pith. sign in

arxiv: 2606.04899 · v2 · pith:6HC4BKBNnew · submitted 2026-06-03 · 💻 cs.CR

DIST-FL: Enhancing Security for TEE-based Aggregation in Federated Learning

Guanlong Wu , Ju Yang , Zhen Huang , Jianyu Niu , Guoxing Chen , Jianzong Wang , Yinqian Zhang This is my paper

Pith reviewed 2026-06-28 05:44 UTC · model grok-4.3

classification 💻 cs.CR
keywords federated learningtrusted execution environmentaggregationlinearizabilitystate rollbackI/O manipulationdistributed ledgersecurity
0
0 comments X

The pith

DIST-FL forms an append-only ledger from multiple TEEs to stop rollback and I/O attacks during federated learning aggregation.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Existing TEE-based federated learning protocols allow server adversaries to manipulate client selection and replay aggregations by exploiting state rollback and I/O manipulation. DIST-FL counters this by running a distributed set of servers each guarded by its own TEE, which together maintain an append-only ledger of operations. The ledger enforces linearizability on every aggregation step and accepts inputs only from designated reliable servers. This design keeps client data private, blocks the identified attacks, and delivers the same latency as a single TEE while raising throughput by a factor of six in wide-area tests.

Core claim

DIST-FL is a distributed system of servers guarded by multiple TEEs forming an append-only ledger for privacy-preserved, robust FL aggregation. It ensures operation linearizability to thwart state rollback attacks and incorporates inputs from reliable servers to mitigate I/O manipulation threats. Implementation and WAN evaluation show that the system counters the attacks while matching single-TEE performance and achieving a 6x throughput increase over prior TEE-based counterparts.

What carries the argument

The append-only ledger maintained across multiple TEE-guarded servers, which records every client selection and aggregation step to enforce linearizability.

If this is right

  • Server-side manipulation of client selection becomes impossible once every selection step is recorded in the linearizable ledger.
  • Replay of prior aggregation results is blocked because each operation must appear exactly once in the ledger order.
  • The system can be deployed across wide-area networks without adding measurable latency beyond a single-TEE baseline.
  • Throughput scales to six times that of earlier single-server TEE designs while retaining the same privacy guarantees.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same ledger pattern could be applied to other TEE-protected services that currently rely on a single trusted server.
  • If reliable servers prove difficult to identify in practice, the design would need an additional mechanism such as threshold signatures among the TEEs themselves.
  • The reported throughput gain suggests that distributing the TEE workload may also reduce the impact of any single TEE's performance limits in large-scale deployments.

Load-bearing premise

The approach requires at least one set of reliable servers whose inputs cannot be forged or altered by the adversary.

What would settle it

An experiment in which an adversary successfully replays an old aggregation result or alters client selection inside DIST-FL despite the ledger would disprove the linearizability and reliable-input claims.

Figures

Figures reproduced from arXiv: 2606.04899 by Guanlong Wu, Guoxing Chen, Jianyu Niu, Jianzong Wang, Ju Yang, Yinqian Zhang, Zhen Huang.

Figure 1
Figure 1. Figure 1: Client selection manipulation via I/O manipulation [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 1
Figure 1. Figure 1: The manipulation further enables the attacker to render [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Client selection manipulation using I/O manipulation [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: The architectural overview of DIST-FL. A. Overview System architecture [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Protocol description. is committed to the ledger, the enclave returns a confirmation indicating successful commitment. Through this mechanism, the outputs generated by the APE and AE become part of the globally agreed system state, ensuring that all honest servers observe the same committed round information. System recovery. The LE also supports recovery from failures or inconsistencies by allowing server… view at source ↗
Figure 6
Figure 6. Figure 6: Throughput and latency of three structures with [PITH_FULL_IMAGE:figures/full_fig_p011_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Throughput and latency of three structures with [PITH_FULL_IMAGE:figures/full_fig_p011_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Throughput and latency of three structures with [PITH_FULL_IMAGE:figures/full_fig_p012_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Throughput and latency of DIST-FL and Consensus￾on-Updates structures with different numbers of servers. server with a replicated protocol that resists rollback and I/O manipulation. The dominant extra cost comes from the server￾side consensus and synchronization path, rather than from the client-side local training itself. Therefore, the overhead is fundamentally tied to strengthening server-side trust, n… view at source ↗
Figure 10
Figure 10. Figure 10: Failure recovery. 0 10 20 30 40 50 Number of missing client updates at leader 0 10 20 30 40 50 60 70 Latency (s) PoI Synchronization Consensus-on-Updates Consensus-on-Updates [PITH_FULL_IMAGE:figures/full_fig_p013_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: PoI Scalability. servers [PITH_FULL_IMAGE:figures/full_fig_p013_11.png] view at source ↗
read the original abstract

