Secure Hierarchical Asynchronous Federated Learning with Shuffle Model and Mask–DP

Abstract

Hierarchical asynchronous federated learning (HAFL) accommodates more real networking and ensures practical communications and efficient aggregations. However, existing HAFL schemes still face challenges in balancing privacy-preserving and robustness. Malicious training nodes may infer the privacy of other training nodes or poison the global model, thereby damaging the system’s robustness. To address these issues, we propose a secure hierarchical asynchronous federated learning (SHAFL) framework. SHAFL organizes training nodes into multiple groups based on their respective gateways. Within each group, the training nodes prevent inference attacks from the gateways and committee nodes via a mask–DP exchange protocol and employ homomorphic encryption (HE) to prevent collusion attacks from other training nodes. Compared with conventional solutions, SHAFL uses noise that can be eliminated to reduce the impact of noise on the global model’s performance, while employing a shuffle model and subsampling to enhance the local model’s privacy-preserving level. At global model aggregation, SHAFL considers both model accuracy and communication delay, effectively reducing the impact of malicious and stale models on system performance. Theoretical analysis and experimental evaluations demonstrate that SHAFL outperforms state-of-the-art solutions in terms of convergence, security, robustness, and privacy-preserving capabilities.

1. Introduction

Hierarchical asynchronous federated learning (HAFL) has been widely applied and studied across various academic and industrial scenarios [1,2,3,4,5]. HAFL can adapt to more realistic networking systems with hierarchical structures and be compatible with heterogeneous training nodes through an asynchronous update mechanism. Typical applications include the Internet of Vehicles (IoV) [6,7,8] and the Internet of Things (IoT) [9,10,11,12]. However, HAFL still faces FL-specific security issues, including single-point failure, data privacy, and Byzantine fault tolerance. Attackers may conduct inference attacks to reconstruct the training nodes’ datasets from their updated models [13,14]. Malicious nodes may launch Byzantine attacks to compromise system robustness by poisoning the model [15,16].

Centralized federated learning (FL) approaches always suffer from a single point of failure and untrusted aggregation [17,18]. Owing to features such as decentralization, immutability, traceability, and consensus mechanisms, Blockchain-based technologies offer effective solutions [6,18,19]. They use Blockchain to store the global model, computational metadata, and other relevant data generated during the training process, ensuring transparency, traceability, and tamper resistance. However, Blockchain-based FL still faces privacy-preserving problems, e.g., membership inference attacks [13,20], model inversion attacks [14], Byzantine attacks, e.g., poisoning the models [15,16], and label flipping [21,22].

Differential privacy (DP) has been widely used for privacy in FL [23,24,25]. Compared to homomorphic encryption (HE) [26,27,28] and secure multi-party computation (SMC) [29,30,31], DP has low computational overhead and is more suitable for multiple iterations of computation [32]. Central differential privacy (CDP) [33] inputs calibrated noise into the global model via a central server that aggregates the model. Local differential privacy (LDP) [34] eliminates the dependence on a trusted central server and allows each training node to add noise to the uploaded model. However, the accumulated noise may degrade the performance of the global model. Yuan et al. [35] proposed an adaptive perturbation scheme that adjusts the variance of the perturbation online to reduce the performance degradation. Sun et al. [24] combined LDP with a shuffle model to reduce noise variance and enlarge the privacy budget. However, they can only reduce, but not eliminate, the impact of noise.

To suppress Byzantine attacks, e.g., additive noise (AN) [36,37], A Little Is Enough (ALIE) [22], inner product manipulation (IPM) [38], sign flipping (SF) [39,40], and label flipping (LF) [21,41], numerous robust aggregation algorithms have been proposed, e.g., Euclidean distance-based methods [42,43,44,45], cosine similarity-based approaches [46,47], and median/mean-based statistical techniques [48]. These algorithms distinguished between honest and malicious nodes by leveraging geometric distances or statistical features in high-dimensional spaces.

However, in LDP-based HAFL, the geometric distances or statistical characteristics are disturbed by noise, making it hard to distinguish malicious and delay models. Designing an HAFL system that simultaneously ensures privacy-preserving and Byzantine robustness remains hard.

This study proposes a secure hierarchical asynchronous federated learning (SHAFL) framework that ensures both privacy preservation and Byzantine robustness. Our contributions are summarized as follows:

• SHAFL proposes a decentralized mask exchange protocol that uses eliminable noise to prevent the gateway from compromising the privacy of the training node and to reduce the impact of noise on global model performance. Based on HE, it prevents $N-1$ collusion attacks among training nodes.
• The SHAFL scheme introduces a novel mechanism for continuous layer subsampling and dummy-layer padding. Combining continuous-layer subsampling, dummy-layer padding, and a shuffle model, SHAFL enhances the privacy-preserving capability of local models during the server aggregation phase.
• SHAFL designs a secure aggregation scheme that leverages the upload model’s test accuracy to mitigate the impact of malicious nodes on system robustness.
• With an eliminable noise, SHAFL reduces the damage to system robustness caused by node offline before model shuffling in groups.
• Experiments on the MNIST, CIFAR-10, and Heart Disease datasets validate the privacy, convergence, and robustness of the proposed SHAFL.

The remainder of this study is organized as follows: Section 2 analyzes the related work; Section 3 discusses the system model; Section 4 presents the proposed SHAFL framework; Section 5 and Section 6 discuss the convergence and security of the proposed SHAFL; Section 7 presents an experimental analysis of the proposed SHAFL; and Section 8 is the conclusion.

2. Related Work

Xie et al. [49] proposed an asynchronous federated optimization algorithm (FedAsync) addressing the straggler issue. Miao et al. [50] proposed a time-weighted asynchronous PPFL that integrates stale models. Wu et al. [51] designed an aggregation method to control asynchronous aggregation errors. Chen et al. [52] proposed an adaptive semi-asynchronous federated learning (ASAFL) approach to balance learning latency and accuracy. However, the distributed architecture of FL makes it susceptible to privacy-preserving issues [13,14] and Byzantine attacks [22,36,37].

There are three typical privacy protection methods in FL: HE [26,27], DP [18,32,53,54], and SMC [29,30,31]. Compared with DP and SMC, HE-based methods exhibit higher computational complexity and overly conservative safety assumptions. For example, Yang et al. [26] proposed a secure FL scheme that prevents privacy attacks from external attackers and half-honest servers without requiring a shared homomorphic key. It can not defend against internal attacks from training nodes that share homomorphic keys. Miao et al. [27] proposed a privacy-preserving and Byzantine-robust FL framework with a fully homomorphic encryption (FHE) algorithm CKKS, assuming a trusted verifier. DP is widely used to preserve privacy in FL due to its quantifiable privacy loss and low computational overhead [18,32,53,54]. Wei et al. [53] proposed a Gaussian–DP-based privacy-preserving FL scheme. Jiang et al. [54] proposed a Laplace–DP-based algorithm to improve performance. Yan et al. [18] proposed a Laplace–DP-based asynchronous FL scheme for an IoT system, while analyzing the dropout tolerance of DP-based FL. However, the noise introduced by DP inherently degrades the model’s accuracy and utility and requires a larger privacy budget. In theory, Mask-based SMC schemes can eliminate the effects of noise. However, security concerns arise in the generation and aggregation of the mask/noise. For example, Feng et al. [29] proposed a Blockchain-enabled, horizontally decentralized FL with a mask that may be generated by a malicious node. Hiroki et al. [30] proposed a mask-based decentralized FL scheme; however, it cannot protect against collusion attacks. Shen et al. [31] proposed a LiPFed scheme in which each training node generates its own masks, thereby eliminating reliance on intermediate nodes for security. However, the divided model may result in insecure aggregation. Moreover, if the aggregation node cannot obtain all the noisy models, the mask/noise cannot be eliminated. In our proposed scheme, we introduce a mask-DP exchange protocol that, in theory, eliminates noise and improves performance when used with PBFT.

To address Byzantine attacks, it is necessary to distinguish between honest and malicious nodes using updated models [55,56]. With a consortium Blockchain, Yan et al. [18] adopt a Practical Byzantine Fault Tolerance (PBFT) protocol to ensure the credibility of aggregated results. Furthermore, Xu et al. [57] proposed a semi-asynchronous aggregation scheme resisting poisoning attacks, backdoor attacks, and Distributed Denial of Service (DDoS) attacks. Zhang et al. [56] proposed a robust and secure framework for FL with verifiable DP noise. However, their work is discussed in the context of synchronous FL but ignores the impact of asynchronous FL, particularly the effect of noise on the model accuracy of PBFT.

In addition, privacy amplification mechanisms, e.g., shuffler [58,59], subsampling [60], and dummy points [24], are introduced into FL to increase the privacy budget while reducing noise. The shuffling mechanism disrupts the correlation between the uploaded local models and the training nodes to enhance the LDP with anonymity [58,59,61]. Using the subsampling and dummy point algorithms, Sun et al. [24] proposed a privacy-enhancing DP-based FL, which amplified the privacy-preserving level of LDP at the aggregation stage. These methods can reduce the impact of DP noise. In our proposed scheme, we introduce a shuffling mechanism for asynchronous environments, reducing the impact of mask noise leakage on PBFT.

3. System Model

This section introduces the Blockchain-based hierarchical asynchronous federated learning, threat model, and privacy-preserving mechanism adopted by the SHAFL framework.

3.1. Blockchain-Based Hierarchical Asynchronous Federated Learning

Shown in Figure 1, our proposed SHAFL framework considers a Blockchain-based scenario that consists of two layers; In the first layer of the SHAFL framework, the training nodes have K groups $\left\{G_o\right\}$, each group has a header node called gateway $y_o$, and the size of group $G_o$ is $s_o$. In group $G_o$, each training node $c_i^o\in G_o$ has a dataset $D_{c_i^o}\in D$. The basic FL [62] is

$$F(w)=\sum _{c_i^o\in C}{\rho }_{c_i^o}{F}_{c_i^o}(w)$$

(1)

$$F_{c_i^o}(w)=\sum _{\xi \in D_{c_i^o}}{\rho }_{\xi }f(w,\xi )$$

(2)

where $F(w)$ is the task objective function, $F_{c_i^o}$ is the objective function of $c_i^o$, ${\rho }_{c_i^o}$ and ${\rho }_{\xi }$ are weights of model aggregation, and $f(w,\xi )$ is the loss function at $c_i^o$.

