{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T07:16:17Z","timestamp":1763968577865,"version":"3.41.0"},"reference-count":24,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2024,4,30]],"date-time":"2024-04-30T00:00:00Z","timestamp":1714435200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Queue"],"published-print":{"date-parts":[[2024,4,30]]},"abstract":"<jats:p>The principles of security, privacy, accountability, transparency, and fairness are the cornerstones of modern AI regulations. Classic FL was designed with a strong emphasis on security and privacy, at the cost of transparency and accountability. CFL addresses this gap with a careful combination of FL with TEEs and commitments. In addition, CFL brings other desirable security properties, such as code-based access control, model confidentiality, and protection of models during inference. Recent advances in confidential computing such as confidential containers and confidential GPUs mean that existing FL frameworks can be extended seamlessly to support CFL with low overheads. 
For these reasons, CFL is likely to become the default mode for deploying FL workloads.<\/jats:p>","DOI":"10.1145\/3665220","type":"journal-article","created":{"date-parts":[[2024,5,24]],"date-time":"2024-05-24T17:39:13Z","timestamp":1716572353000},"page":"87-107","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Trustworthy AI using Confidential Federated Learning"],"prefix":"10.1145","volume":"22","author":[{"given":"Jinnan","family":"Guo","sequence":"first","affiliation":[{"name":"Imperial College London"}]},{"given":"Peter","family":"Pietzuch","sequence":"additional","affiliation":[{"name":"Imperial College London"}]},{"given":"Andrew","family":"Paverd","sequence":"additional","affiliation":[{"name":"Microsoft Security Response Center"}]},{"given":"Kapil","family":"Vaswani","sequence":"additional","affiliation":[{"name":"Azure Research"}]}],"member":"320","published-online":{"date-parts":[[2024,5,24]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"AMD. 2020. AMD SEV-SNP: strengthening VM isolation with integrity protection and more. White paper; https:\/\/www.amd.com\/content\/dam\/amd\/en\/documents\/epyc-business-docs\/solution-briefs\/amd-secure-encrypted-virtualization-solution-brief.pdf."},{"key":"e_1_2_1_2_1","volume-title":"Innovative technology for CPU based attestation and sealing. Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy 13","author":"Anati I.","year":"2013","unstructured":"Anati, I., Gueron, S., Johnson, S., Scarlata, V. 2013. Innovative technology for CPU based attestation and sealing. Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy 13; https:\/\/www.intel.com\/content\/dam\/develop\/external\/us\/en\/documents\/hasp-2013-innovative-technology-for-attestation-and-sealing-413939.pdf."},{"key":"e_1_2_1_3_1","unstructured":"Brasser F. Jauernig P. 
Pustelnik F. Sadeghi A.-R. Stapf E. 2022. Trusted container extensions for container-based confidential computing. arXiv preprint arXiv:2205.05747; https:\/\/arxiv.org\/abs\/2205.05747."},{"key":"e_1_2_1_4_1","unstructured":"Cheng P.-C. Ozga W. Valdez E. Ahmed S. Gu Z. Jamjoom H. Franke H. Bottomley J. 2023. Intel TDX demystified: a top-down approach. arXiv preprint arXiv:2303.15540; https:\/\/arxiv.org\/abs\/2303.15540."},{"key":"e_1_2_1_5_1","volume-title":"Intel SGX explained","author":"Costan V.","year":"2016","unstructured":"Costan, V., Devadas, S. 2016. Intel SGX explained; https:\/\/eprint.iacr.org\/2016\/086."},{"key":"e_1_2_1_6_1","doi-asserted-by":"crossref","unstructured":"Dhanuskodi G. Guha S. Krishnan V. Manjunatha A. Nertney R. O'Connor M. Rogers P. 2023. Creating the first confidential GPUs. acmqueue 21(4); https:\/\/queue.acm.org\/detail.cfm?id=3623391.","DOI":"10.1145\/3623393.3623391"},{"key":"e_1_2_1_7_1","volume-title":"et. al","author":"Dwork C.","year":"2014","unstructured":"Dwork, C., Roth, A., et al. 2014. The algorithmic foundations of differential privacy. Foundations and Trends in Theoretical Computer Science 9(3-4), 211–407; https:\/\/dl.acm.org\/doi\/10.1561\/0400000042."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489304"},{"key":"e_1_2_1_9_1","unstructured":"Hande K. 2023. Announcing Azure confidential VMs with NVIDIA H100 Tensor Core GPUs in Preview. Azure Confidential Computing Blog; https:\/\/techcommunity.microsoft.com\/t5\/azure-confidential-computing\/announcing-azure-confidential-vms-with-nvidia-h100-tensor-core\/ba-p\/3975389#:~:text=\"The%20Azure%20confidential%20VMs%20with remain%20protected%20end%20to%20end.\""},{"volume-title":"A taxonomy of attacks on federated learning","author":"Jere M. S.","key":"e_1_2_1_10_1","unstructured":"Jere, M. S., Farnan, T., Koushanfar, F. 2020. A taxonomy of attacks on federated learning. 