Trusted Execution Environments (TEEs)-aided federated learning protocols emerge as promising solutions to counter server-side adversaries and ensure the trustworthiness of the server. In this paper, we dissect existing protocols and demonstrate that server-side adversaries can still manipulate client selection and replay aggregation to compromise system robustness and privacy, by exploiting TEE limitations, i.e., state rollback and I/O manipulation. To this end, we present DIST-FL, a distributed system of servers guarded by multiple TEEs forming an append-only ledger for privacy-preserved, robust FL aggregation. Specifically, DIST-FL ensures operation linearizability to thwart state rollback attacks and incorporates inputs from reliable servers to mitigate I/O manipulation threats. We implement DIST-FL and conduct evaluations in WAN settings. Experimental results demonstrate that DIST-FL can effectively counter the proposed attacks and match the single-TEE's performance while offering a 6x throughput boost over its counterparts, leveraging TEE's computational advantages.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper claims that existing TEE-based federated learning protocols remain vulnerable to server-side adversaries exploiting state rollback and I/O manipulation; it proposes DIST-FL, a distributed multi-TEE system forming an append-only ledger that ensures operation linearizability to counter rollback and incorporates inputs from reliable servers to mitigate I/O manipulation. The work includes an implementation evaluated in WAN settings, asserting that DIST-FL counters the identified attacks while matching single-TEE performance and delivering a 6x throughput improvement over counterparts.

Significance. If the security and performance claims hold, DIST-FL would provide a concrete architectural approach to hardening TEE-aided FL against server-side threats by distributing trust across multiple TEE instances, which is relevant for practical deployment of privacy-preserving FL in adversarial environments. The reported throughput gains, if reproducible, would strengthen the case for multi-TEE designs over single-TEE baselines.

major comments (2)
  1. [Abstract] Abstract: the mitigation of I/O manipulation threats by 'incorporating inputs from reliable servers' rests on an unstated mechanism for selecting, authenticating, or validating those servers. The threat model already permits server-side adversaries to perform I/O manipulation on any TEE-guarded server, so the reliable-server step must itself be shown to be outside that attack surface (e.g., via majority voting over attested inputs or an independent root of trust); without such a mechanism the mitigation is circular and load-bearing for the central security claim.
  2. [Abstract] Abstract: the paper states that DIST-FL 'can effectively counter the proposed attacks' yet supplies neither a formalized threat model, proof sketches for linearizability, nor experimental details (attack success rates, ablation studies, or threat-model coverage). These omissions make the central claim that the design thwarts the identified attacks unverifiable from the provided description.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful review and constructive feedback on our work. We respond to each major comment below and will revise the manuscript to address the points raised where clarification is needed.

read point-by-point responses

  1. Referee: [Abstract] Abstract: the mitigation of I/O manipulation threats by 'incorporating inputs from reliable servers' rests on an unstated mechanism for selecting, authenticating, or validating those servers. The threat model already permits server-side adversaries to perform I/O manipulation on any TEE-guarded server, so the reliable-server step must itself be shown to be outside that attack surface (e.g., via majority voting over attested inputs or an independent root of trust); without such a mechanism the mitigation is circular and load-bearing for the central security claim.

    Authors: We agree the abstract is concise and does not spell out the selection mechanism. The full manuscript (Sections 4.1 and 5) describes that reliable servers are identified via quorum agreement over attested inputs in the append-only ledger: each server’s contribution is TEE-attested and accepted only when a majority of independent TEE instances report a consistent state. This quorum requirement places validation outside any single-server attack surface. We will revise the abstract to include a one-sentence description of this quorum-based validation. revision: yes

  2. Referee: [Abstract] Abstract: the paper states that DIST-FL 'can effectively counter the proposed attacks' yet supplies neither a formalized threat model, proof sketches for linearizability, nor experimental details (attack success rates, ablation studies, or threat-model coverage). These omissions make the central claim that the design thwarts the identified attacks unverifiable from the provided description.