In the first layer of the SHAFL framework, in turn $t\le T$, each training node $c_i^o$ first receives a global model $w^{t-1}$ from Blockchain; then, locally and iteratively trains $w^{t-1}$ with $D_{c_i^o}$, and outputs $w_{c_i^o}^{t-{\tau }^o}$: $w_{c_i^o}^{t-{\tau }^o}\equiv w_{c_i^o}^{t-{\tau }^o,H}$, after H iterations. In iteration $h\le H$, the local update is

$$w_{c_i^o}^{t-{\tau }^o,h}=w_{c_i^o}^{t-{\tau }^o,h-1}-{\gamma }_{c_i^o}{g}_{c_i^o}^{t-{\tau }^o,h-1}(w_{c_i^o}^{t-{\tau }^o,h-1},D_{c_i^o})$$

(3)

$$g_{c_i^o}^{t-{\tau }^o,h}(w_{c_i^o}^{t-{\tau }^o,h},D_{c_i^o})={\displaystyle \frac{1}{|D_{c_i^o}|}}\sum _{\xi \in D_{c_i^o}}▽f(w_{c_i}^{t-{\tau }^o,h},\xi )$$

(4)

where $w_{c_i^o}^{t-{\tau }^o}$ is the local update, ${\tau }^o$ is the delay of group $G_o$ and gateway $y_o$, and $t-{\tau }^o$ is the start time of local training replacing synchronous tempo t; ${\gamma }_{c_i^o}$ is the learning rate.

It assumes that all local training within a group is synchronous, meaning that all $\tau$ in a group are the same and are marked with ${\tau }^o$. After collecting all local updates, the gateway $y_o$ obtains $w_{y_o}^{t-{\tau }^o}$:

$$w_{y_o}^{t-{\tau }^o}={\displaystyle \frac{{\displaystyle \sum _{c_i^o\in G_o}}{w}_{c_i^o}^{t-{\tau }^o}}{s_o}}$$

(5)

In the second layer of the SHAFL framework, all gateways can upload their updates to the Blockchain asynchronously, which means the primary committee node allows the gateways to have different delays ${\tau }^o$. After a period, the primary committee node downloads the updates from the Blockchain and aggregates the global model as [1]

$$w^t=(1-\alpha )w^{t-1}+\alpha {\displaystyle \frac{{\displaystyle \sum _{o=1}^{{\eta }_t}}{\rho }_{y_o}{w}_{y_o}^{t-{\tau }^o}}{{\displaystyle \sum _{o=1}^{{\eta }_t}}{\rho }_{y_o}}}$$

(6)

where $\alpha \in (0,1)$ is the hyperparameter weight of global update, ${\rho }_{y_o}$ is the weight of local update $w_{y_o}^{t-{\tau }^o}$, and ${\eta }_t$ is the number of local updates uploaded in turn t. Figure 2 shows the asynchronous time workflow of the SHAFL framework.

3.2. Threat Model

In this study, we assume that a gateway can be honest but curious, and a training/committee node might be potentially malicious. The potential threats caused by training nodes, gateways, and committee nodes are shown as follows.

• Training nodes: They try to extract other training nodes’ local data as much as possible from local updates, via launching inference attacks [13,14] and data reconstruction attacks [63,64,65]. Malicious training clients may engage in data poisoning or upload maliciously crafted local updates [66], which can lead to a degradation of the global model’s accuracy.
• Gateways: They follow predefined protocols and submit correct intermediate results. However, they are curious about the sensitive information contained in training nodes and may attempt to infer the training nodes’ private data, resulting in data leakage.
• Committee nodes: Malicious committee nodes may discard local updates from gateways or release a malicious global model, thus compromising the robustness of the system.
• collusion attacks: Malicious training nodes may collude to obtain the private model of the target node, such as attempting to remove the noise added to the target model. Furthermore, malicious training nodes could collude with gateways, or gateways could collude with malicious committee nodes to attack the training nodes’ privacy.

3.3. Privacy Preserving Mechanism

To tackle the privacy-preserving issues, the SHAFL framework introduces an LDP-based shuffle model, a mask–DP exchange protocol, and Paillier homomorphic encryption.

3.3.1. LDP Mechanism

Unlike CDP, an LDP-based FL allows the training node to add noise to the model locally to achieve decentralized privacy-preserving [32], which has no reliance on a trusted server.

Definition 1 

($({ϵ}_0,{\delta }_0)$-LDP [32]). A randomized algorithm $\mathcal{M}:D\to R$ satisfies $({ϵ}_0,{\delta }_0)$-LDP if for any two adjacent datasets $d,d^{\prime }\in D$ and for any subset of outputs $S\subseteq R$, it holds that

$$Pr[\mathcal{M}(d)\in S]\le e^{{ϵ}_0}Pr[\mathcal{M}(d^{\prime })\in S]+{\delta }_0$$

(7)

Gaussian mechanism extracts random noise from the Gaussian distribution and adds noise to the query function to satisfy $(ϵ,\delta )$-DP.

Definition 2 

(Gaussian Mechanism [32]). For a given query function f with sensitivity ${▵}_{2}f$. The randomized algorithm $\mathcal{M}=f(D)+\mathcal{N}(0,{\sigma }^2)$ satisfies $(ϵ,\delta )$-DP if

$$\sigma \ge {\displaystyle \frac{{▵}_{2}f}{ϵ}}log(2ln(1.25/\delta ))$$

(8)

where $\mathcal{N}(0,{\sigma }^2)$ is a Gaussian distribution with mean 0 and covariance ${\sigma }^2$, and ${▵}_{2}f$ is $l_2$ sensitivity of query function f.

3.3.2. LDP-Based Shuffle Model

The shuffle model disrupts the correlation between the local model and the training nodes through a confusion mechanism to provide anonymity to the local model [59,61]. A LDP-based shuffle model further enhances the privacy-preserving and anonymity [58,67]. The LDP shuffle model is shown in Figure 3 and defined as follows.

Definition 3 

(LDP-based shuffle model [24]). A randomized mechanism $\mathcal{M}$ is an LDP shuffle model if it includes three components: encoder $\mathcal{R}$, shuffler $\mathcal{S}$, and analyzer $\mathcal{A}$ [24]. Considering that the shuffler (gateway) takes n training nodes’ upload in group $G_o$:

• Encoder $\mathcal{R}:\mathcal{X}\to {\mathcal{Y}}^d$ is a randomized algorithm that runs on the training nodes’ side and converts local data $x_i\in \mathcal{X}$ into d messages.
• Shuffler $\mathcal{S}:{({\mathcal{Y}}^d)}^n\to {\widehat{\mathcal{Y}}}^{dn}$ collects the messages uploaded by n training nodes and processes the messages into a random permutation.
• Aggregator $\mathcal{A}:{\widehat{\mathcal{Y}}}^{dn}\to \mathcal{Z}$ aggregates the random permutation uploaded by training nodes to generate a model.

In summary, the shuffle DP can be denoted as

$$\begin{array}{cc}\hfill {\mathcal{M}}_{y_o}& \triangleq \mathcal{A}\circ \mathcal{S}\circ \mathcal{R}(\mathcal{X})\hfill \\ \hfill & =\mathcal{A}(\mathcal{S}(\mathcal{R}(x_1),\dots ,\mathcal{R}(x_n)))\hfill \\ \hfill & =\mathcal{A}(\mathcal{S}(y_{1,1},\dots ,y_{1,d},\dots ,y_{n,1},\dots ,y_{n,d}))\hfill \\ \hfill & =\mathcal{A}(\underset{n}{\underbrace{y_{1,1},\dots ,y_{z_1,1}}},y_{1,2},\dots ,y_{z_2,2},\dots ,y_{1,d},\dots ,y_{z_3,d})\hfill \\ \hfill & =\mathcal{Z}\hfill \end{array}$$

(9)

where ${\mathcal{M}}_{y_o}$ is the privacy-preserving mechanism, d is the number of messages, $z_1,z_2,z_3$ are random numbers, and $\mathcal{Z}$ is the uploaded model of the shuffler (gateway). Encoder $\mathcal{R}$ satisfies $({ϵ}_0,{\delta }_0)$-LDP.

3.3.3. Mask–DP Exchange Protocol

An eliminable noise [68], mask $\pi$, is generated through the Gaussian mechanism. In turn t, the mask exchange protocol is defined as detailed in [30]. The process is

• Input the number of training nodes n, the number of exchange noises $m,1<m<n$, and a set of privacy budgets $\left\{{ϵ}_{c_i}\right\}$.
• Each $c_i$ generates mask ${\pi }_{c_i}^t$ based on $\left\{{ϵ}_{c_i}\right\}$ and receives mask $\left\{{\pi }_{c_j}^t\right\}$ from $\mathcal{J}=\left\{c_j\right\},j=i+1,\dots ,i+mmodn$.
• After the exchange step, each $c_i$ aggregate received masks ${\pi }_i^t={\displaystyle \sum _{j\in \mathcal{J}}}{\pi }_{c_j}^t$.
• Each training node $c_i$ generates m multi-masks as follows:

  $$M_{i,k}^t=\left\{\begin{array}{cc}{w}_{c_i}^t-{\pi }_i^t,\hfill & ifk=0\hfill \\ {\pi }_{c_i}^t,\hfill & ifk=1,2,3,\dots ,m\hfill \end{array}\right.$$

  (10)
• Each $c_i$ sends m multi-masks to gateways.

