Cryptanalysis and Improvement of DeepPAR: Privacy-Preserving and Asynchronous Deep Learning for Industrial IoT

Industrial Internet of Things (IIoT) is gradually changing the mode of traditional industries with the rapid development of big data. Besides, thanks to the development of deep learning, it can be used to extract useful knowledge from the large amount of data in the IIoT to help improve production and service quality. However, the lack of large-scale data sets will lead to low performance and overfitting of learning models. Therefore, federated deep learning with distributed data sets has been proposed. Nevertheless, the research has shown that federated learning can also leak the private data of participants. In IIoT, once the privacy of participants in some special application scenarios is leaked, it will directly affect national security and people’s lives, such as smart power grid and smart medical care. At present, several privacy-preserving federated learning schemes have been proposed to preserve data privacy of participants, but security issues prevent them from being fully applied. In this article, we analyze the security of the DeepPAR scheme proposed by Zhang et al., and point out that the scheme is insecure in the re-encryption key generation process, which will cause the leakage of the secret key of participants or the proxy server. In addition, the scheme is not resistant to collusion attacks between the parameter server and participants. Based on this, we propose an improved scheme. The security proof shows that the improved scheme solves the security problem of the original scheme and is resistant to collusion attacks. Finally, the security and accuracy of the scheme is illustrated by performance analysis.


I. INTRODUCTION
I NDUSTRIAL Internet of Things (IIoT) [1]- [3] refers to the continuous integration of various types of sensors with sensing and monitoring functions into various parts of the industrial production process via the Internet. IIoT can dramatically increase manufacturing efficiency, improve product quality, reduce product costs and resource consumption, and ultimately achieve the goal of upgrading traditional industries to a new stage of intelligence. In order to better improve the quality of production and services, enterprises combine industrial production with the advanced technology available. In modern industrial production, industrial equipment obtains large amounts of data from end users through the use of wireless sensors. Then, these data are sent to cloud servers for data mining to discover useful information. However, handling and utilizing the ever-increasing amount of data effectively is a huge challenge for the IIoT. Fortunately, the emergence of deep learning [4] can effectively extract valuable information from massive amounts of data.
With the development of deep learning techniques, more and more IIoT applications are using deep learning for data analysis. Deep learning can be used to provide intelligent decisions for industrial production and services by training a large amount of data to obtain a model that solves the relevant problem. As we know well, there are two main problems with the application of deep learning: on the one hand, it is difficult to train and maintain models for users with limited resources; on the other hand, the lack of training data set can reduce the accuracy of the model. Therefore, researchers have proposed federated deep learning [5] as an effective way to solve the above problems. In federated deep learning, the parameter server coordinates participants with parameters to work together on the training of the model. As a branch of joint deep learning, each processing unit of the parameter server in asynchronous deep learning can update the model parameters independently [6]. Therefore, using asynchronous deep learning for model training can reduce training time.
Recently, Phong et al. [7] designed a deep learning scheme to protect the privacy of participants' data using the Paillier and LWE homomorphic encryption algorithms. However, there This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ are still security issues with their scheme, where participants use the same public and private keys and malicious participants can easily access the privacy of other participants. Zhang et al. [8] designed a new privacy-preserving asynchronous deep learning scheme based on proxy re-encryption that addressed the security issues in Phong et al.'s scheme. However, we found that the scheme of Zhang et al. could leak the secret key information of the participants and the proxy server, and could not resist collusion attacks between the parameter server and participants.
In this article, we will demonstrate that the re-encryption key generation process of Zhang et al. 's DeepPAR scheme suffers from security problems. An attacker can easily obtain the secret keys of the participants and the proxy server, and then acquire the private data of the participants. In addition, the scheme cannot resist collusion attacks by the parameter server and the participants. Therefore, we have improved their scheme and successfully solved the security problems of the original scheme. Specifically, our main contributions are summarized as follows.
1) First, we show that the scheme of Zhang et al. suffers from security problems due to the disclosure of secret key information and is not resistant to collusion attacks between the parameter server and the participants. 2) Second, we redesign the re-encryption key generation method of Zhang et al. 's scheme so that the secret keys of the participants and the proxy server are not leaked during the generation of the re-encryption key. It also ensures that the secret key of the proxy server cannot be obtained even in the case of collusion between the parameter server and a participant, perfectly circumventing the privacy leakage problem that exists in the original scheme. 3) Finally, our security analysis and experimental evaluation demonstrate that our scheme is more secure than the DeepPAR scheme of Zhang et al. without loss of model training efficiency and accuracy. Organization: The remainder of this article is organized as follows. We discuss the related work on privacy-preserving deep learning in Section II and introduce the background knowledge required for this article in Section III. We then give the system model, threat model, and security requirements in Section IV. In Section V, we give a description and security analysis of Zhang et al.'s scheme. We present our improved scheme and the corresponding security analysis in Section VI. In Section VII, we provide the communication overhead, computational cost, and the experimental performance of the scheme. Finally, we draw conclusions in Section VIII.

II. RELATED WORK
In the last decade, the research of privacy-preserving deep learning has become a hot topic for scholars. Many privacypreserving deep learning schemes have been born [9]- [11].
McMahan et al. [12] presented a practical federated learning model of deep networks based on iterative model averaging from decentralized data, which can jointly train the model without sending user data to an aggregation server and realize the purpose of federated training and prediction. This is a common federated averaging algorithm provided by Google. To better describe the technologies, we divide these works into two categories: one is the protection of data through data perturbation, and the other is the protection of data through cryptographic tools.
Differential privacy [13]- [15] has been widely used as a mainstream data perturbation mechanism for privacypreserving deep learning. Shokri and Shmatikov [6] proposed a distributed deep learning scheme with participant privacy in mind. Unlike traditional deep learning training where participants upload data to a parameter server, in their scheme, participants train independently with their own private data sets in local. After training, participants simply upload the gradients obtained from training to the parameter server. Their solution protects the privacy of the participants to a certain extent. Phan et al. [16] proposed a privacy-preserving mechanism that can dynamically add noise based on the contribution of features to the output in a deep learning network, which can reduce the overhead of participants. Zhang and Zhu [17] designed two privacy-preserving distributed learning schemes using differential privacy. Gong et al. [18] proposed a privacy-enhanced multiparty deep learning framework, which dynamically allocated privacy budgets at different stages of training to further improve security without compromising the accuracy of model training. Kim et al. [19] combined homomorphic encryption and differential privacy to design a privacy-preserving deep learning scheme, and their scheme can be effectively applied to deep learning. Abadi et al. [20] proposed a deep learning framework with differential privacy by adding Laplacian noise to gradients. However, Xiang et al. [21] pointed out that adding noise to the gradient ensured privacy, but it greatly reduces the accuracy of the model. In addition, they presented a differentially private deep learning scheme from an optimization perspective.
SMC performs secure computing jointly between some untrustworthy participants and is often used to multiparty deep learning, but SMC has high communication complexity owing to high interaction. Bonawitz et al. [26] proposed a secure data aggregation method using secret sharing techniques. However, the communication overhead for users in the scheme is too high. Xu et al. [27] proposed an efficient privacypreserving federated learning approach (HybridAlpha), which employed an SMC protocol based on functional encryption. Mohassel and Zhang [28] proposed a secure two-party computation, which can support the computation of nonlinear functions and can be applied to common deep learning models. Bansal et al. [29] constructed a two-party protocol using secret sharing and secure scalars that can protect privacy during the deep learning training process. However, when the number of parties is large enough, the scheme no longer works.
Homomorphic encryption [30], [31] allows arithmetic operations to be performed under ciphertext. The decrypted result calculated on ciphertext is consistent with the result calculated on plaintext, which can effectively protect data privacy in deep learning. Phong et al. [7] pointed out privacy leakage issues in the scheme of Shokri and Shmatikov [6], which demonstrated that even uploading gradient information without uploading local data also lead to participant privacy leakage. Therefore, they used homomorphic encryption to encrypt the participants' gradients and then uploaded them to the parameter server, which used homomorphic properties to update the model. Due to semantical security of homomorphic encryption schemes, the adversary cannot directly access the gradient information. However, all participants in the scheme use the same homomorphic encryption key, resulting in private information of other participants insecure. To overcome this drawback, Zhang et al. [8] designed DeepPAR, a privacy-preserving deep learning scheme based on proxy reencryption. All participants in the scheme had different public and secret keys, and participants encrypted the gradients using their own public keys and uploaded them to the parameter server. The parameter server used proxy re-encryption to convert the ciphertext into another ciphertext by the proxy public key for aggregation. This effectively prevented the privacy of the participants from being compromised. However, we find that the scheme is not resistant to collusion attacks and that the generation process of the proxy re-encryption key is insecure, leading to the disclosure of secret key information of the proxy and the participants. Tang et al. [32] proposed a distributed deep learning scheme with security guarantees and high accuracy. In this scheme, a key transformation server was used to re-encrypt the encrypted gradients. 
At the same time, the data service provider (DSP) performed homomorphic aggregation of the re-encrypted gradients and computed updates to the ciphertext. Their scheme solved the problem of collusion between the cloud server and any learning participants in distributed deep learning schemes, but its communication overhead is too high. Ma et al. [33] first introduced the concept of verifiability in privacy-preserving deep learning, but there is a risk of server and participants complicity.

III. PRELIMINARIES
The main notations in this article are shown in Table I.

A. ElGamal Cryptography
Homomorphic encryption is a special type of encryption that allows us to perform homomorphic arithmetic operations on ciphertext without decrypting the ciphertext. The result of the homomorphic operation is the same as the result of the plaintext operation when the secret key is used to decrypt the ciphertext. A common homomorphic encryption scheme is the ElGamal encryption scheme [34]. ElGamal cryptosystem is composed of three algorithms: 1) KeyGen; 2) Enc; and 3) Dec.
1) KeyGen: Given large primes p and p satisfying p = 2p +1, choose a random generator h ∈ Z * p such that g = h 2 mod p. Then, choose random number θ ∈ Z * p and compute γ = g θ . Let the public key be PK = (p, g, γ ) and the secret key be SK = θ . 2) Enc: Given a random number r ∈ Z * p , the cryptographer encrypts the plaintext m that he wants to encrypt, computing the ciphertext c 1 = g m γ r and c 2 = g r . Finally, the ciphertext C = (c 1 , c 2 ) of the plaintext m is obtained. 3) Dec: Given a ciphertext C = (c 1 , c 2 ) and a secret key SK = θ , decrypt to obtain the plaintext If message m is relatively small, message m can be acquired efficiently by using Pollard's Rho algorithm. Homomorphic Nature: ElGamal encryption has an additive homomorphic property, which allows addition to be performed on a set of plaintexts without decrypting their ciphertexts. Given two ciphertexts C andĈ additive homomorphic operations are done on the ciphertext of m 1 and m 2 as follows:

B. Proxy Re-Encryption
In this section, we briefly describe the proxy reencryption scheme based on ElGamal encryption [35]. Given a multiplicative cyclic group G. The proxy re-encryption scheme consists of five algorithms (KeyGen, RKGen, Enc, Dec, ReEnc). 1) KeyGen (1 λ ) → (sk a , pk a ): Given the security parameter λ, the user generates the secret key sk a = a R ← Z * p and the public key pk a = g a ∈ G. 2) RKGen (sk a , sk b ) → rk a→b : Given two secret keys sk a and sk b = b, generate a re-encryption key rk a→b = sk −1 a · sk b by the re-encryption algorithm. 3) Enc (pk a , m) → C a : Given the plaintext m and the public key pk a , the user chooses a random integer r and then computes the ciphertext C a = (g m · g r , g sk a r ) using the ElGamal encryption algorithm. 4) Dec (sk a , C a ) → m: After obtaining the ciphertext C a , the user decrypts to obtain the original plaintext m using the secret key sk a according to the ElGamal decryption algorithm. 5) ReEnc (C a , rk a→b ) → C b : After getting the ciphertext C a , the user uses the re-encryption key rk a→b to transform the ciphertext into another ciphertext C b = (g m · g r , (g sk a r ) rk a→b ) = (g m · g r , g sk b r ).

C. Asynchronous Deep Learning
Deep learning is a special type of machine learning algorithm, a branch of machine learning. The aim of deep learning is to extract complex features from high-dimensional data and use these features to build a model that relates the input to output. In the deep learning model, each neuron node (except the bias node) is associated with an activation function. Examples of activation functions are hyperbolic tangent Stochastic Gradient Descent (SGD): The SGD algorithm is an optimization algorithm for the gradient descent algorithm [36]. Simply speaking, instead of using all available data for training, it selects small batches of data to compute the gradients in the network. In the most extreme cases, we can even choose a random sample of data for the gradient descent algorithm at each training session, which corresponds to maximum randomness.
We denote the weight vector as w. There is a total of d weights in the vector, denoted as Let E be the loss function, i.e., the difference between the true value of the objective function and the output computed by the deep learning model. Calculate the gradient η of E for each parameter in w by the following equation: where δ is the partial derivative. For asynchronous SGD (ASGD), each participant is trained using their own training data set to obtain the gradient. Since ASGD is based on the idea of parallel computing, participants divide the gradient vector η into N parts that can be uploaded to different processing units of the parameter server. Thus, the update rule can be expressed as w (i) where α is the learning rate.

A. System Model
As shown in Fig. 1, three parties are involved in the scenario used for asynchronous deep learning, including a parameter server, a proxy server and participants. The descriptions of these parties are given as follows.
1) Parameter Server: The parameter server has powerful storage and computational capabilities. The parameter server is responsible for collecting the encrypted gradient vectors and converting the ciphertext gradient vectors into another set of ciphertext with the same public key of the proxy server, and then updating the global weight parameters using the encrypted gradients. It is equipped with N processors capable of independently and simultaneously updating the corresponding part of the global weight parameters. 2) Proxy Server: The main task of the proxy server is to participate in generating the re-encryption key and decrypting the blinded ciphertext weight parameters and sending them to the participants. 3) Participants: n participants collect the data from sensors or IoT devices and form their own private data set and a replica of the global model. They then work together to train a model with higher accuracy. Each participant trains the model utilizing their own data set in local to obtain a new group of gradients. Then, they encrypt the gradients using their own public keys and send them to the parameter server. In addition, the participants are involved in the generation of the proxy re-encryption key.

B. Threat Model
In Zhang et al.'s [8] scheme, they assume that the parameter server and proxy server are honest-but-curious. However, the scheme cannot against collusion attacks between the parameter server and participants. Moreover, in the real application, the parameter server, proxy server, and participants are likely to be compromised by external adversaries or become a malicious adversary A. Therefore, for the problem of the scheme, we give a formal definition of the threat model for the malicious adversaries through the real/ideal world model. In the real/ideal world model, if any adversary in the real world can be simulated by a simulator adversary in the ideal world, the protocol for the specific attack is secure. The framework is as follows.
The Real Model: The protocol has three parties-participant P i , parameter server S, and proxy server O. All parties can access the public parameters, such as the public keys and protocol Participant P i and the proxy server O have the inputs X and Y, respectively, and the parameter server S has an input {•, ⊥}, where • represents the null or rejecting to participant in the protocol, and ⊥ expresses the interrupt. The adversary A can interact with any parties in the system model. After performing the protocol, the joint execution of P i , S, O, and A in the real world is marked as The Ideal Model: In the ideal world, a trusted third party T is introduced to perform the output of the ideal functionality f and partiesP i ,S,Ō. Besides, partiesP i ,Ō have the inputs X,Ȳ, respectively, and the partyS has an input {•, ⊥}. The appointment is followed.
1) IfP i ,S,Ō are honest,P i andŌ send their inputs to T, andS sends • to T. The simulator adversary SIM replaces the parties to send the inputs and obtains T's response.
where XP i and YŌ are any sets. In the process, if a party is malicious,X andȲ may be different from X and Y. 3) If d = {•, ⊥} and T has receivedX(Ȳ) = ⊥ or ⊥, then T sendsX ∩Ȳ or ⊥ toP i (Ō); If d = •, the party T sends d toP i (Ō). In the ideal world, the joint execution ofP i ,S,Ō, and SIM is marked as IDEAL f ,SIM (X, Y).
Simulatability: In the real/ideal model, the protocol is called as the security computation functionality f in the malicious model. If the real-world adversary A has an ideal world adversary SIM, causing the outputs in the real world and the ideal world are computationally indistinguishable

C. Security Requirements
Our solution ensures system security even under a malicious adversary model. In real life, cloud servers may actively deviate from the protocol and try to compromise the privacy of participants, and may deceive participants with false results in order to save on computational costs or storage resources. In our scenario, even if a participant colludes with the server, there is no way to access the privacy information of other participants. We assume that the parameter server and proxy server do not collude, which is feasible in the real world because major cloud service providers will guarantee honest and reliable services for their own reputation and credibility. We present the specific security requirements for our scheme. 1) Input Privacy: Since the gradients can reveal the privacy of the participants, when the participants have trained with local data to obtain the gradients, the participants encrypt the gradients and send them to the parameter server. Due to the protection of the encryption scheme, the adversary cannot obtain the plaintext value of the ciphertext gradients. Furthermore, the parameter server cannot access the private information of other participants even if it colludes with some participants. 2) Model Privacy: The model trained by the parameter server and the participants is their private property and the proxy server is only responsible for decrypting the blinded weight parameters and therefore cannot access the model parameters. Besides, other participants who are not authorized to do so cannot access the model parameters. Therefore, our solution needs to satisfy the privacy of the model and ensure that the model parameters are not accessible to illegal users.
V. DESCRIPTION AND SECURITY ANALYSIS OF THE DEEPPAR SCHEME PROPOSED BY ZHANG et al.

A. Zhang et al.'s DeepPAR Scheme
In this section, we first briefly introduce the DeepPAR scheme proposed by Zhang et al. [8]. Then, the security issues are analyzed. Their scheme is described in detail as follows.
1) KeyGen: Each participant P i randomly picks a number x i ∈ Z * p as its secret key sk i and computes its public key pk i = g x i , denoted as (pk i , sk i ), where i ∈ [1, n]. Similarly, the proxy server randomly chooses a number x o ∈ Z * p as its secret key sk and computes its public key pk = g x o , denoted as (pk, sk). Finally, the parameter server, proxy server and participants generate the re-encryption key rk i following the steps below.
a) The parameter server S chooses a random number r i ∈ Z * p and sends it to the participant P i . b) P i calculates x −1 i · r i and sends it to the proxy server O. c) O uses its secret key x o to compute x −1 i · r i · x o and then sends it to S. d) After receiving x −1 i · r i · x o , S obtains the reencryption key rk i = x −1 i · x o for the ith participant by multiplying by r −1 i . 2) Compute: Each participant P i downloads the weight parameters stored in the processing unit PU j of the parameter server and then decrypts them, with the specific decryption process described in the Decrypt phase, which yields the current weights w global , where j ∈ I Then, a small batch data set is selected and deep learning training is performed to obtain a new gradient vector G = (G (1) , . . . , G (N) ). Finally, the participant encrypts the gradient to obtain N] and sends it to the corresponding processing unit PU j of the parameter server.
3) Re-Encrypt: When the parameter server S receives the gradient E pk i (−α·G (d) ) encrypted by participant P i using his public key pk i , S converts the ciphertext into another ciphertext E pk (−α · G (d) ) under the same public key pk of the O. Let the gradient ciphertext be (c 1 , c 2 ) = (g w · g r i , g x i r i ) and the transformation process is as follows: 4) Aggregate: When each processing unit PU j of S has completed the re-encryption of the received gradient vectors, it aggregates all the gradient vector ciphertexts to obtain E pk (w (d) , where w global is the global weights, and d ∈ I N]. 5) Decrypt: When S completes the aggregation, each participant downloads the aggregation result, but at this point, the ciphertext is encrypted using the public key of the proxy server, and the participant cannot decrypt it, so it can only be sent to the proxy server for decryption.
To protect the value of encrypted global weight parameters E pk (w global ), P i selects the blind factor s i ∈ Z p and calculates E pk (w global + s i ), and then sends them to the proxy server for decryption. The proxy server decrypts them and sends w global + s i to the participant. The participant receives w global + s i and directly removes s i to get the plaintext of the weight parameters w global , and then updates the model using the weight parameters.

B. Cryptanalysis of Zhang et al.'s DeepPAR Scheme
Theorem 1: During the re-encryption key generation process, if the proxy server eavesdrops on r i sent by the parameter server and the parameter server eavesdrops on x −1 i · r i sent by the participant, the participant's secret key is no longer secure.
Proof: Suppose the proxy server eavesdrops on r i sent by the parameter server, once the proxy server receives x −1 i · r i from the participant, it can remove r i to get x −1 i . Since p is a prime number, we can know that x −1 i and p have the greatest common factor of 1, then there must exist integers u and v such that x −1 i and p satisfy the following equation: So, we can use the extended Euclidean algorithm to find u, and finally, u is x i we require to get the secret key of the participant. Similarly, when the parameter server eavesdrops on x −1 i · r i sent by the participant, since the parameter server knows r i , it can easily find x −1 i , then the parameter server can also use the extended Euclidean algorithm to find x i , and thus acquires the secret key of the participant.
Theorem 2: During the re-encryption key generation, if the parameter server eavesdrops on x −1 i · r i that the participant sends to the proxy server and the participant eavesdrops on x −1 i · r i · x o that the proxy server sends to the parameter server, the proxy server's secret key is no longer secure.
Proof: Suppose the parameter server eavesdrops on x −1 i ·r i sent by the participant to the proxy server, when the parameter server receives x −1 i · r i · x o sent by the proxy server, he uses the eavesdropped x −1 i · r i to obtain the secret key x o of the proxy server by direct calculation, so that the secret key x o of the proxy server will be leaked, which will cause the gradients leakage in the parameter server. Similarly, when the participant eavesdrops on x −1 i ·r i ·x o sent by the proxy server to the parameter server, the participant can use x −1 i · r i to directly get the secret key x o of the proxy server. Both types of eavesdropping cause the proxy server's secret key to be no longer secure.
Theorem 3: DeepPAR is not resistant to collusion attacks between the parameter server and participants.
Proof: In the DeepPAR scheme, the re-encryption key rk i = x −1 i · x o , which includes the secret key information of the proxy server, can be easily obtained if the parameter server conspires with any of the participants to get x −1 i , so that the parameter server can get the secret key x o of the proxy server. In the re-encryption stage, all participants upload their encrypted gradient information to the parameter server, and after the parameter server finishes re-encryption, all participants' ciphertext is obtained with the same public key pk of the proxy server, so that the parameter server can use the obtained secret key x o of the proxy server to decrypt all users' ciphertext, which causes the users' private information to be disclosed to the parameter server, so the scheme is not resistant to collusion attacks.

VI. OUR PROPOSAL
In this section, we propose an improved DeepPAR-based asynchronous deep learning scheme to address the security issues of Zhang et al.'s scheme, the security analysis will be presented later.

A. Improved DeepPAR Scheme
In our improved scheme, we have modified the generation and transmission of re-encryption key to enhance security. 1) KeyGen: Each participant P i randomly picks a number x i ∈ Z * p as its secret key and computes its public key g x i , denoted as (pk i , sk i ). In such a manner, the proxy server randomly chooses a number x o ∈ Z * p as its secret key sk and computes its public key pk = g x o , denoted as (pk, sk). Finally, the parameter server, proxy server, and participants generate the re-encryption key rk i following the steps below.
a) The parameter server S selects a random number r i and sends its ciphertext r i pk i encrypted with the public key pk i to the participant P i . b) After receiving the ciphertext r i pk i , P i decrypts it with its own secret key sk i , calculates x −1 i · r i , and then sends its ciphertext x −1 i · r i pk encrypted with the proxy server's public key pk to the proxy server O. c) O chooses a random number t i and computes g t i .
Then, O decrypts x −1 i · r i pk using its own secret key x o . Finally, O computes x −1 i · r i · t −1 i · x o using its own secret key x o and t −1 i and sends it to S. d) S receives x −1 i · r i · t −1 i · x o and multiplies it by r −1 i , and S can obtain the re-encryption key rk i = x −1 i · t −1 i · x o for the ith participant. 2) Compute: Each participant P i downloads the weight parameters stored in the processing unit PU j of the parameter server and then decrypts them, with the specific decryption process described in the Decrypt phase, which yields the current weights w global , where Then, a small batch data set is selected and trained with deep learning to obtain a new gradient vector G = (G (1) , . . . , G (N) ), and finally, the participants encrypt −α · G (d) to obtain the ciphertext N], and sends it to the corresponding processing unit PU j of the parameter server. In the following, we specify the process of encryption. For the sake of convenience of description, we take one of the gradients in the gradient vector w for illustration, P i uses g t i for encryption, and the ciphertext C = (c 1 , c 2 ) is obtained according to the following equation: 3) Re-Encrypt: When S receives the gradient encrypted by participant P i using his public key pk i , S converts the ciphertext into another ciphertext under the same public key pk of O using the re-encryption key rk i . The conversion process is as follows: 4) Aggregate: When each processing unit PU j of S has completed re-encryption of the received gradient vectors, S aggregates all the gradient vector ciphertexts to obtain

5)
Decrypt: When S completes the aggregation, each participant downloads the aggregation results E pk (w global ), but at this point, the ciphertexts are encrypted using the public key of the proxy server, and the participant cannot decrypt them, so they can only be sent to the proxy server for decryption. To protect the value of the global weight parameters E pk (w global ), P i selects the blind factor s i and calculates E pk (w global + s i ), then sends them to the proxy server for decryption. The proxy server decrypts them and sends w global + s i to the participant. The participant receives w global +s i and directly removes s i to get the plaintext w global of the weight parameters, and then updates the model using the weight parameters.

B. Security Analysis
In this section, we analyze the security of the above scheme. All data in the scheme are transmitted over an insecure public channel and are at risk of being eavesdropped. We assume that the parameter server and the proxy server do not collude, but the parameter server may collude with some participants to access the private data of other participants. Besides, the scheme uses the ElGamal cryptosystem, which is semantically secure under the decisional Diffie-Hellman (DDH) assumption and the discrete logarithm hard problem. Based on the security of ElGamal, we prove the security of our improved scheme in the real/ideal world model. The specific security analysis is as follows.
Theorem 4: The KeyGen phase is secure against the malicious adversaries A_{P_i}, A_O, and A_S.
Proof: In the key generation process, a challenged parameter server can safely interact with a malicious adversary A_S. In the real world, the view of the adversary A_S consists of the messages it receives in steps a) and d). We construct a simulator SIM that replaces the parameter server and obtains the output of the trusted party T in the ideal world; the view of the simulator SIM consists of the random values r_1, r_11, r_1·r_2, r_2 ∈ Z_p^*. Owing to the semantic security of the ElGamal cryptosystem and the randomness of the random numbers, we can conclude that the real world and the ideal world are indistinguishable in this process.
In step b), a challenged participant P_i communicates with a malicious adversary A_{P_i}. The view of the adversary A_{P_i} in the real world consists of the messages exchanged in this step, while the view of the constructed simulator SIM in the ideal world consists of the random values r_ii, r_i, r_xi, r_xi′ ∈ Z_p^*. If the server S sends {⊥} to the trusted party T, the view of the simulator SIM remains unchanged. Owing to the semantic security of the ElGamal cryptosystem and the randomness of the random numbers, the ideal world is indistinguishable from the real world.
In step c), a challenged proxy server O interacts with a malicious adversary A_O. The view of the adversary A_O in the real world consists of the messages it receives in this step. In the ideal world, the simulator SIM replacing the proxy server O is built to communicate with the trusted party T and obtains the output; its view consists of the random values r_t, r_t′, r_xt, r_xt·r_tx ∈ Z_p^*. If the participant P_i sends {⊥} to the trusted party T, the view of the simulator SIM remains unchanged. In short, owing to the discrete logarithm problem and the randomness of the random numbers, the output of the ideal world is indistinguishable from that of the real world.
In summary, because the re-encryption key generation process is secure, the secret keys of the participants and the proxy server are secure.
Theorem 5: The Compute, Re-encrypt, and Aggregate phases are secure against the malicious adversaries A_{P_i} and A_S.
Proof: In the Compute process, knowing g^{t_i} and g^{x_i}, no adversary can acquire g^{t_i x_i}, and hence none can obtain r_i from g^{t_i x_i} · r_i, owing to the DDH and discrete logarithm problems. Besides, in the real world, the adversary A_{P_i} obtains the view U_REAL = {C} by interacting with the participant P_i. In the ideal world, the constructed simulator SIM replacing the participant P_i communicates with the trusted party T and obtains the view U_IDEAL = {r_C}, where r_C ∈ Z_p^*. According to the semantic security of the ElGamal cryptosystem, the output of the ideal world is indistinguishable from that of the real world.
In the Re-encrypt phase, knowing g^{x_o} and the ciphertext [r_i]_{pk_i}, no adversary can obtain g^{x_o} · r_i, owing to the semantic security of the ElGamal cryptosystem. In addition, the outputs of the Re-encrypt and Aggregate phases are likewise indistinguishable between the ideal world and the real world.
Theorem 6: The Decrypt phase is secure against the malicious adversaries A_{P_i} and A_O.
Proof: In the Decrypt phase, a challenged participant P_i can communicate with the adversary A_{P_i}. In the real world, the view of the adversary A_{P_i} consists of E_pk(w_global), E_pk(w_global + s_i), and w_global + s_i. In the ideal world, the constructed simulator SIM replacing the participant P_i acquires the output from the trusted party T; the view of the simulator SIM is Q_IDEAL = {r_wg, r_wgs, r_ws}, where r_wg, r_wgs, r_ws ∈ Z_p^*. According to the semantic security of the ElGamal cryptosystem and the randomness of the random numbers, the output of the ideal world is indistinguishable from that of the real world.
For a challenged proxy server, the adversary A_O obtains its view, consisting of E_pk(w_global + s_i) and w_global + s_i, by communicating with the proxy server in the real world. In the ideal world, the simulator SIM replacing the challenged proxy server interacts with the trusted party T and obtains the view {r_wgs, r_ws}, where r_wgs, r_ws ∈ Z_p^*. Owing to the same semantic security and randomness, the outputs of the ideal world and the real world are indistinguishable.
Theorem 7: The improved scheme can resist collusion attacks between the parameter server and participants.
Proof: The parameter server in the improved scheme holds the re-encryption key rk_i = x_i^{-1} · t_i^{-1} · x_o. Assuming that the parameter server colludes with any one of the participants, the parameter server can only obtain x_i^{-1}; due to the presence of t_i^{-1}, it cannot recover the secret key x_o of the proxy server, so the private information of the other participants cannot be obtained by the parameter server. This resolves the problem identified in Theorem 3. In summary, the improved scheme can resist the collusion threat of the parameter server and participants.
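The argument of Theorem 7 can be checked numerically on the key exponents alone. In the toy sketch below (exponent values are hypothetical, arithmetic is mod a small prime group order q, and the key shape without t_i stands in for the vulnerable case), a colluding participant who knows x_i can strip only its own factor from rk_i:

```python
q = 233                      # toy prime group order
x_i, t_i, x_o = 101, 57, 88  # participant, temporary, and proxy secret keys (toy)

inv = lambda a: pow(a, -1, q)

rk_weak  = inv(x_i) * x_o % q             # vulnerable key shape: x_i^-1 * x_o
rk_fixed = inv(x_i) * inv(t_i) * x_o % q  # improved scheme: x_i^-1 * t_i^-1 * x_o

# A colluding participant contributes x_i; the server contributes rk. Together:
assert rk_weak * x_i % q == x_o                   # without t_i, x_o leaks fully
assert rk_fixed * x_i % q == inv(t_i) * x_o % q   # only t_i^-1 * x_o: x_o stays hidden
```

Because t_i is known only to P_i and O, the residual value t_i^{-1} · x_o is uniformly distributed from the colluders' point of view.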

VII. PERFORMANCE EVALUATION
In this section, we evaluate the performance and accuracy of our improved scheme. First, we compare its communication overhead and computational cost with those of DeepPAR [8] and Tang et al. [32]. Among them, DeepPAR [8] is the original scheme on which ours is based, and Tang et al. [32] is a comparison scheme that also addresses the collusion problem. For comparison, in the scheme of Tang et al., we define steps 1-4 as the KeyGen phase, steps 5 and 6 as the Compute phase, step 7 as the Re-encrypt and Aggregate phases, and step 8 as the Decrypt phase.

A. Communication Overhead
Improved Scheme: Let the length of the large prime p be k bits; then, the length of each ElGamal ciphertext is 2k bits. In the KeyGen phase, the main communication overhead lies in the re-encryption key generation process, whose total communication overhead is 5nk bits, where n is the number of participants. In the Compute phase, participants compute the ciphertext gradients and upload them to the parameter server, with a communication overhead of 2nMk bits, where M is the number of gradients. In the Decrypt phase, participants download the global ciphertext weights and decrypt them with the proxy server, with a communication overhead of 5nMk bits. The other phases of the scheme incur no communication overhead. Thus, the communication overhead of the whole process is 7nMk + 5nk bits.
Compared Schemes: In the KeyGen phase, the total communication overheads of the re-encryption key generation process in DeepPAR [8] and Tang et al. [32] are 3nk and 5nk bits, respectively. In the Compute phase, the user computes the ciphertext gradients and uploads them to the parameter server, with communication overheads in DeepPAR [8] and Tang et al. [32] of 2nMk and 4nMk + 8Mk bits, respectively. In the Decrypt phase, the participant downloads the ciphertext weights and decrypts them with the proxy server; the corresponding overhead in DeepPAR [8] is 5nMk bits, and that of Tang et al. [32] is given in Table II. Since several iterations of training are required to train a deep learning model, the initialization process is needed only for the first training round and is not repeated afterward. We then compare the communication overheads of the schemes in the different phases, as shown in Table II.
In addition, we tested the communication overheads of the improved and comparison schemes with different numbers of participants and parameters. The test results are shown in Figs. 2 and 3. From the test results and the table, we can see that the communication overheads of the improved scheme and the DeepPAR [8] scheme are essentially the same, while that of Tang et al. [32] is clearly higher than those of the other two schemes. The results demonstrate that the difference in communication overhead between the improved and original schemes is not significant.
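The closeness of the two curves follows directly from the formulas above. A short script (with illustrative sizes of our own choosing) reproduces the totals for the improved scheme and DeepPAR and shows that the entire gap is the 2nk-bit difference in KeyGen:

```python
def improved_overhead_bits(n, M, k):
    """Total communication of the improved scheme, in bits (per this section)."""
    keygen  = 5 * n * k          # re-encryption key generation
    compute = 2 * n * M * k      # upload of encrypted gradients
    decrypt = 5 * n * M * k      # download plus blinded-decryption round trips
    return keygen + compute + decrypt

def deeppar_overhead_bits(n, M, k):
    """Total communication of DeepPAR [8]: 3nk KeyGen + 2nMk Compute + 5nMk Decrypt."""
    return 3 * n * k + 2 * n * M * k + 5 * n * M * k

n, M, k = 100, 1000, 1024        # example sizes (illustrative only)
assert improved_overhead_bits(n, M, k) == 7 * n * M * k + 5 * n * k
# The improved scheme costs exactly 2nk extra bits, all in the one-time KeyGen:
assert improved_overhead_bits(n, M, k) - deeppar_overhead_bits(n, M, k) == 2 * n * k
```

Since the 2nk term does not grow with the number of gradients M, it is negligible once training begins.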

B. Computational Cost
We analyze the computational costs of the improved and comparison schemes in this section. To simplify the presentation, we denote a multiplication by Mul, an exponentiation by Exp, a homomorphic encryption by Enc, and a hash by Hash.
Improved Scheme: In the KeyGen phase, the parameter server obtains the corresponding re-encryption key for each participant; in this phase, the parameter server performs 3nExp + 2nMul, each participant performs 4Exp + 3Mul, and the proxy server performs 2nExp + 3nMul. In the Compute phase, participants encrypt the gradient vectors and upload them to the parameter server; this phase costs 3MExp + MMul for each participant. In the Re-encrypt phase, the parameter server converts all ciphertexts into another set of ciphertexts under the public key pk of the proxy server, at a cost of MExp. In the Aggregate phase, the parameter server performs 2MMul. In the Decrypt phase, the participants send the blinded model parameters to the proxy server for decryption; this phase costs MExp + MMul for each participant and MExp + MMul for the proxy server.
Original Scheme: In the KeyGen phase, the parameter server obtains the corresponding re-encryption key for each participant; in this phase, the parameter server performs nMul, each participant performs nMul, and the proxy server performs nMul. In the Compute phase, participants encrypt the gradient vectors and upload them to the parameter server; this phase costs 3MExp + MMul for each participant. In the Re-encrypt phase, the parameter server converts all ciphertexts into another set of ciphertexts under the public key pk of the proxy server, at a cost of MExp. In the Aggregate phase, the parameter server performs 2MMul. In the Decrypt phase, the participant sends the blinded parameters to the proxy server for decryption; the participant performs MExp + MMul and the proxy server performs MExp + MMul.
Tang et al.'s Scheme: In the KeyGen phase, the key transform server (KTS) performs Mul + 2Exp, participants perform Exp + MMul, and the DSP performs 2Exp. In the Compute phase, the participant spends Mul + MEnc to compute the ciphertext gradients, and the KTS spends MEnc + n(Hash + 2Enc) to compute the first stage of re-encryption. In the Re-encrypt phase, the DSP performs n(Hash + 2Enc + Exp) to compute the second stage of re-encryption. In the Aggregate phase, the KTS spends nEnc to aggregate the weights. In the Decrypt phase, each participant spends M(2Hash + 3Mul + 6Exp) to decrypt.
In summary, in the improved scheme, each participant needs to perform 4(M + 1)Exp + (2M + 3)Mul, the parameter server performs (3n + M)Exp + (2n + 2M)Mul, and the proxy server performs (2n + M)Exp + (3n + M)Mul. The computational costs of the three schemes in each phase are summarized in Table III.
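The participant total quoted above can be verified by summing the per-phase counts listed for the improved scheme; a brief check (operation counts represented as (Exp, Mul) pairs) confirms the closed form:

```python
def participant_total(M):
    """Sum the improved scheme's per-phase participant costs as (Exp, Mul) counts."""
    keygen  = (4, 3)          # 4 Exp + 3 Mul
    compute = (3 * M, M)      # 3M Exp + M Mul
    decrypt = (M, M)          # M Exp + M Mul
    exp = keygen[0] + compute[0] + decrypt[0]
    mul = keygen[1] + compute[1] + decrypt[1]
    return exp, mul

for M in (1, 10, 1000):
    exp, mul = participant_total(M)
    assert exp == 4 * (M + 1) and mul == 2 * M + 3   # matches 4(M+1)Exp + (2M+3)Mul
```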
As can be seen from Table III, the computational cost of participants in the improved scheme is only slightly higher than in the original scheme; the main increases fall on the parameter server and the proxy server, which have powerful computational resources. Besides, Tang et al.'s scheme has a distinctly higher computational cost than the other two schemes. Therefore, our scheme resolves the privacy leakage problem of the original scheme at the price of a slight increase in participant overhead.

C. Experimental Performance
In this section, we present the results of a series of experiments on a real data set. The experiments were implemented in Python 3.7, and the benchmarks were run on an Intel Xeon Silver 4110 @ 2.10-GHz server.
Data Set: We use the MNIST data set, which consists of 60 000 training images and 10 000 test images of handwritten digits from "0" to "9." Each sample contains 784 features, representing the 28 × 28 pixels of the image. In this article, we use PyTorch 1.7.0 to build and train a LeNet deep learning model to evaluate the performance of our scheme.
Based on the above theoretical analysis, we know that there is a large performance difference between the improved scheme and the comparison schemes in the generation of the re-encryption key rk_i in the KeyGen phase. Therefore, we tested the re-encryption key generation time of the improved scheme and the comparison schemes [8], [32] under different numbers of participants; the specific test results are shown in Fig. 4.
As shown in Fig. 4, the improved scheme has a longer running time than the comparison schemes in the re-encryption key generation process as the number of participants grows over {100, 200, ..., 1000}. However, key generation is only an initialization step performed before training and does not need to be repeated in each iteration during iterative training, so it has little impact on the overall training time. In addition, owing to the change in the re-encryption key generation process, the security of the improved scheme is greatly improved over the original scheme [8].
Since the main purpose of the scheme is to complete the training of the deep learning model while guaranteeing the accuracy of the model, we also tested the running time of the improved scheme and the comparison schemes with different numbers of training parameters; the specific test results are shown in Fig. 5.
As shown in Fig. 5, the running time of the improved scheme is almost the same as that of the comparison schemes [8], [32] as the number of parameters grows over {100, 200, ..., 1000}. The results demonstrate that the running time is approximately proportional to the number of parameters. This is because the improved scheme finishes the initialization of the parameters before the iterative training of the model, and there is no need to repeat the initialization during training, so the training time of the model is basically the same as that of the original scheme [8].
Then, we tested the effect of different numbers of model parameters on the training accuracy; the experimental results are shown in Fig. 6.
From Fig. 6, it can be seen that as the number of parameters increases over {10 000, 20 000, ..., 60 000}, the training accuracy of the model also grows. However, the running time of the model rises with the number of parameters as well. Therefore, to train the model more efficiently, participants can make a compromise between runtime and accuracy by selecting an appropriate number of model parameters for training.
Finally, we tested the accuracy of the model for learning rates α = 0.01, α = 0.001, and α = 0.0001; the specific experimental results are shown in Fig. 7. As shown in Fig. 7, when α = 0.01, the accuracy of the model varies irregularly as the epochs grow, because the poor choice of learning rate causes the model to oscillate around a local optimum and fail to converge to the optimal point. The overall accuracy of the model at α = 0.001 and α = 0.0001 increases as the epochs grow over {0, 5, 10, ..., 40}, and the model reaches its highest accuracy of 99.06% at α = 0.0001.

VIII. CONCLUSION
In this article, we analyzed and improved the DeepPAR asynchronous deep learning scheme designed by Zhang et al. to address its security issues. First, we analyzed the security problems in the original DeepPAR scheme. Then, we proposed an improved scheme that addresses these security problems and provided a detailed analysis and discussion of its security. Finally, we compared the improved scheme with the original DeepPAR scheme in terms of communication overhead, computational cost, and experimental performance. The runtime of the improved scheme is higher than that of the original scheme in the initialization phase, while its runtime during training and its training accuracy are basically the same as those of the original scheme; however, the security of the improved scheme is higher, making it more suitable for highly privacy-sensitive scenarios such as deep learning. In future work, we will focus on other attack methods, such as reconstruction attacks, model inversion attacks, and attribute-inference attacks, in the privacy-preserving FL framework.
Zhiyong Hong received the B.S. and M.S. degrees