BIG DATA MINING AND ANALYTICS

ISSN 2096-0654 10/14 pp189−213

DOI: 10.26599/BDMA.2024.9020053
Volume 8, Number 1, February 2025

BPS-FL: Blockchain-Based Privacy-Preserving and

Secure Federated Learning

Jianping Yu, Hang Yao, Kai Ouyang, Xiaojun Cao, and Lianming Zhang*

Abstract: Federated Learning (FL) enables clients to securely share gradients computed on their local data with
the server, thereby eliminating the necessity to directly expose their sensitive local datasets. In traditional FL,
the server might take advantage of its dominant position during the model aggregation process to infer
sensitive information from the shared gradients of the clients. At the same time, malicious clients may submit
forged and malicious gradients during model training. Such behavior not only compromises the integrity of the
global model, but also diminishes the usability and reliability of trained models. To effectively address such
privacy and security attack issues, this work proposes a Blockchain-based Privacy-preserving and Secure
Federated Learning (BPS-FL) scheme, which employs the threshold homomorphic encryption to protect the
local gradients of clients. To resist malicious gradient attacks, we design a Byzantine-robust aggregation
protocol for BPS-FL to realize the cipher-text level secure model aggregation. Moreover, we use a blockchain
as the underlying distributed architecture to record all learning processes, which ensures the immutability and
traceability of the data. Our extensive security analysis and numerical evaluation demonstrate that BPS-FL
satisfies the privacy requirements and can effectively defend against poisoning attacks.

Key words: Federated Learning (FL); blockchain; privacy-preserving; model poisoning attack; Byzantine-
robustness

1 Introduction for traditional centralized machine learning has become

Artificial intelligence techniques[1] have shown
tremendous advantages in areas, such as medical
prediction[2], natural language processing[3], and
intrusion detection[4]. The exceptional efficacy of
machine learning models hinges on the extensive
volumes of data. However, acquiring substantial data
Jianping Yu, Hang Yao, Kai Ouyang, and Lianming Zhang are
with College of Information Science and Engineering, Hunan
Normal University, Changsha 410081, China. E-mail:
increasingly difficult with increased privacy protection
awareness and the emergence of data barriers among
institutions. Recently, Federated Learning (FL)[5] has
been extensively explored to enable a distributed
machine learning paradigm. As shown in Fig. 1, each
client in FL has its local dataset and performs local
model training. During the training process, clients
only need to transmit the computed intermediate
parameters to the central server without disclosing their
local private dataset, which may contain sensitive

[email protected]; [email protected]; 202120293789 information. After receiving the intermediate
@hunnu.edu.cn; [email protected]. parameters from each participating client, the central
Xiaojun Cao is with Department of Computer Science, Georgia
server integrates these contributions to refine and
State University, Atlanta 30303, USA. E-mail: [email protected].
enhance the global model. This characteristic has
* To whom correspondence should be addressed.
Manuscript received: 2024-04-08; revised: 2024-07-22; garnered significant attention from both academia and
accepted: 2024-08-16 industry, contributing to the progress in the

© The author(s) 2025. The articles published in this open access journal are distributed under the terms of the
Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).
 190
Central server
Global model Global model
Local model 1 Local model 2
… local model updates from clients as the direction for
Client 1 Client 2
Local database 1 Local database 2
Fig. 1 Framework of FL.
development of FL.
While FL has excellent potential in large-scale
distributed training, current systems may be threatened
by certain privacy and security risks[6, 7]. Although the
training data of each client are not directly exposed to
the server, the model updates are exposed to the servers
and may be to the public. This means that attackers
could reconstruct or infer the original training data by
analyzing the model updates uploaded by clients,
leading to privacy leakage[8, 9]. In addition, the
decentralized architecture of FL could expose the
system to model poisoning attacks. The server cannot
directly access the clients’ datasets and the joint
training process, which allows malicious clients to
potentially submit crafted gradients or maliciously
modify local data labels, severely impacting the
performance of the federated model[10].
To effectively protect clients’ privacy and prevent
data leakage, strategies, such as Secure Multi-party
Computation (SMC)[11, 12], Homomorphic Encryption
(HE)[13, 14], and Differential Privacy (DP)[15, 16], have
been proposed. SMC ensures privacy and accurate
computation through multiple interactions with clients,
but it requires significant communication costs and
demands clients to be constantly online. DP has the
capability of preventing data reconstruction by
injecting noise into gradient parameters, yet balancing
privacy protection with model quality remains a
challenge in deep learning tasks. Compared to SMC
and DP, HE allows for accurate aggregation of
gradients and permits clients to drop out during
training. It is worth noting that such privacy protection
mechanisms may increase the difficulty of identifying
model poisoning attacks, as malicious gradients
become difficult to observe or detect in ciphertext (e.g.,
from HE), providing cover for model poisoning
Big Data Mining and Analytics, February 2025, 8(1): 189−213
attacks.
To study the model poisoning attacks, researchers
have proposed various aggregation rules, such as
Krum[17], Detox[18], Trimmed-mean, and Median[19].
Global model
These rules aim to eliminate malicious gradients by
analyzing the distribution of gradients or by ranking
them. For instance, the Median rule uses the median of
Local model K
Client K
global model updates. However, the robustness of these
Local database K rules is not always reliable, and there is evidence that
algorithms, like Krum and Trimmed-mean, can be
susceptible to poisoning attacks[20]. It is important to
note that defense strategies against poisoning attacks
often require access to local gradients, which could
result in information leakage. This conflict between
privacy protection and poison attack detection makes
establishing a secure FL system challenging.
Additionally, FL schemes that rely on central
aggregators might face the issue of single-point
failures, further threatening the robustness of the FL
system.
In recent years, many researchers have proposed
solutions to privacy and security issues. For example,
Cao et al.[21] developed an FL framework, named
FLTrust, to counteract poisoning attacks. This
framework utilizes a small and clean root dataset, and
employs cosine similarity to identify malicious
gradients. However, its privacy measures during model
updates are relatively weak. To address the privacy
shortcomings in FLTrust, Dong et al.[22] designed
FLOD. FLOD uses a dual-server approach to protect
privacy during the aggregation phase and replaces the
cosine similarity used in FLTrust with Hamming
distance to prevent poisoning attacks better. However,
FLOD does not address the issue of single points of
failure in distributed systems like blockchain networks.
Ma et al.[23] proposed a scheme called Differential
Privacy Byzantine-robust Federated Learning
(DPBFL). DPBFL combines differential privacy with
RSA aggregation rules, which can defend against
Byzantine attacks while protecting privacy. However,
the introduction of noise in DPBFL adversely affects
the global model’s accuracy.
To effectively counteract poisoning attacks on
servers in FL and prevent potential malicious
behaviors, we propose an innovative Blockchain-based
Privacy-preserving and Secure Federated Learning
(BPS-FL) scheme. This scheme can effectively detect
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning
and defend against poisoning behaviors during joint
training while ensuring client privacy. In BPS-FL, we
utilize threshold Paillier homomorphic encryption
technology that allows computations on encrypted data,
where the results remain encrypted, enabling the secure
aggregation and analysis of local gradients without
violating any client privacy. To further resist model
poisoning attacks, we have established a federated
learning committee, composed of multiple members
who are responsible for interacting with the server and
executing protocols to obtain weighted scores of each
client’s local gradients without compromising their
privacy. These weighted scores can be used to identify
and penalize malicious client behaviors. By taking
advantage of the inherent features of blockchain, such
as transparency, immutability, and traceability, we
have designed a blockchain mechanism to store the
model update information of all participating clients.
Compared to the centralized federated learning where
clients communicate directly with a central server, this
mechanism not only removes the dependency on a
single server and provides a trustworthy record for
model contributors, but also effectively prevents
potential malicious tampering with the server, as well
as avoiding the risk of a single point of failure. Our
main contributions include:
● We propose BPS-FL scheme. This scheme
leverages the distributed architecture of blockchain to
enable traceability at any time and mitigate the risk of
single-point failures.
● We develop a Byzantine-robust aggregation
protocol that incorporates threshold Paillier encryption
to safeguard clients’ privacy. This innovative approach
aims to neutralize the effects of malicious gradients
and ensure the security of model aggregation at the
ciphertext level.
● Finally, we conduct a systematic evaluation
focusing on training accuracy and Byzantine
robustness. The results show that our scheme
successfully meets the goals of high fidelity, reliability,
and security.
The rest of the paper is organized as follows. Section
2 presents the related work. Section 3 discusses the
preliminaries. Section 4 describes the system model
and design goals. In Section 5, we provide a detailed
description of the BPS-FL system design. Sections 6
and 7 conduct the security analysis and performance
evaluation respectively. Finally, we conclude the paper
in Section 8.
191
2 Related Work
In this section, we briefly discuss the key research
work related to this paper and analyze the differences
between the existing solutions and the proposed
solution.
2.1 Secure FL
Google proposed FL in 2016 to improve input
prediction on mobile devices, such as keyboard
suggestions and voice recognition, while preserving the
user’s privacy[24]. In FL, aggregation schemes, such as
FedAvg and FedSGD[5], are susceptible to model
poisoning attacks. Model poisoning attacks can be
broadly divided into two main categories based on their
attack targets: untargeted attacks and targeted attacks.
The primary purpose of untargeted attacks[25, 26] is to
weaken the overall availability of the global model,
causing it to make incorrect predictions for a wide
range of test samples, thus reducing the model’s
general performance and trustworthiness. In contrast,
targeted attacks[27, 28] are more precise, aiming to
compromise the predictive integrity of the global
model in specific scenarios. Attackers carefully design
their attacks, so that the model makes incorrect
judgments with certain types of inputs while
maintaining high prediction accuracy with other types
of inputs. Such selective disruption is intended to
influence specific decisions or actions without raising
widespread suspicion.
To effectively defend against poisoning attacks
launched by malicious clients, researchers have
designed various complex aggregation rules to increase
the robustness of distributed learning systems.
Blanchard et al.[17] proposed a Byzantine-robust
distributed stochastic gradient descent algorithm called
Krum. The Krum algorithm ingeniously computes the
Euclidean distance between the local gradient of each
client and the local gradients of all other clients, using
the sum of these distances as a distance score. During
the model update process, the system selects only the
updates from clients with the lowest distance scores to
serve as the basis for the global model update. Building
on Krum, the Multi-Krum algorithm further improves
fault tolerance by not only searching for the single
best-scoring update but also selecting a set of the
lowest-scoring gradient updates from all submissions.
Specifically, the algorithm continuously selects the
lowest-scoring updates until a specified number of h
 192
local gradients have been accumulated. Once h local
gradients are selected, they are averaged to form the
final global gradient update. This method allows the
algorithm to withstand more outliers during the
aggregation process, thus significantly enhancing the
model’s robustness while maintaining its accuracy.
Similarly, Yin et al.[19] proposed two aggregation rules:
Median and Trimmed-mean. The Median method
reduces the impact of extreme values by taking the
median of each parameter from the local model updates
submitted by all clients. The Trimmed-mean method
sorts all submitted updates by parameter value,
removes the extremes, and calculates the mean of the
remaining values for the global model update, aiming
to mitigate the impact of outliers. Mhamdi et al.[29]
introduced the Bulyan method, a refined strategy that
combines the principles of Krum and Trimmed-mean.
The Bulyan algorithm first applies the Krum rule to
filter out a set of gradient updates and then aggregates
them using the Trimmed-mean rule. This two-stage
selection greatly enhances the algorithm’s resistance to
complex attack patterns, ensuring that the global
model’s updates maintain a high level of credibility
and accuracy even in highly adverse environments.
However, all these methods mentioned above involve
sending clients’ local updates directly to the server in
the form of plaintext model updates. On the server side,
these updates are analyzed and processed to be
incorporated into the global model. Such a model
update process presents notable privacy risks as the
clients’ model updates may contain sensitive data.
2.2 Private FL
In the context of FL, privacy is an evolving area of
research, particularly in preventing the central server
from misusing client dataset information. Bonawitz et
al.[30] innovated FL by introducing a protocol based on
secure multi-party computation, which uses Secret
Sharing (SS) and secure aggregation to ensure privacy
during model training. Their work maintains data
confidentiality and provides a robust method against
dishonest participants and network failures. Truex
et al.[31] extended FL’s privacy capabilities by
designing a new FL scheme combining differential
privacy and secure multi-party computation. This
scheme introduces differential privacy noise into the
model updates to prevent inference attacks on the
sensitive data of individual participants. The critical
contribution of this method is that it can maintain a
Big Data Mining and Analytics, February 2025, 8(1): 189−213
predictive accuracy of the model while ensuring a
higher level of privacy. Li et al.[32] proposed ChainFL,
which uses a chain structure and secure multi-party
computation to aggregate client gradient updates
securely. The core of ChainFL is its innovative chain
communication mechanism, which effectively reduces
the risk of privacy leakage due to multiple
communications while reducing the computational and
communication burden. Miao et al.[33] introduced the
CAFL model, which focuses on reducing
communication costs in large-scale FL deployments.
By compressing local model updates and integrating
adaptive differential privacy, the CAFL model
enhances client-side data protection, reduces
bandwidth requirements, and provides flexible levels of
privacy protection under different privacy budgets. Xu
et al.[34] proposed VerifyNet, which is a secure and
verifiable federated learning framework that combines
homomorphic encryption and secret sharing techniques
to ensure the confidentiality of local gradient updates
and the security of the overall training process. The
VerifyNet provides a novel verification mechanism
that allows participants to verify the correctness of the
aggregated results, thereby enhancing the
trustworthiness of the system.
However, the above approaches have limitations in
mitigating the risks posed by malicious or
compromised clients who may deliberately transmit
erroneous model updates, attempt to compromise the
integrity of the global model or engage in various
forms of adversarial attacks.
2.3 Secure and private FL
Privacy and security issues in FL have increasingly
attracted attention in recent research. So et al.[35]
introduced the first innovative framework, Byzantine
Robust Secure Aggregation (BRSA), to address
challenges in ensuring data privacy and model
robustness in secure federated learning. The core
concept of BRSA is that each client not only
independently updates its local model but also interacts
with all other clients to verify and ensure the accuracy
and security of the updates. In the BRSA framework,
each client uses homomorphic encryption to calculate
the distance between its local model update and those
of other clients while keeping the data encrypted. This
mechanism allows clients to detect and eliminate
outliers in model updates without revealing the
specifics of the update. Subsequently, the client sends
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning
the encrypted model updates and the calculated
distances to the central server for aggregation.
Although the BRSA framework effectively addresses
privacy protection and Byzantine fault tolerance issues,
it relies on a central server to coordinate and aggregate
all users’ local updates. This means that if the central
server fails, the entire federated learning process will
be disrupted. This reliance on a single server
architecture inevitably introduces a single point of
failure risk. Liu et al.[36] proposed a Privacy-Enhanced
Federated Learning (PEFL) framework based on linear
HE and packing techniques, which uses two non-
colluding servers and the Pearson correlation
coefficient to facilitate the detection of malicious
gradients. Nevertheless, PEFL cannot prevent server-
side malicious behaviors and single-point failures.
Zhao et al.[37] proposed a framework called SEAR,
which combines the trusted execution environment of
Intel SGX with efficient aggregation algorithms to
protect privacy while resisting Byzantine attacks.
However, this implementation is highly dependent on
specific hardware and such centralized design is prone
to a single point of failure. Zhang et al.[38] introduced
SAFELearning, an algorithm that supports backdoor
detection and privacy-preserving aggregation. The
approach randomly divides participants into several
sub-groups. It securely aggregates a sub-model for
each subgroup to filter out malicious sub-models rather
than individual models. However, when there are fewer
members in a subgroup, the privacy protection level of
the participants decreases. If there are too many
members in a subgroup, it becomes easier for an
attacker to hide their malicious models within honest
models. Moreover, the study also suggests revealing
some parameters of the sub-models, which raises a new
trade-off issue between privacy and security. Miao
et al.[39] proposed a new type of Privacy-preserving
Byzantine-robust Federated Learning scheme, called
PBFL. PBFL employs a new aggregation rule to defend
against poisoning attacks in FL while using
homomorphic encryption to ensure the privacy of client
data. The aggregation rule is inspired by the design
principle of FLTrust, where the server maintains a
small, sanitized baseline dataset to generate reliable
baseline gradients, thereby assessing whether the
gradient updates from clients could be maliciously
tampered with. Although the scheme enhances the
model’s ability to counter poisoning attacks with the
193
baseline dataset, there is a potential issue: If the sample
size of the baseline dataset is limited, its data
distribution can hardly align perfectly with the local
training samples of each client. This inconsistency in
distribution may cause global model updates to deviate
from the optimal update direction that accurately
reflects the client data distribution. In other words, if
the root dataset differs significantly from the client data
distribution, then even if the gradients uploaded by the
clients are not malicious, the global model may fail to
accurately capture the actual characteristics of the
client data, thereby affecting the performance of the
final model. Shayan et al.[40] proposed a system called
Biscotti. Biscotti combines the principles of blockchain
and cryptography to allow decentralized multi-party
machine learning while preserving privacy. Biscotti
protects the privacy of participants by introducing
differential privacy and multi-layer cryptographic
promises while employing Byzantine fault-tolerant
aggregation algorithms (e.g., Multi-Krum) to defend
against malicious attacks. Although the introduction of
noise may adversely affect the global accuracy of the
model, Biscotti avoids single points of failure through a
decentralized blockchain structure, ensuring a robust
and scalable system.
In this paper, we propose BPS-FL scheme. BPS-FL
adopts blockchain technology as the distributed
architecture for FL, where all learning processes can be
recorded in an immutable ledger, thereby preventing
malicious behaviors. Table 1 highlights the features of
the proposed BPS-FL scheme and some
aforementioned FL solutions.
3 Preliminary
In this section, we introduce the preliminaries related to
FL and threshold homomorphic encryption.
3.1 Federated learning
FL is a state-of-the-art distributed machine learning
framework that enables the training of algorithms on
multiple decentralized edge devices or servers. In FL,
the local data samples are not exchanged, which helps
in preserving privacy and reducing communication
overhead. This framework eliminates the need for
clients to send sensitive data to a central repository.
Instead, clients contribute to the learning process by
computing and sharing model updates in the form of
gradients derived from their local dataset. We consider
a network of N clients, collectively represented as
 194 Big Data Mining and Analytics, February 2025, 8(1): 189−213

