Federated Averaging (FedAvg) is a decentralized machine learning algorithm that constructs a global model by computing a weighted average of local model updates trained independently on distributed client datasets. The central server never accesses raw data, only the resulting model weights or gradients, which are typically protected during transmission by secure aggregation protocols.
Glossary
Federated Averaging (FedAvg)

What is Federated Averaging (FedAvg)?
The foundational federated learning algorithm where a global model is updated by averaging the locally trained model weights from a sampled subset of clients, typically combined with secure aggregation to protect those updates.
The algorithm proceeds in communication rounds: a subset of clients downloads the current global model, trains locally on private data for several epochs, and transmits only the resulting weight deltas. The server aggregates these updates—weighted by local dataset size—to produce the next global model, leveraging gradient clipping and straggler mitigation to maintain robustness.
Key Characteristics of FedAvg
Federated Averaging (FedAvg) is defined by a specific set of algorithmic properties that distinguish it from traditional distributed training. These characteristics directly address the challenges of non-IID data, limited communication, and client heterogeneity.
Local Stochastic Gradient Descent (SGD)
The core mechanism of FedAvg. Instead of computing a single gradient step on a global batch, each selected client performs multiple epochs of local training on its private dataset. This involves running a standard optimizer like SGD or Adam locally. The server then averages the resulting model weight deltas (or the final weights), not the gradients themselves. This reduces the number of communication rounds required for convergence by a factor of 10–100x compared to naive gradient averaging.
Client Subsampling
In each communication round, the central server randomly selects only a fraction of available clients (e.g., 10–100 out of thousands) to participate. This is a practical necessity to manage stragglers and network load. The statistical implication is that the global update is a stochastic approximation of the true full-federation average. The subsampling rate is a critical hyperparameter that balances convergence speed against communication cost and client availability.
Non-IID Data Robustness
A defining challenge for FedAvg is that client data distributions are almost never independent and identically distributed (IID). A client's local dataset may represent a skewed subset of the global population. FedAvg's local SGD steps can cause client drift, where local models diverge from the global optimum. While FedAvg is empirically robust to moderate non-IIDness, severe skew can degrade accuracy or cause divergence, motivating extensions like FedProx and SCAFFOLD.
Weighted Aggregation
The server-side averaging is typically a weighted average, where each client's contribution is scaled by the size of its local dataset (n_k / n). This ensures that clients with more data have a proportionally larger influence on the global model. The formula is: w_{t+1} = Σ (n_k / n) * w^k_{t+1}. In the simplest case with equal dataset sizes, this reduces to a simple arithmetic mean. This weighting is a maximum likelihood estimator for the global objective under a uniform prior.
Communication Efficiency
FedAvg's primary advantage is a dramatic reduction in communication rounds. By performing multiple local epochs (E) with a given batch size (B), clients do significant computation before transmitting. Key parameters controlling this trade-off:
- E (Local Epochs): More epochs reduce communication but increase the risk of client drift on non-IID data.
- B (Batch Size): Larger batches provide more stable local updates.
- Fraction C: The fraction of clients selected per round. This computation-to-communication ratio is the central tuning knob for practical deployments.
Privacy by Architecture
FedAvg provides a baseline of data minimization by design: raw training data never leaves the client device. Only model updates (weights or deltas) are transmitted. However, these updates are not inherently private. Gradient leakage attacks can reconstruct training data from the updates alone. Therefore, FedAvg is almost always deployed in conjunction with a Secure Aggregation Protocol to hide individual updates from the server and/or Differential Privacy mechanisms to add calibrated noise, providing formal privacy guarantees.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the Federated Averaging algorithm, its relationship with secure aggregation, and its role in privacy-preserving machine learning.
Federated Averaging (FedAvg) is the foundational optimization algorithm for federated learning where a global model is trained by averaging the locally computed model weight updates from a sampled subset of distributed clients, without ever centralizing their raw data. The process works in iterative communication rounds: a central server initializes a global model and sends it to a random cohort of participating clients. Each client performs several epochs of local training—typically using stochastic gradient descent (SGD)—on its private dataset, producing an updated set of model weights. These local updates are then transmitted back to the server, which computes a weighted average of the received updates, with each client's contribution weighted proportionally to the size of its local dataset. This aggregated update becomes the new global model, and the cycle repeats. The core insight of FedAvg is that by increasing the number of local training epochs per round, the total number of communication rounds required for convergence can be dramatically reduced compared to naive federated SGD, making the protocol practical for real-world deployment where bandwidth is constrained and clients may be intermittently available.
