Papers
Topics
Authors
Recent
Search
2000 character limit reached

Confidential Federated Compute

Updated 5 July 2026
  • Confidential federated compute is a secure distributed computation model that safeguards data, code, and workflow state using TEEs, cryptographic protocols, and attestation mechanisms.
  • It leverages diverse architectures—such as TEE enclaves, confidential VMs, and MPC—to enforce strict access policies and verify server-side executions across untrusted infrastructures.
  • Applications span federated learning, secure analytics, and retrieval systems, balancing performance tradeoffs with enhanced privacy and integrity guarantees.

Confidential federated compute denotes federated or cross-organizational computation in which confidentiality and integrity are extended beyond data locality to the computation itself: code, model state, intermediate values, and policy-governed access are protected while execution spans untrusted infrastructure. In the recent literature, the concept appears in federated learning and analytics, federated retrieval-augmented generation, secure distributed linear algebra, blockchain-anchored off-chain workflows, and confidential interconnects. Across these settings, the recurrent objective is to protect data “in use” while making server-side behavior attestable or otherwise verifiable, typically through Trusted Execution Environments (TEEs), confidential virtual machines (CVMs), remote attestation, threshold cryptography, multiparty homomorphic encryption, secure multiparty computation, or proof-producing execution (Eichner et al., 2024, Quoc et al., 2021, Castillo et al., 22 Apr 2025).

1. Definition and conceptual scope

Standard federated learning and analytics keep raw data at the data owner, but several papers treat that guarantee as insufficient. SecFL explicitly identifies three residual problems in ordinary federated learning: a root or privileged attacker on the cloud or training host can read or tamper with training models and infer sensitive information from gradients or global parameters; malicious clients can collude to steal other clients’ local data or local models; and malicious clients can poison or manipulate their updates to corrupt the global model. “Confidential Federated Computations” makes the parallel argument for federated learning and analytics more broadly: basic FLA provides limited protections against a potentially malicious service provider, DP-only deployments still assume honest execution of the privacy mechanism, and SMPC-based oblivious aggregation remains challenged by scalability and Sybil attacks (Quoc et al., 2021, Eichner et al., 2024).

Accordingly, confidential federated compute is not merely federated data minimization. It treats server-side execution, aggregation, workflow state, and release policies as privacy-critical objects. In this model, a device or organization does not only avoid uploading raw data; it also restricts which attested binaries may access encrypted uploads, how often access is permitted, which downstream transformations are allowed, and, in some systems, whether the entire workflow can be audited against open-source code and reproducible builds (Eichner et al., 2024).

The term also spans different workload classes. PAPAYA distinguishes federated analytics from federated learning by emphasizing one-shot or few-shot protocols, SQL-like on-device transformations, and population-scale histogram aggregation, in contrast to iterative model optimization with large parameter exchanges. This suggests that confidential federated compute is better understood as an execution model for distributed sensitive computation than as a synonym for federated learning alone (Srinivas et al., 2024).

2. Attested architectures and trust boundaries

A canonical TEE-centric architecture appears in SecFL. Both local training and global aggregation are placed inside Intel SGX enclaves, with SCONE used to run unmodified training software in enclaves. A trusted Security Policy Manager, itself inside an SGX enclave, stores secrets and configuration, attests client enclaves and the cloud-side global training enclave, releases decryption keys only after successful attestation, and enforces policies over the global computation, the global model, and the code and data used locally. Training code and input data are encrypted; local training occurs inside each client enclave; model updates move over TLS between client enclaves and the global-training enclave; aggregation is also performed inside an enclave; and an asynchronous monotonic counter service is used to ensure freshness of training data, models, and related secrets (Quoc et al., 2021).

A second architecture centers on a long-lived TEE-hosted policy service. In “Confidential Federated Computations,” the core trusted component is the ledger, which “literally holds the keys” to uploaded encrypted client data and enforces stateful access policies. A publisher encrypts data with AEAD under an ephemeral key, wraps that key with a ledger-generated public key using single-shot HPKE, and binds access policy into associated data. Downstream TEE consumers can obtain unwrapped keys only if the ledger authorizes access under the declared policy. The trusted chain is built with Project Oak, DICE-style recursive measurement of the boot chain, and hardware-backed remote attestation on AMD SEV-SNP today and Intel TDX later, while orchestration, storage, and transport remain outside the trusted boundary (Eichner et al., 2024).

