Social
Security, privacy, and abuse prevention

Computing on private data

Both secure multiparty computation and differential privacy protect the privacy of data used in computation, but each has advantages in different contexts.

By Joan FeigenbaumMahnush MovahediParker Newton
June 1, 2023
17 min read
Share

Many of today’s most innovative computation-based products and solutions are fueled by data. Where those data are private, it is essential to protect them and to prevent the release of information about data subjects, owners, or users to the wrong parties. How can we perform useful computations on sensitive data while preserving privacy?

DP.CV.jpeg
Related content
A little public data makes privacy-preserving AI models more accurate
Technique that mixes public and private training data can meet differential-privacy criteria while cutting error increase by 60%-70%.

We will revisit two well-studied approaches to this challenge: secure multiparty computation (MPC) and differential privacy (DP). MPC and DP were invented to address different real-world problems and to achieve different technical goals. However, because they are both aimed at using private information without fully revealing it, they are often confused. To help draw a distinction between the two approaches, we will discuss the power and limitations of both and give typical scenarios in which each can be highly effective.

We are interested in scenarios in which multiple individuals (sometimes, society as a whole) can derive substantial utility from a computation on private data but, in order to preserve privacy, cannot simply share all of their data with each other or with an external party.

Secure multiparty computation

MPC methods allow a group of parties to collectively perform a computation that involves all of their private data while revealing only the result of the computation. More formally, an MPC protocol enables n parties, each of whom possesses a private dataset, to compute a function of the union of their datasets in such a way that the only information revealed by the computation is the output of the function. Common situations in which MPC can be used to protect private interests include

  • auctions: the winning bid amount should be made public, but no information about the losing bids should be revealed;
  • voting: the number of votes cast for each option should be made public but not the vote cast by any one individual;
  • machine learning inference: secure two-party computation enables a client to submit a query to a server that holds a proprietary model and receive a response, keeping the query private from the server and the model private from the client.
Diagram of a circuit with a multiplicative depth of two
Related content
Building machine learning models with encrypted data
New approach to homomorphic encryption speeds up the training of encrypted machine learning models sixfold.

Note that the number n of participants can be quite small (e.g., two in the case of machine learning inference), moderate in size, or very large; the latter two size ranges both occur naturally in auctions and votes. Similarly, the participants may be known to each other (as they would be, for example, in a departmental faculty vote) or not (as, for example, in an online auction). MPC protocols mathematically guarantee the secrecy of input values but do not attempt to hide the identities of the participants; if anonymous participation is desired, it can be achieved by combining MPC with an anonymous-communication protocol.

Although MPC may seem like magic, it is implementable and even practical using cryptographic and distributed-computing techniques. For example, suppose that Alice, Bob, Carlos, and David are four engineers who want to compare their annual raises. Alice selects four random numbers that sum to her raise. She keeps one number to herself and gives each of the other three to one of the other engineers. Bob, Carlos, and David do the same with their own raises.

Secure multiparty computation
Four engineers wish to compute their average raise, without revealing any one engineer's raise to the others. Each selects four numbers that sum to his or her raise and sends three of them to the other engineers. Each engineer then sums his or her four numbers — one private number and three received from the others. The sum of all four engineers' sums equals the sum of all four raises.

After everyone has distributed the random numbers, each engineer adds up the numbers he or she is holding and sends the sum to the others. Each engineer adds up these four sums privately (i.e., on his or her local machine) and divides by four to get the average raise. Now they can all compare their raises to the team average.

Amount

Alice’s share

Bob’s share

Carlos’s share

David’s share

Sum of sums

Alice’s raise

3800

-1000

2500

900

1400


Bob’s raise

2514

700

400

650

764


Carlos’s raise

2982

750

-100

832

1500


David’s raise

3390

1500

900

-3000

3990


Sum

12686

1950

3700

-618

7654

12686

Average

3171.5





3171.5

Note that, because Alice (like Bob, Carlos, and David) kept part of her raise private (the bold numbers), no one else learned her actual raise. When she summed the numbers she was holding, the sum didn’t correspond to anyone’s raise. In fact, Bob’s sum was negative, because all that matters is that the four chosen numbers add up to the raise; the sign and magnitude of these four numbers are irrelevant.

Summing all of the engineers’ sums results in the same value as summing the raises directly, namely $12,686. If all of the engineers follow this protocol faithfully, dividing this value by four yields the team average raise of $3,171.50, which allows each person to compare his or her raise against the team average (locally and hence privately) without revealing any salary information.

A highly readable introduction to MPC that emphasizes practical protocols, some of which have been deployed in real-world scenarios, can be found in a monograph by Evans, Kolesnikov, and Rosulek. Examples of real-world applications that have been deployed include analysis of gender-based wage gaps in Boston-area companies, aggregate adoption of cybersecurity measures, and Covid exposure notification. Readers may also wish to read our previous blog post on this and related topics.

Differential privacy

Differential privacy (DP) is a body of statistical and algorithmic techniques for releasing an aggregate function of a dataset without revealing the mapping between data contributors and data items. As in MPC, we have n parties, each of whom possesses a data item. Either the parties themselves or, more often, an external agent wishes to compute an aggregate function of the parties’ input data.

Calibrated noise addition.gif
Related content
Amazon wins best-paper award for protecting privacy of training data
Calibrating noise addition to word density in the embedding space improves utility of privacy-protected text.

