Inferensys

Glossary

Privacy-Preserving Machine Learning

This pillar covers cryptographic techniques, including differential privacy and homomorphic encryption, that allow models to train on sensitive data without exposing the underlying records to unauthorized access.
MLOps engineer reviewing model serving infrastructure on laptop, container orchestration visible, technical workspace.
Glossary

Differential Privacy Mechanisms

Terms related to the mathematical frameworks and noise-injection algorithms that provide provable privacy guarantees for individual records in a dataset. Target: CTOs and data scientists implementing formal privacy budgets.

Epsilon-Differential Privacy (ε-DP)

A mathematical framework providing a provable guarantee that the output of a computation is nearly indistinguishable whether or not any single individual's data is included, parameterized by the privacy loss parameter epsilon (ε).

(ε, δ)-Differential Privacy

A relaxed definition of differential privacy that allows a small probability delta (δ) of the strict epsilon guarantee being violated, enabling the use of more efficient mechanisms like the Gaussian mechanism.

Privacy Budget

A finite, quantifiable resource representing the total allowable privacy loss across all queries to a sensitive dataset, which is consumed with each analysis to enforce a global privacy guarantee.

Sensitivity

The maximum amount by which a query's output can change when a single record is added to or removed from a dataset, determining the scale of noise required to achieve differential privacy.

Laplace Mechanism

A fundamental differential privacy mechanism that achieves pure ε-differential privacy for numerical queries by adding random noise drawn from a Laplace distribution calibrated to the query's sensitivity.

Gaussian Mechanism

A differential privacy mechanism that adds noise from a Gaussian distribution, providing the relaxed (ε, δ)-differential privacy guarantee and enabling tighter composition under repeated queries.

Exponential Mechanism

A differential privacy mechanism for selecting a discrete output from a set of candidates, where the probability of selecting each candidate is exponentially proportional to its utility score and inversely proportional to its sensitivity.

Rényi Differential Privacy (RDP)

A privacy definition based on the Rényi divergence that provides tighter composition bounds than standard (ε, δ)-DP, enabling more accurate privacy accounting for iterative algorithms like DP-SGD.

Composition Theorem

A formal result quantifying how the total privacy loss accumulates when multiple differentially private mechanisms are applied to the same dataset, governing the sequential and parallel use of a privacy budget.

Privacy Amplification by Subsampling

A technique where the random selection of a subset of data before applying a differentially private mechanism provides a stronger privacy guarantee than applying the mechanism to the full dataset.

Local Differential Privacy (LDP)

A trust model where each individual perturbs their own data before sending it to an untrusted aggregator, ensuring that the raw data is never revealed to any external party.

Randomized Response

A classic survey technique and a foundational local differential privacy mechanism where a respondent answers a sensitive binary question truthfully only with a controlled probability, providing plausible deniability.

Differentially Private Stochastic Gradient Descent (DP-SGD)

A training algorithm that provides differential privacy for deep learning models by clipping per-example gradients and adding calibrated Gaussian noise during each step of stochastic gradient descent.

Moments Accountant

A privacy accounting method that tracks the moments of the privacy loss random variable to compute a tight bound on the total privacy loss of a composed mechanism, crucial for DP-SGD.

Private Aggregation of Teacher Ensembles (PATE)

A knowledge-distillation framework that trains a student model on the noisy, aggregated votes of an ensemble of teacher models, each trained on a disjoint partition of sensitive data, to achieve differential privacy.

Post-Processing Immunity

A fundamental property of differential privacy guaranteeing that any arbitrary computation applied to the output of a differentially private mechanism cannot weaken the privacy guarantee.

Neighboring Datasets

Two datasets that differ by the presence or absence of a single record, forming the basis for the differential privacy definition which requires that the output distributions on such datasets be indistinguishable.

Gaussian Differential Privacy (GDP)

A privacy framework that characterizes the privacy guarantee of a mechanism using a trade-off function between Type I and Type II errors in a hypothesis testing problem, providing a tight and operational interpretation of privacy loss.

Privacy Loss Distribution

The probability distribution of the privacy loss random variable, which fully characterizes the privacy properties of a mechanism and enables tight numerical composition through methods like Fourier accounting.

Sparse Vector Technique

A differential privacy mechanism that efficiently answers a stream of threshold queries by only releasing noisy answers for queries that exceed a dynamically calibrated, noisy threshold, conserving privacy budget.

User-Level Privacy

A granularity of differential privacy that protects all records belonging to a single user, ensuring that the inclusion or exclusion of a user's entire contribution does not significantly change the output of a computation.

Differentially Private Synthetic Data

Artificially generated data that is produced by a differentially private algorithm, preserving the statistical properties of the original sensitive dataset while providing a formal privacy guarantee against record re-identification.

Objective Perturbation

A differentially private optimization technique that adds calibrated noise directly to the objective function of a learning algorithm before minimization, rather than to the final output or gradients.

Shuffle Model

A distributed privacy model where a trusted shuffler randomly permutes locally randomized reports from users before they reach the analyzer, amplifying the local privacy guarantee through anonymity.

Privacy Odometers

A mechanism for tracking and enforcing a pre-defined privacy budget in an online, adaptive setting, halting further queries once the cumulative privacy loss reaches a specified limit.

f-Differential Privacy (f-DP)

A hypothesis-testing-based generalization of differential privacy that characterizes a mechanism by its trade-off function, which maps any false positive rate to the smallest achievable false negative rate in a membership inference attack.

Discrete Gaussian Mechanism

A differential privacy mechanism that adds noise from a discrete Gaussian distribution, essential for implementations requiring integer-valued outputs and exact arithmetic to avoid floating-point vulnerabilities.

Membership Inference Attack

An attack where an adversary attempts to determine whether a specific record was included in the training dataset of a model, serving as a key empirical metric for auditing the privacy leakage of machine learning algorithms.

Geo-Indistinguishability

A formal extension of differential privacy to location-based services, guaranteeing that a user's precise location is indistinguishable from nearby locations within a specified radius, parameterized by a distance metric.

Pan-Privacy

A stronger privacy definition that requires the internal state of the algorithm to be differentially private in addition to its outputs, protecting against an adversary who can observe snapshots of the algorithm's memory.

Glossary

Homomorphic Encryption for ML

Terms related to cryptographic schemes that allow computation directly on encrypted data, enabling private inference and training without exposing raw inputs. Target: Security architects and machine learning engineers.

Fully Homomorphic Encryption (FHE)

A cryptographic scheme that enables arbitrary computation directly on encrypted data, producing an encrypted result that decrypts to the same output as if the operations were performed on the plaintext.

Partially Homomorphic Encryption (PHE)

A cryptographic scheme that supports only a single type of operation—either addition or multiplication—on ciphertexts, enabling specific privacy-preserving computations like encrypted aggregation.

Somewhat Homomorphic Encryption (SWHE)

A cryptographic scheme capable of evaluating a limited number of both addition and multiplication operations on encrypted data before the inherent noise corrupts the ciphertext and prevents correct decryption.

Leveled Fully Homomorphic Encryption

A variant of homomorphic encryption that can evaluate circuits of a predetermined multiplicative depth without bootstrapping, requiring the computational complexity to be known in advance.

Lattice-Based Cryptography

A post-quantum cryptographic paradigm that bases security on the hardness of mathematical problems involving high-dimensional lattices, serving as the foundational structure for most modern homomorphic encryption schemes.

Ring Learning With Errors (RLWE)

A computational hardness assumption over polynomial rings that underpins the security of efficient lattice-based homomorphic encryption schemes by relying on the difficulty of solving noisy linear equations.

CKKS Scheme

A homomorphic encryption scheme optimized for approximate fixed-point arithmetic on real numbers, making it the preferred choice for privacy-preserving machine learning inference where exact precision is not required.

BFV Scheme

A homomorphic encryption scheme designed for exact integer arithmetic, enabling precise modular computations on encrypted data and commonly used in applications requiring discrete logic.

TFHE Scheme

A fast fully homomorphic encryption scheme that evaluates individual binary gates on encrypted bits via blind rotation, enabling programmable bootstrapping and efficient evaluation of arbitrary functions.

Noise Budget

The finite amount of cryptographic noise a ciphertext can tolerate before decryption fails, consumed by each homomorphic operation and requiring careful management through bootstrapping or modulus switching.

Bootstrapping

A computationally intensive procedure that refreshes a ciphertext's noise budget by homomorphically evaluating the decryption circuit, enabling unlimited computation in fully homomorphic encryption.

Programmable Bootstrapping

An extension of the bootstrapping operation in TFHE that simultaneously resets the noise budget and evaluates a lookup table function on the encrypted data, enabling arbitrary function evaluation in a single step.

Relinearization

A key-switching technique that reduces the size of a ciphertext after a homomorphic multiplication, preventing quadratic growth in ciphertext dimensions and maintaining computational efficiency.

Modulus Switching

A noise management technique that scales down the ciphertext modulus to proportionally reduce the absolute noise, effectively extending the noise budget without executing a full bootstrapping operation.

Rescaling

The CKKS-specific operation that divides the ciphertext by a scaling factor after multiplication to maintain a stable scale and manage noise, analogous to truncating floating-point precision.

SIMD Packing

A technique that encodes multiple plaintext values into a single ciphertext using the Chinese Remainder Theorem, enabling parallel homomorphic operations and amortizing computational cost across data vectors.

Ciphertext Expansion

The ratio of the size of an encrypted data element to its original plaintext size, a critical performance metric for homomorphic encryption that directly impacts storage and communication overhead.

