in distributed machine learning.
The Krum aggregation rule is a Byzantine-resilient algorithm designed to select a single robust model update from a set of n client updates in a distributed learning system, of which up to f may be arbitrary (Byzantine) failures. It functions by computing a score for each update based on the sum of its squared Euclidean distances to its n - f - 2 closest neighbors. The update with the minimum score is selected as the global model update for that round. This mechanism assumes that honest updates will cluster together in the parameter space, while malicious updates will be geometric outliers, effectively isolating them without requiring prior knowledge of the attack strategy. The core intuition is that a benign gradient will be close to a majority of other benign gradients, making it the most 'centrally located' candidate.
Krum vs. Other Robust Aggregation Methods
A technical comparison of Krum against other prominent robust aggregation rules used to defend federated learning against malicious client updates.
| Feature | Krum | Trimmed Mean | Median |
|---|---|---|---|
Core Mechanism | Selects one update minimizing sum of squared distances to n-f-2 closest neighbors | Discards largest and smallest values per coordinate, averages remainder | Computes coordinate-wise median of all client updates |
Byzantine Tolerance (max faulty clients f) | f < n/2 - 1 | f < n/2 | f < n/2 |
Output Type | Single client vector | Synthetic averaged vector | Synthetic median vector |
Computational Complexity | O(n² · d) per round | O(n · d · log n) per round | O(n · d) per round |
Resilience to High-Dimensional Attacks | Strong (distance-based selection) | Moderate (coordinate-wise vulnerable) | Weak (coordinate-wise vulnerable) |
Convergence Guarantee | Proven under i.i.d. assumptions | Proven under bounded variance | Proven under bounded variance |
Information Loss | High (discards n-1 updates) | Moderate (trims extremes) | Moderate (ignores distribution shape) |
Optimal Statistical Efficiency on Clean Data |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Krum is a foundational algorithm in the robust aggregation family. These related concepts define the threat landscape, alternative defenses, and the cryptographic context in which Krum operates to secure distributed learning.
Byzantine Fault Tolerance
The distributed systems property that Krum is designed to achieve. A system is Byzantine Fault Tolerant if it can reach correct consensus despite an arbitrary subset of nodes exhibiting malicious or arbitrary failures. In the context of federated learning, a Byzantine client may send arbitrary, crafted gradient updates to corrupt the global model. Krum provides BFT by selecting a single update that is geometrically closest to a majority of its neighbors, effectively ignoring outliers that deviate from the consensus.
FoolsGold
A complementary defense that identifies malicious clients by analyzing the diversity of their historical gradient updates. FoolsGold operates on the insight that sybil attackers—a single adversary controlling multiple fake clients—often produce highly similar, low-diversity gradient contributions. By assigning lower learning rates to clients with mutually similar update histories, FoolsGold neutralizes sybil-based poisoning. While Krum focuses on geometric consensus, FoolsGold targets the behavioral fingerprint of the attacker.
Gradient Clipping
A fundamental defensive technique that caps the L2-norm of individual per-example gradients during training. By enforcing a maximum magnitude, clipping bounds the influence any single data point or client can exert on the model update. This is a prerequisite for Differential Privacy SGD (DP-SGD) and provides a lightweight first line of defense against poisoning. While Krum operates at the server-aggregation level, gradient clipping is applied locally at each client before updates are shared.
Multi-Krum
A direct extension of the original Krum algorithm that selects multiple updates instead of a single one to improve convergence speed. While Krum picks the single most central update, Multi-Krum iteratively selects the m updates closest to their neighbors and averages them. This trades a slight reduction in Byzantine resilience for significantly faster convergence, as more client information is retained in each round. The selection criterion remains the same: minimizing the sum of squared distances to the nearest n - f - 2 neighbors.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us