Privacy-Preserving Approach to Edge Federated Learning Based on Blockchain and Fully Homomorphic Encryption

Abstract

To address the issues of high single-point failure risk, weak privacy protection, and poor resistance to poisoning attacks in edge federated learning, an edge federated learning privacy protection scheme based on blockchain and fully homomorphic encryption is proposed. This scheme uses blockchain technology combined with the CKKS (Cheon–Kim–Kim–Song) fully homomorphic encryption scheme to encrypt computational parameters. This approach reduces the risk of privacy leakage and provides edge federated learning with features such as anti-tampering, resistance to single-point failure, and data traceability. In addition, an unsupervised mechanism for identifying model gradient parameter updates is designed. This mechanism uses the consistency of historical model gradient parameter updates from edge servers as the identification basis. It can effectively detect malicious updates from edge servers, improving the accuracy of the aggregated model. Experimental results show that the proposed method can resist poisoning attacks from 70% of malicious edge servers. It offers privacy protection, transparent model aggregation, and resistance to single-point failure. Furthermore, the method achieves high model accuracy and meets stringent security, accuracy, and traceability requirements in edge federated learning scenarios.

1. Introduction

Machine learning [1,2] has been widely used in many fields, such as medical diagnosis, image recognition, and speech recognition. Valuable knowledge can be extracted from massive data, analyzed, and processed to assist users in discovering patterns and making decisions using machine learning technology. However, a single data source can lead to insufficient data volume, but too many data sources can increase data volume and higher computational requirements in practice. Distributed machine learning [3,4] has been widely studied and applied to solve the above problems.

Distributed machine learning enables data and computational tasks to be processed collaboratively on multiple computing nodes, thus accelerating model training and data processing. Compared with traditional machine learning methods, distributed machine learning can break down data silos and access more data for more considerable model training. Federated learning [5,6], a novel framework for distributed machine learning, can unite multiple local devices to complete the collaborative training task of machine learning models by sharing local model parameters only, which can avoid the data leakage caused by the direct transmission of raw local data from local devices to the central server effectively. Although federated learning has provided a decentralized approach to data training and model aggregation, it is still susceptible to security and privacy breaches as the computing nodes are often in untrustworthy environments. To deal with the security and privacy threats, edge privacy-preserving FL (federated learning) schemes have been carried out in academia and industry [7,8] extensively, and three problems of existing edge privacy-preserving FL schemes [9,10] need to be solved.

The first problem is that poisoning attacks may still affect edge privacy-preserving FL schemes. Biggio et al. [11] attempted to disrupt the training performance of Support Vector Machine models in machine learning by flipping data labels. Based on Biggio’s research, Li et al. [12] demonstrated that poisoning attacks can also achieve better attack results in federated learning. In the case of a poisoning attack, a trained model may make incorrect predictions for specific categories while maintaining prediction accuracy for other categories (targeted attacks) [13,14,15], or global models may make wrong predictions for a large number of categories (non-targeted attacks) [16] mindlessly. Blanchard et al. [17] and Fung et al. [18] proposed Krum and FoolsGold, respectively. Although the above aggregation schemes can detect malicious gradients and malicious nodes by the difference in the gradient distribution of each participant and the consistency of the updates, over-reliance thresholds, an inability to handle conspiracy attacks, a lack of audibility, and privacy leakage due to the use of plaintext gradients for computation are still encountered. Therefore, how to provide a more reliable and accurate aggregation rule and identification mechanism becomes the first problem to be solved.

The second problem is that edge privacy-preserving FL schemes are vulnerable to malicious server aggregation and single-point-failure threats. Rathee et al. [19] proposed CrypTFlow2, an approach for implementing two-party secure inference. The approach is based on Secure Multi-Party Computing (SMC) [20], which enables two participants to infer a machine learning model jointly without disclosing each other’s private inputs. However, the interaction process of SMC can increase the communication load on nodes. In contrast, blockchain [21,22,23], with characteristics of decentralization, resistance to a single point of failure, and immutability, is becoming a more applicable solution.

The third problem is choosing privacy-preserving means in edge privacy-preserving FL schemes. It has been shown that some private information about participant data can be inverted by exploiting model parameters [24]. One of the most common privacy-preserving federated learning schemes is the Paillier semi-homomorphic encryption scheme [25,26], which encrypts the local gradient derived from the training of the local device. However, since Paillier can only encrypt integers and supports encryption only of a single piece of data, it is necessary to quantize the gradient and then encrypt it one by one, which greatly increases the computational and communication overhead. Meanwhile, Paillier’s accuracy loss will cause the aggregated global model to fail to achieve optimal aggregation in the decrypting process. In addition, the local differential privacy technique [27,28,29] is also one of the means of protection. Zhao et al. [27] added differential privacy noise to the features extracted from the convolutional layer before uploading them to the blockchain to protect the user’s private data in home scenarios. Lu et al. [28] and Qi et al. [29] applied the local differential privacy technique to blockchain federated learning by adding a noise perturbation to the original data to protect data privacy in industrial internet and smart traffic. However, the federated learning obtained by training with noisy data has low accuracy in the above schemes.

In summary, existing edge privacy-preserving FL schemes still fall short in resisting poisoning attacks, avoiding malicious aggregation of central servers, reducing single points of failure, and protecting privacy.

The paper proposes an edge federated learning privacy preservation scheme based on blockchain, and fully homomorphic encryption is proposed. The main contributions of this paper are as follows:

• Unsupervised model gradient parameter update identification mechanism: An identification mechanism based on the consistency of model historical gradient updates was designed to detect and remove malicious edge servers. This effectively resists the poisoning attack and improves the global model’s performance.
• Blockchain-based edge federated learning framework: By integrating blockchain technology with the ECDSA (Elliptic Curve Digital Signature Algorithm), the framework ensures transparency in the training aggregation process. The aggregation process and results can be audited, tracked, and distributed into storage to avoid a single point of failure as much as possible. Additionally, the framework randomly selects trusted edge servers based on a consensus protocol to perform tasks such as verification, aggregation, and block creation. This approach significantly reduces centralization and the risks of malicious aggregation.
• CKKS fully homomorphic encryption (FHE) scheme: The CKKS encryption method protects uploaded local model parameters, effectively preventing the central server and edge servers from cracking encrypted model parameters. Compared with other major privacy protection schemes, this method offers shorter encryption and decryption times with higher precision.

This paper is structured as follows. Section 2 introduces the work in related fields of our paper. Section 3 describes the system security threats, model architecture, workflow, and scheme algorithm design. Section 4 discusses the theoretical proof and analysis of the scheme algorithm. Section 5 contains the experimental process and result analysis. Section 6 is the conclusion.

2. Related Work

As the algorithm proposed in this paper progresses in several challenges of existing FL solutions, we focus on related work in the following two sub-topics of FL.

2.1. Federated Learning Against Poisoning Attacks

FedAvg [5] is a typical aggregation scheme in FL. However, FedAvg is vulnerable to poisoning attacks, which can undermine the global model’s trustworthiness and accuracy. To address the above issue, numerous alternative aggregation methods have been proposed [7,17,30,31].

