Privacy-Preserving Data Aggregation Scheme Based on Federated Learning for IIoT

Abstract

The extensive application of the Internet of Things in the industrial field has formed the industrial Internet of Things (IIoT). By analyzing and training data from the industrial Internet of Things, intelligent manufacturing can be realized. Due to privacy concerns, the industrial data of various institutions cannot be shared, which forms data islands. To address this challenge, we propose a privacy-preserving data aggregation federated learning (PPDAFL) scheme for the IIoT. In federated learning, data aggregation is adopted to protect model changes and provide data security for industrial devices. By utilizing a practical Byzantine fault tolerance (PBFT) algorithm, each round selects an IIoT device from each aggregation area as the data aggregation and initialization node, and uses data aggregation to protect the model changes of a single user while resisting reverse analysis attacks from the industrial management center. The Paillier cryptosystem and secret sharing are combined to realize data security, fault tolerance, and data sharing. A security analysis and performance evaluation show that the scheme reduces computation and communication overheads while guaranteeing data privacy, message authenticity, and integrity.

1. Introduction

The extensive application of the Internet of Things in the industrial field has formed the industrial Internet of Things (IIoT), which greatly improves industrial productivity and efficiency [1]. Smart devices in the IIoT generate vast amounts of perceptual data that contain sensitive information, such as how devices are performing. Because these data play a vital role in troubleshooting and early security warnings, it is crucial to protect data privacy in the IIoT [2]. For example, on March 7, 2019, an attack on the computer system of Venezuela’s Guri hydroelectric power plant caused power outages in 21 states, affecting 30 million people. Thus, the privacy protection and security issues of the IIoT have attracted the attention of many researchers [3,4].

The industrial data generated by the IIoT are used to develop artificial intelligence (AI) through machine learning techniques, which can be applied to various fields such as smart communities, smart healthcare, smart grids, smart cities, and autonomous driving [5]. Analyzing and training data from the industrial Internet of Things to realize intelligent manufacturing [6] promotes the transformation of traditional industries into smart industries. Machine learning algorithms can help with the real-time data learning and model training of intelligent devices in the industrial Internet of Things. Smart devices constantly collect data, which helps learning models update in time. Therefore, machine learning is used for real-time processing and decision making after IIoT data collection. Traditional machine learning algorithms relying on central servers or third parties for data learning can lead to serious privacy issues, such as a data leakage that contains sensitive user information. These algorithms need to upload data to the central server to train the learning model. Although machine learning can improve prediction accuracy by training models, it is prone to privacy leaks because the raw data of the smart device are directly trained. Therefore, there is an urgent need for distributed machine learning in the IIoT to be able to train learning models while protecting data privacy.

Inspired by this issue, Google proposed federated learning (FL), a cryptographic distributed machine learning technique for data privacy protection and model collaborative training [7]. FL trains high-quality AI models by averaging local model updates aggregated from many IIoT devices. It eliminates the need for direct access to local data, reducing the risk of privacy breaches. Because FL collects data from many IIoT devices to train the AI model, the training model accuracy is significantly improved, which is not possible when training centralized traditional machine learning algorithms with fewer data [8]. Inspired by these attractive features, research activities that combine FL and the IIoT have been carried out [9,10,11]. However, these works only focused on some IIoT applications, but ignore IIoT privacy protection. In the federated learning model transmission process, there is also the risk of privacy information disclosure [12]. Therefore, it is challenging to design federated learning schemes that meet the privacy protection and information security requirements of the IIoT.

To address the above challenges, we propose a privacy-preserving data aggregation federated learning (PPDAFL) scheme for the IIoT, which combines secret sharing with federated learning to aggregate IIoT data.

The main contributions of this paper are as follows:

(1)

A privacy-preserving, multidimensional data aggregation scheme based on federated learning is proposed. This scheme enables multidimensional data aggregation for the IIoT. For federated learning, data aggregation is adopted to protect local model changes and resist reverse analysis attacks.

(2)

Through the PBFT algorithm, initialization and aggregation nodes are selected to achieve independence from any trusted entity. Secret sharing is used to achieve fault tolerance. Even if $K-L$ IIoT devices collude with each other or fail, the aggregation information from the IIoT can be obtained.

(3)

Compared with existing schemes, PPDAFL has lower communication and computational overheads, faster execution, and higher efficiency. It is well suited for data aggregation in the IIoT.

The rest of this paper is organized as follows: The related work is discussed in Section 2. Section 3 describes the preliminary concepts, and Section 4 presents the system model. The PPDAFL scheme is described in Section 5, a security analysis is conducted in Section 6, and the model’s performance is evaluated in Section 7. Section 8 is a summary of the paper.

