I Introduction
Blockchain, disrupting the current centralized models, is heralded as the next paradigm innovation in digital networks, which opens a door to uncharted cyberspace with everincreasing security, verifiability and transparency concerns. The performance of Blockchain heavily relies on the adopted consensus mechanisms in terms of efficiency, consistency, robustness and scalability. The aim of consensus mechanisms is orchestrating the global state machine so as to agree on the order of deterministic events and screen out invalid events. Undisputedly, the most popular consensus mechanism is PoW, which is adopted by two mainstream Blockchain systems, namely Bitcoin and Ethereum.
PoW determines accounting rights and rewards through the competition among nodes (miners) to solve a hard cryptographic puzzle by bruteforcing, which is called mining, an extremely computationhungry process. It is reported that the total electricity consumption of Bitcoin is comparable to that of Austria annually; the electricity that a single Bitcoin transaction expends is equal to 22.32 U.S. households powered for one day [9]. The energywasting way of PoW deviates from the sustainable and environmentfriendly trend for current technology development, thus diluting its value and hindering its further application.
To tackle the drawback of PoW, researchers proposed solutions from two different perspectives: energyconservation and energyrecycling. Proof of stake (PoS) [16] and votingbased consensus algorithms [23] are typically energyconservation approaches. They economize on energy by cutting down the mining difficulty of rich stakeholders or their delegates. Nondemocracy is an obvious side effect of these approaches since they have a bias toward wealthy peers. Furthermore, their mining process, even with reduced difficulty, is still considered as waste on useless computation.
Energyrecycling consensus algorithms address the energywasting issue of PoW from a different angle. They recycle the energy which is originally employed to solve cryptographic puzzles for useful tasks. For instance, the mining energy can be repurposed for finding long prime chains [15], matrix computation [26], image segmentation [21]
and deep learning
[7]. The idea of energyrecycling consensus algorithms, i.e., turning the meaningless proof of work into practical tasks for completing the consensus of Blockchain, undoubtedly deepens the integration of Blockchain and other fields, expanding the application scope of Blockchain.In this paper, we propose a novel energyrecycling consensus algorithm: proof of federated learning (PoFL), where the energy originally wasted to solve difficult but meaningless puzzles in PoW is reinvested to federated learning. Federated learning [6]
is a distributed machine learning approach, with the idea of bringing code to data rather than the reverse direction. In federated learning, a highquality model maintained by a central server can be learned through aggregating locallycomputed updates, which are sent by a loose federation of participating clients. Since the local training dataset of each client will not be sent to the central server, privacy and security risks are significantly reduced.
Besides PoFL can inherit the advantage of energyrecycling consensus algorithms, we propose it also because PoW and federated learning have a natural fit in terms of organization structure. Due to the huge difficulty for individual mining, pooledmining becomes a trend of PoW, where miners join pools, gathering their computational power, to figure out the cryptographic solution and then the pool manager of each pool allocates rewards proportionally to each miner’s contribution. In other words, both pooledmining and federated learning has a clustering structure. Thus, when the cryptographic puzzle in PoW is replaced with federated learning, the cluster head, namely the pool manager, can coordinate the locallycomputed results updated by pool members (miners) to form a highquality model.
However, the fit of the organization structure does not imply it is nontrivial to realize PoFL. In detail, the merit of federated learning lies in that all clients collaboratively train a highquality model while keeping their training data private from others, where the usufruct and ownership of local training data is an integration. However, the openness of Blockchain endows anyone with the right of mining, i.e., the local model training in PoFL, which results in the separation between the data usufruct and ownership. This may lead to data privacy leakage in model training and verification, deviating from the original intention of federal learning.
Our paper aims to address the above challenge so that PoFL can meet practical demands. To the best of our knowledge, our paper is the first work to employ federal learning as the proof of work for Blockchain, where the main contributions are summarized as follows:

A general framework of PoFL is introduced, which clarifies the interaction among all entities involved and designs a new PoFL block structure for supporting block verification so as to realize the consensus for Blockchain.

A reverse gamebased data trading mechanism is proposed to leverage market power for guarding against training data leakage. This mechanism can determine the optimal data trading probability and pricing strategy even when a pool conceals his
^{1}^{1}1We denote the pool as “he” and the data provider as “she” for differentiation in the following. profit from privacy disclosure. Driven by the proposed mechanism, a pool with a high risk of privacy disclosure has a low data trading chance and needs to pay a high purchase price, which further incentivizes pools to train models without any data leakage. 
