基于可信执行环境的联邦学习平台

doi:10.3969/j.issn.1671-1122.2026.05.010

摘要/Abstract

摘要：

为评估不同的隐私增强技术在联邦学习中的安全-效率-精度权衡,文章面向典型视觉任务构建了基于可信执行环境的联邦学习平台。该平台以Intel可信域扩展（TDX）和软件防护扩展（SGX）为核心架构,并引入同态加密（HE）与安全多方计算（MPC）作为性能对比基准。在CIFAR-10数据集与ResNet-18模型的高维视觉任务场景下,文章利用该平台进行了对比实验。实验结果表明,在保持基线精度的前提下,基于TDX的方案在提供虚拟机级硬件保护的同时,仅引入约1.3%的端到端时延,综合表现优于 SGX、HE与MPC。尽管 HE 提供了可形式化验证的安全性,但将单轮训练时延与通信开销分别提升至基线的约9倍与21倍,系统负载增加显著；MPC则在时间与通信开销间存在局限。文章明确了各类技术方案的适用边界,对于高维模型的安全聚合场景,TDX是平衡安全需求与性能开销的一个有利选项。

关键词: 联邦学习, 隐私保护, 机密计算, 可信执行环境

Abstract:

This paper presented a confidential federated learning platform (CFLP) based on trusted execution environments (TEEs) for typical vision tasks, aiming to evaluate the security-efficiency-accuracy trade-off of different privacy-enhancing technologies in federated learning. The platform utilized intel trust domain extensions (TDX) and software guard extensions (SGX) as its core architecture, while incorporating homomorphic encryption (HE) and secure multi-party computation (MPC) as performance comparison benchmarks. Systematic comparative experiments were conducted using this platform in high-dimensional vision task scenarios involving the CIFAR-10 dataset and the ResNet-18 model. The results indicate that, while maintaining baseline accuracy, the TDX-based TEE scheme provided virtual-machine-level hardware protection with only an approximately 1.3% increase in end-to-end latency, outperforming SGX, HE, and MPC in comprehensive performance. Although HE offers formally verifiable security, it increased the single-round training latency and communication overhead to approximately 9 times and 21 times that of the baseline, respectively, resulting in significant computational overhead. MPC exhibited limitations in the trade-off between time and communication costs. This study clarifies the applicable boundaries of various technical solutions, demonstrating that for secure aggregation scenarios involving high-dimensional models, TDX is a favorable option for balancing security requirements and performance overhead.

Key words: federated learning, privacy protection, confidential computing, trusted execution environment

中图分类号:

TP309

李子豪, 张锋巍. 基于可信执行环境的联邦学习平台[J]. 信息网络安全, 2026, 26(5): 788-808.

LI Zihao, ZHANG Fengwei. TEE-Based Federated Learning Platform[J]. Netinfo Security, 2026, 26(5): 788-808.

