Tilde Lowengrimm on Nostr: Everyone seems to be relying on "trusted execution environments" to build ...
Everyone seems to be relying on "trusted execution environments" to build ostensibly-private ways to query large models, and, as the paper notes: "Unfortunately, there is a history of practical attacks on various TEE implementations."
I think the authors have a really good set of insights about the mismatch between the absolutely magical privacy which can be offered by E2EE, and the narrower promises it'll ever be possible to make about a TEE, no matter how well-built:

"Since the security of TEEs and E2EE depend on orthogonal considerations, their resulting security guarantees are incomparable in a technical sense. That is, the precise type of security you get, and the conditions under which you get it, are different and not directly comparable. TEEs rely upon a distinct set of conditions for their security from E2EE, and therefore cannot be substituted into an E2EE protocol without acknowledging that the nature of the security offered has changed, away from E2EE security. Thus, again, while the security goals are similar, they are not interchangeable technologies."

"While privacy-preserving training techniques such as the above have made important steps towards mitigating the feasibility of attacks, they do not meet the security guarantees of E2EE: they reduce information leakage in training data, but they do not prevent it completely — and their preventative measures are not based on the security of encryption, so the protection they provide is of a different nature to E2EE security."