Table 1 Comparison between our work and previous imbalanced data. The aggregated gradient produces a
works. global gradient, which is used to update the global
Scheme Fun1 Fun2 Fun3 Fun4 model parameters to W t+1 using a suitable learning
[17]
Blanchard et al. Yes ✘ Single No rate η .
Yin et al.[19] Yes ✘ Single No
Cao et al.[21] Yes ✘ Single No 3.2 Threshold Paillier encryption
[29]
Mhamdi et al. Yes ✘ Single No Homomorphic encryption is a type of encryption that
Miao et al.[39] No DP Single No enables computations to be performed on ciphertexts.
Xu et al.[34] No Secret sharing Single No The encrypted result obtained from these computations
So et al.[35] Yes Secret sharing Single No can be decrypted to match the result of the same
Liu et al.[36] Yes Paillier Dual No operations performed on the plaintext. This unique
[37]
Zhao et al. Yes Intel SGX Single No feature allows data to remain encrypted throughout the
Zhang et al.[38] Yes Secret sharing Single No processing phase, making it a valuable tool for
Shayan et al.[40] Yes DP Single Yes enhancing privacy and security in different
Ours Yes Paillier Single Yes computational environments. The commonly used
Notes: Fun1 : It denotes whether resisting poisoning attacks or homomorphic encryption algorithms currently include
not, Fun2 : It denotes whether providing privacy protection or Paillier[41], Cheon−Kim−Kim−Song (CKKS)[42], and
not, Fun3 : It denotes whether single server or dual server, and Somewhat Homomorphic Encryption (SHE)[43].
Fun4 : It denotes whether capable of preventing single-point
failures or not. Paillier encryption supports efficient additive
homomorphic operations. In contrast, the main
C = {C1 , C2 , . . . , C N } . Each client Ci has a private advantage of CKKS and SHE lies in their support for
dataset Di , where i ranges from 1 to N . The multiplicative homomorphic operations, though this
collaborative training process between the central typically results in higher computational and storage
server and clients involves multiple rounds, each overhead. For applications that only require additive
consisting of the following key phases: homomorphic operation, Paillier encryption is more
● Global model synchronization: The process efficient. The core procedures of the Paillier encryption
scheme can be summarized as follows:
begins with the central server distributing the latest
● Paillier.KeyGen (p, q) → (pk, sk) : The input
version of the global model, denoted as W , to all
parameters p and q are two large primes and p , q .
participating clients. This step ensures that each client
The public key pk is n = p · q , the private key sk is
starts training with the latest model, maintaining
(p, q) , and λ = lcm (p − 1, q − 1) , where lcm ( ) is the
consistency across the network.
least common multiple function. A positive integer
● Local training: During each iteration t , the clients
g = 1 + n ∈ Z∗n is chosen, such that µ=
engage in local model training. Each client Ci receives (L(gλ mod n2 ))−1 mod n exists, where Z∗n denotes the
the current global model W t and uses its dataset Di to multiplicative group of modules n , L (x) = (x − 1)/n ,
perform the training. The objective is to optimize the mod means modulo operation, x denotes a variable.
model by minimizing a predefined loss function, which ● Paillier.Enc (m, pk) → [[m]]pk : Given a plaintext
measures the prediction error of the model. After m ∈ Zn , a randomly chosen r is chosen to satisfy
training, each client computes the gradient of the loss 1 ⩽ r < n and gcd (r, n) = 1 , where gcd ( ) is the greatest
function with respect to the model parameters, common divisor function, Zn denotes the set of
resulting in a local gradient. This gradient contains the integers modulo n . the ciphertext is generated:
necessary updates based on the client’s unique dataset [[m]]pk = (n + 1)m × rn mod n2 .
and is securely transmitted to the central server to ● Paillier.Dec ([[m]]pk , sk) → m : For a ciphertext
protect the confidentiality of the raw data. [[m]]pk ∈ Z∗n , the plaintext can be obtained as
● Model aggregation: The central server aggregates m = L (cλ mod n2 ) · µ mod n , where c is ciphertext.
the local gradients received from all clients. This The (Z, T ) threshold Paillier encryption[44] has not
aggregation is performed according to predefined rules, only additive homomorphism but also threshold
which may include methods such as simple averaging properties. Each party holds a uniform public key pk ,
or more complex strategies to mitigate the effects of while the private key is split into Z shares
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning
(sk1 , sk2 , . . . , skZ ) , which requires the cooperation of at
least T participants for the cooperative decryption. The
procedure of threshold Paillier encryption is as follows:
● T-Paillier.KeyGen (p, q) → (pk, sk) : Two large
prime numbers p and q are randomly picked first and
let n = pq , then two more primes p′ , q′ that satisfy
p = 2p′ + 1 , q = 2q′ + 1 , and gcd (n, φ (n)) = 1 , are
identified, φ (n) is the Euler function. Let n′ = p′ · q′ ,
and choose a random β ∈ Z∗n , (a, b) ∈ Z∗n × Z∗n . Let
g = (1 + n)a · bn mod n2 , θ = a · n′ · β mod n . The public
key pk consists of n, g , and θ , and the private key
sk = n′ · β . This private key sk is further partitioned via
the Shamir secret sharing scheme to obtain
(sk1 , sk2 , . . . , skZ ) . Specifically, t−1 values
(a1 , a2 , . . . , at−1 ) are randomly chosen among
∑
{0, 1, . . . , n · n′ − 1} and a polynomial f (x) = t−1i=0 ai · x
is constructed, where a0 = sk . The secret share received
by the i -th participant is ski = f (i) mod n · n′ .
● T-Paillier.Enc (m, pk) → [[m]]pk : Given a plaintext
m , a number r ∈ Z∗n is chosen randomly, and the
plaintext is encrypted using the public key pk as
follows:
[[m]]pk = gm · rn mod n2
● T-Paillier.ShareDec ([[m]]pk , ski ) → [[m]]i : The
participant holding the secret share ski gets the
decryption share by
[[m]]i = [[m]]2Z!sk
pk
i
mod n2
● T-Paillier.CollaborativeDec (Q, pk) → m : If the set
Q receives at least T decryption shares, collaborative
decryption can be performed to obtain the plaintext m ,
( )
∏ Q
2µ0,
m=L [[m]] j j
mod n × 4Z!12 θ mod n
2
(3)
j∈Q
∏ ′
where Q
µ0, = Z! × j′ ∈Q\{ j} −j j ∈ Z , Q denotes set of
j
participants involved in the cooperative decryption
process, j is the index of the current participant, and j′
is the index of other participants in set Q except j.
Given two ciphertexts [[m1 ]]pk and [[m2 ]]pk , and a
constant l ∈ Zn , the homomorphic property can be
described as
[[m1 ]]pk · [[m2 ]]pk = [[m1 + m2 ]]pk
[[m1 ]]lpk = [[l · m1 ]]pk
When multiple ciphertext computations are involved,
Threshold Paillier encryption allows multiple
participants to jointly decrypt the data, with each
195
participant possessing only a portion of the decryption
key. This threshold decryption mechanism enhances
the security and fault tolerance of the system and
ensures that cryptographic models from clients can be
securely aggregated, thus effectively protecting client
privacy.
4 Problem Formulation
In this section, we present the system model, the threat
model, and design goals.
4.1 System model
Figure 2 illustrates the architecture of the proposed
BPS-FL, which is a novel integration of FL with
blockchain technology designed to enhance data
i privacy and model security across a distributed
network. The system model consists of five major
entities, each with a distinct role in the federated
learning process:
● Key Generation Center ( KGC ): KGC is the
trusted entity responsible for generating and
distributing system keys for clients and committee
members. These keys ensure that sensitive information,
(1) such as local model updates, is protected throughout
the learning process.
● Clients: Clients are the nodes in the network that
own local datasets. All authorized clients possess the
( )
same pair of asymmetric keys pkx, skx provided by
(2) KGC. In iteration t , each client Ci computes locally on
its dataset Di to generate the local gradient Gti . To
protect the privacy of the local dataset during the
learning process, clients encrypt the local gradients
using the committee’s public key. The encrypted
gradients are sent to the blockchain network for
storage.
● Cloud Server ( CS ): CS serves as an aggregator in
the BPS-FL system. Its main role is to collect
encrypted gradients from all participating clients and
calculate the updated global model. Additionally, the
CS collaborates with the committee to mitigate and
defend against potential model poisoning attacks.
● Committee ( COMM ): Members of COMM are
blockchain nodes that are set by default in the system
(4) and do not accept external registrations. The number of
members is set based on the number of all participating
(5)
nodes. The initial COMM is authorized based on their
social entity reputation value. Each member of the
committee possesses a public key pkc generated by
KGC and their own secret share skci . They are
 196
Public/Private key
Committee
Encrypted
intermediate result
Block
Block
Block
Smart contract
Encrypted
global model
Encrypted
intermediate result
Cloud server
Fig. 2 BPS-FL system model.
responsible for the collaborative decryption of
encrypted data, and cooperate with CS to implement
secure defense strategies.
● Blockchain system: The blockchain stores some
encrypted intermediate results of the cloud server’s
interaction with the committee as well as the encrypted
local gradients and encrypted global models. The
encrypted intermediate results mainly include
obfuscated encrypted gradients and encrypted model
updates. In addition, all clients jointly maintain the
blockchain ledger. Therefore, the blockchain provides
a secure and reliable storage and verification
mechanism for FL. This means that no entity can deny
its submitted updates, and any malicious attempts to
tamper with stored data can be detected.
In our system, the entities carry out steps roughly as
follows:
(1) Key generation and distribution: At the
beginning of the FL task, KGC generates and
distributes keys for the clients and the committee. Each
client gets the same pair of public and private keys
( )
pkx, skx for encrypting and decrypting messages.
(2) Initialization and encryption: CS initializes the
global model and encrypts it using the client’s public
key pkx . The encrypted global model is uploaded to the
blockchain. All authorized clients can decrypt the
