ML Security PapersVerifBFL: Leveraging zk-SNARKs for A Verifiable Blockchained Federated Learning
Ahmed Ayoub Bellachia 1,2, Mouhamed Amine Bouchiha 1, Yacine Ghamri-Doudane 1, Mourad Rabah 1
Published on arXiv
2501.04319
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
Achieves end-to-end verifiable federated learning with training proof generation under 81s, aggregation proof under 2s, and on-chain verification under 0.6s
VerifBFL
Novel technique introduced
Blockchain-based Federated Learning (FL) is an emerging decentralized machine learning paradigm that enables model training without relying on a central server. Although some BFL frameworks are considered privacy-preserving, they are still vulnerable to various attacks, including inference and model poisoning. Additionally, most of these solutions employ strong trust assumptions among all participating entities or introduce incentive mechanisms to encourage collaboration, making them susceptible to multiple security flaws. This work presents VerifBFL, a trustless, privacy-preserving, and verifiable federated learning framework that integrates blockchain technology and cryptographic protocols. By employing zero-knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARKs) and incrementally verifiable computation (IVC), VerifBFL ensures the verifiability of both local training and aggregation processes. The proofs of training and aggregation are verified on-chain, guaranteeing the integrity and auditability of each participant's contributions. To protect training data from inference attacks, VerifBFL leverages differential privacy. Finally, to demonstrate the efficiency of the proposed protocols, we built a proof of concept using emerging tools. The results show that generating proofs for local training and aggregation in VerifBFL takes less than 81s and 2s, respectively, while verifying them on-chain takes less than 0.6s.
Key Contributions
- First use of recursive zk-SNARK proofs (Nova IVC) for end-to-end verifiability of both local FL training and global aggregation, preventing free-riding and falsified updates
- On-chain verification of training and aggregation proofs without a trusted central aggregator, ensuring accountability and auditability of participant contributions
- Integration of differential privacy to protect local training data from inference attacks, demonstrated via proof-of-concept with practical performance (<81s training proof, <2s aggregation proof, <0.6s on-chain verification)
🛡️ Threat Analysis
Primary contribution defends against malicious FL participants submitting falsified model updates (free-riding, poisoning) — uses zk-SNARK proofs to cryptographically verify honest local training and aggregation, constituting a Byzantine-fault-tolerant FL protocol per ML02 definition. The DP component also addresses inference attacks on shared gradients, but the poisoning defense via verifiable computation is the novel contribution.