A third pattern pushes confidentiality into the network substrate itself. JANUS, described as a “Confidential Federated Interconnect,” splits the Trusted Computing Base between a hardware-isolated Control Plane and a measured guest-resident eBPF Data Plane. The Control Plane is the SEAM-mode RMM, which validates signed policies, performs MAKE, verifies guest measurements before releasing keys, enforces epoch consistency, and blocks unauthorized or stale peers. The Data Plane is a measured guest-resident eBPF/XDP proxy attached at the earliest networking layer; it transparently intercepts traffic, consults policy tables, and performs AES-256-GCM encrypt/decrypt in guest ring-0. The host OS, hypervisor, and network fabric are untrusted, and key release is explicitly bound to measured guest state through RTMR checks and a BPF-Lock LSM that disables later bpf(BPF_PROG_LOAD) calls after the authorized proxy is loaded (Dang et al., 10 May 2026).

3. Confidential-compute substrates and verification mechanisms

The substrate need not be TEEs alone. Trusted Compute Units generalize confidential federated computation as chained verifiable off-chain services. A TCU executes a program PP inside a verifiable computation environment, exposes /compute, /proofRetrieval, and /info, verifies predecessor proofs or attestations, binds internal inputs, and emits an output together with a proof-like artifact. The framework formalizes execution as

P(EIn,IIn,PK)(Out,π)P(EIn, IIn, PK) \rightarrow (Out, \pi)

and verification as

verify(Out,π,VK){0,1}.verify(Out, \pi, VK) \rightarrow \{0,1\}.

Its stated novelty is heterogeneous composability: TEEs and zkVMs are treated as interchangeable realizations of the same abstraction, with provenance anchored in a blockchain Program Registry (Castillo et al., 22 Apr 2025).

Cryptographic substrates remain prominent where hardware trust is insufficient or undesirable. SF-PCA combines multiparty homomorphic encryption, interactive protocols, and edge computing so that each data provider keeps local data in cleartext and performs as much work as possible locally, while only aggregated or low-dimensional intermediate values are collectively encrypted. The result is end-to-end confidentiality against all-but-one colluding passive adversaries. The federated Kaplan–Meier system instead uses multikey or threshold CKKS, where each institution encrypts local event and at-risk counts, the server performs only homomorphic addition, and threshold decryption requires cooperation from at least TT parties, preventing any sub-threshold coalition from learning the aggregate (Froelicher et al., 2023, Veeraragavan et al., 2024).

Several systems use MPC-style or share-based computation rather than TEEs. The genomic computing framework redesigns SPDZ by decoupling Beaver Triple Generators from MPC servers and introducing blind triple dispensation, so the expensive preprocessing layer is separated from online arithmetic over private genomic data. The secure truth-finding system uses additive secret sharing over Z2q\mathbb{Z}_{2^q} together with polynomial pseudo-equality tests to evaluate conditioned sums in Cosine and 3-Estimates without revealing source answers. CaPC Learning combines homomorphic encryption for confidential inference, garbled circuits for argmax, and PATE-style noisy vote aggregation so that parties can improve local models without pooling data or model weights in the clear (Zhu, 2021, Saadeh et al., 2023, Choquette-Choo et al., 2021).

4. Representative workload domains

Workload domain Representative systems Primary protection pattern
Federated learning and analytics SecFL, PAPAYA, CFC platform TEEs or CVMs, attestation, policy enforcement, DP
Distributed statistics and linear algebra SF-PCA, federated QR, Kaplan–Meier, genomic MPC, truth-finding MHE, secure aggregation, SPDZ, secret sharing
Federated retrieval and systems backplanes C-FedRAG, Flower CRC system, JANUS, FEDB, TCU Confidential VMs/TEEs, attested interconnects, proofs, trusted mappings

In federated learning and analytics, the protected object is usually server-side aggregation or training. SecFL encloses both local and global training; PAPAYA confines cross-device aggregation, thresholding, and DP noise addition to a Trusted Secure Aggregator inside Intel SGX; and the CFC platform organizes leaf workers and a root CVM for operations such as GROUP BY SUM, with the root adding final DP noise. PAPAYA is deliberately restricted to a small, auditable enclave that performs secure aggregation and privacy enforcement, while on-device code handles local SQL-like transforms, batching, and eligibility checks (Quoc et al., 2021, Srinivas et al., 2024, Bell-Clark et al., 23 Mar 2026).