global model from the blockchain using the private key
skx .
Big Data Mining and Analytics, February 2025, 8(1): 189−213
Key generation center
Intermediate
result
Encrypted global model Public/
Private key
Encrypted
gradient vector Honest Honest
client client
Honest Malicious Malicious
client client client
(3) Local gradient encryption and uploading: The
client computes the local gradient locally and then uses
the committee’s public key pkx to encrypt it and
upload it to the blockchain, thus protecting its privacy
during transmission.
(4) Aggregation and weight calculation of
encrypted gradients: CS downloads all encrypted
local gradients from the blockchain and utilizes the
additive property of homomorphic encryption to
compute the difference between each client’s local
gradient and the average gradient. To protect the
privacy of the clients, CS performs multiple rounds of
communication with COMM to compute the weight
scores of each local gradient. The results of these
computations are stored on the blockchain.
(5) Global model generation and re-encryption:
CS aggregates the encrypted local gradients based on
the weight scores to obtain an encrypted global
gradient. CS communicates with COMM to protect the
client’s privacy while obtaining a global model
encrypted with the client’s public key pkx and saves it
to the blockchain.
To improve the system’s security and credibility, the
clients, the CS, and the COMM all need to pay a
certain deposit using the smart contract.
4.2 Threat model
CS and COMM are assumed not to collude with each
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning
other. They are characterized as “curious but honest”
entities, indicating that they faithfully carry out the
tasks established by the protocol but may be driven by
curiosity to extract or infer additional information. It is
important to note that, in practice, CS and COMM may
engage in such curious behavior driven by commercial
interests and attempt to access clients’ private data.
That means its members are semi-trustworthy. In BPS-
FL, we have defined two types of clients: honest client
and malicious client.
Definition 1 (Honest client) An honest client Ci
refers to those who upload an unbiased estimate of the
true gradient Gi calculated on their private dataset Di
in accordance with the protocol.
The main goal of these clients is to jointly optimize
and enhance the performance of the global model by
contributing true local gradient updates.
Definition 2 (Malicious client) A malicious client
Ci∗ refers to those who may be controlled by attackers
and upload harmful gradients to compromise the
accuracy of the FL model.
Malicious clients may intentionally submit distorted
gradients in order to execute precise model poisoning
attacks or contribute arbitrary gradients to compromise
the precision of the global model. Although these
malicious clients have their own datasets containing
potentially poisoned datasets, they are unable to
directly access the local datasets of other honest clients.
They can access the encrypted global model and
decrypt it, but they cannot independently observe the
model updates of honest clients. Moreover, malicious
clients may collude, amplifying the impact of their
attacks by sharing strategies and objectives. They are
capable of launching targeted or Untargeted attacks to
disrupt the learning process of the model.
In response to such behavior, we propose the
definition of a model poisoning attack:
Definition 3 (Model poisoning attack) A model
poisoning attack is a strategy where a malicious client
Ci∗ uploads poisoned gradients to manipulate and
misdirect the update process of the global model,
thereby reducing the model’s performance.
The objective of malicious clients is to solve the
following optimization problem:
argmax S (W − W ∗ ) (6)
Wi ∈ [1, N]
where S represents the transposed column vector of the
signs of the global model updates before the attack, W
197
is the global model before the attack, and W ∗ is the
global model after the attack.
In the BPS-FL, we focus on the following potential
threats:
(1) Data leakage: The local gradients of a client can
reflect the statistical characteristics of their local
dataset, which attackers might exploit to leak data and
obtain sensitive raw data.
(2) Poisoning attacks: Malicious clients may
conduct poisoning attacks on the global model by
uploading carefully crafted gradient updates, causing
the model to learn inaccurate information and thus
reducing its performance.
(3) Inference attacks: During the aggregation of
local updates to update the global model, CS and
COMM need to exchange some intermediate
computational results. Malicious entities might exploit
this exchange process to extract or infer sensitive
information, further violating client privacy.
4.3 Design goals
Our goal is to develop a blockchain-based privacy-
preserving and secure federated learning scheme that
can ensure data privacy while effectively defending
against model poisoning attacks from malicious clients.
To achieve this goal, the proposed scheme must
integrate Byzantine fault-tolerance mechanisms to
enhance system robustness while ensuring data
privacy. Furthermore, we strive to design a scheme
that, while ensuring security, can achieve or approach
the accuracy level of standard federated learning
algorithms, like Federated Averaging (FedAvg) or
Federated Stochastic Gradient Descent (FedSGD). Our
scheme focuses on security and privacy protection
through blockchain and homomorphic encryption.
Distinct from FedAVG, where the entire set of model
parameters is sent to the server for aggregation to form
a global model, in FedSGD, only gradients are
transmitted each time. The server averages these
gradients and subsequently updates the global model. It
is relatively straightforward to implement, control
variables in experiments, and employ it as a benchmark
model to verify the security and robustness of the
scheme. To this end, our FL scheme is designed to
achieve the following three core design goals:
● Fidelity. The scheme must ensure that the
accuracy of the global model is not compromised.
Specifically, we aim to train a highly accurate global
 198
model equivalent to FedSGD, with privacy protection
provided by carefully designed optimization
algorithms.
● Security. The scheme should satisfy dual security
goals: (1) protect the privacy of client data during
model training, preventing data leakage and inference
of sensitive information by other participants; and (2)
design effective mechanisms to resist malicious
attacks, ensuring that malicious clients cannot
influence the accuracy of the global model by
submitting anomalous gradients.
● Reliability. The scheme should ensure that all
operations in the FL system are reliably recorded, and
the behavior of all participating entities can be
comprehensively and accurately tracked and audited,
thus maintaining the transparency and fairness of the
system.
5 System Design
In this section, we present the technical details of the
setup phase, local training phase, and robust
aggregation phase in BPS-FL. Table 2 presents the
main notations and symbols used.
5.1 Setup phase
During the setup phase as shown in Algorithm 1, KGC
performs key distribution, and CS uploads the initial
global model to the blockchain.
(1) Key distribution: KGC generates the same pair
of asymmetric keys for Paillier homomorphic
encryption for all authorized clients, and generates the
public and private keys of threshold Paillier
homomorphic encryption for the committee. The
Table 2 Involved notations.
Notation Description
pkx Public key of the client
skx Private key of the client
pkc Public key of the committee
skci Private key share of COMMi
Di Training dataset of the client Ci
Wt Global model at iteration t
Gti Local gradient of client Ci at iteration t
Ḡt Average gradient at iteration t
dti Distance vector of the client Ci at iteration t
dit Distance value of the client Ci at iteration t
σ (d̂it ) Weight of the local gradient of client Ci at iteration t
[[m]]pk Ciphertext of plaintext m encrypted with public key pk
η Learning rate
Big Data Mining and Analytics, February 2025, 8(1): 189−213
Algorithm 1 Setup
Input: (1) Large prime numbers p, q, p̂, and q̂ ;
(2) N clients {C1 , C2 , . . . , C N } ;
(3) Committee {COMM1 , COMM2 , . . . , COMMK } .
Output: System keys pkx, skx, pkc, skc1 , skc2 , . . . , skcK .
1: /*Key distribution*/
2: KGC generates ( pkx, skx ) ← Paillier.KeyGen (p, q) ;
3: KGC generates ( pkc, skc ) ← T-Paillier.KeyGen ( p̂, q̂) ;
4: skc is split into K shares (skc1 , skc2 , . . . , skcK ) using Shamir
secret sharing technique;
5: for Ci ∈ [1, N] ∈ C do
6: Ci ← (pkx, skx) ;
7: end for
8: KGC distributes pkc and skci to COMMi ∈ [1, K] ;
9: /*Global model upload*/
10: CS initializes global model W init ;
11: [[W init ]]pkx ← Paillier.Enc (W init , pkx) from CS;
12: CS sends [[W init ]]pkx to blockchian;
13: return pkx, skx, pkc, skc1 , skc2 , . . . , skcK .
committee’s private key generates a secret share via the
Shamir secret sharing technique, which is then
distributed to each member of the committee. Since
individual members may try to tamper with data or
perform malicious operations, and key leakage or
destruction may also occur, the security of the entire
system will be threatened if it relies only on a single
member for decryption, and it also faces the risk of a
single point of failure. By requiring multiple members
to participate in decryption, the threshold mechanism
can effectively prevent the malicious behavior of a
single member and also prevent the single point of
failure problem. Therefore, the committee can
collaboratively decrypt the ciphertext only if the owned
secret share is not less than T .
(2) Model upload: At the beginning of the FL task,
CS first randomly initializes the parameters of the
global model, denoted as W init . To protect the privacy
of the model, CS encrypts W init with the public key pkx
of the participating clients. The encryption ensures that
only authorized clients can decrypt and use the global
model. Once the encryption is complete, CS uploads
the encrypted global model [[W init ]]pkx to the
blockchain. As a decentralized platform, the
blockchain ensures the safety of the global model as
data storage and protects it from unauthorized access
during the federated learning process, providing a
collaborative and secure environment for the
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning 199