2. Related Work

In recent years, the study of federal learning and the industrial Internet of Things has attracted much attention.

Initially proposed by McMahan et al. [13], FL is a decentralized, private data training method. The robustness of FL was verified and FL was further explored. Subsequently, some researchers combined federated learning with homomorphic encryption to protect user privacy. Zhang et al. [14] proposed a non-IID FL optimization target alignment and method of unified feature learning to improve the FL model performance. The feature representation difference between clients is reduced by the opponent module, and the two consensus losses are applied from two perspectives to reduce the inconsistency of the optimization goal. In [15], a multi-secret sharing, secure aggregation scheme based on the fast Fourier transform was proposed, which has robustness, efficient communication, and a low computational cost. The authors in [16] presented an efficient secret-sharing, privacy-preserving data aggregation scheme based on FL. The scheme achieves fault tolerance and attack resistance, and the model of user training is aggregated without disclosing individual user information. These schemes [14,15,16] can resist most attacks, but the first two schemes fail to defend against reverse attacks and the latter cannot resist replay attacks. Zhou et al. [17] proposed a federated learning scheme combining Shamir secret sharing and homomorphic cryptography for multiparty entity matching. A logistic regression algorithm is used to realize the user’s exit in vertical federated learning and privacy protection model training. However, this scheme assumes that the key generation center is the trusted entity that distributes the secret key.

In recent years, some researchers have investigated federated learning and applied it to the IIoT. Liu et al. [18] designed a deep anomaly detection framework based on federated learning and a convolutional neural network/long short-term memory model. The scheme protects data privacy through FL, and the LSTM learning model detects device failures in the IIoT. In this scheme, the cloud aggregator is a trusted authority that initializes and distributes secret keys to the system. This solution assumes that the cloud aggregator is a trusted entity. Zhang et al. [19] proposed a deep reinforcement learning-assisted FL algorithm for IIoT device selection to improve model accuracy, verifying the effectiveness of the proposed algorithm. The scheme sets the central server as a trusted authority, which selects a device in the IIoT as the initialization and aggregation node. In [20], the authors proposed a multiple data aggregation scheme of differential privacy and homomorphic encryption, which was designed as a federated learning IIoT application model based on blockchain, and achieved model sharing and data sharing while protecting the privacy of the data. However, the scheme does not achieve a secure exchange of industrial data. Qu et al. [21] designed a decentralized framework of big-data-driven cognitive computing by combining federated learning and blockchain for Industry 4.0 networks. An optimization model was developed using the improved Markov decision-making process to conduct poisoning attacks. Fu et al. [22] proposed a privacy-protected, verifiable federated learning VFL for the industrial Internet of Things. Lagrange interpolation was used to set interpolation points to verify the correctness of the aggregation gradient. The scheme assumes that the public key generator is a trusted entity, which is used to initialize and generate keys and parameters. Qu et al. [23] proposed a federated blockchain-based learning scheme, which allows local learning updates to be sent to terminal devices via a blockchain-based global learning model, and they are verified by miners. The PoW consensus mechanism of blockchain is adopted to realize decentralization and autonomous machine learning.

At present, although there have been some achievements in the research on the IIoT frameworks and schemes based on federated learning, these ideas are still in the initial stage and have many deficiencies.

3. Preliminary Concepts

3.1. Federated Learning

FL is a distributed machine learning model that trains local models on the user side and aggregates them with a central manager [24]. The large-scale distributed training of local data iteratively aggregates the data into a global model, which helps protect the privacy of the data [25]. FL keeps private data local and only shares the model parameters. FL allows devices to collaboratively train shared models without having to exchange their local private data [26].

FL model training is divided into three phases [27]. First, data are locally collected and trained. Second, the local model is uploaded and aggregated. Finally, the aggregation forms a global model, which is then distributed to local devices.

3.2. Secret Sharing

Shamir proposed a secret-sharing scheme based on the Lagrange interpolation formula [1], which requires a distributor to divide the secret into n pieces and secretly send one copy to each user. This formula requires at least L (N ≥ L) secret holders to participate in the reconstruction of the secret, as L − 1 participants cannot reconstruct the secret. Therefore, the problem of sharing secrets among n users is solved [28].

The following polynomial was chosen to split a secret:

$$F\left(y\right)=\alpha +p_{1}y+p_2{y}^2+\cdots +p_{L-1}{y}^{L-1}$$

(1)

where $\alpha$ is a secret, and L is a threshold value.