The local update $w_i^t-{\pi }_i^t$ satisfies $(ϵ,\delta )$-LDP. In a group $G_o$, ${\sum }_{i=1}^n{\sum }_{k=0}^m{M}_{i,k}^t={\sum }_{i=1}^n{w}_{c_i}^t$. The server can aggregate the global model without adding perturbation. Shown in Figure 4, in a group $G_o$, the number of training nodes is n, e.g., $n=4$, and the number of noises to be exchanged is $m=n-1=3$. Each training node generates noise $\{{\pi }_{c_1}^t,{\pi }_{c_2}^t,{\pi }_{c_3}^t,{\pi }_{c_4}^t\}$ based on its privacy budget $\{{ϵ}_{c_1},{ϵ}_{c_2},{ϵ}_{c_3},{ϵ}_{c_4}\}$. Following the mask exchange protocol, m multi-mask messages $\{M_{1,0}^t,\dots ,M_{4,3}^t\}$ are generated and transmitted to the gateway. The gateway then performs pre-aggregation as follows:

$$\begin{array}{cc}\hfill \sum _{i=1}^4\sum _{k=0}^3{M}_{i,k}^t& =M_{1,0}^t+M_{1,1}^t+M_{1,2}^t+M_{1,3}^t+\dots +M_{4,0}^t+M_{4,1}^t+M_{4,2}^t+M_{4,3}^t\hfill \\ \hfill & =w_{c_1}^t-{\pi }_1^t+{\pi }_{c_1}^t+{\pi }_{c_1}^t+{\pi }_{c_1}^t+\dots +w_{c_4}^t-{\pi }_4^t+{\pi }_{c_4}^t+{\pi }_{c_4}^t+{\pi }_{c_4}^t\hfill \\ \hfill & =w_{c_1}^t-{\pi }_{c_2}^t-{\pi }_{c_3}^t-{\pi }_{c_4}^t+3{\pi }_{c_1}^t+\dots w_{c_4}^t-{\pi }_{c_1}^t-{\pi }_{c_2}^t-{\pi }_{c_3}^t+3{\pi }_{c_4}^t\hfill \\ \hfill & =w_{c_1}^t+w_{c_2}^t+w_{c_3}^t+w_{c_4}^t\hfill \\ \hfill & =\sum _{i=1}^4{w}_{c_i}^t\hfill \end{array}$$

(11)

where $w_{c_i}^t$ denotes the local update of training node $c_i$. After pre-aggregation, the noise $\{{\pi }_{c_1}^t,{\pi }_{c_2}^t,{\pi }_{c_3}^t,{\pi }_{c_4}^t\}$ is eliminated. Therefore, the server can aggregate a global model without perturbation.

3.3.4. Paillier Homomorphic Encryption

Our scheme is based on Paillier homomorphic encryption (PHE) [69], which is an additive homomorphic encryption scheme. It consists of three algorithms.

• Key Generation: Select two large prime numbers, p and q. Calculate $n=pq$ and $\lambda =lcm(p-1,q-1)$; $lcm(·)$ denotes the least common multiple. Randomly select $g\in {\mathbb{Z}}_{n^2}^{*}$ satisfying $gcd(L(g^{\lambda }mod{n}^2),n)=1$; $gcd(·)$ denotes the greatest common divisor, $L(x)={\displaystyle \frac{x-1}{n}}$. Calculate $\mu ={(L(g^{\lambda }mod{n}^2))}^{-1}modn$. Output the public key $PK=(n,g)$ and keep the private key $SK=(\lambda ,\mu )$.
• Encryption: Input a plain text $m\in {\mathbb{Z}}_n$ and select a random number $r\in Z_n^{*}$. Output the cipher text $c=Enc(m)=g^m·r^{n}mod{n}^2$.
• Decryption: Input a cipher text $c\in {\mathbb{Z}}_{n^2}^{*}$. Output the plain text $m=Dec(c)=L(c^{\lambda }mod{n}^2)·\mu modn$.

4. Proposed Framework

This section introduces our proposed secure hierarchical asynchronous federated learning (SHAFL) scheme, including design goals, the SHAFL framework, the shuffle model, and the committee consensus mechanism.

Table 1. Nomenclature.

Notation	Description	Notation	Description
F	global loss	$c_i$,$c_i^o$	i-th trainer; i-th trainer in $G_o$
$\rho$	weights	$y_o$	gateway of $G_o$
f	loss function	$G_o$	o-th group
w	model & model parameters	h	h-th iteration
$w^t$	global model for t-th turn	t	t-th turn
$w_{c_i^o}^{t-{\tau }^o,h}$	local update for c in h-th iteration t-th turn	$\xi$	sample of dataset
$w_{y_o}^{t-{\tau }^o}$	local update for group $G_o$	${\tau }^o$	delay of group $G_o$
$M_{i,k}^{t-{\tau }^o}$	m-multi-masks	$R_{t,o}^{u_i}$	score of model $w_{y_o}^{t-{\tau }^o}$ generated by $u_i$
$x_{i,k}^{t-{\tau }^o,z}$	vector of $z-th$ layer of mask $M_{i,k}^{t-{\tau }^o}$	$v_z$	number of $x_{i,r}^{t-{\tau }^o,z}$
$u_q$	primary committee node	$u_i$	committee nodes
$D_{test}$	global datasets	$s_o$	size of group $G_o$
$D_{c_i^o}$	local dataset for $c_i^o$	C	set of training nodes
$\alpha$	hyperparameters of aggregation	U	set of committees
${\gamma }_{c_i^o}$	learning rate of training node $c_i^o$	N	number of training nodes
${\eta }_t$	number of $w_{y_o}^{t-{\tau }^o}$ collected in t-th turn	M	number of committee nodes
$\sigma$	variance of noise	m	number of exchange noises
${\pi }_{c_i}^{t-{\tau }^o}$	mask generated by $c_i^o$	K	number of groups
O	set of groups	Y	set of gateways
${\theta }^{t-{\tau }^o,z}$	$z-th$ layer of model $w_{y_0}^{t-{\tau }^o}$	$p_{i,0}^{t-{\tau }^o,z}$	$z-th$ dummy layer of model $w_{c_i^o}^{t-{\tau }^o}$
$H_{min}$	minimum training iteration	$H_{max}$	maximum training iteration

outlines the notation definitions in this study.

4.1. Design Goals

The design objectives of SHAFL are as follows:

• Prevent malicious training nodes, gateways, and committee nodes from compromising the local data privacy of training nodes.
• Solve the problem of $n-1$ collusion attacks among training nodes.
• Eliminate the impact of noise on global model performance.
• Prevent malicious training and committee nodes from compromising system robustness and global model performance.

4.2. Framework

The workflow of the SHAFL framework is shown in Figure 5. The SHAFL framework comprises four types of entities: task publishers, committee nodes U, training nodes C, and gateways Y. The task publisher initializes the global model $w^0$ (and rewards) in $bloc{k}_0$. The committee nodes share the same Paillier homomorphic key pair $upk/usk$ and act as aggregators. They receive messages from gateways, analyze and aggregate them, and then publish the global model $w^t$ and the hyperparameters. Gateways act as shufflers that receive m multi-masks from training nodes and upload the output $\mathcal{Z}/{\mathcal{M}}_{y_o}$ of the shuffle model to the Blockchain. Each training node has the same Paillier homomorphic key pair $cpk/csk$. The training nodes under the same gateway are called a group $G_o$, and the size of the group $G_o$ is $s_o$. The SHAFL framework is presented in Algorithm 1 with six steps:

Algorithm 1 Algorithm of SHAFL

Input: $w^{t-1},H,\left\{D_{c_i^o}\right\},{ϵ}_{c_i^o},{\delta }_{c_i^o},T,O,Y,C,U$ Output: $w^T$ 1: Task publisher initializes the global model $w^0$ (and rewards) in $bloc{k}_0$ 2: for  $t\le T$  do 3:    for each $c_i\in C,y_o\in Y$ do 4:      $G_o=\mathbf{Nodes}\mathbf{shuffling}(c_i,y_o)$ 5:    end for 6:    $u_q$ sends the signed messages to Blockchain 7:    for each $c_i^o\in G_o$ do 8:      According to ${ϵ}_{c_i^o},{\delta }_{c_i^o}$ and Gaussian Mechanism, $c_i^o$ calculates noise scale ${\sigma }_{c_i^o}$ 9:      ${\pi }_{c_i}^{t-{\tau }^o}$ = Mask generating$\mathcal{N}(0,{\sigma }_{c_i^o}^2)$ 10:      $c_i^o$ receives $\left\{{\pi }_{c_j}^{t-{\tau }^o}\right\}$ from other trainers 11:      $c_i^o$ downloads and decrypts signed messages from Blockchain 12:      $w_{c_i^o}^{t-{\tau }^o}$ = Local training($w^{t-1},D_{c_i^o},H,\gamma$) 13:      $\left\{M_{i,k}^{t-{\tau }^o}\right\}$ = Model masking($w_{c_i^o}^{t-{\tau }^o}$,${\pi }_{c_i}^{t-{\tau }^o}$,$\left\{{\pi }_{c_j}^{t-{\tau }^o}\right\}$) 14:      $c_i^o$ divides and encrypts $\left\{M_{i,k}^{t-{\tau }^o}\right\}$ to $En{c}_{upk}(\left\{x_{i,k}^{t-{\tau }^o,z}\right\})$ 15:    end for 16:    for each $y_o\in G_o\subset O$ do 17:      $w_{y_o}^{t-{\tau }^o}=\mathbf{Model}\mathbf{shuffling}(En{c}_{upk}(\left\{x_{i,k}^{t-{\tau }^o,z}\right\}))$ 18:      $y_0$ signs and saves $w_{y_o}^{t-{\tau }^o}$ in Blockchain. 19:    end for 20:    for each $u_i\in U$ do 21:      Select $u_q$ by $q=hash(bloc{k}_{t-1})modM$ 22:      $w^t,\left\{R_{t,o}^{u_q}\right\}$ = Committee consensus($U,w^{t-1}$,$\left\{w_{y_o}^{t-{\tau }^o}\right\}$) 23:    end for 24:    $u_q$ signs and saves $w^t,\left\{R_{t,o}^{u_q}\right\}$ in $bloc{k}_t$ 25: end for 26: $t=t+1$ 27: return Outputs