If this computation is performed in a differentially private manner, then no information that could be inferred from the output about the ith input, xi, can be associated with the individual party Pi. Typically, the number n of participants is very large, the participants are not known to each other, and the goal is to compute a statistical property of the set {x1, …, xn} while protecting the privacy of individual data contributors {P1, …, Pn}.

In slightly more detail, we say that a randomized algorithm M preserves differential privacy with respect to an aggregation function f if it satisfies two properties. First, for every set of input values, the output of M closely approximates the value of f. Second, for every distinct pair (xi, xi') of possible values for the ith individual input, the distribution of M(x1, …, xi,…, xn) is approximately equivalent to the distribution of M(x1, …, xi′, …, xn). The maximum “distance” between the two distributions is characterized by a parameter, ϵ, called the privacy parameter, and M is called an ϵ-differentially private algorithm.

Note that the output of a differentially private algorithm is a random variable drawn from a distribution on the range of the function f. That is because DP computation requires randomization; in particular, it works by “adding noise.” All known DP techniques introduce a salient trade-off between the privacy parameter and the utility of the output of the computation. Smaller values of ϵ produce better privacy guarantees, but they require more noise and hence produce less-accurate outputs; larger values of ϵ yield worse privacy bounds, but they require less noise and hence deliver better accuracy.

For example, consider a poll, the goal of which is to predict who is going to win an election. The pollster and respondents are willing to sacrifice some accuracy in order to improve privacy. Suppose respondents P1, …, Pn have predictions x1, …, xn, respectively, where each xi is either 0 or 1. The poll is supposed to output a good estimate of p, which we use to denote the fraction of the parties who predict 1. The DP framework allows us to compute an accurate estimate and simultaneously to preserve each respondent’s “plausible deniability” about his or her true prediction by requiring each respondent to add noise before sending a response to the pollster.

PATE for ASR framework.png
Related content
Better differential privacy for end-to-end speech recognition
Private aggregation of teacher ensembles (PATE) leads to word error rate reductions of more than 26% relative to standard differential-privacy techniques.

We now provide a few more details of the polling example. Consider the algorithm m that takes as input a bit xi and flips a fair coin. If the coin comes up tails, then m outputs xi; otherwise m flips another fair coin and outputs 1 if heads and 0 if tails. This m is known as the randomized response mechanism; when the pollster asks Pi for a prediction, Pi responds with m(xi). Simple statistical calculation shows that, in the set of answers that the pollster receives from the respondents, the expected fraction that are 1’s is

Pr[First coin is tails] ⋅ p + Pr[First coin is heads] ⋅ Pr[Second coin is heads] = p/2 + 1/4.

Thus, the expected number of 1’s received is n(p/2 + 1/4). Let N = m(x1) + ⋅⋅⋅ + m(xn) denote the actual number of 1’s received; we approximate p by M(x1, …, xn) = 2N/n − 1/2. In fact, this approximation algorithm, M, is differentially private. Accuracy follows from the statistical calculation, and privacy follows from the “plausible deniability” provided by the fact that M outputs 1 with probability at least 1/4 regardless of the value of xi.

Differential privacy has dominated the study of privacy-preserving statistical computation since it was introduced in 2006 and is widely regarded as a fundamental breakthrough in both theory and practice. An excellent overview of algorithmic techniques in DP can be found in a monograph by Dwork and Roth. DP has been applied in many real-world applications, most notably the 2020 US Census.

The power and limitations of MPC and DP

We now review some of the strengths and weaknesses of these two approaches and highlight some key differences between them.

Secure multiparty computation

MPC has been extensively studied for more than 40 years, and there are powerful, general results showing that it can be done for all functions f using a variety of cryptographic and coding-theoretic techniques, system models, and adversary models.

Despite the existence of fully general, secure protocols, MPC has seen limited real-world deployment. One obstacle is protocol complexity — particularly the communication complexity of the most powerful, general solutions. Much current work on MPC addresses this issue.

A model consisting of two decision trees, one that imposes an age criterion and one that imposes a height criterion.
Related content
Machine learning models that act on encrypted data
A privacy-preserving version of the popular XGBoost machine learning algorithm would let customers feel even more secure about uploading sensitive data to the cloud.

More-fundamental questions that must be answered before MPC can be applied in a given scenario include the nature of the function f being computed and the information environment in which the computation is taking place. In order to explain this point, we first note that the set of participants in the MPC computation is not necessarily the same as the set of parties that receive the result of the computation. The two sets may be identical, one may be a proper subset of the other, they may have some (but not all) elements in common, or they may be entirely disjoint.

Although a secure MPC protocol (provably!) reveals nothing to the recipients about the private inputs except what can be inferred from the result, even that may be too much. For example, if the result is the number of votes for and votes against a proposition in a referendum, and the referendum passes unanimously, then the recipients learn exactly how each participant voted. The referendum authority can avoid revealing private information by using a different f, e.g., one that is “YES” if the number of votes for the proposition is at least half the number of participants and “NO” if it is less than half.

This simple example demonstrates a pervasive trade-off in privacy-preserving computation: participants can compute a function that is more informative if they are willing to reveal private information to the recipients in edge cases; they can achieve more privacy in edge cases if they are willing to compute a less informative function.

In addition to specifying the function f carefully, users of MPC must evaluate the information environment in which MPC is to be deployed and, in particular, must avoid the catastrophic loss of privacy that can occur when the recipients combine the result of the computation with auxiliary information. For example, consider the scenario in which the participants are all of the companies in a given commercial sector and metropolitan area, and they wish to use MPC to compute the total dollar loss that they (collectively) experienced in a given year that was attributable to data breaches; in this example, the recipients of the result are the companies themselves.