IND-CPA Security

Indistinguishability under Chosen-Plaintext Attack, the standard semantic security guarantee for homomorphic encryption schemes ensuring that ciphertexts reveal no information about the underlying plaintext.

Post-Quantum Cryptography

Cryptographic algorithms designed to remain secure against attacks from both classical and large-scale quantum computers, a category that encompasses lattice-based homomorphic encryption schemes.

Encrypted Inference

The process of evaluating a pre-trained machine learning model on encrypted input data to produce an encrypted prediction, ensuring the client's query remains private from the server hosting the model.

Polynomial Approximation

The mathematical technique of replacing non-linear functions like sigmoid or ReLU with low-degree polynomials, enabling their evaluation within homomorphic encryption schemes that natively support only addition and multiplication.

Multi-Party FHE

An extension of fully homomorphic encryption where the decryption key is distributed among multiple parties, requiring a threshold of them to collaborate to decrypt the final result.

Circuit Privacy

A security property ensuring that the output of a homomorphic evaluation reveals no information about the evaluated function itself, protecting proprietary model architectures during encrypted inference.

Homomorphic Encryption Standardization

An ongoing community effort to establish common security parameters, API specifications, and benchmark standards for homomorphic encryption schemes to promote interoperability and industry adoption.

Transpiler

A compiler tool that automatically converts a high-level program or neural network description into an optimized homomorphic encryption circuit, abstracting away the low-level cryptographic complexities.

Glossary

Secure Multi-Party Computation

Terms related to cryptographic protocols that distribute computation across multiple parties while keeping each party's input private. Target: Cryptographers and engineers building collaborative analytics systems.

Secret Sharing

A cryptographic method for distributing a secret among a group of participants, each receiving a share, where only a qualified subset can reconstruct the original secret.

Garbled Circuits

A cryptographic protocol, introduced by Andrew Yao, that enables two parties to jointly evaluate a boolean circuit over their private inputs without revealing those inputs to each other.

Oblivious Transfer (OT)

A fundamental cryptographic primitive where a sender transmits one of potentially many pieces of information to a receiver, but remains oblivious to which piece was selected.

Beaver Triples

Pre-computed, secret-shared multiplication triples used in secure multi-party computation to enable efficient, non-interactive multiplication of secretly shared values.

SPDZ Protocol

A family of maliciously secure multi-party computation protocols that uses message authentication codes (MACs) to detect cheating and is highly efficient for arithmetic circuits in the preprocessing model.

Threshold Cryptography

A branch of cryptography where cryptographic operations, such as decryption or signing, require a minimum threshold of participants to collaborate, eliminating single points of failure.

Verifiable Secret Sharing (VSS)

An enhancement of secret sharing where a dealer distributes shares of a secret and provides a proof that allows participants to verify the consistency and validity of their shares without revealing the secret itself.

Universal Composability

A strong security framework for analyzing cryptographic protocols, ensuring that a protocol remains secure even when arbitrarily composed with other protocols or run as a component of a larger system.

Free-XOR Optimization

A technique in garbled circuits that allows XOR gates to be evaluated without any cryptographic operations or associated ciphertexts, significantly reducing computation and communication costs.

Oblivious Transfer Extension

A protocol that efficiently extends a small number of base oblivious transfers into a large number of OTs using only fast symmetric-key cryptography, dramatically improving performance.

Private Information Retrieval (PIR)

A protocol that allows a client to retrieve an item from a database held by a server without the server learning which item was accessed.

Function Secret Sharing (FSS)

A method for splitting a function into compact secret shares that can be evaluated independently, enabling secure two-party computation with minimal communication for specific function classes like distributed point functions.

Secure Aggregation

A class of protocols that allows a central server to compute the sum of model updates from multiple clients in a federated learning setting without inspecting any individual client's contribution.

Private Set Intersection (PSI)

A cryptographic protocol that allows two or more parties to compute the intersection of their private datasets without revealing any elements outside the intersection to the other parties.

Oblivious RAM (ORAM)

A cryptographic technique that hides the access pattern (which memory locations are read or written) of a program from an observer, preventing data leakage through memory access side-channels.

MPC-Based Inference

The process of running a trained machine learning model for prediction on private input data using secure multi-party computation, ensuring that neither the model nor the input is revealed to the computing parties.

Secure Matrix Multiplication

A cryptographic protocol that computes the product of two matrices held by different parties without revealing the individual matrix values to the other party.

Split Learning

A distributed deep learning paradigm where a neural network is partitioned between a client and a server, with the client processing initial layers on raw data and only sending intermediate activations (smashed data) to the server.

Secure Decision Trees

Protocols that allow multiple parties to collaboratively train or evaluate a decision tree model on their combined private datasets without exposing the underlying data.

Secure Stochastic Gradient Descent

A privacy-preserving implementation of the SGD optimization algorithm using cryptographic techniques like secret sharing to compute weight updates from distributed private data without revealing the data.

DReLU Protocol

A secure multi-party computation protocol for evaluating the derivative of the Rectified Linear Unit (ReLU) activation function, a critical and costly operation in private neural network inference.

Crypten

A PyTorch-based framework developed by Meta for secure and privacy-preserving machine learning that implements secure multi-party computation primitives to allow training and inference on encrypted data.

MP-SPDZ

A versatile open-source software framework for benchmarking and running a wide variety of secure multi-party computation protocols, supporting both arithmetic and boolean circuits with different security guarantees.

Secure Federated Averaging

An extension of the Federated Averaging (FedAvg) algorithm that incorporates secure aggregation protocols to protect the privacy of individual client model updates during the global model update step.

Distributed Differential Privacy

A model of differential privacy where noise is generated and added to a computation's output by multiple parties in a distributed manner using secure multi-party computation, without any single party learning the noise value.

Secure Genotype Imputation

The application of secure multi-party computation to statistically infer unobserved genetic variants in a study cohort by referencing a private haplotype reference panel without exposing either dataset.

Secure Polygenic Risk Score

A privacy-preserving protocol for calculating an individual's genetic susceptibility to a disease by securely combining their genomic data with a proprietary model of aggregated variant effects.

Secure GWAS

The use of secure multi-party computation to perform genome-wide association studies across distributed, private genomic datasets, identifying genetic variants linked to traits without pooling sensitive data.

Secure Survival Analysis

Privacy-preserving statistical methods, such as the Cox proportional hazards model, implemented via MPC to analyze time-to-event data across multiple institutions without sharing patient-level records.

Secure Cohort Discovery

A protocol enabling researchers to query distributed clinical databases to identify the number of patients matching specific criteria for a clinical trial, without revealing individual patient data.

Glossary

Federated Learning Architectures

Terms related to decentralized training paradigms where models learn across distributed devices or silos without centralizing raw data. Target: CTOs and ML platform architects in regulated industries.

Cross-Silo Federated Learning

A federated learning topology where a small number of reliable, institutional clients (e.g., hospitals or banks) with substantial compute resources collaboratively train a model without centralizing sensitive data.

Cross-Device Federated Learning

A federated learning topology designed for massive, heterogeneous populations of unreliable edge devices (e.g., smartphones or IoT sensors) with limited compute and intermittent connectivity.

Federated Averaging (FedAvg)

The foundational federated optimization algorithm that combines local stochastic gradient descent (SGD) on clients with iterative server-side model averaging to reduce communication rounds.

FedProx

A federated optimization framework that introduces a proximal term to stabilize local training and handle statistical and systems heterogeneity across non-identical client distributions.

Non-IID Data

A data distribution scenario in federated learning where local client datasets are not independently and identically distributed, leading to significant statistical heterogeneity and client drift.

Vertical Federated Learning

A federated learning paradigm where participants hold different feature spaces for the same sample population, requiring entity alignment and privacy-preserving feature intersection to train a joint model.

Horizontal Federated Learning

A federated learning paradigm where participants share the same feature space but hold different sample populations, enabling collaborative training on wider datasets without sharing raw records.

Federated Transfer Learning

A technique that applies transfer learning to federated settings, enabling knowledge transfer across parties with distinct feature and sample spaces where neither horizontal nor vertical partitioning applies.

Split Learning

A privacy-preserving distributed training architecture where a deep network is cut at a specific layer, with the initial layers trained on the client and the remaining layers trained on a server without sharing raw data.

Client Drift

The divergence of local model updates from the global optimum caused by heterogeneous, non-IID data distributions across clients, leading to unstable or slow convergence in federated optimization.

Gradient Compression

A communication efficiency technique that reduces the bandwidth required for federated updates by applying lossy compression methods such as quantization or sparsification to model gradients before transmission.

Quantization

A model compression technique that reduces the numerical precision of weights or gradients (e.g., from 32-bit floats to 8-bit integers) to decrease communication overhead and inference latency in federated systems.

Sparsification

A gradient compression method that transmits only a subset of significant gradient elements while zeroing out the rest, drastically reducing communication payloads in distributed training.

Knowledge Distillation

A model compression technique where a smaller 'student' model is trained to replicate the behavior of a larger 'teacher' model, often used in federated settings to aggregate heterogeneous local models.

Model Personalization

A federated learning strategy that fine-tunes a globally shared model on local client data to adapt to individual user preferences while still benefiting from broad collaborative training.

Federated Meta-Learning

A framework that combines meta-learning with federated optimization to train a global model that can rapidly adapt to new, unseen client distributions with only a few local gradient steps.

Hierarchical Federated Learning

A multi-tier architecture that introduces intermediate edge aggregators between clients and the central cloud server to reduce latency and communication bottlenecks in large-scale deployments.

Edge Aggregation

The process of performing intermediate model averaging at edge nodes or base stations before sending updates to a central server, reducing wide-area network traffic in hierarchical federated systems.