The following formula can be obtained via the Lagrange interpolation polynomial:

$$F\left(y\right)={{\displaystyle \sum }}_{k=1}^L\left({{\displaystyle \prod }}_{j=1,j\ne k}^L\frac{y_j-y}{y_j-y_k}\right)F\left(y_k\right)$$

(2)

$${\gamma }_{y_j}={{\displaystyle \prod }}_{k=1,k\ne j}^L\frac{y_k}{y_k-y_j}$$

(3)

Then, $\alpha$ is calculated as follows:

$$\begin{array}{ll}{\displaystyle \sum }_{j=1}^{L}F\left(y_j\right){\gamma }_{y_j}& ={\displaystyle \sum }_{k=1}^{L}F\left(y_k\right)·{\gamma }_{y_{k }}\\ & ={\displaystyle \sum }_{k=1}^{L}F\left(y_k\right)·\left({\displaystyle \prod }_{j=1,j\ne k}^L\frac{y_j}{y_j-y_k}\right) \\ & ={\displaystyle \sum }_{k=1}^L\left({\displaystyle \prod }_{j=1,j\ne k}^L\frac{y_j}{y_j-y_k}\right)F\left(y_k\right)\end{array}$$

(4)

Let y = 0 in Equation (2).

$$\begin{array}{ll}F\left(0\right)& ={\displaystyle \sum }_{k=1}^L\left({\displaystyle \prod }_{j=1,j\ne k}^L\frac{y_j-0}{y_j-y_k}\right)F\left(y_k\right)\\ & ={\displaystyle \sum }_{k=1}^L\left({\displaystyle \prod }_{j=1,j\ne k}^L\frac{y_j}{y_j-y_k}\right)F\left(y_k\right)\end{array}$$

(5)

Let y = 0 in Equation (1).

$$F\left(0\right)=a$$

Equation (4) equals Equation (5); thus, the following equation holds:

$$\alpha =F\left(0\right)={{\displaystyle \sum }}_{j=1}^{L}F\left(y_j\right){\gamma }_{y_j}$$

(6)

3.3. Paillier Cryptosystem

The Paillier cryptosystem [29] is an additive homomorphic, asymmetric encryption algorithm with the following steps:

(1)

Key generation. Randomly select two primes $p$ and $q$, and calculate $\lambda =lcm\left(p-1,q-1\right)$. Define $L\left(x\right)=\frac{x-1}{N}$, where $N=pq$. Choose a generator $g\in Z_{N^2}^{*}$, and calculate $\mu ={(L\left(g^{\lambda }\mathit{mod} N^2\right))}^{-1} \mathrm{mod} \mathrm{n}$. The public and private keys are $\left(N,g\right)$ and $\left(\lambda ,\mu \right)$, respectively.

(2)

Encryption. Choose $r\in Z_N^{*}$, $\mathit{gcd}(r,N)=1$, given a message $X\in Z_N$. The ciphertext is calculated as $C=g^X\cdot r^N\mathit{mod} N^2$.

(3)

Decryption. Decrypt with the private key using $Dec\left(C\right)=L\left(C^{\lambda }\mathit{mod} N^2\right)\cdot \mu \mathit{mod} N$.

4. System Model

4.1. Communication Model

As shown in Figure 1, the system consists of an industrial control center (ICC) and many IIoT devices (IIDs).

(1)

IID: IIDs collect IIoT data using P2P communication. An IID is selected from the aggregation area as the data aggregation and initialization node (DN) by using the PBFT algorithm. IIDs may stop reporting data from attacks or failures. They are assumed to be honest but curious.

(2)

ICC: The ICC reads the aggregated IIoT data. Assume the ICC is not trusted. The ICC is assumed to be honest but curious. The HMC is considered to be untrusted, and the SD is semitrusted.

4.2. Adversary Model

In our model, the ICC is untrusted, and the IID is honest but curious. Data collection and utilization can bring economic value to IIDs and the ICC; therefore, the IIDs in each aggregation area need to comply with the agreement. We have the following assumptions:

(1)

The ICC wants to infer the information of a single user from the collected data.

(2)

The IID does not tamper with its industrial data. Still, it is curious about the private information of others, and tries to collude with other IIDs in the aggregated area to infer the information of others.

4.3. Design Goals

(1)

Privacy protection. The scheme protects against internal and external attacks. No entity can access industrial data from a single IID.

(2)

Data security. Industrial data can be securely aggregated. Even if the ciphertext of the IIoT data aggregation collected by IIDs is intercepted, the IIoT data of a single IID cannot be recovered.

(3)

Fault tolerance. If an IID is maliciously attacked or fails to collect IIoT data, the utility of the system is significantly compromised. Even if some IIDs do not work properly, the system can still aggregate IIoT data from other IIDs.

