Enclaves have a property that allows the hardware to compute a measurement (a cryptographic hash) of everything running inside it, such as the firmware, system software such as the operating system and drivers, the application code, the security configuration. This is signed by the hardware manufacturer (Intel/AMD + NVIDIA).

Then, verification involves a three part approach. Disclaimer: I'm the cofounder of Tinfoil: https://tinfoil.sh/, we also run inference inside secure enclaves. So I'll explain this as we do it.

First, you open source the code that's running in the enclave, and pin a commitment to it to a transparency log (in our case, Sigstore).

Then, when a client connects to the server (that's running in the enclave), the enclave computes the measurement of its current state and returns that to the client. This process is called remote attestation.

The client then fetches the pinned measurements from Sigstore and compares it against the fetched measurements from the enclave. This guarantees that the code running in the enclave is the same as the code that was committed to publicly.

So if someone claimed they were only analyzing aggregated metrics, they could not suddenly start analyzing individual request metrics because the code would change -> hash changes -> verification fails.

The model is running in a secure enclave that spans the GPU using NVIDIA Confidential Computing: https://www.nvidia.com/en-us/data-center/solutions/confident.... The connection is encrypted with a key that is only accessible inside the enclave.

Within the enclave itself, DRAM and PCIe connections between the CPU and GPU are encrypted, but the CPU registers and the GPU onboard memory are plaintext. So the computation is happening on plaintext data, it’s just extremely difficult to access it from even the machine running the enclave.

Arguably this is less useful for consumer hardware in the first place. This is mostly useful when I don’t trust the service provider with my data but still need to use their services (casting my vote, encrypted inference, and so forth)

Most people outside of a narrow set of cryptography engineers are unfamiliar with the term anonymous credentials, while age and identity verification are two privacy-invasive requirements that are being heavily discussed and rapidly being written into laws lately. The post's intro discusses both quite heavily, and they form the author's entire motivation for writing the post.

The central question the post attempts to answer is "The problem for today is: how do we live in a world with routine age-verification and human identification, without completely abandoning our privacy?"

My rephrase is an attempt to surface that, compared to the dry and academic title that will get overlooked. I think this is a very important topic these days where we are rapidly ceding are privacy to at best, confused and at worst, malicious regulations.