Lingchen Zhao,Qian Wang,Qin Zou,Yan Zhang,Yanjiao Chen

DOI: https://doi.org/10.1109/tifs.2019.2939713

2018-01-01

Abstract:With powerful parallel computing GPUs and massive user data, neural-network-based deep learning can well exert its strong power in problem modeling and solving, and has archived great success in many applications such as image classification, speech recognition and machine translation etc. While deep learning has been increasingly popular, the problem of privacy leakage becomes more and more urgent. Given the fact that the training data may contain highly sensitive information, e.g., personal medical records, directly sharing them among the users (i.e., participants) or centrally storing them in one single location may pose a considerable threat to user privacy. In this paper, we present a practical privacy-preserving collaborative deep learning system that allows users to cooperatively build a collective deep learning model with data of all participants, without direct data sharing and central data storage. In our system, each participant trains a local model with their own data and only shares model parameters with the others. To further avoid potential privacy leakage from sharing model parameters, we use functional mechanism to perturb the objective function of the neural network in the training process to achieve $\epsilon $ -differential privacy. In particular, for the first time, we consider the existence of unreliable participants , i.e., the participants with low-quality data, and propose a solution to reduce the impact of these participants while protecting their privacy. We evaluate the performance of our system on two well-known real-world datasets for regression and classification tasks. The results demonstrate that the proposed system is robust against unreliable participants, and achieves high accuracy close to the model trained in a traditional centralized manner while ensuring rigorous privacy protection.

Jinyu Liu,Ziyang Wang,Qing Yang,Sissi Xiaoxiao Wu

DOI: https://doi.org/10.1109/wocc55104.2022.9880591

2022-01-01

Abstract:We focus on the security issues of decentralized federated learning systems for the core requirements of secure environments and trusted computing for applications such as medical big data, distributed cognitive learning, and autonomous driving. We propose a three-layer security assurance model that aims to ensure secure trusted computing in decentralized networks. Therein, the first-layer security model realizes the authentication of trusted users through blockchain technology to ensure the safe access of legitimate users to the greatest extent; the second-layer security model utilizes the trusted execution environment (TEE) technology to realize the privacy protection and trusted computing of each local user; the last layer of security model adopts a set of detection and location algorithms for defending the internal attackers, in case the first two layers of models fail. Our experimental results show that the proposed three-layer security model can effectively defend against external and internal attacks in the network, thereby promoting secure and trusted computing in distributed federated learning networks.

Ziwen Cheng,Yi Liu,Chao Wu,Yongqi Pan,Liushun Zhao,Xin Deng,Cheng Zhu

DOI: https://doi.org/10.1016/j.future.2024.06.035

IF: 7.307

2024-01-01

Future Generation Computer Systems

Abstract:Blockchain-based Federated Learning (BCFL) is gaining significant attention as a promising decentralized data sharing technology with privacy protection. Most existing BCFL frameworks loosely couple blockchain and Federated Learning (FL). FL transforms data sharing into model sharing, while blockchain decentralizes the model aggregation and handles security verification. However, this simplistic overlay of the two technologies often involves third-party blockchain peers, leading to inefficient workflows and potential privacy attacks from malicious blockchain peers. Some studies have proposed differential privacy with noise addition to prevent privacy attacks, yet most do not allow clients to customize privacy budgets, impacting data availability and limiting BCFL’s application in data sharing. To address these challenges, we first introduce a novel tightly-coupled BCFL framework that integrates training and mining at the client side. Under this framework, a totally decentralized data sharing process is established. Moreover, a Personalised Differential Privacy (PDP) mechanism is devised, enabling clients to add Laplace noise to model gradients based on custom privacy budgets. To achieve optimal privacy budgets, a privacy optimization mechanism based on Stackelberg games is proposed. It establishes utility functions for data requesters and providers, models the process of utility optimization as a Stackelberg game process, and obtains the optimal privacy budget while maximizing utility for all participants. This facilitates flexible and on-demand privacy-protected data sharing. Extensive experiments validate the effectiveness of our approach in enhancing system efficiency and facilitating flexible on-demand privacy-protected data sharing, further solidifying BCFL’s potential in decentralized data sharing scenarios.

