Privacy concern is one of the main problems in collaborative training. Although some collaborative training allows collaborative participants to only share model updates rather than raw training data, such as federated learning. There are still some privacy problems that are not completely solved [12–14]. Attackers may infer whether a sample exists in the training dataset or contain certain privacy attributes from the user gradient, called member inference attacks [15] and attribute inference attacks [16].

Secure aggregation [17] is a cryptography-based privacy-preserving method that prevents aggregators from gaining direct access to individual participants’ gradients and committing privacy attacks. Homomorphic encryption is a common security aggregation algorithm that allows users to operate on ciphertext and decrypt the results of operations, where the decryption result is the same as for operating on plaintext. Participants can first encrypt the gradient via homomorphic encryption. The parameter aggregator then aggregates all encrypted gradients and decrypts the aggregated result, thereby indirectly obtaining a global model update contributed by the participants. The existing homomorphic encryption methods are mainly based on full-homomorphic encryption [18] and semi-homomorphic encryption [19].

Fully homomorphic encryption is mainly based on ideal lattices theory [20]. It relies on a large number of polynomial-based power operations and modulo operations, which greatly increases the consumption of implementation. It is still difficult to apply directly in the existing work.

Paillier encryption [19] is a representative work of semi-homomorphism that is widely used because of its simple structure. Phong et al. [21] proposed the method combining asynchronous stochastic gradient descent and Paillier homomorphic encryption. They proved that the system could prevent the aggregator from learning the data privacy of the participants, and ensure the availability of the model training with the acceptable system overhead. Zhou et al. [22] applied a homomorphic encryption scheme to fog computing. They proposed a scheme that combines Paillier encryption and blindness technology, which can resist collusion attacks by multiple malicious entities.

In order to improve the efficiency of the homomorphic encryption system, Zhang et al. [23] proposed a federated learning model called BatchCrypt. They encoded batches of gradients and perform homomorphic encryption with less time, which greatly reduces the overhead of the whole system. LWE has more extensive applicability because of its full-homomorphism. Hao et al. [24] utilized and improved the BGV algorithm based on LWE, which achieves the secure aggregation of gradients to prevent privacy disclosure. It makes the scheme based on homomorphic encryption practical.

The above works complete the data privacy protection for the participants and make the system feasible, but another potential problem has appeared: it is difficult for the aggregator to determine whether a problem exists due to the semantic invisibility of the encrypted data.

Semantic invisibility of encrypted data presents numerous challenges, including transmission errors, malicious tampering by intermediaries, and the exclusion of some user-generated gradients by dishonest aggregators.

The correctness audit of the transmission gradient becomes very difficult in the encrypted state. Weng et al. [9] provided an audit mechanism based on ∑-protocol [25] which generates proofs of correctness for each gradient. Guo et al. [26] proposed a Paillier-based zero-knowledge proof algorithm. The server and users can jointly calculate the statement of encrypted gradients to prove the correctness of gradients.

To ensure that the gradients provided by each participant are indeed aggregated correctly, Xu et al. [27] use a homomorphic hash technique combined with pseudorandom function to help users verify the correctness of aggregation. To extend the applicability of the algorithm, Guo et al. [28] proposed a commitment scheme based on linearly homomorphic hash to verify the integrity of aggregation. Before sending gradient to the server, the users need to generate and exchange the hash value of their gradient. The users can verify whether the gradient is tampered with by checking hash values.

Despite the foregoing, there is a serious problem that has not been addressed. Encrypted data may be accessed by multiple users as public data. Malicious users can forward them to other collaborative tasks with the same purpose for improper profit. There are even cases where multiple users claim ownership of ciphertext in the same task. This will undermine the willingness of honest users to engage in collaborative training and thus lead to a shortage of training data for social applications. In this paper, we propose an ownership verification mechanism based on the Patterson commitment that can prove that the user owns the plaintext of the data without providing the plaintext.

Σ-protocol [25] is a two-party interaction protocol in zero-knowledge proof field. It is used to prove that someone knows a secret without disclosing it. There are many classic examples such as Schnorr’s protocol [29], which is used for authentication.

Consider a binary relation R and an element ( x , y ) ∈ R , and we have f ( x ) = y , where x is called the pre-image of y under a mapping f . In Σ-protocol, we think of x as a witness and y as the corresponding instance for x , where x and y are finite values.

Suppose that there are two parties, one of which is prover, and the other is verifier. Without exposing x , the prover wants to prove to the verifier that he knows the pre-image value x of y under the mapping f . As shown in Figure 1, they need to follow Σ-protocol with the steps below:

Step 1: Prover computes a commitment c with the value of, and sends it to verifier.