participants. training, client Ci initiates the process by decrypting

the encrypted global model [[W t ]]pkx using the
5.2 Local training phase
Paillier.Dec function. The decrypted model parameters
During the local gradient training phase, clients are are then used by client Ci to perform computations on
responsible for learning and uploading their model its own dataset Di , resulting in an updated local
training results locally. Specifically, each client first gradient as
downloads the t -th round securely encrypted global
Gti = ∇L (W t , Di ) (7)
model from the blockchain. After decrypting the
encrypted global model using its own private key skx , Central to these computations is the empirical loss
the clients get the plaintext of the global model and can function ∇L (W t , Di ) , which quantifies the divergence
train on their own dataset. In this process, the clients between the global model predictions and the actual
use the Stochastic Gradient Descent (SGD) algorithm observations in Di . The gradient operator ∇ is critical
to optimize the model parameters to get local gradient in directing the optimization process, indicating how
updates. After the training is completed, the clients do the model weights should be changed to minimize the
not directly disclose their training results. To prevent loss function, and thus improve the predictive accuracy
potential data leakage and protect personal privacy, the of the model.
clients encrypt the locally updated models. This step (2) Gradients upload: To ensure the confidentiality
critically ensures the confidentiality and integrity of the of data during the t -th training iteration, the client
information during the upload process. Finally, the needs to encrypt the model parameters before
encrypted training results are securely uploaded back to uploading the local gradients to the blockchain.
the blockchain, awaiting further aggregation and global Specifically, the client needs to encrypt the local
gradient [[Gti ]]pkc with the public key pkc of the
model updates. As shown in Algorithm 2, each client
conducts the following steps: committee by calling the function T-Paillier.Enc ,
where [[Gti ]]pkc = {[[gti1 ]]pkc , [[gti2 ]]pkc , . . . , [[gtiz ]]pkc } and gt
(1) Local training: During the t -th iteration of
denotes the element in the local gradients, and z is the
Algorithm 2 Local_Training dimension of the local gradient. It is worth noting that
Input: (1) Client Ci ∈ [1, N] ; malicious clients may launch model poisoning attacks.
(2) Local training dataset Di ∈ [1, N] ; They can craft poisonous local gradients and encrypt
(3) Local learning rate η ; them using public keys, then send these encrypted
(4) Local epochs e ; poisonous gradients to the blockchain. If the CS
(5) System keys skx and pkc . unconsciously integrates these poisonous gradients and
Output: Encrypted local gradients. updates the global model, it may lead to a decrease in
1: /*Local model training*/ model performance, or even make the model
2: for Ci ∈ [1, N] ∈ C do completely ineffective, posing a threat to the security
3: Ci get the global model [[W t ]]pkx from blockchain; and effectiveness of the entire system. Therefore,
W t ← Paillier.Dec ([[W t ]]pkx , skx) ;
encryption provides concealment for model poisoning
4:
attacks. To efficiently identify and process these
5: for j ∈ [1, e] do
encrypted poisonous gradients, CS employs a series of
6: Take a random batch D′ from samples Di ;
7: /*Gradient descent*/
multiple rounds of interactions with COMM. These
interactions occur within a carefully designed security
8: Gti ← ∇L (W t , D′ ) ;
protocol that aims to minimize the adverse effects of
9: W t+1 ← W t − ηGti ; poisonous gradients on the global model.
10: end for
5.3 Robust aggregation phase
11: [[Gti ]]pkc ← T-Paillier.Enc (Gti , pkc) ;
12: /*Gradient upload*/ In this phase, CS needs to extract all encrypted local
gradients from the blockchain and utilize them for
13: Ci sends [[Gti ]]pkc to blockchain;
14: end for
model aggregation. If CS decrypts these local gradients
directly, the client’s privacy may be violated. To
15: return [[Gti ]]pkc .
address this, we design a protocol with Byzantine-
 200
robust aggregation, where CS and COMM interact to
perform secure aggregation of models at the ciphertext
level while effectively preventing malicious clients
from poisoning attacks. We compute the deviation of
each client’s local gradient from the average gradient
and determine the weight of each local gradient in the
aggregation based on this deviation. In this way, we
can effectively weaken the impact of malicious
gradients.
(1) Distance calculation: CS gets the encrypted
local gradients {[[Gti ]], i ∈ [1, N]} uploaded by the
clients from the blockchain. We use {[[Gti ]]pkc }i=N
i=1 to
denote the set of N local gradients. The encrypted
average gradient can be computed according to the
additive homomorphic property of the Paiilier
algorithm of Eqs. (4) and (5),
 N  N1
∏  ∏
N
1
[[Ḡ ]]pkc =  [[Gi ]]pkc  =
t t
[[ Gti ]]pkc
i=1
N i=1
Equation (9) calculates the distance between the local
gradient and the average gradient for each client, where
ḡt denotes the element in the average gradient,
[[dit ]]pkc =[[Gti ]]pkc · [[Ḡt ]]−1
pkc =
{[[gti1 ]]pkc · [[ḡt1 ]]−1 t −1
pkc , [[gi2 ]]pkc · [[ḡ2 ]]pkc , . . . ,
t
[[gtiz ]]pkc · [[ḡtz ]]−1
pkc } =
{[[gti1 − ḡt1 ]]pkc , [[gti2 − ḡt2 ]]pkc , . . . , [[gtiz − ḡtz ]]pkc }
Similar to the previous notation for sets of local
gradients, we use {[[dti ]]pkc }i=N i=1 to denote a set of
distances, where each element represents the distance
of the local gradient from the average gradient for each
client. Here, it is important to specify that dti is a
vector. In order to obtain the l2 -norm of the vector
without directly revealing dti , we propose the security
protocol SecDist. Specifically, we assume that
[[dti ]]pkc = {[[xi1
t ]]
pkc , [[xi2 ]]pkc , . . . , [[xiz ]]pkc }
t t
and four
algorithms are designed into the protocol, each of
which plays its own role to ensure modularity and
clarity throughout the safe distance calculation process.
Below are the specific roles of each algorithm:
(a) Preprocessing and obfuscation: This algorithm
is responsible for the preprocessing and obfuscation of
the input encrypted distance vectors. Its main function
is to introduce randomness to maintain the encryption
state and protect the privacy of the original data during
subsequent calculations. The specific steps involve
multiplying the ciphertext [[xit j ]]pkc of each element in
Big Data Mining and Analytics, February 2025, 8(1): 189−213
the distance vector [[dit ]]pkc by the ciphertext [[ri ]]pkc of
a randomly sampled value to achieve obfuscation,
[[ x̄it j ]]pkc = [[xit j ]]pkc · [[ri ]]pkc (10)
We represent the result of multiplying [[xit j ]]pkc and
[[ri ]]pkc as [[ x̄it j ]]pkc . The encrypted vector [[Rti ]]pkc =
{[[ x̄i1
t ]]
pkc , [[ x̄i2 ]]pkc , . . . , [[ x̄iz ]]pkc } is processed in this
t t
manner and then sent to the blockchain for subsequent
distance calculations. The steps involved in Algorithm
3 illustrate this process.
(b) Decryption and squares summation: The
algorithm downloads and processes obfuscated
encrypted vectors from the blockchain. Its primary
responsibility is to implement a collaborative
decryption process by calling the functions
T-Paillier.ShareDec and T-Paillier.CollaborativeDec .
The goal is to recover the plaintext value of each
(8) element in the encrypted vector [[Rti ]]pkc . Note that the
success of the decryption operation relies on the secret
shares held privately by at least T committee members,
which ensures the security and distributed nature of the
decryption. Once decryption is complete, the algorithm
calculates the sum of the squares of each element in the
Rti vector. To further protect the privacy of the data, the
committee must re-encrypt the sum of squares using
the T-Paillier.Enc function and the committee’s public
key. This step prevents any possible data leakage
(9)
during data transfer and storage. Finally, these
encrypted sum of squares are sent to the blockchain for
storage. Algorithm 4 provides detailed steps for this
process.
Algorithm 3 Preprocessing and obfuscation
Input: Encrypted distance vectors {[[d1t ]]pkc , [[d2t ]]pkc , . . . ,
[[dNt ]]pkc } .
Output: Obfuscated distance vectors {[[Rti ]]pkc }i=N i=1 .
1: for i = 1 to N do
{ }
2: [[dit ]]pkc = [[xi1
t ]]
pkc , [[xi2 ]]pkc , . . . , [[xiz ]]pkc ;
t t
3: /*Randomly select a nonzero integer ri */
4: for j = 1 to z do
5: [[ x̄it j ]]pkc = [[xit j ]]pkc · [[ri ]]pkc = [[xit j + ri ]]pkc ;
6: end for
{ }
7: [[Rti ]]pkc = [[ x̄i1
t ]]
pkc , [[ x̄i2 ]]pkc , . . . , [[ x̄iz ]]pkc ;
t t
8: end for
9: Send {[[Rti ]]pkc }i=N
i=1 to blockchain;
10: return {[[Rti ]]pkc }i=N
i=1 .
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning 201

Algorithm 4 Decryption and square summation that leverage the homomorphic properties of
Input: Obfuscated distance vectors {[[Rt1 ]]pkc , [[Rt2 ]]pkc , ..., encryption, enabling mathematical operations to be
[[Rti ]]pkc } . performed on encrypted data without revealing any
Output: A set of encrypted squared sums {[[Sumti ]]pkc }i=N original information. Once these homomorphic
i=1 .
1: for i = 1 to N do calculations are completed, the encrypted distance
values are sent to the blockchain in preparation for the
2: Download [[Rti ]]pkc from blockchain;
final decryption step. The steps involved in this process
3: for j = 1 to T do
are described in Algorithm 5.
4: [[Rti ]] j ← T-Paillier.ShareDec ([[Rti ]]pkc , skc j ) ; (d) Final decryption and distance calculation: The
5: end for algorithm is responsible for downloading the final
j=T
6: Rti ← T-Paillier.CollaborativeDec ({[[Rti ]] j } j=1 , pkc) ; encrypted distance value from the blockchain. Similar
to the previous decryption, this process also requires
7: /*Sum the elements in Rti */
( )2 ( )2 ( )2 the secret shares held by at least T committee members
8: t
Sumti = x̄i1 + x̄i2
t + · · · + x̄iz
t
; to collaboratively decrypt and calculate the final
9: [[Sumti ]]pkc ← T-Paillier.Enc (Sumti , pkc) ; distance value. After decryption, the algorithm
10: end for performs a square root operation on the decrypted
distance values to recover the original measurements.
11: Send {[[Sumti ]]pkc }i=N
i=1 to blockchain;
These measurements are then uploaded to the
12: return {[[Sumti ]]pkc }i=N
i=1 . blockchain for storage, and can be used directly in
subsequent weight calculations. It is worth noting that
(c) Encrypted distance generation: This algorithm the privacy of these distance values does not need to be
performs further processing on the previously protected. Even if the distance values are disclosed to
calculated encrypted sum of squares. The specific the public, the client’s privacy is not compromised.
operation involves multiplying the encrypted sum of The relevant steps are shown in Algorithm 6.
squares [[Sumti ]]pkc and [[2 · ri · Σxiz + z · ri2 ]]−1
pkc to The security protocol SecDist is formed by
eliminate noise and calculate the final encryption combining these four algorithms into one. Each
distance value [[dit ]]pkc . That’s because algorithm is an independent module. CS and COMM
call the corresponding algorithm to complete specific
∑
z
t 2
( x̄i1 ) +( x̄i2
t 2
) + · · · + ( x̄izt )2 = (xit j + ri )2 = tasks, while ensuring the security and privacy of the
j=1 entire protocol. Algorithm 7 describes the SecDist
∑
z [ ] protocol. Additionally, Fig. 3 provides the sequence
(xit j )2 + 2ri xit j + ri2 = diagram of SecDist.
j=1
(2) Weight calculation: We assign a weight to each
∑
z
t 2
(xi1 ) + (xi2
t 2
) + · · · + (xizt )2 + 2ri xit j + zri2 (11)
local gradient to mitigate the effect of malicious
j=1 gradients. This weight depends on how far the client’s

Equation (11) is expressed in homomorphic Algorithm 5 Encrypted distance generation

encryption as Input: A set of encrypted squared sums {[[Sumti ]]pkc }i=N
i=1 .

[[Sumti ]]pkc = [[(xi1

t 2
) + (xi2 ) + · · · + (xizt )2 +
t 2 Output: Encrypted distance values {[[dit ]]pkc }i=N
i=1 .
1: /*Remove the random noise ri */
∑ z
2ri xit j + zri2 ]]pkc (12) 2: for i = 1 to N do
j=1
3: Download [[Sumti ]]pkc from blockchain;
In order to get the distance value, we have 4: [[dit ]]pkc = [[(xi1
t )2 + (xt )2 + · · · + (xt )2 ]]
pkc =
i2 iz

[[dit ]]pkc = [[(xi1

t 2
) + (xi2
t 2
) + · · · + (xizt )2 ]]pkc = [[Sumti ]]pkc · [[2ri Σxiz + zri2 ]]−1
pkc ;

[[Sumti ]]pkc · [[2ri Σxiz + zri2 ]]−1

pkc (13) 5: end for

6: Send {[[dit ]]pkc }i=N

i=1 to blockchain;
Note that the distance dit is a value and not a vector.
7: return {[[dit ]]pkc }i=N
i=1 .
This process involves a series of arithmetic operations
 202 Big Data Mining and Analytics, February 2025, 8(1): 189−213

Algorithm 6 Final decryption and distance calculation

Input: Encrypted distance values {[[dit ]]pkc }i=N .
{ } i=1
Output: Distance values d1 , d2 , . . . , dN .
t t t
Cloud server Committee
1: for i = 1 to N do Preprocessing and obfuscation

2: Download [[dit ]]pkc from blockchain;