Classification and regression trees (CART)
Related content
Privacy challenges in extreme gradient boosting
Scientists describe the use of privacy-preserving machine learning to address privacy challenges in XGBoost training and prediction.

Suppose further that, during that year, one of the companies suffered a severe breach that was covered in the local media, which identified the company by name and reported an approximate dollar figure for the loss that the company suffered as a result of the breach. If that approximate figure is very close to the total loss imposed by data breaches on all the companies that year, then the participants can conclude that all but one of them were barely affected by data breaches that year.

Note that this potentially sensitive information is not leaked by the MPC protocol, which reveals nothing but the aggregate amount lost (i.e., the value of the function f). Rather, it is inferred by combining the result of the computation with information that was already available to the participants before the computation was done. The same risk that input privacy will be destroyed when results are combined with auxiliary information is posed by any computational method that reveals the exact value of the function f.

Differential privacy

The DP framework provides some elegant, simple mechanisms that can be applied to any function f whose output is a vector of real numbers. Essentially, one can independently perturb or “noise up” each component of f(x) by an appropriately defined random value. The amount of noise that must be added in order to hide the contribution (or, indeed, the participation) of any single data subject is determined by the privacy parameter and the maximum amount by which a single input can change the output of f. We explain one such mechanism in slightly more mathematical detail in the following paragraph.

One can apply the Laplace mechanism with privacy parameter ϵ to a function f, whose outputs are k-tuples of real numbers, by returning the value f(x1, …, xn) + (Y1, …, Yk) on input (x1, …, xn), where the Yi are independent random variables drawn from the Laplace distribution with parameter Δ(f)/ϵ. Here Δ(f) denotes the 1sensitivity of the function f, which captures the magnitude by which a single individual’s data can change the output of f in the worst case. The technical definition of the Laplace distribution is beyond the scope of this article, but for our purposes, its important property is that the Yi can be sampled efficiently.

Federated Learning Animation.gif
Related content
Advances in trustworthy machine learning at Alexa AI
The team’s latest research on privacy-preserving machine learning, federated learning, and bias mitigation.

Crucially, DP protects data contributors against privacy loss caused by post-processing computational results or by combining results with auxiliary information. The scenario in which privacy loss occurred when the output of an MPC protocol was combined with information from an existing news story could not occur in a DP application; moreover, no harm could be done by combining the result of a DP computation with auxiliary information in a future news story.

DP techniques also benefit from powerful composition theorems that allow separate differentially private algorithms to be combined in one application. In particular, the independent use of an ϵ1-differentially private algorithm and an ϵ2-differentially private algorithm, when taken together, is (ϵ1 + ϵ2)-differentially private.

One limitation on the applicability of DP is the need to add noise — something that may not be tolerable in some application scenarios. More fundamentally, the ℓ1 sensitivity of a function f, which yields an upper bound on the amount of noise that must be added to the output in order to achieve a given privacy parameter ϵ, also yields a lower bound. If the output of f is strongly influenced by the presence of a single outlier in the input, then it is impossible to achieve strong privacy and high accuracy simultaneously.

For example, consider the simple case in which f is the sum of all of the private inputs, and each input is an arbitrary positive integer. It is easy to see that the ℓ1 sensitivity is unbounded in this case; to hide the contribution or the participation of an individual whose data item strongly dominates those of all other individuals would require enough noise to render the output meaningless. If one can restrict all of the private inputs to a small interval [a,b], however, then the Laplace mechanism can provide meaningful privacy and accuracy.

DP was originally designed to compute statistical aggregates while preserving the privacy of individual data subjects; in particular, it was designed with real-valued functions in mind. Since then, researchers have developed DP techniques for non-numerical computations. For example, the exponential mechanism can be used to solve selection problems, in which both input and output are of arbitrary type.

SPHINCS+ procedure.jpg
Related content
Preparing today for a post-quantum cryptographic future
Amazon is helping develop standards for post-quantum cryptography and deploying promising technologies for customers to experiment with.

In specifying a selection problem, one must define a scoring function that maps input-output pairs to real numbers. For each input x, a solution y is better than a solution y′ if the score of (x,y) is greater than that of (x,y′). The exponential mechanism generally works well (i.e., achieves good privacy and good accuracy simultaneously) for selection problems (e.g., approval voting) that can be defined by scoring functions of low sensitivity but not for those (e.g., set intersection) in which the scoring function must have high sensitivity. In fact, there is no differentially private algorithm that works well for set intersection; by contrast, MPC for set intersection is a mature and practical technology that has seen real-world deployment.

Conclusion

In conclusion, both secure multiparty computation and differential privacy can be used to perform computations on sensitive data while preserving the privacy of those data. Important differences between the bodies of technique include

