Privacy-Preserving Poisoning-Resistant Blockchain-Based Federated Learning for Data Sharing in the Internet of Medical Things

Abstract

The Internet of Medical Things (IoMT) creates interconnected networks of smart medical devices, utilizing extensive medical data collection to improve patient outcomes, streamline resource management, and guarantee comprehensive life-cycle security. However, the private nature of medical data, coupled with strict compliance requirements, has resulted in the separation of information repositories in the IoMT network, severely hindering protected inter-domain data cooperation. Although current blockchain-based federated learning (BFL) approaches aim to resolve these issues, two persistent security weaknesses remain: privacy leakage and poisoning attacks. This study proposes a privacy-preserving poisoning-resistant blockchain-based federated learning (PPBFL) scheme for secure IoMT data sharing. Specifically, we design an active protection framework that uses a lightweight $(t,n)$-threshold secret sharing scheme to protect devices’ privacy and prevent coordination edge nodes from colluding. Then, we design a privacy-guaranteed cosine similarity verification protocol integrated with secure multi-party computation techniques to identify and neutralize malicious gradients uploaded by malicious devices. Furthermore, we deploy an intelligent aggregation system through blockchain smart contracts, removing centralized coordination dependencies while guaranteeing auditable computational validity. Our formal security analysis confirms the PPBFL scheme’s theoretical robustness. Comprehensive evaluations across multiple datasets validate the framework’s operational efficiency and defensive capabilities.

1. Introduction

The Internet of Medical Things (IoMT)—a subset of the Internet of Things (IoT)—comprises interconnected smart medical devices, wearable health gadgets, and other medical hardware [1,2]. The widespread adoption of IoMT enables the continuous transfer and exchange of patient medical data among medical institutions, healthcare professionals, devices, and applications. However, due to competitive pressures, medical institutions are often reluctant to share their medical data with others. The transmission of patient health information, which includes sensitive personal and institutional details, poses risks to individual privacy, institutional security, and potentially national security. To overcome these challenges and harness the full potential of IoMT data, secure and trusted data sharing approaches are urgently needed.

Federated learning (FL) represents an innovative approach to machine learning that enables joint model development across decentralized datasets owned by multiple devices, while ensuring that the data are still stored on local devices [3]. This framework achieves knowledge exchange through the periodic aggregation of updated model parameters from participating devices. However, existing federated learning frameworks still face security vulnerabilities, particularly due to the centralized server architecture’s susceptibility to targeted attacks on critical nodes, which may result in unauthorized access to sensitive training datasets [4]. Blockchain’s decentralization, immutability, and traceability [5] have been leveraged for integration with FL frameworks for model parameter aggregation, replacing the traditional central server [6,7]. Blockchain-based federated learning (BFL) enhances the reliability and scalability of FL by mitigating single points of failure (SPFs) and improving communication efficiency [8,9]. Warnat-Herresthal et al. [10] introduced a BFL approach called Swarm Learning (SL), which combines blockchain and FL to collaboratively train models for the diagnosis of multiple diseases while safeguarding patient data privacy and security. However, maintaining gradient data as transactional entries within BFL systems can create security vulnerabilities. Studies have revealed that malicious actors infiltrating blockchain records could launch inference-based assaults to reconstruct sensitive training datasets from exposed gradients [11].

To mitigate these risks, privacy-preserving federated learning (PPFL) frameworks have gained substantial attention across research and industrial domains [12]. The PPFL framework predominantly employs three core methodologies: differential privacy (DP) mechanisms, homomorphic encryption (HE) protocols, and secure multi-party computation (MPC) techniques. Biscotti [13] combines DP with secure aggregation protocols [14] to fortify BFL architectures against both data poisoning attempts and gradient-based inference breaches. Chen et al. [15] illustrated how swarm learning updates can implement partial HE to safeguard BFL systems from inference threats, although this method suffers from operational inefficiencies due to computational complexities in cipher-text processing. MPC-based privacy preservation [16] achieves data indistinguishability through secret sharing mechanisms, but requires significant communication resources due to intensive client–server coordination demands. However, existing PPFL methods primarily ensure the indistinguishability of private information while often neglecting the threat of adversarially manipulated gradients. Attackers can craft malicious gradients to undermine aggregation results and disrupt the training process. Several aggregation rules have been developed to counteract poisoning attacks [17,18,19], which filter out malicious gradients by distinguishing them from legitimate ones. For example, Krum [17] identifies and excludes poisonous gradients by measuring their Euclidean distance from benign gradients. However, these poisoning defense strategies inherently conflict with privacy-preserving FL, which seeks to maintain the indistinguishability of private gradients.

To simultaneously address both poisoning attacks and privacy protection in FL, we propose a novel BFL framework specifically designed for secure medical data exchange within smart healthcare ecosystems. Our contributions are as follows:

• A robust global model is maintained through rigorous cosine similarity analysis to filter out harmful gradients, effectively mitigating the risks of data poisoning attacks. This approach enhances model integrity by systematically identifying and removing manipulated parameter updates during distributed training processes.
• We propose an actively secure MPC framework that maintains data confidentiality throughout FL processes, effectively addressing the inherent tension between data privacy preservation and robust defense against poisoning attacks.
• We establish a hierarchical framework to mitigate poisoning attacks and protect the data privacy of devices while using blockchain, in order to facilitate transparent processes and the enforcement of regulations. This innovative framework facilitates the formation of an autonomously coordinated learning alliance, eliminating the need for a central coordinating authority during model training processes.
• Through conducting rigorous evaluations across two widely-accepted benchmark datasets, our proposed framework exhibits superior performance compared to existing cutting-edge methodologies, in terms of operational stability and computational effectiveness.

The remainder of this paper is organized as follows: Section 2 introduces foundational concepts. Section 3 surveys the existing literature. Section 4 describes the proposed framework and its objectives. Section 5 elaborates on the developed approach. Section 6 and Section 7 examine security evaluation and efficiency assessment, respectively. Finally, Section 8 summarizes the key findings and conclusions of the study.

2. Background

Our work is closely related to data sharing in the IoMT, federated learning (FL), blockchain-based federated learning (BFL), and Actively Secure Evaluation Protocol, and we provide relevant background knowledge in this section.

2.1. Data Sharing in IoMT

The Internet of Medical Things (IoMT) facilitates the interconnection of communication-enabled medical-grade devices and their integration into wider-scale health networks in order to improve patients’ health. As shown in Figure 1, patient health data are continually transferred and exchanged between medical institutions, medical workers, medical devices, and medical applications in the IoMT context.

However, IoMT entities often lack sufficient trust, and there is some skepticism regarding IoMT data-sharing platforms. This mistrust creates huge obstacles for IoMT-based data sharing. Therefore, there is an urgent need for IoMT data sharing approaches to fully utilize the potential value of IoMT data.

2.2. Federated Learning (FL) for Data Sharing in the IoMT

As depicted in Figure 2, federated learning (FL) operates as a collaborative machine learning framework in which multiple edge devices jointly develop shared predictive models without having to exchange their private datasets.

Consider a network of N distributed nodes represented by $\{C_1,C_2,\dots ,C_N\}$, each possessing a distinct local training dataset $D_i$, $i=\{1,2,\dots ,N\}$. These participants aim to collaboratively optimize a shared global model w while maintaining strict data confidentiality for their respective information sources. During the $t^{\mathrm{th}}$ training cycle, the FL process unfolds through three sequential stages:

Step I:

The central server distributes the updated global model ${\mathbf{w}}^{(t-1)}$ to all participating devices through network transmission.

Step II:

Every participating device develops an individual model through training on its own dataset. In particular, the device $C_i$ solves an optimization problem ${\mathbf{w}}_i^{\left(t\right)}=argminL(D_i,{\mathbf{w}}^{(t-1)})$ to update the local model ${\mathbf{w}}_i^{\left(t\right)}$ using stochastic gradient descent, where $L(·)$ is the loss function. These edge devices subsequently transmit their local model updates ${\mathbf{g}}_i^{\left(t\right)}={\mathbf{w}}^{(t-1)}-{\mathbf{w}}_i^{\left(t\right)}$ to the central server.