Step 2: Verifier returns a random value e called challenge to prover.

Step 3: Prover sends a response z to verifier. It is computed with x and e .

Step 4: Verifier uses instance y and the message ( c ,   e ,   z ) generated in previous steps to compute the verification result.

Since the challenge e is randomly selected, if the prover does not know the witness x, he cannot use challenge e to compute a correct response z in Step 3. When the verification passes, the verifier is convinced that the prover knows the witness x . The witness in our ownership verification mechanism can be a secret gradient used for social computing. A user can prove that it knows the secret gradient x corresponding to the commitment c

Pedersen commitment [30] is a homomorphic commitment scheme, in which one computes a commitment bound to a chosen value. Pedersen commitment scheme can be used to prove that a committed value is not tampered with. According to its homomorphism, it is usually used to prove that the secret committed data satisfies certain binding relationships. The scheme consists of a commitment phase and a verification phase. In the beginning, A trusted third party selects a multiplicative group G with the order of large prime q , then selects two prime elements g and h of group G , where no one knows the value x to make g = x ∗ h . After the committer and verifier agree on two elements g and h , they follow the process as follows:

Commitment: To commit to secret value v , the committer chooses a random value r , computes commitment comm ( v , r ) = v ∗ g + r ∗ h and sends it to verifier.

Verification: Committer sends ( v , r ) to verifier. Verifier use ( v , r ) to computes c o m m ′ ( v , r ) = v ∗ g + r ∗ h and checks whether it is equal to c o m m ( v , r ) . If the verification passed, it means that v is not tampered with.

Pedersen commitment scheme is designed that the sum of two commitments can also be seen as a commitment. It can be represented by c o m m ( v 3 , r 3 ) = c o m ( v 1 , r 1 ) + c o m ( v 2 , r 2 ) , where v 3 = v 1 + v 2 , r 3 = r 1 + r 2 . It seems like someone use a random value r 3 to commit to v 3 .

Pedersen commitment scheme has the following properties: 1) Perfectly hiding: the r in the commitment computation is randomly chosen, so two commitments to one value will be different. No one can find a correlation between commitment and committed value. 2) Computationally binding: the commitments on different messages are different, which means that the malicious party cannot deny the value he committed. A more detailed introduction and proof can be seen in [30].

Different from Σ-protocol, the committed value in Pedersen commitment scheme needs to be revealed in the verification phase. It cannot be directly used to prove that the single encrypted gradient is not tampered with. In our scheme, we use the homomorphism of Pedersen commitment scheme to check whether the aggregated commitment is correctly corresponding to the aggregated gradient, further confirming the binding relationship between the commitment and encrypted gradient.

As we attempt to solve the problem of data silos in social computing through cooperative training, privacy protection and data ownership have become unavoidable difficulties. Cryptography-based secure aggregation methods can be a good solution to keep private information from being accessed by unauthorized users, but they also make it more difficult to verify data ownership. Two main roles are included in the current collaborative training:

Model Aggregator is a service provider that publishes the request for data training. It asks multiple users to provide trained gradients to conduct social computing.

Data Owners are users who have datasets and are willing to participate in collaborative training. They submit the trained models or gradients to the model aggregator for model updating.

Once we use a cryptography-based secure aggregation algorithm that prevents model aggregators from obtaining plaintext data from a single data owner. It is difficult to distinguish whether the user who submits encrypted data is its real owner or not. As shown in Figure 2, attackers can download encrypted data from elsewhere or historically, and then participate in the current cooperative training for improper profit, which we call encrypted forwarding attacks. In addition, we present several threat scenarios for encrypted forwarding attacks.

Threat 1. Attackers can only obtain encrypted data and claim ownership of the encrypted data. Malicious users access encrypted data through public channels, such as the available audit information or publicly accessible blocks on the blockchain. The encrypted data is being downloaded by attackers and forwarded to similar tasks for unfair gain.

Threat 2. Attackers can obtain encrypted data as well as its verification information. As an intermediate forwarder, a malicious user receives not only the encrypted data but also the previous verification information. By masquerading as a data owner and participating in social computing, traditional mechanisms of ownership verification may be bypassed.

Security Goal: To prevent encrypted forwarding attacks by malicious attackers, we need an ownership verification mechanism for encrypted data. For privacy reasons, it can conclusively confirm ownership of data without directly obtaining the plaintext of user’s data. In addition, verification information must be real-time to prevent falsification by forwarding historical verification information.