FedAvg vs. Traditional Distributed Training
Key differences between Federated Averaging and conventional data-center distributed training paradigms.
| Feature | Federated Averaging (FedAvg) | Traditional Distributed Training | Secure Aggregation Context |
|---|---|---|---|
Data Locality | Data remains on client devices; never centralized | Data is partitioned across datacenter nodes with full access | Updates are aggregated without inspecting individual contributions |
Communication Pattern | Client-server with intermittent, high-latency rounds | All-reduce over high-bandwidth, low-latency interconnects | Server computes sum of masked updates via pairwise masking |
Client Participation | Sampled subset of 10-100 clients per round | All nodes participate synchronously in every step | Dropout resilience required for straggler mitigation |
Data Distribution | Non-IID, unbalanced, and heterogeneous across clients | IID and balanced via shuffling across homogeneous nodes | Gradient clipping bounds influence of statistical outliers |
Privacy Guarantee | Raw data never leaves the device | None; full data visibility on all nodes | Cryptographic guarantees against gradient leakage attacks |
Communication Overhead | High; full model weights transmitted per round | Low; gradients aggregated via efficient ring all-reduce | Secret sharing and PRG expansion add bandwidth overhead |
Convergence Rate | Slower; requires 100-1000x more communication rounds | Fast; synchronous SGD with large batch sizes | Quantized aggregation trades precision for communication efficiency |
Security Model | Semi-honest server with honest-but-curious assumption | Trusted datacenter with physical access controls | Malicious security achievable via zero-knowledge proofs |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core protocols and concepts that secure, optimize, and extend the foundational Federated Averaging algorithm in production environments.
Secure Aggregation (SecAgg)
A cryptographic protocol that allows the central server to compute the sum of model updates without inspecting any individual client's contribution. In a standard FedAvg round, the server would see each client's update; SecAgg ensures the server only learns the aggregate average, mathematically preventing gradient leakage. This is the primary privacy layer deployed on top of FedAvg in production systems.
Gradient Leakage
The primary privacy threat that FedAvg faces without secure aggregation. An adversary with access to individual model updates can apply gradient inversion attacks to reconstruct training data:
- Deep Leakage from Gradients (DLG): Iteratively optimizes dummy inputs to match observed gradients
- Inverting Gradients: Exploits the fully connected layer to recover pixel-perfect images
- Text Reconstruction: Recovers token sequences from language model gradients
This is why FedAvg is almost always paired with SecAgg or differential privacy in practice.
Dropout Resilience
A critical property for real-world FedAvg deployments where mobile devices or edge nodes frequently disconnect. A dropout-resilient protocol ensures the server can still compute the correct aggregate even when a subset of clients fails to complete the round. Techniques include:
- Secret sharing with threshold recovery: Only a subset of shares needed to reconstruct masks
- Timeout-based round advancement: Proceed without stragglers after a deadline
- Oversampling: Select more clients than needed, anticipating some dropout
Without this, a single disconnected phone could stall the entire training round.
Pairwise Masking
The core cryptographic technique enabling efficient secure aggregation. Each pair of clients agrees on a shared secret mask that is added to one client's update and subtracted from the other's. When the server sums all updates, these pairwise masks cancel out mathematically, revealing only the true aggregate. This is combined with Diffie-Hellman key agreement to establish the shared secrets and pseudorandom generators (PRGs) to expand short seeds into full mask vectors matching the model dimensions.
Straggler Mitigation
Techniques to prevent slow clients from becoming the bottleneck in synchronous FedAvg rounds. The global model update must wait for all selected clients, so a single slow device degrades wall-clock time. Mitigation strategies include:
- Coded computation: Redundant encoding allows recovery from a subset of responses
- Asynchronous FedAvg: Server updates the global model immediately upon receiving any update, without waiting for the full cohort
- Client selection based on hardware capability: Prefer devices with sufficient compute and battery
This is essential for cross-device FL with millions of heterogeneous phones.
Gradient Clipping
A robustness technique applied before aggregation to bound the L2 norm of each client's model update to a maximum threshold. This serves dual purposes:
- Differential privacy: Clipping bounds the sensitivity of each update, enabling meaningful privacy guarantees when noise is added
- Byzantine resilience: Limits the influence of any single malicious or outlier client on the global model
In FedAvg, clipping is typically applied as: update = update * min(1, C / ||update||₂) where C is the clipping threshold. This prevents a single corrupted update from dominating the average.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us