Blockchain-based privacy-preserving multi-tasks federated learning framework

Abstract

Federated learning (FL), as an effective method to solve the problem of “data island”, has become one of the hot and widespread concern topics in recent years. However, with the using of FL technology in the practical applications, an increasing number of FL tasks make the training management be more complex and the trade-off of multi-task becomes difficult. To overcome this weakness, this work proposes a privacy-preserving FL framework with multi-tasks using partitioned blockchain, which can run several different FL tasks by multiple requesters. First, a temporary committee is formed for an FL task to facilitating visualization, organization and management of security aggregation. Second, the proposed framework combines Paillier homomorphic encryption with Pearson correlation coefficient to protect users' privacy and ensure the accuracy of global model. Finally, a new blockchain-based reward method is presented to inspire participants to share their valuable data. The experimental results show that the global model accuracy of our proposed framework is able to reach 98.43$\mathrm{\%}$. Obviously, the proposed framework is more suitable for practical application environment, especially in industrial application field.

Keywords:

• Partitioned blockchain
• federated learning
• privacy-preserving
• multi-tasking

1. Introduction

Over the past decades, Artificial Intelligence (AI) has widely applied to various areas, such as Industrial Internet of Things (Hu et al., 2020; Kang et al., 2019; Zhang et al., 2021), Internet of Vehicles (Ayaz et al., 2022; Otoum et al., 2020), smart healthcare (Kumar et al., 2021; Yang et al., 2023) and smart cities (Ullah et al., 2020). In practical, AI derives valuable insights from large amounts of high-quality data scattered by different groups or individuals. However, these data generally contain private or sensitive information, which makes the data owner hesitant to expose or upload his data. Thus the development of AI has been hampered by that limitation. To overcome this weakness, Federated learning (FL) (Yang et al., 2021; Zhao et al., 2021), as a distributed machine learning framework, has attracted extensive interest of academic and industrial circles.

FL overcomes the problem of “data silos” and achieves data “available but invisible”, which allows a central server to create a shared global model using gradients instead of original data. Clearly, it is an effective way to enhance the use of data and the sharing of data. However, this central mode can lead to the overload of computation and communication with the number of clients and tasks. Besides, the central server may skew some clients for a certain benefit, which will lose the accuracy of global model. Blockchain (Kim et al., 2020; Ma et al., 2022; Majeed & Hong, 2019), as a decentralised technology, functions with some attractive properties like openness, autonomy, immutability and traceability, provides a solution (Qi et al., 2021; Wan et al., 2022a) to overcome these weaknesses. Nevertheless, the transparent blockchain enables every node to obtain participants' gradients and aggregate a valuable global model. It is the gradient leakage (Wang et al., 2021;  Wei et al.,  2020) issues that may obey the original intention of FL. Hence, it is urgent to protect the gradient of participants.

To avoid the leakage of gradients, a large number of FL frameworks with privacy-preserving have been proposed. These frameworks can be generally categorised into four types: Differential Privacy-based (DP), Secure Multi-Party Computation-based (SMPC), Random Mask-based (RM) and Homomorphic Encryption-based (HE). These methods have proven to be excellent and have made significant contributions to privacy protection in FL. Each has distinct advantages and disadvantages. DP protects the privacy of gradients by adding noise to the local gradient model, which has a negative effect on model accuracy (Geyer et al., 2017; He et al., 2023; Wei et al., 2020). SMPC distributes the local model parameters of each participant to others, and then encrypts and decrypts the data to ensure the confidentiality of the data during the calculation process. But SMPC requires heavy communication cost (Sayyad, 2020; Sotthiwat et al., 2021). RM adds a random number to local gradients, which may be at risk of going offline (Bonawitz et al., 2017; Kursawe et al., 2011; Li et al., 2021). HE encrypts the local model parameters and calculates the encrypted data directly to guarantee both data integrity and participants' local dataset privacy. In addition, HE allows clients disconnect without affecting the accuracy of the global model in FL environment (Phong et al., 2018; Zhang et al., 2020). All of the above preferred conclusions call for a balance between privacy and efficiency in the design of blockchain-based FL. Considering the privacy disclosure of participants and the poor convergence of the global model due to the low accuracy of the local model to be solved in this paper, we choose the Homomorphic encryption algorithm as the essential tool. This work proposes a privacy-preserving FL framework using the HE method.

Most recently, Hao et al. (2019) proposed an efficient FL scheme for privacy-preserve based on stochastic gradient descent (SGD) (Lian et al., 2017). This scheme employs lightweight additive HE technology and Laplace-based DP technology to enhance privacy. This scheme can tolerate users dropout and experimental results show that the global model has high accuracy. Mo et al. (2021) propose a privacy protection method using trusted execution environment (TEE). They proposed layer-wise training and aggregation in FL to solve the problem of limited memory in TEE. Kanagavelu et al. (2020) proposes a two-phase SMPC-enabled FL framework to protect privacy. The two-phase SMPC selects a subset of FL member to exchange secret shares of data. This method requires fewer secret sharing and exchange compared to traditional SMPC and improves the practicality of SMPC method. But there are two problems in these frameworks: single point failure and lack of reward mechanism.

To overcome these problems, a series of blockchain-based FL frameworks (Qi et al., 2021; Wan et al., 2022a) have been proposed. Bao et al. (2019) proposed FLchain, which includes a distribute trust mechanism. The trustworthy mechanism evaluates the reliability and contribution of local models for fair reward distribution to participants. Chai et al. (2021) propose a secure matrix factorization framework under the federated learning setting named FedMF. The core components in FedMF are a user-level distributed matrix factorization. Furthermore, they combine additive HE to increase the security. However, these frameworks do not consider the situation of malicious participants (Zhang et al., 2018) and unable resist data poisoning attacks. Later, Hao et al. (2020) propose to re-encrypt local models by BGV fully HE and additive HE to solve the problem. Specifically, the scheme embeds the ciphertext of gradients into augmented learning with error to achieve the noninteractive aggregation protocol. In 2021, Liu et al. (2021) proposed privacy enhanced federated learning scheme (PEFL), using HE technology, which can effectively resist two typical poisoning attacks in FL, label flipping and backdoor attacks. In recent years, Fu et al. (2022) proposed a method to protect user privacy in FL using Lagrange interpolation and blinding techniques. These frameworks provide various methods to protect model aggregation and greatly improved security and participant privacy protection.

The challenges faced by federated learning in industrial applications encompass two main categories: model training and system security. However, beyond these, there is an additional challenge that cannot be ignored. With the big data era approaching, there is a significant increase in data volume, making it necessary to consider multitasking scenarios. However, these frameworks only consider single FL task.

To solve the above-mentioned problems, this work proposes a privacy-preserving FL framework with multiple FL tasks based on blockchain. The proposed framework builds a group for each FL task, and system users are free to choose to be a role in the group. Meanwhile, multiple groups run simultaneously. The main contributions can be summarised as follows:

• The proposed blockchain-based FL privacy-preserving framework features flexibility and autonomy, which can perform multiple tasks in parallel.