A privacypreserving model verification mechanism is designed to verify the accuracy of a trained model while preserving the privacy of the task requester’s test data as well as the pool’s submitted model. The proposed mechanism consists of two parts: the homomorphic encryption (HE)based label prediction and the secure twoparty computation (2PC)based label comparison.
The remaining part of the paper proceeds as follows. In Section II, we introduce an overview of our proposed PoFL. To cope with the training data exchange between data providers and pools, we proposed an incentivecompatible data trading mechanism based on the reverse game in Section III. In order to calculate the accuracy of model without disclosing either the test data or the model itself, we proposed a privacypreserving model verification mechanism based on HE and 2PC in Section IV. We conduct an experimental evaluation to illustrate the effectiveness and efficiency of our proposed PoFL in Section V, and summarize the most related work in Section VI. The whole paper is concluded in Section VII.
Ii Framework of PoFL
PoFL employs federated learning to solve realistic problems with practical value to achieve consensus in Blockchain. In our proposed PoFL framework, the problems such as image recognition and semantic analysis are published as tasks on a platform by requesters, along with the corresponding rewards as incentives for mining. Considering that the amount of reward can indirectly reflect the importance and urgency of a task, we assume that the platform will choose the task with the highest reward as the current problem which should be solved by miners as a proofofwork to reach consensus. In the case of multiple tasks with the same highest reward, the platform will select the earliestarrived one.
As mentioned above, pooledmining has become a development trend in Blockchain currently, which has a similar organization structure with federated learning. Therefore, we investigate PoFL under the pooledmining paradigm in this paper, whose framework is shown in Figure 1.
According to Figure 1, pool members (miners) train machine learning (ML) models individually based on their private data to obtain locallycomputed updates, which will be aggregated by the pool manager so as to achieve a highquality model. This process is named as federated mining. After accuracy computation with the requester’s test data, each pool manager packages transactions and generates a new block containing the information needed for model verification. Once receiving blocks, full nodes will identify the winner pool through verifying model accuracy. The winner pool should send his model to the requester, thus obtaining the accounting right and the corresponding reward.
To implement federated learning, miners in the same pool will collectively train their models without any centralized storage, which is coordinated by the pool manager. With respect to the different storage characteristics of data, there are various types of federated learning, such as horizontal federated learning, vertical federated learning, and federated transfer learning. Here we use horizontal federated learning as an example to illustrate the federated mining process
^{2}^{2}2Other types of federated learning can also be implemented using our proposed mechanism. We omit them due to the limited length of the paper., in which the data of miners have the same kind of attributes belonging to different individuals. It is shown in Figure 2 and described as follows:
The pool manager broadcasts an initial model as well as a public key to the pool.

Each miner individually calculates the gradient value based on the private training data and other information received from the pool manager, which is encrypted using the received public key.

The pool manager decrypts the locallycomputed updates sent by miners, aggregating them for establishing a shared qualityimproved model.

According to the deadline for submitting model accuracy published by the platform, the pool manager determines whether or not the next round of training is needed. If not, federated mining is terminated. Otherwise, the aggregated results will be sent back to each miner for implementing Steps 2 and 3 repeatedly.
The sensitive training data could be either owned by the pool members themselves or bought from some data providers. In the latter case, the ownership and the usage right of the training data are separated, posing a potential risk of privacy leakage. To avoid this undesirable situation, we propose a reverse gamebased data trading mechanism in Section III, which leverages the power of the market so that the lower risk of the pool leaking data privacy, the higher the probability that the pool can buy sensitive data, and the lower the price the pool needs to pay, thus incentivizing the pool to behave well.
Once a pool accomplishes the training process, the pool manager will calculate the accuracy of the final model based on the test data provided by the requester. However, on one hand, the requester’s test data may also be sensitive that are not suitable to directly send to the pool or any third party for accuracy verification due to the privacy leakage concern; on the other hand, the pool manager is not willing to publish the trained model explicitly before the end of consensus competition to avoid being plagiarized by other competitors^{3}^{3}3In this case, a competitor may make an opportunistic choice–not training model but submitting a result just slightly modified based on the contributions published by others.. To overcome the above challenges, we propose a privacypreserving model verification mechanism, which is detailed in Section IV. Note that this mechanism can also be employed by full nodes to verify the accuracy of all received models with the help of the requester’s test data.
