[Federated Learning + Blockchain] A Blockchain-based Decentralized Federated Learning Framework with Committee Consensus


Paper address: https://ieeexplore.ieee.org/abstract/document/9293091


1. Introduction

The article proposes a decentralized, autonomous FL architecture based on blockchain to deal with the challenges FL faces at this stage (the architecture is shown in Fig. 1). For FL node management, the architecture is built on a consortium chain, which ensures permission control over nodes. For storage, the article designs an on-chain storage mode for models and updates, through which nodes can quickly obtain the latest model. Every verified update is recorded on the blockchain and remains tamper-proof. Because storage consumption on the blockchain is large, some nodes can give up historical blocks to free up storage space. For block consensus, a novel committee consensus mechanism is proposed, which adds only a small amount of verification overhead and achieves higher stability under malicious attacks. In each round of FL, updates are validated and packaged by a small number of nodes (i.e., the committee). The committee consensus mechanism allows most honest nodes to complement each other and continuously improve the global model. A small number of incorrect or malicious node updates are ignored to avoid corrupting the global model. At the same time, the BFLC (Blockchain-based Decentralized Federated Learning Framework with Committee Consensus) training community is flexible: nodes can join or leave at any time without disrupting the training process. Combined with an effective incentive mechanism, contributing nodes receive actual rewards, which promotes a virtuous circle of development for the entire training community.

The contribution of the article is summarized as follows: (1) A blockchain-based federated learning framework BFLC is proposed, which defines the model storage mode, training process and novel committee consensus mechanism in detail. (2) The scalability of BFLC is discussed technically, including community node management, analysis of malicious node attacks, and storage optimization. (3) The effectiveness of BFLC is demonstrated through experiments on real-world FL datasets, and the security of BFLC is also verified by simulating malicious attacks.


2. The proposed framework

The decentralized nature of the blockchain can replace the central server of traditional federated learning: the server's functions are implemented as smart contracts and driven by transactions on the blockchain. Participating nodes in BFLC perform FL through the blockchain, which maintains the global model and the local updates. Considering the communication cost of FL, a novel authorization consensus mechanism is used to handle gradient selection and block generation.

A. Blockchain Storage

To achieve permission control, the storage of BFLC is a consortium blockchain system, and only authorized devices can access FL training content. Two different kinds of block are designed in the blockchain to store global models and local updates, collectively referred to as learning information. For simplicity, it is assumed that only one piece of learning information is placed in a block.


First, the randomly initialized model is put into block #0, and then round 0 of training starts. A node accesses the current model, trains it locally, and puts the verified local gradient into a new update block. When there are enough update blocks, the smart contract triggers aggregation to generate the new model for the next round and upload it to the chain. Note that FL training depends only on the latest model block; historical blocks are stored for failure rollback and block verification.

Denote the number of updates required per round as $k$, and the round number as $t$. Block #$t\times(k+1)$ contains the model of round $t$ and is called a model block. Blocks #$[t\times(k+1)+1]$ to #$[(t+1)\times(k+1)-1]$ store the model updates of round $t$ and are called update blocks. A model block includes: block header, round number $t$ and the global model. An update block includes: block header, round number $t$, local update gradient, uploader address, update score.

B. Committee Consensus Mechanism

The chain structure of the blockchain ensures that it cannot be tampered with. Therefore, appending the correct blocks to the chain is a critical part of how the consensus mechanism works. A competition-based consensus mechanism first appends the block to the chain and then proceeds to consensus. In contrast, a communication-based consensus mechanism reaches consensus before appending blocks.

Considering the computational and communication costs of consensus, this paper proposes an efficient and secure Committee Consensus Mechanism (CCM) to verify local gradients before attaching them to the chain. In this setup, a small number of honest nodes will form a committee responsible for validating local gradients and generating blocks. Meanwhile, the remaining nodes perform local training and send local updates to the committee. The committee then validates and scores the update. Only eligible updates are packaged onto the blockchain. At the beginning of the next round, a new committee is elected based on the scores of the nodes in the previous round. It's worth noting that update verification is a key component of CCM. Therefore, committee members validate local updates by treating their data as a validation set, with validation accuracy as a score. No further action is required from the committee other than the basic ability to run the learned model. After combining the scores from each committee member, the median will be the score for this update.

BFLC has the following advantages: (1) High efficiency: only a few nodes verify the model update, instead of broadcasting it to every node to reach consensus. (2) K-fold cross-validation: committee members do not participate in this round of local training, so the committee's local data is used as the validation set. As committee members alternate each round, the validation set changes as well. In this setting, K-fold cross-validation on FL is implemented. (3) Anti-malevolence: according to the verification score, the smart contract selects the nodes with better performance and forms a new committee for the next round of training. This means that the chosen local data distribution is gregarious and the nodes are not malicious.

C. Model Training

Nodes other than the committee are trained locally every round. In FL, for security and privacy reasons, raw data will be kept in local nodes, which only upload gradients to the blockchain. Besides, there are two main challenges: (1) The local data distribution is non-IID. (2) Equipment is not always available.

To solve the first challenge, only a certain number of local updates are required in each round, and the committee consensus mechanism can maximize the generalization ability of the global model by validating local updates through the data distribution of committee members. To solve the second problem, an active local learning process is designed for nodes. Nodes can actively obtain the current global model at any time and perform local training. Gradients will be sent to the committee and validated. When eligible updates are packaged on the blockchain, tokens can be attached to them as a reward.

As mentioned above, each round requires a certain number of valid updates. Thus, the aggregation process is activated when sufficient local updates are validated by the committee. These validated updates are aggregated by committee into a new global model. Aggregation can be performed on local gradients or local models, and the network transfer cost of these two methods is equal. After the new global model is packaged on the blockchain, the committee will be elected again and the next round of training will begin.


3. Discussion

A. Node management and incentive

The training process of BFLC relies on the mutual promotion of nodes, and node management is also a key part of BFLC. Participating nodes can not only access the global model, but also upload updates to affect the global model. In order to control permissions, we designate the initial nodes that make up the training community to be responsible for node management, that is, managers. Each device must be verified by a manager before joining the training community. This verification works in a blacklist mode: if a device is kicked out of the community for inappropriate behavior (e.g. submitting misleading updates, propagating private models), the device will be rejected.

According to the proposed blockchain storage structure, new nodes can quickly find the latest global model on the chain after joining. Nodes can immediately use the model to complete local tasks, or use local data to update the model and get on-chain scores after verification by the consensus committee. It is worth noting that each round of aggregation only requires a certain number of valid updates, and only some nodes are online to participate. Therefore, as long as the node actively submits the update, it is possible to participate in the global model update and get the score. At the same time, some offline nodes will not hinder the progress of FL.

Nodes in the community can always use the model without submitting updates, so effective incentives are needed to encourage nodes to provide updates to the global model. To solve this problem, an incentive mechanism called profit sharing by contribution is proposed. (1) Permission fee: each device needs to pay an access fee for the global model, and these fees are held by the administrator. Nodes then have unlimited access to the latest models in the community. (2) Profit sharing: after each round of aggregation, managers distribute rewards to the corresponding nodes according to the scores of the updates they submitted. Therefore, providing frequent updates earns more rewards, and the constantly updated global model attracts more nodes to participate. This incentive mechanism is highly scalable and can be adapted to different real-world applications. The allocation of licensing fees, profit sharing ratios and dividend distribution models are all worthy of study.

B. Committee Election

At the end of each round, a new committee is elected from among the verified update providers. In a decentralized training setting, this election can significantly affect the performance of the global model, as the committee decides which local updates will be aggregated. Committee election methods include the following categories: (1) Random election: new committee members are randomly selected from verified nodes. From a machine learning perspective, this approach improves model generalization and reduces overfitting. However, it is less resistant to attacks by malicious nodes masquerading as normal nodes. (2) Election by score: the providers with the highest verification scores form the new committee. This may exacerbate the inhomogeneity of the sample distribution, because some nodes are never represented in the committee. But against malicious node attacks, this method significantly increases the attack cost and brings more security and stability. (3) Multi-factor optimization: this method considers multiple factors of the device (i.e., network transmission rate) together with verification scores to make the optimal selection. But this optimization comes with additional computational overhead. Therefore, the method should be chosen according to the actual scenario and related requirements.

C. Malicious Nodes

Malicious nodes are defined as nodes that submit incorrect malicious model updates. In the original FL setting, FedAvg aggregates all updates into a new global model. If there are malicious updates, the global model is poisoned and gets lower performance. As mentioned above, according to the committee consensus mechanism, updates will be verified by the committee before being aggregated. In this subsection, we theoretically analyze the factors of malicious attacks and the probability of success.

Denote the number of all nodes as $N$, of which $M$ are committee members; the remaining $N-M$ nodes are training nodes. Obviously, malicious updates will be accepted if and only if more than $\frac{M}{2}$ committee members cooperate. However, the committee members were the $M$ best-performing nodes of the last round, which means that the updates of these malicious members were accepted by other $\frac{M}{2}$ malicious nodes in the previous committee. This is an infinite dependency cycle, so as long as there are more than $\frac{M}{2}$ honest nodes in the first committee, no malicious node can enter the committee and compromise the global model.
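The $\frac{M}{2}$ threshold follows from median scoring, and the sketch below makes that concrete. It is an added example, not code from the paper or the original post: the node names, accuracies, the inflated score of 0.95, the eligibility threshold `min_score` and the seat count are all constructed assumptions.

```python
from statistics import median

# Constructed sample (not data from the paper): for each submitted update, the
# validation accuracy that each of M = 5 committee members measures locally.
UPDATES = {
    "node-a": {"malicious": False, "measured": [0.81, 0.78, 0.84, 0.80, 0.79]},
    "node-b": {"malicious": False, "measured": [0.74, 0.77, 0.70, 0.76, 0.73]},
    "node-x": {"malicious": True, "measured": [0.12, 0.09, 0.15, 0.11, 0.10]},
    "node-y": {"malicious": True, "measured": [0.10, 0.14, 0.08, 0.13, 0.12]},
}


def score_update(update, colluders, inflated=0.95):
    """Median of the committee's scores for one update.

    Honest members report the accuracy they measured. The last `colluders`
    members are assumed to collude: they report `inflated` for malicious
    updates and score honest updates truthfully.
    """
    scores = list(update["measured"])
    if not 0 <= colluders <= len(scores):
        raise ValueError("colluders must be between 0 and the committee size")
    if update["malicious"] and colluders:
        scores[-colluders:] = [inflated] * colluders
    return median(scores)


def run_round(updates, colluders, min_score=0.5, seats=2):
    """Score every update, keep eligible ones, elect the next committee by score.

    `min_score` is a hypothetical eligibility rule; the page only says that
    eligible updates are packaged onto the chain.
    """
    scores = {node: score_update(u, colluders) for node, u in updates.items()}
    accepted = sorted((n for n, s in scores.items() if s >= min_score),
                      key=scores.get, reverse=True)
    return scores, accepted, accepted[:seats]


if __name__ == "__main__":
    for colluders in (0, 2, 3):
        scores, accepted, committee = run_round(UPDATES, colluders)
        print(f"colluders={colluders} accepted={accepted} next={committee}")
```

With two colluders out of five the median still falls on an honest score and the malicious updates are rejected. With three, the median is the inflated score and the next committee is captured, which is why the honesty of the first committee matters.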

Consider another extreme case: malicious nodes conspire to impersonate normal nodes to win committee seats. The attack begins when malicious nodes occupy half of the seats. To analyze this attack mode, the number of participating nodes is denoted as $A$, the percentage of malicious nodes in $A$ is $q\in(0,1)$, and the percentage of the committee is $p\in(0,1)$. The attack goal is to hold more than $\frac{A\times p}{2}$ seats in the committee. Each node is assumed to perform similarly. Therefore, the attack success probability can be calculated as the probability of the event: when $A\times p$ nodes are chosen from all nodes, more than half of them come from the $A\times q$ malicious nodes. With $A=1000$ fixed, Figure 3 plots how this probability changes with $p$ and $q$. It should be noted that only when the malicious percentage is greater than 50% will the attack success probability be significantly greater than 0. This conclusion is similar to the 51% attack in the PoW blockchain system. In other words, in a decentralized community, malicious nodes would have to hold 51% of the computing resources to attack the system, and the cost is far greater than the benefit. Additionally, historical models and updates are stored on the blockchain, so failback is always an option after an attack.

D. Storage Optimization
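The event described above is a hypergeometric tail, which can be computed exactly. The following is an added example, not code from the paper or the original post; it assumes committee seats are drawn uniformly without replacement (the reading of "each node is assumed to perform similarly") and that success means strictly more than half of the seats. Function names and the sampled $p$, $q$ values are chosen here.

```python
from fractions import Fraction
from math import comb


def attack_success_probability(total, committee, malicious):
    """Exact P(malicious nodes hold more than half of the committee seats).

    total     -- A, number of participating nodes
    committee -- A*p, number of committee seats
    malicious -- A*q, number of malicious nodes
    Seats are assumed to be drawn uniformly without replacement.
    """
    if not (0 < committee <= total and 0 <= malicious <= total):
        raise ValueError("need 0 < committee <= total and 0 <= malicious <= total")
    need = committee // 2 + 1  # strictly more than half of the seats
    honest = total - malicious
    # math.comb returns 0 when asked to choose more items than exist, so
    # impossible splits drop out of the sum without special cases.
    ways = sum(comb(malicious, i) * comb(honest, committee - i)
               for i in range(need, committee + 1))
    return Fraction(ways, comb(total, committee))


def success_table(total=1000, ps=(0.1, 0.2, 0.4), qs=(0.3, 0.45, 0.5, 0.55, 0.7)):
    """Success probability over a grid of committee share p and malicious share q."""
    return {
        (p, q): float(attack_success_probability(total, round(total * p),
                                                 round(total * q)))
        for p in ps for q in qs
    }


if __name__ == "__main__":
    for (p, q), prob in success_table().items():
        print(f"p={p:.2f} q={q:.2f} P(success)={prob:.6f}")
```

The output shows the transition around $q = 0.5$ becoming sharper as the committee share $p$ grows, so a larger committee leaves less room for a minority to win by chance.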

In practical applications, storage overhead is an important factor in determining hardware requirements for training devices. Based on the above blockchain storage scheme, the latest global model can be quickly found. Historical models and updates, while providing disaster recovery capabilities, also take up huge storage space. Here, we give a simple and feasible solution to reduce storage overhead: nodes with insufficient capacity can delete historical blocks locally, and only keep the latest model and updates of this round. This can solve the problem of insufficient storage space for some nodes, while retaining the capabilities of disaster recovery and block verification on the core nodes. But the disadvantages of this method are also obvious. The trustworthiness of the blockchain decreases as nodes are removed. In a training community that does not trust each other, each node may not use this scheme for security reasons.

Therefore, trusted and reliable third-party storage may be a better solution. The blockchain only maintains a record of the network address where each model or update file is located and the modification operation. Other nodes interact with the centralized storage, fetching the latest models or uploading updates. This centralized storage will be responsible for disaster recovery backups and distributed file storage services.


4. Experiment

A. Settings and Normal Training

BFLC is compared with a basic FL framework (FedAvg) and a stand-alone training framework as baselines. Each framework implements the classic image classification model AlexNet as the global model and fixes a set of model hyperparameters to ensure fairness. In the experimental setting, the proportion of active nodes in each round is defined as $k$%, 40% of which will be elected as committee members of BFLC in the next round. The training node ratio of Basic FL is also $k$%. Meanwhile, stand-alone training utilizes the entire dataset. Their performance under different values of $k$ is recorded in TABLE 1.

It can be seen from TABLE 1 that as the proportion of active nodes increases, the performance of BFLC steadily approaches that of the basic FL framework, with only a slight loss compared with stand-alone training on the complete data set. It is worth mentioning that BFLC can significantly reduce the cost of consensus through the committee consensus mechanism. For example, if the number of training nodes is $P$ and the committee size is $Q$, the number of active nodes is $P+Q$. For BFLC, the amount of computation in each round of consensus can be expressed as $P\times Q$, while for broadcasting it is $(P+Q)^2$. Compared with independent training, BFLC also has the privacy data protection function of federated learning, and does not require a trusted central server to manage it, thus significantly reducing the risk of privacy leakage.

B. Under Malicious Attack

Malicious nodes in the training community can generate harmful updates that, if integrated, can significantly degrade the performance of the global model. We simulate a malicious node attack to demonstrate how the proposed BFLC, basic FL and CwMed will be affected by different malicious ratios in active nodes. It is assumed that the attack pattern of malicious nodes is random disturbance with point-like Gaussian random noise.

Basic FL does not perform any defense and integrates model updates generated by randomly selected active nodes. CwMed constructs a global gradient where each entry is the median of the entries in the local gradients with the same coordinates. BFLC relies on the aforementioned committee consensus to defend against attacks. Each update gets a score (i.e., the median local prediction accuracy) from the committee.

To enhance the effectiveness of the attack, it is assumed that malicious nodes are colluding, i.e. members of the malicious committee will give random high scores (e.g., 90%-100%) to malicious updates. The proportion of active nodes is fixed at 10%, of which 20% will be elected to the next round of committees. As shown in Figure 4, BFLC is able to resist a higher proportion of malicious nodes compared to the comparative method. This illustrates the effectiveness of the BFLC with the help of the committee mechanism.

Origin blog.csdn.net/WuwuwuH_/article/details/131803413