Decryption and squares summation
3: for j = 1 to T do
SecDist Encrypted distance generation
4: [[dit ]] j ← T-Paillier.ShareDec ([[dit ]]pkc , skc j ) ;
5: end for Final decryption and distance calculation
j=T
6: dit ← T-Paillier.CollaborativeDec ({[[dit ]] j } j=1 , pkc) ;
√
7: dit ← dit ; Time Time
8: end for
Fig. 3 Sequence diagram of interaction between CS and
9: Send {dit }i=N
i=1 to blockchain;
COMM.
10: return {d1t , d2t , . . . , dN
t }.
the above steps, we can calculate how much each
client’s local gradient deviates from the average
Algorithm 7 SecDist
gradient. Finally, we normalize {d̂it }i=N
i=1 using the
Input: Encrypted distance vectors {[[d1t ]]pkc , d2t ]]pkc , . . . ,
Softmax function, which is described as
[[dNt ]]pkc } .
{ }
e−d̂i
t
Output: Distance values d1 , d2 , . . . , dN .
t t t
σ (d̂it ) =
1: CS: ∑
N −d̂t (15)
e j
j=1
2:Preprocessingandobfuscation ([[d1t ]]pkc , d2t ]]pkc , . . . , [[dNt ]]pkc )
t
→ {[[Rti ]]pkc }i=N
i=1 ; After normalization, a smaller value of d̂i indicates
3: COMM: that the client’s training dataset and model updates are
4: Decryption and squares summation ({[[Rti ]]pkc }i=N
i=1
)→ more accurate and reliable and should be given a
{[[Sumti ]]pkc }i=N
i=1 ; higher weight. Conversely, a larger value of d̂it
5: CS: indicates that the client’s local gradient is significantly
6: Encrypted distance generation ({[[Sumti ]]pkc }i=N
i=1
)→ different from the average gradient, which could be due
{[[dit ]]pkc }i=N
i=1 ; to the uniqueness of its dataset or intentionally
7: COMM: uploaded abnormal gradients by malicious clients. In
8: Final decryption and distance calculation ({[[dit ]]pkc }i=N ) such cases, a lower weight should be assigned. The
i=1
→ {dit , di+1
t , . . . , dt } ; influence of malicious gradients can be effectively
{ N
}
d
9: return i i+1
t , dt , . . . , dt
N .
controlled, and the robustness of the model can be
enhanced through the adjustment of weights.
(3) Model update: After obtaining a set of weights
local gradient deviates from the average gradient. First,
{σ (d̂it )}i=N
i=1 , CS updates the global model as
CS obtains the distance between the client’s local
gradient and the average gradient in the blockchain, N σ (d̂ t )G t
∑ i i
W t+1 ← W t − η
and we assume dt = {dit , di+1 i=1 ∑
t , . . . , dt } N (16)
N . The malicious σ (d̂tj )
clients may upload local gradients with large j=1

magnitudes to amplify their impacts, which can cause Algorithm 8 shows the proposed security protocol
the average gradient to deviate from the normal range. SecAgg, which enables secure aggregation without
t
Therefore, we take the median value of dt to dmed and making Gti public. Specifically, using the additive
compute homomorphic property of homomorphic encryption,
CS is able to compute the ciphertext [[W t+1 ]]pkc of the
d̂it = |dit − dmed
t | (14)
global model, as shown in Line 3. Next, CS multiplies
We use d̂it as a criterion for similarity. According to this encrypted global model with the ciphertext of the
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning 203

Algorithm 8 SecAgg Algorithm 9 BPS-FL

Input: (1) Local gradients {[[Gti ]]pkc , [[Gti+1 ]]pkc , . . . , [[GtN ]]pkc } ; Input: (1) Client Ci ∈ [1, N] ;
(2) Local training dataset Di ∈ [1, N] ;
(2) Weights {σ (d̂it ), σ (d̂i+1
t ), . . . , σ (d̂ t )} ;
N
(3) Local learning rate η ;
t
(3) Global model [[W ]]pkc ;
(4) Local epochs e ;
(4) Systems keys pkx, pkc, skc1 , skc2 , . . . , skcK .
(5) Global epochs E .
Output: Encrypted global model.
Output: Encrypted global model.
1: CS: 1: KGC distributes system keys & CS initializes global models
2: /*Model update*/ using Setup ( · );
∏N σ (d̂it )Gti −1
2: for i = 1 to E do
3: [[W t+1 ]]pkc = [[W t ]]pkc · ( i=1 [[η ∑Nj=1 σ (d̂t ) ]]pkc ) ;
j 3: for i = 1 to N do
4: /*Randomly select a nonzero integer r′ */ 4: Ci calls Local_Traing ( Di , η, e );
5: [[R]]pkc = [[W t+1 ]]pkc · [[r′ ]]pkc ; 5: end for
6: Send [[R]]pkc to blockchain; 6: CS downloads {[[Gti ]]pkc }i=N
i=1 from blockchain;
7: COMM:
7: CS obtains encrypted distance vectors {[[dti ]]pkc }i=N
i=1 by Eqs.
8: Download [[R]]pkc from blockchain; (8) and (9);
9: for j = 1 to T do SecDist ({[[dti ]]pkc }i=N ) → {dit , di+1
t , . . . , dt } ;
8: i=1 N
10: [[R]] j ← T-Paillier.ShareDec ([[R]]pkc , skc j ) ; t
9: CS get the median dmed of {dit , di+1
t , . . . , dt } ;
N
11: end for
10: for i = 1 to N do
j=T
12: R ← T-Paillier.CollaborativeDec ({[[R]] j } j=1 , pkc) ;
CS computes d̂i = |di − dmed | ;
t t t
11:
13: [[R]]pkx ← Paillier.Enc (R, pkx) ; 12: end for
14: Send [[R]]pkx to blockchain; 13: CS calculates weights {σ (d̂it ), σ (d̂i+1
t ), . . . , σ (d̂ t )} by
N
15: CS:
Eq. (15);
16: Download [[R]]pkx from blockchain;
14: SecAgg ({[[Gti ]]pkc }i=N , {σ (d̂it )}i=N , [[W t ]]pkc )→ [[W t+1 ]]pkx ;
17: /*Remove the random noise r′ */
i=1 i=1
15: end for
18: [[W t+1 ]]pkx = [[R]]pkx · [[r′ ]]−1
pkx ; 16: return [[W t+1 ]]pkx .
19: Send [[W t+1 ]]pkx to blockchain;
20: return [[W t+1 ]]pkx . the federated learning task starts. If any entity
misbehaves, the relevant evidence can be submitted to
randomly sampled value r and sends the result, which the blockchain, and then its deposit will be forfeited.
is the obfuscated value, to the blockchain. Then,
6 Theoretical Analysis
COMM can download these values from the
blockchain and collaboratively decrypt them, encrypt In this section, we analyze the security of BPS-FL as
the decrypted values with the client’s public key pkx , well as its computational and communication
and upload the ciphertext to the blockchain. CS can complexity.
download the ciphertext, apply the additive
6.1 Security analysis
homomorphic property to remove the noise, and obtain
the ciphertext [[W t+1 ]]pkx for the global model, which The functional privacy and semantic security of Paillier
will be uploaded to the blockchain in Lines 18 and 19. homomorphic encryption and threshold Paillier
Algorithm 9 shows the overall processes of the homomorphic encryption are building blocks for the
proposed BPS-FL. In BPS-FL, the training process strong security in BPS-FL. In this section, we present a
ends when the client’s objective function converges. hybrid argument[44] that utilizes a simulator to further
Otherwise, the client repeats the subsequent execution demonstrate BPS-FL does not disclose any sensitive
of the local training phase, as well as the robust information about the local gradient.
aggregation phase by CS and COMM. It is worth Definition 4 (BPS-FL security) Given a security
noting that the clients, CS and COMM have to submit a parameter κ , an arbitrary subset of clients C and
κ
certain amount of deposit to the smart contract before G = {CS, COMM} . Let REALC, G be the random
 204
variable representing the joint view of the parties to G
of the above protocol during its actual execution. BPS-
FL security holds if there exists a Probabilistic
Polynomial Time (PPT) simulator SIM , and the output
of SIM is computationally indistinguishable from
κ
REALC, G ,
κ κ
REALC, ≡ SIMC, ,
G G
where “ ≡ ” means computationally indistinguishable.
Theorem 1 (Data confidentiality) Based on
Paillier security, BPS-FL achieves security according
to Definition 4.
Proof We use a standard hybrid argument to prove
this theorem. Our aim is to show that the joint view of
the output of SIM is indistinguishable from REALC,
Our argument is divided into several consecutive parts,
denoted by Hybi . In each part, we make some safe
modifications so that we can prove the computational
indistinguishability.
Hyb1: In this hybrid, we initialize a series of random
variables whose distribution is indistinguishable from
κ
the joint view REALC, G
G of the parties in .
Hyb2: In this hybrid, we change the behavior of
simulated honest clients Ci ∈ C . Each Ci client encrypts
a randomly chosen vector βi using the public key pkc
instead of the original local gradient Gti . Under the
decision composite residual assumption, since we only
change the content of the ciphertext, the two non-
colluding CS and COMM cannot distinguish the view
of βi from the view of Gti using the
INDistinguishability under Chosen Plaintext Attack
(IND-CPA) security property of HE. Thus the IND-
CPA security property of HE ensures that the hybrid is
indistinguishable from the previous hybrid.
Hyb3: In this hybrid, we simulate CS using [[θi ]]pkc
instead of [[dit ]]pkc to change the input for CS and
COMM to execute the SecDist protocol, where θi is a
randomly chosen vector. At the same time, instead of
[[x]]pkc · [[r]]pkc , we simulate CS perturbing θi with a
random uniformly sampled noise ζi . Since the
parameters added by the uniform random numbers are
also uniformly random, and the noise ζ is sampled
from the same uniform distribution, they have the same
stochastic properties. The IND-CPA security property
of HE, as well as the two non-colluding CS and
COMM settings ensure that the hybrid is
indistinguishable from the previous hybrid.
Hyb4: In this hybrid, instead of [[W t ]]pkc and [[Gti ]]pkc ,
Big Data Mining and Analytics, February 2025, 8(1): 189−213
[[ξt ]]pkc and [[θi ]]pkc are used to change the inputs of the
protocol SecAgg executed by CS and COMM. Since
only the content of the ciphertext is changed, the IND-
CPA security of HE and the two non-colluding CS and
COMM settings ensure that the hybrid is
indistinguishable from the previous hybrid.
Hyb5: In this hybrid, we use [[ξt+1 ]]pkc · [[ζ]]pkc instead
of [[W t+1 ]]pkc · [[r]]pkc to re-encrypt the parameters. Even
though COMM can decrypt the above ciphertext, the
hybrid has the same distribution as [[W t+1 + r]]pkc .
Therefore, this hybrid is indistinguishable from the
previous one.
Combining all the above hybrid from 1 to 5, we
conclude that there exists a simulator SIM sampled
κ
G . from the above distributions, making its output
computationally indistinguishable from that of REAL .
■
6.2 Complexity analysis
To evaluate the efficiency of BPS-FL, we analyze the
communication and computation overhead of BPS-FL.
Let N denote the number of clients, z denote the
dimension of the local gradient, T tr denote the time
overhead of local model training, T enc denote the time
overhead of homomorphic encryption, T dec denote the
time overhead of homomorphic decryption, and T mul
denote the time overhead of multiplication.
During the local training phase, each client Ci trains
its own local gradient using the local training dataset
and then encrypts its own local gradient [[Gti ]]pkc .
Therefore, its computational cost increases linearly
with the number of model parameters during the
training and encryption processes, which is
O (T tr + zT enc ) . The communication complexity is
O (z|Xenc |) , where |Xenc | is the communication
complexity of the encrypted numbers. In the SedDist
process, the complexity mainly depends on the number
of clients N and the dimension of the local gradient z .
The computational complexity is O (N · z (T dec + T mul ))
and the communication complexity is O (4N · z |Xenc |) .
In the SedAgg process, the computational complexity is
O (z (T enc + T dec + T mul )) and the communication
complexity is O (3z |Xenc |) .
7 Performance Evaluation
In this section, we present the evaluation of our
proposed BPS-FL through a series of experiments on
real datasets. The experimental setup consisted of a
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning 205