5. The Proposed Scheme

In this section, we introduce the PPDAFL scheme. The notations are listed in

Table 1. Notations.

Symbol	Quantity
$g_0,g_1$	A generator of G
$ICC$	Industrial control center
$II{D}_{ij}$	The j-th IIoT device in the i-th aggregation area
$DN$	Data aggregation and system initialization node
$d_{ij}$	Industrial data of $S{D}_{ij}$
$X$	Aggregated industrial data
$X_i$	The i-th aggregated industrial data
$H_0,H_1$	Hash functions: $H_0, H_1:{\{0,1\}}^{*}\to G_1$
$H_2$	Hash functions: $H_2$: ${\{0,1\}}^{*}$→$Z_N^{*}$
$K$	Number of smart devices in each aggregation area
$M$	Number of aggregation areas
$R$	Data length
‖	Concatenation operation

.

5.1. Initialization

Suppose each aggregation area has $K$ $SDs$ recorded as a set, $S_g=\left\{S{D}_1,S{D}_2,\dots ,S{D}_K\right\}$. Some $IIDs$ have been attacked or are malfunctioning, and thus, they do not participate in IIoT data aggregation. Suppose there are at least L SDs on the line participating in aggregation. These $IIDs$ constitute $S_{on}\subseteq S_g$. Each round of IIoT data aggregation uses the PBFT algorithm to select an $IID$ from $S_g$ as the data aggregation and system initialization node ($DN$).

$DN$ runs the Paillier cryptosystem to generate $(q,g_0,G_1,G_2,e)$, $e:G_1\times G_1\to G_2$, and calculates key pairs $\left\{(N,g),(\lambda ,\mu )\right\}$, $g_0\in G_1$, $g_1\in Z_{N^2}^{*}$.

$DN$ chooses a sequence $\overrightarrow{b}=(b_1,b_2,\cdots ,b_M)$, where $b_i\in Z^{+}$, for $i=1,2,\cdots ,M$. Then, $DN$ calculates $(g_1,g_2,\cdots ,g_M)$, where $g_i=g^{b_i}$, for $i=1,2,\cdots ,M$.

$DN$ chooses three hash functions $H_0,H_1 \mathrm{and} H_2$, where $H_0,H_1:{\{0,1\}}^{*}\to G_1, H_2:{\{0,1\}}^{*}$$\to Z_N^{*}$.

$DN$ publishes the parameter $\left\{q,g,g_0,G_1,G_2,e,N,(g_1,g_2,\cdots ,g_L),H_0,H_1,H_2\right\}$.

5.2. Advertise Keys (Round 0)

IID:

(1)

Request the ICC to update data.

(2)

$II{D}_{ij}$ selects $s_{ij}\in Z_q^{*}$ to compute the public key $P_{ij}=s_{ij}\cdot g_0$; then, it sends $P_{ij}$ to the ICC.

ICC:

(1)

$ICC$ collects at least L messages from $II{D}_{ij}$ of the i-th aggregation area.

(2)

Set the number of IIDs to $K$ and the threshold to L when dividing each aggregation area.

(3)

Broadcast the list of received public keys to the IIDs in $S_{on}$.

5.3. Share Generation (Round 1)

IID:

(1)

Receive global parameters from the ICC. Verify that $\left|S_{on}\right|\ge L$.

(2)

$II{D}_{ij}$ generates its polynomial $F(y_j)=\alpha +p_1{y}_j+p_2{y}_j{}^2+\cdots +p_{L-1}{y}_j{}^{L-1}$, ${\gamma }_{y_j}={\displaystyle \prod }_{k\ne j}^L\frac{y_k}{y_k-y_j}$, then sends $F(y_j){\gamma }_{y_j}\parallel Ts$ to $ICC$.

ICC:

(1)

Forward the received shares to the IIDs in $S_{on}$.

5.4. Generate Ciphertext and Signature Verification (Round 2)

IID:

(1)

$II{D}_{ij}$ generates $d_{ij}$ at $Ts$, and computes $H_2(T):{\{0,1\}}^{*}\to Z_N^{*}$; next, it selects $r\in Z_N^{*}$ to generate the ciphertext:

$$C_{ij}=g_i^{d_{ij}}\cdot r^N\cdot H_2{(Ts)}^{F(y_j){\gamma }_{y_j}}\mathit{mod} N^2$$

(7)

(2)

$II{D}_{ij}$ generates the signature ${\sigma }_{ij}=s_{ij}\cdot H_1(C_{ij}\parallel P_{ij}\parallel H_1(F(y_j){\gamma }_{y_j}\parallel Ts))$.

