VerifiableFL: Verifiable Claims for Federated Learning using Exclaves
In federated learning (FL), data providers jointly train a machine learning model without sharing their training data. This makes it challenging to provide verifiable claims about the trained FL model, e.g., related to the employed training data, any data sanitization, or the correct training algorithm: a malicious data provider can simply deviate from the correct training protocol without detection. While prior FL training systems have explored the use of trusted execution environments (TEEs) to protect the training computation, such approaches rely on both the confidentiality and the integrity of TEEs. The confidentiality guarantees of TEEs, however, have been shown to be vulnerable to a wide range of attacks, such as side-channel attacks. We describe VerifiableFL, a system for training FL models that establishes verifiable claims about trained FL models with the help of fine-grained runtime attestation proofs. Since these runtime attestation proofs only require integrity protection, VerifiableFL generates them using the new abstraction of exclaves. Exclaves are integrity-only execution environments, which do not contain software-managed secrets and thus are immune to data leakage attacks. VerifiableFL uses exclaves to attest individual data transformations during FL training without relying on confidentiality guarantees. The runtime attestation proofs then form an attested dataflow graph of the entire FL model training computation. The graph is checked by an auditor to ensure that the trained FL model satisfies its claims, such as the use of data sanitization by data providers or correct aggregation by the model provider. VerifiableFL extends the NVFlare FL framework to use exclaves. We show that VerifiableFL introduces less than 12% overhead compared to unprotected FL training.
💡 Research Summary
VerifiableFL tackles the problem of providing trustworthy, verifiable claims about models trained via federated learning (FL), where multiple data owners jointly train a model without sharing raw data. Traditional approaches that rely on trusted execution environments (TEEs) such as Intel SGX or AMD SEV‑SNP focus on static attestation at deployment time and on guaranteeing both confidentiality and integrity. The authors argue that static attestation cannot capture dynamic deviations (e.g., a data provider skipping a sanitization step), and that confidentiality guarantees are fragile in the face of side‑channel attacks. Because such attacks can leak software‑managed secrets inside the TEE, including the keys used to produce attestation proofs, a confidentiality failure can also undermine the integrity of the proofs themselves.
To overcome these limitations, the paper introduces a new hardware abstraction called an exclave. An exclave provides integrity‑only protection: it guarantees that code and data transformations are executed exactly as measured, but it does not attempt to keep the data secret from the operator. The hardware holds a signing key that is never exposed to software, allowing the exclave to produce cryptographic signatures over runtime measurements. Because the security model does not depend on confidentiality, even if an attacker reads all data inside the exclave (or extracts it via side‑channels), the attestation remains trustworthy.
VerifiableFL integrates exclaves into the FL training pipeline. For every data transformation (data pre‑processing, local model training, differential‑privacy noise addition, robust aggregation) an Exclave Data Record (EDR) is generated. An EDR binds together (i) a hash of the input data, (ii) a hash of the code that performed the transformation, and (iii) a hash of the resulting output, all signed by the hardware. Because each record's input hashes refer to the output hashes of earlier records, the EDRs chain together into an Exclave Data Flow Graph (EDG) that represents the entire end‑to‑end dataflow of the FL job. A third‑party auditor can later verify the EDG using only the records (hashes and signatures, never the training data itself) to confirm claims such as "all providers applied the required sanitization step" or "the model provider ran the agreed aggregation code".
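To make the exclave and EDR/EDG mechanics of the two paragraphs above concrete, here is an added toy implementation in Python. It is not the paper's code and does not follow NVFlare or the authors' record format: the EDR field names, the use of SHA‑256 for the hashes, the "sanitize → train → aggregate" policy, and the sample data are all assumptions made for this illustration. In particular, an HMAC with a key the example holds in memory stands in for the hardware signature; a real exclave would sign with an asymmetric key that software never sees, and the auditor would hold only the public key. What the example does show is the part that matters for the paper's argument: the auditor's check consumes only hashes and signatures, so it works even if every byte processed inside the exclave is public, and both a skipped sanitization step and a tampered record are caught.

```python
"""Toy Exclave Data Records (EDRs), an attested dataflow graph (EDG), and an
auditor check. Added illustration, not the paper's code; see assumptions below."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace

# ASSUMPTION: stand-in for the hardware-held signing key. In a real exclave the
# key never leaves hardware and an asymmetric signature is used; HMAC is used
# here only so the example runs offline with the standard library.
HW_KEY = b"toy-exclave-signing-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class EDR:
    """Exclave Data Record. Field names are this example's assumption."""
    step: str            # transformation name, e.g. "sanitize", "train"
    code_hash: str       # hash of the code the exclave executed
    input_hashes: tuple  # hashes of the consumed inputs
    output_hash: str     # hash of the produced output
    sig: str = ""        # hardware signature over the other four fields

    def payload(self) -> bytes:
        fields = asdict(self)
        del fields["sig"]
        return json.dumps(fields, sort_keys=True).encode()


def attest(step: str, code: bytes, inputs: list, output: bytes) -> EDR:
    """Executed inside the exclave: measure code, inputs and output, then sign."""
    rec = EDR(step, sha256(code), tuple(sha256(i) for i in inputs), sha256(output))
    return replace(rec, sig=hmac.new(HW_KEY, rec.payload(), "sha256").hexdigest())


# Constructed stand-ins for the code each step runs (only their hashes matter).
SANITIZE_CODE = b"def sanitize(rows): return [r for r in rows if r.is_valid()]"
TRAIN_CODE = b"def train(rows, global_model): return local_update(rows, global_model)"
AGG_CODE = b"def aggregate(updates): return trimmed_mean(updates)"
EXPECTED_CODE = {
    "sanitize": sha256(SANITIZE_CODE),
    "train": sha256(TRAIN_CODE),
    "aggregate": sha256(AGG_CODE),
}


def build_edg(provider_skips_sanitize: bool = False) -> list:
    """Build the EDG of one FL round with two data providers (constructed data).
    With provider_skips_sanitize=True, the second provider trains on raw data."""
    edg, updates = [], []
    for name in ("hospital_a", "hospital_b"):
        raw = f"raw records of {name}".encode()
        if provider_skips_sanitize and name == "hospital_b":
            model_in = raw  # malicious deviation: sanitization step skipped
        else:
            clean = raw + b" (sanitized)"
            edg.append(attest("sanitize", SANITIZE_CODE, [raw], clean))
            model_in = clean
        update = b"model update from " + model_in
        edg.append(attest("train", TRAIN_CODE, [model_in], update))
        updates.append(update)
    edg.append(attest("aggregate", AGG_CODE, updates, b"global model " + b"".join(updates)))
    return edg


def tamper_aggregator(edg: list) -> list:
    """Model provider swaps in different aggregation code but cannot re-sign."""
    return edg[:-1] + [replace(edg[-1], code_hash=sha256(b"biased aggregation"))]


def audit(edg: list, expected_code: dict) -> tuple:
    """Auditor side: sees only the EDRs, never the training data.
    Checks (1) every record carries a valid signature, (2) every step ran the
    expected code, (3) every train step consumed only attested sanitize output,
    (4) the aggregator consumed only attested train output."""
    produced = {}
    for r in edg:
        expect = hmac.new(HW_KEY, r.payload(), "sha256").hexdigest()
        if not hmac.compare_digest(expect, r.sig):
            return False, f"invalid signature on {r.step} record"
        if expected_code.get(r.step) != r.code_hash:
            return False, f"unexpected code for step {r.step}"
        produced[r.output_hash] = r
    required_predecessor = {"train": "sanitize", "aggregate": "train"}
    for r in edg:
        if r.step in required_predecessor:
            for ih in r.input_hashes:
                pred = produced.get(ih)
                if pred is None or pred.step != required_predecessor[r.step]:
                    return False, (f"{r.step} consumed input not produced by an "
                                   f"attested {required_predecessor[r.step]} step")
    return True, "all claims hold"


if __name__ == "__main__":
    print(audit(build_edg(), EXPECTED_CODE))
    print(audit(build_edg(provider_skips_sanitize=True), EXPECTED_CODE))
    print(audit(tamper_aggregator(build_edg()), EXPECTED_CODE))
```

The skipped-sanitization case fails because the raw data hash consumed by the second provider's train record was never produced by any attested sanitize record, and the tampering case fails because the signature no longer matches the modified payload. Neither check needed the data to be secret, which is the reason the paper can drop confidentiality and keep only integrity.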
The prototype extends NVIDIA's NVFlare FL framework. Since current commercial hardware does not expose a pure exclave primitive, the authors implement a variant using AMD's SEV‑SNP virtual TPM feature, which offers similar integrity‑only guarantees with slightly weaker security properties. The performance evaluation shows that running FL inside exclaves and generating EDRs incurs less than 12% overhead compared to an unprotected baseline, making the approach practical for real‑world deployments.
In summary, VerifiableFL demonstrates that runtime, integrity‑only attestation can replace the more heavyweight confidentiality‑focused TEEs for the purpose of verifying FL training processes. By providing fine‑grained, cryptographically signed evidence of every transformation, the system enables regulators, model consumers, and other stakeholders to audit federated training pipelines without relying on reputational trust or costly re‑training. The work opens a path toward standardized, auditable FL deployments that satisfy emerging regulatory requirements such as the EU AI Act. Future directions include hardware standardization of exclave primitives and automated policy languages for expressing complex training‑process claims.