  • The nature of the privacy guarantee: Use of MPC to compute a function y = f(x1, x2, ..., xn) guarantees that the recipients of the result learn the output y and nothing more. For example, if there are exactly two input vectors that are mapped to y by f, the recipients of the output y gain no information about which of two was the actual input to the MPC computation, regardless of the number of components in which these two input vectors differ or the magnitude of the differences. On the other hand, for any third input vector that does not map to y, the recipient learns with certainty that the real input to the MPC computation was not this third vector, even if it differs from one of the first two in only one component and only by a very small amount. By contrast, computing f with a DP algorithm guarantees that, for any two input vectors that differ in only one component, the (randomized!) results of the computation are approximately indistinguishable, regardless of whether the exact values of f on these two input vectors are equal, nearly equal, or extremely different. Straightforward use of composition yields a privacy guarantee for inputs that differ in c components at the expense of increasing the privacy parameter by a factor of c.
  • Typical use cases: DP techniques are most often used to compute aggregate properties of very large datasets, and typically, the identities of data contributors are not known. None of these conditions is typical of MPC use cases.
  • Exact vs. noisy answers: MPC can be used to compute exact answers for all functions f. DP requires the addition of noise. This is not a problem in many statistical computations, but even small amounts of noise may not be acceptable in some application scenarios. Moreover, if f is extremely sensitive to outliers in the input data, the amount of noise needed to achieve meaningful privacy may preclude meaningful accuracy.
  • Auxiliary information: Combining the result of a DP computation with auxiliary information cannot result in privacy loss. By contrast, any computational method (including MPC) that returns the exact value y of a function f runs the risk that a recipient of y might be able to infer something about the input data that is not implied by y alone, if y is combined with auxiliary information.

Finally, we would like to point out that, in some applications, it is possible to get the benefits of both MPC and DP. If the goal is to compute f, and g is a differentially private approximation of f that achieves good privacy and accuracy simultaneously, then one natural way to proceed is to use MPC to compute g. We expect to see both MPC and DP used to enhance data privacy in Amazon’s products and services.

Research areas
Tags
About the Author
Joan Feigenbaum
Joan Feigenbaum is an Amazon Scholar and the Grace Murray Hopper professor of computer science at Yale University.
Mahnush Movahedi
Mahnush Movahedi is an applied scientist in Amazon Web Services' cryptography group.
Parker Newton
Parker Newton is an applied scientist in Amazon Web Services' cryptography group.