In statistical and numerical workloads, the challenge is often that intermediate linear-algebra objects are themselves revealing. The federated QR paper studies Householder reflections, Givens rotations, and Gram–Schmidt under additive secure aggregation, concluding that Householder and Givens are unsuitable because their intermediate statistics enable reconstruction, whereas a Gram–Schmidt-based scheme shares only aggregated norms and inner products. SF-PCA preserves the structure of randomized PCA under multiparty CKKS, and the federated Kaplan–Meier system shows that threshold HE can support survival analysis without revealing local event or at-risk counts (Hartebrodt et al., 2022, Froelicher et al., 2023, Veeraragavan et al., 2024).

Knowledge-intensive inference has recently become another major domain. In C-FedRAG, each provider performs local retrieval over its own corpus, while an orchestrator gathers retrieved chunks, reranks them inside a confidential-computing environment, and sends the final augmented prompt to an LLM. A Flower-based federated RAG system makes the same split more explicit: retrieval remains local to each silo, but the server-side aggregation and generation stages run inside an attested confidential environment, with Flower CRC providing confidential remote LLM inference (Addison et al., 2024, Stripelis et al., 26 Mar 2026).

Adjacent systems contribute mechanisms rather than end-user workloads. FEDB is a confidential database rather than a federated learning system, yet its core idea—keeping data-independent identifiers outside the trusted domain and resolving them to plaintext secrets only inside a trusted privacy zone—directly informs confidential federated compute. JANUS contributes an attested interconnect for long-running distributed pipelines, and TCU contributes proof-carrying chaining across heterogeneous off-chain services (Huang et al., 19 Mar 2026, Dang et al., 10 May 2026, Castillo et al., 22 Apr 2025).

5. Security properties, assumptions, and unresolved leakage

The strongest claims in this literature combine confidentiality, integrity, freshness, and policy enforcement. SecFL explicitly claims confidentiality, integrity, and freshness of input data, code, and machine-learning models, plus enforcement of pre-agreed client policies. The TCU framework adds chained provenance and auditable traceability through its Program Registry. The CFC platform emphasizes external verifiability: an outside verifier should be able to check that client data is processed only by executables built from open-source code and authorized by policy (Quoc et al., 2021, Castillo et al., 22 Apr 2025, Eichner et al., 2024).

These guarantees, however, are highly assumption-sensitive. Many cryptographic systems assume semi-honest or honest-but-curious participants, stable membership during key generation and decryption, or non-colluding servers. The federated Kaplan–Meier system assumes fewer than the threshold TT key-share holders cannot decrypt and no coalition of size at least TT colludes maliciously. The secure truth-finding protocol assumes two non-colluding servers under passive security. CaPC assumes a semi-trusted privacy guardian that does not collude. TCU explicitly excludes side-channel and fault-injection attacks from its trust assumptions, and JANUS does not protect against availability attacks, traffic analysis, CPU microarchitectural side channels, post-boot kernel-resident exploitation by a malicious tenant, or non-network covert exfiltration inside the destination host (Veeraragavan et al., 2024, Saadeh et al., 2023, Choquette-Choo et al., 2021, Castillo et al., 22 Apr 2025, Dang et al., 10 May 2026).

A recurring misconception in the literature is that federation by itself is sufficient. Multiple papers reject that view directly. The CFC architecture argues that basic FLA still exposes private uploads or intermediate aggregates to a malicious provider unless stronger mechanisms are used. C-FedRAG argues that federation alone is not enough for RAG because an orchestrator that sees retrieved text in the clear becomes an “over-curious” visibility point. SecFL makes the same point for model updates and training state (Eichner et al., 2024, Addison et al., 2024, Quoc et al., 2021).