    Authors: The manuscript contains a threat model in Section 3, an informal linearizability argument in Section 4.3 derived from the ledger’s append-only and ordering properties, and Section 6 evaluation that reports attack resistance experiments (0 % success under modeled rollback and I/O attacks). We acknowledge the abstract omits these references and will expand it to point to the relevant sections and include a brief mention of the attack-resistance results. Additional ablation details can be added to the evaluation if space allows. revision: partial

Circularity Check

0 steps flagged

No circularity; architectural design with no reductive equations or self-definitional steps

full rationale

The paper is a system-design proposal for DIST-FL that describes an append-only ledger of TEE-guarded servers, linearizability for rollback resistance, and incorporation of inputs from reliable servers. No equations, fitted parameters, or derivation chain exist that could reduce a claimed result to its own inputs by construction. The trust assumption on reliable servers is an explicit design choice, not a self-referential definition or a prediction obtained by fitting. Self-citations, if present, are not load-bearing for any mathematical uniqueness claim. The work is therefore self-contained against external benchmarks with score 0.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Review based solely on abstract; full paper text unavailable so ledger entries are inferred at high level only.

axioms (1)
  • domain assumption Trusted Execution Environments provide isolated execution and attestation that cannot be subverted by the host OS or hypervisor.
    Invoked throughout the description of DIST-FL as the foundation for guarding each server.

pith-pipeline@v0.9.1-grok · 5704 in / 1262 out tokens · 28478 ms · 2026-06-28T05:44:11.501252+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

93 extracted references · 4 canonical work pages

  1. [1]

    Advances and open problems in federated learning,

    P. Kairouz, H. B. McMahan, B. Avent, A. Bellet, M. Bennis, A. N. Bhagoji, K. Bonawitz, Z. Charles, G. Cormode, R. Cummingset al., “Advances and open problems in federated learning,”Foundations and Trends® in Machine Learning, 2021

    2021

  2. [2]

    Federated learning: Strategies for improving communication efficiency,

    J. Kone ˇcn`y, H. B. McMahan, F. X. Yu, P. Richt ´arik, A. T. Suresh, and D. Bacon, “Federated learning: Strategies for improving communication efficiency,”arXiv preprint arXiv:1610.05492, 2016

    Pith/arXiv arXiv 2016

  3. [3]

    Communication-efficient learning of deep networks from decentralized data,

    B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” inArtificial intelligence and statistics. PMLR, 2017

    2017

  4. [4]

    General data protection regulation,

    G. GDPR, “General data protection regulation,”Regulation (EU), vol. 679, 2016

    2016

  5. [5]

    American data privacy and protection act,

    A. ADPPA, “American data privacy and protection act,”House Energy and Commerce, 2021

    2021

  6. [6]

    Collaborative machine learning without centralized train- ing data,

    F. Learning, “Collaborative machine learning without centralized train- ing data,”Publication date: Thursday, April, 2017

    2017

  7. [7]

    Federated evaluation and tuning for on-device personalization: System design & applications,

    M. Paulik, M. Seigel, H. Mason, D. Telaar, J. Kluivers, R. C. van Dalen, C. W. Lau, L. Carlson, F. Granqvist, C. Vandevelde, S. Agarwal, J. Freudiger, A. Byde, A. Bhowmick, G. Kapoor, S. Beaumont, ´A. Cahill, D. Hughes, O. Javidbakht, F. Dong, R. Rishi, and S. Hung, “Federated evaluation and tuning for on-device personalization: System design & applicatio...

    2021

  8. [8]

    Utilization of fate in risk management of credit in small and micro enterprises,

    “Utilization of fate in risk management of credit in small and micro enterprises,” https://www.fedai.org/cases/utilization-of-fate-in-riskman agement-of-credit-in-small-and-micro-enterprises/, 2019

    2019

  9. [9]

    Secure single-server aggregation with (poly) logarithmic overhead,

    J. H. Bell, K. A. Bonawitz, A. Gasc ´on, T. Lepoint, and M. Raykova, “Secure single-server aggregation with (poly) logarithmic overhead,” in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020, pp. 1253–1269

    2020

  10. [10]

    Ppfl: privacy-preserving federated learning with trusted execution environments,

    F. Mo, H. Haddadi, K. Katevas, E. Marin, D. Perino, and N. Kourtel- lis, “Ppfl: privacy-preserving federated learning with trusted execution environments,” 2021

