Confidential Federated Computations (2404.10764v2)

Published 16 Apr 2024 in cs.CR and cs.LG

Abstract: Federated Learning and Analytics (FLA) have seen widespread adoption by technology platforms for processing sensitive on-device data. However, basic FLA systems have privacy limitations: they do not necessarily require anonymization mechanisms like differential privacy (DP), and provide limited protections against a potentially malicious service provider. Adding DP to a basic FLA system currently requires either adding excessive noise to each device's updates, or assuming an honest service provider that correctly implements the mechanism and only uses the privatized outputs. Secure multiparty computation (SMPC)-based oblivious aggregations can limit the service provider's access to individual user updates and improve DP tradeoffs, but the tradeoffs are still suboptimal, and they suffer from scalability challenges and susceptibility to Sybil attacks. This paper introduces a novel system architecture that leverages trusted execution environments (TEEs) and open-sourcing to both ensure confidentiality of server-side computations and provide externally verifiable privacy properties, bolstering the robustness and trustworthiness of private federated computations.
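The two properties the abstract names, confidential server-side aggregation and privacy properties a client can verify before contributing, can be sketched end to end in a few dozen lines. The following is an added illustration written for this page, not code from the paper or from the Confidential Federated Compute project. Everything in it is an assumption made for the sake of a runnable, offline example: the hardware root of trust is an HMAC key shared with the verifier (standing in for a vendor attestation certificate chain), the "server binary" is a byte string whose SHA-256 plays the role of the TEE measurement, the allowlist stands in for measurements published alongside a reproducible open-source build, and device updates are handed to the aggregator in the clear where a real client would encrypt them to the attested enclave key. The privacy ledger is plain memory; the point of keeping it inside the enclave is exactly the rollback-protection problem the paper's references discuss.

```python
"""Toy TEE-backed federated aggregation with a client-side attestation gate.

Constructed example (not the paper's or the project's code). Assumptions:
HMAC stands in for the vendor signature, SHA-256 of a byte string stands in
for the code measurement, updates are passed in the clear, ledger is in RAM.
"""
import hashlib
import hmac
import json
import math
import random
import secrets
from dataclasses import dataclass

HW_ROOT_KEY = secrets.token_bytes(32)  # stand-in for the vendor's signing key


def measure(binary: bytes) -> str:
    """Measurement the TEE records for the loaded server code."""
    return hashlib.sha256(binary).hexdigest()


def issue_evidence(binary: bytes, enclave_pubkey: str) -> dict:
    """Hardware binds the code measurement to the enclave's key. Only the
    root key can produce a valid tag, so the host cannot forge evidence."""
    claims = {"measurement": measure(binary), "enclave_pubkey": enclave_pubkey}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(HW_ROOT_KEY, payload, "sha256").hexdigest()}


def verify_evidence(evidence: dict, allowed_measurements: set) -> bool:
    """Client gate: evidence must be authentic AND name a measurement that
    matches a public, inspectable build. Otherwise the update stays on device."""
    payload = json.dumps(evidence["claims"], sort_keys=True).encode()
    expected = hmac.new(HW_ROOT_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, evidence["sig"]):
        return False
    return evidence["claims"]["measurement"] in allowed_measurements


@dataclass
class PrivacyLedger:
    """Epsilon accounting held inside the enclave. A real deployment needs
    rollback protection so a restart cannot silently refill the budget."""
    budget: float
    spent: float = 0.0

    def charge(self, eps: float) -> bool:
        if self.spent + eps > self.budget + 1e-12:
            return False
        self.spent += eps
        return True


def clipped_sum(updates, clip_norm: float):
    """Scale each update to L2 norm <= clip_norm, then sum coordinate-wise.
    Bounding each device's contribution is what lets noise be added once per
    round instead of once per device."""
    total = [0.0] * len(updates[0])
    for u in updates:
        norm = math.sqrt(sum(x * x for x in u))
        scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
        for i, x in enumerate(u):
            total[i] += x * scale
    return total


def gaussian_sigma(clip_norm: float, eps: float, delta: float) -> float:
    """Noise scale of the classic Gaussian mechanism for L2 sensitivity
    clip_norm (the bound holds for eps < 1; tighter accountants exist)."""
    return clip_norm * math.sqrt(2.0 * math.log(1.25 / delta)) / eps


def dp_aggregate(updates, clip_norm, eps, delta, ledger, rng=None):
    """In-enclave aggregation: refuse when the ledger is exhausted, otherwise
    release only the noised sum. Individual updates never leave this scope."""
    if not ledger.charge(eps):
        return None
    rng = rng or random.Random()
    sigma = gaussian_sigma(clip_norm, eps, delta)
    return [t + rng.gauss(0.0, sigma) for t in clipped_sum(updates, clip_norm)]


def run_round(evidence, allowed, updates, clip_norm, eps, delta, ledger, rng=None):
    """Client-side attestation gate followed by server-side DP aggregation."""
    if not verify_evidence(evidence, allowed):
        return {"status": "attestation_failed"}
    agg = dp_aggregate(updates, clip_norm, eps, delta, ledger, rng)
    if agg is None:
        return {"status": "budget_exhausted"}
    return {"status": "ok", "aggregate": agg}


# Constructed inputs: a "binary", its published measurement, three device updates.
SERVER_BINARY = b"aggregator v1: clip=1.0 mechanism=gaussian ledger=enabled"
ALLOWED = {measure(SERVER_BINARY)}
UPDATES = [[3.0, 4.0], [0.5, 0.0], [-1.0, 1.0]]

if __name__ == "__main__":
    ledger, rng = PrivacyLedger(budget=2.0), random.Random(7)
    good = issue_evidence(SERVER_BINARY, "enclave-key-1")
    patched = issue_evidence(SERVER_BINARY + b" # also log raw updates", "enclave-key-1")
    print(run_round(good, ALLOWED, UPDATES, 1.0, 1.0, 1e-5, ledger, rng))
    print(run_round(patched, ALLOWED, UPDATES, 1.0, 1.0, 1e-5, ledger, rng))
    print(run_round(good, ALLOWED, UPDATES, 1.0, 1.0, 1e-5, ledger, rng))
    print(run_round(good, ALLOWED, UPDATES, 1.0, 1.0, 1e-5, ledger, rng))
```

The second call in the driver models the scenario the abstract is worried about: a service provider that patches the aggregator to log raw updates produces a different measurement, the evidence no longer matches any published build, and clients withhold their data without spending any privacy budget. The last call shows the other half of "externally verifiable": once the ledger is exhausted, no further release happens regardless of what the host asks for.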