• The proposed framework combines Paillier Homomorphic Encryption and the Pearson Correlation Coefficient (PCCs) to achieve a balance between privacy protection and high accuracy global models.

• Our framework proposes an incentive mechanism related to quality detection results, which guarantee the reward fairness to encourage clients to actively participate in FL.

The remaining sections are organised as follows. Section 2 introduces the related work. In Section 3, we describe the related technologies used in our framework. Section 4 presents the system model and security requirements in FL. Then the details of the system design are presented in Section 5. Section 6 describes the security analysis of the framework. Section 7 presents the experiment and performance analysis. Finally, the conclusion of this paper can be found in Section 8.

Table 1. Notations.

Notation	Description
P	The publisher
$U_i$	The client
$E{N}_j$	The endorsement node
$p{k}_i$	The public key of $U_i$
$s{k}_i$	The private key of $U_i$
$c_i$	The ciphertext using $p{k}_i$
Hpk	The public key of P
Hsk	The private key of P
t	The t iteration
m	The number of endorsement node
k	The number of client
${\omega }_G^t$	global model after t iteration
${\omega }_i^t$	local model of $U_i$ in t iteration
$\left[\right[\cdot ]{]}_{\mathrm{Hpk}}$	the ciphertext using Hpk
ρ	Pearson correlation coefficient
θ	Reward proportion of the clients

2. Related work

The FL framework faces a lot of challenges, and a key challenge among them is privacy. To address this issue, Xu et al. (2019) proposed HybridAlpha, which implements SMC by introducing a trusted third party and adopts functional encryption. Hao et al. (2020) propose PEFL to enhance FL privacy protection, which is a noninteractive secure aggregation protocol that utilises improved BGV HE to encrypt local model gradients and embed ciphertext into augmented learning with error (A-LWE) term. Fang et al. (2022) propose a nondestructive accuracy compression method and a secure aggregation protocol with privacy protection by integrating verifiable secret sharing, polynomial commitment and gradient mask techniques. In addition, So et al. (2023) propose Multi-RoundSecAgg to avoid multiple rounds of privacy leakage in FL by introducing a new metric to capture long-term privacy. The experimental results show that Multi-RoundSecAgg provides better long-term privacy protection while ensuring the global model accuracy (Table 2).

Table 2. Comparison of schemes of introduction and related work section.

Scheme	Privacy Protection techniques	Whether distributed	Whether contain reward mechanism	Has the malicious gradient been filtered	Whether support user disconnection	Accuracy	Security
Qi et al. (2021)	DP	√	x	√	√	–	High
Wan et al. (2022a)	DP	√	√	x	x	98.59$\mathrm{\%}$	Moderate
Hao et al. (2019)	Additive HE + DP	x	x	x	√	98.5$\mathrm{\%}$	Moderate
FLchain Wang et al. (2022)	Paillier HE + DP	√	√	√	x	97.95$\mathrm{\%}$	Moderate
PEFL Liu et al. (2021)	BGV fully HE + DP	x	x	x	x	95.70$\mathrm{\%}$	High
BPFL Bao et al. (2019)	RM	√	√	√	√	90.42$\mathrm{\%}$	Moderate
VFL Fu et al. (2022)	Lagrange interpolation + blinding techniques	x	x	√	x	93.70$\mathrm{\%}$	High
Ours	Paillier HE	√	√	√	√	98.42$\mathrm{\%}$	High

These schemes include a centralised server, which may lead to the single point of failure. Furthermore, the data owner is reluctant to participate in FL tasks due to the consideration that training local models will consume computation and communication resources (Fang et al., 2014) of local devices. The blockchain technology, which functions as a distributed ledger system that incorporates a reward mechanism presents a suitable resolution for these issues. At the same time, the openness and transparency of blockchain enable any node to access the data on the chain, thereby the FL framework based on blockchain has a higher demand for privacy protection.

To cope the challenge, Wan et al. (2022b) proposed an FL privacy-preserving scheme based on blockchain for B5G-Driven edge computing, which protects the FL local model parameters privacy through the integration of Wasserstein Generative Adversarial Network and DP. Qi et al. (2021) use DP to protect vehicle location to prevent errors or low-quality models uploaded by malicious clients. In addition, they effectively protect user privacy by introducing encryption mechanisms.

Encrypting the gradients of local models effectively protects user privacy, but it also brings the drawback that the aggregator cannot identify the accuracy of local models contributed by participants. That's in FL, the accuracy of local models is closely related to the accuracy of the global model, and even worse, large portions of low accuracy local models can lead to global model convergence failure.

Considering lazy clients may upload a fake local model, Rückel et al. (2022) use a non-interactive zero-knowledge proof to enable clients to verify whether other clients are actually training on their local data set. Based on the assumption that participants are dishonest, Bao et al. (2019) purpose federated learning chain (FLchain). FLchain removes incorrect calculations by recording the information about the trainer and FL models and comparing it with computation result on-chain. Wang et al. (2022) propose the double local disturbance localised differential privacy (DLD-LDP) algorithm, which achieves the balance between data quality loss and resource consumption while protecting privacy. At the same time, they propose a reputation calculation algorithm (Sig-RCU) to select high reputation clients to improve global model accuracy. In 2019, Zhao et al. (2019) proposed an exponential-based trust and reputation evaluation system called ETRES to weaken malicious attacks within the wireless sensor networks. Recently, Wang et al. (2022) propose a blockchain-based privacy-preserving federated learning scheme named BPFL, which adopts a variant of the Byzantine resilient aggregation rule Krum Multi-Krum technology to filter out malicious updates. BPFL contains a set of validation nodes and several aggregation nodes, where the validation nodes filter out the local models with malicious updates, while the aggregation nodes aggregate the global models.

In the light of the abundance of data generated every day, these data relate to various domains. Different industries also take the significant advantages of FL to serve themselves. Consequently, the quantity of tasks associated with FL is increasing rapidly, with complex and interlaced aspects. Therefore, an FL framework capable of multi-task in parallel is urgently needed. However, the above frameworks have not taken this critical requirement into consideration.

To solve the above-mentioned problems, this paper proposes a public blockchain-based FL framework. We personalise the selection committee and clients for each FL task and establish a solitary group with the publisher. When selecting group members, we took the user's wishes into consideration and built a flexible and free FL system.

3. Preliminary

In this section, we present the techniques of our framework for the clear statement, including blockchain, homomorphic encryption, the Pearson correlation coefficient and the function for add noisy.

3.1. Blockchain

The blockchain is a distributed record-keeping ledger that comprises a sequence of blocks. Blockchains can be classified into three types: public blockchains, consortium blockchains and private blockchains. Our framework is specifically designed for use with public blockchains.

In our framework, the blockchain storage space is divided into two areas: the publish area and the client area (as shown in Figure 1). Users are granted varying permissions based on their respective roles in different areas. The publish area is designated for the storage of FL task parameters that are published by the publisher, whereas the client area is intended for saving local model parameters that are uploaded by the clients. We enable users to participate in collaborative training in FL more efficiently by splitting the areas, while also better organising multiple parallel FL tasks. For different system users, users who want to obtain a global model can publish FL task and reward details in the publish area. Of course, for users who want to get rewards by participating in training with local datasets, they can view and choose to participate in certain FL tasks from the publish area. More importantly, users who want to receive rewards but do not want to involve local datasets can campaign for committee members, using only local computing and communication resources to achieve their goals. This approach can mobilise the subjective initiative of system users and significantly enhance the flexibility of the system.

