
arxiv: 2604.20020 · v1 · submitted 2026-04-21 · 💻 cs.CR

Potentials and Pitfalls of Applying Federated Learning in Hardware Assurance

Pith reviewed 2026-05-10 01:37 UTC · model grok-4.3

classification 💻 cs.CR
keywords: federated learning, hardware assurance, reverse engineering, gradient inversion, deep learning, SEM images, privacy risks, intellectual property

The pith

Federated learning improves hardware reverse engineering models but allows recovery of proprietary images via gradient inversion.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests federated learning as a way for separate hardware stakeholders to jointly train deep learning models on segmentation of scanning electron microscope images for reverse engineering tasks. Performance rises as the number of clients increases because the model sees more data without any party sending its raw images. At the same time the work demonstrates that an attacker can invert the gradients exchanged during training to reconstruct those images and thereby obtain the intellectual property the method was meant to keep private. Readers care because hardware assurance needs scalable ways to detect Trojans and counterfeits while still guarding design secrets in an outsourced supply chain.

Core claim

Federated learning applied to deep learning segmentation for hardware reverse engineering outperforms single-client centralized training as the number of participating clients grows, yet the same training process remains vulnerable to gradient inversion attacks that recover the original scanning electron microscope images and expose sensitive intellectual property.

What carries the argument

Federated learning for collaborative training of segmentation models on private SEM images, shown vulnerable to gradient inversion that reconstructs those images from shared updates.

If this is right

  • Increasing the number of clients raises segmentation accuracy for reverse engineering tasks.
  • Gradient inversion recovers recognizable SEM images from the updates sent during federated training.
  • Avoiding raw data sharing is not enough to protect intellectual property in hardware assurance.
  • Additional defenses must be added before federated learning can be used safely in this domain.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Gains may shrink if each stakeholder's images follow very different distributions.
  • The same inversion risk may appear in other image-based federated learning settings such as medical or industrial inspection.
  • Adding noise or secure aggregation could blunt the attack without losing the performance benefit.
  • Real deployments would need tests against actual attacker resources and heterogeneous client models.
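To make the "noise or secure aggregation" mitigation above concrete, here is an added example (not the paper's code) simulating one federated round in which clients send pairwise-masked updates so the server only ever sees the FedAvg sum, plus the clip-and-noise step the page alludes to. The mask secret, client count and update dimension are constructed assumptions.

```python
import math
import random

# Constructed toy: each client's "update" is a flat vector standing in for the
# gradient of the segmentation model. In the paper's threat model, a single
# client's update read in the clear is what gradient inversion works from.

def pair_mask(secret, i, j, dim):
    """Mask shared by clients i < j. A real deployment derives it from a key
    agreement between the two clients; a string secret stands in here."""
    rng = random.Random(f"{secret}:{i}:{j}")
    return [rng.uniform(-1e3, 1e3) for _ in range(dim)]

def mask_update(secret, client_id, n_clients, update):
    """Client side of secure aggregation: add +m_ij for every peer j > i and
    -m_ij for every peer j < i. Masks dwarf the update, so the masked vector
    alone carries no usable information about this client's gradient."""
    masked = list(update)
    for other in range(n_clients):
        if other == client_id:
            continue
        lo, hi = sorted((client_id, other))
        m = pair_mask(secret, lo, hi, len(update))
        sign = 1.0 if client_id < other else -1.0
        masked = [v + sign * mv for v, mv in zip(masked, m)]
    return masked

def fedavg(vectors):
    """Plain FedAvg: coordinate-wise mean. Applied to masked vectors, the
    pairwise masks cancel and the result equals the mean of the plain updates."""
    n, dim = len(vectors), len(vectors[0])
    return [sum(v[k] for v in vectors) / n for k in range(dim)]

def clip_and_noise(update, clip_norm, sigma, rng):
    """Second mitigation: bound each client's contribution (L2 clipping) and add
    Gaussian noise scaled to the clip bound, the DP-SGD recipe. Clipping limits
    how much any one image can move the update; noise blurs what remains."""
    norm = math.sqrt(sum(v * v for v in update))
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [v * scale + rng.gauss(0.0, sigma * clip_norm) for v in update]

def l2_distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def run_round(n_clients=4, dim=6, secret="round-1-secret", seed=7):
    """One simulated round; returns what the server sees vs. the plain baseline."""
    rng = random.Random(seed)
    updates = [[rng.uniform(-1, 1) for _ in range(dim)] for _ in range(n_clients)]
    masked = [mask_update(secret, i, n_clients, updates[i]) for i in range(n_clients)]
    clipped = clip_and_noise(updates[0], clip_norm=1.0, sigma=0.0, rng=rng)
    noisy = clip_and_noise(updates[0], clip_norm=1.0, sigma=0.1, rng=rng)
    return {
        "plain_avg": fedavg(updates),          # what an unprotected server sees
        "secure_avg": fedavg(masked),          # identical aggregate, no single update exposed
        "mask_gap": l2_distance(masked[0], updates[0]),  # how far client 0's wire view is from its gradient
        "clipped_norm": math.sqrt(sum(v * v for v in clipped)),
        "noise_gap": l2_distance(noisy, clipped),
    }

if __name__ == "__main__":
    for key, value in run_round().items():
        print(key, value)
```

The aggregate is unchanged by masking, which is why the page's performance benefit survives; the cost of clip-and-noise, by contrast, shows up as a perturbed update and must be traded against segmentation accuracy.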

Load-bearing premise

The performance gains from extra clients and the success of the gradient inversion attack will continue to hold when data distributions and model architectures vary across real industry stakeholders.

What would settle it

Run a federated training round with SEM images from several independent hardware sources, then apply a gradient inversion attack and check whether the reconstructed images contain recognizable proprietary design features.

Figures

Figures reproduced from arXiv: 2604.20020 by Damon Woodard, Domenic Forte, Gijung Lee, Olivia Dizon-Paradis, Reiner Dizon-Paradis, Ronald Wilson, Wavid Bowman.

Figure 1: Overall workflow of federated learning.
Figure 2: Gradient Inversion Attacks.
Figure 3: Processes for the experiment.
Figure 4: Example evolution of the gradient inversion attack on [caption truncated in source].
Figure 5: Example segmentation result in FL, with 32nm tech.
Figure 6: Test Loss and IoU comparison between Centralized and Federated learning settings using a 32nm technology node.
Figure 7: Worst and Best reconstructed images for calculating SSIM.
Figure 8: Worst and Best reconstructed images for calculating [caption truncated in source].
Original abstract

As microelectronics flourish and outsourcing of the design and manufacturing stages of integrated circuits (ICs) and printed circuit boards (PCBs) becomes the norm, microelectronics stakeholders must also confront a new wave of security challenges, including the threats posed by hardware Trojans, counterfeit electronics, and reverse engineering attacks. Traditional detection and prevention methods like testing and side-channel analysis have limitations in reliability and scalability. Automated reverse engineering by deep learning (DL) models is a foolproof approach to hardware assurance, but faces challenges due to limited data. By pooling data from different stakeholders (competitors in industry, governments, etc.), DL models can be more effectively trained but privacy of intellectual property (IP) is a significant concern. Federated Learning (FL) has been proposed as a potential alternative allowing for the collaborative training of a DL model without sharing raw data. While FL has been widely used in healthcare, IoT, and finance, its application in hardware assurance remains underexplored. This study investigates, for the first time, FL-based DL for hardware assurance, demonstrating that FL outperforms single-client centralized learning in segmentation tasks for reverse engineering. Our results show that increasing the number of clients improves FL performance by collaboratively training the model with more data. However, and more importantly, a major pitfall of FL is also exposed -- it remains vulnerable to gradient inversion attacks. We show that SEM images used in FL can be recovered by attackers, which would therefore expose the sensitive and proprietary IPs that FL was supposed to protect. We highlight these privacy risks and also suggest future research directions to improve security and effectiveness in hardware assurance.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. This paper investigates the application of Federated Learning (FL) to hardware assurance tasks, particularly automated reverse engineering of microelectronics using deep learning segmentation on SEM images. It claims that FL outperforms single-client centralized learning, with performance improving as the number of clients increases, but highlights a major pitfall: vulnerability to gradient inversion attacks that can recover the original sensitive images, exposing proprietary IPs.

Significance. If the results hold, the paper makes a valuable contribution by being the first to explore FL in this domain, demonstrating both the collaborative benefits for improving DL models in data-scarce hardware security applications and the critical need to address privacy risks from inversion attacks. This could stimulate research into secure FL variants for hardware assurance.

major comments (2)
  1. Abstract: The abstract asserts that FL outperforms single-client centralized learning in segmentation tasks and that SEM images can be recovered via gradient inversion, but provides no quantitative results, dataset details, attack success rates, or experimental controls; without these, the central empirical claims cannot be verified.
  2. Experimental evaluation (assumed Results section): The claim that increasing the number of clients improves FL performance and generalizes to multi-stakeholder hardware assurance requires that data partitions reflect realistic non-IID distributions across competing stakeholders; the manuscript provides no evidence on this condition or on the exact aggregation/update rules used in the inversion attack evaluation.
minor comments (2)
  1. Introduction: The overview of limitations of traditional methods (testing, side-channel analysis) would benefit from additional recent citations on scalability issues in hardware assurance.
  2. Conclusion: The suggested future research directions for improving security are high-level; including at least one concrete mitigation proposal with preliminary results would strengthen the paper.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive and detailed comments on our manuscript. We address each major comment point by point below, indicating the revisions we will make to improve clarity and verifiability.

Point-by-point responses
  1. Referee: Abstract: The abstract asserts that FL outperforms single-client centralized learning in segmentation tasks and that SEM images can be recovered via gradient inversion, but provides no quantitative results, dataset details, attack success rates, or experimental controls; without these, the central empirical claims cannot be verified.

    Authors: We agree that the abstract would benefit from greater specificity to allow immediate verification of the claims. In the revised manuscript, we will expand the abstract to incorporate key quantitative results (such as segmentation performance metrics comparing FL to single-client baselines), dataset characteristics (including the number and sources of SEM images), attack success indicators, and reference to experimental controls such as aggregation method and baseline setups. This revision will make the central empirical contributions more transparent while preserving the abstract's brevity. revision: yes

  2. Referee: Experimental evaluation (assumed Results section): The claim that increasing the number of clients improves FL performance and generalizes to multi-stakeholder hardware assurance requires that data partitions reflect realistic non-IID distributions across competing stakeholders; the manuscript provides no evidence on this condition or on the exact aggregation/update rules used in the inversion attack evaluation.

    Authors: We acknowledge the importance of demonstrating realistic non-IID conditions for the generalizability claim. We will revise the Experimental Evaluation section to include explicit evidence and description of the data partitioning approach used to simulate distributions across competing stakeholders, along with any supporting statistics on heterogeneity. We will also specify the aggregation algorithm employed and the precise update rules and implementation details for the gradient inversion attack evaluation. These additions will directly address the concern and strengthen the manuscript's support for the multi-stakeholder applicability. revision: yes

Circularity Check

0 steps flagged

No circularity: purely experimental claims with no derivations or fitted predictions

full rationale

The paper reports direct experimental outcomes from FL segmentation training on SEM images and gradient inversion attacks. No equations, parameters fitted to subsets then renamed as predictions, or self-citation chains appear in the abstract or described results. Claims such as 'FL outperforms single-client centralized learning' and 'SEM images can be recovered' are presented as empirical findings, not quantities defined in terms of themselves or prior self-work. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The paper is purely empirical with no mathematical derivations, free parameters, or postulated entities described in the abstract.

pith-pipeline@v0.9.0 · 5610 in / 1015 out tokens · 33382 ms · 2026-05-10T01:37:29.005138+00:00 · methodology

