# Trust-based Security

Trust-based security refers to leveraging the trusted execution environment (TEE) provided by confidential computing in federated learning, which we call confidential federated AI.



## Confidential Computing

Confidential computing provides a physically isolated trusted execution environment (TEE) to secure the entire workload while data is in use. 

### Capabilities of Confidential Computing

Confidential computing enhances data security and privacy by leveraging specialized hardware and technologies to protect sensitive computations and data in use. The key capabilities include:


<img src="gpu_cc.png" alt="NVIDIA Confidential Computing" width="500">

* **Trusted Execution Environment (TEE)**
    * Provides an isolated environment that ensures the confidentiality and integrity of applications and data during processing.
    * Protects against unauthorized access, even from privileged software such as the operating system or hypervisor.

* **Virtualization-Based Security ("Lift & Shift")**
    * Enables applications to run in secure environments without requiring modifications or partitioning.
    * Facilitates seamless migration of existing workloads to confidential computing platforms.

* **Secure Transfer**
    * Supports high-performance hardware acceleration for encryption of data during transfers between CPUs and GPUs.
    * Ensures secure communication channels for sensitive data processing.

* **Hardware Root of Trust**
    * Establishes a secure foundation using authenticated firmware measurement and attestation mechanisms for hardware, including GPUs.
    * Validates the integrity and authenticity of the system, ensuring it is operating in a trusted state.


<img src="cc_tech_stack.png" alt="Confidential Computing Tech Stack" width="500">

## Computing Technology Stack

There are multiple components to confidential computing technology, including:

* Hardware: CPU (AMD SEV-SNP, Intel TDX, etc.), GPU (H100, Blackwell)
* Attestation Service -- verifies whether the hardware is trustworthy
* Virtualization:
    * Confidential Virtual Machine (CVM)
    * Confidential Container
    * Kubernetes pod with Kata containers (Confidential Containers, CoCo)

* Key Broker Service -- The key broker service (KBS) is a server that facilitates remote attestation and secret delivery.


## Confidential Federated AI Use Cases

**Federated Training Workflow**

Confidential Federated Learning (Confidential FL) enables secure and trustworthy training environments by incorporating Confidential Computing for trust verification at different stages of the training process. These use cases demonstrate how trust among participants is explicitly managed and protected.

There are three typical use cases:

* **Building Explicit Trust** -- explicitly verifies that participants are trustworthy at any time

* **Secure Aggregation** -- ensures that model updates from clients are aggregated securely without exposing individual model weights or enabling reverse engineering of private data

* **Model Theft Prevention** -- prevents unauthorized access or theft of the model during the training process




### Build Explicit Trust Among All Participants

Trustworthiness Verification: At different stages of the training process, we explicitly check the trustworthiness of participants using Confidential Computing Attestation. The level of trust varies depending on the use case, and different trust models are applied based on the relationship between the clients and the FL server.

### Secure Aggregation

**Scenario**

Clients trust their own infrastructure and training code, but do not trust the FL server, because a malicious server could run a model inversion attack on the updates it receives. The server must therefore be secured so that this attack is not possible.


**Solution**

Only the FL server needs to be a Confidential Computing Node for secure aggregation. Client nodes do not need to be confidential, and the server’s trustworthiness is verified through self-attestation (server attests its own integrity).
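The attestation-and-secret-delivery flow described in the technology stack (Attestation Service plus Key Broker Service) and relied on here (the server's attestation gating what it is allowed to receive), as an added example that is not part of this page or of any product's code. It assumes a constructed vendor key and HMAC as a stand-in for the hardware signature on a TEE report, and a constructed allow-list of approved server image measurements; a real deployment verifies a certificate chain from the hardware vendor instead.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the vendor-rooted key that real TEE hardware uses to
# sign its attestation report (assumption: HMAC replaces the hardware signature).
VENDOR_KEY = b"constructed-vendor-attestation-key"

# Policy: measurements (image hashes) the data owners agreed the FL server may run.
APPROVED_MEASUREMENTS = {hashlib.sha256(b"fl-server-image:v1").hexdigest()}


@dataclass
class AttestationReport:
    measurement: str  # hash of the launched workload image
    nonce: str        # verifier-chosen freshness value echoed back by the TEE
    signature: str    # signature over measurement|nonce, bound to the hardware key


def tee_generate_report(image: bytes, nonce: str) -> AttestationReport:
    """Simulates the TEE measuring the running workload and signing the report."""
    measurement = hashlib.sha256(image).hexdigest()
    msg = f"{measurement}|{nonce}".encode()
    sig = hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()
    return AttestationReport(measurement, nonce, sig)


def verify_report(report: AttestationReport, expected_nonce: str) -> bool:
    """Attestation service: genuine hardware signature, fresh nonce, approved image."""
    msg = f"{report.measurement}|{report.nonce}".encode()
    expected_sig = hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, report.signature):
        return False  # report was not produced by trusted hardware
    if not hmac.compare_digest(report.nonce, expected_nonce):
        return False  # stale or replayed report
    return report.measurement in APPROVED_MEASUREMENTS


class KeyBrokerService:
    """Releases the model key only to a node whose report passes verification."""

    def __init__(self, model_key: bytes) -> None:
        self._model_key = model_key
        self._outstanding: set = set()  # nonces issued but not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    def release_key(self, report: AttestationReport) -> Optional[bytes]:
        if report.nonce not in self._outstanding:
            return None  # unknown or already-used nonce: treat as replay
        self._outstanding.discard(report.nonce)  # single use
        return self._model_key if verify_report(report, report.nonce) else None
```

A report with an approved measurement but no valid hardware signature, a modified server image, or a reused nonce all leave the key unreleased, which is the property the client is relying on when it sends updates to the server.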


### Model Theft Prevention

**Scenario**

The model owner wants to ensure the model IP is protected during training.

**Solution**

To prevent model theft, all nodes (both FL clients and the FL server) must be protected by a Confidential Computing TEE. Model theft prevention aims to protect the intellectual property (IP) of a model throughout the federated learning process, ensuring that the global model is not shared with unauthorized participants. This involves securing both the model and the training data during and after training to safeguard the model owner's rights.