EnclaveScale: Hardware-Assisted Edge-DP for Secure Data Centre Power Telemetry
Pith reviewed 2026-06-27 16:21 UTC · model grok-4.3
The pith
EnclaveScale uses hardware enclaves, DCAP attestation, and edge differential privacy to achieve zero post-extraction attack success on data center GPU power telemetry.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
EnclaveScale distils continuous GPU power transients into discrete Markov-chain transition matrices inside attested enclaves, applies differential privacy noise at the edge, and uses a Global Aggregation Enclave to verify DCAP proofs and perform capacity-weighted aggregation, resulting in event-level differential privacy, origin authentication, and 0% post-extraction attack success rate.
What carries the argument
The post-extraction pipeline of DCAP attestation, differential privacy noise injection, Byzantine rejection, and Markov-chain distillation into transition matrices, backed by an SPDM-authenticated first-mile layer and a Global Aggregation Enclave for proof verification.
If this is right
- Collaborative modeling of high-resolution generative AI power transients becomes possible across tenants without exposing sub-second anomalies.
- Malicious hosts cannot spoof sensor inputs once the attestation and first-mile layer are in place.
- Event-level differential privacy is guaranteed locally before any global aggregation occurs.
- Steady-state throughput reaches 131,406 samples per second per enclave with attestation overhead amortized to 0.23 microseconds per sample.
- Dynamic multi-tenant power orchestration can proceed with a measured margin error of 1.3 MW.
Where Pith is reading between the lines
- The same local distillation and attestation pattern could apply to other high-frequency sensor streams such as network or thermal telemetry.
- As PCIe IDE and TDISP hardware matures, the proposed SPDM layer may become unnecessary for the first-mile protection.
- Spatial dilution across more tenants during global aggregation could further reduce the risk of inferring macro-workload patterns.
- The Markov-chain representation might serve as a general template for turning other continuous time-series data into privacy-preserving discrete models.
Load-bearing premise
DCAP attestation together with the SPDM first-mile layer must prevent host-level synthesis of sensor inputs, and the Markov-chain distillation must retain enough fidelity for accurate generative-AI transient modeling while still providing event-level differential privacy.
What would settle it
A demonstrated successful spoofing of attested sensor inputs on the evaluated 32-VM pipeline, or a measured loss of transient-modeling accuracy below the level needed for the reported 1.3 MW orchestration margin, would falsify the central claims.
Figures
read the original abstract
EnclaveScale is a distributed, hardware-assisted telemetry architecture providing post-extraction attestation, enabling operators to collaboratively model high-resolution generative AI power transients. Existing cryptographic techniques scale poorly for 10-Hz streaming or fail to authenticate origins, permitting malicious hosts to spoof sensor inputs. We implement and evaluate a post-extraction pipeline utilizing DCAP attestation, differential privacy noise injection, and Byzantine rejection across 32 GCP Confidential VMs, achieving 0\% post-extraction attack success rate. This edge-DP approach distils continuous GPU transients into discrete Markov-chain transition matrices, guaranteeing event-level differential privacy. To mitigate pre-ingestion vulnerabilities, we propose an SPDM-authenticated first-mile layer. While current platforms lack attested I/O, emerging hardware architectures integrate PCIe IDE and TDISP to natively prevent host-level synthesis, securing the end-to-end provenance boundary. A Global Aggregation Enclave verifies these cryptographic proofs prior to capacity-weighted aggregation. Evaluation demonstrates a steady-state throughput of $131{,}406$ samples/s per enclave, amortising attestation overhead to $0.23\,\mu$s/sample. On empirical NVML-sampled H100, A100, and L4 traces, EnclaveScale achieves a dynamic orchestration margin error of $1.3$\,MW compared to $0.1$\,MW for an honest-aggregator central-DP baseline. EnclaveScale establishes a secure foundation for dynamic multi-tenant power orchestration, obfuscating sub-second anomalies locally and protecting macro-workload confidentiality via spatial dilution during global aggregation.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents EnclaveScale, a distributed hardware-assisted telemetry system for secure data-center power monitoring. It implements a post-extraction pipeline using DCAP attestation, differential privacy noise injection, and Byzantine rejection across 32 GCP Confidential VMs, reporting 0% post-extraction attack success, 131406 samples/s throughput per enclave, and 1.3 MW dynamic orchestration error on NVML traces from H100/A100/L4 GPUs. The system distills GPU power transients into Markov-chain matrices for event-level DP; an SPDM-authenticated first-mile layer is proposed (but not implemented) to address pre-ingestion host spoofing, with future PCIe IDE/TDISP noted as enabling native attestation.
