pith. sign in

arxiv: 2606.09163 · v1 · pith:CRY6RU2Nnew · submitted 2026-06-08 · 💻 cs.CR

EnclaveScale: Hardware-Assisted Edge-DP for Secure Data Centre Power Telemetry

Pith reviewed 2026-06-27 16:21 UTC · model grok-4.3

classification 💻 cs.CR
keywords edge differential privacyhardware enclavespower telemetrydata center securityMarkov chain distillationDCAP attestationGPU transientsByzantine rejection
0
0 comments X

The pith

EnclaveScale uses hardware enclaves, DCAP attestation, and edge differential privacy to achieve zero post-extraction attack success on data center GPU power telemetry.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents EnclaveScale as a distributed architecture that processes power telemetry locally inside confidential VMs before any aggregation occurs. It combines attestation of data origins, injection of differential privacy noise, rejection of inconsistent inputs, and conversion of continuous traces into Markov-chain matrices to deliver event-level privacy. A sympathetic reader would care because this setup lets multiple tenants contribute high-resolution GPU power data for modeling AI transients without allowing spoofed inputs or leaks of individual machine behavior. The evaluation on 32 GCP Confidential VMs reports no successful post-extraction attacks while maintaining over 131,000 samples per second throughput per enclave.

Core claim

EnclaveScale distils continuous GPU power transients into discrete Markov-chain transition matrices inside attested enclaves, applies differential privacy noise at the edge, and uses a Global Aggregation Enclave to verify DCAP proofs and perform capacity-weighted aggregation, resulting in event-level differential privacy, origin authentication, and 0% post-extraction attack success rate.

What carries the argument

The post-extraction pipeline of DCAP attestation, differential privacy noise injection, Byzantine rejection, and Markov-chain distillation into transition matrices, backed by an SPDM-authenticated first-mile layer and a Global Aggregation Enclave for proof verification.

If this is right

  • Collaborative modeling of high-resolution generative AI power transients becomes possible across tenants without exposing sub-second anomalies.
  • Malicious hosts cannot spoof sensor inputs once the attestation and first-mile layer are in place.
  • Event-level differential privacy is guaranteed locally before any global aggregation occurs.
  • Steady-state throughput reaches 131,406 samples per second per enclave with attestation overhead amortized to 0.23 microseconds per sample.
  • Dynamic multi-tenant power orchestration can proceed with a measured margin error of 1.3 MW.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same local distillation and attestation pattern could apply to other high-frequency sensor streams such as network or thermal telemetry.
  • As PCIe IDE and TDISP hardware matures, the proposed SPDM layer may become unnecessary for the first-mile protection.
  • Spatial dilution across more tenants during global aggregation could further reduce the risk of inferring macro-workload patterns.
  • The Markov-chain representation might serve as a general template for turning other continuous time-series data into privacy-preserving discrete models.

Load-bearing premise

DCAP attestation together with the SPDM first-mile layer must prevent host-level synthesis of sensor inputs, and the Markov-chain distillation must retain enough fidelity for accurate generative-AI transient modeling while still providing event-level differential privacy.

What would settle it

A demonstrated successful spoofing of attested sensor inputs on the evaluated 32-VM pipeline, or a measured loss of transient-modeling accuracy below the level needed for the reported 1.3 MW orchestration margin, would falsify the central claims.

Figures

Figures reproduced from arXiv: 2606.09163 by Hung Dang, Minh Vo, Tue Nguyen.

Figure 1
Figure 1. Figure 1: The EnclaveScale architecture. Raw telemetry transients (Si) are distilled into DP-noised matrices (Mˆ i) within edge-deployed TDX enclaves (LSEs) and transmitted to the central GAE alongside an attestation quote (qi). Untrusted host components are denoted by red dashed boundaries. PCIe TDISP and IDE deployment, the target architecture requires hardware SPDM responders. Upon boot, the LSE generates an ephe… view at source ↗
Figure 2
Figure 2. Figure 2: GAE per-batch aggregation latency vs. participating LSEs (median [PITH_FULL_IMAGE:figures/full_fig_p018_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Privacy-Utility Pareto Front: Dynamic Orchestration Error vs. Per-Batch [PITH_FULL_IMAGE:figures/full_fig_p019_3.png] view at source ↗
read the original abstract

