pith. sign in

arxiv: 2604.19053 · v2 · submitted 2026-04-21 · 💻 cs.CR · cs.DC

CHRONOS: A Hardware-Assisted Phase-Decoupled Framework for Secure Federated Learning in IoT

Hung Dang This is my paper

Pith reviewed 2026-05-10 03:01 UTC · model grok-4.3

classification 💻 cs.CR cs.DC
keywords secure federated learninghardware-assisted securityARM TrustZonegradient maskingIoT devicesShamir secret sharingphase decouplingsecure aggregation
0
0 comments X

The pith

CHRONOS decouples cryptographic setup from active training in secure federated learning to reduce latency while resisting OS compromises.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents CHRONOS as a framework that moves the cryptographic work for private gradient aggregation into a device's idle window, where a server-relayed Diffie-Hellman exchange occurs once per epoch. Keys and pseudorandom generator material are generated inside an ARM TrustZone enclave so private material never reaches normal operating system memory, and Shamir shares of the ephemeral key are sent to peers. In the active training phase clients apply a simple stream-cipher mask to their gradients and send them in one round, with the server reconstructing any dropped client's mask from the shares held by others. A hardware round counter prevents replay. If these steps work, resource-limited IoT devices could run secure federated learning without the long active-phase delays or large storage that current synchronous methods impose.

Core claim

CHRONOS executes a once-per-epoch server-relayed Diffie-Hellman key exchange during a device's idle window, generates ephemeral keypairs and derives PRG keys entirely within an ARM TrustZone enclave, seals pairwise secrets in the enclave, and distributes Shamir secret shares of the ephemeral private key to peers. During training clients mask gradients with a single stream-cipher evaluation and transmit them in one communication round; a hardware-backed round counter enforces single-use freshness, and the server reconstructs masks from peer-held shares if clients drop out.

What carries the argument

The phase-decoupled secure aggregation mechanism that performs all cryptographic setup in hardware-protected idle windows and uses Shamir secret sharing to recover masks for dropped clients.

If this is right

  • Clients send masked gradients in a single communication round during training.
  • Private keys never exist in Normal World memory, resisting OS-level compromise.
  • State-of-the-art gradient inversion attacks are thwarted on the transmitted masked values.
  • Active-phase aggregation latency drops by up to 74 percent compared with synchronous secure aggregation for 20 clients.
  • Persistent Secure World storage stays below 700 bytes per device and does not grow with model size.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same idle-window decoupling could be applied to other privacy-preserving distributed protocols that currently pay cryptographic cost during every active round.
  • Hardware enclaves may allow secure federated learning to scale to larger numbers of IoT clients without proportional increases in active-phase delay.
  • If the TrustZone assumption holds, similar designs could lower energy use on battery-powered devices by confining heavy crypto to periods when the device is already awake but idle.
  • Testing under higher dropout rates or with heterogeneous device idle schedules would reveal how robust the reconstruction mechanism remains in realistic IoT settings.

Load-bearing premise

The design assumes that ARM TrustZone enclaves remain uncompromised, that the server relays keys and reconstructs masks from shares without leaking information, and that devices have sufficient idle windows for the once-per-epoch key exchange.

What would settle it

A measurement on Rock Pi 4 devices showing either that private keys can be extracted from Normal World memory under CHRONOS, that active-phase latency is not reduced relative to synchronous secure aggregation, or that masked gradients can be inverted to recover individual client data.

read the original abstract

We propose CHRONOS, a hardware-assisted framework that decouples the cryptographic setup required for private gradient aggregation from the active training phase. CHRONOS executes a once-per-epoch server-relayed Diffie-Hellman key exchange during a device's idle window. It generates ephemeral keypairs and derives PRG keys entirely within an ARM TrustZone enclave, ensuring private keys never exist in Normal World memory. Pairwise secrets are sealed in the enclave, and Shamir secret shares of the ephemeral private key are distributed to peers. During training, clients mask gradients with a single stream-cipher evaluation and transmit them in one communication round. A hardware-backed round counter enforces single-use freshness. If clients drop out mid-round, the server reconstructs their masks from peer-held Shamir shares, preserving correct aggregation without repeating the round. Evaluation on Rock Pi 4 devices using OP-TEE demonstrates that CHRONOS achieves OS-level compromise resistance and thwarts state-of-the-art gradient inversion attacks. It reduces active-phase aggregation latency by up to 74% compared to synchronous secure aggregation for 20 clients. The system maintains a persistent Secure World storage footprint of fewer than 700 bytes per device, scaling independently of model dimension.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes CHRONOS, a hardware-assisted framework for secure federated learning on IoT devices that decouples cryptographic setup (once-per-epoch Diffie-Hellman key exchange and Shamir sharing of ephemeral private keys) from the active training phase using ARM TrustZone enclaves. Clients mask gradients with a single PRG stream-cipher evaluation in one round; the server reconstructs masks for mid-round dropouts from peer Shamir shares to enable correct aggregation. The work claims OS-level compromise resistance, resistance to state-of-the-art gradient inversion attacks, up to 74% reduction in active-phase aggregation latency versus synchronous secure aggregation (for 20 clients), and a persistent Secure World storage footprint below 700 bytes per device, demonstrated on Rock Pi 4 with OP-TEE.