Step III:

The server synthesizes these distributed parameters through aggregation algorithms to formulate an enhanced global model ${\mathbf{g}}^{\left(t\right)}={\sum }_{i=1}^n{\displaystyle \frac{|D_i|}{S}}{\mathbf{g}}_i^{\left(t\right)}$, where $|D_i|$ is the size of the $i^{\mathrm{th}}$ device’s local training dataset, and S is the total number of training examples. Next, the server updates the global model via

$${\mathbf{w}}^{\left(t\right)}\leftarrow {\mathbf{w}}^{(t-1)}-\eta ·{\mathbf{g}}^{\left(t\right)},$$

(1)

where $\eta$ is the global learning rate. This global model is then redistributed to all connected devices for subsequent optimization cycles.

2.3. Blockchain-Based Federated Learning (BFL) for Data Sharing in IoMT

A key limitation of federated learning (FL) lies in its reliance on a central server, which significantly impacts the privacy and performance of all devices within the system. In order to address this issue by reducing the network’s dependence on a singular node and improving communication efficiency, blockchain-based federated learning (BFL) leverages blockchain technology to eliminate the necessity of a central server. Figure 3 illustrates how BFL handles model updates by treating them as data within a block, which is shared through a consensus mechanism.

The blockchain is initiated with a single block that includes the initial global model. On the device side, the local model is initialized with the global model ${\mathbf{g}}^{\left(t\right)}$ and trained on the data $D_i$ from the $i^{\mathrm{th}}$ device. Subsequently, the device uploads data to the blockchain by constructing a block comprising a header, the trained model, and the uploader’s identifier (ID). Devices engage directly with a group of miners to acquire the Merkle root of the data before transmitting the block. A smart contract (SC) on the blockchain enforces specific rules to decide when to update the global model. The aggregation mechanisms of BCFL employ an averaging function akin to federated averaging (FedAVG).

2.4. Cosine Similarity

To distinguish between truthful and deceitful gradient vectors, we employ cosine similarity—a widely used metric for quantifying the alignment between two vectors—to assess the directional consistency between a local model gradient (denoted as ${\mathbf{g}}_i^{\left(t\right)}$) and the aggregated sum gradient vector ${\mathbf{G}}_s^{\left(t\right)}={\sum }_{i=1}^N{\mathbf{g}}_i^{\left(t\right)}$. Namely,

$$c{s}_i^{\left(t\right)}=cos{\theta }_i^{\left(t\right)}={\displaystyle \frac{<{\mathbf{g}}_i^{\left(t\right)},{\mathbf{G}}_s^{\left(t\right)}>}{\left|\right|{\mathbf{g}}_i^{\left(t\right)}\left|\right|·\left|\right|{\mathbf{G}}_s^{\left(t\right)}\left|\right|}}=<{\displaystyle \frac{{\mathbf{g}}_i^{\left(t\right)}}{\left|\right|{\mathbf{g}}_i^{\left(t\right)}\left|\right|}},{\displaystyle \frac{{\mathbf{G}}_s^{\left(t\right)}}{\left|\right|{\mathbf{G}}_s^{\left(t\right)}\left|\right|}}>,$$

(2)

where ${\mathbf{G}}_s^{\left(t\right)}$ guides the global decent to an appropriate direction, $\left|\right|·\left|\right|$ denotes the $l_2$-norm, and $<,>$ signifies the dot product between vectors. The cosine similarity metric for ${\mathbf{G}}_s^{\left(t\right)}$ and the gradient ${\mathbf{g}}_i^{\left(t\right)}$ calculates the ratio of their inner product to the product of their respective magnitudes, mathematically expressed as $cos{\theta }_i^{\left(t\right)}={\displaystyle \frac{<{\mathbf{g}}_i^{\left(t\right)},{\mathbf{G}}_s^{\left(t\right)}>}{\left|\right|{\mathbf{g}}_i^{\left(t\right)}\left|\right|·\left|\right|{\mathbf{G}}_s^{\left(t\right)}\left|\right|}}$.

2.5. Actively Secure Evaluation Protocol

An MPC-based protocol can ensure the privacy of devices against Byzantine devices by utilizing the concepts of verifiable secret sharing [20] and Lagrange interpolation. Each device i divides the secret ${\mathbf{g}}_i$ into N committed shares locally and transmits each ${\left[\left[{\mathbf{g}}_i\right]\right]}_T^j$ to all other devices j ($j\in [1,N]$). Collaboration among devices enables secure computation of addition, multiplication by a constant, and multiplication. Addition and multiplication by a constant can be performed easily by each device through direct local operations. For the multiplication of two secrets, complex multiplication is transformed into local addition operations using multiplication triples, thereby reducing online overhead. Further elaboration on this protocol is provided below.

1.

Secret Sharing: Each participant i possesses a secret ${\mathbf{g}}_i$, allowing them to construct a polynomial

$$f_i\left(\theta \right)={\mathbf{g}}_i+\sum _{j=1}^T{\mathbf{r}}_{ij}{\theta }^j,$$

(3)

where the coefficients ${\left\{{\mathbf{r}}_{ij}\right\}}_{j\in [1,N]}$ are selected at random within the field ${\mathbb{F}}_p$, with the constructed polynomial maintaining a maximum degree of $T-1$. In particular, the polynomial’s degree remains within $T-1$ while its coefficients are randomly sampled from the finite field. Through the evaluation of $f_i\left(\theta \right)$ across multiple distinct points, participating entities can obtain

$${\left[\left[{\mathbf{g}}_i\right]\right]}_T=(f_i\left(1\right),\dots ,f_i\left(j\right),\dots ,f_i\left(N\right)).$$

(4)

Subsequently, participant i allocates the share ${\left[\left[{\mathbf{g}}_i\right]\right]}_T^j$ across all other devices j. To maintain the integrity of these distributed shares, participant i also broadcasts verifiable commitments regarding the polynomial coefficients of $f_i$, specifically defined as

$${\mathbf{c}}_{ij}=\left\{\begin{array}{c}{\psi }^{{\mathbf{g}}_i}forj=0\hfill \\ {\psi }^{{\mathbf{r}}_{ij}}forj=1,\dots ,T\hfill \end{array}\right..$$

(5)

Here, $\psi$ denotes a generator within the finite field ${\mathbb{F}}_p$, with all arithmetic operations being executed under the modulus $\lambda$. The prime $\lambda$ must be appropriately chosen such that $\lambda -1$ is divisible by p, ensuring the required algebraic structure for implementation.

Upon receiving the commitments in (2), each device $j\in [1,N]$ can verify the secret share ${\left[\left[{\mathbf{g}}_i\right]\right]}_T^j=f_i\left(j\right)$ by checking the equation:

$${\psi }^{{\left[\left[{\mathbf{g}}_i\right]\right]}_T^j}=\prod _{k=0}^T{\mathbf{c}}_{ik}^{{\theta }_j^k},$$

(6)

where all mathematical operations within this framework are executed using modulo $\lambda$ calculations. The cryptographic commitment protocol guarantees the accurate generation of confidential shares derived from Equation (2)’s polynomial expression, consequently establishing proof of their authenticity through verification processes.

2.

Computation: Three types of calculations are permitted in the protocol, as follows:

Addition: Given two confidential parameters ${\mathbf{g}}_1$ and ${\mathbf{g}}_2$, represented by their respective shares ${\left[\left[{\mathbf{g}}_1\right]\right]}_T$ and ${\left[\left[{\mathbf{g}}_2\right]\right]}_T$, participating devices collectively perform computations on these shared values:

$${\left[\left[{\mathbf{g}}_1\right]\right]}_T+{\left[\left[{\mathbf{g}}_2\right]\right]}_T={\left[[{\mathbf{g}}_1+{\mathbf{g}}_2]\right]}_T.$$

(7)

Multiply-by-constant: When provided with a constant $c\in {\mathbb{Z}}_p$ and the shared secret ${\left[\left[{\mathbf{g}}_1\right]\right]}_T$ corresponding to element $g_1$, all participating devices perform the multiplication operation to scale the threshold-shared value by the given scalar within the prime field:

$$c·{\left[\left[{\mathbf{g}}_1\right]\right]}_T={\left[[c·{\mathbf{g}}_1]\right]}_T.$$

(8)

Multiplication: For confidential parameters ${\mathbf{g}}_1$ and ${\mathbf{g}}_2$, represented as shared values ${\left[\left[{\mathbf{g}}_1\right]\right]}_T$ and ${\left[\left[{\mathbf{g}}_2\right]\right]}_T$, combined with precomputed randomized triples ${\left[\left[x\right]\right]}_T$, ${\left[\left[y\right]\right]}_T$, ${\left[\left[z\right]\right]}_T$ (satisfying $z=x·y$), the process is initiated by calculating ${\left[\left[{\mathbf{g}}_1\right]\right]}_T-{\left[\left[x\right]\right]}_T={\left[[{\mathbf{g}}_1-x]\right]}_T$. Participants then employ a reconstruction protocol to publicly reveal masked values $e={\mathbf{g}}_1-x$ and $d={\mathbf{g}}_2-y$, which maintain their statistical randomness. Through algebraic expansion, the product ${\mathbf{g}}_1{\mathbf{g}}_2$ equates to $z+e{\mathbf{g}}_2+d{\mathbf{g}}_1-ed$. This formulation enables distributed computation, where each device independently calculates the combined result using the pre-shared triple components and revealed values.

$${\left[\left[{\mathbf{g}}_1{\mathbf{g}}_2\right]\right]}_T={\left[\left[z\right]\right]}_T+e{\left[\left[{\mathbf{g}}_2\right]\right]}_T+d{\left[\left[{\mathbf{g}}_1\right]\right]}_T-ed.$$

(9)

3.