Cao et al. proposed FLTrust [32], a federated learning framework against poisoning attacks, which uses a trusted root dataset and cosine similarity as criteria for judging malicious gradients. However, forming a trusted root dataset is an unavoidable challenge. Blanchard et al. proposed Krum [17], a Byzantine-resilient algorithm for distributed stochastic gradient descent. Krum selects the most likely benign model in each iteration based on the Euclidean distance between the gradients. Similarly, Yin et al. introduced Trim-mean [30], where the central server first sorts the model parameters, removes the larger and smaller values, and then calculates the average of the remaining values to form the global model. However, these methods analyze and compute gradients in plaintext, leading to privacy leakage. To address this issue, Truex et al. proposed a federated learning system [7] that uses differential privacy (DP) and Secure Multi-Party Computation (SMPC) to protect data privacy. This approach prevents inference attacks on sensitive data during training and ensures high-precision models. However, the method in [7] remains vulnerable to malicious gradients, as encryption complicates the similarity calculation between local gradients. To solve this problem, Liu et al. proposed a Privacy-Enhanced Federated Learning (PEFL) framework [31], which utilizes homomorphic encryption and effective gradient data extraction through logarithmic functions to penalize malicious clients. However, PEFL cannot prevent malicious behavior from servers, and the servers can access intermediate parameters during training, potentially leading to inference attacks on clients.

2.2. Blockchain-Based Federated Learning

Traditional federated learning schemes rely heavily on server participation, which can lead to a single point of failure and malicious behaviors from the server. Blockchain has gained significant attention as a promising technology due to its decentralization and reliability. To address the risks associated with server-based systems, many solutions [21,22,32] have been proposed to replace the server with blockchain. This shift aims to eliminate the threat of a single point of failure and mitigate the potential for malicious server behavior.

Ramanan et al. [18] introduced a blockchain-based federated learning solution called BAFFLE, which uses smart contracts (SCs) to aggregate local models. Compared to traditional methods, BAFFLE eliminates the risk of a single point of failure and reduces gas costs for federated learning on the blockchain. Similarly, Kim et al. [33] proposed BlockFL, where local model updates are exchanged and verified through a pre-deployed smart contract on the blockchain. BlockFL addresses the single point of failure issue and encourages the participation of more devices and a more significant number of training samples by offering incentives based on the sample size. These solutions aggregate local models using smart contracts, which can lead to high computation and communication burdens on the blockchain nodes.

Additionally, they are unable to distinguish malicious gradients. To address these challenges, Li et al. [21] proposed a blockchain-based federated learning framework with committee consensus (BFLC), which reduces the computational burden of consensus and prevents malicious attacks. However, the criteria for selecting the committee remain a challenge that needs to be addressed.

Finally,

Table 1. Comparative summary between proposed algorithm and previous schemes.

Schemes	Fun1	Fun2	Fun3	Fun4
Krum [17]	Yes	No	Central server	Yes
Trim-Mean [30]	Yes	No	Central server	Yes
Scheme [7]	No	DP	Central server	No
PEFL [31]	Yes	Paillier	Central server	No
BAFFLE [22]	No	No	Blockchain	No
BlockFL [21]	No	No	Blockchain	No
BFLC [33]	Yes	No	Blockchain	Yes
Proposed algorithm	Yes	CKKS	Blockchain	Yes

Notes: Fun₁: Whether resisting poisoning attacks or not. Fun₂: Privacy-preserving mechanism. Fun₃: Central server or blockchain-based computation. Fun₄: Whether achieving lightweight computation or not.

compares the proposed algorithm with the above FL solutions. The results show that the solution not only resists poisoning attacks and avoids single points of failure but also has high privacy and computational efficiency.

3. System Architecture and Design

3.1. System Security Threats

According to the three existing problems with edge federated learning mentioned in Section 1, the security threats to edge federated learning are as follows:

• Threat 1: Poisoning attack. A malicious edge calculator can degrade the accuracy of the federated learning global model and corrupt the correct federated learning by submitting forged gradients carefully, using model parameters, or contaminating the local dataset.
• Threat 2: Single point failure attack. Edge federated learning is highly dependent on the central server. When it crashes down, the entire federated learning architecture will not operate.
• Threat 3: Data security. Only the central server records the overall data in edge federated learning. The centralized bookkeeping not only leads to low transparency and openness of the overall architecture, but it also cannot defend against malicious data tampering attacks on the central server. When an attacker cripples the central server, the integrity of the entire ledger is highly vulnerable.
• Threat 4: Privacy leakage. Edge federated learning transmits model parameters rather than raw data, but it has been shown that some private information about participant data can be inverted by exploiting model parameters [24]. Therefore, both model parameters and model-related data information must be strictly protected from being back-propagated into participant models and data.

3.2. System Architecture

Figure 1 shows the system architecture diagram. The scheme consists of a central server, a group of edge servers, a blockchain system, and three associated key pairs. The related technical scheme comprises three parts: the CKKS fully homomorphic encryption mechanism, the fusion architecture of blockchain and federated learning, and the unsupervised model gradient parameter update identification mechanism.

The secret keys held by the central server and the edge servers are all different from each other, and the keys of the same color in Figure 1 only indicate key pairs with the same usage. The edge servers in the edge server group are endpoints with certain computing and storage capabilities, and each edge server has a local dataset $D^j,j=1,2,\dots ,n$. All good edge servers and center servers are participants in the blockchain.

Furthermore, the scheme assumes that the central server is trustworthy and curious in the paper, and the complete training process can be summarized as follows:

• Step 1: The central server issues a training task to the edge server group, registers all edge servers with the blockchain system at the same time, and generates a unique signature key pair $(p{k}_z,s{k}_z)$ for each edge server based on the ECDSA digital signature algorithm, which is used to “trade” cryptographic model parameters and participate in blockchain transactions. The central server creates a genesis block based on the training task and synchronizes the blockchain. The genesis block contains information such as the global model initialization parameters $W_0$, the total number of training rounds $E$, the number of local training rounds $e$ for edge servers, the recording period of the history update $N$, and the public keys $p{k}_z^j$, which are held by all edge servers and used for digital signatures.
• Step 2: After synchronizing blockchain content, the edge server $j$ is trained on the local dataset $D^j$. After a certain number of iterations $e$, the CKKS homomorphic encryption is performed on the iterated model parameters using an encryption key pair $\left(p{k}_y,s{k}_y\right)$ to deal with threat 4 in part 1 of Section 3. The encryption and decryption key pairs are held by the edge server $j$ locally and not made public.
• Step 3: The edge server “trades” the encrypted model parameters to the central server in the form of a transaction and completes a digital signature, and the central server verifies the digital signature of the “transaction” according to the public key $p{k}_z^j$ in the genesis block and gives the corresponding account credits to the edge server as a reward if it passes the verification. The blockchain holds all the cryptographic model parameters of the edge server obtained through the transaction. However, it is impossible to decrypt the parameters to obtain the original text, which prevents the curious behavior of the server to some extent. This step could address threat 3 in part 1 of Section 3.
• Step 4: The server randomly selects one of the good edge servers and makes it act as the validator, aggregator, and block packer for this training round. The selected edge servers validate the above transactions again, perform the model parameter aggregation task, and finally generate a new block containing the latest global model. All edge servers will acquire the latest global aggregated model through the new block.
• Step 5: All edge servers acquire new global models from the new block. During the acquisition process, each edge server pays a deposit to the smart contract to ensure participation in the subsequent malicious edge server identification data upload. At the same time, the server will make predictions for the current gradient update of all edge servers based on the identification data of the previous $N$ round and the parameters $W_{i-1}$ of the previous global model and then compute the Hessian vector product ${\tilde{H}}_i\cdot (W_i-W_{i-1})$ for this round, which will be “traded” to all edge servers.
• Step 6: The smart contract automatically performs the computation and encryption procedures described below. The edge server obtains the new encrypted global model $⟦W_i{⟧}_{p{k}_y}$ and the Hessian vector product $H_i^j\cdot (W_i-W_{i-1})$ for this round. The edge server makes calculations based on Equation (7). And the result is called the prediction of model gradient update ${\tilde{g}}_i^j$. The edge server needs to calculate the Euclidean distance ${\tilde{d}}_i^j$ between the actual and the predicted model gradient updates. Finally, it should use an encryption key pair $\left(p{k}_x^j,s{k}_x^j\right)$ to encrypt the calculated results, local computation time, etc. The secret key pair differs from the other encryption key pair mentioned in step 2 above, which is pre-distributed and only held by the central server and the edge servers to deal with threat 4 in part 1 of Section 3. The smart contract automatically executes the computation and encryption process. The smart contract is supplemented by the proof-of-concept mechanism [34] of time consumption under the Intel SGX Trusted Hardware Technology, ensuring a real and reliable computation process and results.
• Step 7: The edge server, with the intervention of a smart contract, ‘trades’ the encrypted relevant computation results and local computation time to the central server. The above transactions are stored in the blockchain. After synchronizing the computation results through the block, the central server verifies the digital signature and computation time. Upon passing the verification, the central server refunds the deposit mentioned in step 5. Subsequently, the central server identifies the malicious model parameter updates to the computation results and removes the malicious edge server. This step could address threat 1 in part 1 of Section 3. The next round of training starts from step 2 until the model converges or the maximum number of training rounds is reached.