Significance. If the security and accuracy claims hold under full end-to-end evaluation, the work supplies a concrete architecture for privacy-preserving collaborative modeling of AI workload power transients at 10 Hz scale, a setting where existing cryptographic methods are stated to scale poorly. The empirical evaluation on production GPU traces and the explicit throughput/amortized attestation numbers constitute a practical contribution if the methodology details support verification.
major comments (1)
- [Abstract / Evaluation] Abstract and Evaluation section: the 0% post-extraction attack success rate is demonstrated only for the implemented pipeline after sensor data have already been extracted; the SPDM first-mile layer required to prevent host-level synthesis of NVML inputs is described as a proposal only, with the text noting that current platforms lack attested I/O. Consequently the central end-to-end provenance claim rests on an untested component whose correctness is not empirically verified.
minor comments (2)
- [Results] The 1.3 MW orchestration error is reported without accompanying workload characterization, confidence intervals, or comparison under the same privacy budget as the central-DP baseline, making it difficult to assess whether the accuracy/privacy trade-off is acceptable.
- [Evaluation] Throughput and attestation-overhead figures (131406 samples/s, 0.23 μs/sample) are stated as steady-state values without variance, number of runs, or data-exclusion rules, limiting reproducibility assessment.
Simulated Author's Rebuttal
We thank the referee for the careful analysis and for identifying the need to more sharply delineate the implemented post-extraction pipeline from the proposed first-mile layer. We address the comment below and will revise the manuscript accordingly.
read point-by-point responses
-
Referee: [Abstract / Evaluation] Abstract and Evaluation section: the 0% post-extraction attack success rate is demonstrated only for the implemented pipeline after sensor data have already been extracted; the SPDM first-mile layer required to prevent host-level synthesis of NVML inputs is described as a proposal only, with the text noting that current platforms lack attested I/O. Consequently the central end-to-end provenance claim rests on an untested component whose correctness is not empirically verified.
Authors: We agree that the reported 0% attack success rate applies exclusively to the implemented post-extraction pipeline (DCAP attestation, edge-DP Markov-chain noise injection, and Byzantine rejection) evaluated on the 32 GCP Confidential VMs. The manuscript already states that the SPDM first-mile layer is a proposal because 'current platforms lack attested I/O' and that native support will arrive via PCIe IDE/TDISP. No empirical verification is provided or claimed for the un-implemented first-mile component. The end-to-end provenance discussion is therefore conditional on future hardware rather than an assertion of current full-stack security. To eliminate any ambiguity, we will revise the abstract to foreground the qualifier '0% post-extraction attack success rate' and add an explicit sentence in the Evaluation section restating the scope of the empirical results and the status of the first-mile proposal. revision: yes
Circularity Check
No significant circularity
full rationale
The paper describes a systems implementation and empirical evaluation of a telemetry pipeline using DCAP attestation, DP noise, and Byzantine rejection. No equations, derivations, fitted parameters, or predictions are presented that reduce to their own inputs by construction. The 0% attack success rate is an empirical measurement on 32 VMs for the post-extraction stage only; the proposed SPDM first-mile layer is explicitly noted as unimplemented. No self-citations, ansatzes, or uniqueness theorems are invoked in a load-bearing way. The work is self-contained as a performance and security evaluation report rather than a closed-form derivation.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption DCAP attestation correctly verifies enclave state and prevents post-extraction tampering