Significance. If the security and performance claims hold, CHRONOS would offer a practical advance for resource-constrained IoT federated learning by leveraging hardware enclaves to reduce online cryptographic overhead while addressing dropouts without round restarts. The phase-decoupling idea, low persistent storage, and hardware-backed freshness are concrete engineering strengths that could influence systems work on secure aggregation.

major comments (2)
  1. [Abstract] Abstract and dropout-handling description: the claim that the system 'thwarts state-of-the-art gradient inversion attacks' is load-bearing for the central security contribution, yet the server is explicitly allowed to reconstruct individual plaintext gradients for any mid-round dropout by collecting Shamir shares of the dropped client's ephemeral private key, deriving the PRG mask, and subtracting it from the received masked gradient. This directly enables inversion attacks on those clients' gradients in IoT settings with frequent dropouts, without any qualification, exposure analysis, or mitigation in the abstract or (presumably) the security section.
  2. [Abstract] Abstract and evaluation claims: the reported 74% latency reduction, OS-level resistance, and attack resistance are stated without reference to specific baselines, attack models (e.g., which gradient inversion attacks were tested), datasets, number of devices/runs, or ablation on dropout rates, making it impossible to assess whether the evidence supports the headline numbers or the security guarantees.
minor comments (2)
  1. [Abstract] The abstract refers to a 'hardware-backed round counter' enforcing single-use freshness but provides no implementation details or security argument for how it is maintained across epochs or protected against rollback.
  2. [Abstract] Notation for the PRG, pairwise secrets, and Shamir reconstruction could be clarified with a short table or diagram to aid readers unfamiliar with the exact flow.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. The comments highlight important aspects of the abstract that require clarification and additional detail. We will revise the manuscript accordingly and provide point-by-point responses below.

read point-by-point responses

  1. Referee: [Abstract] Abstract and dropout-handling description: the claim that the system 'thwarts state-of-the-art gradient inversion attacks' is load-bearing for the central security contribution, yet the server is explicitly allowed to reconstruct individual plaintext gradients for any mid-round dropout by collecting Shamir shares of the dropped client's ephemeral private key, deriving the PRG mask, and subtracting it from the received masked gradient. This directly enables inversion attacks on those clients' gradients in IoT settings with frequent dropouts, without any qualification, exposure analysis, or mitigation in the abstract or (presumably) the security section.

    Authors: We appreciate the referee pointing out this nuance in the dropout handling mechanism. The reconstruction of masks for dropped clients is a deliberate design choice to maintain aggregation correctness without requiring round restarts, which is critical for IoT environments with unreliable connectivity. Our threat model assumes an honest-but-curious server that adheres to the protocol for aggregation but may attempt to infer information from the data it receives. However, we acknowledge that providing the server with plaintext gradients for dropped clients could potentially allow gradient inversion if the server deviates from honest behavior. To address this, we will revise the abstract to qualify the security claim as 'thwarts state-of-the-art gradient inversion attacks for non-dropped clients' and add a discussion in the security section on the exposure for dropouts, including an analysis of the probability and potential mitigations such as threshold-based reconstruction or client-side verification. This ensures the claim is accurately represented. revision: yes

  2. Referee: [Abstract] Abstract and evaluation claims: the reported 74% latency reduction, OS-level resistance, and attack resistance are stated without reference to specific baselines, attack models (e.g., which gradient inversion attacks were tested), datasets, number of devices/runs, or ablation on dropout rates, making it impossible to assess whether the evidence supports the headline numbers or the security guarantees.