However, the current block structure does not contain any modelrelated parameters, which makes the full nodes not able to verify blocks to achieve the final consensus in Blockchain. To solve this problem, we design a new block structure, which is shown in Figure 3. The proposed block header keeps some information in the existing block structure, such as the hash value of the previous block header for maintaining the chain structure, the Merkle tree root for securing transactions, the block height counting from the first block, and the tamperresistant timestamp. In addition, in order to facilitate other nodes verifying the accuracy of the model for each pool in the network, we include task, and accuracy in the POFL block header. To be specific, task is the current executed one by all miners, which is selected by the platform; is the information used for verifying model accuracy, detailed in Section IV; and accuracy indicates the accuracy of the ML model trained by the pool.
Iii Reverse gamebased data trading mechanism
As mentioned above, when training data are bought from some data providers, there is a potential risk of privacy leakage due to the separation between the ownership and the usage right of the data. An intuitive countermeasure is that data providers encrypt their sensitive data and send them to the pool for miners’ training. However, this will make the training time too long, which further impacts the block generation rate and overall performance of Blockchain. Take the training on the encrypted MNIST dataset [20] as an example. It takes 570.11 seconds to run a single instance using CryptoNets model [10]
and nearly 57 hours to train two epochs using CryptoCNN model
[27]. Therefore, it is not practical to employ encrypted data to train ML models for consensus in Blockchain.To tackle the above challenge, we propose a reverse gamebased data trading mechanism, which takes advantage of market power to make a rational pool maximize his utility only when he trains the model without any data leakage. The proposed mechanism leverages the reverse game to describe the cooperative and conflictive relationship between the pool and the data provider, which is an efficient tool to explore the solutions for a class of privateinformation games. The pool also has private information in reality, such as the net profit of pooledmining and the profit of disclosing data privacy. This information is tightly related to the probability that the pool discloses training data, which will never be told to the data provider. Leveraging on the reverse game theory, the data provider can determine the optimal trading probability and the corresponding price without knowing the private information of the pool, thus preserving the privacy of the training data using the market as a tool.
In our mechanism, the data trading probability and its purchase price depend on not only the private information of the pool but also his reputation. The reputation of the pool is calculated according to his data privacy disclosure record. In order to establish a credible reputation mechanism, we publish the data trading records between the pool and the data provider on Blockchain. Due to the features of transparency and traceability of Blockchain, once a piece of data is disclosed, the malicious pool can be easily detected and will be accountable for this information leak with a reduced reputation. This further affects the data trading probability and the purchase price of the pool in the future.
The reverse gamebased data trading mechanism selects the pool manager as the representative to conduct data trading with data providers. This design is based on two considerations: 1) It can avoid the waste of resources caused by two pool members in the same pool purchasing two copies of the same data; 2) The pool manager is able to have the knowledge of the data amount used for training in the entire pool, so that the amount of training data for each miner can be distributed as evenly as possible, which acts as the cornerstone of the average income allocation after successful mining. Once the data trading process is finished, the data provider directly sends the data to the corresponding miner, which helps avoid the communication overhead and possible privacy leakage risks caused by the pool manager’s transmission^{4}^{4}4Each miner can acquire training data directly from one or more data providers which are assigned by the pool manager according to the data trading contracts, rather than obtain all data from the pool manager who need to collect training data from all data providers..
To optimize the incompleteinformation game between the data provider and the pool, the data provider is empowered to design a game rule, which can enforce the pool to derive the strategy based on his real private information. This requires the game rule to satisfy the incentive compatibility (IC) principle, implying that the game rule can enable the pool to obtain a higher utility when he develops the strategy based on the real private information rather than the fake one. In particular, the expected utility () of the pool within a duration is defined as:
(1) 
In (1), is the legally expected net profit of a pool from this data trading; is the expected profit of leaking those sensitive data, which is closely related to the pool’s reputation and the value (sensitivity) of the data, denoted by , so we define it as with being coefficients; and are respectively the bid of the pool and the markup price proposed by the data provider, and thus the final price of the traded data is ; is the probability that the pool can successfully purchase data from the data provider, which can be obtained by
(2) 
In (2), and are respectively the highest values of and in the recent rounds of data trading; and are coefficients satisfying and . The above equation indicates that the higher the reputation of the pool or the higher the final price for the sensitive data, the more willing the data provider to sell the data. Our mechanism requires that at the beginning of the data trading process, the rule for calculating the successful trading probability shown in (2) will be informed to both parties, i.e., the data provider and the pool.