EnclaveScale is a distributed, hardware-assisted telemetry architecture providing post-extraction attestation, enabling operators to collaboratively model high-resolution generative AI power transients. Existing cryptographic techniques scale poorly for 10-Hz streaming or fail to authenticate origins, permitting malicious hosts to spoof sensor inputs. We implement and evaluate a post-extraction pipeline utilizing DCAP attestation, differential privacy noise injection, and Byzantine rejection across 32 GCP Confidential VMs, achieving 0\% post-extraction attack success rate. This edge-DP approach distils continuous GPU transients into discrete Markov-chain transition matrices, guaranteeing event-level differential privacy. To mitigate pre-ingestion vulnerabilities, we propose an SPDM-authenticated first-mile layer. While current platforms lack attested I/O, emerging hardware architectures integrate PCIe IDE and TDISP to natively prevent host-level synthesis, securing the end-to-end provenance boundary. A Global Aggregation Enclave verifies these cryptographic proofs prior to capacity-weighted aggregation. Evaluation demonstrates a steady-state throughput of $131{,}406$ samples/s per enclave, amortising attestation overhead to $0.23\,\mu$s/sample. On empirical NVML-sampled H100, A100, and L4 traces, EnclaveScale achieves a dynamic orchestration margin error of $1.3$\,MW compared to $0.1$\,MW for an honest-aggregator central-DP baseline. EnclaveScale establishes a secure foundation for dynamic multi-tenant power orchestration, obfuscating sub-second anomalies locally and protecting macro-workload confidentiality via spatial dilution during global aggregation.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The paper presents EnclaveScale, a distributed hardware-assisted telemetry system for secure data-center power monitoring. It implements a post-extraction pipeline using DCAP attestation, differential privacy noise injection, and Byzantine rejection across 32 GCP Confidential VMs, reporting 0% post-extraction attack success, 131406 samples/s throughput per enclave, and 1.3 MW dynamic orchestration error on NVML traces from H100/A100/L4 GPUs. The system distills GPU power transients into Markov-chain matrices for event-level DP; an SPDM-authenticated first-mile layer is proposed (but not implemented) to address pre-ingestion host spoofing, with future PCIe IDE/TDISP noted as enabling native attestation.

Significance. If the security and accuracy claims hold under full end-to-end evaluation, the work supplies a concrete architecture for privacy-preserving collaborative modeling of AI workload power transients at 10 Hz scale, a setting where existing cryptographic methods are stated to scale poorly. The empirical evaluation on production GPU traces and the explicit throughput/amortized attestation numbers constitute a practical contribution if the methodology details support verification.

major comments (1)
  1. [Abstract / Evaluation] Abstract and Evaluation section: the 0% post-extraction attack success rate is demonstrated only for the implemented pipeline after sensor data have already been extracted; the SPDM first-mile layer required to prevent host-level synthesis of NVML inputs is described as a proposal only, with the text noting that current platforms lack attested I/O. Consequently the central end-to-end provenance claim rests on an untested component whose correctness is not empirically verified.
minor comments (2)
  1. [Results] The 1.3 MW orchestration error is reported without accompanying workload characterization, confidence intervals, or comparison under the same privacy budget as the central-DP baseline, making it difficult to assess whether the accuracy/privacy trade-off is acceptable.
  2. [Evaluation] Throughput and attestation-overhead figures (131406 samples/s, 0.23 μs/sample) are stated as steady-state values without variance, number of runs, or data-exclusion rules, limiting reproducibility assessment.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful analysis and for identifying the need to more sharply delineate the implemented post-extraction pipeline from the proposed first-mile layer. We address the comment below and will revise the manuscript accordingly.

read point-by-point responses
  1. Referee: [Abstract / Evaluation] Abstract and Evaluation section: the 0% post-extraction attack success rate is demonstrated only for the implemented pipeline after sensor data have already been extracted; the SPDM first-mile layer required to prevent host-level synthesis of NVML inputs is described as a proposal only, with the text noting that current platforms lack attested I/O. Consequently the central end-to-end provenance claim rests on an untested component whose correctness is not empirically verified.

    Authors: We agree that the reported 0% attack success rate applies exclusively to the implemented post-extraction pipeline (DCAP attestation, edge-DP Markov-chain noise injection, and Byzantine rejection) evaluated on the 32 GCP Confidential VMs. The manuscript already states that the SPDM first-mile layer is a proposal because 'current platforms lack attested I/O' and that native support will arrive via PCIe IDE/TDISP. No empirical verification is provided or claimed for the un-implemented first-mile component. The end-to-end provenance discussion is therefore conditional on future hardware rather than an assertion of current full-stack security. To eliminate any ambiguity, we will revise the abstract to foreground the qualifier '0% post-extraction attack success rate' and add an explicit sentence in the Evaluation section restating the scope of the empirical results and the status of the first-mile proposal. revision: yes

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper describes a systems implementation and empirical evaluation of a telemetry pipeline using DCAP attestation, DP noise, and Byzantine rejection. No equations, derivations, fitted parameters, or predictions are presented that reduce to their own inputs by construction. The 0% attack success rate is an empirical measurement on 32 VMs for the post-extraction stage only; the proposed SPDM first-mile layer is explicitly noted as unimplemented. No self-citations, ansatzes, or uniqueness theorems are invoked in a load-bearing way. The work is self-contained as a performance and security evaluation report rather than a closed-form derivation.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