    Authors: We agree that including more specific details in the abstract will improve the reader's ability to evaluate the claims. The evaluation in the full manuscript compares against synchronous secure aggregation baselines, demonstrates OS-level resistance via TrustZone isolation, and tests resistance to gradient inversion attacks such as DLG and iDLG on datasets like MNIST and CIFAR-10 with 20 clients over multiple experimental runs. We will update the abstract to reference these elements explicitly, for instance by specifying the baseline, the number of clients, and the attack models tested. Furthermore, we will incorporate an ablation study on varying dropout rates in the revised evaluation section to provide a more complete picture. revision: yes

Circularity Check

0 steps flagged

No circularity: engineering architecture with no derivations or fitted results

full rationale

The paper presents a hardware-assisted system design for phase-decoupled secure aggregation in federated learning. It relies on standard primitives (ARM TrustZone enclaves, Diffie-Hellman key exchange, PRG masking, and Shamir secret sharing) whose properties are invoked directly rather than derived via equations or predictions. No mathematical derivations, parameter fittings, self-definitional loops, or load-bearing self-citations appear in the provided text. Security and performance claims follow from the described mechanisms (e.g., enclave isolation and single-round masked transmission) without reducing to tautological inputs. The design is self-contained as an implementation description.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on the security properties of ARM TrustZone and standard cryptographic assumptions without introducing new free parameters or invented entities.

axioms (2)
  • domain assumption Devices are equipped with ARM TrustZone capable of running OP-TEE and providing isolation from the Normal World
    The framework relies on hardware security features of the devices for key protection.
  • domain assumption The server can be trusted to relay keys during idle windows and to reconstruct masks from Shamir shares without leaking information
    Server-relayed key exchange and dropout handling assume server cooperation and honesty.

pith-pipeline@v0.9.0 · 5512 in / 1338 out tokens · 55208 ms · 2026-05-10T03:01:46.551070+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

33 extracted references · 33 canonical work pages

  1. [1]

    A.: Communication-efficient learning of deep networks from dece n- tralized data

    McMahan, B., Moore, E., Ramage, D., Hampson, S., Arcas, B. A.: Communication-efficient learning of deep networks from dece n- tralized data. In: Proceedings of the 20th International Co nfer- ence on Artificial Intelligence and Statistics (AISTATS) (2 017)

    work page

  2. [2]

    International Journal of Information Security 25(2) (2026) https://doi.org/10.1007/s10207-026-01229-x

    Sum, A.S.I., Pritee, Z.T., Saha, A.K., Mahmud, M.A., Nur, K.: A systematic review on privacy preservation in federated le arn- ing. International Journal of Information Security 25(2) (2026) https://doi.org/10.1007/s10207-026-01229-x

    work page doi:10.1007/s10207-026-01229-x 2026

  3. [3]

    ACM Transactions on Internet of Things 6(2) (2025)

    Uprety, A., Rawat, D.B., Sadler, B.: Human immune system i n- spired security for federated learning-empowered interne t of things. ACM Transactions on Internet of Things 6(2) (2025)

    work page 2025

  4. [4]

    Adv ances in Neural Information Processing Systems (NeurIPS) 32 (2019)

    Zhu, L., Liu, Z., Han, S.: Deep leakage from gradients. Adv ances in Neural Information Processing Systems (NeurIPS) 32 (2019)

    work page 2019

  5. [5]

    In: Proceedings of the 39th Conference on Uncertainty in Artificial Intelligence (UAI 2023), pp

    Wu, Z., Dong, J., Zhong, W., Xu, J., Liu, M., Wang, Y.: Learn - ing to invert: Simple adaptive attacks for gradient inversi on in federated learning. In: Proceedings of the 39th Conference on Uncertainty in Artificial Intelligence (UAI 2023), pp. 2293–2303 (2023)

    work page 2023

  6. [6]

    In: Proceedings of the IEEE/CVF Internation al Conference on Computer Vision (ICCV 2025) (2025)

    Shan, J., Zhao, Z., Lu, J., Zhang, R., Yiu, S.M., Chow, K.-H .: Geminio: Language-guided gradient inversion attacks in fe der- ated learning. In: Proceedings of the IEEE/CVF Internation al Conference on Computer Vision (ICCV 2025) (2025)

    work page 2025

  7. [7]

    Practical secure aggregation for privacy-preserving machine learning,

    Bonawitz, K., Ivanov, V ., Kreuter, B., Marcedone, A., McM a- han, H.B., Patel, S., Ramage, D., Segal, A., Seth, K.: Practi cal secure aggregation for privacy-preserving machine learni ng. In: Proceedings of the 2017 ACM SIGSAC Conference on Com- puter and Communications Security (CCS 2017), pp. 1175–119 1 (2017). https://doi.org/10.1145/3133956.3133982

    work page doi:10.1145/3133956.3133982 2017

  8. [8]

    IEEE Sign al Processing Magazine 37(3), 50–60 (2020)