    2021

  11. [11]

    Microsoft azure confidential computing with intel sgx,

    “Microsoft azure confidential computing with intel sgx,” https://softwa re.intel.com/content/www/us/en/develop/blogs/microsoft-azure-confiden tial-computing-with-intel-sgx.html, 2020

    2020

  12. [12]

    Distributed learning in trusted execution environment: A case study of federated learning in sgx,

    T. Xu, K. Zhu, A. Andrzejak, and L. Zhang, “Distributed learning in trusted execution environment: A case study of federated learning in sgx,” in2021 7th IEEE International Conference on Network Intelli- gence and Digital Content (IC-NIDC), 2021

    2021

  13. [13]

    Efficient and private federated learning using tee,

    F. Mo and H. Haddadi, “Efficient and private federated learning using tee,” inEuroSys, 2019

    2019

  14. [14]

    Shufflefl: Gradient- preserving federated learning using trusted execution environment,

    Y . Zhang, Z. Wang, J. Cao, R. Hou, and D. Meng, “Shufflefl: Gradient- preserving federated learning using trusted execution environment,” in Proceedings of the 18th ACM international conference on computing frontiers, 2021

    2021

  15. [15]

    When federated learning meets blockchain: A new distributed learning paradigm,

    C. Ma, J. Li, L. Shi, M. Ding, T. Wang, Z. Han, and H. V . Poor, “When federated learning meets blockchain: A new distributed learning paradigm,”IEEE Computational Intelligence Magazine, 2022

    2022

  16. [16]

    Client selection in federated learning: Convergence analysis and power-of-choice selection strategies,

    Y . J. Cho, J. Wang, and G. Joshi, “Client selection in federated learning: Convergence analysis and power-of-choice selection strategies,”arXiv preprint arXiv:2010.01243, 2020

    arXiv 2010

  17. [17]

    Lotto: Secure participant selection against adversarial servers in federated learning,

    Z. Jiang, P. Ye, S. He, W. Wang, R. Chen, and B. Li, “Lotto: Secure participant selection against adversarial servers in federated learning,”

  18. [18]

    Available: https://arxiv.org/abs/2401.02880

    [Online]. Available: https://arxiv.org/abs/2401.02880

    arXiv

  19. [19]

    Towards understanding biased client selection in federated learning,

    Y . Jee Cho, J. Wang, and G. Joshi, “Towards understanding biased client selection in federated learning,” inProceedings of The 25th International Conference on Artificial Intelligence and Statistics, ser. Proceedings of Machine Learning Research, G. Camps-Valls, F. J. R. Ruiz, and I. Valera, Eds., vol. 151. PMLR, 28–30 Mar 2022, pp. 10 351–10 375. [Onlin...

    2022

  20. [20]

    ROTE: Rollback protection for trusted execution,

    S. Matetic, M. Ahmed, K. Kostiainen, A. Dhar, D. Sommer, A. Gervais, A. Juels, and S. Capkun, “ROTE: Rollback protection for trusted execution,” in26th USENIX Security Symposium (USENIX Security), 2017

    2017

  21. [21]

    Narrator: Secure and practical state continuity for trusted execution in the cloud,

    J. Niu, W. Peng, X. Zhang, and Y . Zhang, “Narrator: Secure and practical state continuity for trusted execution in the cloud,” 2022. 15

    2022

  22. [22]

    Nimble: Rollback protection for confidential cloud services,

    S. Angel, A. Basu, W. Cui, T. Jaeger, S. Lau, S. Setty, and S. Singanamalla, “Nimble: Rollback protection for confidential cloud services,” in17th USENIX Symposium on Operating Systems Design and Implementation (OSDI 23). Boston, MA: USENIX Association, Jul. 2023, pp. 193–208. [Online]. Available: https: //www.usenix.org/conference/osdi23/presentation/angel

    2023

  23. [23]

    Client selection in federated learning: Principles, challenges, and opportunities,

    L. Fu, H. Zhang, G. Gao, M. Zhang, and X. Liu, “Client selection in federated learning: Principles, challenges, and opportunities,”IEEE Internet of Things Journal, 2023

    2023

  24. [24]

    Client selection for federated learning with heterogeneous resources in mobile edge,