Related content

Work with us

See more jobs See more jobs
Applied Scientist, Fauna
US, NY, New York
We are seeking an Applied Scientist to lead the development of evaluation frameworks and data collection protocols for robotic capabilities. In this role, you will focus on designing how we measure, stress-test, and improve robot behavior across a wide range of real-world tasks. Your work will play a critical role in shaping how policies are validated and how high-quality datasets are generated to accelerate system performance. You will operate at the intersection of robotics, machine learning, and human-in-the-loop systems, building the infrastructure and methodologies that connect teleoperation, evaluation, and learning. This includes developing evaluation policies, defining task structures, and contributing to operator-facing interfaces that enable scalable and reliable data collection. The ideal candidate is highly experimental, systems-oriented, and comfortable working across software, robotics, and data pipelines, with a strong focus on turning ambiguous capability goals into measurable and actionable evaluation systems. Key job responsibilities - Design and implement evaluation frameworks to measure robot capabilities across structured tasks, edge cases, and real-world scenarios - Develop task definitions, success criteria, and benchmarking methodologies that enable consistent and reproducible evaluation of policies - Create and refine data collection protocols that generate high-quality, task-relevant datasets aligned with model development needs - Build and iterate on teleoperation workflows and operator interfaces to support efficient, reliable, and scalable data collection - Analyze evaluation results and collected data to identify performance gaps, failure modes, and opportunities for targeted data collection - Collaborate with engineering teams to integrate evaluation tooling, logging systems, and data pipelines into the broader robotics stack - Stay current with advances in robotics, evaluation methodologies, and human-in-the-loop learning to continuously improve internal approaches - Lead technical projects from conception through production deployment - Mentor junior scientists and engineers
Applied Scientist, Prime Video - Content Localization, Understanding & Enrichment
US, WA, Seattle
Prime Video is a first-stop entertainment destination offering customers a vast collection of premium programming in one app available across thousands of devices. Prime members can customize their viewing experience and find their favorite movies, series, documentaries, and live sports – including Amazon MGM Studios-produced series and movies; licensed fan favorites; and programming from Prime Video subscriptions such as Apple TV+, HBO Max, Peacock, Crunchyroll and MGM+. All customers, regardless of whether they have a Prime membership or not, can rent or buy titles via the Prime Video Store, and can enjoy even more content for free with ads. Are you interested in shaping the future of entertainment? Prime Video's technology teams are creating best-in-class digital video experience. As a Prime Video team member, you’ll have end-to-end ownership of the product, user experience, design, and technology required to deliver state-of-the-art experiences for our customers. You’ll get to work on projects that are fast-paced, challenging, and varied. You’ll also be able to experiment with new possibilities, take risks, and collaborate with remarkable people. We’ll look for you to bring your diverse perspectives, ideas, and skill-sets to make Prime Video even better for our customers. With global opportunities for talented technologists, you can decide where a career Prime Video Tech takes you! As an Applied Scientist, you will apply state of the art natural language processing and computer vision research to video centric digital media. We are looking for scientists with expertise in vision-language models/multimodal LLMs and long-form content understanding (full movies/episode vs. short clips). You will be dealing with architectures that handle long-context understanding and causal reasoning across extended temporal sequences. Key job responsibilities Our team builds multi-modal machine learning technologies to enrich and understand video content. We aim not only to understand individual components within the content itself, but also their relationships to each other to provide a holistic and broader contextual understanding. This powers the next generation of video understanding and search capabilities for Prime Video. About the team Prime Video's Content Localization, Understanding & Enrichment organization is responsible for 1) enabling Prime Video to "see" and "understand" video content including characters, scenes, dialogue, events & visual elements and 2) delivering localized, accessible content that meets a consistent cinematic quality standard at scale. This team's mission is to deeply understand all content and empower all customers with relevant language options, innovative accessibility assists, and rich title-information across all their content-experiences on Prime Video. We create and publish content on-time that's meaningful, accurate, and accessible to every customer globally. We delight our customers by pushing the boundaries of content understanding and enrichment. Through inclusion and innovation, we do the most fulfilling work of our career.
Sr Data Scientist, SPX AI Lab, SPX Science
US, WA, Seattle
Amazon Seller Assistant is our flagship GenAI-first, multi-agent system that reimagines Seller experience. Our vision is to provide each seller with a proactive, autonomous, agentic assistant that understands their business and helps them navigate the complexities of selling by anticipating their needs, surfacing insights, resolving issues, taking actions on their behalf, and helping them grow. Amazon Seller Assistant helps millions of sellers on Amazon serve billions of customers worldwide. We are seeking a world-class Senior Data Scientist to help define and build the next generation of Amazon Seller Assistant. You will partner with top-tier scientist, engineers and product teams to launch production-grade agentic capabilities at Amazon's scale — owning your problem space end-to-end, from a crisp customer insight to a shipped product that millions of sellers rely on. Key job responsibilities • Own the science vision, strategy, and roadmap for a key Seller Assistant capability area. • Define and ship agentic experiences — sub-agent onboarding, tool onboarding, evaluations— that solve hard seller problems at scale. • Partner with scientists and engineers to translate frontier AI research into production-grade features sellers trust and depend on. • Design rigorous evaluation frameworks — automated and human-in-the-loop — to measure agent quality, accuracy, and business impact. • Deep-dive into seller data, identify unmet needs, and write compelling PRFAQs that set the direction for your team. • Drive cross-functional alignment across science, engineering, UX, and business teams to deliver with speed and quality. About the team Amazon Seller Assistant team operates at the very frontier of agentic AI and agentic commerce — not as a research group, but as a team shipping production-grade, multi-agent systems used by millions of sellers worldwide. We move with the urgency of a startup and the resources of the world's most customer-obsessed company, the latest breakthroughs in science and engineering into capabilities that sellers rely on every day.
Applied SCI III - AMZ007408
US, NY, New York
MULTIPLE POSITIONS AVAILABLE Employer: Amazon Development Center U.S., Inc. Offered Position: Applied Scientist III - AMZ007408 Job Location: New York, NY Position Responsibilities: Participate in the design, development, evaluation, deployment, and updating of formal reasoning systems for security, privacy, and data protection applications. Drive technical and scientific innovation in security automation, data protection, and privacy-preserving technologies, with a focus on developing scalable solutions for cloud environments. Develop and/or apply formal verification techniques and automated theorem proving methods for different applications in cloud security and privacy. Collaborate with internal and external users to understand requirements and enhance formal verification and automated reasoning capabilities. Lead research and development efforts in AI security, specifically evaluate emerging threats and opportunities, including securing Generative AI systems and designing robust safeguards. Proactively identify and explore new opportunities for deploying and leveraging formal reasoning solutions across various domains.