Similarly, the expected utility () of the data provider within a duration is defined as:
(3) 
In (3), is the expected loss brought by sensitive data leakage, defined as , which has the similar definition with and are coefficients. With a higher value of the sensitive data, the markup price proposed by the data provider, namely , should also be higher. So we define , with being the coefficient.
In the reverse gamebased data trading mechanism, the strategies of the pool and the data provider are respectively and . In other words, the strategy of the data provider is not a value but a rule, i.e., a function, which empowers the data provider to force the pool to make the optimal bid based on his real private information, such as the legally expected net profit () of a pool from this data trading and his expected profit () from leaking sensitive data. Our proposed mechanism is illustrated in Fig. 4, which includes three phases:

Phase 1: The data provider first designs an optimal game rule which can maximize her utility.

Phase 2: Once receiving , the pool needs to decide whether or not to accept the game rule. If yes, he will calculate the optimal bid according to for maximizing his utility. Otherwise, he just ignores the received message.

Phase 3: If the data provider does not receive before a given deadline, the trading negotiation is terminated. Otherwise, she will calculate and thus the probability of data trading in this round, i.e., , can also be derived in light of (2). Once the data provider and the pool reaches an agreement on the data trading, the final price of the training data is .
In the following, we will introduce how to obtain the optimal strategies of both parties, i.e., and . Let , the integrand of (3). To maximize , we adopt the variational method. In detail, through solving the EulerLagrange equation under , we have
(4) 
Similarly, let the integrand of (1) be . The optimal strategy of the pool can also be calculated through the variational method. That is,
(5) 
in which
Theorem III.1.
When , in (4) is the equilibrium strategy of the data provider.
Proof.
According to the variational method, when and , can be maximized. Because is not related to , and . Thus, the condition of maximizing is simplified to , implying should be met. However, if , in (4) will be meaningless, so should be satisfied. Due to and , when is satisfied, can be maximized. Thus, the theorem is proved. ∎
By the similar way, we can obtain the following theorem:
Theorem III.2.
When , in (5) is the equilibrium strategy of the pool.
Theorem III.3.
The game rule designed by the data provider is incentivecompatible.
Proof.
We assume that and are the fake private information, based on which a dishonest strategy is reported to the data provider. Due to and , . Because is maximized only when his strategy is according to (5), . Thus, the pool can maximize his utility only if he reports the strategy based on the true privacy information. In other words, the game rule is incentive compatible. ∎
The game rule satisfying the incentivecompatibility principle drives the pool to calculate based on his real private information. As the strategy of the data provider is a function of , i.e., , it will also be derived based on real private information. This is equivalent to the situation where both the pool and the data provider make the optimal strategies for maximizing their utilities based on the global information known by two sides. In addition, the incentivecompatibility of the game rule enforces both and to reveal the risk of the data privacy leakage in this round of data trading. This is because they are calculated based on the real private information of the pool, i.e., his legally expected net profit () from this data trading and expected extra profit () from leaking sensitive data, while both rational players in the reverse game are utilitydriven, making and closely related to whether the data traded in this round will be leaked or not. Therefore, the calculation of successful trading probability in (2) can reduce or even prevent privacy leakage behavior since it depends on not only the historical data privacy leakage behavior of the pool but also the privacy leakage risk in this round.
Iv Privacypreserving Model Verification Mechanism
As we mentioned above, after each epoch of training, the model accuracy should be calculated based on the test data of the requester. However, on one hand, the test data may be sensitive so that the requester is not willing to share them; on the other hand, the trained model should not be published before the end of consensus competition to avoid being plagiarized by other competitors. To address this challenge, we design a privacypreserving model verification mechanism to verify the accuracy of the trained model without information disclosure from either the requester or the pool. This mechanism can also be used by full nodes to verify the accuracy of models when receiving blocks from pools.
The accuracy of the trained model is evaluated by the number of the same predicted labels as the actual ones. Hence, the model verification in our mechanism is divided into two parts, i.e., label prediction and label comparison. To illustrate how our mechanism accomplishes label prediction and comparison, we take the deep feedforward network model^{5}^{5}5Other models can be processed in the same way. as an example, which is a typical type of deep learning network structure.