Client Selection

The scheduling mechanism that determines which subset of available devices participates in a federated training round, balancing statistical efficiency against system constraints like battery life and bandwidth.

Straggler Mitigation

Techniques designed to handle slow or unresponsive clients in synchronous federated rounds, including asynchronous updates, coded computation, or dropping stragglers to prevent training bottlenecks.

Communication Efficiency

The optimization objective in federated learning focused on minimizing the number of bits transmitted between clients and the server to reduce latency, energy consumption, and monetary costs.

Decentralized Federated Learning

A peer-to-peer federated topology that eliminates the central aggregation server, relying on gossip protocols or blockchain consensus to share model updates directly between participating nodes.

Gossip Learning

A fully decentralized learning protocol where nodes exchange and average models directly with randomly selected peers in a peer-to-peer network without a central coordinator.

Federated Analytics

The application of federated computation principles to generate aggregate statistics and insights from decentralized raw data without collecting or inspecting individual records on a central server.

On-Device Training

The process of performing local model optimization directly on edge hardware using locally stored data, enabling personalization and privacy before sharing only abstracted updates with a federated server.

Continual Federated Learning

A training paradigm where a federated model learns sequentially from a stream of non-stationary client data over time, mitigating catastrophic forgetting while preserving privacy across evolving distributions.

Catastrophic Forgetting

The tendency of a neural network to abruptly overwrite previously learned knowledge upon training on new data distributions, a critical challenge in sequential and continual federated learning scenarios.

Federated Foundation Model

A large-scale pre-trained model collaboratively trained across decentralized data silos using federated optimization, combining the generalization power of foundation models with data locality requirements.

Parameter-Efficient Fine-Tuning (PEFT)

A set of adaptation methods that update only a small subset of model parameters or lightweight adapters, enabling efficient on-device personalization of large models in federated settings.

Federated Fairness

The algorithmic objective of ensuring that a collaboratively trained federated model performs equitably across diverse client populations, preventing performance disparities for underrepresented data distributions.

Glossary

Trusted Execution Environments

Terms related to hardware-enforced isolated compute enclaves that protect data and models during active processing. Target: Infrastructure architects and security engineers deploying confidential computing.

Trusted Execution Environment (TEE)

A secure area of a main processor that guarantees code and data loaded inside is protected with respect to confidentiality and integrity, isolating it from the host operating system.

Confidential Computing

A hardware-based security paradigm that protects data in use by performing computation within a hardware-enforced Trusted Execution Environment, shielding sensitive workloads from the cloud provider and other tenants.

Attestation

The cryptographic process by which a Trusted Execution Environment proves its identity, integrity, and security posture to a remote relying party before that party provisions secrets or trusts the enclave's outputs.

Intel SGX

A set of security instruction codes built into Intel processors that allows user-level code to allocate private regions of memory, called enclaves, protected from processes running at higher privilege levels.

Intel TDX

A hardware-isolated, virtual machine-level Trusted Execution Environment that extends Confidential Computing to entire virtual machines, enabling lift-and-shift migration of legacy workloads without code modification.

AMD SEV-SNP

An advanced hardware security feature that encrypts virtual machine memory and adds strong integrity protection to prevent malicious hypervisor-based attacks like data replay and memory remapping.

ARM CCA

A hardware architecture that introduces dynamically created, hardware-backed address spaces called Realms to protect sensitive data and code from the hypervisor and other virtual machines.

Enclave

A hardware-isolated memory region within a processor that protects application code and data from inspection or modification by any software outside the enclave, including the operating system.

Remote Attestation

A protocol enabling a Trusted Execution Environment on one machine to prove its identity and software integrity to a remote verifier, establishing a cryptographic trust anchor for distributed confidential workloads.

Data Sealing

A mechanism that cryptographically binds data to a specific enclave's identity and security version, allowing the enclave to securely persist secrets to untrusted storage and retrieve them only on the same platform.

Trusted Computing Base (TCB)

The set of all hardware, firmware, and software components critical to a system's security; a bug or vulnerability in any TCB component can compromise the entire system's security guarantees.

Side-Channel Attack

A non-invasive attack that exploits physical information leakage—such as timing, power consumption, or electromagnetic emissions—from a computing device to extract secrets from a theoretically secure enclave.

ECALL

A controlled entry point that allows untrusted application code to invoke a trusted function inside an enclave, forming the strictly defined interface between the protected and unprotected execution environments.

OCALL

A controlled exit function that allows an enclave to temporarily transfer execution to the untrusted host application to make necessary system calls, returning results to the protected environment.

Confidential VM

A full virtual machine instance running inside a hardware-backed Trusted Execution Environment, encrypting its entire memory space to protect against unauthorized access from the hypervisor or cloud operator.

Confidential Container

A containerized workload deployed within a hardware-enforced Trusted Execution Environment, combining the agility of containers with the data-in-use protection of Confidential Computing.

NVIDIA Confidential Computing

A hardware and firmware security architecture that extends Trusted Execution Environment protections to GPU-accelerated workloads, enabling secure AI training and inference on protected data.

Hardware Root of Trust

A physically immutable, tamper-resistant hardware module that serves as the foundational trust anchor for a computing platform, underpinning secure boot, attestation, and cryptographic key generation.

Trusted Platform Module (TPM)

A dedicated microcontroller designed to secure hardware through integrated cryptographic keys, providing functions for measured boot, remote attestation, and sealed storage for platform integrity.

Enclave Measurement

A cryptographic hash of the initial code, data, and configuration loaded into an enclave, serving as a unique, unforgeable fingerprint used during attestation to verify the enclave's precise software identity.

MRENCLAVE

A cryptographic hash value representing the exact identity of the code and initial data loaded into an Intel SGX enclave, used by verifiers to confirm the enclave is running the expected software.

MRSIGNER

A cryptographic hash of the public key used to sign an enclave's authorizing certificate, allowing attestation verifiers to establish trust based on the software vendor's identity rather than a specific code version.

DCAP

An Intel-provided attestation infrastructure that allows data center operators to run their own attestation services without relying on Intel's cloud-hosted service, enabling scalable, privacy-preserving verification.

Confidential AI

The application of Confidential Computing hardware to protect the confidentiality and integrity of machine learning models, training data, and inference inputs during active computation.

Private Inference

A machine learning serving paradigm where a client's input data and the server's model weights remain mutually confidential during the inference computation, typically enforced by a Trusted Execution Environment.

Model Protection

Techniques that safeguard the intellectual property of a trained machine learning model by encrypting its weights and architecture, ensuring they are only decrypted within a secure, attested enclave during inference.

Data-in-Use Protection

The security practice of encrypting data while it is actively being processed in memory, closing the final vulnerability gap left by protecting data at rest and in transit.

Runtime Encryption

The transparent, hardware-level encryption of a process's or virtual machine's entire memory space, ensuring that data remains encrypted even when loaded into RAM for active computation.

Enclave-Aware Orchestration

The extension of container orchestration platforms like Kubernetes to schedule, attest, and manage the lifecycle of workloads that require hardware-based Trusted Execution Environments.

Confidential Consortium Framework (CCF)

An open-source framework for building secure, highly available, and performant multi-party applications that leverage Trusted Execution Environments for tamper-proof, transparent governance.

Glossary

Model Inversion Defenses

Terms related to attacks that reconstruct training data from model parameters and the defensive techniques used to mitigate such extraction risks. Target: Security researchers and privacy engineers.

Model Inversion Attack

An attack that reconstructs representative samples of a target class or specific training data points by exploiting access to a trained model's parameters and confidence scores.

Gradient Inversion

A privacy attack that reconstructs the original input data used for training by analyzing the gradients shared during distributed learning processes like Federated Learning.

Deep Leakage from Gradients (DLG)

An iterative optimization algorithm that recovers pixel-accurate training images from shared gradients by minimizing the distance between dummy and actual gradients.

Feature Reconstruction

A class of attacks that inverts intermediate feature representations or embeddings back into the original input space to extract sensitive visual or textual information.

Confidence Score Masking

A defense mechanism that limits the information leaked by a model by truncating or rounding the prediction vector to return only the top-k class labels instead of full probability distributions.

Differential Privacy (DP)

A mathematical framework that provides provable privacy guarantees by injecting calibrated noise into the computation, ensuring the output distribution is nearly identical whether or not a single individual's data is included.

DP-SGD

Differentially Private Stochastic Gradient Descent, a training algorithm that bounds the influence of individual training examples by clipping per-sample gradients and adding Gaussian noise to the aggregated gradient.

Privacy Budget (Epsilon)

A quantifiable metric, denoted by epsilon, that measures the degree of privacy loss in a differential privacy mechanism; a lower epsilon indicates a stronger privacy guarantee.

Membership Inference Attack (MIA)

An attack that determines whether a specific data record was part of a model's training set by analyzing the model's prediction behavior on that record.

Prediction Vector

The output vector of a classifier, often a softmax layer, containing the confidence scores for each class, which can be exploited by model inversion and membership inference attacks.

Defensive Distillation

A defensive technique that trains a second model using the smoothed class probability vectors of a first model, effectively masking the gradient information exploited by adversarial and inversion attacks.

Information Bottleneck

A theoretical principle and training objective that compresses input data into a latent representation that is maximally informative about the target task while minimizing mutual information with the original input, naturally limiting inversion risk.

Adversarial Regularization

A training methodology that augments the loss function with a penalty term designed to minimize the success of an adversary attempting to reconstruct inputs or infer membership, enhancing model robustness.

Maximal Coding Rate Reduction (MCR2)

A representation learning principle that maximizes the coding rate difference between the whole dataset and individual classes, promoting discriminative and compressed features that are inherently resistant to inversion.

