Papers
Topics
Authors
Recent
Search
2000 character limit reached

Complete Client Unlearning in Federated Learning

Updated 7 July 2026
  • Complete client unlearning removes all client-derived data from a federated model, ensuring the model behaves as if retrained from scratch without that client.
  • It employs methods such as rollback optimization, noise calibration, and cryptographic enforcement to achieve retraining closeness and maintain retained-data fidelity.
  • Evaluation criteria focus on forgetting efficacy, computational efficiency, and performance on retained data, addressing challenges in non-IID settings and client churn.

Searching arXiv for recent and foundational papers on complete client unlearning in federated learning. Complete client unlearning in federated learning denotes the removal, upon request, of the entire contribution of a client’s dataset from a jointly trained model so that the resulting model is as close as possible to one trained without that client from the outset. Across the literature, this objective is variously formalized as equality to a retrained-from-scratch model, statistical indistinguishability from such a model, or behavioral equivalence on retained and forgotten data. The topic spans optimization-based rollback, certified noise calibration, representation and feature transformation, architectural isolation, second-order parameter selection, cryptographic enforcement, and decentralized protocols. Together, these lines of work treat complete client unlearning not as a single algorithmic primitive but as a family of mechanisms for excising client-level influence under differing assumptions about storage, trust, participation, model class, and deployment constraints (Fraboni et al., 2022).

1. Definition and problem formulation

In standard federated learning with FedAvg, the global objective is written as

F(w)=i=1MpiFi(w),pi=Di/jDj,F(w) = \sum_{i=1}^M p_i F_i(w), \qquad p_i = |D_i|/\sum_j |D_j|,

with client-local loss

Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).

A global model wnw^n is updated over communication rounds by aggregating client updates (Fraboni et al., 2022). Within this setting, complete client unlearning means removing, upon request, the entire contribution of one client’s dataset from the final model as if that client had never participated.

This objective is repeatedly expressed relative to a gold-standard retraining baseline. Several works define the target as a model M¬uM^{\neg u}, w¬uw^{\neg u}, or θ\theta^* obtained by training from scratch on the union of all retained clients’ data, excluding the forgotten client (Shen et al., 26 May 2026, Halimi et al., 2022, Ai et al., 4 Aug 2025). Other works emphasize indistinguishability rather than exact equality. SIFU defines client-level removal as producing a model indistinguishable from one trained on I{c}I\setminus\{c\} and provides an (ϵ,δ)(\epsilon,\delta)-unlearning guarantee via Gaussian perturbation of a rollback checkpoint (Fraboni et al., 2022). FUI, in the differentially private federated learning setting, defines complete or full client unlearning by ϵ\epsilon-indistinguishability between the unlearned model wUNw^{UN} and the retrained model Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).0 (Chen et al., 2024). In decentralized learning, RR-DU extends this notion to client views through Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).1 network-unlearning certificates (Lamri et al., 9 Dec 2025).

The same concept also appears outside classical FedAvg image classification. In federated graph learning, complete client unlearning is defined as removing all of a departed client’s graph data and learned influence so that the unlearned model Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).2 approximates the retrained model Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).3 on the retained subgraphs (Ai et al., 4 Aug 2025). In federated clustering, exact unlearning is defined distributionally: the unlearning algorithm should match the distribution of rerunning training on the reduced dataset, and complete client unlearning is the special case in which the removal request is an entire client dataset (Pan et al., 2022).

A recurring implication is that “complete” is an aspirational term with multiple operationalizations. Some methods explicitly claim approximate rather than exact removal; others offer formal guarantees only under specified assumptions; and a smaller subset obtain exactness only for restricted architectures or ownership structures. This suggests that the phrase is best read as a target condition rather than a uniformly achieved property.

2. Criteria for completeness, fidelity, and efficiency

The literature evaluates complete client unlearning along three principal axes: forgetting efficacy, retained-data fidelity, and computational efficiency. Halimi et al. describe efficacy as how poorly the unlearned model performs on the erased client’s data distribution, fidelity as retained-clients’ clean-test accuracy, and efficiency as communication cost relative to retraining (Halimi et al., 2022). FCU and IFF-FCU further decompose errors into retained-data error Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).4, forgotten-data error Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).5, and overall test error, using deviation from a retrained baseline as the key gauge of practical completeness (Deng et al., 2024, Shen et al., 26 May 2026).