Table 2. Main symbols.

Parameter	Parameter Description
$n$	Total number of edge servers
$lr$	Edge server local training learning rate
$e$	Number of local training rounds for edge servers
$E$	Number of all training rounds
$i$	Current training round
$D^j$	Local dataset for the $j$th edge server
$C^j$	The $j$th edge server
$w_i^j$	Local model parameters for the $j$th edge server in round $i$
$W_i$	Global model parameters in round $i$
$g_i^j$	Local update gradient of the $j$th edge server in round $i$
${\tilde{g}}_i^j$	Prediction of update gradient from the central server to the edge server in round $i$
$G_i$	Global model gradient in round $i$
$T$	Trusted calculation time
${\tilde{H}}_i\cdot (W_i-W_{i-1})$	Approximate Hessian vector product in round $i$
$N$	The recording cycle of the historical gradient update identification mechanism
${\tilde{d}}_i^j$	Euclidean distance between the local model gradient update of the $j$th edge server and the prediction of model gradient update in round $i$
$s_i^j$	The mean value of ${\tilde{d}}_i^j$ in the last $N$ rounds for the $j$th edge server
$\left(p{k}_x^j,s{k}_x^j\right)$	Key used by the $j$th edge server to encrypt and decrypt identification data
$\left(p{k}_y^j,s{k}_y^j\right)$	Key used by the $j$th edge server to encrypt and decrypt model parameters
$\left(p{k}_z^j,s{k}_z^j\right)$	Key used by the $j$th edge server for digital signatures

shows the complete training process for one round and the main symbols used in the paper.

3.3. System Design

3.3.1. The CKKS Fully Homomorphic Encryption Mechanism

All edge servers need to upload model parameters or related computation results to the central server after local training is completed. They also need to perform privacy-preserving processing on the transmitted data to cope with threat 4 in part 1 of Section 3.

Researchers have proposed methods that add noise perturbations to the original data [28,29] to address the issue. Although the above methods can protect privacy, they still cause a large loss of global model accuracy, cannot identify malicious edge servers, and can only rely on robustness to reduce the impact of malicious edge servers.

Using Paillier [31] as a means of privacy protection is an alternative. However, since Paillier can only encrypt integers and supports encryption of individual data, it is necessary to quantify the target gradient or the target model parameters and then encrypt them one by one, which greatly increases the computation and communication overhead when decrypting. Due to Paillier’s accuracy problem, the aggregated global model will not be able to reach optimal aggregation due to accuracy loss. CKKS certainly offers a new possibility.

In this subsection, we can carry out a simple test to show why we chose CKKS. The model parameters are usually in the form of a tensor, and a high-dimensional tensor can be viewed as a collection of multiple vectors. Therefore, we use the TenSEAL(0.3.11) and the phe libraries in Python for encryption and decryption and use CKKS and Paillier to encrypt and decrypt vectors of lengths ranging from 100 to 1000 in order to briefly simulate the encryption and decryption of different model parameters. Finally, the time taken is compared separately. The results are shown in Figure 2. The results show that CKKS consumes significantly less time for both encryption and decryption. Thus, the CKKS algorithm is more efficient and suitable for handling large-scale vector and network models with multiple parameters.

Second, CKKS with homomorphic properties offers the possibility of model parameter aggregation, which enables different entities to encrypt data using different keys and permits to secure homomorphic computation without disclosing the keys.

Therefore, CKKS is used to encrypt the model parameters and computation results in steps 2 and 6 in part 2 of Section 3 to improve computational efficiency and provide privacy protection in the paper’s scheme.

3.3.2. Convergence Architecture for Blockchain and Federated Learning

In this subsection, the main part of the scheme architecture includes local training encryption, aggregation, and related applications of blockchain features. The architecture is shown in Figure 1.

• Local training encryption and aggregation: in the $i$th training round, each edge server participating in the training aggregation is trained with its local dataset $D^j,j=1,2,3,\cdots ,n$ and local model $w_i^j$ to obtain the local gradient $g_i^j$, which can be expressed by (1).

$$g_i^j=\nabla L(w_i^j,D^j)$$

(1)

where $L(w_i^j,D^j)$ is the empirical loss function and $\nabla$ is the derivation operation. After obtaining the local gradient and the local model parameters, the CKKS fully homomorphic encryption is performed on the local model parameters.

The specific local training and encryption algorithm is shown in Algorithm 1.

Algorithm 1: Local training and encryption algorithm

INPUT: Edge servers $C=\{C^1,C^2,\dots ,C^n\}$; Current training rounds $i$; Local dataset $D=\{D^1,D^2,\dots ,D^n\}$; Local training batch size $b$; Local training learning rate $lr$; Number of local training iterations $e$.

OUTPUT: Encrypted model parameters ${⟦w_i^j⟧}_{p{k}_y^j}$. 1:   for each $j\in \left\{C^1,C^2,\dots ,C^n\right\}$ do 2:           Get global model ${⟦W_{i-1}⟧}_{p{k}_y}$ from new blocks in blockchain; 3:           Decrypt the global model ${⟦W_{i-1}⟧}_{p{k}_y}$ using $s{k}_y^j$ to get $W_{i-1}$; 4:           $w_0\leftarrow W_{i-1}$; 5:           for each $l\in [1,e]$ do 6:                   Randomly select $b$ samples from $D^j$ to construct $D_b$; 7:                   $g_l\leftarrow \nabla L(w_{l-1},D_b)$; 8:                   $w_l\leftarrow w_{l-1}-lr\ast g_l$; 9:           end for 10:          $g_i^j\leftarrow g_l$; 11:          $w_i^j\leftarrow w_l$; 12:          Encrypt $w_i^j$ using $p{k}_y^j$ to get ${⟦w_i^j⟧}_{p{k}_y^j}$; 13:   end for 14:   return ${⟦w_i^j⟧}_{p{k}_y^j}$;

The above algorithm completes the edge server local training and model parameter encryption. The model parameter aggregation can be described by the following (2).

$${⟦W_i⟧}_{p{k}_y}={\displaystyle \frac{1}{\left|n\right|}}{\displaystyle {\sum }_{j=1}^{\left|n\right|}{⟦w_i^j⟧}_{p{k}_y^j}}$$

(2)

2.