Reconstruction: During the secret reconstruction phase, each participant i acquires a secret share of $\mathbf{g}$, denoted as ${\left[\left[\mathbf{g}\right]\right]}_T^i$. These shares are subsequently transmitted to the smart contract by all devices, enabling the recovery of $\mathbf{g}$ through Lagrange interpolation. More precisely, given a polynomial $f_{\mathbf{g}}\left(x\right)$ of degree $T-1$, the reconstruction employs the Lagrange basis expression $f_{\mathbf{g}}\left(x\right)={\sum }_{i\in C}{f}_{\mathbf{g}}\left(i\right){\gamma }_i\left(x\right)$. Here, $C\in {\mathbb{Z}}_p$ satisfies $\left|C\right|=T$, where ${\gamma }_i\left(x\right)$ represents a polynomial of degree $T-1$, defined as ${\gamma }_i\left(x\right)={\prod }_{j\in C,j\ne i}{\displaystyle \frac{x-j}{i-j}}$. The recombination vector may then be straightforwardly determined through the calculation of $r=\left\{r_i\right|i\in C\}$, defined by $r_i={\gamma }_i\left(0\right)$. Subsequently, the secret $\mathbf{g}$ is recovered as follows:

$$\mathbf{g}=\sum _{i\in C}{r}_i{f}_{\mathbf{g}}\left(i\right).$$

(10)

3. Related Work

This study investigates critical obstacles present in existing FL frameworks, with a concentrated analysis of three distinct research domains.

3.1. Blockchain-Based Federated Learning

Conventional federated learning architectures predominantly rely on centralized servers, introducing vulnerabilities such as single points of failure and possible server misconduct. The integrity of federated learning ecosystems becomes jeopardized when the central servers experience security breaches [21]. Emerging blockchain technology has attracted significant interest, due to its decentralized nature and robust security features. Blockchain-enhanced federated learning (BFL) systems utilize distributed ledger technology to eliminate central server dependencies and associated risks. The BAFFLE framework [22] implements smart contracts (SCs) to orchestrate model storage and monitor participant statuses, executing both model updates and aggregation processes through automated contractual agreements. This approach enhances system resilience against centralized failures while ensuring equitable client participation. Parallel innovations such as BlockFL [23] leverage blockchain-based smart contracts for secure model update exchanges and validation processes, simultaneously resolving single-point vulnerability issues and incentivizing broader device participation through sample-size proportional rewards. Within medical applications, Swarm Learning integrates FL with blockchain technology to enable collaborative disease diagnosis models while preserving patient data confidentiality [10]. Existing implementations nevertheless face challenges, as smart contract-mediated model aggregation generates considerable computational demands and network congestion for blockchain nodes, while lacking mechanisms to detect adversarial gradient contributions. To mitigate these limitations, researchers have proposed committee-consensus BFL frameworks [24] that streamline computational requirements and enhance security against malicious actors, although the determination of optimal committee formation criteria remains an open research question.

3.2. Privacy-Preserving Federated Learning

While existing research has explored various strategies for protecting privacy in federated learning and blockchain systems, the proposed solutions can be primarily grouped into three distinct approaches: 1. Differential Privacy (DP); 2. Homomorphic Encryption (HE); and 3. Secure Multi-Party Computation (MPC).

1.

Differential Privacy (DP): DP mechanisms safeguard blockchain-powered federated learning (BFL) systems through randomized data modification during information exchange. Learning Chain [25] implements such a mechanism by distorting local gradients through probabilistic noise injection based on exponential mechanisms prior to blockchain integration, disseminating these adjusted parameters throughout the BCFL framework. Blade-FL [26] adopts a dual-role architecture where participants simultaneously engage in computational validation and model refinement via decentralized peer-to-peer training, incorporating Gaussian-distributed perturbations during gradient preparation before cryptographic encapsulation. Biscotti [11] enhances BCFL security through a hybrid approach combining DP with multi-party computation techniques, effectively countering both adversarial manipulation and privacy inference attempts.

2.

Homomorphic Encryption (HE): Homomorphic encryption (HE) serves as a cryptographic method to enhance secure learning by allowing computations on cipher-texts without requiring prior decryption. For example, SL+HE [15] implements partial HE to encrypt swarm learning updates, thereby enhancing security against inference attacks in blockchain-based federated learning (BCFL). Similarly, additive HE can be applied in distributed learning systems to protect model updates and maintain gradient confidentiality, as detailed in [12]. Meanwhile, PBFL [27] leverages cosine similarity metrics to detect malicious gradients while employing fully HE for secure aggregation processes.

3.

Secure Multiparty Computation (SMC): This cryptographic technique safeguards the data of participants by producing randomized data points divergent from source information, which are then allocated across participating entities for decentralized processing. Within SMC frameworks, participant-held datasets remain indecipherable until aggregated computational outputs are synthesized through collaborative analysis. Illustrating this paradigm, the MPC-driven PPML framework [16] caters to single-server architectures, while SecureML [28] (alongside Securenn [29]) target distributed multi-server ecosystems requiring coordinated computation protocols.

3.3. Federated Learning Against Poisoning Attacks

Federated learning systems remain vulnerable to multiple poisoning attack variants, which researchers typically classify into two primary dimensions. From an objective perspective, attacks can be divided into non-targeted and targeted attacks. The former seeks to degrade model performance across all test data, while the latter selectively impairs recognition capabilities for specific inputs while maintaining normal prediction accuracy for other data. From another perspective (i.e., examining adversarial capabilities), attacks manifest as either data corruption or parameter manipulation. Malicious actors conducting data poisoning attacks tamper with local training datasets to indirectly influence parameter updates through contaminated samples. In contrast, model poisoning attacks involve direct manipulation of parameter updates on compromised devices through gradient alteration.

To address poisoning threats from malicious participants, various Byzantine-resilient aggregation techniques have been developed for federated learning systems. For example, Krum [17] counters these attacks by identifying gradient vectors with minimal Euclidean distance to their majority neighbors. Trim-mean [19] adopts a ranking approach, excluding extreme model updates before calculating the trimmed average of remaining gradients. RLR [30] offers an efficient defense against back door attempts by dynamically adjusting the server’s learning rate based on sign pattern analysis of client contributions. FLTrust [31] utilizes a curated reference set to generate baseline model updates, effectively neutralizing malicious inputs without relying on client majority assumptions. PEFL [32] achieves dual protection against data poisoning and privacy breaches through homomorphic encryption-based malicious behavior identification in encrypted gradient space. While traditional FL security solutions focus on centralized architectures, blockchain-integrated federated learning (BCFL) enhances security during aggregation through the use of consensus-aligned update validation mechanisms [33].

4. Problem Formulation

In this section, we formalize the problem definition and design goals.

4.1. Problem Definition

In this study, we consider a typical IoMT setting consisting of two types of participants—namely, edge nodes and IoMT devices—which cooperate to achieve the FL training task. The knowledge and capabilities of k malicious IoMT devices in a total of N devices are defined as follows:

• Malicious devices can hold their own toxic data, but cannot access the local data of other honest IoMT devices.
• Malicious devices can obtain the global model. However, local model updates uploaded by a single honest devices cannot be observed.
• Malicious devices can collude and share a common goal to amplify the impact of their malicious attacks.
• Malicious devices can launch either targeted or non-targeted attacks.

