Citadel: Protecting Data Privacy and Model Confidentiality for Collaborative Learning with SGX

01 November 2021

With the advancement of machine learning (ML) and growing awareness of it, more organizations that own data but lack ML expertise would like to collaborate with those that have it to train ML models. The data owners would like to keep their data private because of privacy and legal concerns, while the ML technology providers (model owners) would like to retain their intellectual property. However, existing methods do not provide scalable solutions for such a scenario. We devise, implement, and validate Citadel, a system that provides both data privacy and model privacy in untrusted infrastructures with the help of Intel SGX. We evaluate Citadel with various ML models and confirm that it provides both data and model privacy in a scalable manner.