We suppose that there exist many users who possess private training data in a community. They all agree on the structure and configuration of a common task model. When a user wants to update its model, it claims to be a model aggregator and requests collaborative training from other users. Other data owners will respond to the model aggregator. We denote the model aggregator as a g and data owners as o w i , i ∈ { 1 , ⋯ , N }

The aggregator a g then collects gradients from these data owners to update its task model. The process of gradient collecting is shown in Figure 3.

Initialization: After the aggregator and data owners form a group together, a trusted institution will execute the initialization process. Concretely, it confirms the scale of the group and initializes the ( l , N ) threshold Paillier algorithm, where N is the number of data owners and l ∈ { N 3 + 1 ,   ... ,   N } is the least number of data owners together to decrypt a cipher. The concrete process is shown in Algorithm 1.

The trusted institution publishes the public key P K = ( g ¯ , n , θ ) . It also distributes shares of private key S K i and verification key V K i to each data owner o w i , respectively.

Encoding of gradient: The homomorphism of Paillier algorithm can be represented as ∏ i E n c ( m i ) = Enc ( ∑ i m i ) , where E n c ( ) denotes the encryption. The aggregator a g can aggregate encrypted gradients E n c ( m i ) and decrypt it to obtain aggregated gradient ∑ i m i . Suppose that a data owner o w i has the gradient g i = ( g i 1 , ⋯ , g i j , ⋯ , g i n ) to upload. Each element g i j represents the gradient of the j − t h component of the model. First of all, each data owner o w i encodes the gradient. They divide each element g i j into several vectors g i j ( k ) and encode them into a specific format which can be encrypted by Paillier algorithm. The data owner o w i encrypts the gradient by encrypting each vector g i j ( k ) . To explain the encryption of gradients briefly, we use m i to represent the gradient encrypted by Paillier algorithm.

Encryption and aggregation: We assume that there is a group composed of k data owners. Given the public parameter P K = ( g ¯ , n , θ ) and threshold l , each data owner o w i encrypts its gradient g i by computing c i = g ¯ m i t i n mod n 2 , where t i is a random element chosen from Z n ∗ . Then they together upload the cipher c i to the aggregator a g . The aggregator a g will aggregate all the encrypted gradient c i by computing c = ∏ i = 1 k c i and return the aggregation result c to each data owner o w i to request the decryption. To ensure that the aggregator a g correctly aggregates all the encrypted gradient c i , we introduce the commitment scheme in [28].

Decryption and update: In the decryption phase, each data owner o w i provides his decryption share d i = c 2 Δ s i mod n 2 , where s i is its share of the private key. In addition, each data owner o w i will also publish the proof s i = log v Δ V K i = log c 4 Δ ( d i ) 2 . If at least l data owners are verified to provide correct decryption shares, the aggregator a g can obtain the decryption result by computing m = L ( ∏ i ∈ S d i 2 u i mod n 2 ) × 1 4 Δ 2 θ mod n , where u i = Δ × λ 0 , i S ∈ Z , λ x , i S = ∏ i ' ∈ S \ { i } x − i ' i − i ' and L ( u ) = u − 1 N . The proof of correctness can be seen in [32]. To request data owners to join in the decryption process, the aggregator a g should pay for the gradients to them. According to the addictive homomorphism of Paillier algorithm, the decryption result m is equal to ∑ i = 1 k m i . The aggregator a g will use it to update the task model.

In the collaborative training based on homomorphic encryption such as Paillier encryption, the aggregator is set to obtain only the decrypted aggregation result but not any gradient from individual data owner. Only in this way, the privacy in gradients will not be directly obtained by the aggregator. If a malicious user obtains an encrypted gradient, he may forward the encrypted gradient to another aggregator to profit. To solve the forwarding problem, the aggregator is required to verify the ownership of each received encrypted gradient.

The verification mechanism is based on Σ-protocol and Pedersen commitment scheme. As for Pedersen commitment scheme, a trusted institution is required to select two prime elements g , h ∈ G , where G is a cyclic group and log g h is unknown to others. The process of verification is shown in Algorithm 2:

Commitment submission: After data owner o w i has uploaded the encrypted gradient c i to the aggregator a g , it computes a commitment c o m m ( r i , m i ) : = C i = g r i h m i , where r i is a random value and m i is the gradient. Then it submits ( C i , r i ) to the aggregator a g .