Xiangyun Tang,Liehuang Zhu,Meng Shen,Jialiang Peng,Jiawen Kang,Dusit Niyato,Ahmed A. Abd El-Latif

DOI: https://doi.org/10.1109/mwc.003.2100598

IF: 12.777

2022-09-04

IEEE Wireless Communications

Abstract:Empowered by promising artificial intelligence, the traditional Internet of Things is evolving into the Artificial Intelligence of Things (AIoT), which is an important enabling technology for Industry 4.0. Collaborative learning is a key technology for AIoT to build machine learning (ML) models on distributed datasets. However, there are two critical concerns of collaborative learning for AIoT: privacy leakage of sensitive data and dishonest computation. Specifically, data contains sensitive information of users, which cannot be openly shared for model learning. Furthermore, to protect the privacy of data or other selfish purposes, participants of collaborative learning may behave dishonestly, submitting dummy data or incorrect model computation. Therefore, it is important to guarantee privacy preservation of data and honest computation on collaborative learning. Our work tackles the two concerns wherein a model demander can securely train ML models with sensitive data and can regulate the computation of participants. To this end, we propose a secure and trusted collaborative learning framework called TrusCL. The framework guarantees privacy preservation via a delicate combination of homomorphic encryption (HE) and differential privacy (DP), achieving the trade-off between efficiency and accuracy. Furthermore, based on blockchain, in our design, the key steps of secure collaborative learning are recorded on blockchain so that malicious behaviors can be effectively tracked and choked in a timely manner to facilitate trusted computation. Experimental results validate the trade-off performance of Trus-CL between model training efficiency and trained model accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Shangwei Guo,Xu Zhang,Fei Yang,Tianwei Zhang,Yan Gan,Tao Xiang,Yang Liu

DOI: https://doi.org/10.48550/arXiv.2112.10183

2021-12-20

Abstract:With the rapid demand of data and computational resources in deep learning systems, a growing number of algorithms to utilize collaborative machine learning techniques, for example, federated learning, to train a shared deep model across multiple participants. It could effectively take advantage of the resources of each participant and obtain a more powerful learning system. However, integrity and privacy threats in such systems have greatly obstructed the applications of collaborative learning. And a large amount of works have been proposed to maintain the model integrity and mitigate the privacy leakage of training data during the training phase for different collaborative learning systems. Compared with existing surveys that mainly focus on one specific collaborative learning system, this survey aims to provide a systematic and comprehensive review of security and privacy researches in collaborative learning. Our survey first provides the system overview of collaborative learning, followed by a brief introduction of integrity and privacy threats. In an organized way, we then detail the existing integrity and privacy attacks as well as their defenses. We also list some open problems in this area and opensource the related papers on GitHub: <a class="link-external link-https" href="https://github.com/csl-cqu/awesome-secure-collebrative-learning-papers" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security

Jing Liu,Xuesong Hai,Keqin Li

DOI: https://doi.org/10.3390/fi16010006

2024-01-01

Future Internet

Abstract:Massive amounts of data drive the performance of deep learning models, but in practice, data resources are often highly dispersed and bound by data privacy and security concerns, making it difficult for multiple data sources to share their local data directly. Data resources are difficult to aggregate effectively, resulting in a lack of support for model training. How to collaborate between data sources in order to aggregate the value of data resources is therefore an important research question. However, existing distributed-collaborative-learning architectures still face serious challenges in collaborating between nodes that lack mutual trust, with security and trust issues seriously affecting the confidence and willingness of data sources to participate in collaboration. Blockchain technology provides trusted distributed storage and computing, and combining it with collaboration between data sources to build trusted distributed-collaborative-learning architectures is an extremely valuable research direction for application. We propose a trusted distributed-collaborative-learning mechanism based on blockchain smart contracts. Firstly, the mechanism uses blockchain smart contracts to define and encapsulate collaborative behaviours, relationships and norms between distributed collaborative nodes. Secondly, we propose a model-fusion method based on feature fusion, which replaces the direct sharing of local data resources with distributed-model collaborative training and organises distributed data resources for distributed collaboration to improve model performance. Finally, in order to verify the trustworthiness and usability of the proposed mechanism, on the one hand, we implement formal modelling and verification of the smart contract by using Coloured Petri Net and prove that the mechanism satisfies the expected trustworthiness properties by verifying the formal model of the smart contract associated with the mechanism. On the other hand, the model-fusion method based on feature fusion is evaluated in different datasets and collaboration scenarios, while a typical collaborative-learning case is implemented for a comprehensive analysis and validation of the mechanism. The experimental results show that the proposed mechanism can provide a trusted and fair collaboration infrastructure for distributed-collaboration nodes that lack mutual trust and organise decentralised data resources for collaborative model training to develop effective global models.