Applied Science Manager, Center for Quantum Computing
US, CA, San Francisco
The Amazon Center for Quantum Computing (CQC) is seeking to hire an Applied Science Manager to lead a team of scientists in the physical design and simulation of superconducting quantum processors. In this role, you will use advanced modeling, simulation, and experimental design to drive improvements in scaling and performance. You will partner with other physics and engineering teams to advance the development of fault-tolerant quantum computers. Key job responsibilities - Hire Applied Scientists from diverse technical backgrounds to design quantum processors and improve the design process - Develop scientific talent through goal setting, feedback, collaborative work, and coaching - Collaborate with other science teams in designing experiments to overcome scaling and performance limitations - Influence engineering team development priorities in enabling systematic processor design and simulation workflows - Manage tactical and strategic initiatives with scientific projects pursued within team - Enable creative and innovative experimentation while striving for operational excellence About the team The Amazon Center for Quantum Computing (CQC) is a multi-disciplinary team of scientists, engineers, and technicians, on a mission to develop a fault-tolerant quantum computer. Inclusive Team Culture Here at Amazon, it’s in our nature to learn and be curious. Our employee-led affinity groups foster a culture of inclusion that empower us to be proud of our differences. Ongoing events and learning experiences, including our Conversations on Race and Ethnicity (CORE) and AmazeCon conferences, inspire us to never stop embracing our uniqueness. Diverse Experiences Amazon values diverse experiences. Even if you do not meet all of the preferred qualifications and skills listed in the job description, we encourage candidates to apply. If your career is just starting, hasn’t followed a traditional path, or includes alternative experiences, don’t let it stop you from applying. Mentorship & Career Growth We’re continuously raising our performance bar as we strive to become Earth’s Best Employer. That’s why you’ll find endless knowledge-sharing, mentorship and other career-advancing resources here to help you develop into a better-rounded professional. Work/Life Balance We value work-life harmony. Achieving success at work should never come at the expense of sacrifices at home, which is why we strive for flexibility as part of our working culture. When we feel supported in the workplace and at home, there’s nothing we can’t achieve in the cloud. Export Control Requirement Due to applicable export control laws and regulations, candidates must be either a U.S. citizen or national, U.S. permanent resident (i.e., current Green Card holder), or lawfully admitted into the U.S. as a refugee or granted asylum, or be able to obtain a US export license. If you are unsure if you meet these requirements, please apply and Amazon will review your application for eligibility.
Applied Scientist, AWS Automated Reasoning
GB, London
The Agentic Automated Reasoning Group is building the next generation of software verification tools combining advances in artificial intelligence, the computational capacity of the cloud, and our deep expertise in the domain. Join us if you want to be a part of this transformational endeavor. The Strata team (https://github.com/strata-org) is seeking an applied scientist with broad interest and expertise in model checking, interactive theorem proving, programming language semantics, and generative AI. You will combine your expertise with that of your coworkers to build new tools that solve code analysis problems previously considered beyond reach. Our application areas span all the way from Infrastructure as Code to high-performance cryptography written in assembly code, while our methods span from interactive theorem proving to automated test generation. Each day, hundreds of thousands of developers make billions of transactions worldwide on AWS. They harness the power of the cloud to enable innovative applications, websites, and businesses. Using automated reasoning technology and mathematical proofs, AWS allows customers to answer questions about security, availability, durability, and functional correctness. We call this provable security, absolute assurance in security of the cloud and in the cloud. https://aws.amazon.com/security/provable-security/ Key job responsibilities Work with customer teams to understand the nature of their software and the properties they need to establish of it. Identify tools and methods capable of addressing the verification needs of customers, including any novel analysis capabilities required. Use techniques spanning property-based testing to model checkers, and interactive theorem provers to establish program properties. Explore generative AI techniques to help customers formalize their requirements, find revealing tests, generate required boiler plate for testing and model checking, and find and repair program proofs. About the team The Agentic Automated Reasoning Group at AWS develops and applies state of the art formal methods and automated reasoning techniques to ensure the security, reliability, and correctness of AWS services and customer applications, with a strong focus on AI based agents. Our work innovates tools and services to perform verification at scale and apply them to build safe and secure systems at AWS. We are also pioneering the use of formal verification and automated reasoning to develop agentic systems, ensuring AI agents operate within defined safety boundaries.
Member of Technical Staff, FAR (Frontier AI & Robotics)
US, CA, San Francisco
Join the next revolution in robotics at Amazon's Frontier AI & Robotics team, where you'll work alongside world-renowned AI pioneers to lead key initiatives in robotic intelligence. As a Member of Technical Staff, you'll spearhead the development of breakthrough foundation models that enable robots to perceive, understand, and interact with the world in unprecedented ways. You'll drive technical excellence in areas such as perception, manipulation, science understanding, sim2real transfer, multi-modal foundation models, and multi-task learning, designing novel algorithms that bridge the gap between state-of-the-art research and real-world deployment at Amazon scale. In this role, you'll combine hands-on technical work with scientific leadership, ensuring your team delivers robust solutions for dynamic real-world environments. You'll leverage Amazon's vast computational resources to tackle ambitious problems in areas like very large multi-modal robotic foundation models and efficient, promptable model architectures that can scale across diverse robotic applications. Key job responsibilities - Lead technical initiatives in robotics foundation models, driving breakthrough approaches through hands-on research and development in areas like open-vocabulary panoptic scene understanding, scaling up multi-modal LLMs, sim2real/real2sim techniques, end-to-end vision-language-action models, efficient model inference, video tokenization - Design and implement novel deep learning architectures that push the boundaries of what robots can understand and accomplish - Guide technical direction for specific research initiatives, ensuring robust performance in production environments - Mentor and support fellow scientists while maintaining strong individual technical contributions - Collaborate with engineering teams to optimize and scale models for real-world applications - Influence technical decisions and implementation strategies within your area of focus A day in the life - Develop and implement novel foundation model architectures, working hands-on with our extensive compute infrastructure - Guide and support fellow scientists in solving complex technical challenges, from sim2real transfer to efficient multi-task learning - Lead focused technical initiatives from conception through deployment, ensuring successful integration with production systems - Drive technical discussions within your team and with key stakeholders - Conduct experiments and prototype new ideas using our massive compute cluster - Mentor team members while maintaining significant hands-on contribution to technical solutions Amazon offers a full range of benefits that support you and eligible family members, including domestic partners and their children. Benefits can vary by location, the number of regularly scheduled hours you work, length of employment, and job status such as seasonal or temporary employment. The benefits that generally apply to regular, full-time employees include: 1. Medical, Dental, and Vision Coverage 2. Maternity and Parental Leave Options 3. Paid Time Off (PTO) 4. 