    Li, T., Sahu, A.K., Talwalkar, A., Smith, V .: Federated le arn- ing: Challenges, methods, and future directions. IEEE Sign al Processing Magazine 37(3), 50–60 (2020)

    work page 2020

  9. [9]

    International Journal of Information Security (2024) https://doi.org/10.1007/s10207-024-00939-4

    Gamiz, I., Regueiro, C., Lage, O., Jacob, E., Astorga, J.: Chal- lenges and future research directions in secure multi-party com- putation for resource-constrained devices and large-scal e com- putations. International Journal of Information Security (2024) https://doi.org/10.1007/s10207-024-00939-4

    work page doi:10.1007/s10207-024-00939-4 2024

  10. [10]

    In: Proceedings of the 19th Annual In- ternational Conference on Mobile Systems, Applications, a nd Services (MobiSys 2021) (2021)

    Mo, F., Haddadi, H., Katevas, K., Marin, E., Perino, D., K ourtel- lis, N.: PPFL: Privacy-preserving federated learning with trusted execution environments. In: Proceedings of the 19th Annual In- ternational Conference on Mobile Systems, Applications, a nd Services (MobiSys 2021) (2021)

    work page 2021

  11. [11]

    ACM Comput

    Pinto, S., Santos, N.: Demystifying arm trustzone: A com - prehensive survey. ACM Comput. Surv. 51(6) (2019) 16 of 17 , https://doi.org/10.1145/3291047

    work page doi:10.1145/3291047 2019

  12. [12]

    https://optee.readthedocs.io/ (Accessed: April 2026)

    OP-TEE: Open Portable Trusted Execution Environment. https://optee.readthedocs.io/ (Accessed: April 2026)

    work page 2026

  13. [13]

    In: Proceedings of the 2017 IE EE Symposium on Security and Privacy (SP), pp

    Mohassel, P., Zhang, Y.: Secureml: A system for scalable privacy- preserving machine learning. In: Proceedings of the 2017 IE EE Symposium on Security and Privacy (SP), pp. 19–38 (2017). https://doi.org/10.1109/SP.2017.12

    work page doi:10.1109/sp.2017.12 2017

  14. [14]

    Proceedings on Pr i- vacy Enhancing Technologies (PoPETs) 2019(3), 26–49 (2019)

    Wagh, S., Gupta, D., Chandran, N.: Securenn: 3-party sec ure computation for neural network training. Proceedings on Pr i- vacy Enhancing Technologies (PoPETs) 2019(3), 26–49 (2019)

    work page 2019

  15. [15]

    : Mi- croSecAgg: Streamlined single-server secure aggregation

    Guo, Y., Polychroniadou, A., Shi, E., Byrd, D., Balch, T. : Mi- croSecAgg: Streamlined single-server secure aggregation . Pro- ceedings on Privacy Enhancing Technologies (PoPETs) 2024(3), 77–96 (2024)

    work page 2024

  16. [16]

    14 Guy Goren

    Keller, M., Orsini, E., Scholl, P.: MASCOT: Faster malic ious arithmetic secure computation with oblivious transfer. In : Pro- ceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS 2016), pp. 830–842 (2016) . https://doi.org/10.1145/2976749.2978347

    work page doi:10.1145/2976749.2978347 2016

  17. [17]

    In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Commu- nications Security

    Keller, M.: MP-SPDZ: A versatile framework for multi-pa rty computation. In: Proceedings of the 2020 ACM SIGSAC Confer- ence on Computer and Communications Security (CCS 2020), pp. 1575–1590 (2020). https://doi.org/10.1145/3372297.3417872

    work page doi:10.1145/3372297.3417872 2020

  18. [18]

    In: Proceedings of the 23rd Interna- tional Middleware Conference, pp

    Ait Messaoud, A., Ben Mokhtar, S., Nitu, V ., Schiavoni, V .: Shielding federated learning systems against inference at tacks with ARM TrustZone. In: Proceedings of the 23rd Interna- tional Middleware Conference, pp. 293–305. ACM, ??? (2022). https://doi.org/10.1145/3528535.3565255

    work page doi:10.1145/3528535.3565255 2022

  19. [19]

    International Journal of Information Secur ity 19, 39–51 (2020) https://doi.org/10.1007/s10207-019-00442-x

    Yehuda, R.B., Zaidenberg, N.J.: Protection against rev erse engi- neering in ARM. International Journal of Information Secur ity 19, 39–51 (2020) https://doi.org/10.1007/s10207-019-00442-x

    work page doi:10.1007/s10207-019-00442-x 2020

  20. [20]