machine running the Ubuntu 20.04 operating system, potentially compromise the data integrity of machine
powered by an Intel (R) Xeon (R) Platinum 8338C learning models. To simulate an untargeted attack, we
CPU clocked at 2.60 GHz and complemented by an randomly relabel local training samples held by
NVIDIA RTX 3090 GPU for enhanced computational malicious clients to the wrong classes, then use these
performance. relabeled samples to generate local poisonous
gradients. To replicate the targeted attack, malicious
7.1 Experimental setup
clients deliberately mislabel data samples from class
(1) Dataset and settings: To evaluate the performance “1” to class “7”, ensuring that there are no
of BPS-FL, we conduct experiments using four well- misclassifications for other classes, thereby generating
known datasets: MNIST, Fashion MNIST, CIFAR-10, poisonous gradients.
and CIFAR-100. The MNIST dataset serves as a (3) FL settings: In our evaluation, we employ the
benchmark in the realm of machine learning, cross-entropy loss function within a cross-silo
comprising a collection of 60 000 training samples and federated learning setup. Specifically, we set the
10 000 test samples of handwritten digits ranging from number of clients to n = 10 , selecting all clients for
0 to 9, each represented as a 28 by 28-pixel grayscale participation during each iteration of the training
image. The Fashion MNIST dataset, providing a process. To train the model, we consider four distinct
comparable structure to MNIST, increases the architectural structures. Firstly, depending on the
complexity by featuring grayscale images across 10 content complexity of the dataset, we utilize a
distinct categories of fashion items, such as shirts, MultiLayer Perceptron (MLP) structure, which consists
sweaters, and skirts. Additionally, the CIFAR-10 of three fully connected layers with Relu activation
functions to ensure the capacity for non-linear
dataset introduces a broader set of 60 000 32 pixel ×
expression. The detailed architecture of the MLP is
32 pixel color images, divided into 10 classes with
presented in Table 3. Secondly, we consider a
6000 images each, offering a more challenging
Convolutional Neural Network (CNN) structure,
scenario for image recognition. The CIFAR-100
composed of two convolutional layers followed by a
dataset is further subdivided into 100 fine-grained
fully connected layer, designed to capture the spatial
classes on CIFAR-10, and the similarity between hierarchical features of image data. The specific
image classes is higher, which puts higher architecture of the CNN is delineated in Table 4. For
requirements on the model feature extraction
capability. Table 3 MLP architecture for MNIST.
Serial Number of
To simulate the blockchain environment integral to Layer Value
number params
our BPS-FL, we use the Ganache tool to orchestrate a 1 Input (784, ) 0
local private Ethereum blockchain network. Ganache is 2 FC1 (784, 256) 200 960
specifically tailored for blockchain development and 3 Relu – 0
testing, offering a streamlined and accessible platform 4 FC2 (256, 128) 32 896
for emulating the complex dynamics of a blockchain 5 Relu – 0
network. The smart contracts, which are central to our 6 FC3 (128, 10) 1290
BPS-FL system, are implemented using Solidity—a
statically typed programming language designed for Table 4 CNN architecture for FashionMNIST.
creating smart contracts that run on the Ethereum Serial Number of
Layer Value
Virtual Machine (EVM). Solidity’s syntax, similar to number params
1 Input (1, 28, 28) 0
JavaScript, facilitates the crafting of complex
2 conv1 (1, 16, 3, 1, 1) 160
contractual agreements within the blockchain.
3 Relu – 0
Moreover, our BPS-FL system’s machine learning
4 maxpool (2, 2) 0
training model is constructed utilizing the advanced
5 conv2 (16, 32, 3, 1, 1) 4640
capabilities of PyTorch 1.13.0—a leading open-source
6 Relu – 0
machine learning library—and Python 3.10.
7 maxpool (2, 2) 0
(2) Poisoning attacks in BPS-FL: In our research,
8 flatten (1568, ) 0
we explore two typical types of poisoning attacks:
9 FC1 (1568, 10) 15 690
untargeted attacks and targeted attacks. These attacks
 206 Big Data Mining and Analytics, February 2025, 8(1): 189−213

2.5 2.5
the more complex CIFAR-10 and CIFAR-100 datasets, FedSGD FedSGD
2.0 2.0
we trained with the standard ResNet-18 and VGG-16 BPS-FL BPS-FL
1.5 1.5

Test loss
Test loss
models to take advantage of their deep structure for
richer image features. 1.0 1.0

For the MNIST and FashionMNIST datasets, we 0.5 0.5

evenly distribute the data samples among each client, 0 10 20 30 40 50 0 10 20 30 40 50

with each client handling approximately 6000 samples Number of epochs Number of epochs
(a) MNIST MLP (b) MNIST CNN
to ensure a balanced data distribution. For the CIFAR-
2.5 2.5
10 and CIFAR-100 datasets, we process about 5000 FedSGD FedSGD
2.0 BPS-FL 2.0 BPS-FL
samples per client to ensure a balanced data
1.5 1.5

Test loss
Test loss
distribution. Additionally, we set the number of global
1.0 1.0
iterations to epoch = 50 , allowing the model sufficient
0.5 0.5
training iterations to learn the features of the data. The
learning rate is established at η = 0.001 , a setting 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs
intended to balance training speed with convergence
(c) FashionMNIST MLP (d) FashionMNIST CNN
performance, thereby avoiding issues like gradient
explosion or vanishing during the training phase. The Fig. 4 Convergences of the proposed BPS-FL and FedSGD
use of the cross-entropy loss function enables us to on MNIST and FashionMNIST datasets.
quantify the discrepancy between the probability 6 6
FedSGD FedSGD
distribution of the model’s output and the actual label 5 BPS-FL 5 BPS-FL
distribution, thereby guiding the model to adjust its
Test loss

Test loss
4 4
parameters more effectively throughout the iterations. 3 3

7.2 Experimental results 2 2

1 1
(1) Fidelity evaluation: To validate the fidelity 0 10 20 30 40 50 0 10 20 30 40 50
performance of our proposed scheme, we conduct a Number of epochs Number of epochs
(a) CIFAR-10 VGG (b) CIFAR-10 RESNET
comparative analysis with FedSGD[5] and BPS-FL. In 6 6
this series of experiments, the possibility of model FedSGD FedSGD
5 BPS-FL 5 BPS-FL
poisoning attacks is not considered. We perform tests
Test loss

Test loss

on four model structures: MLP, CNN, RESNET18, and
VGG16. Figures 4 and 5 display the convergence
comparison between BPS-FL and FedSGD on the
MNIST, FashionMNIST, CIFAR-10, and CIFAR-100
datasets. The results show that the convergence of our
scheme is very similar to that of FedSGD. Therefore,
regarding convergence, our scheme does not adversely
affect the performance of the model.
Additionally, to further examine the impact of our
scheme on model accuracy, we compare the accuracy
of FedSGD with BPS-FL. Figure 6 illustrates the
accuracy outcomes of our proposed scheme and
FedSGD on the MNIST, FashionMNIST, CIFAR-10,
and CIFAR-100 datasets. The comparison indicates
that there is no significant difference in accuracy
between our scheme and FedSGD, and our approach
maintains model accuracy while preserving model
convergence. In summary, the results confirm that our
scheme achieves the goal of fidelity.
(2) Security evaluation: To evaluate the security of
4 4
3 3
2 2
1 1
0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs
(c) CIFAR-100 VGG (d) CIFAR-100 RESNET
Fig. 5 Convergences of the proposed BPS-FL and FedSGD
on CIFAR-10 and CIFAR-100 datasets.
our proposed solution exactly, we compare the defense
effectiveness of BPS-FL with traditional FedSGD
against both targeted and untargeted attacks under
scenarios involving malicious clients on several
distinct datasets. Specifically, we examine the
performance of several approaches when the proportion
of malicious clients is set at 10%, 30%, and 50%.
Figure 7 presents the accuracy comparison between our
solution and FedSGD under untargeted attacks across
these varying percentages of malicious clients. The
results indicate that at a lower proportion of malicious
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning 207

100 FedSGD with a sharp drop in accuracy. In contrast, our solution

BPS-FL
demonstrates higher accuracy and enhanced robustness
80
against Byzantine attacks. The superiority of our
Accuracy (%)

60 approach stems from its core design, which utilizes a

median strategy as the baseline for accuracy, and
40
effectively assigns weights to each client’s local
20 gradient, thereby minimizing the negative impact
potentially brought about by malicious clients. This
0
method not only promotes the overall security of the
io IS LP

-1 10 T

00 T
N

R NN

IF RE G

G
E

E
IF MN ML
N CN

VG
M TM

IF FA SN

AR SN

model but also ensures the robustness and accuracy of

-1 T C

00 V
T
Fa nM T

E
IS

IS

AR IS

AR R-

-1

the model in highly uncertain attack environments.

N

0
M

I
io

Similarly, we present the comparison between our

C
sh

sh
Fa

scheme and FedSGD in a targeted attack scenario, as

Fig. 6 Accuracies of BPS-FL and FedSGD. shown in Fig. 8. The experimental results show that
there is no significant difference in accuracy between
clients, such as 10%, the accuracy of our solution is the two approaches. Specifically, the experiments
nearly indistinguishable from that of FedSGD. simulate a specific attack where a malicious client
However, as the proportion of malicious clients mislabels some of the data belonging to class “1” to
increases, especially reaching 50%, a significant class “7”. It is important to note that this attack is
degradation in performance is observed in FedSGD, limited to manipulating only a small subset of the
MNIST FashionMNIST CIFAR-10 CIFAR-100
100 100 100 100
90 90 90 FedSDG MLP 90 FedSDG MLP
80 80 80 FedSDG CNN 80 FedSDG CNN
Accuracy (%)

Accuracy (%)

Accuracy (%)

Accuracy (%)
70 70 70 BPS-FL MLP 70 BPS-FL MLP
BPS-FL CNN BPS-FL CNN
60 60 60 60
50 50 50 50
40 FedSDG MLP 40 FedSDG MLP 40 40
30 FedSDG CNN 30 FedSDG CNN 30 30
20 BPS-FL MLP 20 BPS-FL MLP 20 20
10 BPS-FL CNN 10 BPS-FL CNN 10 10
0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(a) 10% malicious (b) 10% malicious (c) 10% malicious (d) 10% malicious

MNIST FashionMNIST CIFAR-10 CIFAR-100

100 100 100 100
90 90 90 FedSDG MLP 90 FedSDG MLP
80 80 80 FedSDG CNN 80 FedSDG CNN
Accuracy (%)

Accuracy (%)

Accuracy (%)

Accuracy (%)

70 70 70 BPS-FL MLP 70 BPS-FL MLP

60 60 60 BPS-FL CNN 60 BPS-FL CNN
50 50 50 50
40 FedSDG MLP 40 FedSDG MLP 40 40
30 FedSDG CNN 30 FedSDG CNN 30 30
20 BPS-FL MLP 20 BPS-FL MLP 20 20
10 BPS-FL CNN 10 BPS-FL CNN 10 10
0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(e) 30% malicious (f) 30% malicious (g) 30% malicious (h) 30% malicious

MNIST FashionMNIST CIFAR-10 CIFAR-100

100 100 100 100
90 90 90 FedSDG MLP 90 FedSDG MLP
80 80 80 FedSDG CNN 80 FedSDG CNN
Accuracy (%)

Accuracy (%)

Accuracy (%)

Accuracy (%)

70 70 70 BPS-FL MLP 70 BPS-FL MLP

60 60 60 BPS-FL CNN 60 BPS-FL CNN
50 50 50 50
40 FedSDG MLP 40 FedSDG MLP 40 40
30 FedSDG CNN 30 FedSDG CNN 30 30
20 BPS-FL MLP 20 BPS-FL MLP 20 20
10 BPS-FL CNN 10 BPS-FL CNN 10 10
0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(i) 50% malicious (j) 50% malicious (k) 50% malicious (l) 50% malicious

Fig. 7 Accuracies of the proposed BPS-FL and FedSGD under untargeted attacks.
 208 Big Data Mining and Analytics, February 2025, 8(1): 189−213

MNIST FashionMNIST CIFAR10 CIFAR100

100 100 100 100
90 90 90 FedSDG MLP 90 FedSDG MLP
80 80 80 FedSDG CNN 80 FedSDG CNN
Accuracy (%)

Accuracy (%)

Accuracy (%)

Accuracy (%)
BPS-FL MLP BPS-FL MLP
70 70 70 BPS-FL CNN 70 BPS-FL CNN
60 60 60 60
50 50 50 50
40 40 40 40
FedSDG MLP FedSDG MLP 30 30
30 FedSDG CNN 30 FedSDG CNN
20 BPS-FL MLP 20 BPS-FL MLP 20 20
10 BPS-FL CNN 10 BPS-FL CNN 10 10
0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(a) 10% malicious (b) 10% malicious (c) 10% malicious (d) 10% malicious
MNIST FashionMNIST CIFAR10 CIFAR100
100 100 100 100
90 90 90 FedSDG MLP 90 FedSDG MLP
80 80 80 FedSDG CNN 80 FedSDG CNN
Accuracy (%)

Accuracy (%)

Accuracy (%)

Accuracy (%)
BPS-FL MLP 70 BPS-FL MLP
70 70 70 BPS-FL CNN BPS-FL CNN
60 60 60 60
50 50 50 50
40 FedSDG MLP 40 FedSDG MLP
40 40
30 FedSDG CNN 30 FedSDG CNN 30 30
20 BPS-FL MLP 20 BPS-FL MLP 20 20
10 BPS-FL CNN 10 BPS-FL CNN 10 10
0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(e) 30% malicious (f) 30% malicious (g) 30% malicious (h) 30% malicious
MNIST FashionMNIST CIFAR10 CIFAR100
100 100 100 100
90 90 90 FedSDG MLP 90 FedSDG MLP
80 80 80 FedSDG CNN 80 FedSDG CNN
Accuracy (%)

Accuracy (%)

Accuracy (%)