Figure 1. Blockchain.

We adopt a committee consensus mechanism to validate, detect and aggregate local models. The members of the committee are composed of endorsement nodes. The selection of endorsement nodes adopts the delegated proof of stake (DPOS) (Xu et al., 2020) election mechanism. During the FL task process, committee members need to reach an internal consensus, which can be achieved when more than 1/2 of endorsement nodes agree.

3.2. Federated learning

Federated learning is a distributed machine learning model proposed to address the issue of data owner privacy leakage caused by directly sending local datasets. It achieves “data immutable model movement”, thereby eliminating privacy concerns of data owners and connecting data silos. The multi-task FL in our paper refers to the presence of multiple FL tasks executing simultaneously in our system, as shown in Figure 2. There are four FL tasks executing in parallel at time t2.

Figure 2. Multi-task federated learning execution time graph.

3.3. Homomorphic encryption

Homomorphic encryption, which supports ciphertext computation, is often used for privacy protection. Our framework adopts Paillier homomorphic encryption (Paillier, 1999) to realise the privacy protection of clients. The Paillier encryption algorithm consists of the following three parts:

• $\mathrm{HE}.\mathrm{KeyGen}\left(\mathcal{L}\right)\to (\mathrm{Hpk},\mathrm{Hsk})$ We let $\mathcal{L}$ represent the safety parameter. Randomly select two large prime p, q , where p and q have the same bit length $\mathcal{L}$. We compute $n=p\ast q$ and $\lambda =\mathrm{lcm}(p-1,q-1)$. The function $\mathrm{lcm}(.)$ is typically used to calculate the least common multiple of two integers. We randomly select $g\in {\mathbb{Z}}_{n^2}^{\ast }$. The homomorphic private key $\mathrm{Hsk}=\left(\lambda \right)$ and homomorphic public key $\mathrm{Hpk}=(n,g)$.

• $\mathrm{HE}.\mathrm{Enc}(\mathrm{Hpk},x)\to c$. Enc is an encryption function. c is the ciphertext encrypted by HPK and x is the plaintext corresponding to c. User selects a random number r and encrypt x according to the following formula: (1) $\begin{array}{r}\left[\right[x]{]}_{\mathrm{Hpk}}=g^x{r}^n\mathrm{mod}{n}^2.\end{array}$(1)

• $\mathrm{HE}.\mathrm{Dec}(\mathrm{Hsk},c)\to x$. Dec is a decryption function. We define $L\left(d\right)=\left(d-1\right)/n$. Upon receiving the encrypted data c, the user with Hsk can directly decrypt it to obtain x: (2) $\begin{array}{r}x=\left(L\right(c^{\lambda }\mathrm{mod}{n}^2\left)/L\right(g^{\lambda }\mathrm{mod}{n}^2\left)\right)\mathrm{modn}\end{array}$(2)

Paillier homomorphic encryption has the linear property of formula (3a(3a) $\begin{array}{rl}\left[\right[x_1]{]}_{\mathrm{Hpk}}\cdot [\left[x_2\right]{]}_{\mathrm{Hpk}}& =\left[\right[x_1+x_2]{]}_{\mathrm{Hpk}}\end{array}$(3a) ), that is, given two plaintexts $x_1$ and $x_2$, a random number r and a public key Hpk, we have (3a) $\begin{array}{rl}\left[\right[x_1]{]}_{\mathrm{Hpk}}\cdot [\left[x_2\right]{]}_{\mathrm{Hpk}}& =\left[\right[x_1+x_2]{]}_{\mathrm{Hpk}}\end{array}$(3a) (3b) $\begin{array}{rl}\left[\right[x_1]{]}_{\mathrm{Hpk}}^r& =\left[\right[r{x}_1]{]}_{\mathrm{Hpk}}\end{array}$(3b)

3.4. Pearson correlation coefficient

The Pearson Correlation Coefficient ( PCC) is a statistical measure used to evaluate the linear correlation between two variables X and Y, where the coefficient value falls between −1 and 1. Its calculation formula is presented in Formula (4(4) $\begin{array}{r}\rho (X,Y)=\frac{\mathrm{Cov}(X,Y)}{\sigma \left(X\right)\sigma \left(Y\right)}\end{array}$(4) ). In our work, we employ the Pearson correlation coefficient to assess the correlation between the local gradient model and the global model. (4) $\begin{array}{r}\rho (X,Y)=\frac{\mathrm{Cov}(X,Y)}{\sigma \left(X\right)\sigma \left(Y\right)}\end{array}$(4)

3.5. Function for add noisy

We define function $\mathcal{A}(.)$ and $\mathcal{B}(.)$ as noise-adding functions based on additive homomorphic encryption and multiplicative homomorphic encryption, respectively. The specific calculation of function $\mathcal{A}(.)$ and $\mathcal{B}(.)$ is shown in the formula (5) $\begin{array}{rl}\mathcal{A}(c,r)& =c\cdot \left[\right[r]{]}_{\mathrm{Hpk}}=[[x+r]{]}_{\mathrm{Hpk}}=\left[\right[\hat{x}]{]}_{\mathrm{Hpk}}\end{array}$(5) (6) $\begin{array}{rl}\mathcal{B}(c,r)=c^r& =\left[\right[\mathrm{rx}]{]}_{\mathrm{Hpk}}=[\left[\tilde{x}\right]{]}_{\mathrm{Hpk}}\end{array}$(6) where r is a random number, c is the ciphertext homomorphic encrypted corresponding to plaintext m, that is, c and m satisfied $c=\left[\right[x]{]}_{\mathrm{pk}}$. We denote $\hat{x}$ and $\tilde{x}$ as the noised result additive noisy and multiplicative noisy respectively. $\mathcal{A}$ is used in the global model aggregation phase, and $\mathcal{B}$ is used in the quality detection phase. More details will be given in Section 5. We have $\rho \left(\right[\left[\tilde{X}\right]{]}_{\mathrm{Hpk}},\left[\right[\tilde{Y}\left]{]}_{\mathrm{Hpk}}\right)=\rho \left(\right[\left[X\right]{]}_{\mathrm{Hpk}},\left[\right[Y\left]{]}_{\mathrm{Hpk}}\right)$. The correctness proof is as follows