• Node shuffling: In turn t, each training node $c_i\in C$ randomly selects a gateway as its shuffler. Training nodes under the same gateway $y_o$ form a group $G_o\subset O$.
• Mask generating: Training nodes process mask–DP exchange protocol. According to the differential privacy parameter ${ϵ}_{c_i^o},{\delta }_{c_i^o}$ and the Gaussian mechanism, $c_i^o$ calculates noise scale ${\sigma }_{c_i^o}$ based on Equation (8) and generates masks ${\pi }_{c_i}^{t-{\tau }^o}$ based on Gaussian distribution $\mathcal{N}(0,{\sigma }_{c_i^o}^2)$. Then, $c_i^o$ exchanges masks ${\pi }_{c_i}^{t-{\tau }^o}$ with other training nodes within a group $G_o$.
• Local training: All training nodes $\left\{c_i^o\right\}$ receive the signed and encrypted message from the gateway, decrypt $De{c}_{csk}(En{c}_{cpk}(w^{t-1},\gamma ,{\tau }_{max},H))$ with private key $csk$, obtain the global model $w^{t-1}$, set their learning rate $\gamma$, and train the global model $w^{t-1}$ with $D_{c_i^o}$ locally using Equations (3) and (4).
• Model masking: Training node $c_i^o$ subsamples its local update $\left\{w_{c_i^o}^{t-{\tau }^o}\right\}$ and performs $z-th$ dummy layer $\left\{p_{i,0}^{t-{\tau }^o,z}\right\}$ filling on the sampled model to restore the original model shape. Using the filled model $w_{c_i^o}^{*,t-{\tau }^o}$, masks ${\pi }_{c_i}^{t-{\tau }^o}$ and $\left\{{\pi }_{c_j}^{t-{\tau }^o}\right\}$, and the training node generates m multi-masks messages according to Equation (10). m multi-masks $\left\{M_{i,k}^{t-{\tau }^o}\right\}$ are further divided into d-layer vectors $\left\{x_{i,k}^{t-{\tau }^o,z}\right\},z\in [1,d]$, according to the shape of the global model. Then, training node $c_i^o$ encrypts these messages with the primary committee node’s public key $upk$ and sends the encrypted messages $En{c}_{upk}\left\{x_{i,k}^{t-{\tau }^o,z}\right\}$ to the gateway $y_o$. The subsample, dummy-layer filling, and model masking are proposed in Algorithm 2. It is worth noting that the masks are additive Gaussian noises; the encrypted model has the same shape and location information as the global model.
• Model shuffling: After the gateway receives all messages $En{c}_{upk}\left\{x_{i,k}^{t-{\tau }^o,z}\right\}$ from the training nodes, the gateway shuffles encrypted messages $En{c}_{upk}(x_{i,k}^{t-{\tau }^o,z})$ using Equation (9), and retains the location information of the layer. Then, the gateway generates a new model $w_{y_o}^{t-{\tau }^o}$ and sends it to the Blockchain with a delay ${\tau }^o$ asynchronously. If ${\tau }^o>{\tau }_{max}$, stale models are discarded.
• Committee consensus: Committee nodes U select a primary node $u_q$. Primary committee node $u_q$ downloads ${\eta }_t$ local updates $\left\{w_{y_o}^{t-{\tau }^o}\right\}$ from the Blockchain and decrypts them to obtain $\left\{w_{y_o}^{t-{\tau }^o,*}\right\}$. Then, $u_q$ scores the model $\left\{w_{y_o}^{t-{\tau }^o,*}\right\}$ and signs and broadcasts the scores $\left\{R_{t,o}^{u_q}\right\}$ to other committee nodes. Other committee nodes then re-score the models and reach a consensus on scores $\left\{R_{t,o}^{u_q}\right\}$. Once a consensus is reached, primary $u_q$ aggregates the local updates $\left\{w_{y_o}^{t-{\tau }^o,*}\right\}$ as

  $$w^t=(1-\alpha )w^{t-1}+\alpha {\displaystyle \frac{{\displaystyle \sum _{o=1}^{{\eta }_t}}{R}_{t,o}^{u_i}{w}_{y_o}^{t-{\tau }^o,*}}{{\displaystyle \sum _{o=1}^{{\eta }_t}}{R}_{t,o}^{u_i}}}$$

  (12)

  where $\alpha$ denotes the hyperparameter of secure aggregation, and ${\eta }_t$ is the number of local updates uploaded by gateways in turn t. Primary committee node $u_q$ encrypts and uploads the new global model $En{c}_{cpk}(w^t)$ to the Blockchain for the next turn $t+1$.

Algorithm 2 Model masking

Input: $w_{c_i^o}^{t-{\tau }^o},{\pi }_{c_i}^t,\left\{{\pi }_{c_j}^t\right\},ϵ,\phi$ Output: $En{c}_{upk}(x_{i,k}^{t-{\tau }^o,z})$ 1: for each $G_o\subset O$ do 2:    for each $c_i^o\in G_o$ do 3:      Calculated mask ${\pi }_i^{t-{\tau }^o}={\displaystyle \sum _{c_j\in G_o}}{\pi }_{c_j,i}^{t-{\tau }^o}$ 4:      for $z\le d$ do 5:         if $zmod\lceil {\displaystyle \frac{d}{s_o}}⌉=i$ then 6: $\mathrm{Dropped}{x}_{i,0}^{t-{\tau }^o,z}$ and evaluated σ by Equation (8) 7: $\mathrm{Generated}\mathrm{dummy}\mathrm{layers}{p}_{i,0}^{t-{\tau }^o,z}=\mathcal{N}(0,{\sigma }_{c_i}^2)$ 8: $x_{i,0}^{t-{\tau }^o,z}\leftarrow p_{i,0}^{t-{\tau }^o,z}$ 9: $\mathbf{end}\mathbf{if}$ 10: $z=z+1$ 11: $\mathbf{end}\mathbf{for}$ 12: $\mathrm{Generated}\mathrm{masks}\left\{M_{i,k}^{t-{\tau }^o}\right\}\mathrm{with}{w}_{c_i^o}^{*,t-{\tau }^o}$ by Equation (10) 13: $\mathrm{Divide}\mathrm{masks}\mathrm{as}\left\{x_{i,k}^{t-{\tau }^o,z}\right\}\leftarrow \left\{M_{i,k}^{t-{\tau }^o,z}\right\}$ 14: $\mathbf{for}z\le d\mathbf{do}$ 15: $x_{i,k}^{t-{\tau }^o,z}\leftarrow \lfloor \phi ·x_{i,k}^{t-{\tau }^o,z}\rfloor$ 16: $\mathbf{end}\mathbf{for}$ 17: $\mathrm{Encrypted}\left\{x_{i,k}^{t-{\tau }^o,z}\right\}\mathrm{to}En{c}_{upk}(x_{i,k}^{t-{\tau }^o,z})$ using primary committee’s public key upk 18: $\mathbf{end}\mathbf{for}$ 19: $\forall c_i^o\in G_o\mathrm{send}\mathrm{Encrypted}\mathrm{messages}En{c}_{upk}(x_{i,k}^{t-{\tau }^0,z})$ to gateway yo synchronous 20: $\mathbf{end}\mathbf{for}$ 21: return Outputs

Once t reaches the set parameter T or the global model $w^t$ converges, the FL ends.

4.3. Multi-Shuffle with Subsample and Dummy Layers

To enhance the LDP, the SHAFL framework introduces the shuffle model, which fills the subsample and dummy layers. These privacy-enhancing mechanisms reduce the required noise level in local updates while ensuring the performance preservation of models uploaded by training nodes [67]. However, the subsample will cause missing model layers, which makes it difficult for the committee node to combine and aggregate the local updates into an available model [24]. The SHAFL framework introduces dummy layers to ensure a valid model.

The subsample, dummy-layer filling, and model masking are shown in Figure 6 and Algorithm 2. After local training, the training node first performs continuous layer subsampling on its local updates $w_{c_i^o}^{t-{\tau }^o}$. All training nodes perform subsampling and drop some model layers. They then evaluate the variance $\sigma$ of the Gaussian noise using Equation (8), and fill the dropped layers $x_{i,0}^{t-{\tau }^o,z}$ with dummy layers $p_{i,0}^{t-{\tau }^o,z}$ generated from Gaussian noise $p_{i,0}^{t-{\tau }^o,z}=\mathcal{N}(0,\sigma )$, where

$$x_{i,0}^{t-{\tau }^o,z}\leftarrow p_{i,0}^{t-{\tau }^o,z},z=i+r⌈{\displaystyle \frac{d}{s_o}}⌉,r=0,1,2,\dots$$

(13)

The filled model is denoted as $w_{c_i^o}^{*,t-{\tau }^o}$. According to the mask–DP exchange protocol, the training node generates m multi-masks $\left\{M_{i,k}^{t-{\tau }^o}\right\}$ using masks ${\pi }_{c_i}^{t-{\tau }^o}$ and {${\pi }_{c_j}^{t-{\tau }^o}$}. It is worth noting that $k\in [0,m]$, and each training node generates $m+1$ multi-masks {$M_{i,k}^{t-{\tau }^o}$}.

Before uploading the masks $\left\{M_{i,k}^{t-{\tau }^o}\right\}$ to the gateway, the training node divides them layer by layer:

$$x_{i,k}^{t-{\tau }^o,z}=M_{i,k}^{t-{\tau }^o,z}$$

(14)

where $x_{i,k}^{t-{\tau }^o,z}$ denotes the $z-th$ layer vector of $M_{i,k}^{t-{\tau }^o,z}$, $i\in [1,s_o]$, and $k\in [0,m]$, $z\in [1,d]$. The value of $x_{i,k}^{t-{\tau }^o,z}$ is a float number, which can not be encrypted directly with PHE. Therefore, the value of layer vector $x_{i,k}^{t-{\tau }^o,z}$ should be expanded to an integer through quantization $x_{i,k}^{t-{\tau }^o,z}\leftarrow \lfloor \phi ·x_{i,k}^{t-{\tau }^o,z}\rfloor$, where $\phi$ denotes the scale of quantization. Then, using primary committee node $u_q$’s homomorphic public key $upk$, the training node encrypts the layer vector $x_{i,k}^{t-{\tau }^o,z}$ to $En{c}_{upk}\left\{x_{i,k}^{t-{\tau }^o,z}\right\}$ layer by layer and uploads $d{s}_o(m+1)$ messages to gateway $y_o$.

