Skip to main content

Volume 5 · Frontier and deployment

The current frontier and its engineering landing, along three lines: private computation and confidential inference (TEE / GPU confidential computing / HE / MPC), verifiable deletion and machine unlearning, and production-grade differential privacy and federated learning deployment.

Confidential inference

In one sentence what actually ships today is mainly the hardware isolation + remote attestation route — e.g. GPU confidential computing on NVIDIA H100/H200, and Apple Private Cloud Compute as a private cloud architecture with a verifiable transparency log (same mechanism family, different shapes — don't conflate them); the cryptographic route (HE / MPC) is still too expensive at LLM scale. But "confidential" is a marketing word — the real boundary isn't "the vendor says confidential," it's whether you (or your device) verified the attestation, who the threat model covers, and what it still doesn't solve (side channels, trusting the chip vendor, legal orders). This entry takes Volume 1's TEE and HE·MPC foundations down to "can you actually run private inference."

MediumProduction

Secure aggregation

In one sentence use secure multiparty computation so the server can compute only "the sum of all clients' updates," never any single update — the single point is hidden, and inversion loses what it stands on. It's communication-efficient and robust to client dropout, and is already used in Google's production FL (Bonawitz et al., MLSys 2019 secure aggregation downgrades "the server is trusted" to "the server only sees the aggregate sum"; but it's not a cure-all — it defends against "seeing a single update," not "the aggregate sum itself leaking" or "parties colluding," so still pair it with DP.

MediumProduction

Unlearning verifiability

In one sentence the same model parameters can be produced from a different dataset / a different gradient sequence, so a model owner can pass off a fabricated "I unlearned it" proof while actually keeping the record. Alongside it, TOFU (Maini et al., COLM 2024) turns "forget quality" into a measurable benchmark and finds no off-the-shelf method convincingly passes the "forget quality vs. utility" tradeoff. Conclusion first: audit the algorithm / process, not the final weights; "deleted" must be provable, or it's compliance theater.

MediumResearch

Split learning leakage

In one sentence this is not private. The Feature-Space Hijacking Attack (Pasquini et al., CCS 2021) shows a malicious server can actively steer the split model into an insecure state and reconstruct the client's private training inputs from the intermediate activations (reconstructing images on MNIST / Omniglot / CelebA); UnSplit (Erdoğan et al., WPES @ CCS 2022) shows that even an honest-but-curious server — knowing only the client architecture, with no active interference — can invert (reconstruction MSE ≈ 0.08–0.15 on MNIST / Fashion-MNIST / CIFAR-10). Don't read "didn't send raw pixels" as privacy.

HighResearch

On-device inference

In one sentence on-device means "the device doesn't send it out." But "on-device" is a word that's easy to over-read — the real boundary isn't "the vendor says on-device," it's which requests still fall back to the cloud, how much capability you trade away because the on-device model is smaller, and the telemetry / diagnostics / model-download channels. Bottom line first: "on-device" ≠ "nothing leaves the device." What's verifiable is that a given request completes on the local device and its prompt didn't leave the device for that path; but which requests run on-device versus fall back to the cloud is a deployment fact to check, not a model promise. For the fall-back-to-cloud portion, you go back to confidential inference to verify it.

MediumProduction

LoRA Adapter Leakage

In one sentence the difference between the base and the fine-tuned model is itself the fingerprint of the fine-tune data. An attacker who holds your adapter and that public base can use the public base as a reference frame and run membership inference / extraction amplified by the delta. LoRA-Leak (arXiv 2507.18302, ⚠️preprint) measures it "the delta is small / the base is public" is not privacy — the public base is a free reference in the attacker's hands that raises your members' distinguishability.

MediumResearch

Unlearning benchmarks & evaluation

In one sentence not just "can it still recite it?" but forget quality × retained utility × privacy leakage under attack, three axes at once. And these benchmarks converge on an uncomfortable finding — few methods survive both the utility test and the leakage test (MUSE reports that of eight algorithms, only one avoids severe privacy leakage ⚠️ preprint). But the benchmarks have blind spots of their own: a benchmark is a proxy, and passing it ≠ truly forgotten (this picks up this volume's Unlearning verifiability); whatever it doesn't cover is a corner it can't see.

MediumResearch