Iva Homomorphic encryptionbased label prediction
According to the design of the deep feedforward network, the value of a node in each layer is calculated based on the inputs from the last layer, which is . Here,
represents the sigmoid function and
, whereis the weight vector and
is the bias of node , with denoting all nodes in the last layer. Particularly, the input of the first layer is the test data of the requester , where is the th attribute in the th row of data with and with indicating how many pieces^{6}^{6}6For instance, one piece of data in a medical dataset denotes the data of one patient. of test data that the requester owns and denoting the number of attributes in each piece of data; while the last item of each piece of test data, i.e., (), is the label.Since is sensitive for the requester, to avoid leaking in the process of calculating the accuracy of models, an effective method is secure twoparty computation (2PC). For example, Rouhani et al. [25] realized privacypreserving label prediction utilizing 2PC. However, the communication and computation complexity of directly using 2PC is too high, making the efficiency of label prediction relatively low. To address this problem, we propose the homomorphic encryption (HE)based label prediction. In detail, the requester only needs to send the encrypted , denoted as , as well as the corresponding public key to the pool, who can use HE to calculate the outputs of the second layer, i.e., , based on the first (input) layer of encrypted data attributes. This is because the HE technology can output the desired calculation results in plaintext with operations on the ciphertext. Assuming that the number of nodes in the first layer is the same as the number of attributes, i.e., , and the number of nodes in the second layer is represented by . Take the first piece of data as an example, we can calculate the value of node in the second layer as:
(6) 
in which and are the corresponding computation of and under HE, and is also operated with calculation.
In order to prevent disclosing the real value of () from the requester, the pool masks them with a random vector , which can be encrypted to with the requester’s public key. So is calculated as follows:
(7) 
Once the requester receives , she decrypts them with the private key and sends back in plaintext to the pool, which helps to calculates serving as the input of the next layer in the deep feedforward network. After that, the rest layers in the deep feedforward network model can be calculated locally by the pool with no need to interact with the requester until deriving the predicted labels.
IvB 2PCbased label comparison
After label prediction, label comparison starts, where the accuracy of the model can be derived through counting the number of the same predicted label as the actual one (). However, there still exists the privacy protection issue in this process. On one hand, the pool is not willing to disclose the predicted label since the trained model might be inferred from this side information. On the other hand, the actual label is sensitive data for the requester as we mentioned above. To overcome this challenge, we propose a 2PCbased label comparison. The main reason of using 2PC lies in that it is easy to employ a garbled circuit (GC) to describe the label comparison process so that this process can be completed efficiently, since the efficiency of 2PC is closely related to the GC construction in both the communication and computation complexity [5] [17] [24].
To realize the proposed method, we firstly design the boolean circuit for comparison as shown in Fig. 5. The inputs of the circuit are and , both of which are assumed to be bit, and the output is the total number of correct predictions. Based on our circuit design, if , the statistical total number of correct prediction adds 1. Otherwise, this is an erroneous one and adds 0. Even though the accuracy should be calculated by , we use the total number of correct predictions to denote it for simplicity since is stable in one round of calculation, verification and comparison.
The cost of GC is linearly correlated with the number of garbled gates [13]. Taking advantage of the freeXOR technology [17], XOR can be free, implying that XOR does not need associated garbled tables and the corresponding hashing or symmetric key operations. Therefore, a direct way to improve the performance is reducing the number of costly garbled gates, namely those nonXOR gates. In detail, to compare two values, a SUB gate is supposed to be exploited, which is a nonXOR gate. In our scheme, we replace the SUB gate with a combination of an XOR gate and a NOT gate shown in Fig. 6. Note that the NOT gate is also free since it can be implemented using an XOR gate with one of the inputs as constant 1. We summarize the number of nonfree binary gates of our circuit in Table I, where the bit Adder denotes all the adders from 1 bit to bit, namely .
Gate  OR  nbit Adder  All Gates 

Number 
After the fundamental construction of the boolean circuit, we employ JustGarble [5] for garbling, due to its optimization in high efficiency, proven security and garbled row reduction. In short, to garble a circuit is to encrypt the inputs and outputs of the gates in the circuit and disorder the permutation of them. We omit the description of detailed operation for garbling because they are simple variable operations like a couple of shifts. It is worth mentioning that the time cost of the above garbling way is in the level of nanoseconds per gate, and the size of garbled tables is order of magnitude, which is efficient enough to meet the requirement for model verification.