Correctness proof: The covariance of $\tilde{X}$ and $\tilde{Y}$ $\mathrm{Cov}(\tilde{X},\tilde{Y})$ can be transformed as follows: $\begin{array}{rl}\mathrm{Cov}(\tilde{X},\tilde{Y})& =\mathrm{Cov}(r_1\cdot X,r_2\cdot Y)\\ & =E\left[(r_1\cdot X-\overline{r_1\cdot X})(r_2\cdot Y-\overline{r_2\cdot Y})\right]\\ & =r_1{r}_{2}E\left[(X-\overline{X})(Y-\overline{Y})\right]\\ & =r_1{r}_2\mathrm{Cov}(X,Y)\end{array}$where $E(\cdot )$ denotes the expectation and $\overline{X}$ is the average of variable X. At the same time, the standard deviation $\sigma \left(\overline{X}\right)$ of $\overline{X}$ has $\begin{array}{rl}\sigma \left(\overline{X}\right)& =\sigma \left(r_{1}X\right)\\ & =\sqrt{E\left(\right(r_{1}X{)}^2)-(E\left(r_{1}X\right){)}^2}\\ & =r_1\sqrt{E\left(\right(X{)}^2)-(E\left(X\right){)}^2}\\ & =r_1\sigma \left(X\right)\end{array}$Similarly, we can get $\sigma \left(\overline{Y}\right)=r_2\sigma \left(Y\right)$. Combining the above derivation, we can obtain $\begin{array}{rl}\rho (\tilde{X},\tilde{Y})& =\frac{\mathrm{Cov}(\tilde{X},\tilde{Y})}{\sigma \left(\tilde{X}\right)\sigma \left(\tilde{Y}\right)}\\ & =\frac{r_1{r}_{2}Cov(X,Y)}{r_1\sigma \left(X\right)r_2\sigma \left(Y\right)}\\ & =\frac{\mathrm{Cov}(X,Y)}{\sigma \left(X\right)\sigma \left(Y\right)}\\ & =\rho (X,Y)\end{array}$We combine Paillier and Pearson coefficients and apply them to our scheme. We take the random numbers r1 and r2 as noise and add noise to the parameters by using the homomorphic property of Paillier. Consequently, we can get $\rho \left(\right[\left[\tilde{X}\right]{]}_{\mathrm{Hpk}},\left[\right[\tilde{Y}\left]{]}_{\mathrm{Hpk}}\right)=\rho \left(\right[\left[X\right]{]}_{\mathrm{Hpk}},\left[\right[Y\left]{]}_{\mathrm{Hpk}}\right)$. More details on the application of this formula will be shown in Section 5.

4. System model and security requirement

In this section, we first present the system model of our proposed system and describe the threat model of FL task. Then, we introduce the design goals. Table 1 lists the notations used in our paper.

4.1. System model

We propose a blockchain-based FL secure aggregation framework to protect the privacy of clients' datasets. Figure 3 shows our system model that includes three roles: publisher, client and committee.

Figure 3. Framework.

Publisher: The publisher P is responsible for publishing the FL task and paying for the reward. When P has a requirement to get a global model, he will submit a request to the publish area in the blockchain. Besides, P also helps committee to compute some data. After FL complete, P gets a global model.

Client: Client $U_i$ trains local model gradient parameters using his local datasets. Finally, $U_i$ will receive rewards after FL task complete. Users download the training task from the publish area, select the task they want join and submit intentions to client area.

Committee: The committee detects the quality of local model and aggregates the global model. The committee contains a set of endorsement nodes. In the proposed framework, we use DPOS contract mechanism to select endorsement nodes. According to the previous record of participating performance in FL tasks, nodes with stable network connections and high reputation will be selected as endorsement nodes.

It is worth noting that the three roles of users in the system are registered users of our system. Our system assigns different identities to each user according to their different needs.

4.2. Threat model

Based on the framework in Zamani et al. work (Melis et al., 2019; Nasr et al., 2019; Zamani et al., 2018), the purpose of an adversary is to reduce the accuracy of the global model and even make the global model fail to converge or gain user privacy. The most common method they use is to carry out various attacks on user local models or local data sets. In our proposed framework, we assume that the system users are semi-honest. They will honestly perform all processes, such as encryption and decryption, as well as uploading and sending. However, they want to obtain the dataset features or meaningful information of the other user. Our proposed framework follows the standard threat model in many blockchain systems (Cai et al., 2019; Zamani et al., 2018), where at least 2/3 of all users are assumed to be honest. For the committee members selected from the blockchain, we assume that more than 2/3 of them will perform their work properly. Certainly, as a core part of conducting the FL aggregation global model work, they are vulnerable to attacks. The committee members who have been successfully attacked will result in incorrect calculations. We assume that even if committee members are attacked, more than half of them still perform normally. Similar to committee members, some clients may be attacked. As the global model owner, we assume the publisher is honest for a high-accuracy model. Here we assume that there is no collusion between the committee, the publisher and the client. Additionally, we assume clients and committee members can securely obtain the correct initialization global model parameters. By assuming these conditions, we can design and implement effective countermeasures against potential security threats in FL.

4.3. Security requirements

The security requirements of federated learning in applications mainly include the following:

• Resistance to gradient leakage attack: FL was originally proposed to prevent privacy leakage caused by direct transmission of local data. However, some studies have shown that the attacker can obtain privacy and sensitive information from the local model parameter upload by client. Therefore, the FL framework should take further measures to prevent privacy leakage.

• Safeguard global model accuracy: The global model is the result of work and pull together, which involves mass communication and computational overhead. However, the adversary is able to attack some clients' computers and inject wrong data or marked data (Bagdasaryan et al., 2020; Nuding & Mayer, 2020) into their local datasets. This will affect the accuracy of the local model and results in an unavailable global model. An FL framework should avoid this kind of malignant result.

• Confidentiality: In our framework, the global model is not shared and is purchased by the publisher, so final only the publisher is available. Therefore, in the process of collaboration among all users, we need to ensure this. In addition, if the publisher obtains the local model gradients of each participant, there is also a risk of privacy leakage for the client. Therefore, we need to ensure the confidentiality of the data during transmission, and only specific individuals can obtain the original data.

• System Robustness: Users may be disconnected in FL learning process, the cloud server responsible for aggregation may consciously favour some participants and malicious users may exist. These will affect the accuracy of the global model, so it is necessary to ensure the stability and correctness of the framework.

5. The proposed framework

This section describes the process of our FL framework.

5.1. System setup

Step 1: The publisher P generates homomorphic private key $\mathrm{Hsk}=\left(\lambda \right)$ and the corresponding public key $\mathrm{Hpk}=(n,g)$ using $\mathrm{HE}.\mathrm{KeyGen}\left(\right)$. After that, P calculates a signature $S_P=\mathrm{Sign}(s{k}_P,\mathrm{Inf})$, where $\mathrm{Inf}=\left(\mathrm{Hpk}||\mathrm{address}||m||k||{\omega }_G^0||{\mathrm{Max}}_t||\mathrm{money}||\theta \right)$, where address is the address of P, m and k represent the number of endorsement nodes and clients respectively, ${\omega }_G^0$ represents initialise the global model, $\mathrm{Ma}{x}_t$ represents the maximum number of iterations, money and θ represent the amount to be paid and the reward proportion of the clients, respectively. Finally, P submits a requirement $\mathrm{Req}=(\mathrm{Inf},S_P)$ to publish area of blockchain.