Blockchain storage and transactions: The encrypted model parameters ${⟦w_i^j⟧}_{p{k}_y^j}$ must be uploaded and aggregated to obtain a new global model. However, traditional data uploading and storing methods are insufficient to provide security and have the disadvantages of losing data in the centralized ledger under a single point of failure and not being able to ensure the origin and integrity of the data. In contrast, the scheme proposed in this paper has the following advantages: The first advantage is a distributed ledger. As seen from the training process in Section 3.2 above, the initialization information, the public key for digital signatures, the ciphertext details of a particular transaction, and the aggregation result exist in the blockchain as blocks. All good edge servers and central servers are participants in the blockchain. All participants can view the details of the aggregation training process and have separate ledgers by synchronizing the blocks, which improves the transparency of the aggregation process and eliminates the effect of data loss in a centralized ledger with a single point of failure.

The second advantage is data security. The source and integrity of data for traditional federated learning cannot be guaranteed, and malicious edge servers will submit malicious model parameters multiple times or even pretend to be good edge servers to submit malicious gradient or model parameters to destroy the global model aggregation. ECDSA can solve this problem, which becomes the main way to verify the transactions in this paper. The core idea is to hash the raw data and then sign the hash using a private key. The receiver can use the public key to verify the validity of the signature. The proposed scheme utilizes the Secp256k1 elliptic curve. It selects an initial point $V$ and a random integer $k$ on this curve, whose corresponding private key is $K_0$, and the corresponding public key can be found by (3).

$$p=k\times V$$

(3)

where $p$ is denoted as a point on an elliptic curve, and the corresponding public key is $P_0$. The process of generating a digital signature is as follows:

• Step 1: regenerate a random number $k_1$, and use (3) to compute a point $p_1$ on the elliptic curve, where the transverse coordinates of the point are noted as $R$.
• Step 2: calculate the hash value for the data to be signed, denoted as $H$.
• Step 3: calculate according to (4), where $\rho$ is the base of the modal budget to be specified in advance.

  $$S=k_1^{-1}(H+K_0\times R)\mathrm{mod}\rho$$

  (4)
  The length of the signature is usually 40 bytes. The first 20 bytes are $R$. The next 20 bytes are $S$. The combination of both together is the final digital signature.
  The generated digital signature can be verified according to (5). If the transverse coordinate of $P$ is equal to $R$, then the signature is verified successfully, and the participation of the private key is not required at all in the process of signature verification.

  $$P=S^{-1}\times H\times V+S^{-1}\times R\times P_0$$

  (5)
  Therefore, the algorithm computes hash values based on the data to be signed, thus ensuring data integrity. All the participants in the blockchain can verify the uploaded data through the public key to ensure data source compliance.

3.

Consensus protocols: Traditional federated learning has several concerns about the central server, including the curious behavior of the central server and an over-reliance on the server to complete the aggregation, susceptible to a single point of failure. Although the CKKS fully homomorphic encryption mechanism in Section 3.3, prevents the central server from benefiting from curious behavior, researchers prefer to achieve decentralization of data aggregation by combining blockchain with federated learning.

Validation nodes in most schemes compete through computational power or the amount of cryptocurrency they hold, earning them the right to aggregate the global model and create new blocks. However, their schemes’ consensus protocols, PoW (Proof of Work) and PoS (Proof of Stake), face challenges such as a high energy consumption and complex structure. On this basis, the Proof of Authority consensus algorithm (PoA) will be more suitable for the federated learning architecture. Unlike traditional POA schemes, we prefer the central server to be the authoritative picker rather than the aggregator.

As can be seen from step 3 in Section 3.2, the edge server sends cryptographic model parameters as a “transaction” to the central server, which verifies the transaction. Although a participant in the transaction, the central server is only responsible for updating the ledger and does not participate in model aggregation. The central server chooses one of the good edge servers to make it the validator, aggregator, and block generator. While assuming an authority role, the central server has no right to aggregate local model parameters.

In contrast to traditional federated learning, the usage and ownership of uploaded model parameters are separated. Although PoA weakens blockchain’s decentralized nature, it brings higher throughput, lower energy loss, and lower transaction confirmation latency.

4.

Smart contract: From step 6 in Section 3.2, after obtaining a new block, the edge server must also to calculate a series of relevant data and upload them to the server to complete the malicious identification. In order to prevent malicious edge servers from uploading forged data and not uploading data randomly, a smart contract is introduced in the blockchain. The significance of the smart contract is that the edge server automatically performs the relevant calculations after synchronizing the new block, eliminating the possibility of human intervention. The relevant computational algorithms are described in Section 3.3.3. An edge server that uses tokens from its account as a deposit is considered to have signed a smart contract to participate in model aggregation. Finally, the consumption time proof mechanism [34] under the Intel SGX trusted hardware technology can be utilized to obtain a trusted calculation time $T$, and the calculation process can be bound to the calculation time to ensure that the calculation process and results are real and reliable.

The smart contract needs to obtain the encrypted global model ${⟦W_i⟧}_{p{k}_y}$ and the Hessian vector product ${\tilde{H}}_i\cdot (W_i-W_{i-1})$ for this round from the new block and decrypt them. Then, we can calculate the predicted model update ${\tilde{g}}_i^j$ and the Euclidean distance ${\tilde{d}}_i^j$ between the predicted model update ${\tilde{g}}_i^j$ and the actual model update $g_i^j$.

Finally, we can encrypt ${\tilde{d}}_i^j$ using keypair $\left(p{k}_x,s{k}_x\right)$ and upload the encrypted calculation result ${⟦{\tilde{d}}_i^j⟧}_{p{k}_x^j}$ along with the encrypted credible execution time ${⟦T⟧}_{p{k}_x^j}$.

The smart contract work algorithm is shown in Algorithm 2.

Algorithm 2: Smart contract work algorithm

INPUT: Encrypted global model ${⟦W_i⟧}_{p{k}_y}$; Actual gradient update $g_i^j$; The Hessian vector product ${\tilde{H}}_i\cdot (W_i-W_{i-1})$;.

OUTPUT: Encrypted Euclidean distance ${⟦{\tilde{d}}_i^j⟧}_{p{k}_x^j}$; Encrypted credible execution time ${⟦T⟧}_{p{k}_x^j}$ 1:     Create reliable isolation environment and initialize a trusted execution time $T$. 2:     Credible execution time $T$ start counting; 3:     Get the global models ${⟦W_{i-1}⟧}_{p{k}_y}$ and using $s{k}_y^j$ to get $W_{i-1}$; 4:     Get the Hessian vector product ${\tilde{H}}_i\cdot (W_i-W_{i-1})$; 5:     Calculate ${\tilde{g}}_i^j=g_{i-1}^j+{\tilde{H}}_i\cdot (W_i-W_{i-1})$; 6:     Calculate ${\tilde{d}}_i^j=\left[‖{\tilde{g}}_i^j-g_i^j‖\right]$; 7:     Encrypt ${\tilde{d}}_i^j$ using $p{k}_x^j$ to get ${⟦{\tilde{d}}_i^j⟧}_{p{k}_x^j}$; 8:     Credible execution time $T$ stop counting; 9:     Encrypt $T$ using $p{k}_x^j$ to get ${⟦T⟧}_{p{k}_x^j}$; 10:   return ${⟦{\tilde{d}}_i^j⟧}_{p{k}_x^j}$ and ${⟦T⟧}_{p{k}_x^j}$;

3.3.3. Unsupervised Model Gradient Parameter Update Identification Mechanism

The purpose of using an identification mechanism is to exclude local model gradient parameter updates that are detrimental to global model convergence. There are two reasons for the anomalies in the local model parameters: Firstly, the local dataset of the edge server suffers from attacks, such as scaling attacks [15], backdoor attacks [14], etc. Secondly, the local dataset of the edge server has a non-independent and non-identically distributed nature. The model parameters trained on the above significantly differ from those of a good edge server distributed independently and identically. Therefore, anomalous updates can be identified.

