pith. sign in

arxiv: 2604.19891 · v1 · submitted 2026-04-21 · 💻 cs.CR

A Data-Free Membership Inference Attack on Federated Learning in Hardware Assurance

Gijung Lee , Wavid Bowman , Olivia P. Dizon-Paradis , Reiner N. Dizon-Paradis , Ronald Wilson , Damon L. Woodard , Domenic Forte This is my paper

Pith reviewed 2026-05-10 01:50 UTC · model grok-4.3

classification 💻 cs.CR
keywords membership inference attackfederated learninghardware assurancegradient inversiondata-free attackimage reconstructioncircuit layoutstechnology node inference
0
0 comments X

The pith

Standard cell library layouts let an adversary reconstruct private hardware images from federated learning updates and infer circuit details without any training data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that federated learning for hardware image segmentation remains open to membership inference even when no private data is available to the attacker. It shows that standard cell library layouts can act as fixed priors to steer a gradient inversion process, turning intercepted model updates into reconstructed images. Reconstruction quality then serves as a signal that distinguishes circuit layers and fabrication nodes. If this holds, federated learning cannot be assumed to protect intellectual property in hardware assurance workflows. The approach adds a conditional loss term that improves handling of intricate layout structures.

Core claim

The paper demonstrates that a gradient inversion attack guided by standard cell library layouts reconstructs images from client model updates in a federated learning setup for hardware assurance, and that the fidelity of those reconstructions reveals sensitive characteristics such as metal versus diffusion layers and 32 nm versus 90 nm technology nodes.

What carries the argument

Standard Cell Library Layouts (SCLLs) employed as priors to direct gradient inversion and measure reconstruction fidelity from intercepted federated model updates.

If this is right

  • Federated learning does not inherently protect hardware intellectual property from reconstruction attacks.
  • Reconstruction fidelity distinguishes metal versus diffusion circuit layers.
  • The same method separates 32 nm from 90 nm technology nodes.
  • A novel loss term overcomes evaluation limits when layouts contain complex structures.
  • Information leakage occurs even when the adversary holds no domain-specific datasets.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar library-guided inversion could apply to other design-automation tasks that share structural priors.
  • Defenses such as added noise to gradients may be required before federated learning is used for sensitive hardware models.
  • The attack surface grows if public layout libraries become more detailed or widely available.

Load-bearing premise

Standard cell library layouts can function as reliable priors that produce reconstructions whose fidelity accurately signals hardware features without access to private data.

What would settle it

Run the attack on federated updates from 32 nm and 90 nm circuits and check whether reconstruction fidelity scores separate the two technology nodes at rates substantially above chance.

Figures

Figures reproduced from arXiv: 2604.19891 by Damon L. Woodard, Domenic Forte, Gijung Lee, Olivia P. Dizon-Paradis, Reiner N. Dizon-Paradis, Ronald Wilson, Wavid Bowman.

Figure 1
Figure 1. Figure 1: Overall our proposed MIA method process 1) MIA in FL: Despite blocking access to raw data, FL is vulnerable to MIAs due to the exchanged gradient and weight information. These attacks are broadly categorized into update￾based and trend-based methods [6]. • Update-based MIAs directly utilize model gradients or parameters. Gradient-based attacks use the original gradi￾ents or their differences, whereas param… view at source ↗
Figure 2
Figure 2. Figure 2: Representative examples of images reconstructed by GIA, illustrating the large visual quality gap in the metal-as-member [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 5
Figure 5. Figure 5: ROC curves for the membership inference attack on [PITH_FULL_IMAGE:figures/full_fig_p006_5.png] view at source ↗
Figure 3
Figure 3. Figure 3: Distribution of Dice scores for members and non [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Post processed images from each layer. C. Membership Inference Attack Performance Using the pooled similarity (Dice) scores from the post￾processed images, we performed a membership inference attack. The effectiveness of this attack is detailed in Table II and visualized by the ROC curves in [PITH_FULL_IMAGE:figures/full_fig_p006_4.png] view at source ↗
Figure 6
Figure 6. Figure 6: Visual impact of the Ldummy term when metal is the member. The quality gap between the member (top row) and non-member (bottom row) reconstructions is visibly larger at the optimal λdummy = 5, as the non-member reconstruction becomes significantly more degraded. TABLE III: Ablation Study on the FP Loss Term (AUC) λdummy Metal Layer (Member) Diffusion Layer (Member) 0 (Term Removed) 0.8868 0.9804 (Optimal) … view at source ↗
read the original abstract

