Cryptographic Enclave

Secure and Compliant AI for Medical Data (SECAIMED)
Medical data holds immense potential for advancing healthcare, particularly in the development of novel diagnostics and therapies. However, it is often distributed across multiple institutions—hospitals, research centers, and clinics—creating a fragmented landscape that complicates integration and analysis. Despite the societal importance, leveraging these distributed datasets in a meaningful and legally compliant way remains a significant challenge. A key barrier is General Data Protection Regulation (GDPR) compliance, which imposes strict requirements on data privacy, consent, and purpose limitation. Training ML models on multi-institutional data is difficult: data cannot be freely pooled, and data protection must be ensured. Mitigations like federated learning or privacy-preserving methods often degrade performance (e.g., through added noise or overhead in aggregation and training cycles), increase complexity (by altering the model architecture or the experimental setup) and the attack surface (compromising even a single party in a multi-institutional setup can have devastating consequences), and still leave unresolved legal questions. Similar questions arise with respect to other use cases, e.g. when a model trained on one institution's data is to be used or validated by another institution, while both the evaluation data and the model are considered sensitive information.
Further critical challenges are traceability and data provenance. Current approaches rarely provide robust ways to track the sources of training data or to document how models were used. Traceability is essential for scientific rigor and for regulatory compliance under frameworks like the AI Act, which require evidence that the training data was appropriate. Current solutions (e.g., federated learning, privacy-preserving methods, software-only methods, or even commodity secure enclaves) either degrade utility, cannot scale to demanding workloads, or fail to adequately mitigate security risks. As a result, AI researchers face trade-offs between data protection, method development, and performance, and therefore have to invest time into (often insufficient) mitigation strategies instead of AI method development.
This screenshot shows the result of a computation that was triggered in Kaapana and computed with the cryptographic enclave.
SECAIMED, a joint project between cryptographers, IT security researchers and legal scholars at KIT as well as experts in medical image analysis at DKFZ, addresses these challenges with three objectives:
- High-security ML on sensitive data. We use a novel “cryptographic enclave” to perform ML at near-native speed, providing provable and quantifiable security guarantees that will be evaluated for legal compliance.
- AI method development and application. We will provide a flexible and trusted environment where researchers can safely test and develop ML methods without compromising performance or compliance.
- Traceability and data provenance. Our methodology will make it possible to securely track and document training data, model inputs, and usage to support reproducibility, scientific rigor, and regulatory compliance, ensuring models are applied safely and appropriately.
By jointly enabling security, performance, traceability and compliance, SECAIMED does more than protect data—it empowers AI research, enabling experiments and methodological advances that are suboptimal or even infeasible with current privacy-preserving approaches. Its benefits extend beyond medicine to other high-stakes domains.
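To make the traceability objective concrete, the following is an added illustration, not SECAIMED's own code or methodology: a hash-chained provenance ledger in which every training or validation run records a digest of the data snapshot it consumed, a digest of the model artefact it produced or used, and the stated purpose, bound to the previous entry. Any later alteration of a recorded entry breaks the chain and is detected by `verify()`. The dataset and model bytes, the class and function names, and the purpose strings are all constructed for this example.

```python
"""Hash-chained provenance ledger for ML training and evaluation runs.

Added illustration (hypothetical, not the project's implementation): each
entry binds data digest, model digest and purpose to the preceding entry, so
tampering with any earlier record is detectable when the chain is verified.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Digest of an artefact (dataset snapshot, model weights, ...)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ProvenanceEntry:
    action: str          # e.g. "train" or "validate"
    data_digest: str     # SHA-256 of the dataset snapshot that was used
    model_digest: str    # SHA-256 of the model artefact produced or consumed
    purpose: str         # stated purpose, supporting GDPR purpose limitation
    prev_digest: str     # digest of the preceding entry ("" for the first one)
    entry_digest: str = field(default="")

    def compute_digest(self) -> str:
        """Digest over all fields except entry_digest, in canonical JSON form."""
        body = asdict(self)
        body.pop("entry_digest")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(canonical)


class ProvenanceLedger:
    def __init__(self) -> None:
        self.entries: List[ProvenanceEntry] = []

    def append(self, action: str, data: bytes, model: bytes, purpose: str) -> ProvenanceEntry:
        """Record one run, chaining it to the last entry."""
        prev = self.entries[-1].entry_digest if self.entries else ""
        entry = ProvenanceEntry(action, sha256_hex(data), sha256_hex(model), purpose, prev)
        entry.entry_digest = entry.compute_digest()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = ""
        for i, entry in enumerate(self.entries):
            if entry.prev_digest != prev or entry.compute_digest() != entry.entry_digest:
                return i
            prev = entry.entry_digest
        return None


def demo() -> dict:
    """Build a two-entry ledger, then show that post-hoc tampering is detected."""
    # Constructed sample artefacts; real runs would hash the actual files.
    train_data = b"patient_id,label\n001,0\n002,1\n"
    model_v1 = b"MODEL-WEIGHTS-v1"
    eval_data = b"patient_id,label\n101,1\n"

    ledger = ProvenanceLedger()
    ledger.append("train", train_data, model_v1, "research: lesion classification")
    ledger.append("validate", eval_data, model_v1, "external validation")
    intact_before = ledger.verify() is None

    # Rewrite the recorded training-data digest after the fact.
    ledger.entries[0].data_digest = sha256_hex(b"a different dataset")
    return {"intact_before": intact_before, "first_bad_after_tamper": ledger.verify()}


if __name__ == "__main__":
    print(demo())
```

Because each entry's digest covers the previous entry's digest, editing a record in place is caught at that record, and replacing a record together with its own digest is caught at the next entry whose `prev_digest` no longer matches. In a deployment the ledger would be written from inside the trusted environment and signed, so that the operator cannot silently rewrite it either.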
Approach. We achieve the aforementioned goals using a novel approach for secure computations, called the cryptographic enclave, which integrates techniques from cryptography as well as established secure enclaves like Intel SGX, resulting in a solution for legally compliant secure computations with very high security under very plausible assumptions. In more detail, we extend the scope of secure enclaves from parts of a CPU or GPU to a whole data center room that contains a sophisticated security architecture built from highly advanced untrusted and trusted hardware and software components. What sets us apart from previous approaches, including other secure enclaves, is that not even we, the enclave’s operators, need to be trusted, which we achieve by an open architecture combined with technical protection mechanisms.
Our approach is unique in that it combines a novel technological concept, the cryptographic enclave, for high-security outsourcing with a joint consideration of the perspectives of advanced machine learning tasks, IT security, applied medical data science, and legal compliance. When only a subset of these is considered, a solution may seem viable while being entirely inadequate. In particular, the legal dimension sets our project apart from others, bridging the gap between technical innovation and practical application by addressing the real-world regulatory constraints that often hinder both research and practical application.
Our approach not only promises technical protection mechanisms that are appropriate for different advanced ML applications and ML research, but also novel, strong and previously unachieved guarantees for properties like security and traceability. They generalize in every aspect: the approach is applicable to many advanced ML-related tasks in the field of medical image processing. The novel enclave can be used for a multitude of ML and non-ML tasks where high security and high performance are required, which will be investigated as part of this project. Moreover, it can offer a solution to the emerging problem that more and more health research institutions cannot provide the resources needed for demanding ML research on premise. Finally, our approach can be combined with other (often complementary) privacy mechanisms, for example differential privacy.
Establishing that our technical security measures provide legal legitimacy with respect to the GDPR and other legal acts can substantially enable and accelerate collaborative research on sensitive data, in particular in the medical domain. By basing security on EU-manufactured and BSI-certified components, digital sovereignty is strengthened.