图/表 19

图1

图2

表1

图3

表2

图4

图5

图6

图7

图8

图9

表3

表4

表5

图10

图11

表6

图12

表7

参考文献 39

[1]	SHOKRI R, SHMATIKOV V.Privacy-Preserving Deep Learning[C]//ACM. The 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015: 1310-1321.
[2]	MCMAHAN B, MOORE E, RAMAGE D, et al. Communication-Efficient Learning of Deep Networks from Decentralized Data[C]//PMLR.The 20th International Conference on Artificial Intelligence and Statistics. New York: PMLR, 2017: 1273-1282.
[3]	YANG Li, ZHU Lingbo, YU Yueming, et al. Review of Federated Learning and Offensive-Defensive Confrontation[J]. Netinfo Security, 2023, 23(12): 69-90.
	杨丽, 朱凌波, 于越明, 等. 联邦学习与攻防对抗综述[J]. 信息网络安全, 2023, 23(12): 69-90.
[4]	HITAJ B, ATENIESE G, PEREZ-CRUZ F. Deep Models under the GAN: Information Leakage from Collaborative Deep Learning[C]//ACM. The 24th ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 603-618.
[5]	GILAD-BACHRACH R, DOWLIN N, LAINE K, et al. Cryptonets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy[C]//PMLR. The 33rd International Conference on Machine Learning. New York: PMLR, 2016: 201-210.
[6]	SHEN Youren, TIAN Hongliang, CHEN Yu, et al. Occlum: Secure and Efficient Multitasking inside a Single Enclave of Intel SGX[C]// ACM. The Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. New York: ACM, 2020: 955-970.
[7]	KAIROUZ P, MCMAHAN H B, AVENT B, et al. Advances and Open Problems in Federated Learning[J]. Foundations and Trends® in Machine Learning, 2021, 14(1-2): 1-210. doi: 10.1561/MAL URL
[8]	HE Zeping, XU Jian, DAI Hua, et al. A Review of Federated Learning Application Technologies[J]. Netinfo Security, 2024, 24(12): 1831-1844.
	何泽平, 许建, 戴华, 等. 联邦学习应用技术研究综述[J]. 信息网络安全, 2024, 24(12): 1831-1844.
[9]	LIU Yang, KANG Yan, ZOU Tianyuan, et al. Vertical Federated Learning: Concepts, Advances, and Challenges[J]. IEEE Transactions on Knowledge and Data Engineering, 2024, 36(7): 3615-3634. doi: 10.1109/TKDE.2024.3352628 URL
[10]	GAO Ying, CHEN Xiaofeng, ZHANG Yiyu, et al. A Survey of Attack and Defense Techniques for Federated Learning Systems[J]. Chinese Journal of Computers, 2023, 46(9): 1781-1805.
	高莹, 陈晓峰, 张一余, 等. 联邦学习系统攻击与防御技术研究综述[J]. 计算机学报, 2023, 46(9): 1781-1805.
[11]	BONAWITZ K, IVANOV V, KREUTER B, et al.Practical Secure Aggregation for Privacy-Preserving Machine Learning[C]// ACM. The 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 1175-1191.
[12]	LI Yipeng, LYU Xinchen. Convergence Analysis of Sequential Federated Learning on Heterogeneous Data[J]. Advances in Neural Information Processing Systems, 2023, 36: 56700-56755.
[13]	NING Zhenyu, ZHANG Fengwei, SHI Weisong. Research on Trusted Execution Environment Based on Edge Computing[J]. Journal of Computer Research and Development, 2019, 56(7): 1441-1453.
	宁振宇, 张锋巍, 施巍松. 基于边缘计算的可信执行环境研究[J]. 计算机研究与发展, 2019, 56(7): 1441-1453.
[14]	ARM Limited. TrustZone for Armv8-A[EB/OL]. [2025-11-31]. https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/Learn%20the%20Architecture/TrustZone%20for%20Armv8-A.pdf.
[15]	COSTAN V, DEVADAS S. Intel SGX Explained[R].IACR, Cryptology ePrint Archive, Report 2016/086, 2016.
[16]	Intel Corporation. Intel Trust Domain Extensions[EB/OL]. (2021-05-01)[2025-12-10]. https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/documentation.html.
[17]	MCKEEN F, ALEXANDROVICH I, BERENZON A, et al.Innovative Instructions and Software Model for Isolated Execution[C]//ACM. The 2nd International Workshop on Hardware and Architectural Support for Security and Privacy. New York: ACM, 2013: 10.
[18]	TSAI C, PORTER D E, VIJ M.Graphene-SGX: A Practical Library OS for Unmodified Applications on SGX[C]//USENIX. 2017 USENIX Annual Technical Conference. Berkeley: USENIX, 2017: 645-658.
[19]	PINTO S, SANTOS N. Demystifying Arm TrustZone: A Comprehensive Survey[J]. ACM Computing Surveys, 2019, 51(6): 1-36.