Based on the assumptions regarding the knowledge and behavior of the malicious devices, it is obvious that malicious IoMT devices can direct the global model in the wrong direction. Due to the poisoning attack of one or more malicious IoMT devices, the accuracy and reliability of the global model may be greatly reduced, thereby leading to the global model’s distrust of honest IoMT devices.

4.2. Design Goals

Our primary aim is to design a blockchain-driven federated learning system (PP-BFL) that integrates data privacy safeguards and robust defense mechanisms against adversarial interference. This architecture seeks to mitigate data poisoning threats while simultaneously optimizing computational efficiency and ensuring model integrity. Key objectives encompass: developing attack-resistant algorithms, implementing lightweight cryptographic protocols, and establishing decentralized verification processes that maintain confidentiality while reducing resource consumption.

• Privacy: The primary goal involves securing IoMT device data against breaches while maintaining the privacy of their gradient information. This framework prevents unauthorized entities—whether malicious devices or external actors—from gaining entry to or deducing sensitive details contained within these gradients.
• Robustness: The proposed framework should be robust against malicious attacks, which means that the accuracy of the global model should not be affected by malicious IoMT devices.
• Efficiency: The proposed framework must prioritize operational efficiency by minimizing both computational demands and data transmission costs while maintaining system performance.
• Accuracy: The proposed framework maintains high accuracy levels while ensuring data confidentiality and mitigating adversarial data manipulation. This balance is achieved through cryptographic privacy preservation techniques combined with anomaly detection mechanisms that identify and neutralize malicious input patterns without degrading model performance.
• Reliability: All operations must be comprehensively documented to safeguard against potential denial attempts by malicious devices, ensuring accountability throughout system interactions.

5. Proposed Approach and System

This section presents our proposed privacy-preserving, poisoning-defending, blockchain-based federated learning (PPBFL) scheme. First, we present an overview of the system architecture. Next, we discuss the various components of our proposed framework in detail.

Table 1. Main notation used in this study.

Notation	Description
$D_i$	Training datasets of the device $C_i$
${\mathbf{w}}_i^{\left(t\right)}$	Local model of the device $C_i$ in the $t^{\mathrm{th}}$ iteration
$\eta$	Global learning rate
$\delta$	Local learning rate
${\mathbf{g}}_i^{\left(t\right)}$	Gradient of the device $C_i$ in the $t^{\mathrm{th}}$ iteration
${\mathbf{G}}_s^{\left(t\right)}$	Sum of the gradients in the $t^{\mathrm{th}}$ iteration
$c{s}_i^{\left(t\right)}$	Cosine similarity between ${\mathbf{g}}_i^{\left(t\right)}$ and ${\mathbf{G}}_s^{\left(t\right)}$
$S_i^{\left(t\right)}$	Score of the device $C_i$ in the $t^{\mathrm{th}}$ iteration
$b/e/l$	Batch size/Global iterations/Local iterations
${\left[\left[{\mathbf{g}}_i^{\left(t\right)}\right]\right]}_T^j$	$j^{\mathrm{th}}$ share of the secret ${\mathbf{g}}_i^{\left(t\right)}$

systematically organizes key terms and symbolic representations for reference.

5.1. System Architecture

Figure 4 depicts our proposed framework, which consists of four primary components: 1. Task Publisher; 2. Trusted Authority; 3. IoMT Edge Nodes; and 4. IoMT Devices, supported by 5. blockchain Infrastructure. The roles and interactions of these components are elaborated below.

1.

Task Publisher: To address IoMT application needs, the task publisher (TP) designs the FL model training task, implements it through a blockchain smart contract (SC), and pays a fee as a bonus pool. IoMT devices that meet the requirements can apply to participate in the task. Then, the TP will initialize the model parameters and upload them to the blockchain by way of transactions.

2.

Trusted Authority: The trusted authority (TA) initializes the system by generating and distributing public/private key pairs for IoMT edge nodes.

3.

IoMT Edge Nodes: Edge nodes, functioning as blockchain clients, possess public/private key pairs $(p{k}_m,s{k}_m)$ issued by the Trusted Authority (TA). Their responsibilities encompass: (a) registering with the Smart Contract (SC), (b) downloading the global model from the blockchain, (c) collecting secret shares of all gradients and computing partial similarities between these secret shares, and (d) partially aggregating the secret shares of gradients from the selected models.

4.

IoMT Devices: Devices are responsible for: (a) locally training the model, quantizing, and securely sharing gradients each round; (b) broadcasting gradient secret shares to all edge nodes; and (c) downloading the global model from an edge node to update local model parameters.

5.

Blockchain: In the Internet of Medical Things (IoMT), blockchain technology substitutes the traditional federated learning (FL) parameter server. Its responsibilities are: (a) verifying the public keys of registered nodes; (b) gathering secret shares of similarities from these nodes and reconstructing the similarities between local model updates; (c) collecting secret shares of aggregated gradients from all nodes and reconstructing the aggregated gradients.

5.2. Threat Model

Within our security framework, we acknowledge potential scenarios in which medical IoT devices could engage in adversarial behaviors by transmitting manipulated parameter updates to undermine the integrity of the aggregated model. Our analysis distinguishes between two critical vulnerabilities—namely, data exposure risks and model corruption attempts—which are thoroughly examined in subsequent sections.

1.

Privacy leakage: In federated learning processes, compromised IoMT equipment may be able to deduce confidential data from legitimate participants. These adversarial actors could access gradient data submitted by compliant devices through blockchain records to reverse-engineer sensitive parameters. Contrary to protocol-following passive devices, maliciously active participants might alter intermediate computations within secure multiparty protocols. Furthermore, coordinated groups of IoMT devices could cooperate maliciously, amplifying their capacity to compromise the confidentiality of data.

2.

Poisoning attacks: In the training phase, external adversaries might exploit compromised IoMT devices to initiate poisoning attacks. Attackers could potentially intercept sensitive details regarding localized training datasets and parameter adjustments from hijacked nodes. Simultaneously, they might intentionally distort the devices’ optimization gradients to impede the collaborative learning model’s stabilization process and degrade its predictive performance.

We outline the workflow of the proposed protocol in Algorithm 1.

Algorithm 1: Privacy-Preserving Poisoning-Defending BCFL

5.3. Initialization

The blockchain-based federated learning (FL) system is established by initializing system parameters and publishing public parameters on the blockchain. Each device must register as a legitimate participant before engaging in training. The specific processes are executed as follows:

1.

Task Publish: During initialization, system participants (e.g., IoMT devices and edge nodes) establish connections to create a peer-to-peer network. A TP initiates a FL task by implementing an SC on the blockchain network, and pays a fee as a bonus pool. Within the deployed SC, the TP sets the initial public parameter $ipp=({\mathbf{w}}^{\left(0\right)},\delta ,b)$, where ${\mathbf{w}}^{\left(0\right)}$, $\delta$, and b represent the initial weights, learning rate, and training batch size, respectively. Subsequently, other authenticated devices can synchronize with it.

2.

System Initialization: The Trusted Authority (TA) initially selects a security parameter $\alpha$ and two large safe prime numbers, p and q, where $\left|p\right|=\left|q\right|=\alpha$. Subsequently, the TA computes $M=pq$ and $\lambda =lcm(p-1,q-1)$. A generator h of order $(p-1)(q-1)/2$ is then chosen by TA; for example, $h=-a^{2M}$, where a is a random number in ${\mathbb{Z}}_{M^2}^{*}$. Following this, the TA picks N unique elements ${\left\{{\theta }_i\right\}}_{i\in [1,N]}$ from ${\mathbb{F}}_p$. Each device $i(1\le i\le N)$ requests the TA for $(h,p,q)$ and N distinct elements ${\left\{{\theta }_i\right\}}_{i\in [1,N]}$.

3.

Edge Node Register: Let there be m nodes in the system. Each node i$(1\le i\le M)$ randomly chooses a private key $s{k}_i\in {\mathbb{Z}}_q^{*}$ and calculates their public key as $p{k}_i=h^{s{k}_i}$. In order to demonstrate the validity of $s{k}_i$, a common non-interactive zero-knowledge (NIZK) proof, $proo{f}_{s{k}_i}$, is generated [34]. The NIZK proving and verification processes are represented by $prove(s{k}_i,p{k}_i)$ and $verify(p{k}_i,proo{f}_{s{k}_i})$, respectively, as outlined in Algorithms 2 and 3. Subsequently, each node publishes their public key $p{k}_i$ along with the corresponding $proo{f}_{s{k}_i}$ on the blockchain.