It is known that the edge server computes the model gradient update $g_i^j$ according to (1), and the following (6) is obtained based on the Cauchy Median Theorem [35].

$$g_i^j=g_{i-1}^j+H_i^j\cdot (W_i-W_{i-1})$$

(6)

where the Hessian matrix $H_i^j={\displaystyle {\int }_0^1{H}_j}(W_{i-1}+x(W_i-W_{i-1}))dx$, (6) shows the consistency between edge server data updates $g_i^j$ and $g_{i-1}^j$. However, the computation of $H_i^j$ is difficult in practice, and the scheme in this paper adopts the L-BFGS algorithm [36] to approximate the integral Hessian matrix, and the approximation of $H_i^j$ is computed in each training round, denoted as ${\tilde{H}}_i^j$. Specifically, we assume that the global model difference and global model update difference in the $i$th training round are denoted by $\Delta W_i=W_i-W_{i-1}$ and $\Delta G_i=G_i-G_{i-1}$, where the global model update is aggregated from the model update of the edge servers, and the computation of $\Delta W_i$ and $\Delta G_i$ becomes more and more complex as the number of training rounds increases.

To reduce the computation and storage cost, a history period $N$ is defined to regulate the size of the computation. This is why the proposed algorithm enables lightweight calculation.

We assume that the training has been carried out for a certain number of rounds when the number of training rounds $i$ is greater than $N$. In this case, a certain size of historical data is already available in the server, and the only things that are involved in the computation are the $N$ rounds of global model differences and global model difference gradient updates between training round $i-N$ and training round $i-1$, which can be denoted by $\Delta {\tilde{W}}_{\mathrm{i}}=\{\Delta W_{i-N},\dots ,\Delta W_{i-1}\}$ and $\Delta {\tilde{G}}_{\mathrm{i}}=\{\Delta G_{i-N},\dots ,\Delta G_{i-1}\}$, respectively. Combining the above two with the L-BFGS algorithm results in the following Algorithm 3.

Algorithm 3: L-BFGS computational Hessian vector product algorithm

INPUT: Global model update $\Delta {\tilde{W}}_{\mathrm{i}}$; Global model update discrepancies $\Delta {\tilde{G}}_i$; Vector $v=W_i-W_{i-1}$; Historical recording period $N$.

OUTPUT: Hessian vector product ${\tilde{H}}_{i}v$. 1:    Calculate $\Delta {{\tilde{W}}_{\mathrm{i}}}^T\Delta {\tilde{W}}_{\mathrm{i}}$; 2:    Calculate $\Delta {{\tilde{W}}_{\mathrm{i}}}^T\Delta {\tilde{G}}_{\mathrm{i}}$ and obtain the diagonal matrix $D_i$ and the lower triangular submatrix $L_i$; 3:    Calculate $\sigma =\Delta G_{i-1}^T\Delta W_{i-1}/(\Delta W_{i-1}^T\Delta W_{i-1})$; 4:    Calculate $\sigma \Delta {{\tilde{W}}_{\mathrm{i}}}^T\Delta {\tilde{W}}_{\mathrm{i}}+L_i{D}_i{L}_i^T$ to get $J_i{J}_i^T$; 5:    Calculate $q={\left[\begin{array}{cc}-D_i^{1/2}& D_i^{1/2}{L}_i^T\\ 0& J_i^T\end{array}\right]}^{-1}{\left[\begin{array}{cc}{D}_i^{1/2}& 0\\ D_i^{-1/2}{L}_i^T& J_i\end{array}\right]}^{-1}\left[\begin{array}{c}\Delta {{\tilde{G}}_{\mathrm{i}}}^{T}v\\ \Delta {{\tilde{W}}_{\mathrm{i}}}^{T}v\end{array}\right]$; 6:    return $\sigma v-[\begin{array}{cc}\Delta {\tilde{G}}_{\mathrm{i}}& \sigma \Delta {\tilde{W}}_{\mathrm{i}}\end{array}]q$;

Therefore, it is predictable that the edge server will be updated and iterated according to (7) in the $i$th round of training.

$${\tilde{g}}_i^j=g_{i-1}^j+{\tilde{H}}_i\cdot (W_i-W_{i-1})$$

(7)

where ${\tilde{g}}_i^j$ is the predicted gradient update for the edge server $j$. The predicted gradient update ${\tilde{g}}_i^j$ is closer to the actual gradient update $g_i^j$ for good edge servers. But it is a far cry for malicious edge servers.

The specific situation is shown in Figure 3.

As shown in Figure 3, the algorithm predicts the gradient update in round $i$ at round $i-1$ based on the historical update data of the previous $N$ rounds. If an edge server suffers a poisoning attack at this point and the dataset is contaminated, the gradient update will be vastly different from the prediction of the gradient update. There is no consistency of updates between them.

There are many ways to measure update consistency, such as FLTrust [32], a federated learning framework against poisoning attacks, which uses a trusted root dataset and cosine similarity as criteria for judging malicious gradients. However, cosine similarity can only determine the similarity and difference in update directions and cannot detect the length of gradient updates.

In this paper, the scheme uses Euclidean distance to measure the consistency between the predicted gradient update ${\tilde{g}}_i^j$ and the actual gradient update $g_i^j$. ${\tilde{d}}_i^j$ is used to define the Euclidean distance vector of the $j$th edge servers in the $i$th round of training, and the following (8) can be obtained.

$${\tilde{d}}_i^j=\left[{‖{\tilde{g}}_i^j-g_i^j‖}_2\right]$$

(8)

From Section 3.3.2, it can be seen that the calculations of Formulas (7) and (8)are completed with the involvement of smart contracts. The edge server encrypts ${\tilde{d}}_i^j$ using keypair $\left(p{k}_x,s{k}_x\right)$ and uploads the encrypted calculation result ${⟦{\tilde{d}}_i^j⟧}_{p{k}_x^j}$ along with the encrypted credible execution time ${⟦T⟧}_{p{k}_x^j}$. The central server receives them and performs a decryption operation on them using they key $\left(p{k}_x,s{k}_x\right)$.

And it is normalized to merge model update consistency changes between iterations.

Finally, the average of the normalized Euclidean distance obtained by the $j$th edge server over the last $N$ iterations is denoted by $s_i^j$, which yields the following (9).

$$s_i^j={\displaystyle \frac{1}{N}}{\displaystyle \sum _{r=0}^{N-1}{\tilde{d}}_{i-r}^j}$$

(9)

The gap statistic is then used on the mean value $s_i^j$ to determine the number of clusters. If the edge servers can be grouped into more than one cluster based on the Gap statistic, then K-means will be used to classify them into two clusters based on their mean value $s_i^j$.

The details are shown in Algorithm 4 below.

Algorithm 4: Gap data statistical algorithm

INPUT: European distance average $s_i^j$; Number of random samples $B$; Maximum number of clusters $K$; Number of edge servers $n$.