[20]	LIPP M. Cache Attacks and Rowhammer on ARM[D]. Graz: Graz University of Technology, 2016.
[21]	ARM LTD. ARM TrustZone for Cortex-A: Technical Reference Manual[D]. Cambridge: ARM Ltd, Revision r1p0, 2022.
[22]	LI Mengyuan, ZHANG Yinqian, WANG Huibo, et al. CIPHERLEAKS: Breaking Constant-Time Cryptography on AMD SEV via the Ciphertext Side Channel[C]//USENIX. The 30th USENIX Security Symposium (USENIX Security 21). Berkeley: USENIX, 2021: 717-732.
[23]	ZHANG Yiming, HU Yuxin, NING Zhenyu, et al. SHELTER: Extending ARM CCA with Isolation in User Space[C]//USENIX. The 32nd USENIX Security Symposium (USENIX Security 23). Berkeley: USENIX, 2023: 6257-6274.
[24]	ZHANG Fengwei, ZHOU Lei, ZHANG Yiming, et al. Trusted Execution Environment: Status and Prospects[J]. Journal of Computer Research and Development, 2024, 61(1): 243-260.
	张锋巍, 周雷, 张一鸣, 等. 可信执行环境:现状与展望[J]. 计算机研究与发展, 2024, 61(1): 243-260.
[25]	VAN BULCK J, PIESSENS F, STRACKX R. SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control[C]//ACM. The 2nd Workshop on System Software for Trusted Execution. New York: ACM, 2017: 1-6.
[26]	BAUMANN A, PEINADO M, HUNT G. Shielding Applications from an Untrusted Cloud with Haven[J]. ACM Transactions on Computer Systems (TOCS), 2015, 33(3): 1-26.
[27]	FREDRIKSON M, JHA S, RISTENPART T.Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures[C]//ACM. The 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015: 1322-1333.
[28]	ZHU Ligeng, LIU Zhijian, HAN Song. Deep Leakage from Gradients[J]. Advances in Neural Information Processing Systems, 2019, 32: 14400-14409.
[29]	NASR M, SHOKRI R, HOUMANSADR A. Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-Box Inference Attacks against Centralized and Federated Learning[C]//IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 739-753.
[30]	ABADI M, CHU A, GOODFELLOW I, et al. Deep Learning with Differential Privacy[C]//ACM. The 23rd ACM Conference on Computer and Communications Security. New York: ACM, 2016: 308-318.
[31]	GHAZI B, GOLOWICH N, KUMAR R, et al. Deep Learning with Label Differential Privacy[J]. Advances in Neural Information Processing Systems, 2021, 34: 27131-27145.
[32]	MOHASSEL P, ZHANG Yupeng. Secureml: A System for Scalable Privacy-Preserving Machine Learning[C]//IEEE. 2017 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2017: 19-38.
[33]	CHEN Yu, LUO Fang, LI Tong, et al. A Training-Integrity Privacy-Preserving Federated Learning Scheme with Trusted Execution Environment[J]. Information Sciences, 2020, 522: 69-79. doi: 10.1016/j.ins.2020.02.037 URL
[34]	PENG Wei, LI Yinshuai, ZHANG Yinqian. Shadows in Cipher Spaces: Exploiting Tweak Repetition in Hardware Memory Encryption[C]//USENIX. The 34th USENIX Security Symposium (USENIX Security 25). Berkeley: USENIX, 2025: 5759-5776.
[35]	WITHARANA H, WEERASENA H, MISHRA P. Formal Verification of Virtualization-Based Trusted Execution Environments[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2024, 43(11): 4262-4273. doi: 10.1109/TCAD.2024.3443008 URL
[36]	ZHANG Ziqi, GONG Chen, CAI Yifeng, et al. No Privacy Left Outside: On the (In-) Security of TEE-Shielded DNN Partition for On-Device ML[C]//2024 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2024: 3327-3345.
[37]	LECUN Y, CORTES C. The MNIST Database of Handwritten Digits[EB/OL]. (1998-01-01)[2025-01-15]. http://yann.lecun.com/exdb/mnist/.
[38]	KRIZHEVSKY A, HINTON G. Learning multiple layers of features from tiny images[EB/OL]. (2009-09-01)[2025-12-15]. https://www.cs.toronto.edu/-kriz/learning-features-2009-TR.pdf.
[39]	HSU T M H, QI Huiqi, BROWN M. Measuring the Effects of Non-Identical Data Distribution for Federated Visual Classification[EB/OL]. (2019-09-13)[2025-12-15]. https://arxiv.org/abs/1909.06335.