401(k) Plan If you are not sure that every qualification on the list above describes you exactly, we'd still love to hear from you! At Amazon, we value people with unique backgrounds, experiences, and skillsets. If you’re passionate about this role and want to make an impact on a global scale, please apply! About the team At Frontier AI & Robotics, we're not just advancing robotics – we're reimagining it from the ground up. Our team is building the future of intelligent robotics through ground breaking foundation models and end-to-end learned systems. We tackle some of the most challenging problems in AI and robotics, from developing sophisticated perception systems to creating adaptive manipulation strategies that work in complex, real-world scenarios. What sets us apart is our unique combination of ambitious research vision and practical impact. We leverage Amazon's massive computational infrastructure and rich real-world datasets to train and deploy state-of-the-art foundation models. Our work spans the full spectrum of robotics intelligence – from multimodal perception using images, videos, and sensor data, to sophisticated manipulation strategies that can handle diverse real-world scenarios. We're building systems that don't just work in the lab, but scale to meet the demands of Amazon's global operations. Join us if you're excited about pushing the boundaries of what's possible in robotics, working with world-class researchers, and seeing your innovations deployed at unprecedented scale.
Applied Scientist II, Demand Enablement, Product Analytics and Operations
US, NY, New York
In this role, you will design and build intelligent multi-agent systems that automate root cause analysis for advertising campaign delivery at scale. You will architect agentic orchestration patterns where specialized sub-agents (campaign diagnostics, deal-level troubleshooting, pacing control) are invoked as composable tools by a reasoning layer that determines which subsystems to query based on the nature of the issue. You will develop hierarchical analysis frameworks that move from daily trend detection to intra-day anomaly isolation, enabling the system to pinpoint when and why delivery degraded rather than relying on static time windows. You will build self-learning feedback loops where the system identifies recurring failure signatures (auction dynamics, pacing anomalies, supply contention), updates its diagnostic knowledge as engineering teams deploy fixes, and retires stale patterns automatically. We are looking for a passionate Applied Scientist with technical expertise in LLM-based agent architectures, retrieval-augmented generation, time-series anomaly detection, and production ML systems. In addition to hands-on experience building agentic AI solutions, an ideal candidate should demonstrate the ability to translate complex distributed system behaviors into structured diagnostic reasoning, show a willingness to push the boundaries of how LLMs interact with real-time operational data, and thrive in an environment where you ship production systems that directly reduce advertiser escalation time from days to minutes. Key job responsibilities * Conduct deep data analysis to derive insights for the business, identify gaps, and uncover new opportunities. * Develop scalable and effective machine learning models and optimization strategies to solve business problems. * Run regular A/B experiments, gather data, and perform statistical analysis to optimize advertiser experiences. * Collaborate closely with software engineers to deliver end-to-end solutions into production. * Enhance the scalability, efficiency, and automation of large-scale data analytics, model training, deployment, and serving. * Research and implement new machine learning models and techniques to improve advertising performance. A day in the life Your primary focus is building a multi-agent diagnostic system that automates root cause analysis for advertising campaign delivery issues. On a typical day, you might review how the system handled recent escalations, identify where it reasoned incorrectly, adjust orchestration logic, and write new evaluation cases. You will design agent architectures that invoke specialized sub-agents as tools, build hierarchical analysis frameworks that move from trend detection to anomaly isolation, and develop self-learning loops that keep the system's diagnostic knowledge current as the underlying platform evolves. You will work closely with SDEs building the diagnostic platform, product managers defining the troubleshooting experience, and the support teams who rely on your system to resolve advertiser delivery issues in minutes instead of days. Beyond the core agent work, you may find yourself diving into causal inference to measure recommendation effectiveness, prototyping proactive anomaly detection, or contributing to evaluation science for systems that reason over complex operational data. About the team The Demand Enablement, Product Analytics and Operations team builds the diagnostic and intelligence layer for Amazon DSP, the demand-side platform powering Amazon's programmatic advertising business. We own the systems that detect, diagnose, and surface delivery issues across campaigns, giving internal teams and advertisers the visibility to act before problems impact spend. Our product portfolio spans automated troubleshooting platforms, advertiser-facing delivery insights, and AI-powered root cause analysis using multi-agent architectures on foundation models. We are a small, high-ownership team that ships production systems end-to-end, from data pipelines processing billions of bid events to LLM-based agents that reason over complex advertising systems. If you want to work at the intersection of applied science, distributed systems observability, and real business impact measured in advertiser dollars recovered, this is the team.
Research Scientist II, WW Sustainability
US, WA, Seattle
Join us at the forefront of Amazon's sustainability initiatives to work on environmental and social advancements that support Amazon's long-term worldwide sustainability strategy. At Amazon, we're working to be the most customer-centric company on earth. To get there, we need exceptionally talented, bright, and driven people who are passionate about making a meaningful impact on communities and the environment while helping shape the future of sustainable business practices. Sustainability Science and Innovation (SSI) is a multi-disciplinary team within WW Sustainability combining science, analytics, economics, statistics, machine learning, product development, and engineering expertise. We use data across the sustainability imperatives (carbon, water, waste, biodiversity, environmental risk and more) and these skills and capabilities to identify, develop, experiment, and scale the scientific solutions and innovations necessary for Amazon, customers and partners to help them solve their hardest unmet and evolving sustainability needs and goals. The Worldwide Sustainability (WWS) organization is seeking an exceptional scientific leader to join Amazon's Sustainability Science and Innovation team as a Researcher Scientist for Materials Chemistry Innovation. This role focuses on hands-on experimental research in materials chemistry to accelerate the discovery and validation of sustainable materials through systematic synthesis, characterization, and performance testing. You will lead the design and execution of experimental research campaigns targeting catalysts, functional materials, and sustainability-relevant chemistries across multivariate parameter spaces. You will establish scientific strategy and technical roadmaps for materials discovery while leading research initiatives that tackle complex sustainability challenges in critical industrial sectors. This position requires driving breakthrough solutions in materials