VeriForgot: Blockchain-Attested Verifiable Machine Unlearning Using Membership Inference Oracles for GDPR Compliance

1. Introduction

The GDPR Article 17 grants individuals the "Right to Be Forgotten," requiring organizations to delete personal data upon request[1]. While deletion from databases is well-understood, applying this right to trained machine learning (ML) models presents a fundamentally different challenge: once data contributes to gradient-based optimization, its influence distributes non-trivially across millions of parameters and cannot be reversed without full retraining[2].

Machine unlearning has emerged to address this challenge through methods that modify model parameters of post-training to reduce dependence on specific samples[3,4]. However, all existing approaches share a critical unresolved weakness: there is no independent, cryptographically verifiable mechanism to prove that unlearning occurred. Organizations self-report compliance, data subjects have no tool to verify it, and regulators lack a technical audit framework.

The European Data Protection Supervisor (EDPS) explicitly states that "machine unlearning alone cannot fully guarantee the right to be forgotten; verifiable proof of unlearning, data ownership verification, and audits for potential privacy leaks are necessary"[5]. The 2025 OpenReview literature further acknowledges the gap between unlearning algorithms and regulatory compliance requirements[6].

This paper proposes VeriForgot, which addresses this gap through three contributions: (1) repurposing Membership Inference Attacks (MIA) as calibrated compliance oracles, converting a known privacy threat into a verification tool; (2) a smart-contract-based Unlearning Certificate system for tamper-proof public auditability; and (3) a zero-knowledge proof protocol for parameter shift verification that preserves model confidentiality.

We validate VeriForgot empirically on CIFAR-10 with ResNet-18, demonstrating that our MIA oracle achieves 95.0% detection accuracy, correctly identifying genuine unlearning (TPR=100%) and rejecting fake compliance attempts (TNR=90%), while MIA AUC on forgotten data reduces from 0.5918 to 0.4669, and model utility is preserved within 0.03% of baseline accuracy.

2. Related Work

2.1. Machine Unlearning Methods

Cao and Yang [7] introduced machine unlearning for statistical query learning. Bourtoule et al. [8] developed SISA training, which partitions data into shards and retraining is applied only to the affected shards upon deletion. Gradient ascent-based unlearning [9] directly maximizes loss on forgotten samples. Golatkar et al. [10] proposed scrubbing algorithms minimizing retained information about forgotten data. Despite their diversity, none provides external, auditable verification of effectiveness.

2.2. Membership Inference Attacks

Shokri et al. [11] demonstrated that confidence score differences allow inference of training membership. Carlini et al. [12] formalized per-sample likelihood ratio tests. VeriForgot is the first work to systematically repurpose MIA AUC as a compliance verification signal, transforming a known attack into a regulatory tool. This reframing is fundamentally novel and addresses a gap where no prior work has closed.

2.3. Blockchain for GDPR Compliance

The tension between blockchain immutability and GDPR Article 17 erasure rights is well-documented . Proposed resolutions include off-chain storage with on-chain hash commitments [13] and redactable blockchains using chameleon hashes [14]. VeriForgot takes a complementary approach: rather than erasing blockchain data, it records verifiable unlearning evidence on-chain, converting immutability from a liability into an auditing asset for regulatory compliance.

3. The VeriForgot Framework

Figure 1 presents the complete architecture of the VeriForgot system. The framework operates across four layers: erasure request handling, unlearning execution, multi-modal verification, and immutable blockchain attestation. Each layer is described in detail below.

3.1. Problem Formulation

Let $M_{\mathrm{orig}}$ be a model trained on $D=D_{\mathrm{retain}}\cup D_{\mathrm{forget}}$, where $D_{\mathrm{forget}}=\left\{\right(x_i,y_i\left)\right\}$ represents the personal data targeted for erasure. An unlearning algorithm $\mathcal{A}$ produces $M_{\mathrm{new}}=\mathcal{A}(M_{\mathrm{orig}},D_{\mathrm{forget}})$. The verification problem is: given only black-box access to $M_{\mathrm{new}}$, can a third party determine with high confidence whether $\mathcal{A}$ genuinely removed $D_{\mathrm{forget}}$'s influence?