对比维度	横向联邦学习	纵向联邦学习
数据划分	特征相同,样本不同	样本重叠,特征不同
核心挑战	模型参数的安全聚合	加密实体对齐与联合建模
典型场景	不同医院间的医疗影像分析	银行与电商的联合信用评分
聚合内容	完整的模型参数或梯度	加密的中间计算结果

特性	Intel® SGX	Arm TrustZone	Intel® TDX	AMD SEV-SNP	Arm CCA
隔离粒度	进程级(Enclave)	系统分区级 (Normal / Secure World)	虚拟机级 (Trust Domain)	虚拟机级 (Encrypted VM)	虚拟机级 (Realm)
部署模型	代码重构/ LibOS	专用可信OS / APP	直接迁移	直接迁移	直接迁移
内存容量	SGX1受EPC限制SGX2支持动态内存	受限于系统配置	支持整个 VM 内存	支持整个 VM 内存	支持整个Realm内存
可信基(TCB)	应用代码 SGX 硬件	可信OS / APP Arm 硬件	客户机操作系统TDX 硬件	客户机操作系统 AMD-SP硬件	Realm 操作系统 Arm CCA 硬件 RMM
I/O 模型	OCALL 委托不可信主机	委托给非安全世界的OS处理	由客户机操作系统驱动处理	通过共享内存由客户机驱动处理	通过共享内存由客户机驱动处理
性能开销	频繁的 Enclave 转换开销高	世界切换(World Switch)开销较高	计算开销低,完整性检查引入额外开销	计算开销低,完整性检查引入额外开销	理论开销低（待大规模硬件验证）
生态	成熟,研究多,已知攻击多	成熟,数十亿移动/IoT设备的基础	较新,云支持增长快	已在主流云平台广泛部署	发展初期,硬件生态正在构建

模型名称	适配数据集	参数量 / M (10⁶)	模型体积 / MB	实验定位
SimpleCNN	MNIST ($1\times 28\times 28$)	0.58	2.3	功能验证
ResNet-18	CIFAR-10 ($3\times 32~\times 32~$)	11.17	44.6	真实场景模拟

组件	项目	规格参数
服务器宿主机	CPU	Intel® Xeon® Silver 4510 @2.40 GHz (12 Physical Cores)
	RAM	128 GB DDR5
	Kernel	Linux 6.8.0-tetd (TDX/SGX Enabled)
	TEE Support	Intel® SGX2 (EPC: 128 MB)& Intel® TDX 1.0
机密虚拟机	vCPU	12 vCPUs (KVM Virtualization)
	RAM	16 GB Allocated
	OS	Ubuntu 24.04.2 LTS (Kernel 6.8.0-generic)
客户端节点	CPU	2 × Intel® Xeon® Silver 4510 (48 Threads)
	RAM	512 GB DDR5
	GPU	NVIDIA H100 PCIe (80 GB HBM3)
软件环境	Framework	PyTorch 2.9.1 (CUDA 12.8), Python 3.12
	TEE Runtime	Gramine 1.9 (for SGX Enclave)
	Deployment	Docker 29.0.4

学习模式	模型架构	数据集	数据分布	准确率	收敛 Epoch/轮	通信体积	本地—全局精度差
集中训练	SimpleCNN	MNIST	—	98.82%± 0.12%	5.0	—	—
联邦学习			IID	99.28%± 0.04%	27.0 (5.4×5)	71.94 MB	0.42%±0.12%
联邦学习			Non-IID	98.94%± 0.12%	32.0 (6.4×5)	85.26 MB	3.06%±0.61%
集中训练	ResNet-18	CIFAR-10	—	90.58%± 0.43%	38.2	—	—
联邦学习			IID	91.92%± 0.26%	82.0 (16.4×5)	4.10 GB	3.68%±0.54%
联邦学习			Non-IID	89.70%± 1.03%	180.0 (36.0×5)	8.99 GB	12.80%±1.99%