Step 2: The smart contract(SC) of blockchain computes $\mathrm{Ver}(P{K}_P,\mathrm{Inf})\stackrel{?}{=}\mathrm{true}$, if the signature is correct, SC checks the account balance of P, if it is enough to pay, SC freezes the account of the prepaid, selects committee members (endorsement nodes) $E{N}_j$ and clients $U_i$ as the following condition (7a(7a) $\begin{array}{r}P\cap U_i=\mathrm{\varnothing }.\end{array}$(7a) ). Otherwise, SC rejects the requirement. (7a) $\begin{array}{r}P\cap U_i=\mathrm{\varnothing }.\end{array}$(7a) (7b) $\begin{array}{r}P\cap E{N}_j=\mathrm{\varnothing }.\end{array}$(7b) (7c) $\begin{array}{r}{U}_i\cap E{N}_j=\mathrm{\varnothing }.\end{array}$(7c) Finally, SC assigns a unique FL task identification serial number FID to the task and set task state FID.signal = 0, Where FID.signal is 0 or 1, which respectively represent FID in progress and completed. Later, SC publishes $\mathrm{FL}=(\mathrm{FID}||\mathrm{FID}.\mathrm{signal}||P||\mathrm{Req})$ to the publish area. Figure 4 shows the comprehensible system setup process.

Figure 4. System setup.

5.2. Training phase

Step 1: If iteration t = 1, $U_i,i\in [1,k]$ downloads the global model ${\omega }_G^0$ from the publish area. Otherwise, $U_i$ receives the global model ciphertext $\left[\right[{\omega }_G^{t-1}]{]}_{p{k}_i}$ from P. $U_i$ decrypts $\left[\right[{\omega }_G^{t-1}]{]}_{p{k}_i}$ with $s{k}_i$, obtains the global model ${\omega }_G^{t-1}$, trains on the local dataset and gets the local model ${\omega }_i^t$.

Step 2: $U_i$ executes $\mathrm{HE}.\mathrm{Enc}(\mathrm{Hpk},{\omega }_i^t)$ and gets $\left[\right[{\omega }_i^t]{]}_{\mathrm{Hpk}}$. Later, $U_i$ selects a random number a and calculates $A=g^a$. $U_i$ calculates $c_i=\left[\right[{\omega }_i^t]{]}_{\mathrm{Hpk}}\oplus H(\mathrm{CP}{K}^a)$, where ⊕ denotes xor operation. Then $U_i$ calculates signature $S_i=\mathrm{Sign}(s{k}_i,c_i)$. Finally, $U_i$ sends $\mathrm{Mode}{l}_i=\left(S_i||c_i||A\right)$ to committee.

5.3. Quality detect

Step 1: Committee computes $\mathrm{Ver}(p{k}_i,c_i)\stackrel{?}{=}\mathrm{true}$, if the verification fails, committee discard $\mathrm{Mode}{l}_i$. Otherwise, committee calculates $\left[\right[{\omega }_i^t]{]}_{\mathrm{Hpk}}=c_i\oplus H(A^{\mathrm{CSK}})$. Where $A^{\mathrm{CSK}}=\mathrm{CP}{K}^a=g^{\mathrm{aCSK}}$. CPK and CSK represent a public and private key pair generated by the committee and satisfy $\mathrm{CPK}=g^{\mathrm{CSK}}$.

Step 2: Committee detects the quality to ${\omega }_i^t$ by computing PCCs. The specific calculation process is as follows:

1. Add noise to $\left[\right[{\omega }_i^t]{]}_{\mathrm{Hpk}}$: Committee randomly selects a nonzero integer $r_i$ and executes $\mathcal{A}\left(\right[\left[{\omega }_i^t\right]{]}_{\mathrm{Hpk}},r_i)$ get $\left[\right[\widehat{{\omega }_i^t}]{]}_{\mathrm{Hpk}}$, where $\mathcal{A}\left(\right)$ is defined in Section 3.4.

2. Committee sends noised result $\left[\right[\widehat{{\omega }_i^t}]{]}_{\mathrm{Hpk}}$ to P.

3. P decrypts and gets noised result $\widehat{{\omega }_i^t}$ and calculates the average $\widehat{\mathrm{Ave}}$.

4. P encrypts with Hpk (show in Equation 1(1) $\begin{array}{r}\left[\right[x]{]}_{\mathrm{Hpk}}=g^x{r}^n\mathrm{mod}{n}^2.\end{array}$(1) ) and sends ciphertext $\left[\right[\widehat{\mathrm{Ave}}]{]}_{\mathrm{Hpk}}$ to committee.

5. Committee eliminates noise (show in Equation 8(8) $\begin{array}{r}\left[\right[\mathrm{Ave}]{]}_{\mathrm{Hpk}}=[\left[\widehat{\mathrm{Ave}}\right]{]}_{\mathrm{Hpk}}\cdot {\left[\left[\frac{1}{k}\sum _{i=1}^k{r}_i\right]\right]}_{\mathrm{Hpk}}^{-1}\end{array}$(8) ) gets ciphertext of average $\left[\right[\mathrm{Ave}]{]}_{\mathrm{Hpk}}$. (8) $\begin{array}{r}\left[\right[\mathrm{Ave}]{]}_{\mathrm{Hpk}}=[\left[\widehat{\mathrm{Ave}}\right]{]}_{\mathrm{Hpk}}\cdot {\left[\left[\frac{1}{k}\sum _{i=1}^k{r}_i\right]\right]}_{\mathrm{Hpk}}^{-1}\end{array}$(8) Algorithm 1 describes the details of the average compute process.

Step 3: P assists committee to calculate PCCs. The process details are as follows:

1. Add noise to $\left[\right[\mathrm{Ave}]{]}_{\mathrm{Hpk}}$ and $\left[\right[{\omega }_i^t]{]}_{\mathrm{Hpk}}$. Committee randomly selects two nonzero integers $r_1$ and $r_2$ and executes $\mathcal{B}\left(\right[\left[\mathrm{Ave}\right]{]}_{\mathrm{Hpk}},r_1)$ and $\mathcal{B}\left(\right[\left[{\omega }_i^t\right]{]}_{\mathrm{Hpk}},r_2)$ to get $\left[\right[\widetilde{\mathrm{Ave}}]{]}_{\mathrm{Hpk}}$ and $\left[\right[\widetilde{{\omega }_i^t}]{]}_{\mathrm{Hpk}}$ respectively, where $\mathcal{B}\left(\right)$ is defined in Section 3.4.

2. Committee sends $\left[\right[\widetilde{\mathrm{Ave}}]{]}_{\mathrm{Hpk}}$, $\left[\right[\widetilde{{\omega }_i^t}]{]}_{\mathrm{Hpk}}$ to P.

3. P decrypts $\left[\right[\widetilde{\mathrm{Ave}}]{]}_{\mathrm{Hpk}}$ and $\left[\right[\widetilde{{\omega }_i^t}]{]}_{\mathrm{Hpk}}$ with Hsk and gets $\widetilde{\mathrm{Ave}}$ and $\widetilde{{\omega }_i^t}$.

4. Later, P calculates the PCCs ${\rho }_i$ between $\widetilde{\mathrm{Ave}}$ and $\widetilde{{\omega }_i^t}$, then uploads transaction $\mathrm{TRA}=\left\{t||\right(p{k}_1,{\rho }_1\left)||\right(p{k}_2,{\rho }_2)||\cdots ||(p{k}_k,{\rho }_k\left)\right\}$ to client area.

