Hardening Confidential Federated Compute against Side-channel Attacks

James Bell-Clark, Albert Cheu, Adria Gascon, Jonathan Katz

Abstract

In this work, we identify a set of side-channels in our Confidential Federated Compute platform that a hypothetical insider could exploit to circumvent differential privacy (DP) guarantees. We show how DP can mitigate two of the side-channels, one of which has been implemented in our open-source library.

Paper Structure

This paper contains 22 sections, 6 theorems, 14 equations, 3 figures, 1 table and 6 algorithms.

Key Result

Lemma 1

Suppose $M$ is $\varepsilon$-DP. If there is another algorithm $M'$ that satisfies $\| M(D) - M'(D) \|_{TV} \leq \frac{\delta}{e^\varepsilon+1}$ for any input $D$, then $M'$ is $(\varepsilon,\delta)$-DP.
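As an added illustration (not text from the paper), the standard argument behind Lemma 1: for neighbouring inputs $D, D'$ and any event $S$, apply the TV bound on $D$, then $\varepsilon$-DP of $M$, then the TV bound on $D'$:

$$
\begin{aligned}
\Pr[M'(D) \in S]
&\leq \Pr[M(D) \in S] + \frac{\delta}{e^\varepsilon+1} \\
&\leq e^\varepsilon \Pr[M(D') \in S] + \frac{\delta}{e^\varepsilon+1} \\
&\leq e^\varepsilon \left( \Pr[M'(D') \in S] + \frac{\delta}{e^\varepsilon+1} \right) + \frac{\delta}{e^\varepsilon+1} \\
&= e^\varepsilon \Pr[M'(D') \in S] + \frac{(e^\varepsilon + 1)\,\delta}{e^\varepsilon+1}
 = e^\varepsilon \Pr[M'(D') \in S] + \delta .
\end{aligned}
$$

The factor $e^\varepsilon+1$ in the TV budget is exactly what makes the two additive terms sum to $\delta$, which is why an implementation that only approximates the ideal $\varepsilon$-DP mechanism (for example because of a side-channel-motivated change) keeps a clean $(\varepsilon,\delta)$ guarantee.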

Figures (3)

  • Figure 1: Visualization of the central model contrasted with our system, in the context of a toy SQL query. Red objects are adversarial. Locked arrows indicate encrypted communications.
  • Figure 2: Overhead due to padding. Color distinguishes $\varepsilon$ values.
  • Figure 3: Page faults caused by adding to an std::unordered_map.

Theorems & Definitions (16)

  • Lemma 1
  • proof
  • Theorem 2
  • proof
  • Theorem 3
  • Theorem 4
  • proof
  • Theorem 5
  • proof
  • Theorem 6
  • ...and 6 more