End-to-End Encrypted Conversations with GPUs

Cerumbra enables private, secure AI inference using browser-to-TEE encryption

Try the Demo

What is Cerumbra?

Cerumbra is a revolutionary protocol for end-to-end encrypted conversations with GPU-accelerated AI models running in Trusted Execution Environments (TEEs). It ensures that your prompts and the model's responses remain private and secure throughout the entire inference process.

🔒

End-to-End Encryption

Your data is encrypted from browser to GPU TEE, ensuring complete privacy

Remote Attestation

Cryptographically verify that your inference runs in a genuine TEE

GPU Acceleration

Leverage NVIDIA Blackwell TEE for high-performance encrypted inference

🌐

Decentralized Network

Foundation for the decentralized Cerumbra Network

Architecture

Cerumbra implements a secure communication protocol between browsers and GPU TEEs:

1

Browser Client

Web browser generates an ephemeral key pair using Web Crypto API

2

TEE Attestation

GPU TEE provides cryptographic proof of its authenticity and integrity

3

Key Exchange

ECDH key exchange establishes a shared secret between browser and TEE

4

Encrypted Inference

Prompts are encrypted, processed in TEE, and responses streamed back securely

Technology Stack

  • Browser Crypto: Web Crypto API for ECDH key generation and AES-GCM encryption
  • TEE: NVIDIA Blackwell Trusted Execution Environment
  • Attestation: Remote attestation protocol with certificate chain verification
  • Transport: WebSocket for low-latency streaming responses

Security Model

Cerumbra's security guarantees are based on multiple layers of protection:

🔐 Cryptographic Guarantees

  • Forward Secrecy: Each session uses ephemeral keys that are never stored
  • Authenticated Encryption: AES-256-GCM provides both confidentiality and authenticity
  • Key Derivation: HKDF derives session keys from ECDH shared secret

🛡️ TEE Protection

  • Memory Encryption: All data in GPU memory is encrypted by hardware
  • Isolated Execution: Code runs in hardware-isolated environment
  • Attestation: Remote parties can verify TEE authenticity and integrity

🔍 Threat Model

  • Protected Against: Network eavesdropping, server operators, cloud providers
  • Assumptions: TEE hardware and attestation infrastructure are trustworthy
  • Out of Scope: Physical attacks, side-channel attacks on TEE

⚠️ Security Considerations

  • Certificate Validation: Always verify TEE attestation certificates against known roots
  • Nonce Freshness: Use cryptographically random nonces for each session
  • Key Rotation: Consider rotating session keys for long-running conversations

Attestation Flow

Remote attestation is the cornerstone of Cerumbra's security, allowing browsers to verify they're communicating with a genuine TEE.

Step 1: Attestation Request

Browser sends a challenge nonce to the TEE

{
  "type": "attestation_request",
  "nonce": "<random_bytes>"
}

Step 2: TEE Quote Generation

TEE generates a cryptographic quote including:

  • Hardware measurements (PCRs)
  • TEE public key
  • Challenge nonce
  • Signature from TEE hardware

Step 3: Certificate Chain

TEE provides certificate chain linking quote to hardware root of trust:

  • TEE Signing Certificate
  • Intermediate CA Certificates
  • Hardware Root Certificate

Step 4: Verification

Browser verifies:

  • Certificate chain is valid
  • Quote signature is correct
  • Nonce matches request
  • Measurements match expected values

Example Attestation Verification

async function verifyAttestation(quote, certChain, expectedNonce) {
    // 1. Verify certificate chain
    await verifyCertificateChain(certChain);
    
    // 2. Extract TEE public key from certificate
    const teePublicKey = extractPublicKey(certChain[0]);
    
    // 3. Verify quote signature
    const quoteValid = await crypto.subtle.verify(
        { name: "ECDSA", hash: "SHA-256" },
        teePublicKey,
        quote.signature,
        quote.data
    );
    
    // 4. Verify nonce freshness
    if (quote.nonce !== expectedNonce) {
        throw new Error("Nonce mismatch");
    }
    
    // 5. Verify measurements
    verifyMeasurements(quote.measurements);
    
    return teePublicKey;
}

Interactive Demo

Experience Cerumbra's end-to-end encryption in action. This demo simulates the complete flow from key exchange to encrypted inference.

Connection Status

Not Connected
Use ?server=ws://host:port in the URL to preconfigure.

Cryptographic State

Not generated
Not received
Not established
Not verified

Encrypted Conversation

Enter a prompt to start an encrypted inference...

Protocol Logs

Waiting for connection...

Implementation Guide

Get started with Cerumbra in your own applications:

1. Browser-Side Setup

// Generate ephemeral key pair
const keyPair = await crypto.subtle.generateKey(
    { name: "ECDH", namedCurve: "P-256" },
    true,
    ["deriveKey", "deriveBits"]
);

// Export public key for TEE
const publicKeyJwk = await crypto.subtle.exportKey("jwk", keyPair.publicKey);

2. Attestation Verification

// Request attestation from TEE
const attestation = await requestAttestation(nonce);

// Verify TEE authenticity
const teePublicKey = await verifyAttestation(
    attestation.quote,
    attestation.certChain,
    nonce
);

3. Key Exchange

// Perform ECDH key exchange
const sharedSecret = await crypto.subtle.deriveBits(
    { name: "ECDH", public: teePublicKey },
    keyPair.privateKey,
    256
);

// Derive encryption key
const encryptionKey = await crypto.subtle.importKey(
    "raw",
    await hkdf(sharedSecret, "cerumbra-v1"),
    { name: "AES-GCM" },
    false,
    ["encrypt", "decrypt"]
);

4. Encrypted Inference

// Encrypt prompt
const iv = crypto.getRandomValues(new Uint8Array(12));
const encryptedPrompt = await crypto.subtle.encrypt(
    { name: "AES-GCM", iv },
    encryptionKey,
    encoder.encode(prompt)
);

// Send to TEE
await sendEncrypted({ iv, data: encryptedPrompt });

Cerumbra Network

Cerumbra is designed as the foundation for a decentralized network of encrypted AI inference providers:

🌐 Decentralized

Anyone can run a Cerumbra node with compatible TEE hardware

🔍 Verifiable

All nodes provide cryptographic proof of their TEE configuration

💰 Incentivized

Node operators are compensated for providing private inference

🔒 Private by Default

End-to-end encryption ensures privacy across the entire network

Roadmap

  • Phase 1 (Current): Protocol specification and demo implementation
  • Phase 2: Production TEE integration with NVIDIA Blackwell
  • Phase 3: Network protocol and node discovery
  • Phase 4: Tokenomics and incentive mechanism
  • Phase 5: Multi-model support and governance