   Algorithm 2 describes the detailed of compute PCCs.

5.4. Filter out unqualified local models

Committee downloads TRA and calculates the weight ${\mathbf{W}}_i$ (show in Equation 9(9) $\begin{array}{r}{\mathbf{W}}_i=max\{0,ln\left(\frac{1+{\rho }_i}{1-{\rho }_i}\right)-0.5\}\end{array}$(9) ) of $U_i$. (9) $\begin{array}{r}{\mathbf{W}}_i=max\{0,ln\left(\frac{1+{\rho }_i}{1-{\rho }_i}\right)-0.5\}\end{array}$(9) It is not difficult to find that PCCs and weight are positively related. Here we denote the minimum value of ${\mathbf{W}}_i$ as 0. If ${\mathbf{W}}_i<0$, we think that the accuracy of ${\omega }_i^t$ is too low and the quality detection is unqualified. ${\omega }_i^t$ will not take part in the global model aggregation, and $U_i$ will not be rewarded in this iteration. Later, committee uploads $\mathrm{Si}{g}_W=(\mathrm{CSK},\mathrm{Wlist})$ to client area, where $\mathrm{Wlist}=(t||W_1||W_2||\cdots ||W_k)$.

5.5. Aggregate local model

The committee aggregates the local model and get $\left[\right[{\omega }_{\mathrm{sum}}^t]{]}_{\mathrm{Hpk}}$. The calculation of the aggregate process is shown in Equation (10(10) $\begin{array}{r}\left[\right[{\omega }_{\mathrm{sum}}^t]{]}_{\mathrm{Hpk}}=\prod _{i=1}^k[\left[{\omega }_i^t\right]{]}_{\mathrm{Hpk}}({\mathbf{W}}_i\ne 0).\end{array}$(10) ). (10) $\begin{array}{r}\left[\right[{\omega }_{\mathrm{sum}}^t]{]}_{\mathrm{Hpk}}=\prod _{i=1}^k[\left[{\omega }_i^t\right]{]}_{\mathrm{Hpk}}({\mathbf{W}}_i\ne 0).\end{array}$(10) Then, committee generates the signature $S_c=\mathrm{Sign}(\mathrm{CSK},[\left[{\omega }_{\mathrm{sum}}^t\right]{]}_{\mathrm{Hpk}}$) and submits $S_c$ and $\left[\right[{\omega }_{\mathrm{sum}}^t]{]}_{\mathrm{Hpk}}$ to client area.

5.6. Update phase

P validates the signature $S_c$ and downloads $\left[\right[{\omega }_{\mathrm{sum}}^t]{]}_{\mathrm{Hpk}}$, executes $\mathrm{Dec}(\mathrm{Hsk},[\left[{\omega }_{\mathrm{sum}}^t\right]{]}_{\mathrm{Hpk}})$ and gets ${\omega }_{\mathrm{sum}}^t$. Then P updates the global model ${\omega }_G^t$ according to formula (11(11) $\begin{array}{r}{\omega }_G^t={\omega }_G^{t-1}-\eta \frac{{\omega }_{\mathrm{sum}}^t}{k_1}\end{array}$(11) ), where $k_1$ denotes the number of ${\mathbf{W}}_i>0,i\in [1,k]$. Later, P evaluates the accuracy of ${\omega }_G^t$. If the accuracy requirements are satisfied or $t=\mathrm{Ma}{x}_t$, P set FID.signal = complete, SC executes the reward distribute. Otherwise, P calculates $\left[\right[{\omega }_G^t]{]}_{p{k}_i}=\mathrm{Enc}(p{k}_i,{\omega }_G^t),i\in [1,k]$ and sent it to $U_i$. Finally, P sets t = t + 1 and turn to the training phase. (11) $\begin{array}{r}{\omega }_G^t={\omega }_G^{t-1}-\eta \frac{{\omega }_{\mathrm{sum}}^t}{k_1}\end{array}$(11)

5.7. Reward distribute phase

After the FL task is complete, both clients and the committee members should get the reward. For different identities, we adopt different allocation schemes. Clients should allocate the rewards according to the weight ratio in each iteration. $U_i$ gets rewards $\mathrm{Re}{w}_i$ shown in Equation (12(12) $\begin{array}{rl}\mathrm{Re}{w}_i& =\frac{\mathrm{money}\cdot \theta \cdot {\mathrm{\Sigma }}_{t=0}^T{\mathbf{W}}_i}{{\mathrm{\Sigma }}_{i=1}^k{\mathrm{\Sigma }}_{t=0}^T{\mathbf{W}}_i}(i=1,2,\dots ,k)\end{array}$(12) ). Here, we ignore the consume of compute and communicate and the differences between their datasets. We take the correlation between Ave and ${\omega }_i^t$ as the unique standard for reward distribution. For the committee members $E{N}_j$, the workload of each is same, so the reward should be distributed equally. $E{N}_j$ get rewards $\mathrm{Re}{w}_j$ shown in Equation (13(13) $\begin{array}{rl}\mathrm{Re}{w}_j& =\frac{\mathrm{money}\cdot (1-\theta )}{m}(j=1,2,\dots ,m)\end{array}$(13) ). T indicates the total number of iterations. (12) $\begin{array}{rl}\mathrm{Re}{w}_i& =\frac{\mathrm{money}\cdot \theta \cdot {\mathrm{\Sigma }}_{t=0}^T{\mathbf{W}}_i}{{\mathrm{\Sigma }}_{i=1}^k{\mathrm{\Sigma }}_{t=0}^T{\mathbf{W}}_i}(i=1,2,\dots ,k)\end{array}$(12) (13) $\begin{array}{rl}\mathrm{Re}{w}_j& =\frac{\mathrm{money}\cdot (1-\theta )}{m}(j=1,2,\dots ,m)\end{array}$(13) Algorithm 3 describes the details of SC distribute reward, where $T_x$ represents the reward distribution transaction and $T_x=(\mathrm{sender},\mathrm{receiver},\mathrm{value})$.

6. Security analysis

Resistance to gradient leakage attack:

Theorem

Our scheme for system users will not disclose any information about the local model gradient ${\omega }_i^t$.

Proof.

We use the encryption method that combines the Paillier HE and hash functions for local model gradient ${\omega }_i^t$. Client sends ciphertext $c_i$ to committee, $c_i=\left[\right[{\omega }_i^t]{]}_{\mathrm{Hpk}}\oplus H(\mathrm{CP}{K}^a)$. The committee can easily obtain $\left[\right[{\omega }_i^t]{]}_{\mathrm{Hpk}}$. But if the committee wants to get ${\omega }_i^t$, it must solve the hardness of large integer decomposition problem of the Paillier HE (Zhou et al., 2015). So our scheme provides CPA-secure. As a result, committee members are unable to obtain any explicit information. Furthermore, hash functions have collision resistance and irreversibility. These features prevent publisher $\mathcal{P}$ from knowing any information in ${\omega }_i^t$.

