ZORRO: Zero-Knowledge Robustness and Privacy for Split Learning (Full Version)

📅 2025-09-11
🤖 AI Summary
In Split Learning (SL), malicious clients can inject backdoors by submitting poisoned gradients, yet existing defenses predominantly reside on the server side and cannot be enforced on untrusted clients. To address this, we propose the first interactive zero-knowledge proof (ZKP)-based client-side defense for SL, enabling verifiable and privacy-preserving audit of local forward and backward computation integrity. Our approach integrates frequency-domain model partitioning analysis with a lightweight local defense algorithm to establish a robust, low-overhead edge-side verification mechanism. Experiments across diverse DNN architectures and attack settings demonstrate that our method reduces backdoor attack success rates to below 6%, while maintaining verification latency under 10 seconds per iteration even for million-parameter models. This significantly enhances both the security and practicality of distributed training in untrusted environments.

📝 Abstract
Split Learning (SL) is a distributed learning approach that enables resource-constrained clients to collaboratively train deep neural networks (DNNs) by offloading most layers to a central server while keeping in- and output layers on the client-side. This setup enables SL to leverage server computation capacities without sharing data, making it highly effective in resource-constrained environments dealing with sensitive data. However, the distributed nature enables malicious clients to manipulate the training process. By sending poisoned intermediate gradients, they can inject backdoors into the shared DNN. Existing defenses are limited by often focusing on server-side protection and introducing additional overhead for the server. A significant challenge for client-side defenses is enforcing malicious clients to correctly execute the defense algorithm. We present ZORRO, a private, verifiable, and robust SL defense scheme. Through our novel design and application of interactive zero-knowledge proofs (ZKPs), clients prove their correct execution of a client-located defense algorithm, resulting in proofs of computational integrity attesting to the benign nature of locally trained DNN portions. Leveraging the frequency representation of model partitions enables ZORRO to conduct an in-depth inspection of the locally trained models in an untrusted environment, ensuring that each client forwards a benign checkpoint to its succeeding client. In our extensive evaluation, covering different model architectures as well as various attack strategies and data scenarios, we show ZORRO's effectiveness, as it reduces the attack success rate to less than 6% while causing even for models storing 1,000,000 parameters on the client-side an overhead of less than 10 seconds.

Problem

Research questions and friction points this paper is trying to address.

Defending split learning against malicious client attacks
Ensuring computational integrity without sharing sensitive data
Detecting poisoned gradients to prevent backdoor injection
Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses zero-knowledge proofs for verification
Inspects model partitions via frequency representation
Ensures benign checkpoints in untrusted environments