OUTPUT: Number of clusters $k$. 1:   for $k=1,2,\dots ,K$ do 2:        Use k-means to classify $S_i^j$ to obtain clusters $\left\{C^j\right\}$ and means $\left\{{\mu }^j\right\}$; 3:        Calculate $V_{kb}^{\ast }={{\displaystyle {\sum }_{j=1}^k{\displaystyle {\sum }_{x_i\in C^j}‖x_i-{\mu }^j‖}}}^2$; 4:        for $k=1,2,\dots ,K$ do 5:            Sample $n$ points uniformly in $[0,1]$; 6:            Perform K-means; 7:            Calculate $V_{kb}^{\ast }={{\displaystyle {\sum }_{j=1}^k{\displaystyle {\sum }_{x_{ib}\in C^{jb}}‖x_{ib}-{\mu }^{jb}‖}}}^2$; 8:        end for 9:        Calculate $Gap(k)={\displaystyle \frac{1}{B}}{\displaystyle {\sum }_{j=1}^{B}log(V_{kb}^{\ast })}-log(V_k)$; 10:      Calculate ${\upsilon }^{\prime }={\displaystyle \frac{1}{B}}{\displaystyle {\sum }_{j=1}^B\log (V_{kb}^{\ast })}$; 11:      Calculate $sd(k)={\left({\displaystyle \frac{1}{B}}{\displaystyle {\sum }_{j=1}^B(\log (V_{kb}^{\ast })}-{\upsilon }^{\prime }{)}^2\right)}^{1/2}$; 12:      Calculate $s_k^{\prime }={(B/(1+B))}^{1/2}sd(k)$; 13:   end for 14:   Calculate $\widehat{k}=min(Gap(k)-Gap(k+1)+{s^{\prime }}_{k+1}\ge 0)$; 15:   return $\widehat{k}$;

Finally, the edge server with the larger mean value in the cluster is classified as malicious. The central server removes this malicious edge server and starts the next round of training. The operational flow of this identification mechanism is shown in Algorithm 5.

Algorithm 5: Identification mechanism algorithm

INPUT: The recording cycle of the identification mechanism $N$; Total training rounds $E$; Total number of edge servers $n$;

OUTPUT: Malicious clients list or none. 1:   for $i=1,2,\dots ,E$ do 2:       Calculate ${\tilde{H}}_i=L-BFGS(\Delta W_i,\Delta G_i)$; 3:       for $j=1,2,\dots ,n$ do 4:            Calculate ${\tilde{g}}_i^j=g_{i-1}^j+{\tilde{H}}_i\cdot (W_i-W_{i-1})$; 5:       end for 6:       Calculate ${\tilde{d}}_i=\left[{‖{\tilde{g}}_i^1-g_i^1‖}_2,{‖{\tilde{g}}_i^2-g_i^2‖}_2,\dots ,{‖{\tilde{g}}_i^n-g_i^n‖}_2\right]$; 7:       Calculate ${d_i}^{\prime }={{\tilde{d}}_i/‖{\tilde{d}}_i‖}_1$; 8:       Calculate $s_i^j={\displaystyle \frac{1}{N}}{\displaystyle \sum _{r=0}^{N-1}{\tilde{d}}_{i-r}^j}$; 9:       Determine the number of clusters $k$ by Gap statistics. 10:     if $k>1$ then 11:          Perform k-means clustering based on the suspicious scores with $k=2$; 12:          return The clients in the cluster with larger average score as malicious; 13:      end if 14:   end for 15:   return None;

4. Theoretical Proofs and Analyses

4.1. Homomorphism Proof

Theorem 1.

The encryption method of this proposed scheme satisfies the homomorphic property.

Proof of Theorem 1.

In the scheme of this paper, for any two plaintexts $u$ and $u^{\prime }$, they are encrypted to obtain the following $Enc(u)=c=(c_0,c_1)$, $Enc(u^{\prime })=c=({c_0}^{\prime },{c_1}^{\prime })$. If equations $Dec〈Enc(u)+Enc(u^{\prime })〉\approx u+u^{\prime }$, $Dec〈Enc(u)·Enc(u^{\prime })〉\approx u·u^{\prime }$ all hold, then the encryption method of this paper scheme is considered to satisfy the homomorphic property. □

In the case of additive homomorphisms, it follows from the property that $c+c^{\prime }=c_{add}=(c_0+{c_0}^{\prime },c_1+{c_1}^{\prime })=(c_{add0},c_{add1})$; when $c_{add}=(c_{add0},c_{add1})$ is decrypted, the decryption process can be represented as the following equation $Dec(c_{add})=c_0+{c_0}^{\prime }+(c_1+{c_1}^{\prime })\cdot s\approx u+u^{\prime }$. $s$ is a random number that participates in generating the private key, and the result can prove the additive homomorphism property.

In the case of multiplicative homomorphisms, it follows from the property that $c\cdot c^{\prime }=c_{mult}=(c_0\cdot {c_0}^{\prime },c_1\cdot {c_1}^{\prime })=(c_{mult0},c_{mult1})$; when $c_{mult}=(c_{mult0},c_{mult1})$ is decrypted, the decryption process can be represented as the following equation $Dec(c_{mult})=c_0\cdot {c_0}^{\prime }+(c_1\cdot {c_1}^{\prime })\cdot s\approx u\cdot u^{\prime }$, and the result enables one to prove the multiplicative homomorphism property.

In summary, both additive homomorphism and multiplicative homomorphism have been proved as above, indicating that the encryption method of the proposed scheme in this paper satisfies the homomorphic property. The homomorphic property provides a theoretical basis for model aggregation in Section 3.2.

4.2. Encryption and Decryption Correctness Proof

Theorem 2.

The results of the encryption and decryption operations of the scheme in this paper are correct.

Proof of Theorem 2.

In the scheme of this paper, a homomorphic encryption or decryption is considered correct if $Dec(sk,c)\approx m^{\prime }$ holds for $Enc(pk,m)\to c$, for the public–private key pair $(pk,sk)$ generated by $KeyGen(\lambda )$, any plaintext $m$ in the plaintext domain $M$, and the ciphertext $c$ obtained by encryption. For the decryption process of encrypting a ciphertext once, it can be expressed by $m=〈c,sk〉\mathrm{mod}Q=(e\cdot r+m+e_0+e_1\cdot s)\mathrm{mod}Q\approx m^{\prime }$. □

And because the rescaling process of the CKKS fully homomorphic encryption algorithm can make the error $e\cdot r+e_0+e_1\cdot s$ small enough compared to $Q$, the error is completely negligible.

In summary, the correctness of the encryption and decryption operations of the CKKS fully homomorphic encryption algorithm is verified, indicating that the encryption and decryption methods of the scheme are correct.

4.3. Privacy Protection Proof

Theorem 3.

A malicious edge server cannot obtain sensitive information about all edge servers.

Proof of Theorem 3.

In the proposed scheme, the blockchain discloses transaction details and aggregated models to all edge servers, where the key information is protected by the CKKS fully homomorphic encryption scheme. The sum of its aggregated local models can be denoted as $w{s}_i=w_i^1+w_i^2+\dots +w_i^n$. Since the edge servers are not fully colluding with each other, the model parameter $w_i^j$ of a good edge server $j$ cannot be derived speculatively, where $j\in \left[1,n\right]$. Assuming that the $k(k<n)$ malicious edge servers carry out the conspiracy attack, it can be found that ${w{s}_i}^{\prime }=w{s}_i-w_i^1-w_i^2-\dots -w_i^k$. When $k=n-1$, then the model parameters of good edge servers can be derived inversely. However, there are still the following two points to note. □

• The presence of $n$ malicious edge server among $n-1$ edge servers is unrealistic because such an edge federated learning task is meaningless.
• Assuming the existence of $n-1$ malicious edge servers and theoretically possessing $n-1$ pairs of local encryption key pairs $\left(p{k}_y,s{k}_y\right)$, the encryption model parameters of a good edge server $j$ can be inverted, but the local encryption key pairs $\left(p{k}_y^j,s{k}_y^j\right)$ of the good edge servers remain inaccessible, so the model parameter ciphertexts cannot be deciphered.

In summary, the privacy-preserving nature of the scheme in this paper is proved and it can provide a strong privacy-preserving effect in the application.