Safeguard global model accuracy: In our framework, we assume that the attackers have successfully attacked some clients's local datasets and tampered with them. In addition, these clients will train local models with low accuracy or error and send them to the committee. However, in our framework, quality detection is achieved through PCCs, and we believe that there is a significant difference between the local model generated by the tampered dataset and the normal dataset. It will be filtered out during the quality inspection phase. With the help of publishers, the committee directly calculates based on homomorphic ciphertext, and only the calculation results that reach consensus can be recognised. Therefore, committee members cannot forge detection results. Therefore, local models with low accuracy or errors will inevitably be filtered out, effectively preventing their impact on the accuracy of the global model. Therefore, the accuracy of the global model is guaranteed.

Confidentiality: The confidentiality of the local model of the client has been explained in the resistance to gradient leakage attack section. Here, we consider the confidentiality of the global model. From the details of the local model stage aggregation, it can be seen that the committee directly calculates homomorphic ciphertext. This means that throughout the entire calculation process, the committee cannot obtain any information about the global model. Security provided by Paillier HE.

System robustness: For the case of user disconnection, our framework supports the disconnected user to join again. For malicious users and poisoning attacks, our framework can effectively screen them for quality detection to ensure global model accuracy. The behaviour of some malicious members of the committee intends to affect the accuracy of the global model, we adopt a consensus mechanism to prevent malicious results. The robustness of our framework is guaranteed through these mechanisms.

Through the above security analysis of the framework, we know that our framework meets the security requirements in FL.

7. Experiment and performance analysis

7.1. Experimental methodology

Our framework is proposed based on the Ethereum public chain. The operating mechanism of the blockchain has not been modified in our framework, we only modify the operation content (SC, committees, etc.). And we focus on privacy protection for FL. Therefore, we only test FL performance here in experiment.

We use PyTorch (version 1.9.1+cu111) and python (version 3.9.11) to build an FL running environment. After local model training, each participant uploads the local model parameters, then the committee calculates PCCs and weight and aggregate global model. After updating the global model, each participant uses the new global model to train the local model.

Experiments are conducted on Windows 11 with a GeForce MX250 2GB GPU and 8GB of RAM. In our experiments, we use the image dataset MNIST of handwritten digits as experiment dataset. MNIST contains 60,000 training samples and 10,000 test samples. We first randomly divided the training dataset into 100 parts. Then we assign each part to a participant as the participant's local dataset. Thus each participant has 600 training samples. We randomly selected 1, 2, 3, 4, 5, 6, 7, 8, 9 and 10 participants from 100 participants for the experiment. We use a Convolutional Neural Network (CNN) as the training model, which consists of a convolutional layer, pooling layer, dropout layer, and fully connected layer. We use the Stochastic Gradient Descent (SGD) algorithm. The learning rate η is set as 0.01 and the momentum set as 0.5. We also perform 10, 20, 30 and 40 iterations, and each participant trains with 600 training samples to get local gradient model parameters and tests accuracy with 128 randomly selected test samples.

7.2. Performance evaluation

We evaluate the performance of FL from two aspects: execution time and accuracy. Table 3 presents detailed experimental data.

Table 3. Execution time and global model accuracy for different iterations with different number of clients.

Number of participants			1	2	3	4	5	6	7	8	9	10
Execution time(s)	Iteration	10	59.84	73.33	98.41	118.70	142.52	177.43	201.62	231.07	254.62	282.53
		20	82.28	124.08	185.38	224.75	286.30	356.80	395.68	440.80	465.71	587.80
		30	101.17	174.53	265.20	323.17	390.98	530.30	572.68	650.45	716.79	815.26
		40	125.95	233.47	349.44	488.24	583.18	664.28	797.08	875.20	979.06	1123.59
Global model accuracy		10	95.91$\mathrm{\%}$	96.49$\mathrm{\%}$	96.48$\mathrm{\%}$	96.60$\mathrm{\%}$	96.33$\mathrm{\%}$	96.45$\mathrm{\%}$	96.90$\mathrm{\%}$	96.80$\mathrm{\%}$	96.60$\mathrm{\%}$	96.33$\mathrm{\%}$
		20	96.94$\mathrm{\%}$	97.55$\mathrm{\%}$	97.27$\mathrm{\%}$	97.47$\mathrm{\%}$	97.71$\mathrm{\%}$	97.76$\mathrm{\%}$	97.64$\mathrm{\%}$	97.72$\mathrm{\%}$	97.89$\mathrm{\%}$	97.66$\mathrm{\%}$
		30	97.10$\mathrm{\%}$	97.97$\mathrm{\%}$	97.85$\mathrm{\%}$	98.12$\mathrm{\%}$	98.10$\mathrm{\%}$	98.13$\mathrm{\%}$	98.03$\mathrm{\%}$	98.11$\mathrm{\%}$	98.10$\mathrm{\%}$	98.20$\mathrm{\%}$
		40	97.59$\mathrm{\%}$	97.93$\mathrm{\%}$	98.20$\mathrm{\%}$	97.97$\mathrm{\%}$	98.29$\mathrm{\%}$	98.39$\mathrm{\%}$	98.34$\mathrm{\%}$	98.17$\mathrm{\%}$	98.29$\mathrm{\%}$	98.42$\mathrm{\%}$

Evaluate execution time: The execution time includes the training time and testing time of the model. Experiments perform FL with multiple participants (i.e. clients) for 10, 20, 30 and 40 iterations respectively (as shown in the upper portion of Table 3). From the data in the table, it can be seen that when the six participants perform 10, 20, 30 and 40 iterations respectively, the execution time requires 177.43 s, 356.80 s, 530.30 s and 664.28 s. When the number of participants is the same and the number of iterations increases, the longer the execution time required, and the execution time is linear positively correlated with the number of iterations. Figure 5 provides an visual histogram of the execution time of different numbers of participants under distinct iterations. It is not difficult to find that the more iterations, the larger the slope of the line graph for execution time.

Figure 5. Execution time cost of participants.

Evaluate the global model accuracy: We evaluated the global model accuracy of different numbers of participants running different iterations, and the experimental data is shown in the lower portion of Table 3. First, we compare the data in the same column, for example, with 3 participants, and perform 10, 20, 30 and 40 iterations respectively. The accuracy of the global model is 96.48$\mathrm{\%}$, 97.27$\mathrm{\%}$, 97.85$\mathrm{\%}$ and 98.20$\mathrm{\%}$. Similarly, comparing data from other columns, it is not difficult to find that when the number of participants is constant, the global model accuracy increases with the number of iterations. When 10 participants conducted 40 iterations, the global model accuracy reached the highest value of 98.42 %. Second, we compare the data listed between columns. Compare the three columns with 1, 4 and 10 participants (coloured columns in Table 3), we found that the global model accuracy improves with the increase of the number of participants. Although a few specific experimental data do not conform to this pattern, such as when the number of iterations is 30, the global model accuracy trained by 6 participants is 98.13$\mathrm{\%}$, while the global model accuracy trained by 7 participants is only 98.03$\mathrm{\%}$, with a decrease of 0.10$\mathrm{\%}$. However, scan widely all experimental data, along with the number of participants and iterations increase, the accuracy of the global model shows an upward trend.