- domain assumption Markov-chain transition matrices plus DP noise guarantee event-level differential privacy for power transients
Reference graph
Works this paper leans on
-
[1]
R. Vercellino, J. Willard, G. Campos, W. d. S. Pereira, O. Hull, M. Selensky, J. Mueller, Measurement of generative ai workload power profiles for whole-facility data center infrastructure planning (2026). doi:10.48550/ARXIV.2604.07345. URLhttps://arxiv.org/abs/2604.07345
work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2604.07345 2026
-
[2]
Keller, MP-SPDZ: A versatile framework for multi-party computa- tion, in: Proceedings of the 2020 ACM SIGSAC Conference on Com- puter and Communications Security, 2020, pp
M. Keller, MP-SPDZ: A versatile framework for multi-party computa- tion, in: Proceedings of the 2020 ACM SIGSAC Conference on Com- puter and Communications Security, 2020, pp. 1575–1590
2020
-
[3]
Bonawitz, V
K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, K. Seth, Practical secure aggregation for privacy-preserving machine learning, in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 1175–1191
2017
-
[4]
D. A. P. 0001, J. G. 0001, Q. V. Le, C. Liang, L.-M. Munguia, D. Rothchild, D. R. So, M. Texier, J. Dean, Carbon emissions and large neural network training., CoRR (2021)
2021
-
[5]
rep., Intel Corpora- tion (2023)
Intel, Intel trust domain extensions (TDX), Tech. rep., Intel Corpora- tion (2023). URLhttps://www.intel.com/content/www/us/en/developer/ articles/technical/intel-trust-domain-extensions.html
2023
-
[6]
Distributed Management Task Force (DMTF), Security protocol and data model (spdm) specification, version 1.2.1 (dsp0274), Tech. rep. (2023). URLhttps://www.dmtf.org/dsp/DSP0274 34
2023
-
[7]
Balle, Y.-X
B. Balle, Y.-X. W. 0003, Improving the gaussian mechanism for dif- ferential privacy: Analytical calibration and optimal denoising., ICML (2018)
2018
-
[8]
Dwork, Differential privacy: A survey of results, Theory and Appli- cations of Models of Computation (2008) 1–19
C. Dwork, Differential privacy: A survey of results, Theory and Appli- cations of Models of Computation (2008) 1–19
2008
-
[9]
Paulin, Concentration inequalities for markov chains by martingale methods, Electronic Journal of Probability 20 (2015) 1–32
D. Paulin, Concentration inequalities for markov chains by martingale methods, Electronic Journal of Probability 20 (2015) 1–32
2015
-
[10]
Intel Corporation, Intel trust domain extensions (Intel TDX) module advisory, Tech. Rep. INTEL-SA-00837, Intel Security Center (2024). URLhttps://www.intel.com/content/www/us/en/ security-center/advisory/intel-sa-00837.html
2024
-
[11]
Intel Corporation, Frequency throttling side channel guidance, Intel Security Advisory INTEL-SA-00698; software guidance for mitigating frequency-based timing side channels on Sapphire Rapids and later. (2022). URLhttps://www.intel.com/content/ www/us/en/developer/articles/technical/ frequency-throttling-side-channel-guidance.html
2022
-
[12]
Mironov, Rényi differential privacy, in: IEEE 30th Computer Security Foundations Symposium (CSF), 2017, pp
I. Mironov, Rényi differential privacy, in: IEEE 30th Computer Security Foundations Symposium (CSF), 2017, pp. 263–275
2017
-
[13]
Y.-X. Wang, B. Balle, S. P. Kasiviswanathan, Subsampled rényi differ- ential privacy and analytical moments accountant, in: The 22nd Inter- national Conference on Artificial Intelligence and Statistics, 2019
2019
-
[14]
Kairouz, H
P. Kairouz, H. B. McMahan, et al., Advances and open problems in federated learning, Foundations and Trends in Machine Learning 14 (1–
-
[15]