Accuracy (%)
70 BPS-FL MLP 70 BPS-FL MLP
70 70 BPS-FL CNN BPS-FL CNN
60 60 60 60
50 50 50 50
40 FedSDG MLP 40 FedSDG MLP 40 40
30 FedSDG CNN 30 FedSDG CNN 30 30
20 BPS-FL MLP 20 BPS-FL MLP 20 20
10 BPS-FL CNN 10 BPS-FL CNN 10 10
0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(i) 50% malicious (j) 50% malicious (k) 50% malicious (l) 50% malicious

Fig. 8 Accuracies of the proposed BPS-FL and FedSGD under targeted attacks.

dataset, thus having a limited impact on the overall
performance of the model. In addition, in Fig. 9, we
analyze the Attack Success Rate (ASR), which
measures the proportion of samples that the attacker
successfully misleads into a specific error class. Our
scheme is consistently lower than FedSGD in terms of
ASR, indicating its superior robustness against
accuracy attacks. It is worth noting that despite the
challenges posed by malicious clients, our scheme
leverages advanced defense strategies to effectively
identify and mitigate the impact of malicious samples,
thereby maintaining a high level of accuracy for the
model. In addition, all data processing steps are
performed in an encrypted environment, ensuring the
privacy and security of the data while providing a
strong guarantee for processing sensitive information.
(3) Comparative analysis: In our study, we conduct
a comparative analysis of the BPS-FL scheme with
other federated learning approaches such as Krum[17],
Trimmed-mean[19], ChainFL[32], PEFL[36], PBFL[39]
and Biscotti[40]. The analysis is performed on the
MNIST and FashionMNIST datasets, using an MLP
model architecture and fixing the number of global
iterations at 50 for adequate model training. Table 5
shows a comparison of the accuracy of different
learning schemes under untargeted attacks. We observe
that when the proportion of malicious clients is 10%,
the performance of the other schemes is similar to the
BPS-FL approach. However, as the proportion of
malicious clients increases, BPS-FL consistently
outperforms the other approaches in accuracy,
demonstrating its superior performance maintenance.
In particular, at a malicious client ratio of 50% on the
FashionMNIST dataset, the accuracy of the other
schemes drops below 80%. At the same time, BPS-FL
maintains an accuracy rate above this level,
demonstrating its robustness in scenarios with a high
proportion of malicious clients. In addition, Table 6
illustrates the accuracy performance of the schemes
under targeted attack scenarios. The results show that
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning 209

MNIST FashionMNIST CIFAR10 CIFAR100

6 6 100 100
FedSDG MLP FedSDG MLP FedSDG MLP FedSDG MLP
5 FedSDG CNN 5 FedSDG CNN 80 FedSDG CNN 80 FedSDG CNN
BPS-FL MLP BPS-FL MLP BPS-FL MLP BPS-FL MLP
4 4
ASR (%)

ASR (%)

ASR (%)

ASR (%)
BPS-FL CNN BPS-FL CNN BPS-FL CNN BPS-FL CNN
60 60
3 3
40 40
2 2
1 1 20 20

0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(a) 10% malicious (b) 10% malicious (c) 10% malicious (d) 10% malicious
MNIST FashionMNIST CIFAR10 CIFAR100
100 100 100 100
FedSDG MLP FedSDG MLP FedSDG MLP FedSDG MLP
80 FedSDG CNN 80 FedSDG CNN 80 FedSDG CNN 80 FedSDG CNN
BPS-FL MLP BPS-FL MLP BPS-FL MLP BPS-FL MLP
ASR (%)

ASR (%)

ASR (%)

ASR (%)
BPS-FL CNN BPS-FL CNN BPS-FL CNN BPS-FL CNN
60 60 60 60
40 40 40 40
20 20 20 20

0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(e) 30% malicious (f) 30% malicious (g) 30% malicious (h) 30% malicious

MNIST FashionMNIST CIFAR10 CIFAR100

100 100 100 100
FedSDG MLP FedSDG MLP FedSDG MLP FedSDG MLP
80 FedSDG CNN 80 FedSDG CNN 80 FedSDG CNN 80 FedSDG CNN
BPS-FL MLP BPS-FL MLP BPS-FL MLP BPS-FL MLP
ASR (%)

ASR (%)

ASR (%)

ASR (%)
BPS-FL CNN BPS-FL CNN BPS-FL CNN BPS-FL CNN
60 60 60 60
40 40 40 40
20 20 20 20

0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Number of epochs Number of epochs Number of epochs Number of epochs
(i) 50% malicious (j) 50% malicious (k) 50% malicious (l) 50% malicious

Fig. 9 Values of ASR of BPS-FL and FedSGD under targeted attack.

Table 5 Accuracies of different schemes under untargeted Table 6 Accuracies of different schemes under targeted
attack with different proportions of malicious clients (the attack with different proportions of malicious clients (the
best results are marked in bold). best results are marked in bold).
(%) (%)
MNIST FashionMNIST MNIST FashionMNIST
Algorithm Algorithm
10% 30% 50% 10% 30% 50% 10% 30% 50% 10% 30% 50%
Krum 93.02 89.82 88.09 82.28 81.14 79.61 Krum 92.97 92.84 92.98 81.84 82.08 82.33
Trimmed-mean 92.97 91.22 87.15 82.01 81.50 79.43 Trimmed-mean 93.00 93.09 92.92 82.44 82.29 81.98
ChainFL 93.11 86.32 80.57 82.13 75.73 61.23 ChainFL 92.85 89.83 87.66 80.79 79.21 77.43
Biscotti 92.57 89.79 87.35 81.09 80.46 79.23 Biscotti 92.77 92.43 92.13 81.23 81.09 79.88
PEFL 93.22 90.91 88.77 82.21 81.29 79.56 PEFL 92.95 92.85 92.26 82.42 82.23 82.22
PBFL 92.72 90.45 70.31 82.29 81.43 64.54 PBFL 93.22 93 92.22 82.85 82.27 82.39
Ours 93.11 91.83 89.40 82.21 81.97 80.62 Ours 92.77 93.21 93.03 82.30 82.44 82.41

BPS-FL maintains excellent performance even at
higher ratios of malicious clients, effectively
countering targeted attacks without significantly
compromising the accuracy of the model’s output.
Overall, the BPS-FL scheme demonstrates a significant
advantage in defending against malicious attacks in
both untargeted and targeted scenarios. These results
not only validate the effectiveness of the BPS-FL
scheme but also provide a robust safeguard for the
security of federated learning environments.
Table 7 demonstrates that the proposed BPS-FL
approach significantly outperforms other comparative
schemes in terms of ASR under targeted attack. The
superiority of BPS-FL stems from its unique strategy to
 210 Big Data Mining and Analytics, February 2025, 8(1): 189−213

Table 7 Values of ASR of different schemes under targeted 300

attack with different proportions of malicious clients (the Encryption time
250 Decryption time
best results are marked in bold).
(%) 200

Time (s)
MNIST FashionMNIST
Algorithm 150
10% 30% 50% 10% 30% 50%
Krum 0.09 1.41 2.73 0 0.10 1.80 100

Trimmed-mean 0.26 1.15 3.08 0 0.30 1.50 50

ChainFL 0.73 1.95 10.23 1.45 2.54 3.24
Biscotti 0.18 1.43 4.12 0.21 0.76 1.51
PEFL 0.09 1.32 3.70 0 0.70 0.30
PBFL 0.26 1.06 9.25 0 0.40 2.50
Ours 0.09 0.88 1.94 0.10 0.10 0.20
mitigate malicious attacks. The Krum algorithm selects
the most appropriate gradient vectors from all
submissions for model updating and excludes the rest.
Such a method may discard valuable gradients
containing useful information during defense against
malicious attacks, potentially ignoring data that could
benefit model training, especially when attackers are
numerous. In contrast, the Trimmed-mean approach
updates the model by averaging the remaining
gradients after excluding a certain proportion of the
highest and lowest vectors. Although this method
mitigates the impact of extreme values, it can still
result in the loss of important data by removing part of
the gradient information. Conversely, the BPS-FL
strategy uses a median-based aggregation approach that
effectively reduces the influence of malicious gradients
on global model updates while integrating more
participating parameters. This approach significantly
improves model robustness to a high proportion of
malicious clients by preserving useful information. In
addition, all computational processes within the BPS-
FL scheme are performed in ciphertext, ensuring
privacy and further protecting the system from single-
point server failures and potential malicious tampering
by recording all learning outcomes on a blockchain.
Overall, these designs not only maintain model
0
MLP CNN
Model
Fig. 10 Encryption and decryption times.
comparison of the time cost for data encryption and
decryption between the MLP model and the CNN
model. The specific data show that the MLP model
requires 254.24 s for encryption and 117.54 s for
decryption. In comparison, the CNN model requires
only 22.69 s for encryption and 10.44 s for decryption.
The significant difference observed is mainly due to
the number of parameters and the complexity of the
network structure of the models. The time required for
encryption and decryption operations increases linearly
with the number of parameters. Considering that the
number of parameters of the MLP model is 11.5 times
higher than the CNN model, it is natural that the MLP
requires a longer time for both encryption and
decryption.
In an experimental setup using a CNN model with a
variable number of client participants, we conduct a
detailed evaluation of the processing time required for
distance computation, weight computation, and model
updating during the robust aggregation phase. As
shown in Fig. 11, the time cost for distance and weight
computation shows a clear linear increase with the
addition of more client participants in the computation.
500
Calculating distance and weight
Updating model
400
300
Time (s)