Lifeng Liu,Yifan Hu,Jiawei Yu,Fengda Zhang,Gang Huang,Jun Xiao,Chao Wu

DOI: https://doi.org/10.1145/3387168.3387211

2019-01-01

Abstract:Currently, training neural networks often requires a large corpus of data from multiple parties. However, data owners are reluctant to share their sensitive data to third parties for modelling in many cases. Therefore, Federated Learning (FL) has arisen as an alternative to enable collaborative training of models without sharing raw data, by distributing modelling tasks to multiple data owners. Based on FL, we premodel sent a novel and decentralized approach to training encrypted models with privacy-preserved data on Blockchain. In our approach, Blockchain is adopted as the machine learning environment where different actors (i.e., the model provider, the data provider) collaborate on the training task. During the training process, an encryption algorithm is used to protect the privacy of data and the trained model. Our experiments demonstrate that our approach is practical in real-world applications.

Hongyang Yan,Li Hu,Xiaoyu Xiang,Zheli Liu,Xu Yuan

DOI: https://doi.org/10.1016/j.ins.2020.09.064

IF: 8.1

2021-02-01

Information Sciences

Abstract:<p>Collaborative learning and related techniques such as federated learning, allow multiple clients to train a model jointly while keeping their datasets at local. <em>Secure Aggregation</em> in most existing works focus on protecting model gradients from the server. However, an dishonest user could still easily get the privacy information from the other users. It remains a challenge to propose an effective solution to prevent information leakage against dishonest users.</p><p>To tackle this challenge, we propose a novel and effective privacy-preserving collaborative machine learning scheme, targeting at preventing information leakage agains adversaries. Specifically, we first propose a privacy-preserving network transformation method by utilizing Random-Permutation in Software Guard Extensions(SGX), which protects the model parameters from being inferred by a curious server and dishonest clients. Then, we apply Partial-Random Uploading mechanism to mitigate the information inference through visualizations. To further enhance the efficiency, we introduce network pruning operation and employ it to accelerate the convergence of training. We present the formal security analysis to demonstrate that our proposed scheme can preserve privacy while ensuring the convergence and accuracy of secure aggregation. We conduct experiments to show the performance of our solution in terms of accuracy and efficiency. The experimental results show that the proposed scheme is practical.</p>

computer science, information systems

Genqing Bian,Wenjing Qu,Bilin Shao

DOI: https://doi.org/10.3390/electronics12092068

IF: 2.9

2023-05-01

Electronics

Abstract:COVID-19 is a serious epidemic that not only endangers human health, but also wreaks havoc on the development of society. Recently, there has been research on using artificial intelligence (AI) techniques for COVID-19 detection. As AI has entered the era of big models, deep learning methods based on pre-trained models (PTMs) have become a focus of industrial applications. Federated learning (FL) enables the union of geographically isolated data, which can address the demands of big data for PTMs. However, the incompleteness of the healthcare system and the untrusted distribution of medical data make FL participants unreliable, and medical data also has strong privacy protection requirements. Our research aims to improve training efficiency and global model accuracy using PTMs for training in FL, reducing computation and communication. Meanwhile, we provide a secure aggregation rule using differential privacy and fully homomorphic encryption to achieve a privacy-preserving Byzantine robust federal learning scheme. In addition, we use blockchain to record the training process and we integrate a Byzantine fault tolerance consensus to further improve robustness. Finally, we conduct experiments on a publicly available dataset, and the experimental results show that our scheme is effective with privacy-preserving and robustness. The final trained models achieve better performance on the positive prediction and severe prediction tasks, with an accuracy of 85.00% and 85.06%, respectively. Thus, this indicates that our study is able to provide reliable results for COVID-19 detection.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhongshu Gu,Hani Jamjoom,Dong Su,Heqing Huang,Jialong Zhang,Tengfei Ma,Dimitrios Pendarakis,Ian Molloy