(3)

$II{D}_{ij }$ sends $C_{ij}\parallel P_{ij}\parallel H_0(F(y_j){\gamma }_{y_j}\parallel Ts)\parallel {\sigma }_{ij}$ to $ICC$ and $DN$.

ICC:

(1)

The ICC verifies $K$ signatures after receiving $C_{ij}\parallel P_{ij}\parallel H_0(F(y_j){\gamma }_{y_j}\parallel Ts)\parallel {\sigma }_{ij}$. If $e({\sigma }_{ij},g_0)=e(H_1(C_{ij}\parallel P_{ij}\parallel H_0(F(y_j){\gamma }_{y_j}\parallel Ts)),P_{ij})$, then the validation is successful; otherwise, it fails. If it holds, the signature is valid. Next, send the signature verification results to $DN$, and $DN$ will accept $II{D}_{ij}$’s ciphertext. Otherwise, the DN will not accept the ciphertext of $II{D}_{ij}.$

(2)

To make the verification more efficient, after receiving $C_{ij}\parallel P_{ij}\parallel H_0(F(y_j){\gamma }_{y_j}\parallel T{s}_j)\parallel {\sigma }_{ij}$, obtain $\mathrm{the} ICC$ batch verification signature.

$$\begin{array}{ll}e({\displaystyle {\displaystyle \sum }_{i=1}^M}{\displaystyle {\displaystyle \sum }_{j=1}^K}{\sigma }_{ij},g_0)& =e({\displaystyle {\displaystyle \sum }_{i=1}^M}{\displaystyle {\displaystyle \sum }_{j=1}^K}{s}_{ij}\cdot H_1(C_{ij}\parallel P_{ij}\parallel H_1(F(y_j){\gamma }_{y_j}\parallel Ts)),g_0)\\ & ={\displaystyle {\displaystyle \prod }_{i=1}^M}{\displaystyle {\displaystyle \prod }_{j=1}^K}e(s_{ij}\cdot H_1(C_{ij}\parallel P_{ij}\parallel H_1(F(y_j){\gamma }_{y_j}\parallel Ts)),g_0)\\ & ={\displaystyle {\displaystyle \prod }_{i=1}^M}{\displaystyle {\displaystyle \prod }_{j=1}^K}e\left(H_1\left(C_{ij}\parallel P_{ij}\parallel H_1\left(F\left(y_j\right){\gamma }_{y_j}\parallel Ts\right)\right),s_{ij}\cdot g_0\right)\end{array}$$

(8)

(3)

Forward the batch signature verification results to $DN$.

High-level view between IID and ICC in our scheme can be seen in Figure 2.

5.5. Aggregate Ciphertext and Reconstruct Secret (Round 3)

IID:

(1)

$DN$ aggregates the ciphertext of IIDs.

$$\begin{array}{ll}C& ={\displaystyle {\displaystyle \prod }_{i=1}^M}{\displaystyle {\displaystyle \prod }_{j=1}^K}{g}_i^{d_{ij}}\cdot r^N\cdot H_2{(Ts)}^{F\left(y_j\right){\gamma }_{y_j}} \\ & ={\displaystyle {\displaystyle \prod }_{i=1}^M}{g}_i^{{\displaystyle \sum }_{j=1}^K{d}_{ij}}\cdot r^N\cdot H_2{(Ts)}^{F\left(y_j\right){\gamma }_{y_j}}{}^{ }{ \mathrm{mod} \mathrm{N}}^2\\ & =g_1^{{\displaystyle \sum }_{j=1}^K{d}_{1j}}\cdot g_2^{{\displaystyle \sum }_{j=1}^K{d}_{2j}}\cdot \cdots \cdot g_M^{{\displaystyle \sum }_{j=1}^K{d}_{Mj}}\cdot r^N\cdot H_2{(Ts)}^0{ \mathrm{mod} \mathrm{N}}^2\\ & =g^{b_1{\displaystyle \sum }_{j=1}^K{d}_{1j}+b_2{\displaystyle \sum }_{j=1}^K{d}_{2j}+\cdots +b_M{\displaystyle \sum }_{j=1}^K{d}_{Mj}}\cdot r^N{ \mathrm{mod} \mathrm{N}}^2 \end{array}$$

(9)

(2)

$DN$ sends $C$ to $ICC$.