Dropout

A stochastic regularization technique that randomly omits units during training, which introduces uncertainty in feature representations and has been shown to mitigate the effectiveness of model inversion attacks.

Adversarial Training

A robust optimization framework that augments the training dataset with adversarial examples, hardening the model against evasion attacks and reducing the fidelity of reconstructed inputs from inversion attacks.

Mixup Training

A data augmentation technique that trains models on convex combinations of pairs of inputs and their labels, which smooths decision boundaries and degrades the quality of model inversion reconstructions.

Autoencoder-Based Defense

A defensive architecture that pre-processes inputs through a denoising or variational autoencoder to purge sensitive high-frequency signals before they reach the primary classifier, obstructing reconstruction attacks.

PATE (Private Aggregation of Teacher Ensembles)

A student-teacher framework that trains a student model on the noisy aggregated votes of an ensemble of teacher models trained on disjoint sensitive data, providing strong differential privacy guarantees.

Output Perturbation

A privacy mechanism that directly adds random noise to a model's final output, such as a prediction vector or aggregated statistic, to mask the contribution of individual training data points.

Query Auditing

A runtime defense that monitors incoming API queries to a model, detecting and blocking anomalous sequences or high-frequency requests characteristic of model inversion or extraction attacks.

Knowledge Distillation

A model compression technique where a smaller 'student' model is trained to replicate the behavior of a larger 'teacher' model, which can be leveraged for privacy by transferring only non-sensitive, generalized knowledge.

Dimensionality Reduction

The process of projecting high-dimensional data into a lower-dimensional latent space, which can serve as a defense by creating an information bottleneck that naturally discards fine-grained details necessary for input reconstruction.

Dataset Inference (DI)

A forensic technique that determines whether a specific dataset was used to train a model by analyzing the model's internal activations or prediction margins, serving as a detection mechanism for unauthorized training.

Model Watermarking

A technique for embedding a secret, verifiable pattern into a model's weights or behavior to assert ownership and detect unauthorized model theft or extraction, rather than preventing data inversion.

Split Learning

A distributed training paradigm where a model is partitioned between a client and server, with the client only sharing intermediate activations (smashed data) rather than raw data or full gradients, reducing the attack surface for inversion.

Total Variation Denoising

A signal processing technique used as a defense by applying a total variation loss penalty during inversion attacks, which fails to reconstruct fine textures and acts as a natural image prior that protects against gradient leakage.

Per-Sample Gradient Clipping

The core operation in DP-SGD that bounds the sensitivity of the training algorithm by scaling down individual gradients to a maximum L2 norm, limiting the influence of any single data point on the model update.

Label-Only Inversion

A black-box attack variant that reconstructs class-level representative images by querying a model and observing only the hard-label predictions, without access to confidence scores or gradients.

Gradient Matching

The optimization objective used in gradient inversion attacks that minimizes the cosine similarity or L2 distance between dummy gradients generated from random noise and the actual shared private gradients.

Glossary

Membership Inference Protections

Terms related to attacks that determine if a specific record was used in a model's training set and the countermeasures to prevent this leakage. Target: Privacy auditors and machine learning security specialists.

Membership Inference Attack (MIA)

An adversarial method that determines whether a specific data record was included in a machine learning model's training dataset by analyzing the model's output behavior.

Shadow Model

A replica model trained to mimic the target model's behavior, used by attackers to generate labeled data for training a membership inference classifier.

Differential Privacy (DP)

A mathematical framework that provides provable privacy guarantees by injecting calibrated noise into computations, ensuring the output is statistically indistinguishable whether or not any single individual's data is included.

Privacy Budget (Epsilon)

A quantifiable parameter (ε) in differential privacy that controls the maximum allowable information leakage, where a smaller epsilon indicates a stronger privacy guarantee.

DP-SGD

Differentially Private Stochastic Gradient Descent, a training algorithm that clips per-sample gradients and adds Gaussian noise to protect the privacy of individual training records during model optimization.

Rényi Differential Privacy (RDP)

A relaxation of pure differential privacy based on Rényi divergence that provides tighter composition bounds, enabling more accurate privacy accounting for iterative algorithms like DP-SGD.

Privacy Loss Distribution (PLD)

A precise accounting method that tracks the full distribution of privacy loss random variables across composed mechanisms, enabling tighter privacy budget calculations than moment-based accountants.

Memorization

The phenomenon where a machine learning model encodes exact or near-exact copies of individual training examples within its parameters, increasing vulnerability to membership inference and extraction attacks.

Overfitting

A modeling error where a machine learning algorithm learns the noise and random fluctuations in the training data to the extent that it negatively impacts generalization and amplifies membership inference risk.

Regularization

A set of techniques including weight decay, dropout, and early stopping that constrain model complexity to reduce overfitting and incidentally lower the success rate of membership inference attacks.

Prediction Entropy

A measure of uncertainty in a model's output probability distribution, where lower entropy on training samples compared to non-training samples serves as a primary signal for membership inference.

Machine Unlearning

The process of removing the influence of specific training data points from a trained model without full retraining, enabling compliance with data deletion requests and mitigating membership inference.

SISA Training

Sharded, Isolated, Sliced, Aggregated training, an exact unlearning framework that partitions data into independent shards to limit the retraining scope when a deletion request is received.

Knowledge Distillation

A model compression technique where a smaller student model is trained to replicate the softened outputs of a larger teacher ensemble, which can incidentally reduce membership information leakage.

PATE

Private Aggregation of Teacher Ensembles, a framework that trains a student model using noisy voting from an ensemble of teacher models trained on disjoint data partitions to achieve differential privacy.

Adversarial Regularization

A defensive training methodology that incorporates a simulated membership inference attacker into the training objective, forcing the model to learn representations that minimize privacy leakage.

Privacy Risk Score

A per-instance metric that quantifies the likelihood a specific training record can be successfully identified by a membership inference attack, enabling targeted protective measures.

Data Minimization

A privacy engineering principle that restricts data collection and retention to the minimum necessary, inherently reducing the attack surface for membership inference by limiting exposed training records.

Out-of-Distribution Detection

A technique that identifies inputs dissimilar to the training distribution, which can be used to throttle predictions and prevent attackers from querying the model with membership inference probes.

Conformal Prediction

A distribution-free framework that produces prediction sets with guaranteed coverage, enabling selective classification and abstention that can mask the overconfident signals exploited by membership inference.

Temperature Scaling

A post-hoc calibration method that smooths the model's output probabilities by dividing logits by a learned temperature parameter, reducing the confidence gap between training and non-training samples.

Exposure Metric

A quantitative measure of how much a model has memorized a specific canary sequence or data point, used to audit and empirically bound the success of potential membership inference attacks.

Label-Only Attack

A black-box membership inference variant that requires only the model's predicted hard label rather than full confidence scores, making it effective against APIs that limit output information.

Gradient Clipping

A technique that bounds the L2 norm of per-sample gradients during training, serving as a critical preprocessing step in DP-SGD to limit the sensitivity of individual records to the model update.

Privacy Amplification by Subsampling

The property where randomly sampling a subset of data for each training step amplifies the privacy guarantee, as the uncertainty of inclusion provides an additional layer of deniability.

Model Inversion

An attack that reconstructs representative features or exact training inputs from model parameters, representing a more severe privacy breach than membership inference by extracting actual data content.

Calibration

The alignment between a model's predicted confidence and its empirical accuracy, where well-calibrated models exhibit smaller confidence discrepancies that membership inference attacks exploit.

Selective Classification

A prediction strategy where the model abstains from making decisions on inputs with high uncertainty, serving as a defense by denying attackers the high-confidence signals needed for membership inference.

Uncertainty Quantification (UQ)

The field of estimating and representing the confidence bounds of model predictions, distinguishing between aleatoric and epistemic uncertainty to identify and mitigate overconfident memorization.

Information Bottleneck

A training principle that encourages the model to compress input representations while preserving task-relevant information, naturally limiting the capacity to memorize and leak individual training records.

Glossary

Data Poisoning Defense

Terms related to adversarial attacks that corrupt training data to compromise model integrity and the robust training techniques used to neutralize them. Target: ML security engineers and data pipeline architects.

Backdoor Attack

An attack where an adversary injects a hidden trigger pattern into a model during training, causing it to misclassify inputs containing that trigger while maintaining normal performance on clean data.

Label Flipping

A data poisoning technique where an attacker deliberately changes the labels of a subset of training examples to degrade model accuracy or introduce a specific misclassification behavior.

Clean-Label Poisoning

An attack that injects correctly labeled but subtly perturbed training samples that appear benign to human reviewers, yet cause the model to learn a malicious decision boundary.

Gradient Matching

A poisoning attack strategy that crafts malicious training examples whose gradients closely align with the gradient of a target adversarial objective, making the attack potent with minimal data.

Adversarial Training

A defensive technique that augments the training dataset with adversarial examples to improve a model's robustness against evasion and poisoning attacks.

Differential Privacy SGD (DP-SGD)

A training algorithm that clips per-example gradients and adds calibrated noise to the aggregated gradient, providing formal differential privacy guarantees and limiting the influence of any single training point.

Robust Aggregation

A class of Byzantine-resilient algorithms used in federated learning to combine model updates from multiple clients while mitigating the impact of malicious or corrupted contributions.

Krum

A robust aggregation rule for distributed learning that selects a single model update from a set of client updates that is closest to a majority of its neighbors, effectively tolerating Byzantine failures.

FoolsGold

A defense mechanism that identifies malicious clients in federated learning by analyzing the diversity of their historical gradient updates, assuming sybil attackers produce highly similar contributions.