Algorithm 2: NIZK Prove Function

Input:  $s{k}_i$, $p{k}_i$ Output:  $proo{f}_{s{k}_i}$ 1: function prove($s{k}_i$,$p{k}_i$) 2:     $r_i{\in }_R{\mathbb{Z}}_p^{*}$ 3:     $t_i\leftarrow h^{r_i}modp$ 4:     $c_i\leftarrow H\left(h\right||p{k}_i\left|\right|t_i)$ 5:     $s_i\leftarrow r_i-c_i·x_i$ 6:     $proo{f}_{s{k}_i}=<t_i,c_i,s_i>$ 7:     return $proo{f}_{s{k}_i}$ 8: end function

Algorithm 3: NIZK Verify Function

5.4. Local Computation

Local computation comprises model updating, local training, normalization, and secret sharing. The processes of LocalComputation are outlined in Algorithm 1. Below, we elaborate on these components.

1.

Model update: Device $C_i$ retrieves the most recent global model ${\mathbf{w}}^{(t-1)}$ from an edge node. Subsequently, the local model ${\mathbf{w}}_i^{\left(t\right)}$ is updated using Equation (7), where $\delta$ represents the local learning rate. If the devices’ objective function converges, the training process concludes; otherwise, $C_i$ proceeds to the next iteration.

$${\mathbf{w}}_i^{\left(t\right)}={\mathbf{w}}^{(t-1)}-\delta {\mathbf{g}}_i^{(t-1)}.$$

(11)

The specifics of updating the local models are elucidated by invoking ModelUpdate, as defined in Algorithm 4.

Algorithm 4: ModelUpdate

2.

Local training: During the $t^{\mathrm{th}}$ iteration of training, each device $C_i$ involved in FL leverages its local dataset $D_i$ ($i\in [1,N]$) and local model ${\mathbf{w}}_i^{\left(t\right)}$ to compute the local gradient ${\mathbf{g}}_i^{\left(t\right)}$, as defined in Equation (12).

$${\mathbf{g}}_i^{\left(t\right)}=\nabla L({\mathbf{w}}_i^{\left(t\right)},D_i),$$

(12)

where $L({\mathbf{w}}_i^{\left(t\right)},D_i)$ denotes the empirical loss function, with ∇ representing the derivative operation.

3.

Normalization and quantization: For device $C_i$, we employ Equation (13) to normalize the local gradients as follows:

$${\tilde{\mathbf{g}}}_i^{\left(t\right)}={\displaystyle \frac{{\mathbf{g}}_i^{\left(t\right)}}{\left|\right|{\mathbf{g}}_i^{\left(t\right)}\left|\right|}},$$

(13)

where ${\tilde{\mathbf{g}}}_i^{\left(t\right)}$ represents the unit vector. For any integer $q\ge 1$, we introduce a stochastic rounding function, defined as:

$$Q_q\left(x\right)=\left\{\begin{array}{c}{\displaystyle \frac{⌊qx⌋}{q}}withprob.1-(qx-⌊qx⌋)\hfill \\ {\displaystyle \frac{⌊qx⌋+1}{q}}withprob.qx-⌊qx⌋\hfill \end{array}\right.,$$

(14)

where $⌊qx⌋$ denotes the largest integer less than or equal to x. It is important to note that this function is unbiased; that is, ${\mathbb{E}}_Q\left[Q_q\left(x\right)\right]=x$. The parameter q serves as a tuning parameter corresponding to the quantization level. The variance of $Q_q\left(x\right)$ diminishes with increasing q. Subsequently, we define the quantized gradient as:

$${\overline{\mathbf{g}}}_i^{\left(t\right)}:=\varphi (q·Q_q\left({\tilde{\mathbf{g}}}_i^{\left(t\right)}\right)),$$

(15)

where the function $Q_q$ from Equation (9) is applied element-wise and a mapping function $\varphi :\mathbb{R}\to {\mathbb{F}}_p$ is specified to represent a negative integer in the finite field using the two’s complement representation.

$$\varphi \left(x\right)=\left\{\begin{array}{c}\hfill xifx\ge 0\\ \hfill p-xifx<0\end{array}\right..$$

(16)

4.

Secret sharing: Each device $C_i$ within the range of $[1,N]$ produces secret shares of the quantized gradient ${\overline{\mathbf{g}}}_i^{\left(t\right)}$ by creating a random polynomial $f_i:{\mathbb{F}}_p\to {\mathbb{F}}_p^d$ of degree T:

$$f_i\left(\theta \right)={\overline{\mathbf{g}}}_i^{\left(t\right)}+\sum _{m=1}^T{\mathbf{r}}_{im}{\theta }^m,$$

(17)

where the vectors ${\mathbf{r}}_{im}$ are randomly generated from ${\mathbb{F}}_p^d$ by device i. Subsequently, device i transmits the secret shares:

$${\left[\left[{\overline{\mathbf{g}}}_i^{\left(t\right)}\right]\right]}_T^m=f_i\left({\theta }_m\right)$$

(18)

to edge node m within the range of $[1,M]$. In order to ensure the verifiability of these shares, device i also publicly discloses the commitments ${\left\{{\mathbf{c}}_{im}\right\}}_{m\in [1,M]}$ to the coefficients of $f_i$ to all edge nodes. These commitments are defined as:

$${\mathbf{c}}_{im}=\left\{\begin{array}{c}{\psi }^{{\overline{\mathbf{g}}}_i^{\left(t\right)}}form=0\hfill \\ {\psi }^{{\mathbf{r}}_{im}}form=1,\dots ,T\hfill \end{array}\right.,$$

(19)

where $\psi$ represents a generator of ${\mathbb{F}}_p$, and all computations are performed modulo $\lambda$, with $\lambda$ defined as a large prime such that p divides $\lambda -1$.

5.5. Secure Similarity Computation

Algorithm 1 outlines the similarity computation processes as follows:

1.

Partial similarity computation: In our privacy-preserving similarity computation method, each edge node calculates partial similarities using the secret shares of gradients provided by all devices. Specifically, edge node m computes the partial similarities as

$${\left[\left[{\overline{cs}}_i^{\left(t\right)}\right]\right]}_T^m={\left[\left[{\overline{\mathbf{g}}}_i^{\left(t\right)}\right]\right]}_T^m\odot \sum _{i=1}^T{\left[\left[{\overline{\mathbf{g}}}_i^{\left(t\right)}\right]\right]}_T^m,$$

(20)

where ${\left[\left[{\overline{\mathbf{g}}}_i^{\left(t\right)}\right]\right]}_T^m$ represents the normalized gradient of each device $C_i$, and ${\sum }_{i=1}^T{\left[\left[{\overline{\mathbf{g}}}_i^{\left(t\right)}\right]\right]}_T^m$ denotes the sum of all gradients.

2.

Publication: Each edge node m publicly discloses the partial similarities ${\left\{{\left[\left[{\overline{cs}}_i^{\left(t\right)}\right]\right]}_T^m\right\}}_{i\in [1,N]}$ on the blockchain.

3.

Similarity reconstruction: Upon receiving adequate partial similarities from multiple edge nodes, the smart contract is activated to reconstruct the quantized similarities ${\overline{cs}}_i^{\left(t\right)}$ using Lagrange interpretation. Subsequently, the smart contract converts ${\overline{cs}}_i^{\left(t\right)}$ from the finite field to the real domain.

$$c{s}_i^{\left(t\right)}={\displaystyle \frac{{\varphi }^{-1}\left({\overline{cs}}_i^{\left(t\right)}\right)}{q^2}}$$

(21)

for $i\in [1,N]$, where q is the integer parameter in Equation (17) and the de-mapping function ${\varphi }^{-1}:{\mathbb{F}}_p\to \mathbb{R}$ is defined as follows:

$${\varphi }^{-1}\left(\overline{x}\right)=\left\{\begin{array}{c}\hfill \overline{x}if0\le \overline{x}\le {\displaystyle \frac{p-1}{2}}\\ \hfill \overline{x}-pif{\displaystyle \frac{p-1}{2}}\le \overline{x}\le p\end{array}\right..$$

(22)

The variable $c{s}_i^{\left(t\right)}$ quantifies the alignment between the normalized gradient ${\tilde{\mathbf{g}}}_i^{\left(t\right)}$ of each device i and the total gradient sum ${\sum }_{i=1}^N{\tilde{\mathbf{g}}}_i^{\left(t\right)}$. A negative value of $c{s}_i^{\left(t\right)}$ indicates an opposite direction between ${\tilde{\mathbf{g}}}_i^{\left(t\right)}$ and ${\sum }_{i=1}^N{\tilde{\mathbf{g}}}_i^{\left(t\right)}$, which can detrimentally impact the global model. To filter out adversarial gradients during aggregation, the rectified linear unit (ReLU) function is employed:

$$ReLU\left(x\right)=\left\{\begin{array}{c}\hfill xifx>0\\ \hfill 0ifx\le 0\end{array}\right..$$

(23)

This allows us to compute the score $S_i^{\left(t\right)}=ReLU\left(c{s}_i^{\left(t\right)}\right)$ for each device j. Subsequently, the smart contract broadcasts ${\{S_i^{\left(t\right)}=ReLU\left(c{s}_i^{\left(t\right)}\right)\}}_{i\in [1,N]}$ to all edge nodes.