Note that GC is finally composed of garbled tables, which gives the keys used to encrypt the inputs and output of each gate. After constructing GC, the pool sends it to the requester along with the corresponding keys of predicted labels, denoted as (). In order to verify the model accuracy without leaking the privacy of each other, the oblivious transfer (OT) [12][14] is adopted, by which the requester can only find out the corresponding keys of her actual labels () without any knowledge on the predicted labels, so neither the pool can know anything about the actual labels. After receiving the keys of inputs and , the requester can calculate the corresponding garbled encryptedoutput and evaluate GC to find out the actual output , which is the encrypted value of . Once receiving , the pool decrypts it and packages it in the block as accuracy.
It is worth noting that our model verification mechanism can also be utilized by full nodes to verify a model’s accuracy. Therefore, the encrypted weights and biases need to be packaged in the block with . All of these encrypted data are denoted by , which are stored in the block header as we mentioned in Section II.
V Experimental Evaluation
In this section, we evaluate our proposed PoFL through simulations based on synthetic and realworld data as follows.
Va Data trading
In this subsection, we study the impact of some key parameters in our proposed data trading mechanism. Firstly, we study the impact of the pool’s reputation . Here we set , , , , and to satisfy Theorems III.1 and III.2^{7}^{7}7Other parameters satisfying requirements are also evaluated, which presents similar performance trend. So we omit these results to avoid redundancy.. As shown in Fig. 7(a), when , the maximum utilities of both the pool and the data provider quadratically increase. The similar trend happens on the probability that the pool can purchase training data as illustrated in Fig. 7(b). The reason behind these facts is that the higher will bring a higher data trading probability in light of (2) and a lower expected loss brought by sensitive data leakage according to (3), which together contribute to the increase of utilities for both sides.
Then we examine the impact of the pool’s legally expected net profit , which is reported in Fig. 7(c)(d). Note that the parameter setting here is the same as the above ones except the varying and . It can be observed from figures that both maximum utilities and the data trading probability increase with . This is because the larger , the higher the data price that the pool is willing to provide, which not only increases as defined in (2) but also improves the utilities for both sides due to (1) and (3).
Next, we evaluate the impacts of and on data trading, which directly reflect the expected profit of leaking private data, i.e., . With the same mentioned above, we use in Fig. 8(a)(b) and in Fig. 8(c)(d). As shown in Fig. 8(a)(c), with the increase of and , which is equivalent to the increase of , the maximum utility of the pool increases due to his selling of sensitive data, while the utility of the data provider decreases because of her increasing loss brought by data leakage. According to Fig. 8(b)(d), one can tell that as the extra profit that the pool can gain from leaking data increases, the probability he can obtain the data is decreasing significantly, which can act as a reverse driving force for the legal behavior of the pool.
VB Federated mining
We simulate the federated mining process based on the CIFAR10 dataset [18] with 50,000 training samples which is composed of 10 classes of images with three RGB channels. Here we set that the initial model selected by the pool manager is AlexNet [19]. Even though there are other models with higher accuracy like more than 96.53% [11], AlexNet can function well as an example in our proposed mechanism. In fact, how to select the initial model is out of the scope of our work.
To be specific, we take the linear regression training as an example
^{8}^{8}8Other training functions can be implemented in a similar way.. We use Batch Gradient Descent (BGD) to optimize the parameters of the model. Assuming that the total number of miners contributing to federated mining in the pool is and the learning rate is . Fig. 9(a) illustrates, when the learning rate changes, the convergence speed to achieve certain accuracy is different but it is not the case where the higher the learning rate the better. This is because indicates the length of step in the direction of gradient. If is too small, the training process can be timeconsuming; while if it is too large, it may cause excessive loss as the gradient obtained from the training data is an approximate value of the real one.Assuming that the whole dataset is evenly distributed among miners in the pool and each miner has the same proportion of the dataset, which is equivalent to . It turns out that the larger the portion of data each miner owns, the faster to reach the highest accuracy, shown in Fig. 9(b). This is because with more data, the calculated gradient will be closer to the real value for the fastest gradient descent.
VC Accuracy calculation
After federated mining, the model of each pool is translated and encrypted to calculate the accuracy based on the privacypreserving model verification mechanism. We conduct the numerical analysis on both computation and communication cost of HE and construction affected by data quantity.