Federated Learning (FL) is an emerging solution to the data scarcity problem for training deep learning models in hardware assurance. While FL is designed to enhance privacy by not sharing raw data, it remains vulnerable to Membership Inference Attacks (MIAs) that can leak sensitive intellectual property (IP). Traditional MIAs are often impractical in this domain because they require access to auxiliary datasets that can match the unique statistical properties of private data. This paper introduces a novel, data-free MIA targeting image segmentation models in FL for hardware assurance. Our methodology leverages Standard Cell Library Layouts (SCLLs) as priors to guide a gradient inversion attack, allowing an adversary to reconstruct images from a client's intercepted model update without needing any private data. We demonstrate that, by analyzing the reconstruction fidelity, an adversary can infer sensitive hardware characteristics, successfully distinguishing between circuit layers (e.g., metal vs. diffusion) and technology nodes (e.g., 32nm vs. 90nm). Our findings reveal that a novel loss term can conditionally amplify the attack's effectiveness by overcoming evaluation bottlenecks for structurally complex data. This work underscores a significant IP risk, challenging the assumption that FL provides inherent privacy guarantees and proving that severe information leakage can occur even without access to domain-specific datasets.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes a data-free membership inference attack (MIA) against federated learning (FL) for image segmentation models in hardware assurance applications. It uses public Standard Cell Library Layouts (SCLLs) as priors to guide gradient inversion on intercepted client updates, enabling reconstruction of private images without access to domain data. By measuring reconstruction fidelity, the adversary is claimed to infer sensitive hardware characteristics, distinguishing circuit layers (e.g., metal vs. diffusion) and technology nodes (e.g., 32nm vs. 90nm). A novel loss term is introduced to conditionally improve attack performance on structurally complex data.

Significance. If the empirical claims hold, the work would demonstrate a concrete privacy leakage vector in FL deployments for hardware IP protection, showing that public priors can suffice for effective gradient inversion even without matching auxiliary data. This challenges the privacy assumptions of FL in specialized domains and contributes a conditional loss mechanism that may generalize to other inversion attacks on complex imagery. The approach highlights risks at the intersection of adversarial ML and hardware security.

major comments (2)
  1. [Abstract and §4] Abstract and §4 (Proposed Method): The central claim that SCLL-guided gradient inversion produces fidelity differences reliably distinguishing hardware features (layers/nodes) rests on the unverified assumption that node-specific structural details survive in the gradients and are recoverable via the novel loss term. No derivation, pseudocode, or analysis is provided showing how the loss overcomes generic cell geometry overlap in SCLLs versus private layouts, leaving the distinction vulnerable to collapse if inversion converges to similar fidelities across nodes.
  2. [§5 and Table 1] §5 (Evaluation) and Table 1 (if present): No quantitative metrics (e.g., fidelity scores, success rates, ROC-AUC for layer/node classification), ablation on the novel loss term, or controls comparing SCLL priors against generic image statistics are reported. This directly undermines the load-bearing claim of successful distinction, as the abstract provides only qualitative assertions without evidence that fidelity variations are driven by hardware features rather than reconstruction artifacts.
minor comments (2)
  1. [§4] Notation for the novel loss term is introduced without an explicit equation or comparison to standard inversion losses (e.g., L2 or perceptual), reducing clarity on its conditional amplification mechanism.
  2. [§3] The manuscript would benefit from a clearer statement of threat model assumptions, particularly client participation rate and update interception feasibility in the FL hardware assurance setting.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback on our manuscript. We address each major comment point by point below and indicate the revisions we will make to improve clarity and substantiation of our claims.

read point-by-point responses

  1. Referee: [Abstract and §4] Abstract and §4 (Proposed Method): The central claim that SCLL-guided gradient inversion produces fidelity differences reliably distinguishing hardware features (layers/nodes) rests on the unverified assumption that node-specific structural details survive in the gradients and are recoverable via the novel loss term. No derivation, pseudocode, or analysis is provided showing how the loss overcomes generic cell geometry overlap in SCLLs versus private layouts, leaving the distinction vulnerable to collapse if inversion converges to similar fidelities across nodes.

    Authors: We appreciate the referee's emphasis on the need for rigorous justification of the novel loss term. The manuscript introduces the conditional loss to address evaluation bottlenecks on complex data and shows its empirical benefits, but we agree that an explicit derivation and analysis of its interaction with SCLL priors versus private layouts would strengthen the presentation. In the revised manuscript, we will add a mathematical derivation demonstrating how the loss term amplifies recoverable structural differences in the gradients, pseudocode for the full gradient inversion procedure, and an analysis explaining why node-specific details (e.g., layer and technology node variations) lead to distinguishable fidelities rather than collapsing under generic cell overlaps. revision: yes

  2. Referee: [§5 and Table 1] §5 (Evaluation) and Table 1 (if present): No quantitative metrics (e.g., fidelity scores, success rates, ROC-AUC for layer/node classification), ablation on the novel loss term, or controls comparing SCLL priors against generic image statistics are reported. This directly undermines the load-bearing claim of successful distinction, as the abstract provides only qualitative assertions without evidence that fidelity variations are driven by hardware features rather than reconstruction artifacts.