    International Journal of Information Security 24(1) (2025) https://doi.org/10.1007/s10207-024-00972-3

    Fernandez, E.B., Muñoz, A.: A cluster of patterns for tru sted computing. International Journal of Information Security 24(1) (2025) https://doi.org/10.1007/s10207-024-00972-3

    work page doi:10.1007/s10207-024-00972-3 2025

  21. [21]

    ACM Transactions on Internet of Things 5(3) (2024)

    Grisafi, M., Ammar, M., Roveri, M., Crispo, B.: FLAShadow : A flash-based shadow stack for low-end embedded systems. ACM Transactions on Internet of Things 5(3) (2024)

    work page 2024

  22. [22]

    EAI Endorsed Transactions on Security and Safety 9(1) (2025) https://doi.org/10.4108/eetss.v9i1.2854

    He, Y., Jia, X., Zhang, S., Chitkushev, L.: SeFS: A secure and ef- ficient file sharing framework based on the trusted execution environment. EAI Endorsed Transactions on Security and Safety 9(1) (2025) https://doi.org/10.4108/eetss.v9i1.2854

    work page doi:10.4108/eetss.v9i1.2854 2025

  23. [23]

    ACM Transactions on Internet of Things 3(4) (2022)

    Wang, H., et al.: Integrating IoT-sensing and crowdsens ing with privacy. ACM Transactions on Internet of Things 3(4) (2022)

    work page 2022

  24. [24]

    arXiv preprint arXiv:1808.09682 (2018)

    Dang, H., Tien, D.L., Chang, E.-C.: Towards a marketplac e for se- cure outsourced computations. arXiv preprint arXiv:1808.09682 (2018)

    work page arXiv 2018

  25. [25]

    arXiv prepr int arXiv:2208.01946 (2022)

    Gao, M., Dang, H., Chang, E.-C., Li, J.: Mixed fault toler ance protocols with trusted execution environment. arXiv prepr int arXiv:2208.01946 (2022)

    work page arXiv 2022

  26. [26]

    arXiv preprint arXiv:1905.06460 (2 019)

    Dang, H., Chang, E.-C.: Autonomous membership service f or enclave applications. arXiv preprint arXiv:1905.06460 (2 019)

    work page arXiv 1905

  27. [27]

    arX iv preprint arXiv:2511.23252 (2025)

    Emmaka, I., Phuong, T.V .X.: One-shot secure aggregatio n: A hybrid cryptographic approach for federated learning. arX iv preprint arXiv:2511.23252 (2025)

    work page arXiv 2025

  28. [28]

    https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/rockchip/rk3399/drivers/secure/secure.c (Accessed: April 2026)

    Trusted Firmware-A: TF-A Source Code: plat/rockchip/rk3399/drivers/secure/secure.c. https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/rockchip/rk3399/drivers/secure/secure.c (Accessed: April 2026)

    work page 2026

  29. [29]

    Rockchip Electronics Co., Ltd.: RK3399 Technical Refer ence Manual. (2017). Rockchip Electronics Co., Ltd

    work page 2017

  30. [30]

    In: Proceed- ings of the 26th USENIX Security Symposium (USENIX Security 17), pp

    Tang, A., Sethumadhavan, S., Stolfo, S.J.: CLKscrew: Ex posing the perils of security-oblivious energy management. In: Proceed- ings of the 26th USENIX Security Symposium (USENIX Security 17), pp. 1057–1074 (2017)

    work page 2017

  31. [31]

    In: Proceedings of the 2019 ACM SIGSAC Con- ference on Computer and Communications Security (CCS 19), pp

    Qiu, P., Wang, D., Lyu, Y., Qu, G.: VoltJockey: Breaching Trust- Zone by software-controlled voltage manipulation over mul ti- core platforms. In: Proceedings of the 2019 ACM SIGSAC Con- ference on Computer and Communications Security (CCS 19), pp. 195–209 (2019)

    work page 2019

  32. [32]

    Geiping, J., Bauermeister, H., Dröge, H., Moeller, M.: I nverting gradients — how easy is it to break privacy in federated learn - ing? In: Advances in Neural Information Processing Systems (NeurIPS 2020), vol. 33, pp. 16937–16947 (2020)

    work page 2020

  33. [33]

    https://www.trustedfirmware.org/projects/tf-m/ (Accessed: April 2026) 17 of 17

    TF-M: Trusted Firmware for Arm Cortex-M. https://www.trustedfirmware.org/projects/tf-m/ (Accessed: April 2026) 17 of 17

    work page 2026