Securing Private Federated Learning in a Malicious Setting: A Scalable TEE-Based Approach with Client Auditing
Shun Takagi, Satoshi Hasegawa
Published on arXiv
2509.08709
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
The framework adds only a small constant overhead to clients in several realistic federated learning settings while providing formal DP privacy guarantees against malicious servers
In cross-device private federated learning, differentially private follow-the-regularized-leader (DP-FTRL) has emerged as a promising privacy-preserving method. However, existing approaches assume a semi-honest server and have not addressed the challenge of securely removing this assumption. This is due to the method's statefulness, which becomes particularly problematic in practical settings where clients can drop out or be corrupted. While trusted execution environments (TEEs) might seem like an obvious solution, a straightforward implementation can introduce forking attacks or availability issues due to state management. To address this problem, our paper introduces a novel server extension that acts as a trusted computing base (TCB) to realize maliciously secure DP-FTRL. The TCB is implemented with an ephemeral TEE module on the server side to produce verifiable proofs of server actions. Some clients, upon being selected, participate in auditing these proofs with small additional communication and computational demands. This extension reduces the size of the TCB while maintaining the system's scalability and liveness. We provide formal proofs based on interactive differential privacy, demonstrating the privacy guarantee in malicious settings. Finally, we experimentally show that our framework adds only a small constant overhead to clients in several realistic settings.
Key Contributions
- Novel TEE-based server extension acting as a trusted computing base (TCB) with ephemeral module that produces verifiable proofs of server actions, enabling maliciously secure DP-FTRL
- Client auditing protocol that lets a subset of selected clients verify server proofs with small additional communication and computational overhead, reducing TCB size while maintaining scalability and liveness
- Formal privacy proofs under the interactive differential privacy framework demonstrating DP guarantees hold against a malicious adversary, including handling client dropout and Sybil attacks
🛡️ Threat Analysis
The adversary is a malicious server (Dolev-Yao model) who can deviate from the DP-FTRL protocol — e.g., skipping or reducing noise injection — to learn more about client training data than DP bounds allow. The TEE-based TCB and client auditing mechanism directly defend against this threat by ensuring the DP mechanism is faithfully executed, bounding how much the adversary can extract about private training data. While the specific attack vector is 'bypassing DP' rather than gradient reconstruction, the underlying threat is an active adversary trying to extract private training data beyond the DP limit.