performance but also significantly improve data

security and system reliability. 200
(4) Evaluation of processing time: We evaluate the
time efficiency of the data encryption and decryption 100
processes on the client side. To ensure data security
0
during transmission, we implement the Paillier 2 4 6 8 10
Number of client participants
encryption algorithm and set its security parameter to a
length of 2048 bits to maintain high-security standards. Fig. 11 Processing time of one iteration of BPS-FL in the
Under this configuration, Figure 10 demonstrates a robust aggregation phase.
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning
This trend can be attributed to the SecDist algorithm,
where the computational cost is directly proportional to
the number of client participants. Specific data show
that with only two client nodes involved, the time
required to compute distances and weights is 86.25 s.
However, as the number of client nodes increases to
ten, the cost escalates to 431.26 s. For model update,
the time increases from 76.24 s with two client nodes
to 102.13 s with ten client nodes. Overall, the
additional computational overhead introduced by the
BPS-FL to enhance privacy protection in federated
learning is quite reasonable. The increase in
computational cost remains within acceptable limits
and does not have a significant impact on overall
system performance.
8 Conclusion
In this paper, in order to effectively address the privacy
and security threats faced by Federated Learning, we
have proposed BPS-FL scheme. The scheme can
effectively protect the client’s data privacy while
providing effective protection against model poisoning
attacks. BPS-FL scheme encrypts the local gradient
through the threshold homomorphic encryption to
ensure the privacy and security of client data. This
encryption allows gradient aggregation in an encrypted
state without disclosing the gradient information of the
client. To achieve robust aggregation, in BPS-FL, we
have developed a Byzantine-robust aggregation
protocol that minimizes the impacts from malicious
gradients and ensures a secure aggregation of models at
the ciphertext level. This protocol can effectively
aggregate client-side gradients to achieve global model
updating while ensuring data privacy. The BPS-FL
scheme also utilizes a blockchain as the underlying
distributed architecture to further improve the
reliability of the system, preventing the single-point-of-
failure, and ensuring data immutability as well as
traceability and transparency of the model training
process. The performance of the BPS-FL scheme has
been validated on different datasets through extensive
analysis and experiments. The results have shown that
our scheme exhibits robustness to poisoning attacks
and maintains high classification accuracy even in the
existence of a large number of malicious participants.
Acknowledgment
This work was supported by the National Natural Science
211
Foundation of China (No. 62472170), the Hunan
Provincial Natural Science Foundation of China (Nos.
2021JJ30455, 2022JJ30398, and 2022JJ40277), the
Hunan Provincial Degree and Postgraduate Teaching
Reform Research Project of China (No. 2023JGSZ060),
and the Scientific Research Fund of Hunan Provincial
Education Department of China (No. 22A0056).
References
[1] L. Deng and D. Yu, Deep learning: Methods and
applications, Found. Trends® Signal Process., vol. 7, nos.
3&4, pp. 197–387, 2014.
[2] L. Peng, N. Wang, N. Dvornek, X. Zhu, and X. Li, FedNI:
Federated graph learning with network inpainting for
population-based disease prediction, IEEE Trans. Med.
Imag., vol. 42, no. 7, pp. 2032–2043, 2023.
[3] Z. Li, X. Wang, W. Yang, J. Wu, Z. Zhang, Z. Liu, M.
Sun, H. Zhang, and S. Liu, A unified understanding of
deep NLP models for text classification, IEEE Trans. Vis.
Comput. Graph., vol. 28, no. 12, pp. 4980–4994, 2022.
[4] R. Zhao, Y. Wang, Z. Xue, T. Ohtsuki, B. Adebisi, and G.
Gui, Semisupervised federated-learning-based intrusion
detection method for Internet of Things, IEEE Internet
Things J., vol. 10, no. 10, pp. 8645–8657, 2023.
[5] B. McMahan, E. Moore, D. Ramage, S. Hampson, and
B.A. y Arcas, Communication-efficient learning of deep
networks from decentralized data, in Proc. of 20th Int.
Conf. on Artificial Intelligence and Statistics, Ft.
Lauderdale, FL, USA, 2017, pp. 1273–1282.
[6] X. Guo, Z. Liu, J. Li, J. Gao, B. Hou, C. Dong, and T.
Baker, VeriFL: communication-efficient and fast
verifiable aggregation for federated learning, IEEE Trans.
Inf. Forensics Secur., vol. 16, pp. 1736–1751, 2021.
[7] H. Zhou, G. Yang, H. Dai, and G. Liu, PFLF: Privacy-
preserving federated learning framework for edge
computing, IEEE Trans. Inf. Forensics Secur., vol. 17, pp.
1905–1918, 2022.
[8] R. Shokri, M. Stronati, C. Song, and V. Shmatikov,
Membership inference attacks against machine learning
models, in Proc. IEEE Symp. on Security and Privacy, San
Jose, CA, USA, 2017, pp. 3–18.
[9] M. Al-Rubaie and J. M. Chang, Privacy-preserving
machine learning: Threats and solutions, IEEE Secur.
Priv., vol. 17, no. 2, pp. 49–58, 2019.
[10] X. Cao, J. Jia, and N. Z. Gong, Provably secure federated
learning against malicious clients, Proc. AAAI Conf. Artif.
Intell., vol. 35, no. 8, pp. 6885–6893, 2021.
[11] Y. Li, H. Li, G. Xu, T. Xiang, X. Huang, and R. Lu,
Toward secure and privacy-preserving distributed deep
learning in fog-cloud computing, IEEE Internet Things J.,
vol. 7, no. 12, pp. 11460–11472, 2020.
[12] J. H. Bell, K. A. Bonawitz, A. Gascón, T. Lepoint, and M.
Raykova, Secure single-server aggregation with (poly)
logarithmic overhead, in Proc. 2020 ACM SIGSAC Conf.
Computer and Communications Security, Virtual Event,
2020, pp.1253–1269.
 212
[13] K. Nandakumar, N. Ratha, S. Pankanti, and S. Halevi,
Towards deep neural network training on encrypted data,
in Proc. IEEE/CVF Conf. Computer Vision and Pattern
Recognition Workshops, Long Beach, CA, USA, 2019, pp.
40–48.
[14] L. T. Phong, Y. Aono, T. Hayashi, L. Wang, and S.
Moriai, Privacy-preserving deep learning via additively
homomorphic encryption, IEEE Trans. Inf. Forensics
Secur., vol. 13, no. 5, pp. 1333–1345, 2018.
[15] L. Yu, L. Liu, C. Pu, M. E. Gursoy, and S. Truex,
Differentially private model publishing for deep learning,
in Proc. IEEE Symp. on Security and Privacy, San
Francisco, CA, USA, 2019, pp. 332–349.
[16] K. Wei, J. Li, M. Ding, C. Ma, H. H. Yang, F. Farokhi, S.
Jin, T. Q. S. Quek, and H. Vincent Poor, Federated
learning with differential privacy: Algorithms and
performance analysis, IEEE Trans. Inf. Forensics Secur.,
vol. 15, pp. 3454–3469, 2020.
[17] P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J.
Stainer, Machine learning with adversaries: Byzantine
tolerant gradient descent, in Proc. 31st Int. Conf. Neural
Information Processing Systems, Long Beach, CA, USA,
2017, pp. 118 – 128.
[18] S. Rajput, H. Wang, Z. Charles, and D. Papailiopoulos,
DETOX: A redundancy-based framework for faster and
more robust gradient aggregation, arXiv preprint arXiv:
1907.12205, 2019.
[19] D. Yin, Y. Chen, R. Kannan, and P. Bartlett, Byzantine-
robust distributed learning: Towards optimal statistical
rates, in Proc. 35th Int. Conf. on Machine Learning,
Stockholm, Sweden, 2018, pp. 5650– 5659.
[20] M. Fang, X. Cao, J. Jia, and N. Z. Gong, Local model
poisoning attacks to Byzantine-robust federated learning,
arXiv preprint arXiv: 1911.11815, 2019.
[21] X. Cao, M. Fang, J. Liu, and N. Z. Gong, FLTrust:
Byzantine-robust federated learning via trust
bootstrapping, arXiv preprint arXiv: 2012.13995, 2020.
[22] Y. Dong, X. Chen, K. Li, D. Wang, and S. Zeng, FLOD:
Oblivious defender for private Byzantine-robust federated
learning with dishonest-majority, in Proc. 26th European
Symposium on Research in Computer Security, Darmstadt,
Germany, 2021. pp. 497–518,
[23] X. Ma, X. Sun, Y. Wu, Z. Liu, X. Chen, and C. Dong,
Differentially private Byzantine-robust federated learning,
IEEE Trans. Parallel Distrib. Syst., vol. 33, no. 12, pp.
3690–3701, 2022.
[24] A. Hard, K. Rao, R. Mathews, S. Ramaswamy, F.
Beaufays, S. Augenstein, H. Eichner, C. Kiddon, and D.
Ramage, Federated learning for mobile keyboard
prediction, arXiv preprint arXiv: 1811.03604, 2018.
[25] Z. Wu, Q. Ling, T. Chen, and G. B. Giannakis, Federated
variance-reduced stochastic gradient descent with
robustness to Byzantine attacks, IEEE Trans. Signal
Process., vol. 68, pp. 4583–4596, 2952.
[26] X. Gong, Y. Chen, Q. Wang, and W. Kong, Backdoor
attacks and defenses in federated learning: State-of-the-art,
taxonomy, and future directions, IEEE Wirel. Commun.,
vol. 30, no. 2, pp. 114–121, 2023.
Big Data Mining and Analytics, February 2025, 8(1): 189−213
[27] B. Hou, J. Gao, X. Guo, T. Baker, Y. Zhang, Y. Wen, and
Z. Liu, Mitigating the backdoor attack by federated filters
for industrial IoT applications, IEEE Trans. Ind. Inform.,
vol. 18, no. 5, pp. 3562–3571, 2022.
[28] E. Bagdasaryan, A. Veit, Y. Hua, D. Estrin, and V.
Shmatikov, How to backdoor federated learning, in Proc.
of Twenty Third Int. Conf. on Artificial Intelligence and
Statistics, Virtual Event, 2020, pp. 2938−2948.
[29] E. M. E. Mhamdi, R. Guerraoui, and S. Rouault, The
hidden vulnerability of distributed learning in Byzantium,
in Proc. of the 35th Int. Conf. on Machine Learning,
Stockholm, Sweden, 2018, pp. 3521−3530.
[30] K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B.
McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth,
Practical secure aggregation for privacy-preserving
machine learning, in Proc. 2017 ACM SIGSAC Conf.
Computer and Communications Security, Dallas, TX,
USA, 2017 pp. 1175–1191.
[31] S. Truex, N. Baracaldo, A. Anwar, T. Steinke, H. Ludwig,
R. Zhang, and Y. Zhou, A hybrid approach to privacy-
preserving federated learning, in Proc. 12th ACM
Workshop on Artificial Intelligence and Security, London,
UK, 2019, pp. 1–11.
[32] Y. Li, Y. Zhou, A. Jolfaei, D. Yu, G. Xu, and X. Zheng,
Privacy-preserving federated learning framework based on
chained secure multiparty computing, IEEE Internet
Things J., vol. 8, no. 8, pp. 6178–6186, 2021.
[33] Y. Miao, R. Xie, X. Li, X. Liu, Z. Ma, and R. H. Deng,
Compressed federated learning based on adaptive local
differential privacy, in Proc. 38th Annual Computer
Security Applications Conference, Austin, TX, USA,
2022, pp. 159–170.
[34] G. Xu, H. Li, S. Liu, K. Yang, and X. Lin, VerifyNet:
Secure and verifiable federated learning, IEEE Trans. Inf.
Forensics Secur., vol. 15, pp. 911–926, 2020.
[35] J. So, B. Güler, and A. S. Avestimehr, Byzantine-resilient
secure federated learning, IEEE J. Sel. Areas Commun.,
vol. 39, no. 7, pp. 2168–2181, 2021.
[36] X. Liu, H. Li, G. Xu, Z. Chen, X. Huang, and R. Lu,
Privacy-enhanced federated learning against poisoning
adversaries, IEEE Trans. Inf. Forensics Secur., vol. 16, pp.
4574–4588, 2021.
[37] L. Zhao, J. Jiang, B. Feng, Q. Wang, C. Shen, and Q. Li,
SEAR: Secure and efficient aggregation for Byzantine-
robust federated learning, IEEE Trans. Dependable Secure
Comput., vol. 19, no. 5, pp. 3329–3342, 2022.
[38] Z. Zhang, J. Li, S. Yu, and C. Makaya, SAFELearning:
Enable backdoor detectability in federated learning with
secure aggregation, arXiv preprint arXiv: 2102.02402,
2021.
[39] Y. Miao, Z. Liu, H. Li, K.-K R. Choo, and R. H. Deng,
Privacy-preserving Byzantine-robust federated learning
via blockchain systems, IEEE Trans. Inf. Forensics Secur.,
vol. 17, pp. 2848–2861, 2022.
[40] M. Shayan, C. Fung, C. J. M. Yoon, and I. Beschastnikh,
Biscotti: A blockchain system for private and secure
federated learning, IEEE Trans. Parallel Distrib. Syst.,
vol. 32, no. 7, pp. 1513–1525, 2021.
 Jianping Yu et al.: BPS-FL: Blockchain-Based Privacy-Preserving and Secure Federated Learning
[41] P. Paillier, Public-key cryptosystems based on composite
degree residuosity classes, in Proc. Int. Conf. on the
Theory and Applications of Cryptographic Techniques,
Prague, Czech Republic, 1999, pp. 223–238.
[42] J. H. Cheon, A. Kim, M. Kim, and Y. Song,
Homomorphic encryption for arithmetic of approximate
numbers, in Proc. ASIACRYPT 2017: 23rd International
Conference on the Theory and Applications of Cryptology
and Information Security, Hong Kong, China, 2017, pp.
409–437.
Jianping Yu received the BEng degree in
computer science and technology and the
PhD degree in computer application
technology from Hunan University,
Changsha, China in 2003 and 2008,
respectively. He is currently an associate
professor at College of Information
Science and Engineering, Hunan Normal
University, China. He is a senior member of the China
Computer Federation, and a very active reviewer for many
international journals and conferences including the IEEE
Communication Magazine, etc. He has authored more than 30
related papers. His research interests include blockchain
technology, deep learning, IoTs, and artificial intelligence.
Kai Ouyang is currently a master student
in computer science and technology at
Hunan Normal University, China, after
obtaining the BEng degree from Nanchang
University, China in 2021. His research
interests include federated learning and
blockchain technology.
Lianming Zhang received the BEng and
MEng degrees from Hunan Normal
University, China in 1997 and 2000,
respectively, and the PhD degree from
Central South University, China in 2006.
He is currently a professor and doctoral
supervisor at Hunan Normal University,
China, and a distinguished member of the
China Computer Federation. His research interests include IoT,
intelligent networks, edge computing, and machine learning.
213
[43] G. Bonnoron, C. Fontaine, G. Gogniat, V. Herbert, V.
Lapôtre, V. Migliore, and A. Roux-Langlois,
Somewhat/fully homomorphic encryption: Implementation
progresses and challenges, in Proc. Int. Conf. on Codes,
Cryptology, and Information Security, doi: 10.1007/978-3-
319-55589-8_5.
[44] G. Xu, H. Li, Y. Zhang, S. Xu, J. Ning, and R. H. Deng,
Privacy-preserving federated deep learning with irregular
users, IEEE Trans. Dependable Secure Comput., vol. 19,
no. 2, pp. 1364–1381, 2022.
Hang Yao is currently a master student in
computer technology at Hunan Normal
University, China, after obtaining the
BEng degree from Dalian Minzu
University, China in 2022. His research
interests include federated learning and
blockchain technology.
Xiaojun Cao received the BEng degree
from Tsinghua University and the MEng
degree from Chinese Academy of
Sciences, China in 1996 and 1999,
respectively, and the PhD degree in
computer science and engineering from the
State University of New York at Buffalo,
USA in 2004. Currently, he is a professor
at Department of Computer Science, Georgia State University,
USA. He is a distinguished lecturer of the IEEE ComSoc
(2019—2020) and served as the chair for IEEE ComSoc Optical
Networking Technical Committee (ONTC). His research
interests include modeling, analysis, protocols/algorithms
design, as well as data processing for intelligent networks and
cyber-physical systems.