DOI: https://doi.org/10.48550/arXiv.1812.03230

2018-12-08

Abstract:Distributed collaborative learning (DCL) paradigms enable building joint machine learning models from distrusting multi-party participants. Data confidentiality is guaranteed by retaining private training data on each participant's local infrastructure. However, this approach to achieving data confidentiality makes today's DCL designs fundamentally vulnerable to data poisoning and backdoor attacks. It also limits DCL's model accountability, which is key to backtracking the responsible "bad" training data instances/contributors. In this paper, we introduce CALTRAIN, a Trusted Execution Environment (TEE) based centralized multi-party collaborative learning system that simultaneously achieves data confidentiality and model accountability. CALTRAIN enforces isolated computation on centrally aggregated training data to guarantee data confidentiality. To support building accountable learning models, we securely maintain the links between training instances and their corresponding contributors. Our evaluation shows that the models generated from CALTRAIN can achieve the same prediction accuracy when compared to the models trained in non-protected environments. We also demonstrate that when malicious training participants tend to implant backdoors during model training, CALTRAIN can accurately and precisely discover the poisoned and mislabeled training data that lead to the runtime mispredictions.

Cryptography and Security,Machine Learning

Fei Yang,Xu Zhang,Shangwei Guo,Daiyuan Chen,Yan Gan,Tao Xiang,Yang Liu

DOI: https://doi.org/10.1007/s10462-024-10797-0

IF: 9.588

2024-06-22

Artificial Intelligence Review

Abstract:Increasing numbers of artificial intelligence systems are employing collaborative machine learning techniques, such as federated learning, to build a shared powerful deep model among participants, while keeping their training data locally. However, concerns about integrity and privacy in such systems have significantly hindered the use of collaborative learning systems. Therefore, numerous efforts have been presented to preserve the model's integrity and reduce the privacy leakage of training data throughout the training phase of various collaborative learning systems. This survey seeks to provide a systematic and comprehensive evaluation of security and privacy studies in collaborative training, in contrast to prior surveys that only focus on one single collaborative learning system. Our survey begins with an overview of collaborative learning systems from various perspectives. Then, we systematically summarize the integrity and privacy risks of collaborative learning systems. In particular, we describe state-of-the-art integrity attacks (e.g., Byzantine, backdoor, and adversarial attacks) and privacy attacks (e.g., membership, property, and sample inference attacks), as well as the associated countermeasures. We additionally provide an analysis of open problems to motivate possible future studies.

computer science, artificial intelligence

Yanjun Zhang,Guangdong Bai,Xue Li,Caitlin Curtis,Chen Chen,Ryan K L Ko

DOI: https://doi.org/10.48550/arXiv.2007.06953

2020-07-14

Abstract:Collaborative learning enables two or more participants, each with their own training dataset, to collaboratively learn a joint model. It is desirable that the collaboration should not cause the disclosure of either the raw datasets of each individual owner or the local model parameters trained on them. This privacy-preservation requirement has been approached through differential privacy mechanisms, homomorphic encryption (HE) and secure multiparty computation (MPC), but existing attempts may either introduce the loss of model accuracy or imply significant computational and/or communicational overhead. In this work, we address this problem with the lightweight additive secret sharing technique. We propose PrivColl, a framework for protecting local data and local models while ensuring the correctness of training processes. PrivColl employs secret sharing technique for securely evaluating addition operations in a multiparty computation environment, and achieves practicability by employing only the homomorphic addition operations. We formally prove that it guarantees privacy preservation even though the majority (n-2 out of n) of participants are corrupted. With experiments on real-world datasets, we further demonstrate that PrivColl retains high efficiency. It achieves a speedup of more than 45X over the state-of-the-art MPC/HE based schemes for training linear/logistic regression, and 216X faster for training neural network.

Cryptography and Security

Zhe Sun,Weiping Li,Junxi Liang,Lihua Yin,Chao Li,Nan Wei,Jie Zhang,Hanyi Wang,Sun,Li,Liang,Yin,Li,Wei,Zhang,Wang

DOI: https://doi.org/10.3390/math12050718

IF: 2.4

2024-02-29

Mathematics

Abstract:The advent of the big data era has brought unprecedented data demands. The integration of computing resources with network resources in the computing force network enables the possibility of distributed collaborative training. However, unencrypted collaborative training is vulnerable to threats such as gradient inversion attacks and model theft. To address this issue, the data in collaborative training are usually protected by cryptographic methods. However, the semantic meaninglessness of encrypted data makes it difficult to prevent potential data poisoning attacks and free-riding attacks. In this paper, we propose a fairness guarantee approach for privacy-preserving collaborative training, employing blockchain technology to enable participants to share data and exclude potential violators from normal users. We utilize a cryptography-based secure aggregation method to prevent data leakage during blockchain transactions, and employ a contribution evaluation method for encrypted data to prevent data poisoning and free-riding attacks. Additionally, utilizing Shamir's secret sharing for secret key negotiation within the group, the negotiated key is directly introduced as noise into the model, ensuring the encryption process is computationally lightweight. Decryption is efficiently achieved through the aggregation of encrypted models within the group, without incurring additional computational costs, thereby enhancing the computational efficiency of the encryption and decryption processes. Finally, the experimental results demonstrate the effectiveness and efficiency of our proposed approach.