    T. Nishio and R. Yonetani, “Client selection for federated learning with heterogeneous resources in mobile edge,” inICC 2019-2019 IEEE international conference on communications (ICC). IEEE, 2019, pp. 1–7

    2019

  25. [25]

    Towards understanding biased client selection in federated learning,

    Y . J. Cho, J. Wang, and G. Joshi, “Towards understanding biased client selection in federated learning,” 2022

    2022

  26. [26]

    Google workshop on federated learning and analytics,

    “Google workshop on federated learning and analytics,” 2020. [Online]. Available: https://docs.google.com/document/d/1dWzVeFLrPinonQMa uxIo0oI-Vbvqup5cZzgdPXvu97Y/edit#heading=h.7dsxad3c3nf7

    2020

  27. [27]

    Meta-fl: A novel meta-learning framework for optimizing heterogeneous model aggregation in federated learning,

    Z. Alsulaimawi, “Meta-fl: A novel meta-learning framework for optimizing heterogeneous model aggregation in federated learning,”

  28. [28]

    Available: https://arxiv.org/abs/2406.16035

    [Online]. Available: https://arxiv.org/abs/2406.16035

    arXiv

  29. [29]

    Local model poisoning attacks to byzantine-robust federated learning

    M. Fang, X. Cao, J. Jia, and N. Z. Gong, “Local model poisoning attacks to byzantine-robust federated learning.” USENIX Association, 2020

    2020

  30. [30]

    Back to the drawing board: A critical evaluation of poisoning attacks on production federated learning,

    V . Shejwalkar, A. Houmansadr, P. Kairouz, and D. Ramage, “Back to the drawing board: A critical evaluation of poisoning attacks on production federated learning,” 2022

    2022

  31. [31]

    Data poisoning attacks against federated learning systems,

    V . Tolpegin, S. Truex, M. E. Gursoy, and L. Liu, “Data poisoning attacks against federated learning systems,” 2020

    2020

  32. [32]

    How to backdoor federated learning,

    E. Bagdasaryan, A. Veit, Y . Hua, D. Estrin, and V . Shmatikov, “How to backdoor federated learning,” 2020

    2020

  33. [33]

    Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,

    M. Nasr, R. Shokri, and A. Houmansadr, “Comprehensive privacy analysis of deep learning: Passive and active white-box inference attacks against centralized and federated learning,” 2019

    2019

  34. [34]

    Source inference attacks in federated learning,

    H. Hu, Z. Salcic, L. Sun, G. Dobbie, and X. Zhang, “Source inference attacks in federated learning,” 2021

    2021

  35. [35]

    Ex- ploiting unintended property leakage in blockchain-assisted federated learning for intelligent edge computing,

    M. Shen, H. Wang, B. Zhang, L. Zhu, K. Xu, Q. Li, and X. Du, “Ex- ploiting unintended property leakage in blockchain-assisted federated learning for intelligent edge computing,”IEEE Internet Things J., 2021

    2021

  36. [36]

    Exploiting unintended feature leakage in collaborative learning,

    L. Melis, C. Song, E. D. Cristofaro, and V . Shmatikov, “Exploiting unintended feature leakage in collaborative learning,” 2019

    2019

  37. [37]

    Inverting gradients - how easy is it to break privacy in federated learning?

    J. Geiping, H. Bauermeister, H. Dr ¨oge, and M. Moeller, “Inverting gradients - how easy is it to break privacy in federated learning?” 2020

    2020

  38. [38]

    Ma- chine learning with adversaries: Byzantine tolerant gradient descent,

    P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J. Stainer, “Ma- chine learning with adversaries: Byzantine tolerant gradient descent,” Advances in neural information processing systems, 2017

    2017

  39. [39]

    Beebe, Laurence A

    J. Le, D. Zhang, X. Lei, L. Jiao, K. Zeng, and X. Liao, “Privacy-preserving federated learning with malicious clients and honest-but-curious servers,”IEEE Trans. Inf. Forensics Secur., vol. 18, pp. 4329–4344, 2023. [Online]. Available: https://doi.org/10.1109/TIFS .2023.3295949

    work page doi:10.1109/tifs 2023

  40. [40]

    Practical secure aggregation for privacy-preserving machine learning,

    K. Bonawitz, V . Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth, “Practical secure aggregation for privacy-preserving machine learning,” 2017

    2017

  41. [41]

