
Google Confidential Federated Analytics

What it is

Google Confidential Federated Analytics is the Google service that aggregates encrypted metadata contributions from a fleet of client devices, computes anonymised aggregate insights, and never decrypts any individual contribution. The service is the central server side of Google's federated-analytics stack — the production target of the 2026-05-27 lattice-based one-shot secure-aggregation protocol.

Architecturally it is a TEE-resident aggregator that runs a publicly-reviewable secure-aggregation binary, attested via hardware root-of-trust to clients before they release contributions or key shares.

Architectural composition

The service combines four independently-justified privacy mechanisms:

Layer | Mechanism | Wiki page
Layer 1 (math) | Lattice-based one-shot secure aggregation | concepts/secure-aggregation + patterns/one-shot-secure-aggregation
Layer 2 (hardware) | TEE (Intel TDX or AMD SEV-SNP) with attestation | concepts/trusted-execution-environment + concepts/remote-attestation
Layer 3 (key distribution) | Client-committee key shares | patterns/client-committee-key-shares
Layer 4 (output privacy) | Differential-privacy noise | concepts/differential-privacy

The composition is the canonical wiki instance of cryptography-plus-TEE defense in depth.

End-to-end flow

Android device (SafetyCore / Recorder / Gboard / etc.)
        │ 1. Local computation produces effectiveness metadata
  Lattice encryption: cᵢ ← Encrypt(metadataᵢ, kᵢ)
        │ 2. Single-shot HTTPS upload of (cᵢ, key share)
┌─────────────────────────────────────────────────────────┐
│ Google Confidential Federated Analytics                 │
│   ┌─────────────────────────────────────────────┐       │
│   │ TEE (Intel TDX or AMD SEV-SNP)              │       │
│   │  - Attests its binary digest to clients     │       │
│   │  - Aggregates ciphertexts: Σcᵢ              │       │
│   │  - Aggregates key components: Σkᵢ           │       │
│   │  - Cannot decrypt individual contributions  │       │
│   └─────────────────────────────────────────────┘       │
└─────────────────────────────────────────────────────────┘
        │ 3. Aggregate decryption gated on committee unmasking
Client committee (rotating subset of fleet)
  - Reveals key hints
  - DP noise applied at this step
        │ 4. Decryption of aggregate (only)
Engineers observe: anonymised, aggregated, DP-bounded insights
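
The flow above, as an added toy example (not code from the post, the ACM paper, or Google): an LWE-style additively key-homomorphic scheme stands in for the lattice protocol, whose specification the post does not inline, and all-of-n additive shares stand in for the committee's threshold sharing. All parameters, function names and the sample metadata are assumptions made for illustration, and the DP noise step is omitted.

```python
import secrets

# Toy parameters, chosen for readability; far too small to be secure.
Q, DELTA = 2**32, 2**16     # ciphertext modulus, message scaling factor
DIM, SLOTS, ERR = 8, 4, 3   # key length, counters per device, error bound
COMMITTEE = 3               # hypothetical committee size

# Public matrix A (SLOTS x DIM), known to every client and the aggregator.
A = [[secrets.randbelow(Q) for _ in range(DIM)] for _ in range(SLOTS)]

def rand_vec(n):
    return [secrets.randbelow(Q) for _ in range(n)]

def vec_sum(vectors):
    return [sum(col) % Q for col in zip(*vectors)]

def pad(key):
    """A·k mod Q. Linear in k, so pad(k1) + pad(k2) == pad(k1 + k2)."""
    return [sum(a * k for a, k in zip(row, key)) % Q for row in A]

def encrypt(metadata, key):
    """c_i = A·k_i + e_i + DELTA·m_i (mod Q) with small random error e_i."""
    return [(p + secrets.randbelow(2 * ERR + 1) - ERR + DELTA * m) % Q
            for p, m in zip(pad(key), metadata)]

def share_key(key):
    """Split k_i into COMMITTEE additive shares; any strict subset is uniform."""
    shares = [rand_vec(DIM) for _ in range(COMMITTEE - 1)]
    last = [(k - s) % Q for k, s in zip(key, vec_sum(shares))]
    return shares + [last]

def decrypt_aggregate(sum_c, sum_k):
    """Strip A·Σk_i, then round off the accumulated error to get Σm_i."""
    noisy = [(c - p) % Q for c, p in zip(sum_c, pad(sum_k))]
    return [((v + DELTA // 2) % Q) // DELTA for v in noisy]

def run_demo():
    # Constructed sample metadata: three devices, four counters each.
    metadata = [[1, 0, 2, 5], [0, 3, 1, 4], [2, 2, 0, 1]]
    keys = [rand_vec(DIM) for _ in metadata]
    ciphertexts = [encrypt(m, k) for m, k in zip(metadata, keys)]
    shares = [share_key(k) for k in keys]
    # Each committee member sums the shares it holds, one per device.
    member_sums = [vec_sum([s[j] for s in shares]) for j in range(COMMITTEE)]
    sum_k = vec_sum(member_sums)          # equals Σk_i; no single k_i is rebuilt
    total = decrypt_aggregate(vec_sum(ciphertexts), sum_k)
    single = decrypt_aggregate(ciphertexts[0], sum_k)   # aggregate key on one c_i
    return total, single
```

`run_demo()` returns the per-counter totals across the three devices, plus the result of applying the aggregate key to a single ciphertext, which does not recover that device's counters.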

Production targets

The 2026-05-27 post names two deployment categories:

Target | Generation | Notes
systems/pixel-recorder | Gen 2 (TEE + DP, no crypto layer) | "Google has deployed TEE-backed differentially private aggregation for computing insights into AI systems in the Pixel Recorder app." — already in production
systems/android-safetycore | Gen 3 (the 2026-05-27 architecture) | "Android SafetyCore will leverage our zero-trust private analytics" — first named target of the new architecture
systems/gboard | (Gen 1+ federated analytics) | Cited in the original federated-analytics blog as a federated-analytics consumer

The service is positioned as a Google-internal platform that multiple Android products consume; it is not a public Google Cloud product as of the 2026-05-27 post.

Threat-model coverage

Threat | Mitigation
Compromised aggregation operator (insider) | TEE memory encryption + cryptographic non-extractability
Side-channel attack against TEE | Cryptographic layer — leaked state is encrypted
Tampered aggregation binary | TEE attestation + transparency log
Server obtains per-client decryption key | Cryptographic protocol prevents — only sum-of-keys is ever assembled
Compromised client committee minority | Threshold cryptography — sub-threshold collusion cannot decrypt
Aggregate reveals individual due to small population | Differential-privacy noise applied at unmasking
Quantum attack against the encryption | concepts/lattice-based-cryptography (Lattice substrate) — PQ-secure by construction
Malicious clients submit garbage to skew aggregate | Not addressed in the post; standard fleet-protection (rate limits, attestation gating) presumed

Operational disclosure (what's NOT disclosed)

The 2026-05-27 post is architecturally focused — it discloses the shape but not operational numbers. Specifically not disclosed:

  • Aggregate-window cadence (per-day, per-hour, per-event)
  • Committee size and rotation cadence
  • DP budget allocation (ε / δ values)
  • TEE substrate split (Intel TDX vs AMD SEV-SNP)
  • End-to-end aggregation latency
  • QPS to the analytics service
  • Contributing client fraction across an aggregation window
  • Failure-recovery mechanics if committee unmasking fails

These will likely populate a follow-up production-retrospective post.

Relation to existing wiki systems

  • Sibling to systems/whatsapp-private-processing: same era, same family (TEE + attestation + transparency), but WhatsApp Private Processing is the inference direction (server-side LLM inference over private content) while Google Confidential Federated Analytics is the aggregation direction. Architecturally, WhatsApp Private Processing uses TEE as the only confidentiality layer (composing with OHTTP for unlinkability); Google Confidential Federated Analytics adds a cryptographic layer underneath.
  • Sibling to CVM: the CVM is the wiki's general-purpose write-up of the TEE-as-VM primitive that Google Confidential Federated Analytics's TEE layer is built on.
  • Sibling to systems/agentcore-identity and similar attestation-gated AWS services: same attestation primitive, applied to a different domain.

Caveats

  • Public name uncertainty. The 2026-05-27 post refers to "Google's confidential federated analytics system" (lowercase, descriptive) rather than introducing a specific product brand. The wiki page uses the descriptive name as the canonical-system identifier.
  • The cryptographic protocol is referenced via the ACM paper, not inlined. The blog post explains the architectural shape but not the formal protocol specification.
  • Public-cloud productization. Whether Google Cloud will offer this as a public service for non-Google workloads is not addressed in the post.