mathematics

Minghui Xu,Zongrui Zou,Ye Cheng,Qin Hu,Dongxiao Yu,Xiuzhen Cheng

DOI: https://doi.org/10.1109/tc.2022.3169436

2023-01-01

Abstract:Decentralized learning involves training machine learning models over remote mobile devices, edge servers, or cloud servers while keeping data localized. Even though many studies have shown the feasibility of preserving privacy, enhancing training performance or introducing Byzantine resilience, but none of them simultaneously considers all of them. Therefore we face the following problem: how can we efficiently coordinate the decentralized learning process while simultaneously maintaining learning security and data privacy for the entire system? To address this issue, in this paper we propose SPDL, a blockchain-secured and privacy-preserving decentralized learning system. SPDL integrates blockchain, Byzantine Fault-Tolerant (BFT) consensus, BFT Gradients Aggregation Rule (GAR), and differential privacy seamlessly into one system, ensuring efficient machine learning while maintaining data privacy, Byzantine fault tolerance, transparency, and traceability. To validate our approach, we provide rigorous analysis on convergence and regret in the presence of Byzantine nodes. We also build a SPDL prototype and conduct extensive experiments to demonstrate that SPDL is effective and efficient with strong security and privacy guarantees.

Hongxu Su,Cheng Xiang,Bharath Ramesh

DOI: https://doi.org/10.31585/jbba-7-1-(3)2024

2024-02-28

Abstract:The development of cutting-edge large language models such as ChatGPT has sparked global interest in the transformative potential of chatbots to automate language tasks. However, alongside the remarkable advancements in natural language processing, concerns about user privacy and data security have become prominent challenges that need immediate attention. In response to these critical concerns, this article presents a novel approach that addresses the privacy and security issues in chatbot applications. We propose a secure and privacy-preserving framework for chatbot systems by leveraging the power of decentralised federated learning (DFL) and secure multi-party computation (SMPC). Our DFL framework leverages blockchain smart contracts for participant selection, orchestrating the training process on user data while keeping the data local, and model distribution. After each round of local training by the participants, the blockchain network securely aggregates the model updates using SMPC, ensuring that participants’ raw model parameters are not exposed to others. The global model is encrypted and stored in hypermedia protocols such as the InterPlanetary File System. Participants decrypt the global model updates using their private keys to further fine-tune their models. Iterative training rounds are executed through the blockchain network, with participants updating the model collaboratively using SMPC. Experiments show that our approach achieves comparable performance to centralised models while offering significant improvements in privacy and security. This article presents a ground-breaking solution to privacy and security challenges in chatbots, and we hope our approach will foster trust and encourage broader adoption of chatbot technology with privacy at the forefront.

Sebastien Lugan,Paul Desbordes,Luis Xavier Ramos Tormo,Axel Legay,Benoit Macq

DOI: https://doi.org/10.1109/ACCESS.2019.2959220

2019-06-19

Abstract:Distributed learning across a coalition of organizations allows the members of the coalition to train and share a model without sharing the data used to optimize this model. In this paper, we propose new secure architectures that guarantee preservation of data privacy, trustworthy sequence of iterative learning and equitable sharing of the learned model among each member of the coalition by using adequate encryption and blockchain mechanisms. We exemplify its deployment in the case of the distributed optimization of a deep learning convolutional neural network trained on medical images.