5.6. Secure Model Aggregation

1.

Local gradient aggregation: Each edge node m locally aggregates the secret shares, weighted by their corresponding scores.

$${\left[\left[{\overline{\mathbf{g}}}^{\left(t\right)}\right]\right]}_T^m={\displaystyle \frac{1}{sum}}\sum _{i=0}^N{S}_i^t·{\left[\left[{\overline{\mathbf{g}}}_i^{\left(t\right)}\right]\right]}_T^m,$$

(24)

where $sum={\sum }_{i=1}^N{S}_i^t$. The entity then publishes ${\left[\left[{\overline{\mathbf{g}}}^t\right]\right]}_T^i$ to the blockchain for public verification.

2.

Reconstruction of the global gradients: Upon receiving computation results from a sufficient number of devices, the smart contract is activated to reconstruct the quantized global gradients ${\overline{\mathbf{g}}}^{\left(t\right)}$ through Lagrange interpretation. Subsequently, the smart contract converts ${\overline{\mathbf{g}}}^{\left(t\right)}$ from the finite field to the real domain as follows:

$${\mathbf{g}}^{\left(t\right)}={\displaystyle \frac{{\varphi }^{-1}\left({\overline{\mathbf{g}}}^{\left(t\right)}\right)}{q^2}}.$$

(25)

6. Security Analysis

As outlined in Section 3.2, our threat model encompasses two types of security threats: privacy leakage and poisoning attacks. In this section, we concentrate solely on privacy protection, specifically ensuring the confidentiality of IoMT device gradients originating from edge nodes and blockchain systems. Indeed, the security of our PPBFL is based on our actively secure evaluation protocol, which not only ensures privacy protection in an information-theoretic sense, but also resists malicious attacks carried out by the participants (i.e., it provides active security). First, each IoMT device uploads only committed shares of its local gradients to edge nodes throughout the entire training process. Based on the security provided by verifiable Shamir’s secret sharing, even if at most $T-1$ nodes collude with one another, neither the edge nodes nor blockchain can infer any useful information about the devices from these committed shares or forge them. All operations conducted on edge nodes and within the blockchain are executed under a secure multiparty computation (MPC) framework, thus ensuring the confidentiality of device gradients. Next, we present a proof for our scheme using a hybrid approach [35].

Theorem 1.

Assuming there exists a set of malicious edge nodes, denoted as ${\mathbf{E}}_{Att}\subset \{E_1,\dots ,E_M\}$ holding $|{\mathbf{E}}_{Att}|<T<M/3+1$, it is always possible to identify a simulator $\mathbf{SIM}$ with adequate computational power such that, given parameters p, T, and M, indistinguishability between simulator and real protocol can be assured in an information-theoretic sense—even when edge nodes belonging to ${\mathbf{E}}_{Att}$ collaborate with one another.

$${\mathbf{SIM}}_{{\mathbf{E}}_{Att}}^{p,T,M}\equiv {\mathbf{REAL}}_{{\mathbf{E}}_{Att}}^{p,T,M}.$$

(26)

Proof. 

Considering REAL’s input of ${\mathbf{G}}_N=({\mathbf{g}}_1,\dots ,{\mathbf{g}}_n,\dots ,{\mathbf{g}}_N)$ and SIM’s input of ${\mathbf{G}}_N^{\prime }=({\mathbf{g}}_1^{\prime },\dots ,{\mathbf{g}}_n^{\prime },\dots ,{\mathbf{g}}_N^{\prime })$ with identical distributions, we demonstrate the indistinguishability between ${\mathbf{REAL}}_{{\mathbf{E}}_{Att}}^{p,T,M}$ and ${\mathbf{SIM}}_{{\mathbf{E}}_{Att}}^{p,T,M}$ as well as the unforgeability against active edge nodes throughout the entire execution process of our scheme, as follows.

${\mathbf{STEP}}_{\mathbf{1}}$

 In this step, each edge node $P_m$ receives the committed shares of device gradients. Each node $P_m$ in the real protocol takes the shares denoted by ${\left\{\left[{\overline{\mathbf{g}}}_n\right]\right]}_T^m{\}}_{n\in \left[N\right]}$, while each node $P_m$ in the simulator utilizes ${\left[\left[{\overline{{\mathbf{g}}^{\prime }}}_n\right]\right]}_T^m$. Consequently, indistinguishability between ${\mathbf{REAL}}_{{\mathbf{E}}_{Att}}^{p,T,M}$ and ${\mathbf{SIM}}_{{\mathbf{E}}_{Att}}^{p,T,M}$ is assured.

${\mathbf{STEP}}_{\mathbf{2}}$

 In this step, each edge node $P_m$ computes ${\left\{{\left[\left[{\overline{cs}}_n^{\left(t\right)}\right]\right]}_T^m\right\}}_{n\in \left[N\right]}$. Each node $P_m$ in the real protocol calculates ${\left\{{\left[\left[{\overline{cs}}_n^{\left(t\right)}\right]\right]}_T^m\right\}}_{n\in \left[N\right]}$ while simultaneously calculating ${\left\{{\left[\left[{\overline{c{s}^{\prime }}}_n^{\left(t\right)}\right]\right]}_T^m\right\}}_{n\in \left[N\right]}$ in the simulator. Given that ${\left\{{\left[\left[{\overline{cs}}_n^{\left(t\right)}\right]\right]}_T^m\right\}}_{n\in \left[N\right]}$ and ${\left\{{\left[\left[{\overline{c{s}^{\prime }}}_n^{\left(t\right)}\right]\right]}_T^m\right\}}_{n\in \left[N\right]}$ share an identical distribution due to properties inherent to Shamir’s secret sharing and Lagrange interpolation techniques, we can guarantee their indistinguishability.

${\mathbf{STEP}}_{\mathbf{3}}$

 In this step, each edge node $P_m$ transmits the ${\left[\left[{\overline{cs}}_i^{\left(t\right)}\right]\right]}_T^m$ to the smart contract for reconstruction of $c{s}_i^{\left(t\right)}$. In the real protocol, each node $P_m$ sends ${\left[\left[{\overline{cs}}_i^{\left(t\right)}\right]\right]}_T^m$ to the smart contract, while in the simulator it sends ${\left[\left[{\overline{c{s}^{\prime }}}_i^{\left(t\right)}\right]\right]}_T^m$ to reconstruct ${c{s}^{\prime }}_i^{\left(t\right)}$. Leveraging the properties of Lagrange interpolation, it can be ensured that only the final reconstructed result is disclosed. Consequently, indistinguishability between ${\mathbf{REAL}}_{{\mathbf{E}}_{Att}}^{p,T,M}$ and ${\mathbf{SIM}}_{{\mathbf{E}}_{Att}}^{p,T,M}$ is guaranteed.

${\mathbf{STEP}}_{\mathbf{4}}$

 In this step, each edge node $P_m$ computes ${\left[\left[\overline{\mathbf{g}}\right]\right]}_T^m$. Each node performs this calculation as follows: in the real protocol, it calculates ${\left[\left[\overline{\mathbf{g}}\right]\right]}_T^m$ while, in the simulator, it computes ${\left[\left[\overline{{\mathbf{g}}^{\prime }}\right]\right]}_T^m$. Given that both ${\left[\left[\overline{\mathbf{g}}\right]\right]}_T^m$ and ${\left[\left[\overline{{\mathbf{g}}^{\prime }}\right]\right]}_T^m$ share identical distributions due to Shamir’s secret sharing and Lagrange interpolation properties, their indistinguishability can be assured.

