⚠ī¸ CRITICAL HARDWARE REQUIREMENT

DGX Spark with GB10 chip does NOT support confidential computing.

Cerumbra requires hardware with Trusted Execution Environment (TEE) support:

  • ✅ NVIDIA H100 GPUs (Hopper architecture)
  • ✅ Compatible CPU with AMD SEV-SNP or Intel TDX

Current Status: Waiting for compatible hardware to become available for production deployment.

The DGX Spark GB10 system cannot provide hardware-backed confidential computing.
NVIDIA Developer Forum Reference

The current implementation runs in simulation mode for protocol development and testing.

End-to-End Encrypted Conversations with GPUs

Cerumbra enables private, secure AI inference using browser-to-TEE encryption

Try the Demo

What is Cerumbra?

Cerumbra is a protocol for end-to-end encrypted conversations with GPU-accelerated AI models running in Trusted Execution Environments (TEEs). It ensures that your prompts and the model's responses remain private and secure throughout the entire inference process.

⚠ī¸ Hardware Development Note: This project is currently waiting for hardware that supports confidential computing. The NVIDIA DGX Spark with GB10 does not support the required Trusted Execution Environment features. Production deployment requires NVIDIA H100 GPUs with compatible TEE-enabled CPUs (AMD SEV-SNP or Intel TDX).

🔒

End-to-End Encryption

Your data is encrypted from browser to GPU TEE, ensuring complete privacy (requires H100 hardware)

✓

Remote Attestation

Cryptographically verify that your inference runs in a genuine TEE (requires H100 hardware)

⚡

GPU Acceleration

Leverage NVIDIA H100 TEE for high-performance encrypted inference

🌐

Decentralized Network

Foundation for the decentralized Cerumbra Network

Architecture

Cerumbra implements a secure communication protocol between browsers and GPU TEEs:

1

Browser Client

Web browser generates an ephemeral key pair using Web Crypto API

→
2

TEE Attestation

GPU TEE provides cryptographic proof of its authenticity and integrity

→
3

Key Exchange

ECDH key exchange establishes a shared secret between browser and TEE

→
4

Encrypted Inference

Prompts are encrypted, processed in TEE, and responses streamed back securely

Technology Stack

  • Browser Crypto: Web Crypto API for ECDH key generation and AES-GCM encryption
  • TEE: NVIDIA Blackwell Trusted Execution Environment
  • Attestation: Remote attestation protocol with certificate chain verification
  • Transport: WebSocket for low-latency streaming responses

Security Model

Cerumbra's security guarantees are based on multiple layers of protection:

🔐 Cryptographic Guarantees

  • Forward Secrecy: Each session uses ephemeral keys that are never stored
  • Authenticated Encryption: AES-256-GCM provides both confidentiality and authenticity
  • Key Derivation: HKDF derives session keys from ECDH shared secret

🛡ī¸ TEE Protection

  • Memory Encryption: All data in GPU memory is encrypted by hardware
  • Isolated Execution: Code runs in hardware-isolated environment
  • Attestation: Remote parties can verify TEE authenticity and integrity

🔍 Threat Model

  • Protected Against: Network eavesdropping, server operators, cloud providers
  • Assumptions: TEE hardware and attestation infrastructure are trustworthy
  • Out of Scope: Physical attacks, side-channel attacks on TEE

⚠ī¸ Security Considerations

  • Certificate Validation: Always verify TEE attestation certificates against known roots
  • Nonce Freshness: Use cryptographically random nonces for each session
  • Key Rotation: Consider rotating session keys for long-running conversations

Attestation Flow

Remote attestation is the cornerstone of Cerumbra's security, allowing browsers to verify they're communicating with a genuine TEE.