Ledger extracted from abstract only; full paper may introduce additional parameters or assumptions.

axioms (2)
  • domain assumption DCAP attestation correctly verifies enclave state and prevents post-extraction tampering
    Invoked to achieve 0% post-extraction attack success
  • domain assumption Markov-chain transition matrices plus DP noise guarantee event-level differential privacy for power transients
    Central to the privacy guarantee stated in the abstract

pith-pipeline@v0.9.1-grok · 5807 in / 1278 out tokens · 25910 ms · 2026-06-27T16:21:33.211960+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

29 extracted references · 5 canonical work pages · 1 internal anchor

  1. [1]

    Measurement of Generative AI Workload Power Profiles for Whole-Facility Data Center Infrastructure Planning

    R. Vercellino, J. Willard, G. Campos, W. d. S. Pereira, O. Hull, M. Selensky, J. Mueller, Measurement of generative ai workload power profiles for whole-facility data center infrastructure planning (2026). doi:10.48550/ARXIV.2604.07345. URLhttps://arxiv.org/abs/2604.07345

  2. [2]

    Keller, MP-SPDZ: A versatile framework for multi-party computa- tion, in: Proceedings of the 2020 ACM SIGSAC Conference on Com- puter and Communications Security, 2020, pp

    M. Keller, MP-SPDZ: A versatile framework for multi-party computa- tion, in: Proceedings of the 2020 ACM SIGSAC Conference on Com- puter and Communications Security, 2020, pp. 1575–1590

  3. [3]

    Bonawitz, V

    K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, K. Seth, Practical secure aggregation for privacy-preserving machine learning, in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 1175–1191

  4. [4]

    D. A. P. 0001, J. G. 0001, Q. V. Le, C. Liang, L.-M. Munguia, D. Rothchild, D. R. So, M. Texier, J. Dean, Carbon emissions and large neural network training., CoRR (2021)

  5. [5]

    rep., Intel Corpora- tion (2023)

    Intel, Intel trust domain extensions (TDX), Tech. rep., Intel Corpora- tion (2023). URLhttps://www.intel.com/content/www/us/en/developer/ articles/technical/intel-trust-domain-extensions.html

  6. [6]

    Distributed Management Task Force (DMTF), Security protocol and data model (spdm) specification, version 1.2.1 (dsp0274), Tech. rep. (2023). URLhttps://www.dmtf.org/dsp/DSP0274 34

  7. [7]

    Balle, Y.-X

    B. Balle, Y.-X. W. 0003, Improving the gaussian mechanism for dif- ferential privacy: Analytical calibration and optimal denoising., ICML (2018)

  8. [8]

    Dwork, Differential privacy: A survey of results, Theory and Appli- cations of Models of Computation (2008) 1–19

    C. Dwork, Differential privacy: A survey of results, Theory and Appli- cations of Models of Computation (2008) 1–19

  9. [9]

    Paulin, Concentration inequalities for markov chains by martingale methods, Electronic Journal of Probability 20 (2015) 1–32

    D. Paulin, Concentration inequalities for markov chains by martingale methods, Electronic Journal of Probability 20 (2015) 1–32

  10. [10]

    Intel Corporation, Intel trust domain extensions (Intel TDX) module advisory, Tech. Rep. INTEL-SA-00837, Intel Security Center (2024). URLhttps://www.intel.com/content/www/us/en/ security-center/advisory/intel-sa-00837.html

  11. [11]

    Intel Corporation, Frequency throttling side channel guidance, Intel Security Advisory INTEL-SA-00698; software guidance for mitigating frequency-based timing side channels on Sapphire Rapids and later. (2022). URLhttps://www.intel.com/content/ www/us/en/developer/articles/technical/ frequency-throttling-side-channel-guidance.html

  12. [12]

    Mironov, Rényi differential privacy, in: IEEE 30th Computer Security Foundations Symposium (CSF), 2017, pp

    I. Mironov, Rényi differential privacy, in: IEEE 30th Computer Security Foundations Symposium (CSF), 2017, pp. 263–275

  13. [13]

    Y.-X. Wang, B. Balle, S. P. Kasiviswanathan, Subsampled rényi differ- ential privacy and analytical moments accountant, in: The 22nd Inter- national Conference on Artificial Intelligence and Statistics, 2019

  14. [14]

    Kairouz, H

    P. Kairouz, H. B. McMahan, et al., Advances and open problems in federated learning, Foundations and Trends in Machine Learning 14 (1–

  15. [15]