The gateway (shuffler) receives messages from training nodes and shuffles them by layer. Specifically, the gateway will collectively shuffle the order of the layer vectors $En{c}_{upk}\left\{x_{i,k}^{t-{\tau }^o,z}\right\}$ from all clients at the same layer. After shuffling, according to the hierarchical relationship, the encrypted layer vectors are stored in order to form a new local update $w_{y_o}^{t-{\tau }^o}$. Then, the gateway uploads it to the Blockchain. The local update $w_{y_o}^{t-{\tau }^o}$ before aggregating is denoted as

$$\begin{array}{cc}\hfill {\mathcal{M}}_{y_o}& =w_{y_o}^{t-{\tau }^o}\hfill \\ & =\mathcal{A}\circ \mathcal{S}\circ {\mathcal{R}}^{d{s}_o(m+1)}(X)\hfill \\ & =\mathcal{A}(S_{y_o}(R_1^{d(m+1)}(X),\dots ,R_{s_o}^{d(m+1)}(X)))\hfill \\ & =\mathcal{A}(S_{y_o}(R_1^{d(m+1)}(En{c}_{upk}(M_{1,0}^{t-{\tau }^o},M_{1,1}^{t-{\tau }^o},\dots ,\hfill \\ & M_{1,m}^{t-{\tau }^o})),\dots ,R_{s_o}^{d(m+1)}(En{c}_{upk}(M_{s_o,0}^{t-{\tau }^o},\dots ,\hfill \\ & M_{s_o,m}^{t-{\tau }^o}))))\hfill \\ & =\mathcal{A}(S_{y_o}(En{c}_{upk}(x_{1,0}^{t-{\tau }^o,1},\dots ,x_{1,0}^{t-{\tau }^o,d},\dots ,x_{1,m}^{t-{\tau }^o,1},\hfill \\ & \dots ,x_{1,m}^{t-{\tau }^o,d},\dots ,x_{s_o,0}^{t-{\tau }^o,1},\dots ,x_{s_o,0}^{t-{\tau }^o,d},\dots ,x_{s_o,m}^{t-{\tau }^o,1},\hfill \\ & \dots ,x_{s_o,m}^{t-{\tau }^o,d})))\hfill \\ & =\mathcal{Z}\hfill \end{array}$$

(15)

where m is the number of multi-masks, and $x_{s_o,m}^{t-{\tau }^o,z}$ is the $z-th$ layer vector of mask $M_{s_o,m}^{t-{\tau }^o}$ in turn t before encryption. The number of training node messages is $d(m+1)$. The $z-th$ layer of the new local update $w_{y_o}^{t-{\tau }^o}$ is

$${\theta }^{t-{\tau }^o,z}=\prod _{i=1}^{s_o}\prod _{k=0}^{m}En{c}_{upk}(x_{i,k}^{t-{\tau }^o,z})$$

(16)

Due to homomorphism, $Dec({\theta }^{t-{\tau }^o,z})={\displaystyle \sum _{i=1}^{s_o}}{\displaystyle \sum _{k=0}^m}(x_{i,k}^{t-{\tau }^o,z})$

The SHAFL framework uses the gateways as shufflers. The shuffling and pre-aggregation of model $w_{y_o}^{t-{\tau }^o}$ are shown in Figure 6 and Algorithm 3.

Algorithm 3 Model shuffling

Input: $Y,En{c}_{upk}(x_{i,k}^{t-{\tau }^o,z})$ Output: $w_{y_o}^{t-{\tau }^o}$ 1: for each $y_o\subset Y$ do 2:    Receives the encrypted messages $\left\{En{c}_{upk}(x_{i,k}^{t-{\tau }^o,z})\right\}$ 3:    for $z\in [0,d]$ do 4:      Shuffles $\left\{En{c}_{upk}(x_{i,k}^{t-{\tau }^o,z})\right\}$ by Equation (9) 5:      ${\theta }^{t-{\tau }^o,z}={\displaystyle \prod _{i=1}^{s_o}}{\displaystyle \prod _{k=0}^m}En{c}_{upk}(x_{i,k}^{t-{\tau }^o,z})$ 6:      $w_{y_o}^{t-{\tau }^o,z}\leftarrow {\theta }^{t-{\tau }^o,z}$ 7:    end for 8:    $y_o$ uploads local update $w_{y_o}^{t-{\tau }^o}$ to Blockchain asynchronous 9: end for 10: return Outputs

4.4. Committee Consensus

The committee consensus is shown in Algorithm 4. In the $t-th$ round of the SHAFL framework, the primary committee node $u_q$ first downloads an ${\eta }_t$ encrypted local update $\left\{w_{y_o}^{t-{\tau }^o}\right\}$ from the Blockchain and decrypts it using a homomorphic private key $usk$ layer by layer. Since the layer vectors $\left\{x_{i,k}^{t-{\tau }^o,z}\right\}$ are quantized during encryption, mapping floating-point numbers to integers, it is necessary to dequantize the decrypted layer vectors $\left\{{\theta }^{t-{\tau }^o,*,z}\right\}$ to restore them to their original floating-point format. According to the hierarchical relationship, the layer vectors $\left\{{\theta }^{t-{\tau }^o,*,z}\right\}$ are reconstructed into a decrypted local update $w_{y_o}^{t-{\tau }^o,*}$. Then, the primary committee node $u_q$ tests each local update $w_{y_o}^{t-{\tau }^o,*}$ and global model $w^{t-1}$ using the committee nodes’ local dataset $D_{test}$ to obtain the accuracy $A_L$ and $A_G$. By using $A_L$, $A_G$, and the delay ${\tau }^o$, $u_q$ calculates the score $R_{t,o}^{u_q}$ for each local update $w_{y_o}^{t-{\tau }^o,*}$ as

$$R_{t,o}^{u_q}=({\displaystyle \frac{A_L}{{(A_L+A_G)}^{\tau }}})$$

(17)

After scoring, the primary committee node $u_q$ sends the scores of local updates $\left\{R_{t,o}^{u_q}\right\}$ to other committee nodes $\left\{u_i\right\}$. $\left\{u_i\right\}$ downloads $w_{y_o}^{t-{\tau }^o,*}$ and re-scores them, and uses a consensus mechanism, PBFT, to reach a consensus on scores $\left\{R_{t,o}^{u_q}\right\}$. Once a consensus is reached, $u_q$ aggregates the local updates $\left\{w_{y_o}^{t-{\tau }^o,*}\right\}$ to obtain a new global model $w^t$ through secure aggregation using (12). Then, $u_q$ encrypts and uploads $En{c}_{cpk}(w^t)$ to $bloc{k}_t$.

Algorithm 4 Committee consensus

Input: $U,\left\{w_{y_o}^{t-{\tau }^o}\right\},w^{t-1},D_{test},s_o,\phi$ Output: $w^t,\left\{R_{t,o}^{u_q}\right\}$ 1: Primary committee node $u_q$ downloads ${\eta }_t$ local updates $\left\{w_{y_o}^{t-{\tau }^o}\right\}$ from Blockchain and decrypts it 2: for  $o\le {\eta }_t$do 3:    for $z\le d$ do 4:      ${\theta }^{t-{\tau }^o,*,z}=De{c}_{usk}({\theta }^{t-{\tau }^o,z})= {\displaystyle \sum _{i=1}^{s_o}}{\displaystyle \sum _{k=0}^m}(x_{i,k}^{t-{\tau }^o,z})$ 5:      Dequantization: 6:      ${\theta }^{t-{\tau }^o,*,z}={\displaystyle \frac{{\theta }^{t-{\tau }^o,*,z,}}{s_o·\phi }}$ 7:      $w_{y_o}^{t-{\tau }^o,*,z}\leftarrow {\theta }^{t-{\tau }^o,*,z}$ 8:      $z=z+1$ 9:    end for 10:    Obtain the decrypted local update $w_{y_o}^{t-{\tau }^o,*}$ of gateway $y_o$ 11:    $o=o+1$ 12: end for 13:    Tests the accuracy of global model $w^{t-1}$ by $D_{test}$ to obtain $A_G$ 14:    for $o\le {\eta }_t$ do 15:      $u_q$ test the accuracy of $w_{y_o}^{t-{\tau }^o,*}$ by $D_{test}$ to obtain $A_L$ 16:      Calculates score $R_{t,o}^{u_q}$ of model $w_{y_o}^{t-{\tau }^o,*}$ by Equation (17) 17:      $o=o+1$ 18:    end for 19:    Sent scores to all committee node $u_i$ 20:    for $u_i\in U$ do 21:      Re-score each local update $w_{y_o}^{t-{\tau }^o,*}$ by $D_{t}est$ 22:      Sent scores $\left\{R_{t,o}^{u_i}\right\}$ to other committee node 23:    end for 24:    All $u_i\in U$ reach a consensus on scores $\left\{R_{t,o}^{u_q}\right\}$ 25:    Pirmary node $u_q$ process secure aggregation by Equation (12) 26:    $u_q$ encrypts the global model to $En{c}_{cpk}(w^t)$ by training nodes’ public key 27:    Uploads $En{c}_{cpk}(w^t)$ to $bloc{k}_t$  28: return Outputs

5. Convergence Analysis

In this section, we present the theorem and proof for the convergence analysis of the SHAFL framework.

Definition 4 

(L-smooth [1]). Function f is L-smooth if $\forall x,y\in {\mathbb{R}}^N,x\ne y$ exists:

$$f(y)\le f(x)+(y-x)\nabla f(x)+{\displaystyle \frac{L}{2}}{\Vert y-x\Vert }^2$$

(18)

Definition 5 

($\mu$-strongly convex [1]). Function f is μ-strongly convex if $\forall x,y\in {\mathbb{R}}^N,x\ne y$ exists:

$$f(y)\ge f(x)+(y-x)\nabla f(x)+{\displaystyle \frac{\mu }{2}}{\Vert y-x\Vert }^2$$

(19)

Theorem 1. 