5. Experimental Procedure and Result Analysis

5.1. Experimental Setup

• Hardware configurations: the experiments were conducted under Ubuntu 20.04 with the hardware configuration of an Intel E5-2640 CPU (Intel Corporation, Santa Clara, CA, USA), six GTX1080T GPUs (NVIDIA Corporation, Santa Clara, CA, USA), and 256G of RAM.
• Software configurations: The software was developed using Python. Python 3.8.5 and Pytorch 1.11.0 were used to train the deep learning models. The TenSEAL(0.3.11) library and the phe library in Python were used to simulate encryption and decryption. The smart contract was developed using the Solidity programming language and deployed on the private blockchain using Truffle.
• Benchmark model: the experimental benchmark model architecture was a convolutional neural network structure, which mainly consisted of three convolutional layers, two pooling layers, and one fully connected layer.
• Datasets: The experimental dataset used the MNIST dataset and the Fashion-MNIST dataset, which is a handwritten dataset containing 60,000 training samples and 10,000 test samples, each of which is a gray scale image with labels from 0 to 9. The Fashion-MNIST dataset contains 60,000 training samples and 10,000 test samples, with a total of 10 categories corresponding to different types of clothing and accessories. These exclusive categories include T-shirts/tops, trousers, pullovers, skirts, jackets, sandals, shirts, trainers, bags, and ankle boots. The labels are numbers from 0 to 9, corresponding to each of the ten categories mentioned above.
• FL settings: In the experiments, it was assumed that there were 100 edge servers in the system, and the training samples were randomly and uniformly divided into 100 copies for the edge servers as the local dataset. The batch size of the edge servers for local training was 50, the number of rounds $e$ for local training was 3, the period of the history update record $N$ was 3, the number of training rounds $E$ was 50, and the learning rate $lr$ of edge server models was 0.01.
• Experimental resource consumption: this experiment’s CPU utilization rate was about 28%, the memory utilization rate was about 30%, and the GPU utilization rate was about 99%. The experimental time was about 2 h.

5.2. Homomorphic Encryption and Decryption Runtime

The runtime of homomorphic encryption and decryption in arithmetic-constrained edge servers is the key to whether the overall framework can operate or not, and too lengthy encryption and decryption times will lead to new problems, such as degradation of the usage experience, heat generation of edge servers, and wastage of power resources. In this subsection, we compare the encryption and decryption time in a single round for running on the MNIST dataset and Fashion-MNIST dataset, respectively, with the Paillier and the CKKS homomorphic encryption techniques. The results are shown in Figure 4.

As can be seen from Figure 4, the encryption and decryption time required by CKKS is much smaller than by Paillier for different numbers of devices and datasets, and the difference in encryption and decryption speed between the two is larger as the number of devices increases.

In the MNIST dataset, CKKS improves the encryption and decryption speeds by about 53%, 50%, 46%, 45%, and 49% compared to Paillier, with a number of edge servers of 20, 40, 60, 80, and 100, respectively.

In the Fashion-MNIST dataset, CKKS improves the encryption and decryption speeds by about 45%, 40%, 37%, 40%, and 40% compared to Paillier, with a number of edge servers of 20, 40, 60, 80, and 100, respectively.

Therefore, it can be concluded that the CKKS homomorphic encryption algorithm is more efficient and more suitable for dealing with large-scale vector and network models with multiple parameters and also at the same time more suitable for the field of large-scale edge server privacy protection.

5.3. Throughput and Communications Costs

System throughput TPS refers to the number of transactions processed per second by the blockchain and is an important factor for evaluating the performance of the blockchain. From Section 3.2, the processing flow of the blockchain includes two phases: consensus verification and malicious identification. The average time consumed by consensus verification and malicious identification, respectively, in each training round is counted under different numbers of edge servers, as shown in Figure 5. The consensus verification phase corresponds to step 4 in the training flow of part 2 of Section 3, and the malicious identification phase corresponds to step 7.

As can be seen from Figure 5, the average time consumed in the consensus verification phase is much larger than the average time consumed in the malicious identification phase, and both increase with the number of devices, but the time consumed in the consensus verification phase is more susceptible to the number of devices. This is because more transactions need to be verified, and larger blocks are generated with an increasing number of devices.

To reflect the impact of malicious identification on blockchain $TPS$, we calculate the $TPS$ without and after adding malicious identification at different numbers of devices.

Specifically, the equation for calculating $TP{S}_1$ without adding the malicious identification mechanism is as follows (10).

$$TP{S}_1={\displaystyle \frac{\mathrm{Number} \mathrm{of} \mathrm{devices}}{\mathrm{Consensus} \mathrm{Verification} \mathrm{Time}}}$$

(10)

Similarly, the $TP{S}_2$ calculation equation after adding the malicious identification mechanism is as follows (11).

$$TP{S}_2={\displaystyle \frac{\mathrm{Number} \mathrm{of} \mathrm{devices}}{\mathrm{Consensus} \mathrm{verification} \mathrm{time}+\mathrm{Malicious} \mathrm{identification} \mathrm{time}}}$$

(11)

The calculation results are shown in

Table 3. Impact of consensus verification mechanism on blockchain $TPS$.

Number of Devices	MNIST			FASHION-MNIST
	$\mathit{T}\mathit{P}{\mathit{S}}_1$	$\mathit{T}\mathit{P}{\mathit{S}}_2$	Drop Rate	$\mathit{T}\mathit{P}{\mathit{S}}_1$	$\mathit{T}\mathit{P}{\mathit{S}}_2$	Drop Rate
20	3.89	3.21	0.18	3.07	2.60	0.15
40	3.91	3.47	0.11	3.14	2.84	0.10
60	3.79	3.51	0.08	3.10	2.87	0.07
80	3.93	3.67	0.06	3.08	2.89	0.06
100	3.97	3.73	0.06	3.15	2.97	0.06

.

As seen from Table 3, although the malicious identification mechanism’s inclusion affects the blockchain’s TPS, the drop rate remains within acceptable limits. When the number of devices is 100, the drop rate is 6%. The security of federated learning is strengthened at the cost of sacrificing part of the TPS.

Meanwhile, the algorithm of this paper is compared with the single round communication costs of FedAvg, and the edge servers are all 100. The calculation results are shown in Figure 6.

As can be seen from Figure 6, the communication spend of the algorithm in this paper is large, and the reasons for the increased communication cost mainly lie in the length of the ciphertext, the thickness of the blockchain ledger, and the total number of edge servers. It can be seen that the CKKS fully homomorphic encryption scheme, the blockchain, and other factors will improve security, but at the same time, it will not be possible to avoid increasing the communication costs.

Therefore, the algorithm in this paper is suitable for scenarios with higher security requirements, better channels, and higher communication budget.

5.4. Recognition Accuracy and Model Accuracy

Malicious edge clients perform poisoning attacks on the central server when aggregating global models.

Poisoning attacks are classified into non-targeted and targeted attacks. This subsection uses uploading arbitrary updates to simulate non-targeted attacks and label reversal attacks and backdoor attacks to simulate targeted attacks. Specifically, in a label reversal attack, the source label “2” in the samples is changed to “7”, and in a backdoor attack, local triggers are added to target samples, and multiple local triggers are combined together to become global triggers to attack the model.

In this subsection, FedAvg, which is not under attack, is selected as the baseline algorithm, and Krum [17] and FLTrust [32] are used as the comparison algorithms. The number of root datasets for FLTrust is 600, which represents 1% of the total number of datasets.

The overall training is carried out for 50 rounds, and the poison attack is carried out in the 10th round.

Firstly, the proportion of malicious edge servers is set to 10%, 30%, 50%, and 70%. Twenty experiments are conducted to take the average value.

Table 4. MNIST malicious edge server recognition accuracy.

Attack Type	Percentage of Malicious Edge Servers
	10%	30%	50%	70%
Untargeted attack	100	100	100	100
Label reversal attack	100	100	100	100
Backdoor attack	100	100	100	100

gives the results of the malicious edge server identification accuracy on the MNIST training dataset under multiple attacks with different proportions of malicious edge servers.