ICC:

(1)

After the signatures are verified,$ICC$ chooses L shares of $F\left(y_j\right){\gamma }_{y_{j }}$ from the received $K$ shares of $F\left(y_j\right){\gamma }_{y_j}$ to reconstruct the secret.

$$\begin{gathered} \beta =F\left(0\right)={{\displaystyle \sum }}_{j=1}^{L}F\left(y_j\right){\gamma }_{y_j}. \\ \mathrm{Let} \beta =0; \mathrm{thus}, {{\displaystyle \sum }}_{j=1}^{L}F\left(y_j\right){\gamma }_{y_j}=0. \end{gathered}$$

5.6. Ciphertext Decryption (Round 4)

Firstly, $ICC$ uses (λ, μ) to decrypt the aggregated data from the IIoT.

$$\begin{array}{ll}X=Dec\left(C\right)& =\frac{L\left(g^{\left(b_1{{\displaystyle \sum }}_{j=1}^K{d}_{1j}+b_2{{\displaystyle \sum }}_{j=1}^K{d}_{2j}+\cdots +b_M{{\displaystyle \sum }}_{j=1}^K{d}_{Mj}\right)\lambda }{\mathrm{mod} \mathrm{N}}^2{}^{ }\right)}{L\left(g^{\lambda }{ \mathrm{mod} \mathrm{N}}^2{}^{ }\right)}\mathrm{mod} \mathrm{N}\\ & =b_1{\displaystyle {\displaystyle \sum }_{j=1}^K}{d}_{1j}+b_2{\displaystyle {\displaystyle \sum }_{j=1}^K}{d}_{2j}+\cdots +b_M{\displaystyle {\displaystyle \sum }_{j=1}^K}{d}_{Mj}\end{array}$$

(10)

Finally, by using Algorithm 1, $DN$ can recover the total power consumption data of each aggregation area $\left(X_1,X_2,\cdots ,X_L\right)$, where $X_i={{\displaystyle \sum }}_{j=1}^K{d}_{ij}$ represents the data aggregation value for the i-th aggregation area.

Algorithm 1. Recover aggregated reports for each aggregation area.

1. procedure Input:$\overrightarrow{ b}=\left(b_1,b_2,\cdots ,b_M\right)$ and $X$ Input: $\left(X_1,X_2,\cdots ,X_M\right)$

2. Set $D_M=X$

3. for $w=M \mathrm{to} 2 \mathrm{do}$

4.   $D_{w-1}=D_w \mathrm{mod} b_w$

5.   $X_w=\frac{D_w-D_{w-1}}{b_w}={{\displaystyle \sum }}_{j=1}^w{d}_{wj}$

6. end for

7.   $X_1=D_1={{\displaystyle \sum }}_{j=1}^w{d}_{1j}$

8. return $\left(X_1,X_2,\cdots ,X_M\right)$

9. end procedure

6. Security Analysis

The schemes of [14,15,16,17] were compared with the security of our scheme, as shown in

Table 2. Comparison of features between PPDAFL and other related schemes.

Features	[14]	[15]	[16]	[17]	PPDAFL
Privacy preservation	√	√	√	√	√
Fault tolerance	×	√	√	√	√
Dropout	√	√	√	√	√
Round efficiency	√	×	√	√	√
No expensive operations	×	√	√	√	√
No trusted entity	×	×	√	×	√
Resist reverse attacks	×	×	√	√	√
Resilience against reply attacks	×	×	×	×	√
Defense against collusion attacks	×	×	√	√	√

.

6.1. Privacy Preservation

Attackers are divided into internal attackers and external attackers. The internal attacker is $IIDs$ or $ICC$ of the aggregation area, and the external attacker is an entity outside the aggregation area.

Resist internal attacks.$II{D}_{ik}$ ($k\ne j$) could not successfully extract $d_{ij}$ from $C_{ij}$, because it does not know $H_0{(Ts)}^{E\left(y_j\right){\gamma }_{y_j}}$. Even if the malicious IIoT users obtained $H_0{(Ts)}^{E\left(y_j\right){\gamma }_{y_j}}$ of $II{D}_{ij}$, they still could not obtain the plaintext of $II{D}_{ij}$ because $\lambda$ is not known. The ICC does not know $H_2{(Ts)}^{E\left(y_j\right){\gamma }_{y_j}}$ of $II{D}_{ij}$ and cannot derive the data of $S{D}_{ij}$. The ICC can obtain the aggregated data of $IIDs$. Therefore, the PPDAFL scheme can defend against internal attacks.

Defend against external attacks. When an external attacker invades $II{D}_{ij}$, the ciphertext $C_{ij}=g_i^{d_{ij}}\times r^N\times H_2{(Ts)}^{F\left(y_j\right){\gamma }_{y_j}}\mathit{mod} N^2$ of $II{D}_{ij}$ can be obtained. Since the attacker does not know the shared keys of $L-1$ $IIDs$ and $\lambda$, the attacker cannot obtain the plaintext of $II{D}_{ij}$. Therefore, the PPDAFL scheme can resist external attacks.

