In federated learning, adversarial aggregators can bypass secure aggregation by manipulating client selection, launching bias-selection attacks (BSAs) that compromise both privacy and fairness. While verifiable random selection mitigates BSAs, it forfeits the critical model-performance gains from utility-aware informed selection. This paper proposes AdRo-FL—the first secure aggregation framework jointly achieving BSA robustness, utility-driven client selection, and privacy preservation. AdRo-FL integrates minimum selection quota enforcement, utility-guided verifiable random function (VRF) validation, quantization-based compression, and deadline-aware scheduling, supporting both clustered and distributed settings. Experiments demonstrate that, compared to insecure baselines, AdRo-FL improves time-to-accuracy by up to 1.85× and final test accuracy by up to 1.06×, striking an optimal trade-off among security, efficiency, and model performance.

Federated Learning (FL) enables collaborative learning without exposing clients' data. While clients only share model updates with the aggregator, studies reveal that aggregators can infer sensitive information from these updates. Secure Aggregation (SA) protects individual updates during transmission; however, recent work demonstrates a critical vulnerability where adversarial aggregators manipulate client selection to bypass SA protections, constituting a Biased Selection Attack (BSA). Although verifiable random selection prevents BSA, it precludes informed client selection essential for FL performance. We propose Adversarial Robust Federated Learning (AdRo-FL), which simultaneously enables: informed client selection based on client utility, and robust defense against BSA maintaining privacy-preserving aggregation. AdRo-FL implements two client selection frameworks tailored for distinct settings. The first framework assumes clients are grouped into clusters based on mutual trust, such as different branches of an organization. The second framework handles distributed clients where no trust relationships exist between them. For the cluster-oriented setting, we propose a novel defense against BSA by (1) enforcing a minimum client selection quota from each cluster, supervised by a cluster-head in every round, and (2) introducing a client utility function to prioritize efficient clients. For the distributed setting, we design a two-phase selection protocol: first, the aggregator selects the top clients based on our utility-driven ranking; then, a verifiable random function (VRF) ensures a BSA-resistant final selection. AdRo-FL also applies quantization to reduce communication overhead and sets strict transmission deadlines to improve energy efficiency. AdRo-FL achieves up to $1.85 imes$ faster time-to-accuracy and up to $1.06 imes$ higher final accuracy compared to insecure baselines.