Assume the global loss function F is L-smooth and μ-strongly convex. For the group $G_o$, let the learning rate be $\gamma <{\displaystyle \frac{1}{L}}$ and the local iterations be $H\in [H_{min},H_{max}]$. For $\forall w\in R^d,\forall \xi \in D$, the expected square norm of the gradients is bounded:

$$E_{\xi \in D}{\Vert \nabla f(w,\xi )\Vert }^2\le Q$$

(20)

For the initial global model $w^0$ and optimization model $w^{*}$

$$F(w^0)-F(w^{*})\ge {(1-\alpha )}^T{\displaystyle \frac{\gamma }{2}}HQ$$

(21)

After T turns, the convergence bond of the global loss function is

$$\begin{array}{cc}\hfill E& [F(w^T)-F(w^{*})]\hfill \\ & \le F(w^0)-F(w^{*})+[1-{(1-\alpha )}^T]{\displaystyle \frac{\gamma }{2}}HQ\hfill \end{array}$$

(22)

Proof of Theorem 1. 

Since prior studies [1,70] have established convergence analysis for hierarchical asynchronous federated learning frameworks, we specifically focus on presenting several distinct components in this study. For a training node $c_i^o$ in an arbitrary group $G_o$, after performing H a local update, the convergence bound is

$$\begin{array}{cc}\hfill E& [F(w_{c_i^o}^{t-{\tau }^o,H})-F(w^{*})]\hfill \\ & \le F(w_{c_i^o}^{t-{\tau }^o,0})-F(w^{*})-{\displaystyle \frac{\gamma }{2}}HQ\hfill \end{array}$$

(23)

where $w_{c_i^o}^{t-{\tau }^o,H}$ is derived from $w_{c_i^o}^{t-{\tau }^o,0}$ by H iterations. Then, the committee nodes will aggregate ${\eta }_t$ local updates $\left\{w_{y_o}^{t-{\tau }^o}\right\}$ from the gateway to obtain a new global model $w^t$. Thus, the convergence bound of the SHAFL framework after t turns is

$$\begin{array}{cc}\hfill E& [F(w^t)-F(w^{*})]\hfill \\ & \le (1-\alpha )F(w^{t-1})+\alpha E\left[F({\displaystyle \frac{{\displaystyle \sum _{o=1}^{{\eta }_t}}{R}_{t,o}^{u_i}{w}_{y_o}^{t-{\tau }^o}}{{\displaystyle \sum _{o=1}^{{\eta }_t}}{R}_{t,o}^{u_i}}})\right]-F(w^{*})\hfill \\ & \le (1-\alpha )F(w^{t-1})+\alpha {\displaystyle \sum _{o=1}^{{\eta }_t}}{\displaystyle \frac{R_{t,o}^{u_i}F(w_{y_o}^{t-{\tau }^o})}{{\displaystyle \sum _{o=1}^{{\eta }_t}}{R}_{t,o}^{u_i}}}-F(w^{*})\hfill \\ & \le (1-\alpha )F(w^{t-1})+\alpha E\left[F(w_{y_o}^{t-{\tau }^o})\right]-F(w^{*})\hfill \\ & \le (1-\alpha )F(w^{t-1})+\alpha E\left[F({\displaystyle \frac{{\displaystyle \sum _{i=1}^{s_o}}\left|D_{c_i^o}\right|{\displaystyle \sum _{k=1}^m}{M}_{i,k}^{t-{\tau }^o}}{{\displaystyle \sum _{i=1}^{s_o}}\left|D_{c_i^o}\right|}})\right]-F(w^{*})\hfill \\ & \le (1-\alpha )F(w^{t-1})+\alpha E\left[F({\displaystyle \frac{{\displaystyle \sum _{i=1}^{s_o}}\left|D_{c_i^o}\right|w_{c_i^o}^{t-{\tau }^o}}{{\displaystyle \sum _{i=1}^{s_o}}\left|D_{c_i^o}\right|}})\right]-F(w^{*})\hfill \\ & \le (1-\alpha )F(w^{t-1})+\alpha E\left[F(w_{c_i^o}^{t-{\tau }^o})\right]-F(w^{*})\hfill \\ & \le (1-\alpha )[F(w^{t-1})-F(w^{*})]+\alpha E[F(w_{c_i^o}^{t-{\tau }^o})-F(w^{*})]\hfill \end{array}$$

(24)

Using Equations (23) and (24), after performing T global turns, the convergence bound of the SHAFL framework is

$$\begin{array}{cc}\hfill E& [F(w^T)-F(w^{*})]\hfill \\ & \le (1-\alpha )[F(w^{T-1})-F(w^{*})]+\alpha E[F(w_{c_i^o}^{T-{\tau }^o})-F(w^{*})]\hfill \\ & \le (1-\alpha )\left[(1-\alpha )[F(w^{T-2})-F(w^{*})]+\alpha E[F(w_{c_i^o}^{T-1-{\tau }^o})-F(w^{*})]\right]\hfill \\ & +\alpha E[F(w_{c_i^o}^{T-{\tau }^o})-F(w^{*})]\hfill \\ & \le (1-\alpha )(1-\alpha )[F(w^{T-2})-F(w^{*})]+(1-\alpha )\alpha E[F(w_{c_i^o}^{T-1-{\tau }^o})-F(w^{*})]\hfill \\ & +\alpha E[F(w_{c_i^o}^{T-{\tau }^o})-F(w^{*})]\hfill \\ & \le {(1-\alpha )}^T[F(w^0)-F(w^{*})]+[\alpha +(1-\alpha )\alpha +\dots +(T-1)(1-\alpha )\alpha ]E[F(w_{c_i^o}^{t-{\tau }^o,H})\hfill \\ & -F(w^{*})]\hfill \\ & \le {(1-\alpha )}^T[F(w^0)-F(w^{*})]+[1-{(1-\alpha )}^T][F(w_{c_i^o}^{t-{\tau }^o,0})-F(w^{*})-{\displaystyle \frac{\gamma }{2}}HQ]\hfill \\ & \le {(1-\alpha )}^T[F(w^0)-F(w^{*})]+[1-{(1-\alpha )}^T][F(w^0)-F(w^{*})-{\displaystyle \frac{\gamma }{2}}HQ]\hfill \\ & \le F(w^0)-F(w^{*})+[1-{(1-\alpha )}^T]{\displaystyle \frac{\gamma }{2}}HQ]\hfill \end{array}$$

(25)

Thus, Theorem 1 derives the convergence bound after T turns. □

6. Security Analysis

This section describes the security analysis of the SHAFL framework as follows: privacy-preserving analysis, system robustness analysis, and model security analysis.

6.1. Privacy-Preserving Analysis

Lemma 1 

(Amplification by shuffling [58]). Let $\mathcal{R}$ be an ${ϵ}_0$-LDP mechanism. Then, the shuffle model $\mathcal{M}(x_1,\dots ,x_n):=\mathcal{A}\circ \mathcal{S}\circ (R(x_1),\dots ,R(x_n))$ satisfies $(ϵ,\delta )$-DP, where

• If

  $${ϵ}_0\le {\displaystyle \frac{log(n/log(2/\delta ))}{2}}$$

  (26)
  for any $\delta >0$, it has

  $$ϵ=\mathcal{O}(min\{{ϵ}_0,1\}{e}^{{ϵ}_0}\sqrt{{\displaystyle \frac{log(1/\delta )}{n}}}).$$

  (27)

Lemma 2 

(Amplification by subsampling [60]). If $\mathcal{M}:{\mathbb{X}}^n\to \mathbb{Y}$ satisfies $(ϵ,\delta )$-DP with the relationship on the set n, then ${\mathcal{M}}^{\prime }:{\mathbb{X}}^m\to \mathbb{Y}$ satisfies $(log(1+(n/m)(e^{ϵ}-1)),(n/m)\delta )$-DP.

Theorem 2. 

In the SHAFL framework, the training node employs the Gaussian mechanism-based $({ϵ}_l,{\delta }_l)$-LDP to preserve data privacy. Through the integration of the shuffle model and subsample, the privacy parameters of the local model satisfy

$$\begin{array}{cc}\hfill {ϵ}_c=& \mathcal{O}(min\{log(1+(\lceil {\displaystyle \frac{d}{s_o}}\rceil -1)(e^{{ϵ}_l}-1)),1\}[1+(\lceil {\displaystyle \frac{d}{s_o}}\rceil -1)(e^{{ϵ}_l}\hfill \\ & -1)]\sqrt{{\displaystyle \frac{log(1/(\lceil \frac{d}{s_o}\rceil -1){\delta }_l)}{(m+1)d}}})\hfill \end{array}$$

(28)

$${\delta }_c=(\lceil {\displaystyle \frac{d}{s_o}}\rceil -1){\delta }_l$$

(29)

Equations (28) and (29) demonstrate the conversion relationship between local privacy parameters $({ϵ}_l,{\delta }_l)$ and central differential privacy parameters $({ϵ}_c,{\delta }_c)$.

Proof of Theorem 2. 