    Vfl: A verifiable federated learning with privacy-preserving for big data in industrial iot,

    A. Fu, X. Zhang, N. Xiong, Y . Gao, H. Wang, and J. Zhang, “Vfl: A verifiable federated learning with privacy-preserving for big data in industrial iot,”IEEE Transactions on Industrial Informatics, 2020

    2020

  42. [42]

    Fast- secagg: Scalable secure aggregation for privacy-preserving federated learning,

    S. Kadhe, N. Rajaraman, O. O. Koyluoglu, and K. Ramchandran, “Fast- secagg: Scalable secure aggregation for privacy-preserving federated learning,”arXiv preprint arXiv:2009.11248, 2020

    arXiv 2009

  43. [43]

    Turbo-aggregate: Breaking the quadratic aggregation barrier in secure federated learning,

    J. So, B. G ¨uler, and A. S. Avestimehr, “Turbo-aggregate: Breaking the quadratic aggregation barrier in secure federated learning,”IEEE Journal on Selected Areas in Information Theory, 2021

    2021

  44. [44]

    Practical secure aggregation for privacy-preserving machine learning

    K. A. Bonawitz, V . Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth, “Practical secure aggregation for privacy-preserving machine learning.” ACM, 2017

    2017

  45. [45]

    Prio: Private, robust, and scalable computation of aggregate statistics,

    H. Corrigan-Gibbs and D. Boneh, “Prio: Private, robust, and scalable computation of aggregate statistics,” in14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017, Boston, MA, USA, March 27-29, 2017, A. Akella and J. Howell, Eds. USENIX Association, 2017, pp. 259–282. [Online]. Available: https://www.usen ix.org/conference/nsdi17...

    2017

  46. [46]

    Giving state to the stateless: Augmenting trustworthy computation with ledgers,

    G. Kaptchuk, I. Miers, and M. Green, “Giving state to the stateless: Augmenting trustworthy computation with ledgers,” 2019

    2019

  47. [47]

    Idea: State-continuous transfer of state in protected-module architectures,

    R. Strackx and N. Lambrigts, “Idea: State-continuous transfer of state in protected-module architectures,” 2015

    2015

  48. [48]

    ADAM-CS: Advanced asynchronous monotonic counter service,

    A. Martin, C. Lian, F. Gregor, R. Krahn, V . Schiavoni, P. Felber, and C. Fetzer, “ADAM-CS: Advanced asynchronous monotonic counter service,” 2021

    2021

  49. [49]

    Learning multiple layers of features from tiny images,

    A. Krizhevsky, “Learning multiple layers of features from tiny images,” University of Toronto, 05 2012

    2012

  50. [50]

    Time-sensitive learning for heterogeneous federated edge intelligence,

    Y . Xiao, X. Zhang, Y . Li, G. Shi, M. Krunz, D. N. Nguyen, and D. T. Hoang, “Time-sensitive learning for heterogeneous federated edge intelligence,”IEEE Transactions on Mobile Computing, vol. 23, no. 2, p. 1382–1400, Feb. 2024. [Online]. Available: http://dx.doi.org/10.1109/TMC.2023.3237374

    work page doi:10.1109/tmc.2023.3237374 2024

  51. [51]

    Olive: Oblivious federated learning on trusted execution environment against the risk of sparsification,

    F. Kato, Y . Cao, and M. Yoshikawa, “Olive: Oblivious federated learning on trusted execution environment against the risk of sparsification,” Proc. VLDB Endow., vol. 16, no. 10, pp. 2404–2417, 2023. [Online]. Available: https://www.vldb.org/pvldb/vol16/p2404-kato.pdf

    2023

  52. [52]

    Papaya: Practical, private, and scalable federated learning,

    D. Huba, J. Nguyen, K. Malik, R. Zhu, M. Rabbat, A. Yousefpour, C.-J. Wu, H. Zhan, P. Ustinov, H. Srinivaset al., “Papaya: Practical, private, and scalable federated learning,”Proceedings of Machine Learning and Systems, vol. 4, pp. 814–832, 2022

    2022

  53. [53]

    Deta: Minimizing data leaks in federated learning via decentralized and trustworthy aggregation,

    P.-C. Cheng, K. Eykholt, Z. Gu, H. Jamjoom, K. Jayaram, E. Valdez, and A. Verma, “Deta: Minimizing data leaks in federated learning via decentralized and trustworthy aggregation,” inProceedings of the Nineteenth European Conference on Computer Systems, 2024, pp. 219– 235