6.2. Data Integrity

The PPDAFL scheme adopts BLS to sign for the aggregate data and private data of the IIDs.

For the message $C_{ij}\parallel P_{ij}\parallel H_0\left(F\left(y_j\right){\gamma }_{y_j}\right)\parallel Ts\parallel {\sigma }_{ij}$ sent by $II{D}_{ij}$, the ICC first checks $P_j \mathrm{and} H_1\left(T{s}_j\parallel E\left(y_j\right){\gamma }_{y_j}\right)$, and then verifies the integrity of the message by checking whether $e\left({{\displaystyle \sum }}_{i=1}^M{{\displaystyle \sum }}_{j=1}^K{\sigma }_{ij},g_0\right)={{\displaystyle \prod }}_{i=1}^M{{\displaystyle \prod }}_{j=1}^{K}e\left(H_1\left(C_{ij}\parallel P_{ij}\parallel H_1\left(F\left(y_j\right){\gamma }_{y_j}\parallel Ts\right)\right),s_{ij}\cdot g_0\right) \mathrm{is}$ established. The individual elements of the $II{D}_{ij}$ verification message involve batch validation, and any operation will result in unequal validation. Therefore, the scheme ensures the integrity of $II{D}_{ij}$ data.

6.3. Fault Tolerance

If $II{D}_{ij}$ fails or is under attack, it cannot send IIoT data to $DN$ since $DN$ only knows which group an $IID$ belongs to in the aggregation region. The ICC uses $H_1\left(F\left(y_j\right){\gamma }_{y_j}\parallel Ts\right)$ to find $II{D}_{ij}$ while masking its identity.

$ICC$ compares the hash table constituted by $H_1\left(F\left(y_j\right){\gamma }_{y_j}\parallel Ts\right)$ with other complete groups to find $II{D}_{ij}$. Then, it selects an $IID$ from $H_1\left(F\left(y_j\right){\gamma }_{y_j}\parallel Ts\right)$ to replace $II{D}_{i{j}^{\prime }}$. Therefore, $II{D}_{ij}$ does not consider the data of $II{D}_{ij}$. $ICC$ chooses L shares of $F\left(y_j\right){\gamma }_{y_j}$ from the received $K-1$ shares of $F\left(y_j\right){\gamma }_{y_j}$ to reconstruct the secret.

Let us assume $II{D}_{i{j}^{\prime }}$ ($1\le j^{\prime }\le K$) has failed to transmit $d_{j^{\prime }}$ to $SN$; then, $SN$ aggregates the ciphertext.

$$\begin{array}{ll}C& ={\displaystyle {\displaystyle \prod }_{i=1}^M}{\displaystyle {\displaystyle \prod }_{j=1,j\ne j^{\prime }}^K}{g}_i^{d_{ij}}\cdot r^N\cdot H_2{(Ts)}^{F\left(y_j\right){\gamma }_{y_j}}\\ & ={\displaystyle {\displaystyle \prod }_{i=1}^M}{g}_i^{{{\displaystyle \sum }}_{j=1,j\ne j^{\prime }}^K{d}_{ij}}\cdot r^N\cdot H_2{(Ts)}^{F\left(y_j\right){\gamma }_{y_j}}{}^{ }{ \mathrm{mod} \mathrm{N}}^2\\ & =g^{b_1{{\displaystyle \sum }}_{j=1}^M{d}_{1j}+\cdots +b_i{{\displaystyle \sum }}_{j=1,j\ne j^{\prime }}^M{d}_{i{j}^{\prime }}+\cdots +b_K{{\displaystyle \sum }}_{j=1}^M{d}_{Kj}}\cdot r^N{ \mathrm{mod} \mathrm{N}}^2\\ & =g^{b_1{{\displaystyle \sum }}_{j=1}^M{d}_{1j}+b_2{{\displaystyle \sum }}_{j=1}^M{d}_{2j}+\cdots +b_K{{\displaystyle \sum }}_{j=1}^M{d}_{Kj}}\cdot r^N{ \mathrm{mod} \mathrm{N}}^2\end{array}$$

(11)

$ICC$ uses the private key $\left(\lambda ,\mu \right)$ to decrypt $C$.

$$Dec\left(C\right)=b_1{{\displaystyle \sum }}_{j=1}^M{d}_{1j}+b_2{{\displaystyle \sum }}_{j=1}^M{d}_{2j}+\cdots +b_K{{\displaystyle \sum }}_{j=1}^M{d}_{Kj }$$

(12)

$ICC$ obtains the aggregated data $X$ of all IIDs except $II{D}_{i{j}^{\prime }}$. As a result, it is obvious that $ICC$ can obtain the right aggregation results. Therefore, the PPDAFL scheme implements fault tolerance.

