DECIFR: Domain-Aware Exfiltration of Circuit Information from Federated Gradient Reconstruction
This exposes a practical threat to privacy in FL for integrated circuit design, highlighting that standard protocols are insufficient in domains where extensive domain-specific knowledge is available to an adversary.
The paper demonstrates a vulnerability in Federated Learning (FL) for hardware assurance, where domain-specific knowledge of standard cell library layouts enables an adversary to reconstruct client training images from model updates and reliably infer membership status based on image quality.
Federated Learning (FL) is a promising approach for multiparty collaboration as a privacy-preserving technique in hardware assurance, but its security against adversaries with domain-specific knowledge is underexplored. This paper demonstrates a critical vulnerability in which available standard cell library layouts (SCLL) can be exploited to compromise the privacy of sensitive integrated circuit (IC) training data. We introduce DECIFR, a novel two-stage Membership Inference Attack (MIA) that requires no auxiliary dataset. The attack employs a guided Gradient Inversion Attack (GIA) to reconstruct a client's training images from intercepted model updates. Our findings reveal that the fidelity of these reconstructions directly correlates with membership status, allowing an adversary to reliably distinguish members from non-members based on image quality alone. This work exposes a practical threat that overcomes the limitations of conventional attacks and underscores that standard FL protocols are insufficient for securing domains where extensive domain-specific knowledge is available. We conclude that robust defenses are essential for the secure application of FL in hardware assurance.