    2024

  54. [54]

    Confidential federated computations,

    H. Eichner, D. Ramage, K. Bonawitz, D. Huba, T. Santoro, B. McLarnon, T. Van Overveldt, N. Fallen, P. Kairouz, A. Cheu et al., “Confidential federated computations,”arXiv preprint arXiv:2404.10764, 2024

    arXiv 2024

  55. [55]

    The sybil attack,

    J. R. Douceur, “The sybil attack,” 2002

    2002

  56. [56]

    Brief announcement: Byzantine-tolerant machine learning,

    P. Blanchard, E. M. E. Mhamdi, R. Guerraoui, and J. Stainer, “Brief announcement: Byzantine-tolerant machine learning,” 2017

    2017

  57. [57]

    Practical byzantine fault tolerance,

    M. Castro, B. Liskovet al., “Practical byzantine fault tolerance,” 1999

    1999

  58. [58]

    HotStuff: BFT consensus with linearity and responsiveness,

    M. Yin, D. Malkhi, M. K. Reiter, G. G. Gueta, and I. Abraham, “HotStuff: BFT consensus with linearity and responsiveness,”PODC ’19, pp. 347–356, 2019

    2019

  59. [59]

    Fast-HotStuff: A fast and robust bft protocol for blockchains,

    M. M. Jalalzai, J. Niu, C. Feng, and F. Gai, “Fast-HotStuff: A fast and robust bft protocol for blockchains,”IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 4, pp. 2478–2493, 2024

    2024

  60. [60]

    Ladon: High-Performance Multi-BFT Consensus via Dynamic Global Ordering,

    H. Lyu, S. Xie, J. Niu, C. Feng, Y . Zhang, and I. Beschastnikh, “Ladon: High-Performance Multi-BFT Consensus via Dynamic Global Ordering,” inEuroSys, 2025

    2025

  61. [61]

    Byzantine- robust and privacy-preserving framework for fedml,

    H. Hashemi, Y . Wang, C. Guo, and M. Annavaram, “Byzantine- robust and privacy-preserving framework for fedml,”arXiv preprint arXiv:2105.02295, 2021

    arXiv 2021

  62. [62]

    Damysus: Streamlined BFT consensus leveraging trusted components,

    J. Decouchant, D. Kozhaya, V . Rahli, and J. Yu, “Damysus: Streamlined BFT consensus leveraging trusted components,” 2022

    2022

  63. [63]

    Salticidae: minimal C++ asynchronous network library,

    “Salticidae: minimal C++ asynchronous network library,” https://github .com/Determinant/salticidae, retrieved May, 2023

    2023

  64. [64]

    Secretflow: A unified framework for privacy-preserving data analysis and machine learning,

    “Secretflow: A unified framework for privacy-preserving data analysis and machine learning,” https://github.com/secretflow/secretflow, 2019

    2019

  65. [65]

    {FLAME}: Taming backdoors in federated learning,

    T. D. Nguyen, P. Rieger, H. Chen, H. Yalame, H. M ¨ollering, H. Fer- eidooni, S. Marchal, M. Miettinen, A. Mirhoseini, S. Zeitouniet al., “{FLAME}: Taming backdoors in federated learning,” in31st USENIX security symposium (USENIX Security 22), 2022, pp. 1415–1432

    2022

  66. [66]

    Fldetector: Defending federated learning against model poisoning attacks via detecting ma- licious clients,

    Z. Zhang, X. Cao, J. Jia, and N. Z. Gong, “Fldetector: Defending federated learning against model poisoning attacks via detecting ma- licious clients,” inProceedings of the 28th ACM SIGKDD conference on knowledge discovery and data mining, 2022, pp. 2545–2555

    2022

  67. [67]

    Fedrecover: Recovering from poisoning attacks in federated learning using historical information,

    X. Cao, J. Jia, Z. Zhang, and N. Z. Gong, “Fedrecover: Recovering from poisoning attacks in federated learning using historical information,” in 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023, pp. 1366–1383

    2023

  68. [68]

    Fedredefense: Defending against model poisoning attacks for federated learning using model update reconstruction error