In particular, FL degenerates into traditional machine learning when only one participant is training, since all datasets are sourced from the same place and it is unnecessary for the model aggregates with other participants. It can be seen from the experiment that the more participants, the more samples can be used for training, and the model will have more effective features, so the accuracy will increase accordingly. Figure 6 shows the variation of global model accuracy in the form of a line graph.

Figure 6. Global model accuracy of participants.

7.3. Overhead analysis

We analyse the computational overhead and communication overhead complexity from the perspective of different system user roles. Note: In this part, we neglect the disconnected users and carry out complexity analysis with the number of online clients as n. The description of the symbols we use is shown in Table 4.

Table 4. Sample of computational overhead analysis.

Sample	Description
${\mathcal{T}}_{\mathrm{HEn}}$	Paillier encryption
${\mathcal{T}}_{\mathrm{HDe}}$	Paillier decryption
${\mathcal{T}}_{\mathrm{HA}}$	Paillier HE addition
${\mathcal{T}}_{\mathrm{HM}}$	Paillier HE multiplication
${\mathcal{T}}_{\exp }$	Exponentiation operation
${\mathcal{T}}_{\mathrm{xor}}$	Xor operation
${\mathcal{T}}_{\mathrm{hash}}$	Hash operation
${\mathcal{T}}_{\mathrm{sig}}$	Digital signature
${\mathcal{T}}_{\mathrm{vsig}}$	Signature verification
${\mathcal{T}}_{\mathrm{ECC}}$	Elliptic curve encryption
${\mathcal{T}}_{\mathrm{DECC}}$	Elliptic curve decryption

Computation overhead:

Publisher: In quality detect phase, publisher $\mathcal{P}$ decrypts the local model gradient separately. So, the computation cost of $\mathcal{P}$ is $3n{\mathcal{T}}_{\mathrm{HDe}}+{\mathcal{T}}_{\mathrm{HEn}}$. And in update phase, $\mathcal{P}$ has ${\mathcal{T}}_{\mathrm{vsig}}+{\mathcal{T}}_{\mathrm{HDe}}+n{\mathcal{T}}_{\mathrm{ECC}}$ computation cost. Therefore, the computational overhead of $\mathcal{P}$ can be expressed as $(3n+1){\mathcal{T}}_{\mathrm{HDe}}+n{\mathcal{T}}_{\mathrm{ECC}}+{\mathcal{T}}_{\mathrm{HEn}}+{\mathcal{T}}_{\mathrm{vsig}}$.

Client: The client needs to decrypt the updated global model before starting a new iteration and then conduct local training. Afterwards, encrypt the local model and send it to the committee. The total computational cost is ${\mathcal{T}}_{\mathrm{DECC}}+{\mathcal{T}}_{\mathrm{HEn}}+{\mathcal{T}}_{\exp }+{\mathcal{T}}_{\mathrm{hash}}+{\mathcal{T}}_{\mathrm{xor}}+{\mathcal{T}}_{\mathrm{sig}}$.

Committee: Committee members act as a link in the FL task. They need to interact with both the publisher $\mathcal{P}$ and the client. When interacting with clients, the computational cost is $n({\mathcal{T}}_{\mathrm{vsig}}+{\mathcal{T}}_{\exp }+{\mathcal{T}}_{\mathrm{hash}}+{\mathcal{T}}_{\mathrm{xor}})$. And in quality detection phase, the computational cost when interacting with the $\mathcal{P}$ is $n{\mathcal{T}}_{\mathrm{HA}}+(2n+1){\mathcal{T}}_{\mathrm{HM}}+{\mathcal{T}}_{\mathrm{sig}}$. Furthermore, the total computational cost of committee is $n({\mathcal{T}}_{\mathrm{vsig}}+{\mathcal{T}}_{\exp }+{\mathcal{T}}_{\mathrm{hash}}+{\mathcal{T}}_{\mathrm{xor}}+{\mathcal{T}}_{\mathrm{HA}})+(2n+1){\mathcal{T}}_{\mathrm{HM}}+{\mathcal{T}}_{\mathrm{sig}}$.

Communication overhead:

We suppose that the homomorphic ciphertext length is ${\mathcal{C}}_{\mathrm{HE}}$ bits, the signature length is ${\mathcal{C}}_{\mathrm{sig}}$ bits, and the length of A in training phase is ${\mathcal{C}}_A$ bits. Then the communication cost to send for each client is ${\mathcal{C}\mathcal{R}}_{\mathrm{cli}}=m({\mathcal{C}}_{\mathrm{HE}}+{\mathcal{C}}_{\mathrm{sig}}+{\mathcal{C}}_A)$. The total communication cost consists of two parts: send cost and receive cost. So the total communication cost of clients can be expressed as ${\mathcal{C}\mathcal{T}}_{\mathrm{cli}}=n\left(\right(m+1){\mathcal{C}}_{\mathrm{HE}}+m({\mathcal{C}}_{\mathrm{sig}}+{\mathcal{C}}_A\left)\right)$. ${\mathcal{C}\mathcal{S}}_{\mathrm{com}}$ represents the communication cost to receive of the committee. We have ${\mathcal{C}\mathcal{S}}_{\mathrm{com}}=(3n+2){\mathcal{C}}_{\mathrm{HE}}$. The total communication of committee ${\mathcal{C}\mathcal{T}}_{\mathrm{com}}=\mathrm{nm}({\mathcal{C}}_{\mathrm{HE}}+{\mathcal{C}}_{\mathrm{sig}}+{\mathcal{C}}_A)+(3n+2){\mathcal{C}}_{\mathrm{HE}}$. Similarly, we can deduce that the total communication cost for publishers ${\mathcal{C}\mathcal{T}}_{\mathrm{pub}}$ is ${\mathcal{C}}_{\mathrm{HE}}+n{\mathcal{C}}_{\mathrm{ECC}}$. ${\mathcal{C}}_{\mathrm{ECC}}$ represents the bit length of ECC output.

The above-mentioned computational and communication complexity analyses are aimed at once FL iteration. FL task contains T iterations.

8. Conclusion

This article proposes a multi-task FL framework for privacy protection based on blockchain. This framework achieves synchronous execution of multiple FL tasks through SC. In addition, we combined Paillier HE and PCCs to achieve privacy protection and quality detection, while integrating incentive mechanism functions. We construct a group for each FL task, consisting of three types of roles that collaborate to complete the learning process, and all members are sourced from system users. Unlike many previous frameworks that pursue FL privacy protection and secure aggregation, we are more concerned with building an FL system that enables user collaboration and sharing. We only formulate rules and do not participate in any FL learning process. We have analysed the security of the system, and the analysis results prove that our framework complies with FL's security requirement. The experimental results conducted on MINST show that the accuracy of the global model can reach up to 98.03$\mathrm{\%}$, and our analysis of computational and communication complexity shows that these costs are acceptable to users.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work was supported by National Natural Science Foundation of China[62202390]Science and Technology Fund of Sichuan Province[2022NSFSC0556]Science and Technology Fund of Sichuan Province[2023YFG0306]National Natural Science Foundation of China[62177019].