T. Steinke, M. Nasr, M. Jagielski, Privacy auditing with one (1) train- ing run, in: Advances in Neural Information Processing Systems 36, NeurIPS 2023, Neural Information Processing Systems Foundation, Inc. (NeurIPS), 2023, p. 49268–49280.doi:10.52202/075280-2143. URLhttp://dx.doi.org/10.52202/075280-2143 35
-
[16]
Keller, E
M. Keller, E. Orsini, P. Scholl, Mascot: bounding vulnerabilities and errors in secure computation, in: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 830– 841
2016
-
[17]
F. Mo, H. Haddadi, K. Katevas, E. Marin, D. Perino, N. Kourtellis, PPFL: Privacy-preserving federated learning with trusted execution en- vironments, in: Proceedings of the 19th Annual International Confer- ence on Mobile Systems, Applications, and Services (MobiSys), 2021
2021
-
[18]
C. Zhang, J. Xia, B. Yang, H. Puyang, W. Wang, R. Chen, I. E. Akkus, P. Aditya, F. Yan, Citadel: Protecting data privacy and model confidentiality for collaborative learning, in: Proceedings of the ACM Symposium on Cloud Computing, SoCC ’21, ACM, 2021, p. 546–561. doi:10.1145/3472883.3486998. URLhttp://dx.doi.org/10.1145/3472883.3486998
-
[19]
Dwork, M
C. Dwork, M. Naor, T. Pitassi, G. N. Rothblum, Differential privacy un- der continual observation, in: Proceedings of the 42nd ACM Symposium on Theory of Computing (STOC), 2010, pp. 715–724
2010
-
[20]
T.-H. H. Chan, E. Shi, D. Song, Private and continual release of statis- tics, in: Proceedings of the 37th International Colloquium on Automata, Languages, and Programming (ICALP), 2010, pp. 405–417
2010
-
[21]
Cummings, V
R. Cummings, V. Feldman, A. McMillan, K. Talwar, Mean estimation with user-level privacy under data heterogeneity, in: Advances in Neural Information Processing Systems (NeurIPS), 2022
2022
-
[22]
A. Cheu, A. Smith, J. Ullman, D. Zeber, M. Zhilyaev, Distributed differ- ential privacy via shuffling, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), 2019, pp. 375–403
2019
-
[23]
Erlingsson, V
Ú. Erlingsson, V. Feldman, I. Mironov, A. Raghunathan, K. Talwar, A. Thakurta, Amplification by shuffling: From local to central dif- ferential privacy via anonymity, in: Proceedings of the Thirtieth An- nual ACM-SIAM Symposium on Discrete Algorithms (SODA), 2019, pp. 2468–2479. 36
2019
-
[24]
Damgård, V
I. Damgård, V. Pastro, N. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in: Annual Cryptology Con- ference (CRYPTO), 2012, pp. 643–662
2012
-
[25]
Y. Sheng, C. Zhang, Z. Zhu, H. Xu, J. Wen, R. Wang, J. Yang, Q. Wang, S. Bu, Power for ai data centers: Energy demand, grid im- pacts, challenges and perspectives, Energies 19 (3) (2026) 722.doi: 10.3390/en19030722. URLhttp://dx.doi.org/10.3390/en19030722
-
[26]
Dodge, T
J. Dodge, T. Prewitt, R. Tachet des Combes, E. Odmark, R. Schwartz, E. Strubell, A. S. Luccioni, N. A. Smith, N. DeCario, W. Buchanan, Measuring the carbon intensity of AI in cloud instances, Proceedings of the ACM Conference on Fairness, Accountability, and Transparency (FAccT) (2022)
2022
-
[27]
Power stabilization for ai training datacenters,
E. Choukse, B. Warrier, S. Heath, L. Belmont, A. Zhao, H. A. Khan, B. Harry, M. Kappel, R. J. Hewett, K. Datta, Y. Pei, C. Lichtenberger, J. Siegler, D. Lukofsky, Z. Kahn, G. Sahota, A. Sullivan, C. Freder- ick, H. Thai, R. Naughton, D. Jurnove, J. Harp, R. Carper, N. Ma- halingam, S. Varkala, A. G. Kumbhare, S. Desai, V. Ramamurthy, P. Gottumukkala, G. B...
-
[28]
Bourdon, A
A. Bourdon, A. Noureddine, R. Rouvoy, L. Seinturier, A preliminary study of the impact of software engineering on GreenIT, in: First In- ternational Workshop on Green and Sustainable Software (GREENS), 2012
2012
-
[29]
rep., NVIDIA Corporation (2024)
NVIDIA, NVIDIA GPU remote attestation and Reference Integrity Manifest (RIM) architecture, Tech. rep., NVIDIA Corporation (2024). URLhttps://docs.nvidia.com/nvtrust/ reference-integrity-manifest/ 37
2024
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.