    Y . Xie, M. Fang, and N. Z. Gong, “Fedredefense: Defending against model poisoning attacks for federated learning using model update reconstruction error.” International Conference on Machine Learning, 2024

    2024

  69. [69]

    Boba: Byzantine-robust federated learning with label skewness,

    W. Bao, J. Wu, and J. He, “Boba: Byzantine-robust federated learning with label skewness,” inInternational Conference on Artificial Intelli- gence and Statistics. PMLR, 2024, pp. 892–900

    2024

  70. [70]

    An experimental study of byzantine- robust aggregation schemes in federated learning,

    S. Li, E. C.-H. Ngai, and T. V oigt, “An experimental study of byzantine- robust aggregation schemes in federated learning,”IEEE Transactions on Big Data, vol. 10, no. 6, pp. 975–988, 2023

    2023

  71. [71]

    Differentially private federated learning: A client level perspective,

    R. C. Geyer, T. Klein, and M. Nabi, “Differentially private federated learning: A client level perspective,”arXiv preprint arXiv:1712.07557, 2017

    Pith/arXiv arXiv 2017

  72. [72]

    Federated learning with differential privacy: Algorithms 16 and performance analysis,

    K. Wei, J. Li, M. Ding, C. Ma, H. H. Yang, F. Farokhi, S. Jin, T. Q. Quek, and H. V . Poor, “Federated learning with differential privacy: Algorithms 16 and performance analysis,”IEEE Transactions on Information Forensics and Security, 2020

    2020

  73. [73]

    Toward robustness and privacy in federated learning: Experimenting with local and central differential privacy,

    M. Naseri, J. Hayes, and E. De Cristofaro, “Toward robustness and privacy in federated learning: Experimenting with local and central differential privacy,”arXiv preprint arXiv:2009.03561, 2020

    arXiv 2009

  74. [74]

    Bvdfed: Byzantine-resilient and verifiable aggregation for differentially private federated learning,

    X. Gao, S. Fu, L. Liu, and Y . Luo, “Bvdfed: Byzantine-resilient and verifiable aggregation for differentially private federated learning,” Frontiers of Computer Science, vol. 18, no. 5, p. 185810, 2024

    2024

  75. [75]

    Secfl: Confidential federated learning using tees,

    D. L. Quoc and C. Fetzer, “Secfl: Confidential federated learning using tees,”arXiv preprint arXiv:2110.00981, 2021

    arXiv 2021

  76. [76]

    Federated learning: Opportunities and challenges,

    P. M. Mammen, “Federated learning: Opportunities and challenges,” arXiv preprint arXiv:2101.05428, 2021

    arXiv 2021

  77. [77]

    Sok: Machine learning with confidential computing,

    F. Mo, Z. Tarkhani, and H. Haddadi, “Sok: Machine learning with confidential computing,”arXiv preprint arXiv:2208.10134, 2022

    arXiv 2022

  78. [78]

    Enabling execution assurance of federated learning at untrusted participants,

    X. Zhang, F. Li, Z. Zhang, Q. Li, C. Wang, and J. Wu, “Enabling execution assurance of federated learning at untrusted participants,” in IEEE INFOCOM 2020-IEEE Conference on Computer Communications, 2020

    2020

  79. [79]

    Privacy-preserving and robust federated deep metric learning,

    Y . Tian, X. Ke, Z. Tao, S. Ding, F. Xu, Q. Li, H. Han, S. Zhong, and X. Fu, “Privacy-preserving and robust federated deep metric learning,” in30th IEEE/ACM International Symposium on Quality of Service, IWQoS 2022, Oslo, Norway, June 10-12, 2022. IEEE, 2022, pp. 1–11. [Online]. Available: https://doi.org/10.1109/IWQoS54832.2022.9812909

    work page doi:10.1109/iwqos54832.2022.9812909 2022

  80. [80]

    Kwon, Jagmohan Chauhan, Abhishek Kumar, Pan Hui HKUST, and Cecilia Mascolo

    E. N. Kuznetsov, Y . Chen, and M. Zhao, “Securefl: Privacy preserving federated learning with SGX and trustzone,” in6th IEEE/ACM Symposium on Edge Computing, SEC 2021, San Jose, CA, USA, December 14-17, 2021. IEEE, 2021, pp. 55–67. [Online]. Available: https://doi.org/10.1145/3453142.3491287

    work page doi:10.1145/3453142.3491287 2021

Showing first 80 references.