Certified Robustness

A property of a model that provides a mathematical proof guaranteeing its prediction will remain constant for any input within a specified Lp-norm radius, defending against adversarial perturbations.

Randomized Smoothing

A technique for constructing a certifiably robust classifier by adding random Gaussian noise to inputs and returning the most probable prediction under that noise distribution.

Spectral Signatures

A detection method that identifies poisoned training examples by analyzing the singular value decomposition of feature representations, revealing statistical outliers that correlate with backdoor triggers.

Activation Clustering

A defense that separates clean and poisoned training data by clustering the activations of the final hidden layer for each class, isolating samples that cause anomalous internal representations.

Neural Cleanse

A backdoor detection and mitigation technique that reverse-engineers potential triggers by finding the minimal perturbation required to misclassify all samples to a target label, then patches the model.

Fine-Pruning

A defense that removes backdoors by pruning dormant neurons that are activated by the trigger but not by clean validation data, followed by fine-tuning the pruned model on a clean dataset.

Knowledge Distillation Defense

A mitigation strategy that trains a new student model using only the soft labels from a potentially poisoned teacher model on a clean dataset, aiming to transfer benign knowledge while discarding backdoor behavior.

Gradient Clipping

A technique that caps the L2-norm of individual per-example gradients during training to bound the maximum influence any single data point can exert on the model update.

Byzantine Fault Tolerance

The property of a distributed system that enables it to reach correct consensus and continue operating reliably even when an arbitrary subset of its components exhibits malicious or arbitrary failures.

Data Sanitization

The process of filtering or transforming a training dataset to remove anomalous, mislabeled, or poisoned samples before they can corrupt the model's learning process.

Data Provenance

The documented lineage and origin of a dataset, including its creation, transformation, and chain of custody, used to verify integrity and detect unauthorized tampering in the ML supply chain.

Trigger Reconstruction

A reverse-engineering defense that computationally recovers the specific pattern or patch an attacker embedded in a backdoored model by solving an optimization problem over the model's weights.

Model Inspection

The practice of analyzing a trained model's internal weights, decision boundaries, or feature attributions to detect anomalies indicative of a backdoor or poisoning attack without requiring access to the training data.

Poisoning Budget

The maximum fraction or absolute number of training samples an adversary is assumed to control, defining the threat model's strength and the required tolerance of a robust defense.

STRIDE

A threat modeling framework developed by Microsoft that categorizes security threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

MITRE ATLAS

A globally accessible knowledge base of adversary tactics, techniques, and case studies specific to artificial intelligence systems, modeled after the MITRE ATT&CK framework for cybersecurity.

Model Supply Chain Security

The practice of ensuring the integrity and authenticity of all components in the ML lifecycle, from pre-trained weights and datasets to software dependencies, against tampering and poisoning.

Artifact Signing

A security measure that cryptographically signs model weights, datasets, and code to create a verifiable digital signature, ensuring they have not been modified since the trusted publisher released them.

Data Quality Firewall

An automated, inline filtering system in the data pipeline that inspects, validates, and blocks anomalous or potentially poisoned training samples before they reach the model training process.

Distributional Shift Detection

A monitoring technique that identifies when the statistical properties of incoming production data or a new training batch deviate significantly from the original training distribution, flagging potential poisoning.

Red Teaming

A structured adversarial assessment where a security team simulates real-world poisoning and evasion attacks against an ML system to proactively identify vulnerabilities before malicious actors can exploit them.

Glossary

Secure Aggregation Protocols

Terms related to cryptographic methods that allow a central server to compute the sum of model updates from multiple clients without inspecting individual contributions. Target: Distributed systems engineers and cryptographers.

Secure Aggregation (SecAgg)

A cryptographic protocol enabling a central server to compute the sum of model updates from multiple clients without inspecting any individual client's contribution, preserving privacy in federated learning.

Pairwise Masking

A technique in secure aggregation where each pair of clients agrees on a shared secret mask added to their updates, ensuring individual contributions cancel out in the final sum while hiding them from the server.

Secret Sharing

A cryptographic method for distributing a secret among a group of participants, where each holds a share, and only a qualified subset can reconstruct the original secret, used for dropout resilience in secure aggregation.

Shamir Secret Sharing

A specific secret sharing scheme that encodes a secret as a polynomial, distributing points on the polynomial as shares, and requiring a threshold number of shares to reconstruct the secret via Lagrange interpolation.

Dropout Resilience

The property of a secure aggregation protocol that allows the correct computation of the aggregate sum even when a subset of participating clients disconnects or fails to complete the protocol round.

Byzantine Fault Tolerance

The resilience of a distributed system to arbitrary or malicious failures, ensuring correct consensus and computation even when some nodes exhibit adversarial behavior, including sending incorrect or contradictory data.

Key Agreement

A cryptographic protocol allowing two or more parties to establish a shared secret key over an insecure communication channel without prior shared secrets, foundational for pairwise masking in secure aggregation.

Diffie-Hellman Key Exchange

A specific key agreement protocol that allows two parties to jointly establish a shared secret over a public channel, with security based on the computational hardness of the discrete logarithm problem.

Pseudorandom Generator (PRG)

A deterministic algorithm that expands a short, uniformly random seed into a longer sequence of bits that is computationally indistinguishable from truly random bits, used to efficiently generate masks in secure aggregation.

Authenticated Encryption

A symmetric encryption scheme that simultaneously provides confidentiality, integrity, and authenticity assurances on the plaintext, protecting against chosen-ciphertext attacks during client-to-server communication.

Digital Signature

A cryptographic mechanism for verifying the authenticity and integrity of a digital message, allowing a recipient to confirm the message was created by a known sender and was not altered in transit.

Zero-Knowledge Proof

A cryptographic protocol where one party proves to another that a statement is true without revealing any information beyond the validity of the statement itself, used to enforce honest behavior in malicious settings.

Semi-Honest Security

A security model for cryptographic protocols that assumes adversaries follow the protocol specification correctly but may attempt to learn additional information from the protocol transcript, also known as honest-but-curious.

Malicious Security

A strong security model that guarantees protocol correctness and privacy even when adversaries arbitrarily deviate from the protocol specification, including injecting false data or aborting early.

Gossip Protocol

A decentralized communication pattern where each node periodically exchanges information with a random subset of peers, enabling robust and scalable information dissemination without a central coordinator.

All-Reduce

A collective communication operation in distributed computing that aggregates data from all participating nodes and distributes the result back to every node, commonly used for summing gradients in distributed training.

Synchronization Barrier

A coordination point in a parallel computation where all participating processes must arrive before any is allowed to proceed to the next phase, ensuring consistency across communication rounds.

Straggler Mitigation

Techniques designed to prevent slow or unresponsive clients from delaying the entire computation, including using coded computation or setting timeouts to proceed without their updates.

Gradient Clipping

A technique that bounds the L2 norm of individual model updates to a maximum threshold before aggregation, limiting the influence of any single client and providing robustness to outliers or adversarial inputs.

Quantized Aggregation

The process of compressing model updates into low-precision representations before transmission and aggregation, reducing communication overhead at the cost of introducing quantization error into the global model.

Verifiable Secret Sharing (VSS)

An enhancement of secret sharing that allows recipients of shares to verify their consistency, preventing a malicious dealer from distributing invalid shares that would prevent correct reconstruction.

Commitment Scheme

A cryptographic primitive allowing a party to commit to a chosen value while keeping it hidden, with the ability to reveal the value later, ensuring the committer cannot change the value after committing.

Aggregate Signature

A cryptographic scheme that compresses multiple digital signatures from different users on different messages into a single short signature, reducing bandwidth and verification overhead in secure aggregation.

Threshold Encryption

A public-key encryption scheme where the private key is distributed among multiple parties, requiring a threshold number of them to cooperate to decrypt a ciphertext, preventing any single party from decrypting alone.

Additive Homomorphic Encryption (AHE)

A form of encryption that allows the direct computation of the sum of plaintexts by performing an operation on their corresponding ciphertexts, enabling a server to aggregate encrypted updates without decrypting them.

Learning With Errors (LWE)

A foundational computational problem in lattice-based cryptography, conjectured to be hard even for quantum computers, used to construct post-quantum secure encryption and secure aggregation protocols.

Forward Secrecy

A security property ensuring that the compromise of long-term keys does not compromise past session keys, protecting previously transmitted model updates even if a device is later compromised.

Trusted Execution Environment (TEE)

A secure area of a main processor that guarantees code and data loaded inside is protected with respect to confidentiality and integrity, providing a hardware-backed alternative for server-mediated secure aggregation.

Federated Averaging (FedAvg)

The foundational federated learning algorithm where a global model is updated by averaging the locally trained model weights from a sampled subset of clients, typically combined with secure aggregation to protect those updates.

Gradient Leakage

A class of privacy attacks where an adversary analyzes publicly shared model gradients to reconstruct private training data, the primary threat that secure aggregation protocols are designed to prevent.

Glossary

Synthetic Data Generation

Terms related to the creation of artificial datasets that statistically mirror real sensitive data without containing identifiable records. Target: Data scientists and compliance officers seeking privacy-safe data sharing.

Generative Adversarial Network (GAN)

A deep learning architecture where two neural networks, a generator and a discriminator, compete adversarially to produce increasingly realistic synthetic data that mimics a target distribution.

Variational Autoencoder (VAE)

A generative model that encodes input data into a probabilistic latent space and decodes samples from that space to generate new, statistically similar synthetic records.

Differential Privacy

A mathematical framework that provides a provable guarantee limiting the information leakage about any single individual in a dataset, typically achieved by injecting calibrated noise into computations.