synthesis and characterization through internal capabilities and strategic partnerships with universities, industry scientists, and government laboratories. You will mentor junior scientists and engineers while collaborating across Amazon's Innovation Lab Network to translate research into scalable solutions. Your leadership will be essential in developing early-stage, cost-effective materials that address significant technical and economic challenges fundamental to Amazon's operations, requiring you to navigate complex trade-offs between immediate deliverables and long-term environmental impact. You will also shape how emerging automation and AI tools are applied to accelerate materials discovery workflows. The ideal candidate demonstrates extensive experience in materials synthesis, advanced characterization techniques, and systematic experimental design for performance validations. You must possess proven ability to lead cross-functional teams, establish research priorities, and drive scientific innovation from concept to implementation. Deep technical expertise in materials testing methods, combined with strategic vision for translating research into practical applications is essential. Experience with high-throughput and combinatorial experimental approaches to efficiently explore large design spaces is highly valued. Your work will establish new paradigms in sustainable materials discovery through rigorous experimental research and performance testing, directly contributing to Amazon's sustainability goals while creating scalable solutions that extend beyond the company's immediate operations. Key job responsibilities - Develop scientific models that help solve complex and ambiguous sustainability problems, and extract strategic learnings from large datasets. - Work closely with applied scientists and software engineers to implement your scientific models. - Support early-stage strategic sustainability initiatives and effectively learn from, collaborate with, and influence stakeholders to scale-up high-value initiatives. - Support research and development of cross-cutting technologies for industrial decarbonization, including building the data foundation and analytics for new AI models. - Drive innovation in key focus areas including packaging materials, building materials, and alternative fuels. About the team Diverse Experiences: World Wide Sustainability (WWS) values diverse experiences. Even if you do not meet all of the qualifications and skills listed in the job description, we encourage candidates to apply. If your career is just starting, hasn’t followed a traditional path, or includes alternative experiences, don’t let it stop you from applying. Inclusive Team Culture: It’s in our nature to learn and be curious. Our employee-led affinity groups foster a culture of inclusion that empower us to be proud of our differences. Ongoing events and learning experiences, including our Conversations on Race and Ethnicity (CORE) and AmazeCon conferences, inspire us to never stop embracing our uniqueness. Mentorship & Career Growth: We’re continuously raising our performance bar as we strive to become Earth’s Best Employer. That’s why you’ll find endless knowledge-sharing, mentorship and other career-advancing resources here to help you develop into a better-rounded professional.
Sr Manager, Applied Science, AWS Compliance & Security Assurance
US, NY, New York
About the Team Our team builds and operates automated reasoning technology that powers security and privacy assurance across Amazon and AWS at scale. Our technology is deeply integrated into critical Amazon and AWS security workflows. We operate at the intersection of automated reasoning, program analysis, and applied security — and our work directly impacts the security posture of every AWS service. About the Role We are looking for an experienced Applied Science Manager to lead the team's static analysis platform science team. In this role, you will own the technical vision and roadmap for our automated reasoning engine's static analysis capabilities, drive innovation in scalable program analysis, and lead a team of applied scientists working at the frontier of automated reasoning for security while also contributing technically as a player/coach. You will partner closely with security, privacy, and compliance stakeholders across AWS to expand the reach and impact of provably correct code analysis. You will also partner closely with automated reasoning experts across the company and contribute to the science of security Key job responsibilities Technical Leadership: Own the science roadmap for our automated reasoning engine, including taint analysis, compositional heap analysis, modular method summarization, and dataflow graph generation Hands-on Contribution: Personally contribute to key research and design decisions, including prototyping novel analyses and reviewing technical artifacts Team Building & Management: Hire, develop, and retain a world-class team of applied scientists; foster a culture of scientific rigor, innovation, and operational excellence Product Integration: Partner with application security and service teams to expand our platform's integration footprint and deliver new security and privacy analysis capabilities Research & Innovation: Advance the state of the art in static program analysis, including exploring formal verification of analysis correctness (e.g., using Lean, Coq, or Dafny), expanding language support beyond Java, and developing novel analysis techniques for emerging security properties Stakeholder Engagement: Collaborate with AWS AppSec, Privacy Engineering, and service teams to understand their security assurance needs and translate them into analysis capabilities Strategic Influence: Represent our team in the broader Automated Reasoning community at Amazon; contribute to automated reasoning initiatives, and academic partnerships About the team Our team builds and operates automated reasoning technology that powers security and privacy assurance across Amazon and AWS at scale. Our automated reasoning engine is the core technology behind our managed dataflow mapping service, which automatically tracks how data flows through AWS service teams’ code and infrastructure. Our technology is deeply integrated into critical Amazon and AWS security workflows. We operate at the intersection of automated reasoning, program analysis, and applied security — and our work directly impacts the security posture of every AWS service. Diverse Experiences Amazon Security values diverse experiences. Even if you do not meet all of the qualifications and skills listed in the job description, we encourage candidates to apply. If your career is just starting, hasn’t followed a traditional path, or includes alternative experiences, don’t let it stop you from applying. Why Amazon Security? At Amazon, security is central to maintaining customer trust and delivering delightful customer experiences. Our organization is responsible for creating and maintaining a high bar for security across all of Amazon’s products and services. We offer talented security professionals the chance to accelerate their careers with opportunities to build experience in a wide variety of areas including cloud, devices, retail, entertainment, healthcare, operations, and physical stores. Inclusive Team Culture In Amazon Security, it’s in our nature to learn and be curious. Ongoing DEI events and learning experiences inspire us to continue learning and to embrace our uniqueness. Addressing the toughest security challenges requires that we seek out and celebrate a diversity of ideas, perspectives, and voices. Training & Career Growth We’re continuously raising our performance bar as we strive to become Earth’s Best Employer. That’s why you’ll find endless knowledge-sharing, training, and other career-advancing resources here to help you develop into a better-rounded professional. Work/Life Balance We value work-life harmony. Achieving success at work should never come at the expense of sacrifices at home, which is why flexible work hours and arrangements are part of our culture. When we feel supported in the workplace and at home, there’s nothing we can’t achieve.
See more jobs
View from space of a connected network around planet Earth representing the Internet of Things.
Get more from Amazon Science
Subscribe to our newsletter

Amazon.com | Conditions of Use | Privacy | © 1996-2026 Amazon.com, Inc. or its affiliates

Social