Several papers use attack-based diagnostics. Backdoor-trigger attack success rate is prominent in SFU, DPUL, the Hessian-based parameter-estimation framework, PAGE for federated graph learning, and AFU-IC for medical imaging, where successful unlearning drives attack accuracy or backdoor accuracy to retrain-like levels (Li et al., 2023, Zhou et al., 15 Dec 2025, Balordi et al., 26 Aug 2025, Ai et al., 4 Aug 2025, Cai et al., 29 Apr 2026). Membership-inference attacks are also used as a residual-information probe. Fed-FBD reports a standard shadow-model membership-inference attack AUC Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).6 before adding any explicit differential-privacy noise, and maintains chance-level MIA behavior before and after surgical unlearning (Chen et al., 10 Jun 2026). The parameter-estimation framework introduces Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).7 and Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).8 to quantify closeness to retraining (Balordi et al., 26 Aug 2025).

A compact summary of evaluation notions used across the literature is given below.

Criterion Representative formulation Representative papers
Retraining closeness Fi(w)=(1/Di)xDi(w;x).F_i(w) = (1/|D_i|)\sum_{x\in D_i}\ell(w;x).9, wnw^n0, wnw^n1 (Shen et al., 26 May 2026, Halimi et al., 2022, Ai et al., 4 Aug 2025)
Statistical indistinguishability wnw^n2-unlearning or wnw^n3-indistinguishability (Fraboni et al., 2022, Chen et al., 2024, Lamri et al., 9 Dec 2025)
Behavioral forgetting Forget accuracy near retraining or random guessing; backdoor removal (Li et al., 2023, Zhou et al., 15 Dec 2025, Cai et al., 29 Apr 2026)
Fidelity on retained data Retain-set accuracy, clean accuracy, wnw^n4, test accuracy (Deng et al., 2024, Shen et al., 26 May 2026)
Efficiency Runtime, total FL rounds, communication cost, unlearning latency (Gu et al., 2024, Chundawat et al., 2024, Chen et al., 10 Jun 2026)

The metric design reflects the absence of a single universally accepted certificate of completeness. Certified methods ground completeness in distributional guarantees; empirical methods ground it in agreement with retraining on utility, attack success, or error deviation. This suggests that results across papers are most comparable when their completeness criterion is made explicit.

3. Optimization-based and reconstruction-based unlearning methods

A large class of methods treats complete client unlearning as an optimization problem around a reference model or a rollback state. Halimi et al. propose a two-phase method: first, constrained gradient ascent at the client to be erased, and second, a small number of FedAvg rounds on the remaining clients. The local unlearning phase solves

wnw^n5

using projected gradient ascent, where wnw^n6 is constructed from the last-round local models of the other clients (Halimi et al., 2022). AFU-IC retains this projected-ascent logic but decouples it asynchronously from the global workflow and adds server-side invariance calibration to prevent relearning of erased information (Cai et al., 29 Apr 2026).

SIFU replaces direct ascent with rollback plus calibrated noise. Its key object is the unavailable true sensitivity

wnw^n7

which is upper-bounded by a computable proxy

wnw^n8

where wnw^n9 is the per-round contribution difference (Fraboni et al., 2022). Unlearning proceeds by rolling back to a checkpoint, adding Gaussian noise with variance calibrated to M¬uM^{\neg u}0, and then briefly retraining on M¬uM^{\neg u}1. The method extends to sequential requests through branched histories and recomputation of M¬uM^{\neg u}2 (Fraboni et al., 2022).

Other methods aim at deeper parameter-level scrubbing rather than rollback alone. DPUL is a server-side method with three phases: weight-aware rollback of high-influence parameters, VAE-based reconstruction of low-influence parameters, and projection-based recovery (Zhou et al., 15 Dec 2025). High-weight parameters are identified by comparing the target client’s update magnitude to the naïve global updates excluding that client: M¬uM^{\neg u}3 and a parameter is marked high-weight when

M¬uM^{\neg u}4

Low-weight parameters are then reconstructed slice-wise by M¬uM^{\neg u}5-VAEs trained on pairs M¬uM^{\neg u}6 (Zhou et al., 15 Dec 2025). The Hessian-based parameter-estimation framework pursues a related but second-order route: it computes diagonal Hessians for forget and retain subsets, derives a Target Information Score

M¬uM^{\neg u}7

resets the top M¬uM^{\neg u}8 fraction of parameters to initialization, and then minimally retrains only those reset parameters through a TRIM wrapper (Balordi et al., 26 Aug 2025).

Representation-space approaches address client forgetting through feature manipulation rather than direct weight subtraction. FCU uses Model-Contrastive Unlearning to pull forgotten-client representations toward a downgraded model M¬uM^{\neg u}9 and away from the trained model w¬uw^{\neg u}0, while Frequency-Guided Memory Preservation grafts low-frequency Fourier components from w¬uw^{\neg u}1 into the unlearning model to preserve generalizable structure (Deng et al., 2024). IFF-FCU extends this line with Mixup-generated transition samples between the forget and retain distributions and a contrastive fusion loss that switches its anchor according to the mixing coefficient w¬uw^{\neg u}2 (Shen et al., 26 May 2026).