    Steinke, M

    T. Steinke, M. Nasr, M. Jagielski, Privacy auditing with one (1) train- ing run, in: Advances in Neural Information Processing Systems 36, NeurIPS 2023, Neural Information Processing Systems Foundation, Inc. (NeurIPS), 2023, p. 49268–49280.doi:10.52202/075280-2143. URLhttp://dx.doi.org/10.52202/075280-2143 35

  16. [16]

    Keller, E

    M. Keller, E. Orsini, P. Scholl, Mascot: bounding vulnerabilities and errors in secure computation, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 830– 841

  17. [17]

    F. Mo, H. Haddadi, K. Katevas, E. Marin, D. Perino, N. Kourtellis, PPFL: Privacy-preserving federated learning with trusted execution en- vironments, in: Proceedings of the 19th Annual International Confer- ence on Mobile Systems, Applications, and Services (MobiSys), 2021

  18. [18]

    Zhang, J

    C. Zhang, J. Xia, B. Yang, H. Puyang, W. Wang, R. Chen, I. E. Akkus, P. Aditya, F. Yan, Citadel: Protecting data privacy and model confidentiality for collaborative learning, in: Proceedings of the ACM Symposium on Cloud Computing, SoCC ’21, ACM, 2021, p. 546–561. doi:10.1145/3472883.3486998. URLhttp://dx.doi.org/10.1145/3472883.3486998

  19. [19]

    Dwork, M

    C. Dwork, M. Naor, T. Pitassi, G. N. Rothblum, Differential privacy un- der continual observation, in: Proceedings of the 42nd ACM Symposium on Theory of Computing (STOC), 2010, pp. 715–724

  20. [20]

    T.-H. H. Chan, E. Shi, D. Song, Private and continual release of statis- tics, in: Proceedings of the 37th International Colloquium on Automata, Languages, and Programming (ICALP), 2010, pp. 405–417

  21. [21]

    Cummings, V

    R. Cummings, V. Feldman, A. McMillan, K. Talwar, Mean estimation with user-level privacy under data heterogeneity, in: Advances in Neural Information Processing Systems (NeurIPS), 2022

  22. [22]

    A. Cheu, A. Smith, J. Ullman, D. Zeber, M. Zhilyaev, Distributed differ- ential privacy via shuffling, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), 2019, pp. 375–403

  23. [23]

    Erlingsson, V

    Ú. Erlingsson, V. Feldman, I. Mironov, A. Raghunathan, K. Talwar, A. Thakurta, Amplification by shuffling: From local to central dif- ferential privacy via anonymity, in: Proceedings of the Thirtieth An- nual ACM-SIAM Symposium on Discrete Algorithms (SODA), 2019, pp. 2468–2479. 36

  24. [24]

    Damgård, V

    I. Damgård, V. Pastro, N. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in: Annual Cryptology Con- ference (CRYPTO), 2012, pp. 643–662

  25. [25]

    Sheng, C

    Y. Sheng, C. Zhang, Z. Zhu, H. Xu, J. Wen, R. Wang, J. Yang, Q. Wang, S. Bu, Power for ai data centers: Energy demand, grid im- pacts, challenges and perspectives, Energies 19 (3) (2026) 722.doi: 10.3390/en19030722. URLhttp://dx.doi.org/10.3390/en19030722

  26. [26]

    Dodge, T

    J. Dodge, T. Prewitt, R. Tachet des Combes, E. Odmark, R. Schwartz, E. Strubell, A. S. Luccioni, N. A. Smith, N. DeCario, W. Buchanan, Measuring the carbon intensity of AI in cloud instances, Proceedings of the ACM Conference on Fairness, Accountability, and Transparency (FAccT) (2022)

  27. [27]

    Power stabilization for ai training datacenters,

    E. Choukse, B. Warrier, S. Heath, L. Belmont, A. Zhao, H. A. Khan, B. Harry, M. Kappel, R. J. Hewett, K. Datta, Y. Pei, C. Lichtenberger, J. Siegler, D. Lukofsky, Z. Kahn, G. Sahota, A. Sullivan, C. Freder- ick, H. Thai, R. Naughton, D. Jurnove, J. Harp, R. Carper, N. Ma- halingam, S. Varkala, A. G. Kumbhare, S. Desai, V. Ramamurthy, P. Gottumukkala, G. B...

  28. [28]

    Bourdon, A

    A. Bourdon, A. Noureddine, R. Rouvoy, L. Seinturier, A preliminary study of the impact of software engineering on GreenIT, in: First In- ternational Workshop on Green and Sustainable Software (GREENS), 2012

  29. [29]

    rep., NVIDIA Corporation (2024)

    NVIDIA, NVIDIA GPU remote attestation and Reference Integrity Manifest (RIM) architecture, Tech. rep., NVIDIA Corporation (2024). URLhttps://docs.nvidia.com/nvtrust/ reference-integrity-manifest/ 37