Commitment verification: The aggregator a g will compute the aggregated gradient c = ∏ i = 1 k c i and the aggregated commitments C = ∏ i = 1 k C i , r = ∑ i = 1 k r i . Then it sends a random challenge value e back to each data owner. Each d a t a owner o w i needs to use the challenge value e to compute a response R i = g k i h l i , u i = k i + e r i mod p , v i = l i + e m i mod p . Then each data owner submits ( R i , u i , v i ) to the aggregator a g . After that, the aggregator a g aggregates all ( R i , u i , v i ) to obtain ( R , u , v ) by computing R = ∏ i = 1 k R i , u = ∑ i = 1 k u i , v = ∑ i = 1 k v i . Then it verifies whether g u h v = R C e holds. If it passes, it means that each data owner o w i proves it knows the secret value m i bound to the commitments C i .

Ownership verification: To verify the committed value is the correct gradient, the aggregator a g requests owners to decrypt the gradient c = ∏ i = 1 k c i , and obtains the aggregated gradient m = ∑ i = 1 k m i . Then he checks whether C = g r h m . If it passes, it means that the secret value m i is indeed the gradient corresponding to cipher c i . The aggregator a g confirms that each data owner owns the plaintext of his gradient.

In our scheme, the aggregator can reduce the consumption of verification through checking the aggregated commitments. If the verification failed, it means that some data owners cannot provide the correct plaintext of their gradients. The aggregation of gradients and commitments will be rescheduled. Concretely, the aggregator can divide the group into several subgroups, then repeat the gradient aggregation and commitment verification. The malicious data owner will be identified through a series of verifications.

In order to maintain the correctness of gradient and prevent it from being obtained directly by others, we use the addictive threshold Paillier homomorphic encryption algorithm. Firstly, we discuss the feasibility of the threshold Paillier encryption algorithm for gradient protection in our scheme.

Lemma 1: ε g ( x , y ) → g x ∗ y n mod n 2 is bijective when the order of g is a non-zero multiple of n , and it is also a homomorphic mapping that ε g ( x 1 , y 1 ) ∗ ε g ( x 2 , y 2 ) = ε g ( x 1 + x 2 , y 1 + y 2 ) .

Lemma 2: A number x is said to be an nth residue modulo n 2 if there exists a number y ∈ Z n 2 * such that z = y n mod n 2 , and it is hard to find the value of z .

The proof of Lemma 1 and Lemma 2 can be seen in [19]. Lemma 1 indicates that the aggregated ciphertext of gradient can be decrypted to the aggregated gradient. The aggregator is able to acquire aggregated gradient without knowing individual gradients. From Lemma 2, we can conclude that the ciphertext of gradient is hard to be cracked.

Each data owner in our threshold Paillier algorithm has the ability to decrypt a cipher only in groups, so whenever a data owner obtains an individual encrypted gradient, he can’t decrypt it unless others collude with him. The individual gradient can be well protected in our encryption scheme.

The Σ-protocol can make one prove that he knows the secret without revealing it. Specifically, a prover can state a commitment and prove that he knows the secret in the commitment. In the process of our protocol, the data owner o w i states C i : = g r i h m i , and then generates two random values ( k i , l i ) to hide the information in ( R i ,   u i , v i ) to prevent gradient m i from being exposed to others.

Lemma 3: Only when the generated random values k i and l i are different, no one can recover the secret value from the ( R i ,   u i , v i ) , that is, a commitment will not disclose any information about the committed value.

The concrete proofs can be seen in [33]. As long as the data owner ensures that the random values k i and l i are different, we can think that the gradient is protected in the commitment according to Lemma 3.

Lemma 4: Two commitments for two different messages are different, otherwise the relationship between g and h can be calculated, which is not in line with the discrete logarithm hypothesis.

According to Lemma 4, we know each commitment is corresponding to a unique gradient. If a data owner submits a commitment, it means that it states the ownership of a gradient. We suppose that there exists a user who forwards another data owner’s encrypted gradient. As we stated in Threat Models, we consider two kinds of treat model.

If an attacker only obtains encrypted gradient, it needs to state a commitment. Consider that it does not know the plaintext of gradient g i , it may commit to a secret fake gradient g f a k e and upload the commitment C f a k e . In the following steps, it needs to respond to the challenge e , which proves the binding relationship between fake gradient g f a k e and commitment C f a k e . In other words, if the verification passes, the aggregator can think that the user has committed to the plaintext of gradient, which can be denoted as g i . After that, the aggregator uses the decryption result to check whether the committed g f a k e is equal to the gradient g i . If not, the user’s malicious behavior of forwarding will be discovered.

If an attacker obtains encrypted data as well as its historical verification information, it needs to respond to the dynamic challenge e in the verification process. Due to it even does not know the committed value in commitments, the verification will fail. In other words, the historical verification information is not reusable for an attacker.

Despite each data owner may obtain encrypted gradient from the aggregator in the decryption phase, the forwarding attack still does not work because of our commitment scheme.