    Authors: We thank the referee for identifying this gap in the quantitative support for our claims. The evaluation section demonstrates the attack's ability to distinguish layers and nodes through reconstruction examples, but we concur that the absence of explicit metrics, ablations, and controls limits the strength of the evidence. We will revise §5 to include quantitative results such as fidelity scores, success rates, and ROC-AUC values for layer and node inference tasks. We will also add an ablation study isolating the contribution of the novel loss term and control experiments using generic image statistics as priors to confirm that fidelity differences arise from hardware-specific features. revision: yes

Circularity Check

0 steps flagged

No circularity: method relies on external public priors and empirical reconstruction without self-referential derivations

full rationale

The paper presents an empirical attack methodology that uses publicly available Standard Cell Library Layouts (SCLLs) as external priors to guide gradient inversion on intercepted model updates. No equations, derivations, fitted parameters, or self-citations are described in the provided text that would reduce any claimed result (such as fidelity-based distinction of hardware features) back to inputs defined in terms of the target outcome. The central claim rests on the external validity of SCLL-guided inversion producing distinguishable reconstructions, which is an independent empirical question rather than a self-definitional or fitted-input construction. This is the normal case of a non-circular empirical study.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that publicly available standard cell library layouts provide sufficient structural guidance for successful image reconstruction and subsequent membership inference without private data.

axioms (1)
  • domain assumption Standard Cell Library Layouts (SCLLs) can serve as effective priors to guide gradient inversion attacks on image segmentation models without access to private data.
    Invoked to enable the data-free property of the attack.

pith-pipeline@v0.9.0 · 5546 in / 1268 out tokens · 64226 ms · 2026-05-10T01:50:34.445793+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

23 extracted references · 23 canonical work pages

  1. [1]

    A new hardware trojan detection technique using deep convolutional neural network,

    R. Sharma, V . S. Rathor, G. Sharma, and M. Pattanaik, “A new hardware trojan detection technique using deep convolutional neural network,” Integration, vol. 79, pp. 1–11, 2021

    work page 2021

  2. [2]

    A primer on hardware security: Models, methods, and metrics,

    M. Rostami, F. Koushanfar, and R. Karri, “A primer on hardware security: Models, methods, and metrics,”Proceedings of the IEEE, vol. 102, no. 8, pp. 1283–1295, 2014

    work page 2014

  3. [3]

    The chips act of 2022,

    commerce.senate.gov, “The chips act of 2022,” https://www.commerce.senate.gov/services/files/592E23A5-B56F- 48AE-B4C1-493822686BCB, [Accessed 06-03-2025]

    work page 2022

  4. [4]

    Membership inference attacks against machine learning models,

    R. Shokri, M. Stronati, C. Song, and V . Shmatikov, “Membership inference attacks against machine learning models,” in2017 IEEE symposium on security and privacy (SP). IEEE, 2017, pp. 3–18

    work page 2017

  5. [5]

    Knock knock, who’s there? membership inference on aggregate location data,

    A. Pyrgelis, C. Troncoso, and E. De Cristofaro, “Knock knock, who’s there? membership inference on aggregate location data,”arXiv preprint arXiv:1708.06145, 2017

    work page arXiv 2017

  6. [6]

    Membership inference attacks and defenses in federated learning: A survey,

    L. Bai, H. Hu, Q. Ye, H. Li, L. Wang, and J. Xu, “Membership inference attacks and defenses in federated learning: A survey,”ACM Computing Surveys, vol. 57, no. 4, pp. 1–35, 2024

    work page 2024

  7. [7]

    Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,

    M. Nasr, R. Shokri, and A. Houmansadr, “Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,” in2019 IEEE symposium on security and privacy (SP). IEEE, 2019, pp. 739–753

    work page 2019

  8. [8]

    Gan enhanced membership inference: A passive local attack in federated learning,

    J. Zhang, J. Zhang, J. Chen, and S. Yu, “Gan enhanced membership inference: A passive local attack in federated learning,” inICC 2020 - 2020 IEEE International Conference on Communications (ICC), 2020, pp. 1–6

    work page 2020

  9. [9]

