A performance analysis of VM-based Trusted Execution Environments for Confidential Federated Learning

Bruno Casella

TL;DR

This paper addresses privacy and integrity in Federated Learning by evaluating VM-based TEEs (Intel TDX) against application-isolation TEEs (SGX) with TLS protection for CFL deployments. It extends a CFL performance model to include VM-based TEEs, and conducts experiments on three image datasets (MNIST, CIFAR-10, CIFAR-100) using two networks (ResNet-18, MobileNetV3-Small) over 100 federated rounds. The results show TDX overhead is modest compared with SGX, with regression-coefficient estimates $O_{TDX} = C_{TDX} \times T_{baseline}$ where $C_{TDX}$ is $0.126$ for ResNet-18 and $0.245$ for MobileNetV3-Small, while TLS adds $O_{TLS} = C_{TLS} \times T_{baseline}$ with $C_{TLS}$ values $0.079$ and $0.065$, respectively; overall overhead stays under $1.5\times$. This demonstrates that CFL on untrusted infrastructures such as public clouds or HPC facilities can be deployed with limited performance penalties.
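A worked instance of the overhead model $O_x = C_x \times T_{baseline}$ stated above, added here as an illustration and not taken from the paper or its code: it estimates $C_{TDX}$ and $C_{TLS}$ by least squares through the origin from constructed per-round wall-clock samples (invented for this example), then combines them into a total overhead factor under the assumption that the TDX and TLS overhead terms add.

```python
"""Added example: fit the CFL overhead model O_x = C_x * T_baseline and
check the combined overhead against the paper's 1.5x ceiling.
All timing samples below are constructed for illustration."""
from typing import Sequence

# Constructed baseline wall-clock times per federated round (seconds),
# plus the same rounds measured under TDX and under TLS. Not real data.
T_BASELINE = [10.0, 20.0, 30.0, 40.0]
T_TDX = [11.3, 22.5, 33.7, 45.1]   # baseline + TDX overhead
T_TLS = [10.8, 21.6, 32.3, 43.2]   # baseline + TLS overhead


def fit_overhead_coefficient(t_baseline: Sequence[float],
                             t_secured: Sequence[float]) -> float:
    """Least-squares estimate of C in O = C * T_baseline, where the
    overhead O is (t_secured - t_baseline) for each round.
    Regression through the origin: C = sum(T*O) / sum(T*T)."""
    if not t_baseline or len(t_baseline) != len(t_secured):
        raise ValueError("need equal, non-empty sample lists")
    numerator = sum(t * (s - t) for t, s in zip(t_baseline, t_secured))
    denominator = sum(t * t for t in t_baseline)
    return numerator / denominator


def total_overhead_factor(*coefficients: float) -> float:
    """Total time relative to baseline, assuming the overhead terms add:
    T_total = T_baseline * (1 + C_TDX + C_TLS + ...)."""
    return 1.0 + sum(coefficients)


def within_ceiling(factor: float, ceiling: float = 1.5) -> bool:
    """True if the combined overhead stays under the stated ceiling."""
    return factor < ceiling


def analyse() -> dict:
    """Run the fit on the constructed samples and report the factor."""
    c_tdx = fit_overhead_coefficient(T_BASELINE, T_TDX)
    c_tls = fit_overhead_coefficient(T_BASELINE, T_TLS)
    factor = total_overhead_factor(c_tdx, c_tls)
    return {"C_TDX": c_tdx, "C_TLS": c_tls, "factor": factor,
            "under_1.5x": within_ceiling(factor)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```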

Abstract

Federated Learning (FL) is a distributed machine learning approach that has emerged as an effective way to address recent privacy concerns. However, FL introduces the need for additional security measures as FL alone is still subject to vulnerabilities such as model and data poisoning and inference attacks. Confidential Computing (CC) is a paradigm that, by leveraging hardware-based trusted execution environments (TEEs), protects the confidentiality and integrity of ML models and data, thus resulting in a powerful ally of FL applications. Typical TEEs offer an application-isolation level but suffer many drawbacks, such as limited available memory and debugging and coding difficulties. The new generation of TEEs offers a virtual machine (VM)-based isolation level, thus reducing the porting effort for existing applications. In this work, we compare the performance of VM-based and application-isolation level TEEs for confidential FL (CFL) applications. In particular, we evaluate the impact of TEEs and additional security mechanisms such as TLS (for securing the communication channel). The results, obtained across three datasets and two deep learning models, demonstrate that the new VM-based TEEs introduce a limited overhead (at most 1.5x), thus paving the way to leverage public and untrusted computing environments, such as HPC facilities or public cloud, without detriment to performance.

Paper Structure (4 sections, 1 equation, 2 figures, 3 tables)

Figures (2)

  • Figure 1: Overhead terms of the wall-clock times.
  • Figure 2: Coefficients of the linear regression models.