In Algorithm 2, $d/\lceil {\displaystyle \frac{d}{s_o}}\rceil$ layers of the model are dropped and replaced with dummy layers $\left\{p_{i,0}^{t-{\tau }^o,z}\right\}$. Therefore, the SHAFL framework samples $d-d/\lceil {\displaystyle \frac{d}{s_o}}\rceil$ layers from the model parameter space. According to Lemma 2, the local model satisfies

$$\begin{array}{cc}\hfill {ϵ}_{sub}& =log(1+{\displaystyle \frac{d-d/\lceil \frac{d}{s_o}\rceil }{d}}(e^{{ϵ}_l}-1))\hfill \\ & =log(1+(\lceil {\displaystyle \frac{d}{s_o}}\rceil -1)(e^{{ϵ}_l}-1))\hfill \end{array}$$

(30)

$$\begin{array}{cc}\hfill {\delta }_{sub}& ={\displaystyle \frac{d-d/\lceil \frac{d}{s_o}\rceil }{d}}{\delta }_l\hfill \\ & =(\lceil {\displaystyle \frac{d}{s_o}}\rceil -1){\delta }_l\hfill \end{array}$$

(31)

where ${\displaystyle \frac{d-d/\lceil \frac{d}{s_o}\rceil }{d}}$ is the subsampling rate. After subsampling, the local model satisfies $({ϵ}_{sub},{\delta }_{sub})$-DP. Since the training nodes send the subsampled model to the gateway, the gateway performs a random permutation on the subsampled model. According to Lemma 1, the local model processed with subsampling and shuffling satisfies

$$\begin{array}{cc}\hfill {ϵ}_c& =\mathcal{O}(min\left\{{ϵ}_{sub},1\right\}{e}^{{ϵ}_{sub}}\sqrt{{\displaystyle \frac{log(1/{\delta }_{sub})}{(m+1)d}}})\hfill \\ & =\mathcal{O}(min\left\{{ϵ}_{sub},1\right\}{e}^{{ϵ}_{sub}}\sqrt{{\displaystyle \frac{log(1/(\lceil \frac{d}{s_o}\rceil -1){\delta }_l)}{(m+1)d}}})\hfill \\ & =\mathcal{O}(min\{log(1+(\lceil {\displaystyle \frac{d}{s_o}}\rceil -1)(e^{{ϵ}_l}-1)),1\}[1+(\lceil {\displaystyle \frac{d}{s_o}}\rceil -1)(e^{{ϵ}_l}\hfill \\ & -1)]\sqrt{{\displaystyle \frac{log(1/(\lceil \frac{d}{s_o}\rceil -1){\delta }_l)}{(m+1)d}}})\hfill \end{array}$$

(32)

$$\begin{array}{cc}\hfill {\delta }_c& ={\delta }_{sub}\hfill \\ & =(\lceil {\displaystyle \frac{d}{s_o}}\rceil -1){\delta }_l\hfill \end{array}$$

(33)

as shown in Theorem 2. □

6.2. System Robustness Analysis

The SHAFL framework introduces a novel secure aggregation algorithm. Before the committee nodes aggregate a new global model $w^t$, the primary committee node $u_q$ evaluates the test accuracy of each local update $\left\{w_{y_o}^{t-{\tau }^o}\right\}$ using a globally shared test dataset $D_{test}$. The algorithm then calculates a score for each model based on its accuracy and delay ${\tau }^o$, which serves as the aggregation weight of $\left\{w_{y_o}^{t-{\tau }^o}\right\}$. A suboptimal model uploaded by a malicious training node will achieve low test accuracy and therefore receive a low aggregation weight. The SHAFL framework mitigates the impact of malicious training nodes on the global model’s performance using the secure aggregation algorithm described above. In the latter rounds of training, the accuracy of both the global model and the local models becomes high and similar. The aggregation weight of the model uploaded by $y_o$ with a high delay is significantly lower than that of normal models, thereby mitigating the detrimental impact of stale models on the performance of the global model.

In the event of node disconnections after the mask–DP exchange protocol, the mask–DP introduced by the SHAFL framework is equivalent to a Gaussian noise-based DP. When training node $c_i^o$ is offline, each training node generates noise with a variance of

$$\sigma ={\displaystyle \frac{m{\sigma }_{c_i^o}}{s_o-1}}+{\displaystyle \frac{{\displaystyle \sum _{n=i}^{i+m}}{\sigma }_{c_n}}{m+1}}$$

(34)

where $\sigma$ is the variance of noises $\pi$, and m is the number of exchange masks.

6.3. Model Security Analysis

The proposed SHAFL framework employs a combination of consortium Blockchain technology, HE, and DP-based masks to ensure the privacy and security of local data for training nodes. The consortium Blockchain, as a private chain, restricts data access to authorized nodes only, thereby mitigating privacy threats from external nodes.  Within the SHAFL framework, all committee nodes and training nodes each possess homomorphic key pairs $<upk,usk>,<cpk,csk>$. When committee nodes distribute the global model to training nodes via an intermediate gateway node, they encrypt the global model with the training node’s homomorphic public key $cpk$. Except for the training node, no one else can access the global model. Before sending local updates to the gateway, all training nodes encrypt their messages using the committee nodes’ homomorphic public key $upk$, preventing the gateway and the training nodes from extracting any original model information. The gateway shuffles received messages from training nodes and disrupts the mapping between messages and training nodes. The committee nodes can only receive the shuffled model from the gateway, not the original model from the training node. If the gateway and committee nodes collude, they can use the committee node’s private $usk$ key to decrypt the local updates uploaded by the training nodes. However, since the local updates uploaded by the training nodes are masked, they cannot obtain the original local updates of the training nodes.

7. Experiments

7.1. Experimental Setting

7.1.1. Benchmarks

The baseline algorithms used in the experiments are introduced as follows.

• FedAvg [62], as the canonical synchronous federated learning framework, was adopted as the baseline comparative scheme in our experiments. This implementation deliberately excludes privacy-preserving mechanisms and Byzantine fault tolerance capabilities.
• DP–FedAvg [71] is a privacy-preserving federated learning framework based on LDP. By injecting noise into their local models, training nodes ensure that the uploaded local models satisfy LDP requirements, thereby defending against inference attacks from the server.
• FedSDP [24] is a synchronous privacy-preserving federated learning framework designed for the Internet of Vehicles (IoV), which enhances privacy and improves data utility through a tripartite mechanism that combines Top-k gradient subsampling, virtual point padding, and shuffle-based anonymization.
• MSFL [61] is a privacy-preserving federated learning framework that synergistically integrates multi-stage shuffling mechanisms and Byzantine-resilient consensus algorithms. It enhances privacy by shuffling training nodes and local updates.
• PBFL [27] is a synchronous, centralized privacy-preserving federated learning framework that achieves privacy-preserving through HE and ensures Byzantine fault tolerance via cosine similarity-based gradient validation.
• PPAFL [18] is an asynchronous privacy-preserving federated learning framework that implements LDP via the Laplace mechanism.
• RAFLS [34] is an RDP-based adaptive FL scheme. It uses the sensitivity of different layers’ weights to determine the amount of noise injected into the model, adopts a model-parameter shuffling mechanism to achieve local model anonymity, and proposes a fine-grained model-weight aggregation scheme.

Table 2. Computational complexity.

Scheme	Local Train	Aggregation	Privacy Preserving
FedAvg [62]	$\mathcal{O}(|w|·|D|·N·H·T)$	$\mathcal{O}(|w|·N·T)$	−
DP-FedAvg [71]	$\mathcal{O}(|w|·|D|·N·H·T)$	$\mathcal{O}(|w|·N·T)$	$\mathcal{O}(|w|·N·T)$
FedSDP [24]	$\mathcal{O}((\left|w\right|+d)·|D|·N·H·T)$	$\mathcal{O}(|w|·N·T)$	$\mathcal{O}((d·N·H+N)·T)$
MSFL [61]	$\mathcal{O}(|w|·|D|·N·H·T)$	$\mathcal{O}(|w|·N·T)$	$\mathcal{O}((N+d)·N·T)$
PBFL [27]	$\mathcal{O}(|w|·|D|·N·H·T)$	$\mathcal{O}(ndlog{(n)}^2)$	$\mathcal{O}(ndlog{(n)}^3)$
PPAFL [18]	$\mathcal{O}(|w|·|D|·N·H·T)$	$\mathcal{O}(|w|·N·T·M)$	$\mathcal{O}(|w|·N·T)$
RAFLS [34]	$\mathcal{O}(|w|·|D|·N·H·T)$	$\mathcal{O}((\left|w\right|+d)·N·T)$	$\mathcal{O}((\left|w\right|+d)·N·T)$
Proposed	$\mathcal{O}(|w|·|D|·N·H·T)$	$\mathcal{O}(|w|·N·T·logn)$	$\mathcal{O}((\left|w\right|+\left|w\right|·log(n)+d)·m·N·T)$

compares the computational complexity of the evaluated schemes from three aspects: local training, aggregation, and privacy preserving. The FedSGP scheme’s marginally higher local training loss is a consequence of the additional Tok sparsification operation performed locally. Regarding aggregation and privacy preservation, due to the use of homomorphic encryption, PBFL and SHAFL exhibit significantly higher computational complexity than other schemes.

7.1.2. Datasets and Models

Three benchmark datasets were rigorously employed in our experiments: MNIST [72], CIFAR-10 [73], and a Heart Disease dataset [74]. The MNIST dataset is a classic handwritten digital image dataset, comprising a training set of 60,000 grayscale images and a test set of 10,000 grayscale images, each standardized to a resolution of 28 × 28 pixels. The test set of 10,000 grayscale images is used to form $D_{test}$. The committee nodes utilize $D_{test}$ to evaluate the accuracy of local updates uploaded by the gateways and assign aggregation weights to each gateway’s local updates based on their accuracy. The training set comprising 50,000 images is evenly distributed across the training nodes. The training nodes then conduct training using their allocated subsets of the training data. The model used on the MNIST dataset is a two-layer CNN. The CIFAR-10 dataset includes 60,000 labeled RGB images (32 × 32 pixels) across 10 object classes, which are divided into 50,000 training images and 10,000 test images. For the CIFAR-10 dataset, the partitioning method for $D_{test}$ and the training dataset is the same as that for the MNIST dataset. The model architecture employed on the CIFAR-10 dataset is ResNet-18. The Heart Disease dataset is a real-world IoMT dataset. The dataset contains approximately 37,000 heart activity samples, each with a 50-dimensional feature vector including heart rate, body mass index, glucose levels, and a label indicating coronary heart disease. There are 1,500 heart health samples across these sample nodes. For the Heart Disease dataset, the model and dataset partitioning scheme are adopted from Reference [74].