A distinct geometric formulation appears in SFU. Instead of storing history, SFU constructs the input gradient subspace of all remaining clients via layer-wise SVD on representation matrices, projects the target client’s ascent gradient onto the orthogonal complement, and updates the global model only in that orthogonal direction: w¬uw^{\neg u}3 The aim is to increase the forgotten client’s loss while leaving directions important to other clients approximately unaffected (Li et al., 2023).

These methods share a common structure: identify where the forgotten client’s influence resides, perturb or erase those coordinates, and then recover retained-task performance. They differ mainly in what they treat as the unit of influence—trajectory checkpoints, gradient directions, individual parameters, latent features, or manifold boundaries.

4. Certified, privacy-theoretic, and exact guarantees

A central divide in the literature is between empirically motivated unlearning and formally certified unlearning. SIFU is among the clearest certified approaches in server-orchestrated FedAvg. If Gaussian noise with

w¬uw^{\neg u}4

is added to a checkpoint, then the resulting noisy model satisfies the w¬uw^{\neg u}5-unlearning definition, namely

w¬uw^{\neg u}6

and symmetrically (Fraboni et al., 2022). The guarantee extends to sequential removals through Theorem 3 (Fraboni et al., 2022).

FUI studies the case in which the original training already satisfies client-level differential privacy. Its main observation is that the DP noise introduced during DPFL induces baseline indistinguishability after local model retraction, which is then fortified by server-side global noise calibration (Chen et al., 2024). It defines w¬uw^{\neg u}7-indistinguishability as the bidirectional multiplicative bound over measurable sets, and states that in an w¬uw^{\neg u}8-DPFL system the unlearned model should remain w¬uw^{\neg u}9-DP for remaining clients while being θ\theta^*0-indistinguishable from the retrained model (Chen et al., 2024).

FedAU provides a different kind of exactness. It maintains an auxiliary unlearning head θ\theta^*1 for each potential client during training and performs client unlearning at request time through the linear operation

θ\theta^*2

Under the linear-head assumption, Theorem 1 proves exact preservation of argmax logits on non-unlearned data and exact misclassification on the unlearned client’s data (Gu et al., 2024). The guarantee is therefore architectural rather than distributional, and the paper notes that non-linear feature extractors yield approximate but highly accurate adherence in practice (Gu et al., 2024).

Exactness also appears in Fed-FBD, though at a different granularity. When a client departs, the server scans contributor traces for all functional blocks the client ever wrote. Blocks exclusively owned by that client are removed exactly; co-owned blocks are repaired by averaging untouched replicas, yielding approximate removal for those blocks (Chen et al., 10 Jun 2026). In federated clustering, exact unlearning is defined distributionally, and the proposed mechanism for K-means++-based clustering is proven to match the distribution of rerunning initialization on the reduced dataset (Pan et al., 2022).

By contrast, several influential approaches are explicit about lacking formal certificates. DPUL states that no formal proof is given and argues for completeness through empirical agreement with retraining in backdoor-attack accuracy and utility (Zhou et al., 15 Dec 2025). ConDa provides no formal privacy or unlearning certificates and frames itself as a fast server-side approximation via synaptic dampening (Chundawat et al., 2024). FCU and AFU-IC similarly target retrain-equivalent behavior empirically rather than through θ\theta^*3-style guarantees (Deng et al., 2024, Cai et al., 29 Apr 2026).

This distribution of guarantees suggests three distinct notions of rigor in the area: formal indistinguishability certificates, exactness under restricted models or ownership assumptions, and empirical retraining equivalence.

5. Architectural, cryptographic, and systems-level approaches

Some of the strongest formulations of complete client unlearning arise not from post hoc optimization but from architectural or protocol design. Fed-FBD decomposes a ResNet-18 backbone into six functional blocks—the stem, four residual groups, and classification head—and stores θ\theta^*4 color variants for each block in a warehouse θ\theta^*5 with contributor traces (Chen et al., 10 Jun 2026). Training uses a shipping plan that assigns subsets of colors to clients, direct replacement rather than averaging, and a functional diversity loss

θ\theta^*6

This design yields architecturally guaranteed block-level isolation: a client cannot modify blocks never shipped to it, and surgical unlearning scans traces and repairs only contaminated blocks, with sub-second latency and no retraining (Chen et al., 10 Jun 2026).