We first study the communication cost between the pool manager and the requester, changing with data quantity. Assuming that there are four layers with 256, 16, 16, 10 nodes respectively in the model, the communication cost of HE and OT of is shown in Fig. 10(a). As we can see, the communication cost of HE is almost linear to the quantity of data. This is because the exchanged data are , and , which are linearly increasing with data quantity. In addition, the communication cost of OT in is also increasing with data quantity since it is related to the number of garbled gates. According to Table I, the number of garbled gates is changing with , where is exactly the data quantity.
Then we present the computation costs of both HE and GC in Fig. 10(b). During HE, both the costs of the pool and the requester increase linearly with data quantity but the cost of the pool increases faster than that of the requester. This is because the requester can complete a lot of calculation offline, such as the encryption of the test data, then the online calculation only refers to the decryption of ; while for the pool, he has to calculate a lot of intermediate results, such as and , which costs him more compared to that of the requester when data quantity increases. While the time cost of GC consists of two parts, garbling the circuit of the pool and evaluating GC of the requester. We use the best PRMbased garbling scheme of JustGarble system called GaX and our processor runs at 3.20 GHz [5]. The consumption of GC construction is proportional to the number of nonfree gates in the circuit, which is also changing with .
VD Accuracy verification
When blocks are generated, it comes to the accuracy verification process of full nodes. The time for full nodes to verify accuracy and reach a consensus is very significant. The shorter the time, the better the efficiency and the higher the security. In our proposed mechanism, the main time spent on verification is accuracy sorting and testing. The time of sorting is based on the operating speed and the number of blocks. For the operating speed, we take ASIC in [2] as an example. Referring to the average sorting time of ASIC, the time consumption increases with the number of models as shown in Fig. 11(a). While for the number of received blocks, according to the statistics of Bitcoin [1], there are 9,364 nodes at present. Thus, the time of sorting all the accuracy of received blocks in our system will not exceed 60 microseconds for full nodes.
After sorting the accuracy of models in a descending order, full nodes test these models from the first one. If the model with the highest accuracy is verified to be true, there is no need to test other models. Otherwise, the second one will be tested until finding the first model with verified accuracy being the same as that stored in the block header. The quantity of our test data is set as 10,000. The average time for full nodes to test the accuracy of models is between 1.65 seconds and 1.7 seconds as shown in Fig. 11(b). In addition to the time of sorting, all the time we need is no more than 2 seconds.
Vi Related Work
Many attempts have been made to find valuable work as a substitute of puzzles in PoW, which should be difficult to solve but easy to verify. Initially, researchers take a small step forward replacing the nonce with some mathematic problems. Primecoin [15] requires miners to find long prime chains for the proof of work. There are many similar problems [4], such as orthogonal vectors, allpairs shortest paths problem and rSUM, which requires to find r numbers to have their sum be zero. However, there is no significant practical value in solving these mathematical problems at the cost of ridiculously large amounts of energy.
Next, more diverse and improved attempts are proposed. In PoX (proof of exercise) [26], scientific computation matrixbased problems are sent by employers to a thirdparty platform where miners select tasks to solve. Permacoin [22] proposes PoR (proof of retrievability) to investigate the storage space and memory for a file or file fragment, where the mining is not associated with computation but storage resources. PieceWork [8] reuses the wasted work for additional goals such as spam prevention and DoS mitigation by outsourcing.
In recent, the combination of deep learning and Blockchain has appeared. A substitution of PoW named PoDL (proof of deep learning) [7] first uses deep learning for Blockchain maintenance instead of useless hash calculation, which only needs to add some new components to the block header and thus can be applied to the current cryptocurrency systems. However, the user needs to provide a complete training dataset for model training and test datasets for verification to all miners, which sacrifices data privacy and may frustrate the data provider to apply Blockchain. Besides, image segmentation is employed in [21], which defines the segmentation model as proof. Furthermore, Coin.AI [3] proposes a proofofstorage scheme to reward users for providing storage for deep learning models.
Vii Conclusion
In this paper, we propose a novel energyrecycling consensus algorithm named PoFL, where the cryptographic puzzles in PoW is replaced with federated learning tasks. To realize PoFL, a general framework is introduced and a new PoFL block structure is designed for supporting block verification. To guarantee the privacy of training data, a reverse gamebased data trading mechanism is proposed, which takes advantage of market power to make a rational pool maximize his utility only when he trains the model without any data leakage, thus further motivating pools to behave well. In addition, a privacypreserving model verification mechanism is designed to verify the accuracy of a trained model while preserving the privacy of the task requester’s test data as well as avoiding the pool’s submitted model to be plagiarized by others, which employs homomorphic encryption and secure twoparty computation in label prediction and comparison, respectively. Extensive simulations based on synthetic and realworld data demonstrate the effectiveness and efficiency of PoFL.