CTGAN

A conditional tabular generative adversarial network specifically designed to model non-Gaussian, multi-modal distributions and mixed data types found in structured databases.

Synthetic Data Vault (SDV)

An open-source ecosystem of generative models for creating synthetic tabular, relational, and time-series data while preserving statistical properties and referential integrity.

K-Anonymity

A privacy property ensuring that each released record is indistinguishable from at least k-1 other records with respect to quasi-identifiers, preventing identity disclosure.

Re-identification Risk

The probability that an adversary can successfully link anonymized or synthetic records back to the specific real-world individual they describe.

Membership Inference Attack

An adversarial technique that determines whether a specific data point was included in the training set of a machine learning model, exposing potential privacy violations.

Attribute Inference Attack

A privacy attack where an adversary predicts sensitive attributes of an individual by exploiting correlations learned by a model from non-sensitive features.

Mode Collapse

A failure condition in GAN training where the generator learns to produce only a limited variety of outputs, failing to capture the full diversity of the real data distribution.

Wasserstein Distance

A metric for measuring the distance between probability distributions, often used as a stable loss function in GANs to improve training convergence and sample diversity.

Privacy-Utility Trade-off

The fundamental balancing act between the strength of a privacy guarantee and the statistical fidelity or downstream usefulness of the resulting synthetic or anonymized data.

Synthetic Tabular Data

Artificially generated structured data organized in rows and columns that replicates the statistical correlations, distributions, and constraints of a real relational database.

Synthetic Time Series

Sequential data points generated to mimic the temporal dynamics, seasonality, and autocorrelations of real sensor readings, financial logs, or event streams.

Statistical Fidelity

The degree to which a synthetic dataset preserves the univariate distributions, multivariate correlations, and aggregate statistics of the original real data.

Data Minimization

A core privacy principle dictating that only the minimum amount of personal data necessary for a specific purpose should be collected, processed, or retained.

Fairness-Aware Synthesis

The practice of generating synthetic data that explicitly corrects for historical biases and ensures demographic parity or equalized odds across protected subgroups.

Synthetic Data Quality Report

A diagnostic document that quantifies the fidelity, privacy, and utility of a synthetic dataset by measuring column shapes, pair trends, and boundary adherence against the real data.

SDMetrics

An open-source Python library for evaluating synthetic data quality by computing statistical, privacy, and efficacy metrics in a standardized reporting framework.

Synthcity

A comprehensive open-source library providing a unified interface for training, evaluating, and benchmarking a wide range of synthetic data generation models.

Synthetic Health Data

Artificially generated patient records, medical images, or clinical notes that replicate real healthcare data properties without exposing protected health information.

Synthetic Financial Data

Generated transaction logs, market feeds, or credit histories that preserve the complex temporal patterns and fraud signatures of real financial systems for model development.

Data Amplification

The process of using generative models to create a larger synthetic dataset from a smaller real one, boosting the performance of downstream machine learning models.

Synthetic Data Governance

The framework of policies, standards, and controls for managing the lifecycle, quality, privacy risk, and ethical use of synthetic data within an organization.

Model Card

A structured transparency document that details a machine learning model's intended use, performance characteristics, limitations, and ethical considerations.

Data Card

A standardized factsheet that documents the provenance, composition, collection process, and recommended uses of a dataset to ensure responsible consumption.

Synthetic Data Watermark

An imperceptible, robust signal embedded into synthetic data to enable provenance tracking, distinguish it from real data, and prevent unauthorized misuse.

Train-Synthetic-Test-Real (TSTR)

An evaluation paradigm where a model is trained entirely on synthetic data and tested on real data to measure the synthetic data's utility for downstream tasks.

Denoising Diffusion Probabilistic Model (DDPM)

A class of generative models that learn to reverse a gradual noising process, synthesizing high-fidelity data by iteratively denoising random Gaussian noise.

Conditional Synthesis

The generation of synthetic data points that satisfy specific user-defined constraints or belong to a particular class, enabling targeted data augmentation and scenario modeling.

Glossary

Privacy-Preserving Record Linkage

Terms related to techniques for matching and merging records across disparate databases without revealing the identities of non-matching entities. Target: Data engineers and health informatics specialists.

Privacy-Preserving Record Linkage (PPRL)

A cryptographic framework that enables the identification and merging of records belonging to the same entity across disparate databases without revealing the plaintext identifiers of non-matching records to any party.

Bloom Filter Encoding

A probabilistic data structure used in PPRL to encode sensitive identifiers like names into a bit-array using multiple hash functions, enabling approximate matching while resisting cryptanalysis.

Cryptographic Longterm Key (CLK)

A hardened, salted hash-based encoding scheme derived from Bloom filters that allows for privacy-preserving record linkage by generating irreversible, length-preserving tokens from personal identifiers.

Locality-Sensitive Hashing (LSH)

An algorithmic technique that hashes similar input items into the same buckets with high probability, used in private blocking to drastically reduce the number of record pair comparisons without revealing plaintext.

Felligi-Sunter Model

The foundational statistical framework for probabilistic record linkage that computes match weights based on the agreement and disagreement patterns of individual record fields to estimate the likelihood of a true match.

Probabilistic Linkage

A record matching methodology that uses statistical likelihood ratios to calculate the probability that two records refer to the same entity, accounting for data errors and missing values unlike deterministic rules.

Deterministic Linkage

A record matching methodology that classifies a pair as a match only if a predefined set of identifiers agree exactly, offering high precision but low recall in the presence of typographical errors.

Edit Distance Threshold

A fuzzy matching parameter defining the maximum allowable string transformation cost for two values to be considered equivalent, commonly implemented using Levenshtein or Damerau-Levenshtein distance.

Jaro-Winkler Distance

A string similarity metric optimized for short strings like personal names that gives higher scores to strings with matching prefixes, widely used in fuzzy record linkage applications.

Phonetic Encoding

A class of algorithms that index words by their pronunciation to match homophones, enabling the linkage of records despite spelling variations; common implementations include Soundex and Double Metaphone.

Blocking Key Selection

The strategic process of choosing specific record attributes to partition a dataset into mutually exclusive blocks, dramatically reducing the quadratic computational complexity of record linkage.

Sorted Neighborhood Method

A blocking technique that sorts records by a key and slides a fixed-size window over the sorted list to compare only nearby records, balancing computational efficiency with match recall.

TF-IDF Blocking

A blocking strategy that uses term frequency-inverse document frequency weighting to identify the most discriminative tokens for indexing, improving block quality for large-scale text-heavy record linkage.

Entity Resolution

The comprehensive process of identifying, linking, and merging disparate records that refer to the same real-world entity within or across datasets, also known as identity resolution or data matching.

Golden Record

The single, best-curated version of a master data entity created by resolving and merging all conflicting attributes from duplicate records through survivorship rules.

Master Data Management (MDM)

A comprehensive governance and technology framework that ensures the uniformity, accuracy, and semantic consistency of an enterprise's shared critical data assets, often relying on a golden record.

Private Blocking

A cryptographic preprocessing step in PPRL that partitions encoded datasets into blocks using techniques like LSH or reference value encoding to reduce comparisons without leaking plaintext similarity.

Hardened Bloom Filter

A cryptographically enhanced Bloom filter that incorporates a secret salt and multiple hashing iterations to resist frequency-based cryptanalysis attacks during privacy-preserving record linkage.

MinHash

A technique for quickly estimating the Jaccard similarity between two sets by comparing the minimum hash values of their elements, used in PPRL for efficient private blocking.

Secure Edit Distance

A secure multi-party computation protocol that allows two parties to compute the string edit distance between their private inputs without revealing the underlying strings to each other.

Private Set Intersection Cardinality (PSI-CA)

A cryptographic protocol that allows two parties to learn only the size of the intersection of their private sets, often used as a building block for private blocking in PPRL.

Linkage Quality Assessment

The evaluation of record linkage output using precision, recall, and F-measure against a ground-truth set to measure the rates of false matches and false non-matches.

Transitive Closure

A graph-based resolution technique that identifies all connected components in a pairwise comparison graph to merge records into a single entity cluster, ensuring linkage consistency.

Schema Alignment

The preprocessing step of mapping semantically equivalent attributes from different source schemas to a common canonical format before performing record linkage.

Data Standardization

The process of transforming raw data into a consistent format by parsing, cleaning, and normalizing values to improve the accuracy of downstream record linkage algorithms.

Two-Party Computation Linkage

A PPRL protocol where two data custodians jointly compute matching records using secure multi-party computation without revealing their full datasets to a central third party.

Multi-Party Computation Linkage

A PPRL protocol extending secure linkage to three or more parties, allowing collaborative entity resolution across a consortium without exposing individual-level data.

Clerical Review

The manual human adjudication of record pairs that fall into an uncertainty region where automated probabilistic scoring cannot confidently classify them as a match or non-match.

Match Score Thresholding

The process of setting cutoff values on a composite similarity score to automatically classify record pairs as matches, non-matches, or potential matches requiring clerical review.

False Match Rate

The proportion of record pairs incorrectly classified as matches out of all true non-matching pairs, representing a critical error metric in privacy-preserving record linkage quality assessment.

Glossary

De-identification Pipelines

Terms related to the systematic transformation of raw data to remove or obscure personally identifiable information before use in machine learning workflows. Target: Data governance officers and ML pipeline engineers.

k-Anonymity

A privacy model ensuring each record in a dataset is indistinguishable from at least k-1 other records with respect to quasi-identifiers, preventing singling out individuals.

l-Diversity

An extension of k-anonymity requiring each equivalence class to contain at least l well-represented values for sensitive attributes, mitigating homogeneity attacks.

t-Closeness

A privacy model requiring the distribution of a sensitive attribute in any equivalence class to be within a threshold t of its distribution in the overall dataset, preventing skewness attacks.