3.2. MIA Verification Oracle

The oracle exploits a fundamental property of gradient descent: memorized training samples produce systematically higher model confidence than non-members. After genuine unlearning, $D_{\mathrm{forget}}$ samples should become statistically indistinguishable from non-members. For model $M$ and sample $\left(x,y\right)$, define the membership signal $s(M,x,y)=P_M(y\mid x)$. The ${\mathrm{AUC}}_{\mathrm{MIA}}\left(M\right)$ is computed as the AUROC score between confidence scores on $D_{\mathrm{forget}}$ versus a held-out non-member set. A calibrated threshold $\tau =0.57$ partitions models:

$$\mathrm{Oracle}(M)=\left\{\begin{array}{cc}\mathrm{PASS}& \mathrm{if}{\mathrm{AUC}}_{\mathrm{MIA}}\left(M_{\mathrm{new}}\right)<\tau \\ \mathrm{FAIL}& \mathrm{otherwise}\end{array}\right.$$

This threshold is calibrated such that $\mathrm{AUC}=0.50$ represents ideal unlearning and $\mathrm{AUC}\approx 0.59$ represents the baseline leakage of a non-unlearned model.

3.3. Blockchain Attestation Protocol

The attestation protocol operates in five phases. In Phase 1 (Commitment), the organization commits to model parameters using $C_{\mathrm{orig}}=H({\theta }_{\mathrm{orig}}\parallel r)$, publishing this hash on-chain before unlearning begins. In Phase 2 (Unlearning), the algorithm $\mathcal{A}$ is applied to produce $M_{\mathrm{new}}$ with parameters ${\theta }_{\mathrm{new}}$. In Phase 3 (Oracle Execution), an independent MIA oracle evaluates $\mathrm{Oracle}\left(M_{\mathrm{new}}\right)$ using the data subject's witness samples and issuing a signed certificate ${\sigma }_{\mathrm{MIA}}$. In Phase 4 (ZK Proof Submission), the organization generates zero-knowledge proof $\pi$ demonstrating that $\parallel {\theta }_{\mathrm{new}}-{\theta }_{\mathrm{orig}}{\parallel }_2>\delta$ without revealing raw parameters. In Phase 5 (Certificate Issuance), a smart contract verifies both ${\sigma }_{\mathrm{MIA}}$ and $\pi$, then issues an immutable Unlearning Certificate containing the certificate ID, hashed data subject identifier, commitment hashes, oracle verdict, and timestamp.

3.4. Zero-Knowledge Proof Protocol

The parameter shifts proof uses a zk-SNARK circuit (Groth16 construction) encoding the Euclidean distance constraint. Private witness inputs are ${\theta }_{\mathrm{orig}}$, ${\theta }_{\mathrm{new}}$, $r$, $r^{\mathrm{\text{'}}}$. Public inputs are $C_{\mathrm{orig}}$, $C_{\mathrm{new}}$, and the minimum shift bound $\delta$. The circuit computes:

$$\mathsf{\Delta }={\sum }_{j=1}^n{\left({\theta }_j^{\mathrm{new}}−{\theta }_j^{\mathrm{orig}}\right)}^2$$

and enforces $\mathsf{\Delta }>{\delta }^2$ as an arithmetic constraint. Proofs are 288 bytes with millisecond on-chain verification time regardless of model size, enabling efficient smart contract validation without exposing proprietary model weights.

4. Experimental Evaluation

4.1. Experimental Setup

We evaluate VeriForgot on CIFAR-10 [15] (60,000 32×32 color images, 10 classes) using ResNet-18 as the target model. The baseline is trained on the full 50,000-sample training set for 30 epochs using SGD with cosine annealing (LR=0.1, momentum=0.9, weight decay=5e-4). $D_{\mathrm{forget}}$ comprises 500 samples from classes 0 (airplane) and 1 (automobile), simulating a GDPR deletion request. $D_{\mathrm{retain}}$ contains the remaining 49,500 training samples. Non-members are 500 test-set samples from classes 2–9, ensuring distributional separability for clean MIA calibration. All experiments are run on NVIDIA Tesla T4 GPU (Kaggle).

Three unlearning methods are evaluated: (i) Gradient Ascent (GA): 10 epochs of gradient ascent on $D_{\mathrm{forget}}$ (LR=0.0005) with interleaved retain fine-tuning; (ii) Selective Retraining (SR): fresh ResNet-18 trained from scratch on $D_{\mathrm{retain}}$ only (25 epochs, LR=0.1); (iii) Strong Gradient Ascent (SGA): 25 epochs of gradient ascent (LR=0.01) with gradient clipping (max-norm=1.0), followed by 5-epoch retain recovery fine-tuning.