EFU treats the problem at the protocol layer. It is agnostic to the underlying client-side FU algorithm and instead enforces and conceals unlearning through decentralized multi-client functional encryption. Clients encrypt compressed update centroids under round-specific labels, send partial functional keys bound to the aggregation function, and the server can only decrypt the designated aggregate if all required ciphertexts are included exactly as prescribed (Mohammadi et al., 11 Aug 2025). The framework claims two central properties: enforceable unlearning, because omitting an unlearning update makes decryption fail, and update-type indistinguishability, because encrypted learning and unlearning updates are computationally indistinguishable under the FE scheme (Mohammadi et al., 11 Aug 2025).

Asynchrony is the systems concern addressed by AFU-IC. Existing FU methods are described there as largely synchronous, forcing the federation to halt and wait for stragglers (Cai et al., 29 Apr 2026). AFU-IC performs local projected-ascent unlearning asynchronously at the target client while other clients continue normal training, and then the server applies invariance calibration based on KL divergence between predictions on clean and perturbed inputs to prevent future relearning of erased data (Cai et al., 29 Apr 2026). In split learning, SplitWiper reorganizes training into a SISA-like pipeline with frozen client-side models and cached activations, allowing client-level unlearning by retraining only the forgotten client’s shard and then retraining the server on updated caches, without involving other clients (Yu et al., 2023).

These approaches treat complete client unlearning as a systems property. Architectural isolation makes influence attributable and removable. Cryptographic enforcement makes omission or detection of unlearning updates infeasible under the assumed threat model. Asynchronous and split-learning protocols reduce the coordination cost that otherwise makes client-level erasure operationally difficult.

6. Limitations, controversies, and open research directions

A persistent limitation is that many methods achieve approximate rather than exact retraining equivalence. SIFU explicitly provides approximate unlearning in the differential-privacy sense, not exact equality to a retrained model (Fraboni et al., 2022). FCU, IFF-FCU, DPUL, ConDa, PAGE, and AFU-IC all rely primarily on empirical closeness to retraining rather than certified equality (Deng et al., 2024, Shen et al., 26 May 2026, Zhou et al., 15 Dec 2025, Chundawat et al., 2024, Ai et al., 4 Aug 2025, Cai et al., 29 Apr 2026). This suggests that “complete” often means “behaviorally close to retraining under the adopted metrics.”

A second limitation concerns assumptions about server observability, storage, and trust. SIFU assumes honest record-keeping by the server and access to per-round θ\theta^*7 values (Fraboni et al., 2022). Knowledge-distillation-based unlearning requires storing historical client updates and access to a representative unlabeled dataset θ\theta^*8 for distillation (Wu et al., 2022). The parameter-estimation framework requires clients to compute and transmit diagonal Hessians after training (Balordi et al., 26 Aug 2025). EFU assumes secure key generation, an honest-but-curious server, and no collusion pattern that invalidates the FE guarantees (Mohammadi et al., 11 Aug 2025).

A third challenge is heterogeneity and scale. Fed-FBD identifies sensitivity to extreme non-IID data because clients overwrite blocks rather than averaging them (Chen et al., 10 Jun 2026). AFU-IC notes that highly dynamic client churn remains open (Cai et al., 29 Apr 2026). PAGE highlights the scalability cost of adversarial graph synthesis on very large graphs and the difficulty of extending to multiple simultaneous client removals (Ai et al., 4 Aug 2025). RR-DU, although certified in decentralized settings, assumes fixed topologies and leaves concurrent deletions and dynamic graphs open (Lamri et al., 9 Dec 2025).

There are also important scope boundaries. FUCRT demonstrates complete θ\theta^*9 erasure for class-level unlearning, but its adaptation to complete client unlearning is presented only as a possibility under additional assumptions: every forgotten class must be shared by other clients, and class-level relabeling may still miss subtle client-specific cross-class correlations (Guo et al., 2024). This is a reminder that client-level unlearning is not reducible to class-level unlearning in general.

Open problems recur across papers in consistent form: multiple simultaneous or long sequences of client deletions, stronger formal guarantees for non-convex deep networks, extension beyond FedAvg to personalized FL and other training protocols, secure aggregation compatibility, cryptographic proofs for co-owned architectural components, and rigorous verification beyond empirical MIA or backdoor tests (Fraboni et al., 2022, Chen et al., 10 Jun 2026, Chen et al., 2024, Balordi et al., 26 Aug 2025). A plausible implication is that the field is converging on a layered view of complete client unlearning: influence tracking, selective erasure, utility recovery, and verifiability must all be addressed jointly, and no single current method dominates across all four dimensions.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (19)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Complete Client Unlearning.