Pseudonymization

The processing of personal data to replace direct identifiers with artificial pseudonyms, allowing re-identification only with separately stored additional information.

Tokenization

A data security technique substituting sensitive data elements with non-sensitive surrogate tokens that retain essential metadata without compromising the original value.

Data Masking

The process of creating a structurally similar but inauthentic version of data to protect sensitive information in non-production environments while preserving analytical utility.

Format-Preserving Encryption (FPE)

An encryption method where the ciphertext retains the same format and length as the plaintext, enabling retrofitting encryption into legacy systems without schema changes.

Differential Privacy

A mathematical framework providing provable privacy guarantees by injecting calibrated noise into query results, ensuring the output distribution is nearly identical whether or not any single individual is included.

Epsilon Budget

The cumulative privacy loss parameter in differential privacy that quantifies the total leakage allowed across multiple queries before the formal guarantee is exhausted.

Laplace Mechanism

A differential privacy technique adding noise drawn from a Laplace distribution to the output of a numeric query, calibrated to the query's sensitivity and the privacy parameter epsilon.

Gaussian Mechanism

A differential privacy technique adding noise drawn from a Gaussian distribution to query outputs, used when relaxing pure epsilon-differential privacy to approximate (epsilon, delta)-differential privacy.

Quasi-Identifier (QID)

A set of non-sensitive attributes that, when combined with external data, can uniquely or nearly uniquely identify an individual record within a dataset.

Re-identification Risk

The probability that an adversary can successfully link de-identified records back to specific individuals using auxiliary information or statistical inference.

Data Minimization

The principle of limiting data collection, processing, and retention to only what is directly necessary and proportionate for a specified purpose.

Generalization Hierarchy

A structured taxonomy of attribute values organized from specific to general, used to replace precise values with broader categories to achieve k-anonymity.

Statistical Disclosure Control (SDC)

A suite of statistical methods applied to microdata and tabular data to reduce the risk of disclosing confidential information while maximizing analytical utility.

Synthetic Data Vault

A system using generative models to create entirely artificial datasets that statistically mimic the properties of real sensitive data without containing identifiable records.

Attribute Suppression

The complete removal of an entire column or attribute from a dataset because it poses an unacceptable re-identification risk or is not essential for the analysis.

Cell Suppression

A disclosure control technique that selectively hides the values of specific cells in tabular data to prevent the inference of sensitive individual contributions.

Data Perturbation

The intentional alteration of original data values through noise addition, swapping, or rounding to preserve statistical patterns while obscuring individual records.

Expert Determination

A HIPAA Safe Harbor alternative where a qualified statistician certifies that the risk of re-identification from a de-identified dataset is very small.

HIPAA Safe Harbor

A compliance method under the HIPAA Privacy Rule requiring the removal of 18 specific direct identifiers from protected health information to consider it de-identified.

Data Lineage

The documented lifecycle tracking of data's origins, movements, transformations, and dependencies across pipelines, essential for auditing de-identification processes.

Consent Management

A system governing the collection, storage, and enforcement of user permissions regarding the specific purposes for which their personal data can be processed.

Automated Redaction

The use of named entity recognition and pattern matching algorithms to automatically detect and obscure sensitive text spans in unstructured documents.

DICOM De-identification

The process of stripping protected health information from Digital Imaging and Communications in Medicine files, including pixel data and metadata headers, for research use.

Privacy by Design (PbD)

An engineering framework embedding privacy controls into the architecture of systems and processes from the initial design phase rather than as a retroactive compliance layer.

Data Protection Impact Assessment (DPIA)

A mandatory risk assessment process under GDPR for processing activities likely to result in high risk to individuals' rights and freedoms, identifying mitigations.

Data Residency

The regulatory or policy requirement mandating that digital data is stored and processed within the geographical boundaries of a specific jurisdiction.

Data Classification

The systematic categorization of data assets based on sensitivity levels and business criticality to apply appropriate handling, masking, and access control policies.

Glossary

Zero-Knowledge Proofs for ML

Terms related to cryptographic protocols that allow one party to prove the correctness of a model's inference or training without revealing the underlying data or model weights. Target: Cryptographers and verifiable computing specialists.

Zero-Knowledge Proof (ZKP)

A cryptographic protocol enabling a prover to convince a verifier of a statement's truth without revealing any information beyond the statement's validity.

zkSNARK

A Zero-Knowledge Succinct Non-Interactive Argument of Knowledge that produces constant-size proofs and enables fast verification for computational integrity.

zkSTARK

A Zero-Knowledge Scalable Transparent Argument of Knowledge that relies on collision-resistant hash functions instead of a trusted setup, offering post-quantum security.

Arithmetic Circuit

A directed acyclic graph representing a computation as a series of addition and multiplication gates over a finite field, serving as the foundational representation for ZKP systems.

Constraint System

A set of mathematical equations encoding the valid execution of a computation, which a prover must satisfy to generate a valid proof of correct execution.

Rank-1 Constraint System (R1CS)

A standard format for representing arithmetic circuit satisfiability as a set of quadratic constraints, widely used in early zkSNARK constructions like Groth16.

Plonk

A universal and updatable zkSNARK construction that uses a polynomial interactive oracle proof and a single trusted setup ceremony for all circuits of a bounded size.

Groth16

A pairing-based zkSNARK protocol known for producing the smallest proof sizes and fastest verification times, but requiring a circuit-specific trusted setup.

Halo2

A recursive zkSNARK proving system that eliminates the need for a trusted setup by using inner product arguments and a cycle of elliptic curves for incremental verification.

Nova

A recursive proof composition scheme based on folding schemes that achieves fast prover times by deferring expensive cryptographic operations through incremental computation.

Polynomial Commitment

A cryptographic primitive allowing a prover to commit to a polynomial and later open it at specific points, with the proof size being independent of the polynomial's degree.

Fiat-Shamir Heuristic

A cryptographic transformation that converts an interactive public-coin proof into a non-interactive proof by replacing the verifier's random challenges with the output of a cryptographic hash function.

Trusted Setup Ceremony

A multi-party computation protocol used to generate the common reference string for a ZKP system, where security relies on at least one participant destroying their generated toxic waste.

Common Reference String (CRS)

A public string of structured parameters generated during a trusted setup that is shared between the prover and verifier to enable non-interactive zero-knowledge proofs.

Transparent Setup

A ZKP system design that uses publicly verifiable randomness, such as hash functions, to generate parameters, eliminating the security risks associated with a multi-party trusted setup ceremony.

Universal Setup

A single, one-time trusted setup procedure that generates a structured reference string capable of supporting any circuit up to a pre-defined maximum size, as used in Plonk.

Witness

The secret auxiliary input known only to the prover that satisfies the constraints of a given circuit, such as private model weights or input data in a zkML context.

Proof Carrying Data (PCD)

A cryptographic primitive enabling a proof that attests to the correct execution of a distributed computation across multiple steps or parties, maintaining a verifiable lineage of state transitions.

Recursive Proof Composition

A technique where a ZKP verifier algorithm itself is expressed as an arithmetic circuit, allowing the creation of a single proof that attests to the validity of multiple prior proofs.

Incrementally Verifiable Computation (IVC)

A paradigm enabling a prover to update a proof after each step of a long-running computation, such that the final proof size and verification time remain constant regardless of the total number of steps.

Folding Scheme

A cryptographic method that reduces the task of checking two instances of a constraint system into the task of checking a single instance, enabling efficient recursive proving in systems like Nova.

Lookup Argument

A sub-protocol within a ZKP system that efficiently proves a value exists within a public table, enabling optimized verification of non-arithmetic operations like bitwise functions in a circuit.

zkEVM

A Zero-Knowledge Virtual Machine that generates validity proofs for Ethereum Virtual Machine execution, enabling scalable and private smart contract execution on layer-2 rollups.

zkML

The application of zero-knowledge proofs to machine learning, enabling a prover to cryptographically attest to the correctness of a model's inference or training without revealing the model weights or input data.

Sumcheck Protocol

A fundamental interactive proof protocol used to verify the sum of a multivariate polynomial's evaluations over a Boolean hypercube, serving as a core building block for systems like Spartan.

Spartan

A transparent zkSNARK system that uses the sumcheck protocol and polynomial commitments to achieve sub-linear verification costs without requiring a trusted setup.

Bulletproofs

A non-interactive zero-knowledge proof protocol with short proof sizes that does not require a trusted setup, originally designed for confidential transactions and range proofs.

STARK-Friendly Hash

A cryptographic hash function, such as Poseidon or Rescue-Prime, designed to minimize the number of multiplication gates when expressed as an arithmetic circuit, optimizing prover efficiency in zkSTARK systems.

Poseidon Hash

A family of hash functions specifically architected for zero-knowledge proof systems, operating natively over large finite fields to minimize the circuit complexity of hashing operations.

Verification Key

A cryptographic short key derived from the circuit and setup parameters that a verifier uses to efficiently check the validity of a zero-knowledge proof.

Glossary

Private Set Intersection

Terms related to protocols that allow two parties to discover the intersection of their datasets without exposing the elements unique to either party. Target: Security engineers and collaborative analytics developers.

Oblivious Transfer (OT)

A foundational cryptographic protocol where a sender transmits one of many pieces of information to a receiver, but remains oblivious to which piece was selected, while the receiver learns nothing about the other pieces.