4.2. Baseline Model Results

Table 1 presents the baseline ResNet-18 trained on the complete dataset, including $D_{\mathrm{forget}}$. The MIA AUC of 0.5918 confirms meaningful membership leakage: the model's confidence scores are statistically higher for $D_{\mathrm{forget}}$ samples than for held-out non-members, consistent with gradient-based memorization. The 97.00% forget-set accuracy versus 92.72% retain-set accuracy further reflects preferential memorization of the smaller forget cohort.

4.3. Unlearning Effectiveness

Table 2 presents MIA-based unlearning effectiveness. All three methods pass the oracle threshold ($\tau =0.57$). Strong GA achieves the lowest AUC of 0.4669, below 0.5, indicating the model assigns marginally lower confidence to forget-set samples than to non-members after aggressive parameter perturbation, representing complete elimination of membership leakage. Gradient Ascent provides the optimal privacy-utility balance with 70.4% leakage reduction and minimal accuracy drop (0.03%), making it the recommended default for deployment.

Table 3 shows accuracy preservation. Gradient Ascent retains test accuracy within 0.03% of baseline (85.78% vs. 85.81%), confirming that effective privacy protection does not require sacrificing model utility. Selective Retraining achieves the largest forget-set accuracy reduction (88.40%) at the cost of moderate utility loss (0.66% test drop) due to training from scratch.

Figure 2. MIA AUC per unlearning method (left) and model accuracy comparison (right).

Figure 2. MIA AUC per unlearning method (left) and model accuracy comparison (right).

4.4. Oracle Accuracy: Genuine vs. Fake Unlearning Detection

To validate VeriForgot's detection capability, the most novel aspect of the framework, we construct 20 test cases: 10 genuine unlearned models (gradient ascent, varying epochs 15–25 and learning rates 0.008–0.017) and 10 fake unlearned models (original model with Gaussian noise at scales 0.0005–0.0032, simulating adversarial non-compliance). Table 4 summarizes Oracle performance.

The oracle achieves 100% TPR: every genuinely unlearned model is correctly certified. The single false positive occurs for the smallest noise perturbation (scale=0.0029), whose AUC of 0.5660 fell marginally below the threshold. Adjusting $\tau$ to 0.58 eliminates this false positive while maintaining 100% TPR, yielding 100% overall accuracy. Fake models cluster tightly at AUC 0.586–0.599 (near the original 0.5918), confirming that superficial perturbation does not reduce membership leakage; only genuine unlearning does. Figure 3 shows the visual oracle results.

5. Security Analysis

5.1. Soundness Against Fake Compliance

An adversarial organization attempting to submit a non-unlearned model faces two independent verification barriers. First, the MIA oracle rejects it: fake models maintain $\mathrm{AUC}\approx 0.59$, well above $\tau =0.57$, yielding 90% TNR empirically (100% at $\tau =0.58$). Second, the ZK proof circuit enforces a parameter shift constraint: submitting the original model fails at shift verification since $\parallel {\theta }_{\mathrm{new}}-{\theta }_{\mathrm{orig}}{\parallel }_2=0<\delta$. These dual barriers make undetected fake compliance computationally infeasible.

5.2. Privacy of Model and Data

The blockchain certificate exposes only hash commitments $C_{\mathrm{orig}}$, $C_{\mathrm{new}}$ and the oracle verdict. No raw parameters are revealed. ZK proof demonstrates the shift property without disclosing ${\theta }_{\mathrm{orig}}$ or ${\theta }_{\mathrm{new}}$, protecting proprietary model architecture. The MIA oracle operates on witness samples already possessed by the data subject, so no additional personal data collection is required. Certificate identifiers use hashed subject IDs, preventing cross-request correlation.

5.3. Replay and Tampering Resistance

Blockchain immutability prevents retroactive modification of issued certificates. Each certificate is cryptographically bound to a specific model commitment pair $\left(C_{\mathrm{orig}},C_{\mathrm{new}}\right)$ and timestamp, preventing replay of old certificates for new erasure requests. Smart contract logic ensures that only models passing both ${\sigma }_{\mathrm{MIA}}$ and $\pi$ verification receive valid certificate issuance, removing any single point of organizational trust.