A second misconception is that TEEs alone reproduce the ideal centralized DP model. The side-channel hardening paper identifies message-length and memory-allocation channels that could be exploited by a hypothetical insider to circumvent DP guarantees in a CVM-based platform. One concrete example is DPGroupByAggregator::Serialize(), whose serialized output in a prior version was 190 bytes for (Reddit, android) and 217 bytes for (Reddit, iOS). The paper proposes a PositiveLaplaceMechanism for message padding and private resizing mechanisms based on UDSAboveThreshold and StrictUDSAboveThreshold for associative maps. FEDB reaches a similar conclusion from a database perspective: even after removing synchronous cryptography from the hot path, access-pattern leakage, search patterns, timing, result size, and comparison outputs remain in its leakage profile L=(Linit,Lquery,Lupdate)\mathcal{L} = (\mathcal{L}_{init}, \mathcal{L}_{query}, \mathcal{L}_{update}) (Bell-Clark et al., 23 Mar 2026, Huang et al., 19 Mar 2026).

6. Efficiency, scalability, and deployment tradeoffs

System Reported result Deployment implication
JANUS 6 μs per packet; 13–15 μs latency overhead; 6.1% pipeline penalty; 100-node cluster under 1.5 s Measured in-kernel enforcement can approach native-speed routing
VM-based TEE FL at most 1.5x overhead Whole-VM isolation can be practical for OpenFL workloads
FEDB up to 78.0× speedup over HEDB; 34.3% to 80.0% storage reduction Hot-path cryptography can dominate performance more than confidentiality itself
Federated Kaplan–Meier 8–19× computational overhead Threshold HE remains materially costlier but feasible for moderate-scale deployments
SF-PCA 3× to 250× faster than privacy-preserving alternatives Hybrid local-cleartext plus encrypted aggregation amortizes cryptographic cost

The reported measurements show that there is no single performance profile for confidential federated compute. Systems that keep the fast path close to native execution can be relatively inexpensive: JANUS attributes its steady-state 6.0 μs enforcement latency mainly to AES-GCM authenticated decryption, and the VM-based TEE study reports that Intel TDX introduces limited overhead compared with enclave-based SGX systems for confidential federated learning (Dang et al., 10 May 2026, Casella, 20 Jan 2025).

By contrast, strongly cryptographic schemes often accept substantial overheads for stronger trust minimization. The Kaplan–Meier framework reports 8–19× computational overhead, though it also states that threshold-based homomorphic encryption is feasible for moderate-scale deployments. CaPC reports that secure inference dominates overhead, with about 100× slowdown versus non-encrypted CPU inference at base-level security and up to 1000× at high security levels. SF-PCA positions itself between these extremes by combining local cleartext linear algebra with multiparty CKKS, which yields 3× to 250× speedups over privacy-preserving alternatives based solely on MPC or homomorphic encryption (Veeraragavan et al., 2024, Choquette-Choo et al., 2021, Froelicher et al., 2023).

Engineering choices that remove unnecessary cryptography from critical paths can dominate system-level outcomes. FEDB replaces decrypt–compute–encrypt cycles with Get and Put lookups over trusted mappings, reducing approximate per-operation cost from decryption at 1408\sim 1408 cycles and encryption at 5795\sim 5795 cycles to Get at P(EIn,IIn,PK)(Out,π)P(EIn, IIn, PK) \rightarrow (Out, \pi)0 cycles and Put at P(EIn,IIn,PK)(Out,π)P(EIn, IIn, PK) \rightarrow (Out, \pi)1 cycles on ARM. In federated analytics, PAPAYA instead relies on device-side batching, one-shot protocols, and histogram-based aggregation so that the dominant device costs become process initiation, communication, and orchestration overhead rather than local computation; the system is described as capable of serving populations ranging from thousands to billions of devices (Huang et al., 19 Mar 2026, Srinivas et al., 2024).

The broader systems literature therefore treats confidential federated compute less as a single technique than as a set of design tradeoffs. TEEs and CVMs can provide strong confidentiality and integrity for real code paths with modest overhead, but inherit hardware trust and side-channel concerns. Purely cryptographic systems reduce hardware trust but often impose heavier runtime and communication costs. Hybrid designs—TEE-based execution with DP, TEEs combined with open-source attestation, or local cleartext computation combined with encrypted low-dimensional aggregation—are repeatedly presented as the practical compromise for real deployments (Eichner et al., 2024, Casella, 20 Jan 2025, Froelicher et al., 2023).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Confidential Federated Compute.