Garbled Circuit

A cryptographic protocol that allows two parties to jointly evaluate a Boolean circuit over their private inputs without revealing those inputs to each other, forming a basis for general secure two-party computation.

Cuckoo Hashing

A hashing scheme that resolves collisions by relocating existing keys using multiple hash functions, commonly used in PSI protocols to optimize storage and reduce communication complexity.

Bloom Filter

A space-efficient probabilistic data structure used to test whether an element is a member of a set, with a controllable false-positive rate but no false negatives, often used as a building block in private set intersection.

Homomorphic Encryption (HE)

A form of encryption that permits computation directly on ciphertexts, generating an encrypted result which, when decrypted, matches the result of the operations as if they had been performed on the plaintext.

Oblivious Pseudorandom Function (OPRF)

A protocol where a client learns the output of a pseudorandom function keyed by a server on the client's input, without the server learning the input or the client learning the server's key.

OT Extension

A cryptographic technique that efficiently generates a large number of oblivious transfers from a small number of base OTs using only fast symmetric-key operations, dramatically reducing computational overhead.

IKNP Protocol

The foundational OT extension protocol by Ishai, Kilian, Nissim, and Petrank that enables the efficient generation of a large number of oblivious transfers from a small seed, forming the core of many modern PSI protocols.

Vector OLE (VOLE)

A cryptographic primitive that allows two parties to generate a long vector of correlated oblivious linear evaluations, serving as a fast, low-communication foundation for recent high-performance PSI protocols.

Malicious Security

A cryptographic security model that guarantees protocol correctness and privacy even when an adversary arbitrarily deviates from the protocol specification, providing the strongest practical security guarantee.

Semi-Honest Security

A cryptographic security model that assumes all parties follow the protocol correctly but may attempt to learn additional information from the transcript, offering a baseline efficiency-security trade-off.

Asymmetric PSI

A variant of private set intersection where only one party learns the intersection result while the other party learns nothing, commonly used in client-server contact discovery applications.

PSI Cardinality

A private set intersection variant that reveals only the size of the intersection to one or both parties, without disclosing the actual intersecting elements themselves.

Labeled PSI

A private set intersection protocol where one party's set elements have associated data labels, and the other party learns only the labels corresponding to the intersection of their input sets.

Unbalanced PSI

A private set intersection protocol optimized for scenarios where the set sizes of the two parties are significantly different, often with one party holding a much smaller set than the other.

Multiparty PSI

An extension of private set intersection from two to multiple parties, allowing a group to compute the intersection of their collective datasets without revealing individual elements to each other.

Contact Discovery

A real-world application of private set intersection that allows a messaging service user to determine which of their phone contacts are also users of the service without revealing their entire address book to the server.

Private Record Linkage

The process of identifying and merging records that refer to the same entity across different databases without revealing the identities of non-matching records, often using private set intersection techniques.

Fuzzy PSI

A private set intersection protocol that identifies approximate matches between elements, such as similar strings or biometric templates, rather than requiring exact equality.

PSI-Sum

A private set intersection variant that reveals the sum of values associated with the intersecting elements, enabling private aggregate analytics without exposing the underlying intersection set.

Diffie-Hellman Key Exchange

A method of securely exchanging cryptographic keys over a public channel, which serves as the mathematical foundation for many classical private set intersection protocols based on exponentiation.

Elliptic Curve Diffie-Hellman (ECDH)

A variant of the Diffie-Hellman protocol using elliptic curve cryptography to provide equivalent security with smaller key sizes, commonly used in efficient DH-based PSI implementations.

Circuit PSI

A generic approach to constructing private set intersection protocols by securely evaluating a Boolean circuit that computes the intersection function, often using garbled circuits.

KKRT Protocol

A highly efficient semi-honest PSI protocol by Kolesnikov, Kumaresan, Rosulek, and Trieu that uses OT extension and Cuckoo hashing to achieve fast, low-communication private set intersection.

Ferret OT

A state-of-the-art OT extension protocol that achieves extremely high speed by leveraging vector oblivious linear evaluation (VOLE) and quasi-cyclic codes for correlation-robust hashing.

Random Oracle Model

A cryptographic proof model where a hash function is idealized as a truly random function accessible by all parties, used to prove the security of many practical PSI constructions.

Communication Complexity

A measure of the total amount of data exchanged between parties during a protocol execution, a critical performance metric for private set intersection in bandwidth-constrained environments.

Post-Quantum PSI

Private set intersection protocols designed to remain secure against adversaries equipped with large-scale quantum computers, typically relying on lattice-based or other quantum-resistant cryptographic assumptions.

FHE-Based PSI

A private set intersection construction that leverages fully homomorphic encryption to evaluate the intersection logic directly on encrypted data, often achieving low round complexity.

Delegated PSI

A private set intersection variant where the computationally intensive operations are outsourced to a third-party server without the server learning the private inputs or the intersection result.

Glossary

Gradient Leakage Prevention

Terms related to attacks that reconstruct private training data from shared model gradients and the defensive techniques used to sanitize these updates. Target: Federated learning researchers and privacy engineers.

Deep Leakage from Gradients (DLG)

An optimization-based attack that reconstructs private training data from shared model gradients by iteratively matching dummy inputs to the observed gradient updates.

Gradient Inversion Attack

A class of privacy attacks that recover sensitive input data by inverting the mathematical relationship between a model's parameters and its loss gradient.

Gradient Matching

The core optimization objective in gradient leakage attacks that minimizes the distance between dummy gradients and real shared gradients to reconstruct private inputs.

Cosine Similarity Loss

A loss function used in gradient inversion attacks that measures the angular distance between real and synthetic gradients, often converging faster than Euclidean distance.

Peak Signal-to-Noise Ratio (PSNR)

A metric quantifying the fidelity of reconstructed images in gradient leakage attacks by comparing the maximum possible signal power to the power of reconstruction noise.

Structural Similarity Index (SSIM)

A perceptual metric that evaluates the visual quality of images reconstructed via gradient leakage by comparing luminance, contrast, and structure against originals.

Learned Perceptual Image Patch Similarity (LPIPS)

A deep feature-based metric for assessing gradient leakage reconstruction quality that correlates more closely with human perception than pixel-space metrics.

Gradient Pruning

A defense technique that selectively transmits only a subset of gradient elements during distributed training to reduce the information available for leakage attacks.

Gradient Clipping

A defense mechanism that bounds the norm of individual gradients before sharing, limiting the signal-to-noise ratio available to an adversary attempting data reconstruction.

Differential Privacy (DP)

A mathematical framework providing provable privacy guarantees by injecting calibrated noise into computations, ensuring the output distribution is nearly indistinguishable regardless of any single record's inclusion.

DP-SGD

A differentially private variant of stochastic gradient descent that clips per-sample gradients and adds Gaussian noise to the aggregated batch gradient during training.

Privacy Budget (Epsilon)

The quantified parameter in differential privacy that bounds the maximum privacy loss, where smaller epsilon values enforce stronger privacy guarantees at the cost of model utility.

Privacy Accountant

An algorithmic component that tracks the cumulative privacy loss across multiple queries or training steps to ensure the total expenditure remains within a predefined budget.

Rényi Differential Privacy (RDP)

A relaxation of pure differential privacy based on Rényi divergence that provides tighter composition bounds for tracking privacy loss in iterative algorithms like DP-SGD.

Secure Aggregation

A cryptographic protocol enabling a central server to compute the sum of model updates from multiple clients without inspecting any individual contribution in plaintext.

Gradient Obfuscation

A family of defensive techniques that intentionally degrade the quality of shared gradients through noise, compression, or transformation to thwart inversion attacks.

Gradient Sparsification

A communication-efficient defense that transmits only the largest-magnitude gradient elements, reducing the bandwidth of the leakage channel available to an adversary.

Gradient Quantization

A technique that reduces the numerical precision of gradient values before transmission, introducing quantization error that acts as a natural defense against precise inversion.

SignSGD

An extreme quantization method that communicates only the sign of each gradient element, drastically limiting the information leakage while enabling distributed training.

Local Differential Privacy (LDP)

A privacy model where individual users perturb their data or gradients locally before sharing, ensuring the aggregator never accesses the true values.

Gradient Perturbation

A defense strategy that adds carefully calibrated noise directly to gradients before transmission to mask the contribution of individual training samples.

Ghost Clipping

A memory-efficient technique for per-sample gradient clipping in DP-SGD that avoids materializing individual per-sample gradients, reducing the computational overhead of differential privacy.

Poisson Sampling

A subsampling method used in DP-SGD where each example is included in a batch with a fixed probability, enabling privacy amplification via the subsampled Gaussian mechanism.

Privacy Amplification by Subsampling

The phenomenon where randomly sampling a subset of data before applying a differentially private mechanism yields a stronger privacy guarantee than processing the full dataset.

Gaussian Differential Privacy (GDP)

A privacy framework that characterizes the privacy loss of algorithms using hypothesis testing and f-divergences, providing tight composition bounds for subsampled mechanisms.

Model Inversion Attack

An attack that exploits access to a trained model's parameters or confidence scores to reconstruct representative samples of the private training data distribution.

Membership Inference Attack

An attack that determines whether a specific data record was included in a model's training set by analyzing the model's output behavior on that record.

Split Learning

A distributed training paradigm where the model is partitioned between client and server, with the client sharing only intermediate activations rather than raw data or full gradients.

Gradient Compression

A unified term for techniques like sparsification and quantization that reduce the communication volume of gradients while incidentally limiting the fidelity of potential leakage.

Byzantine Resilience

Robust aggregation rules designed to tolerate malicious or faulty clients that may submit poisoned or dummy gradient updates to disrupt distributed training.