Table 5. MNIST global model accuracy.

Scheme (Attack Type)	Percentage of Malicious Edge Servers
	10%	30%	50%	70%
Krum (Untargeted attack)	94.120	95.940	0.600	0.560
FLTrust (Untargeted attack)	96.960	96.860	96.830	96.730
Proposed algorithm (Untargeted attack)	97.050	97.020	97.030	96.970
Krum (Label reversal attack)	94.190	94.000	94.030	85.690
FLTrust (Label reversal attack)	96.950	96.850	96.730	96.180
Proposed algorithm (Label reversal attack)	97.060	97.030	97.010	97.000
Krum (Backdoor attack)	94.580	94.240	94.310	88.180
FLTrust (Backdoor attack)	96.890	96.870	96.770	96.700
Proposed algorithm (Backdoor attack)	97.040	97.030	97.030	96.970

gives the model accuracy results on the MNIST training dataset.

Table 4 shows that in the scenarios tested with the MNIST dataset, the percentage of malicious edge servers is set to 10%, 30%, 50%, and 70%, respectively. One can achieve 100% malicious edge server identification accuracy in the case of non-targeted attacks, label reversal attacks, or backdoor attacks.

Table 5 shows that when the proportion of malicious edge servers does not exceed 50%, Krum’s test correctness is stable at around 94%, and FLTrust’s test correctness is stable at around 96%. When the percentage of malicious edge servers equals or exceeds 50%, the Krum test correctness rate performs poorly, and the FLtrust test correctness rate is stable at around 96%. Under non-targeted attacks, the Krum test correctness is even lower than 1%, and under label reversal attacks and backdoor attacks, the Krum test correctness drops by more than 5%. On the other hand, the proposed algorithm’s accuracy rate is 97% under different attacks and different percentages of malicious edge servers. The resistance to poisoning attacks is even better compared to the former two.

Compared to FLTrust, the scheme in this paper even performs better in label reversal attacks and backdoor attacks. This is mainly due to the robustness of FLTrust and the inconsistent size of the trusted root dataset in the experiments. The scheme in this paper is an identification screening algorithm. When a malicious client is identified, we do not want that client to continue to participate in subsequent training. FLTrust is an algorithm that relies on the trusted dataset for update correction. It can rely more on the update correction capability when anomalous updates are encountered. Compared with the algorithm in this paper, FLTrust is more tolerant of anomalous updates, but this means that the ability to identify malicious clients is not as strong as the algorithm in this paper. Second, the size of the trusted root dataset set by FLTrust in the experiment is only 1% of the total dataset. The size of the trusted root dataset [32] is closely related to the updating and correction ability of FLTrust. A larger trusted root dataset can obtain a higher accuracy rate of the experiment. To ensure the objectivity of the experiment, the typical value of 1% [32] is used to construct the trusted root dataset in this paper.

The details of the accuracy rate are shown in Figure 7.

Figure 7 shows that Krum cannot respond to a large-scale, non-targeted attack. Krum’s test accuracy is compromised in large-scale label reversal attacks and backdoor attacks. At 70% of malicious edge servers, Krum and FLTrust show jitter in correctness. This is because Krum’s “half limit” and the small FLTrust root dataset both reduce Krum’s and FLTrust’s ability to identify and resist malicious edge servers.

Table 6. Fashion-MNIST malicious edge server recognition accuracy.

Attack Type	Percentage of Malicious Edge Servers
	10%	30%	50%	70%
Untargeted attack	100	100	100	100
Label reversal attack	100	100	100	100
Backdoor attack	100	100	100	100

gives the results of the malicious edge server identification accuracy on the Fashion-MNIST training set under multiple attacks with different proportions of malicious edge servers, and

Table 7. Fashion-MNIST global model accuracy.

Scheme (Attack Type)	Percentage of Malicious Edge Servers
	10%	30%	50%	70%
Krum (Untargeted attack)	77.810	78.090	1.700	1.380
FLTrust (Untargeted attack)	78.780	78.640	78.590	78.290
Proposed algorithm (Untargeted attack)	78.100	77.900	77.750	77.630
Krum (Label reversal attack)	77.500	77.380	71.490	71.780
FLTrust (Label reversal attack)	78.630	78.550	78.570	78.300
Proposed algorithm (Label reversal attack)	78.670	78.810	78.770	77.720
Krum (Backdoor attack)	77.510	77.940	76.220	74.130
FLTrust (Backdoor attack)	78.650	78.630	78.490	78.330
Proposed algorithm (Backdoor attack)	78.130	77.980	77.860	77.830

gives the results of the model accuracy on the Fashion-Mnist training set under multiple attacks with different proportions of malicious edge servers.

Table 6 shows that in the scenarios tested with the Fashion-MNIST dataset, the percentage of malicious edge servers is set to 10%, 30%, 50%, and 70%, respectively, and 100% malicious edge server identification accuracy can be achieved under non-targeted attacks, label reversal attacks, or backdoor attacks.

Table 7 shows that when the proportion of malicious edge servers does not exceed 50%, Krum’s test correctness is stable at around 77%, and FLTrust’s test correctness is stable at around 78%. When the percentage of malicious edge servers equals or exceeds 50%, the Krum test correctness rate performs poorly, and the FLtrust test correctness rate is stable at around 78%. Under non-targeted attacks, the Krum test is correct by even less than 2 percent, while under label reversal attacks and backdoor attacks, the Krum test correctness drops by up to about 6%. On the other hand, the proposed algorithm’s accuracy rate is 77% under different attacks and different percentages of malicious edge servers.

The details of the accuracy rate are shown in Figure 8.

Based on the experiments described above, the proposed algorithm resists poisoning attacks. Krum’s resistance capability significantly drops when the proportion of malicious edge servers reaches or exceeds 50%. In untargeted attack tests, Krum’s global model accuracy drops to 2% when facing a high proportion of malicious edge servers. Krum’s performance is significantly inferior to other algorithms in label-flipping and backdoor attacks. FLTrust shows generally stable results in various experiments but experiences inevitable fluctuations during poisoning attacks because it relies on a trusted root dataset for update corrections. When facing a high proportion of malicious edge servers, the increased proportion of contaminated data poses a significant challenge to FLTrust’s correction capability. A large volume of trusted root datasets [32] is required for training to improve FLTrust’s testing accuracy and reduce fluctuations. The proposed algorithm performs similarly to FLTrust and FedAvg in accuracy tests. Unlike Krum, the proposed algorithm overcomes the “half limit” and can handle a high proportion of malicious edge servers. Compared to FLTrust, although the proposed algorithm experiences brief accuracy fluctuations at the onset of a poisoning attack, it subsequently identifies and removes malicious edge servers, leading to a steady recovery in accuracy. Additionally, the proposed algorithm does not require assembling a large trusted dataset, thus reducing storage and privacy demands.

6. Conclusions

This paper proposes an edge federated learning privacy protection method based on blockchain and fully homomorphic encryption and evaluates its performance using different datasets. The key difference in this method is the design of an unsupervised model gradient parameter update identification mechanism to detect and remove malicious edge servers. The overall framework combines blockchain technology with ECDSA to make the training aggregation process transparent, enabling the aggregation process and results to be audited and traced. The relevant aggregation model parameters are protected using the CKKS fully homomorphic encryption scheme to minimize the risk of privacy leakage. The experimental results show that the proposed algorithm has excellent resistance to poisoning attacks and privacy protection capabilities, achieving accuracy close to that of the non-attack FedAvg scheme without additional construction of trusted datasets. Future research will focus on designing federated learning privacy protection schemes with lower communication costs and higher security.