Step 1: Attestation Request

Browser sends a challenge nonce to the TEE

{
  "type": "attestation_request",
  "nonce": "<random_bytes>"
}

Step 2: TEE Quote Generation

TEE generates a cryptographic quote including:

  • Hardware measurements (PCRs)
  • TEE public key
  • Challenge nonce
  • Signature from TEE hardware

Step 3: Certificate Chain

TEE provides certificate chain linking quote to hardware root of trust:

  • TEE Signing Certificate
  • Intermediate CA Certificates
  • Hardware Root Certificate

Step 4: Verification

Browser verifies:

  • Certificate chain is valid
  • Quote signature is correct
  • Nonce matches request
  • Measurements match expected values

Example Attestation Verification

async function verifyAttestation(quote, certChain, expectedNonce) {
    // 1. Verify certificate chain
    await verifyCertificateChain(certChain);
    
    // 2. Extract TEE public key from certificate
    const teePublicKey = extractPublicKey(certChain[0]);
    
    // 3. Verify quote signature
    const quoteValid = await crypto.subtle.verify(
        { name: "ECDSA", hash: "SHA-256" },
        teePublicKey,
        quote.signature,
        quote.data
    );
    
    // 4. Verify nonce freshness
    if (quote.nonce !== expectedNonce) {
        throw new Error("Nonce mismatch");
    }
    
    // 5. Verify measurements
    verifyMeasurements(quote.measurements);
    
    return teePublicKey;
}

Interactive Demo (Simulation Mode)

ℹī¸ Simulation Mode: This demo runs in simulation mode since compatible hardware (H100 GPUs with TEE-enabled CPUs) is not yet available. It demonstrates the complete protocol flow from key exchange to encrypted inference, but does not use actual hardware TEE attestation.

Experience Cerumbra's end-to-end encryption protocol in action. This demo simulates the complete flow from key exchange to encrypted inference.

Connection Status

Not Connected
Use ?server=ws://host:port in the URL to preconfigure.

Cryptographic State

Not generated
Not received
Not established
Not verified
gpt-oss-20b

Encrypted Conversation

Enter a prompt to start an encrypted inference...

Protocol Logs

Waiting for connection...

Implementation Guide

Get started with Cerumbra in your own applications:

1. Browser-Side Setup

// Generate ephemeral key pair
const keyPair = await crypto.subtle.generateKey(
    { name: "ECDH", namedCurve: "P-256" },
    true,
    ["deriveKey", "deriveBits"]
);

// Export public key for TEE
const publicKeyJwk = await crypto.subtle.exportKey("jwk", keyPair.publicKey);

2. Attestation Verification

// Request attestation from TEE
const attestation = await requestAttestation(nonce);

// Verify TEE authenticity
const teePublicKey = await verifyAttestation(
    attestation.quote,
    attestation.certChain,
    nonce
);

3. Key Exchange

// Perform ECDH key exchange
const sharedSecret = await crypto.subtle.deriveBits(
    { name: "ECDH", public: teePublicKey },
    keyPair.privateKey,
    256
);

// Derive encryption key
const encryptionKey = await crypto.subtle.importKey(
    "raw",
    await hkdf(sharedSecret, "cerumbra-v1"),
    { name: "AES-GCM" },
    false,
    ["encrypt", "decrypt"]
);

4. Encrypted Inference

// Encrypt prompt
const iv = crypto.getRandomValues(new Uint8Array(12));
const encryptedPrompt = await crypto.subtle.encrypt(
    { name: "AES-GCM", iv },
    encryptionKey,
    encoder.encode(prompt)
);

// Send to TEE
await sendEncrypted({ iv, data: encryptedPrompt });

Cerumbra Network

Cerumbra is designed as the foundation for a decentralized network of encrypted AI inference providers:

🌐 Decentralized

Anyone can run a Cerumbra node with compatible TEE hardware

🔍 Verifiable

All nodes provide cryptographic proof of their TEE configuration

💰 Incentivized

Node operators are compensated for providing private inference

🔒 Private by Default

End-to-end encryption ensures privacy across the entire network

Roadmap

  • Phase 1 (Current): Protocol specification and demo implementation
  • Phase 2: Production TEE integration with NVIDIA Blackwell
  • Phase 3: Network protocol and node discovery
  • Phase 4: Tokenomics and incentive mechanism
  • Phase 5: Multi-model support and governance