7.1.3. Experimental Parameters

The experiment was implemented with Python 3.9 and PyTorch 2.1.0 on a computer equipped with an Intel CPU i5-12400F (Santa Clara, CA, USA) and a NVIDIA GPU 3060Ti (Santa Clara, CA, USA). The random seed was 42, and the key size was 2048-bit, as referenced in [75]. Different experimental parameters were adopted for the three datasets, as shown in

Table 3. Hyperparameter notations on MNIST.

Param	Value	Param	Value
$\mathit{N}$	20	$\mathit{M}$	10
H	20	batchsize	64
$\chi$	{0, 0.2, 0.4}	$\lambda$	0.1
$\mathit{T}$	50	$\gamma$	0.08
$\alpha$	0.3	$ϵ$	{0.5, 0.8, 1}
${\tau }_{max}$	3	$\delta$	$1\times {10}^{-3}$

,

Table 4. Hyperparameter notations on CIFAR-10.

Param	Value	Param	Value
$\mathit{N}$	20	$\mathit{M}$	10
H	20	batchsize	32
$\chi$	{0, 0.2, 0.4}	$\lambda$	0.03
$\mathit{T}$	50	$\gamma$	0.001
$\alpha$	0.85	$ϵ$	{0.5, 0.8, 1}
${\tau }_{max}$	3	$\delta$	$1\times {10}^{-3}$

,

Table 5. Hyperparameter notations on Heart Disease dataset.

Param	Value	Param	Value
$\mathit{N}$	20	$\mathit{M}$	10
H	20	batchsize	500
$\chi$	{0, 0.2, 0.4}	$\lambda$	0.03
$\mathit{T}$	50	$\gamma$	0.01
$\alpha$	0.85	$ϵ$	{0.5, 0.8, 1}
${\tau }_{max}$	3	$\delta$	$1\times {10}^{-3}$

, where $\mathit{N}$ denotes the number of training nodes, $\mathit{M}$ denotes the number of committee nodes, $\mathit{H}$ denotes number of local iterations, $\chi$ denotes the proportion of malicious nodes within the training node set, $\lambda$ denotes the aggregation hyperparameter of FedAvg [62], $\mathit{T}$ denotes number of global iterations, $\gamma$ denotes learning rate, $\alpha$ denotes the aggregation hyperparameter of SHAFL, $ϵ,\delta$ denotes differential privacy parameters, and ${\tau }_{max}$ denotes the maximum aggregation delay.

7.2. Experimental Result

7.2.1. Performance Analysis

In the absence of malicious nodes,

Table 6. Model accuracy.

$\mathit{\chi }=0$, $\mathit{ϵ}=1$, $\mathit{\delta }=1\times {10}^{-3}$, subsampling rate = 90%
Dataset	FedAvg	DP-FedAvg	FedSDP	MSFL	RAFLS	Proposed
MNIST	93.01	92.46	87.66	92.46	90.07	92.77
CIFAR-10	77.61	77.70	55.98	75.51	75.25	77.75
Heart Disease Dataset	100	99.63	90.00	99.45	97.99	99.82

presents the model accuracy of each scheme across three datasets. Except for the non-privacy-preserving baseline scheme FedAvg, all other schemes employ a privacy budget of $ϵ=1$ and $\delta =1\times {10}^{-3}$, coupled with a subsampling rate of $0.9$. As evidenced by Table 6, under identical privacy budget conditions, the proposed scheme achieved superior model accuracy across all three datasets compared to other schemes, with the exception of the non-privacy-preserving baseline FedAvg.

Figure 7 illustrates the global model performance of five schemes across three datasets. As observed in Figure 7a on the MNIST dataset, the proposed SHAFL framework achieved comparable accuracy to the non-privacy-preserving baseline FedAvg, with a marginal difference of merely 0.26%. Furthermore, after the 40th training iteration, SHAFL, MSFL, and FedAvg all showed convergence in model accuracy. This demonstrates that the SHAFL framework maintains strong model utility and convergence properties under identical privacy budget constraints. Similarly, as depicted in Figure 7b,c, the SHAFL framework demonstrates robust performance on both the CIFAR-10 dataset and the Heart Disease dataset. Notably, on CIFAR-10, the model accuracy of the SHAFL framework surpasses FedAvg by a narrow margin of 0.06%, which can be attributed to the enhanced generalization capability enabled by the minimal noise injection. Additionally, SHAFL, FedAvg, and DP-FedAvg all converged around the 40th training iteration, collectively demonstrating stable optimization trajectories. After the 10th round, both MSFL and RAFLS exhibited persistent oscillations. This occurs because, as the model approaches convergence, excessive noise injection causes the model parameters to fluctuate around the optimum. In contrast, the SHAFL scheme employs eliminable noise, thereby effectively mitigating the occurrence of oscillations. On the Heart Disease dataset, the SHAFL framework exhibited 0.18% lower model accuracy than the non-privacy-preserving baseline FedAvg, yet outperformed all other comparative schemes. Additionally, the SHAFL framework demonstrated a marginally faster convergence rate than the remaining approaches. In conclusion, compared with the baseline approach, FedAvg and the SHAFL framework achieved comparable model accuracy while providing enhanced privacy protection for local data on training nodes. Compared with other privacy-preserving schemes under the same privacy budget, the SHAFL framework achieved higher model accuracy and superior convergence properties.

7.2.2. Impact of Sampling Strategies on Model Accuracy

We evaluated the impact of three subsampling strategies on model accuracy. In the experiments, the model fixed the local noise variance and adjusted the scheme’s privacy budget to control the sampling rate. Three privacy budget values, $ϵ=0.5,0.8$, and 1, were selected, corresponding to sampling rates of $63\%,70\%$, and $90\%$, respectively. Figure 8 and Figure 9 illustrate the impact of different sampling strategies on model performance across datasets. As shown in Figure 8 and Figure 9, under privacy budgets of $ϵ=0.5$ and $0.8$, the layer sampling proposed by the SHAFL framework achieved a significant improvement in model accuracy compared to other schemes, while exhibiting smaller oscillation amplitudes. At $ϵ=1$, the accuracy of layer sampling outperforms sequential sampling and matches the baseline FedAvg scheme without sampling.

7.2.3. Analysis of Byzantine Attack Resistance

To evaluate the Byzantine attack resistance of the models, it compared model accuracy across several schemes at varying proportions of malicious nodes. FedAvg served as the baseline to reflect the Byzantine robustness of other schemes in asynchronous environments. In the experiments, it set the maximum number of delay rounds ${\tau }_{max}=3$ and the privacy budget $ϵ=1$. As shown in Figure 10 and Figure 11, all schemes experienced a significant drop in model accuracy at Turn 4. For instance, FedAvg in Figure 10 achieved an accuracy of 72.73% at Turn 6, but this plummeted to 49.18% at Turn 7, marking a 48.18% decline. These results indicate that the participation of stale models in aggregation during early training stages degrades accuracy more severely than the impact of a limited number of malicious nodes. From Figure 10 on the MNIST dataset, when $\chi =0$, the accuracy of the SHAFL framework is 1.37% lower than FedAvg but 1.42% higher than PBFL. At $\chi =0.2$, the SHAFL framework outperforms FedAvg, PBFL, and PPAFL by 4.59%, 8.35%, and 0.52%, respectively. When $\chi =0.4$, the accuracy of the SHAFL framework surpasses FedAvg, PBFL, PPAFL and RAFLS by 12.75%, 34.26%, 16.62%, and 5.07%, respectively. Similarly, as shown in Figure 11, when $\chi =0.2$, the accuracy of the SHAFL framework surpasses FedAvg, PBFL, PPAFL and RAFLS by 71.81%, 67.36%, 24.54%, and 67.09%, respectively. Figure 11 demonstrates that the SHAFL framework achieves higher accuracy than other schemes in environments with malicious nodes. Notably, when $\chi =0.4$, the accuracy of the SHAFL framework exceeds FedAvg and PBFL by 43.37% and 39.19%, respectively. This superiority stems from the SHAFL framework’s mechanism: it evaluates each gateway-uploaded model’s accuracy on a test dataset before computing aggregation weights. This approach assigns lower aggregation weights to models from gateways that contain malicious nodes, thereby minimizing their influence on the global model.

7.2.4. Privacy Enhancement Analysis

As demonstrated in Figure 12, the correlation between local and central privacy across varying sampling rates shows that the local privacy budget of training nodes is significantly reduced by the subsampling mechanism and the shuffling model. This substantiates SHAFL’s inherent privacy-enhancing capability. Furthermore, the experimental results show that SHAFL’s privacy amplification effect strengthens as the subsampling rate decreases. This phenomenon occurs because lower sampling rates inherently retain fewer model parameters during aggregation, thereby containing a correspondingly lower amount of sensitive information susceptible to privacy leakage.

8. Conclusions

This study proposes a secure asynchronous hierarchical federated learning (SHAFL) framework. In the first layer, it introduces a decentralized mask–DP exchange protocol. Under a gateway, training nodes generate masks using the Gaussian mechanism and exchange them according to the protocol. Each training node then constructs a set of messages using its locally generated mask and those received from other nodes, such that their aggregation recovers the original local model without noise perturbation. To prevent gateways and training nodes from inferring private information from uploaded messages, it employs homomorphic encryption. At the gateway, a shuffling mechanism is applied to disrupt the order of uploaded messages, further enhancing the privacy-preserving level for the local models. In the second layer, it implements an accuracy-based, committee-consensus scoring mechanism, where the primary committee node uses a global test dataset to evaluate and score models uploaded by gateways, thereby determining their aggregation weights. This reduces the impact of malicious nodes on the global model. Theoretical analysis and experimental results demonstrate that our proposed SHAFL achieves superior performance in privacy-preserving and Byzantine-robustness. However, as our scheme employs the Paillier homomorphic encryption algorithm to resist collusion attacks, it incurs relatively high computational overhead. Additionally, our experimental results are obtained using an IID dataset, without considering the impact of Non-IID datasets on the convergence of model aggregation. In future work, we plan to explore ways to reduce computational cost under the existing security assumptions, while also accounting for the effects of non-IID datasets when designing the aggregation scheme.