References
 [1] (2019) Note: BTC[Online]. Available: https://bitnodes.earn.com/ Cited by: §VD.
 [2] (2017) An efficient o () comparisonfree sorting algorithm. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 25 (6), pp. 1930–1942. Cited by: §VD.
 [3] (2019) Coin.ai: a proofofusefulwork scheme for blockchainbased distributed deep learning. arXiv preprint arXiv:1903.09800. Cited by: §VI.
 [4] (2017) Proofs of useful work.. IACR Cryptology ePrint Archive 2017, pp. 203. Cited by: §VI.
 [5] (2013) Efficient garbling from a fixedkey blockcipher. Note: Cryptology ePrint Archive, Report 2013/426https://eprint.iacr.org/2013/426 Cited by: §IVB, §IVB, §VC.
 [6] (2019) Towards federated learning at scale: system design. arXiv preprint arXiv:1902.01046. Cited by: §I.
 [7] (2019) Energyrecycling blockchain with proofofdeeplearning. arXiv preprint arXiv:1902.03912. Cited by: §I, §VI.
 [8] (2017) (Short paper) piecework: generalized outsourcing control for proofs of work. In International Conference on Financial Cryptography and Data Security, pp. 182–190. Cited by: §VI.
 [9] (2019) Bitcoin energy consumption index. Note: [Online]. Available: https://digiconomist.net/bitcoinenergyconsumption, Cited by: §I.

[10]
(2016)
Cryptonets: applying neural networks to encrypted data with high throughput and accuracy
. In International Conference on Machine Learning, pp. 201–210. Cited by: §III. 
[11]
(2014)
Fractional maxpooling
. CoRR abs/1412.6071. External Links: Link, 1412.6071 Cited by: §VB.  [12] (2008) OTcombiners via secure computation. In Conference on Theory of Cryptography, Cited by: §IVB.
 [13] (2011) Efficient secure computation with garbled circuits. In International Conference on Information Systems Security, pp. 28–48. Cited by: §IVB.
 [14] (2009) Efficient oblivious pseudorandom function with applications to adaptive ot and secure computation of set intersection. In Theory of Cryptography Conference on Theory of Cryptography, Cited by: §IVB.
 [15] (2013) Primecoin: cryptocurrency with prime number proofofwork. Cited by: §I, §VI.
 [16] (2012) Ppcoin: peertopeer cryptocurrency with proofofstake. selfpublished paper, August 19. Cited by: §I.
 [17] (2008) Improved garbled circuit: free xor gates and applications. In International Colloquium on Automata, Languages & Programming, Cited by: §IVB, §IVB.
 [18] (2009) Learning multiple layers of features from tiny images. Technical report Citeseer. Cited by: §VB.
 [19] (2012) Imagenet classification with deep convolutional neural networks. In Advances in neural information processing systems, pp. 1097–1105. Cited by: §VB.
 [20] (2010) MNIST handwritten digit database. Note: [Online]. Available: http://yann.lecun.com/exdb/mnist/ Cited by: §III.

[21]
(2019)
Exploiting computation power of blockchain for biomedical image segmentation.
In
Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops
, pp. 0–0. Cited by: §I, §VI.  [22] (2014) Permacoin: repurposing bitcoin work for data preservation. In Security & Privacy, Cited by: §VI.
 [23] (2018) A survey about consensus algorithms used in blockchain.. Journal of Information processing systems 14 (1). Cited by: §I.
 [24] (2009) Secure twoparty computation is practical. In International Conference on the Theory & Application of Cryptology & Information Security: Advances in Cryptology, Cited by: §IVB.
 [25] (2018) Deepsecure: scalable provablysecure deep learning. In Proceedings of the 55th Annual Design Automation Conference, pp. 2. Cited by: §IVA.
 [26] (2017) Sustainable blockchain through proof of exercise. In 2017 IEEE 16th International Symposium on Network Computing and Applications (NCA), pp. 1–9. Cited by: §I, §VI.
 [27] (2019) CryptoNN: training neural networks over encrypted data. arXiv preprint arXiv:1904.07303. Cited by: §III.