    Efficient passive membership inference attack in federated learning,

    O. Zari, C. Xu, and G. Neglia, “Efficient passive membership inference attack in federated learning,” inNeurIPS PriML 2021-workshop Privacy in Machine Learning, 2021

    work page 2021

  10. [10]

    Effective passive membership inference attacks in federated learning against overparameterized models,

    J. Li, N. Li, and B. Ribeiro, “Effective passive membership inference attacks in federated learning against overparameterized models,” inThe Eleventh International Conference on Learning Representations, 2023

    work page 2023

  11. [11]

    Cs-mia: Membership inference attack based on prediction confidence series in federated learning,

    Y . Gu, Y . Bai, and S. Xu, “Cs-mia: Membership inference attack based on prediction confidence series in federated learning,”Journal of Information Security and Applications, vol. 67, p. 103201, 2022

    work page 2022

  12. [12]

    Enhance membership inference attacks in federated learning,

    X. He, Y . Xu, S. Zhang, W. Xu, and J. Yan, “Enhance membership inference attacks in federated learning,”Computers & Security, vol. 136, p. 103535, 2024

    work page 2024

  13. [13]

    Fedmia: An effective membership inference attack exploiting

    G. Zhu, D. Li, H. Gu, Y . Yao, L. Fan, and Y . Han, “Fedmia: An effective membership inference attack exploiting” all for one” principle in federated learning,” inProceedings of the Computer Vision and Pattern Recognition Conference, 2025, pp. 20 643–20 653

    work page 2025

  14. [14]

    Deep leakage from gradients,

    L. Zhu, Z. Liu, and S. Han, “Deep leakage from gradients,”Advances in neural information processing systems, vol. 32, 2019

    work page 2019

  15. [15]

    The state-of-the-art in ic reverse engi- neering,

    R. Torrance and D. James, “The state-of-the-art in ic reverse engi- neering,” inInternational Workshop on Cryptographic Hardware and Embedded Systems. Springer, 2009, pp. 363–381

    work page 2009

  16. [16]

    Practical partial hardware reverse engineering analysis: For local fault injection and authenticity verification,

    F. Courbon, “Practical partial hardware reverse engineering analysis: For local fault injection and authenticity verification,”Journal of Hardware and Systems Security, vol. 4, no. 1, pp. 1–10, 2020

    work page 2020

  17. [17]

    Counterfeit integrated circuits: A rising threat in the global semiconductor supply chain,

    U. Guin, K. Huang, D. DiMase, J. M. Carulli, M. Tehranipoor, and Y . Makris, “Counterfeit integrated circuits: A rising threat in the global semiconductor supply chain,”Proceedings of the IEEE, vol. 102, no. 8, pp. 1207–1228, 2014

    work page 2014

  18. [18]

    A survey on federated learning: challenges and applications,

    J. Wen, Z. Zhang, Y . Lan, Z. Cuia, J. Cai, and W. Zhang, “A survey on federated learning: challenges and applications,”International Journal of Machine Learning and Cybernetics, vol. 14, pp. 513–535, 2023

    work page 2023

  19. [19]

    Privacy-preserving artificial intelligence techniques in biomedicine,

    R. Torkzadehmahani, R. Nasirigerdeh, D. B. Blumenthal, T. Kacprowski, M. List, J. Matschinske, J. Spaeth, N. K. Wenke, and J. Baumbach, “Privacy-preserving artificial intelligence techniques in biomedicine,” Methods of Information in Medicine, vol. 61, pp. e12–e27, 2022

    work page 2022

  20. [20]

    Communication-efficient learning of deep networks from decentralized data,

    B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” inArtificial intelligence and statistics. PMLR, 2017, pp. 1273– 1282

    work page 2017

  21. [21]

    Exploiting unintended feature leakage in collaborative learning,

    L. Melis, C. Song, E. De Cristofaro, and V . Shmatikov, “Exploiting unintended feature leakage in collaborative learning,” in2019 IEEE symposium on security and privacy (SP). IEEE, 2019, pp. 691–706

    work page 2019

  22. [22]

    REFICS: As- similating data-driven paradigms into reverse engineering and hardware assurance on integrated circuits,

    R. Wilson, H. Lu, M. Zhu, D. Forte, and D. L. Woodard, “REFICS: As- similating data-driven paradigms into reverse engineering and hardware assurance on integrated circuits,”IEEE Access, vol. 9, pp. 131 955– 131 976, 2021

    work page 2021

  23. [23]

    U-net: Convolutional networks for biomedical image segmentation,

    O. Ronneberger, P. Fischer, and T. Brox, “U-net: Convolutional networks for biomedical image segmentation,” inInternational Conference on Medical image computing and computer-assisted intervention. Springer, 2015, pp. 234–241

    work page 2015