Cryptography and Security,Machine Learning

Minghui Xu,Zongrui Zou,Ye Cheng,Qin Hu,Dongxiao Yu,Xiuzhen Cheng

DOI: https://doi.org/10.48550/arXiv.2201.01989

2022-01-06

Cryptography and Security

Abstract:Decentralized learning involves training machine learning models over remote mobile devices, edge servers, or cloud servers while keeping data localized. Even though many studies have shown the feasibility of preserving privacy, enhancing training performance or introducing Byzantine resilience, but none of them simultaneously considers all of them. Therefore we face the following problem: \textit{how can we efficiently coordinate the decentralized learning process while simultaneously maintaining learning security and data privacy?} To address this issue, in this paper we propose SPDL, a blockchain-secured and privacy-preserving decentralized learning scheme. SPDL integrates blockchain, Byzantine Fault-Tolerant (BFT) consensus, BFT Gradients Aggregation Rule (GAR), and differential privacy seamlessly into one system, ensuring efficient machine learning while maintaining data privacy, Byzantine fault tolerance, transparency, and traceability. To validate our scheme, we provide rigorous analysis on convergence and regret in the presence of Byzantine nodes. We also build a SPDL prototype and conduct extensive experiments to demonstrate that SPDL is effective and efficient with strong security and privacy guarantees.

x ma,q jiang,x liu,q pei,j ma

DOI: https://doi.org/10.1109/TDSC.2022.3192326

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Organizations tend to collaboratively train the deep learning model over their combined datasets for a common benefit (e.g., better-trained model or learning a complicated model). However, due to the consideration about privacy leakage, organizations cannot share their data directly, especially related to sensitive domains. In this article, a privacy-preserving collaborative deep learning mechanism, namely Sigma, is designed to allow participating organizations to train a collective model without exposing their local training data to the others. Specifically, a single-server-aided private collaborative architecture is introduced to achieve the private collaborative learning, which protects organizations’ data even if <inline-formula><tex-math notation="LaTeX">$n-1$</tex-math></inline-formula> out of <inline-formula><tex-math notation="LaTeX">$n$</tex-math></inline-formula> participants colluded. We also design a practical protocol to perform the secure model training, which can resist the typical inference attack through the sharing information. After that, we propose a fair model releasing mechanism for participants and introduce differential privacy to prevent model stealing and membership inference attack. Furthermore, we prove that Sigma can ensure participants’ privacy preservation and analyze the communication overhead in theory. To evaluate the effectiveness and efficiency of Sigma, we conduct an experiment over two real-world datasets and the simulation results demonstrate that Sigma can efficiently achieve the collaborative model training and effectively resist the membership inference attack.

Tsuyoshi Idé,Dzung T. Phan,Rudy Raymond

2024-04-02

Abstract:This paper presents two methodological advancements in decentralized multi-task learning under privacy constraints, aiming to pave the way for future developments in next-generation Blockchain platforms. First, we expand the existing framework for collaborative dictionary learning (CollabDict), which has previously been limited to Gaussian mixture models, by incorporating deep variational autoencoders (VAEs) into the framework, with a particular focus on anomaly detection. We demonstrate that the VAE-based anomaly score function shares the same mathematical structure as the non-deep model, and provide comprehensive qualitative comparison. Second, considering the widespread use of "pre-trained models," we provide a mathematical analysis on data privacy leakage when models trained with CollabDict are shared externally. We show that the CollabDict approach, when applied to Gaussian mixtures, adheres to a Renyi differential privacy criterion. Additionally, we propose a practical metric for monitoring internal privacy breaches during the learning process.

Machine Learning,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yao Xiao,Lei Xu,Yan Wu,Jiahang Sun,Liehuang Zhu

DOI: https://doi.org/10.1109/jiot.2024.3454087

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:With the help of artificial intelligence, the large amount of data generated by IoT has unleashed significant value. Federated learning is emerging as a novel paradigm which can be applied to solve the privacy issues caused by analyzing IoT data. However, traditional federated learning protocols are vulnerable to inference and poisoning attacks. Various solutions have been proposed to enhance data privacy and robustness. Nonetheless, most of these solutions are usually centralized and rely on unrealistic security assumptions. Furthermore, the recently proposed blockchain-based decentralized solutions generally incur high costs, which is unaffordable for resource-constrained IoT devices. In this paper, we propose a practical secure federated learning system named PrSeFL. We utilize blockchain to decentralize federated learning process so that the security assumptions are easier to achieve in practice. To preserve data privacy, we implement secure multiparty computation based secure aggregation in blockchain environment. To guarantee practical robustness, we enforce norm constraints on the masked updates via zero-knowledge proof. Moreover, we propose a modified dynamic accumulator which is utilized to realize lightweight anonymous authentication of users. Simulation results show that, compared with state-of-the-art systems, PrSeFL has superior performance on authentication and model training. And the advantage of PrSeFL becomes more significant as the number of users grows.