${\mathbf{STEP}}_{\mathbf{5}}$

 In this step, each edge node $P_m$ submits ${\left[\left[\overline{\mathbf{g}}\right]\right]}_T^m$ to the smart contract for the reconstruction of $\mathbf{g}$. Specifically, in the real protocol context, every node $P_m$ sends its respective ${\left[\left[\overline{\mathbf{g}}\right]\right]}_T^m$ to facilitate reconstruction of $\mathbf{g}$ while, during simulation, they send ${\left[\left[\overline{{\mathbf{g}}^{\prime }}\right]\right]}_T^m$ instead for reconstructing ${\mathbf{g}}^{\prime }$. Based on the principles of Lagrange interpolation, only information pertaining to the final reconstructed results may be revealed. Thus, we ensure indistinguishability between ${\mathbf{REAL}}_{{\mathbf{E}}_{Att}}^{p,T,M}$ and ${\mathbf{SIM}}_{{\mathbf{E}}_{Att}}^{p,T,M}$.

□

7. Experimental Setup

We implemented our scheme on a private Ethereum blockchain setup. The smart contract (SC) layer was developed using the Solidity programming language and deployed on the private blockchain utilizing Truffle. Our experiments were conducted using PyTorch version 2.6.0 running on a workstation equipped with Ubuntu 20.04 OS, an AMD Ryzen Threadripper 3970X (32 cores, 64 threads, 3.7 GHz), an RTX 3090 Ti GPU, and 256 GB of RAM. Simultaneously, we simulated edge nodes using independent threads, with each thread implementing a real-world PyTorch classifier. Additionally, mobile phones (Huawei nova 7, 2.6 GHz, 8 cores, and 8 GB RAM) were employed as model Internet of Medical Things (IoMT) devices. Furthermore, our scheme operated within a finite field ${\mathbb{Z}}_p$, with the secure framework based on a $(T,N)$-threshold multi-party computation (MPC)-based protocol. The protocol utilized threshold multi-party computation (MPC), with the parameter p configured as $2^{26}-5$ to avoid data overflow. Standard threshold parameters were predefined as $T=4$ and $N=10$ in this framework.

7.1. Datasets and Settings

To evaluate the performance of our privacy-preserving blockchain federated learning (PP-BFL), we conducted experiments on two widely used datasets: PathMNIST [36] and OCTMNIST [37]. Details regarding these datasets are presented in

Table 2. Descriptions of datasets.

Dataset	Training Set	Class	Test Set	Data Type
PathMNIST	$80,000$	9	$10,000$	image
OCTMNIST	$90,000$	4	$10,000$	image

. The PathMNIST dataset comprises $80,000$ non-overlapping image patches from hematoxylin and eosin-stained histological images, including a test dataset of $10,000$ image patches from a different clinical center. The dataset is comprised of 9 types of tissues, and each image has dimensions of $3\times 28\times 28$ pixels. The OCTMNIST dataset comprises $90,000$ valid optical coherence tomography (OCT) images for retinal diseases. The dataset is comprised of four diagnosis categories, and each image is resized to $1\times 28\times 28$ pixels.

7.2. Poisoning Attacks

In this experiment, we considered both targeted and non-targeted attacks. For non-targeted attacks, our analysis presumed that adversarial devices transmit randomized parameter updates, designed to undermine the global model’s reliability. Conversely, for targeted attacks—specifically assessing two prominent variants: class-redirection and covert-channel—we emulated class-redirection tactics by reassigning the original training labels and produced covert-channel instances through the deliberate insertion of activation patterns into unprocessed training data. Expanded methodological particulars are presented in the subsequent sections.

• Label-flipping: We conducted a label-flipping attack on the PathMNIST dataset, where compromised devices relabeled the training dataset’s labels from 2 to 4 to simulate this type of attack.
• Backdoor: To construct backdoor examples, we reassigned labels for DRUSEN exhibiting white horizontal stripes as diabetic macular edema (DME) on the OCTMNIST dataset.

7.3. Evaluation Metrics

We utilized test accuracy and test error rate as indicators for models trained on various datasets. The primary objective of our approach was to enhance the accuracy of the global model. Swarm Learning (SL) [10] serves as a widely recognized method in non-adversarial settings within Blockchain Federated Learning (BFL). Consequently, we evaluated the SL scheme without attacks as a baseline comparison against Krum [17], while also presenting results from our proposed scheme under varying numbers of malicious devices.

7.4. FL Settings

In our evaluation setup, we configured the number of devices at $n=10$, selecting all devices during each iteration throughout training. Our training model was based on a Convolutional Neural Network (CNN) with the following architecture: $Input\to Conv\to Maxpool\to FullyConnected\to Output$. The weight and bias parameters for each layer were defined as follows: for the Conv layer, $w1=(10,1,3,3)$ and $b1=(10,1)$; Fully Connected layer, $w2=(1960,128)$ and $b2=(1,128)$; and the Output layer, $w3=(128,10)$ and $b3=(1,10)$. Additional training parameters are summarized in

Table 3. Training configuration.

Parameter	Value
No. of iterations	1500
No. of epochs	1
Learning rate	$0.5$
Minimal batch size	64

.

Data allocation per device was performed equally, with each device containing 8000 uniformly distributed data points from the PathMNIST dataset and 9000 from the OCTMNIST dataset. We examined different scenarios regarding the proportion of malicious devices ranging from $10\%$ to $50\%$. Our scheme was compared against both the SL and Krum methodologies. The batch size was set at $b=128$. Furthermore, we observed that the loss function generally converged after approximately 50 rounds; thus, we established the number of training epochs at $e=50$.

8. Experimental Results

In this section, based on extensive experimental results, we analyze the performance of our scheme from two perspectives: (1) Defensive effectiveness against both targeted and non-target attacks; and (2) computational and communication overheads.

8.1. Defense Effectiveness

To assess the defensive effectiveness of our PPBFL, we conducted simulations of both non-targeted and targeted attacks on the PathMNIST and OCTMNIST datasets. The experiments were analyzed from the perspective of varying attack proportions and different iterations. Additionally, we provide an accuracy comparison with the baseline scheme (SL) [10], as well as state-of-the-art methods such as Krum [17]. Figure 5 and Figure 6 illustrate the training processes over 50 iterations for the PathMNIST and OCTMNIST datasets, respectively. Specifically, despite varying numbers of attackers, our PP-BFL maintained an accuracy rate consistent with that of the baseline under both non-targeted and targeted attacks, thereby achieving robustness alongside high accuracy.

8.2. Overhead of Our Scheme

The computational efficiency of PPBFL is closely tied to its operational performance. We evaluated its resource consumption by measuring computational and communication demands, tracking how these metrics evolve as more devices join the network. Figure 7 demonstrates substantially reduced processing requirements on devices compared to edge servers—a difference stemming from their distinct operational roles. While devices primarily distribute gradient shares, edge nodes shoulder the majority of secure computational tasks. Communication patterns reveal similar disparities, as illustrated in Figure 8. Devices maintain leaner communication channels, mainly transmitting gradient shares to edge nodes and receiving aggregated weight updates. Conversely, edge infrastructure manages denser data exchanges to facilitate effective similarity calculations, requiring multiple coordination steps between network components.

In parallel, we conducted comparative analyses between our PPBFL framework and the MPC-based PPML approach [16], evaluating computational and communication costs across device and edge node operations. The experimental results presented in Figure 7 reveal that PPBFL demonstrated superior performance in terms of computational efficiency, which was particularly noticeable on devices. Notably, our solution maintained stable computational demand regardless of growth in the quantity of devices, while PPML exhibited a quadratic growth pattern in resource consumption with an increasing number, as can be seen from Figure 7a. Corresponding server-side analyses, as shown in Figure 7b, confirmed analogous efficiency advantages. This performance gap stems from PPBFL’s optimized computational architecture, compared to PPML’s more complex operational requirements. The communication metrics illustrated in Figure 8 further highlight PPBFL’s technical superiority, achieving reduced data transmission requirements through minimized interaction rounds between devices and edge nodes. Unlike PPML’s intensive communication protocols requiring multi-party coordination and cloud server mediation, our framework implements streamlined data exchange mechanisms. Additionally, PPML’s architecture demands supplementary communication resources to handle device disconnections, whereas PPBFL inherently maintains operational stability without requiring such compensatory measures.