IEEE Security & Privacy 19(2), 20–28; https:\/\/ieeexplore.ieee.org\/document\/9308910."},{"key":"e_1_2_1_11_1","unstructured":"Johnson M. A. Volos S. Gordon K. Allen S. T. Wintersteiger C. M. Clebsch S. Starks J. Costa M. 2023. COCOAEXPO: confidential containers via attested execution policies. arXiv preprint arXiv:2302.03976; https:\/\/arxiv.org\/abs\/2302.03976."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3178876.3186133"},{"key":"e_1_2_1_14_1","volume-title":"30th Usenix Security Symposium, 717–732; https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/li-mengyuan.","author":"Li M.","year":"2021","unstructured":"Li, M., Zhang, Y., Wang, H., Li, K., Cheng, Y. 2021. CIPHERLEAKS: breaking constant-time cryptography on AMD SEV via the ciphertext side channel. 30th Usenix Security Symposium, 717–732; https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/li-mengyuan."},{"key":"e_1_2_1_15_1","volume-title":"16th Usenix Symposium on Operating Systems Design and Implementation; https:\/\/www.usenix.org\/conference\/osdi22\/presentation\/li.","author":"Li X.","year":"2022","unstructured":"Li, X., Li, X., Dall, C., Gu, R., Nieh, J., Sait, Y., Stockwell, G. 2022. Design and verification of the Arm confidential compute architecture. 16th Usenix Symposium on Operating Systems Design and Implementation; https:\/\/www.usenix.org\/conference\/osdi22\/presentation\/li."},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the 27th Usenix Security Symposium; https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/lipp.","author":"Lipp M.","year":"2018","unstructured":"Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Fogh, A., Horn, J., et al. 2018. Meltdown: reading kernel memory from user space. 
Proceedings of the 27th Usenix Security Symposium; https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/lipp."},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, 1273–1282; https:\/\/proceedings.mlr.press\/v54\/mcmahan17a\/mcmahan17a.pdf.","author":"McMahan B.","year":"2017","unstructured":"McMahan, B., Moore, E., Ramage, D., Hampson, S., Aguera y Arcas, B. 2017. Communication-efficient learning of deep networks from decentralized data. Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, 1273–1282; https:\/\/proceedings.mlr.press\/v54\/mcmahan17a\/mcmahan17a.pdf."},{"key":"e_1_2_1_18_1","doi-asserted-by":"crossref","unstructured":"Mo F. Haddadi H. Katevas K. Marin E. Perino D. Kourtellis N. 2022. PPFL: enhancing privacy in federated learning with confidential computing. GetMobile: Mobile Computing and Communications 25(4) 35–38; https:\/\/dl.acm.org\/doi\/10.1145\/3529706.3529715.","DOI":"10.1145\/3529706.3529715"},{"key":"e_1_2_1_19_1","unstructured":"Quoc D. L. Fetzer C. 2021. SecFL: confidential federated learning using TEEs. arXiv 2110.00981; https:\/\/arxiv.org\/abs\/2110.00981."},{"key":"e_1_2_1_20_1","unstructured":"Roth H. R. Cheng Y. Wen Y. Yang I. Xu Z. Hsieh Y.-T. Kersten K. et al. 2022. NVIDIA Flare: federated learning from simulation to real-world. arXiv preprint arXiv:2210.13291; https:\/\/arxiv.org\/abs\/2210.13291."},{"key":"e_1_2_1_21_1","doi-asserted-by":"crossref","unstructured":"Russinovich M. Costa M. Fournet C. Chisnall D. Delignat-Lavaud A. Clebsch S. Vaswani K. Bhatia V. 2021. Toward confidential cloud computing. 
Communications of the ACM 64(6) 54–61; https:\/\/dl.acm.org\/doi\/10.1145\/3453930.","DOI":"10.1145\/3453930"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58951-6_24"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the 27th Usenix Security Symposium; https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/bulck.","author":"Van Bulck J.","year":"2018","unstructured":"Van Bulck, J., Minkin, M., Weisse, O., Genkin, D., Kasikci, B., Piessens, F., Silberstein, M., Wenisch, T. F., Yarom, Y., Strackx, R. 2018. Foreshadow: extracting the keys to the Intel SGX kingdom with transient out-of-order execution. Proceedings of the 27th Usenix Security Symposium; https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/bulck."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2988575"}],"container-title":["Queue"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3665220","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3665220","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:58:33Z","timestamp":1750294713000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3665220"}},"subtitle":["Federated learning and confidential computing are not competing 
technologies."],"short-title":[],"issued":{"date-parts":[[2024,4,30]]},"references-count":24,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2024,4,30]]}},"alternative-id":["10.1145\/3665220"],"URL":"https:\/\/doi.org\/10.1145\/3665220","relation":{},"ISSN":["1542-7730","1542-7749"],"issn-type":[{"type":"print","value":"1542-7730"},{"type":"electronic","value":"1542-7749"}],"subject":[],"published":{"date-parts":[[2024,4,30]]},"assertion":[{"value":"2024-05-24","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}