7. Performance Evaluation

7.1. Computation Complexity

Table 3. Computational expense comparison.

Algorithm	[16]	[17]	PPDAFL
Key generation	$2KM$	$2KM$	$KM$
Secret sharing	$KM$	$3KM$	$KM$
Encryption	$KM$	$KM$	$KM$
Signature generation	$KM$	$KM$	$KM$
Signature verification	$KM$	$KM$	$M$
Key agreement	$2KM$	$0$	$0$
Secret reconstruction	$M$	$KM$	$M$
Decryption	$M$	$M$	$M$

lists the comparisons of the execution time of the schemes from [16,17] and the PPDAFL scheme.

According to Table 3, the PPDAFL scheme take less time to calculate than the schemes of [16,17]. In the PPDAFL scheme, due to the use of batch verification, the signature verification is only 1/$K$ of the scheme from [16] or [17]. Since the schemes from [16,17] generate N pairs of keys, the cost of PPDAFL is half of that of the scheme from [16] or [17]. The number of key agreements for PPDAFL is 0, whereas that of the scheme from [16] or [17] is $2KM$ times greater. The number of secret sharing for the PPDAFL scheme is equal to $KM \mathrm{times}$, and that of the scheme from [16] is equal to $3KM$ times.

As shown in Figure 3, the calculation overhead of the scheme from [17] is the highest, whereas that of the PPDAFL scheme is the lowest. With the increase in the number of smart devices in each aggregation area and the number of aggregation areas, the advantages of the PPDAFL scheme are more obvious.

7.2. Communication Overhead

Since the data received by $ICC$ is the same as that sent by $SDs$, and the data obtained by $SDs$ is the same as that sent by $ICC$, only the transmission communication cost of $SDs$ and $ICC$ is considered. Without losing the generality, the comparisons in

Table 4. Communication overhead comparison.

Round	[16]		[17]		PPDAFL
	IID (User)	ICC (Server)	IID (User)	ICC (Server)	IID (User)	ICC (Server)
0	$2R$	$0$	$2R$	$0$	$R$	$0$
1	$\left(K-1\right)R$	3$KR$	$KR$	3$KR$	$R$	$KR$
2	$R$	$\left(K-1\right)R$	$3R$	$KR$	$KR$	$R$
3	$R$	$0$	$KR$	$R$	$KR$	$R$
4	$R$	$\left(K-1\right)R$	$KR$	$R$	$R$	$0$

and Figure 4, Figure 5 and Figure 6 consider only one of $\mathrm{the} M$ aggregation regions.

Table 4 lists the communication costs for the PPDAFL scheme, the scheme of [16], and the scheme of [17]. The cost of each round of communication for the PPDAFL scheme is compared to the EPPDA scheme in Table 4.

In Table 4, the communication cost of PPDAFL is less than that of the schemes from [16,17], especially in Round 1. Compared with the schemes from [16,17], PPDAFL schemes have a lower latency and higher practicability.

$K$ represents the number of IIDs in each aggregation area, and $R$ indicates the data length. As shown in Figure 4, the communication overhead of the scheme from [17] is the highest, whereas that of the PPDAFL scheme is the lowest.

Figure 5 shows the communication comparison between PPDAFL and the schemes from [16,17] at $R$= 256 bits. Figure 6 shows the comparison of the communication costs between PPDAFL and the schemes of [16,17] when $K$= 200. As shown in Figure 5 and Figure 6, PPDAFL has a higher communication efficiency than the schemes of [16,17]. As the number of IIDs or the length of the data increases, PPDAFL saves more communication overhead.

8. Conclusions

A multidimensional data aggregation scheme for privacy protection in the IIoT based on federated learning is proposed. In each round of data aggregation, the PBFT consensus algorithm selects an IID as the aggregation and initialization node. In federated learning, data aggregation is used to protect the model changes of a single user and resist reverse analysis attacks from the industrial management center. Our design does not require any trusted entity. The analyses are presented to prove that the proposed scheme meets all the design goals. Our scheme has low computation and communication overheads. Through performance simulation and security analysis, it is proved that our scheme meets the objectives of privacy protection, data integrity, and fault tolerance. In the future, we will focus on the combination of FL, blockchain, and the Stackelberg game to explore balancing privacy and efficiency.