zkFL-Health: Blockchain-Enabled Zero-Knowledge Federated Learning for Medical AI Privacy
Savvy Sharma, George Petrovic, Sarthak Kaushik
Published on arXiv: 2512.21048
Model Inversion Attack (OWASP ML Top 10 — ML03)
Data Poisoning Attack (OWASP ML Top 10 — ML02)
Key Finding
Proposes a verifiable FL architecture in which ZK proofs cryptographically prevent a malicious aggregator from altering contributions and TEE isolation prevents gradient inversion attacks; no empirical evaluation results are presented (an evaluation plan is outlined for future work).
Novel technique introduced: zkFL-Health
Healthcare AI needs large, diverse datasets, yet strict privacy and governance constraints prevent raw data sharing across institutions. Federated learning (FL) mitigates this by training where data reside and exchanging only model updates, but practical deployments still face two core risks: (1) privacy leakage via gradients or updates (membership inference, gradient inversion) and (2) trust in the aggregator, a single point of failure that can drop, alter, or inject contributions undetected. We present zkFL-Health, an architecture that combines FL with zero-knowledge proofs (ZKPs) and Trusted Execution Environments (TEEs) to deliver privacy-preserving, verifiably correct collaborative training for medical AI. Clients locally train and commit their updates; the aggregator operates within a TEE to compute the global update and produces a succinct ZK proof (via Halo2/Nova) that it used exactly the committed inputs and the correct aggregation rule, without revealing any client update to the host. Verifier nodes validate the proof and record cryptographic commitments on-chain, providing an immutable audit trail and removing the need to trust any single party. We outline system and threat models tailored to healthcare, the zkFL-Health protocol, security/privacy guarantees, and a performance evaluation plan spanning accuracy, privacy risk, latency, and cost. This framework enables multi-institutional medical AI with strong confidentiality, integrity, and auditability, key properties for clinical adoption and regulatory compliance.
Key Contributions
- Healthcare-tailored system and threat model for cross-silo FL using a hybrid ZKP + TEE architecture with an untrusted aggregator threat model
- zkFL-Health protocol combining client cryptographic commitments, aggregator-side succinct ZK proofs of correct aggregation (Halo2/Nova), and blockchain-backed immutable audit trail
- Security, privacy, and compliance analysis covering confidentiality (TEE), integrity (ZKP), and auditability (blockchain) with HIPAA/GDPR alignment
🛡️ Threat Analysis
ZKPs verify that the aggregator used exactly the committed client inputs and the correct aggregation rule, defending against Byzantine/poisoning behavior by a malicious aggregator (dropping, altering, or injecting contributions). This is a Byzantine-fault-tolerant FL defense against a core ML02 threat in federated settings.
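The commit / aggregate / verify flow from the abstract and the three aggregator misbehaviors named above, as an added toy example that is not the paper's code: clients record SHA-256 commitments to their updates, the aggregator publishes a global update, and a verifier checks it against exactly the committed inputs and the FedAvg rule. The verifier here re-executes FedAvg over the openings, standing in for the Halo2/Nova proof (which gives the same verdict without revealing any update); the hospital names, update vectors, sample counts and nonces are constructed.

```python
import hashlib
import json

# Constructed sample round: three hospitals, 3-dimensional model updates, and
# each site's training-sample count (its FedAvg weight).
CLIENTS = {
    "hospital_a": ([0.10, -0.20, 0.30], 400),
    "hospital_b": ([0.00, 0.10, -0.10], 100),
    "hospital_c": ([-0.20, 0.05, 0.00], 500),
}

def commit(update, nonce: bytes) -> str:
    """Hiding, binding commitment a client records on-chain: SHA-256(update || nonce)."""
    return hashlib.sha256(json.dumps(update).encode() + nonce).hexdigest()

def fedavg(updates, weights):
    """The agreed aggregation rule: sample-count-weighted average of the updates."""
    total = sum(weights)
    return [sum(w * u[i] for u, w in zip(updates, weights)) / total
            for i in range(len(updates[0]))]

def audit(ledger, openings, weights, claimed_ids, global_update, tol=1e-9):
    """Verifier check (assumption: it sees the openings and re-runs FedAvg; the
    paper's ZK proof yields the same verdict without revealing any update)."""
    if set(claimed_ids) != set(ledger):
        return False, "input set differs from on-chain commitments (drop/inject)"
    for cid in ledger:
        if commit(*openings[cid]) != ledger[cid]:
            return False, f"opening for {cid} does not match its commitment (altered)"
    ids = sorted(ledger)
    expected = fedavg([openings[c][0] for c in ids], [weights[c] for c in ids])
    if any(abs(a - b) > tol for a, b in zip(expected, global_update)):
        return False, "global update is not FedAvg over the committed inputs"
    return True, "ok"

def run_round(tamper=None):
    """One round; `tamper` models an aggregator that drops, alters, or mis-aggregates."""
    nonces = {c: hashlib.sha256(c.encode()).digest() for c in CLIENTS}  # fixed for demo
    weights = {c: n for c, (_, n) in CLIENTS.items()}
    openings = {c: (u, nonces[c]) for c, (u, _) in CLIENTS.items()}
    ledger = {c: commit(u, n) for c, (u, n) in openings.items()}  # posted by clients
    used = dict(openings)  # what the aggregator actually feeds into aggregation
    if tamper == "drop":
        del used["hospital_b"]
    elif tamper == "alter":
        used["hospital_a"] = ([9.0, 9.0, 9.0], nonces["hospital_a"])
    ids = sorted(used)
    ws = [weights[c] for c in ids] if tamper != "wrong_rule" else [1] * len(ids)
    global_update = fedavg([used[c][0] for c in ids], ws)
    return audit(ledger, used, weights, ids, global_update)
```

`run_round()` returns `(True, "ok")`, while `run_round("drop")`, `run_round("alter")` and `run_round("wrong_rule")` each return `False` with the reason from the check that caught it.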
TEEs and cryptographic commitments directly defend against gradient inversion attacks in federated learning — the adversary is the untrusted aggregator attempting to reconstruct client training data from exchanged updates. The paper explicitly cites DLG and gradient inversion as core threats and uses TEEs to prevent the aggregator from observing raw client updates.