Operations executed through the smart contract were processed as Ethereum transactions, prompting us to quantify computational expenses through analyzing the gas units consumed during EVM instruction execution. Therefore, on-chain activities were evaluated through systematic gas utilization assessments, which aligned with transaction processing requirements. Under EIP-1559 specifications, the maximum block gas capacity has been raised from 15 million units to 30 million, although standard operational targets are typically maintained at approximately 15 million units. Moreover, the gas consumption caused by the transactions mined in one block cannot exceed the block gas limit. To avoid reaching the gas limit, we split the submit() and aggregate() functions up and imposed restrictions on the number of gradients published in one transaction to 200. As shown in

Table 4. Gas cost of each function in TrainFL smart contract.

Function	Gas
construct()	3602173
setEligible()	209906
register()	157970
submit()	17224780
similarity()	20643343
aggregate()	26843542

, we measured each operation’s computational consumption in gas.

The deployment of the smart contract necessitates an expenditure of $3,602,173$ gas units. The framework initially configures authorized addresses within the permissioned blockchain network to restrict unauthorized participation, requiring $208,906$ gas units for this setup phase. Prospective participants must complete blockchain registration by submitting cryptographic public keys, accompanied by Non-Interactive Zero-Knowledge (NIZK) validation credentials, with the blockchain’s verification and storage of these keys demanding $157,970$ gas per registration instance. The subsequent phase involves devices transmitting gradient data to the blockchain network, with transaction processing capacities handling batches of up to 200 gradients at a gas expenditure of $17,224,780$ per computational transaction. Following complete cipher-text submissions from all participants, the blockchain executes aggregation operations to derive global gradient parameters, with each aggregation transaction consuming $26,843,542$ gas units.

9. Discussion

In this section, we first assess the functionality of our proposed scheme by comparing it with several related works. Subsequently, we summarize the performance of our PPBFL.

9.1. Functionality

First, the functionality of our PPBFL was evaluated in comparison to several state-of-the-art approaches, including SL [10], BFLC [24], Krum [17], FLTrust [31], Bift [33], LearningChain [25], SL+HE [15], PPML [16], and Securenn [29]. As illustrated in

Table 5. A comparative summary between our scheme and previous schemes.

Schemes	Resisting	Privacy	Poisoning	Light-	Security
	Against SPOF	Protection	Defense	Weight Comp.	Level
SL	√	×	×	−	−
[10]	(Blockchain)
SL+HE	√	√	×	×	Passive
[15]	(Blockchain)	(Paillier)
Learning	√	√	√	√	Passive
Chain [25]	(Blockchain)	(DP)
PPML	√	√	×	−	Passive
[16]	(Single-Server)	(SMC)
Securenn	√	√	×	×	Passive
[29]	(Triple-Server)	(SMC)
Krum	×	×	√	−	−
[17]	(Single-Server)
FLTrust	×	×	√	−	−
[31]	(Single-Server)
BFLC	√	×	√	−	−
[24]	(Blockchain)
Bift	√	×	√	−	−
[33]	(Blockchain)
Our	√	√	√	√	Active
Scheme	(Blockchain)	(SMC)

, SL [10] replaces the traditional server with a blockchain framework to mitigate the risks associated with single points of failure (SPFs), as well as potential malicious behaviors exhibited by servers.

Note that the security level includes passive security and active security; here, passive security refers to ensuring the security of the devices when the attackers are honest-but-curious (i.e., the attacker only performs passive attacks such as inference attacks), while active security refers to ensuring the security of devices when the attackers are malicious-and-curious (i.e., the attacker not only carries out passive attacks, but also actively performs malicious behaviors such as poisoning attacks). The DP-based LearningChain [25], HE-based SL+HE [15], and MPC-based schemes [16,29] consistently safeguard device privacy through their secure frameworks. Obviously, the above schemes can be categorized as passive security, as they do not consider of defending against poisoning attacks. Meanwhile, the Krum [17], FLTrust [31], and Bift [33] frameworks are capable of defending against poisoning attacks but cannot protect device privacy. Therefore, these schemes cannot be categorized as either passive or active security. In contrast to all of the above-mentioned schemes, our PPBFL employs our MPC-based actively secure evaluation protocol to achieve active security, not only protecting the privacy of devices but also preventing poisoning attacks.

Furthermore, as our actively secure evaluation protocol utilizes $(T,N)$-threshold MPC to construct our secure framework, our PPBFL can resist collusion between at most $T-1$ edge nodes, as well as supporting edge node dropout up to a level of $N-T$.

9.2. Performance

As discussed in Section 8, we conducted a series of experiments to evaluate the efficacy of our PPBFL. Based on the empirical results, the following conclusions can be drawn.

• Privacy of Device Data: The PPBFL allows each IoMT device to collaboratively train the FL model locally with their local data. The PPBFL method is unlike the centralized machine learning approach, where the IoMT devices need to send their local data to the cloud for the learning process. Therefore, the proposed FL approach can ensure the privacy of these devices’ sensitive data.
• Robustness of Local and Global Model: In our scenario, we consider adversaries that perform poisoning attacks on the IoMT device’s datasets. Such a poisoning attack will lead to a faulty local model and a poisoned global model. Our PPBFL utilizes the cosine similarity to detect and eliminate poisoned local model updates during the aggregation process. Judging from the experimental results, our PPBFL can effectively mitigate the influence of poisoned local model updates. From this result, our PPBFL can guarantee the robustness of both the local and global models.
• Privacy of Local Model: In a traditional FL framework, attackers can perform a membership inference attack on the local device models, thus leaking sensitive data from the model. Therefore, we leverage the MPC-based secret sharing protocol, which maintains data confidentiality throughout FL processes, effectively addressing the inherent tension between data privacy preservation and robust defense against poisoning attacks. As the local gradient is protected, model inversion attacks and parameter stealing cannot be performed on the local model by an attacker.
• MPC-based Secure Aggregation: In traditional FL approaches, the local models of devices are collected and aggregated into a global model. The aggregation process is the core step of FL to achieve a learning model with higher accuracy. As the aggregation is performed in the blockchain node using MPC-based actively secure evaluation protocol, adversaries cannot tamper with the aggregation process, thus maintaining the model’s accuracy.
• Verifiability of the Global Model: As a decentralized technology, blockchain can maintain the integrity of data. In our PPBFL, we leverage blockchain to store the latest global model after the secure aggregation process. The decentralized process makes it impossible for adversaries to tamper with or alter the global model, as this will change the hash value. Later, the global model stored in the blockchain will be sent to the IoMT devices. Moreover, the devices can verify the integrity of the global model by checking the signatures and hashes before they use it.

10. Conclusions

In this study, we proposed a privacy-preserving blockchain-based federated learning (BFL) framework that protects against poisoning attacks, thus promoting safe data sharing in the IoMT context. In particular, the PPBFL was constructed to address the contradictory issues of privacy protection and poisoning defense in BFL. Based on the actively secure evaluation protocol and hierarchical framework, our PPBFL is characterized by its security, utility, robustness, and efficiency, effectively satisfying the demands of practical IoMT.

In the proposed framework, we provide a privacy-preserving training mechanism using a $(T,N)$-threshold MPC-based scheme, which ensures low computation and communication overheads. To resist poisoning attacks, we provide a robust global model by filtering out the harmful gradients using the cosine similarity. Our key insight is that the cosine similarity can be calculated homomorphically, based on our actively secure evaluation protocol, thus making it feasible to simultaneously ensure privacy protection and poisoning defense in FL. Furthermore, the blockchain is used to facilitate transparent processes and the enforcement of regulations, eliminating the need for a central coordinating authority during model training processes. Experiments were carried out on two medical datasets—PathMNIST [36] and OCTMNIST [37] —allowing for comparison of the proposed approach with Swarm Learning (SL) [10] and Krum [17]. The experimental results demonstrated that the proposed scheme can resist model poisoning attacks and achieve high global model accuracy.

In the future, we plan to develop an efficient consensus mechanism for PPBFL, in order to reduce computational and energy resources, as well as an incentive mechanism for PPBFL, in order to drive participants to actively and honestly take part in FL training tasks. Meanwhile, we plan to broaden the scope of PPBFL in the future in order to better support heterogeneous models in blockchain-based federated learning (BFL) for data sharing in IoMT.