'My Words Are Like an Uncontrollable Dog': On Life with Nonfluent Aphasia (thereader.mitpress.mit.edu)

Hello HN! We’re Tanya, Sacha, Jules and Nate from Tinfoil: https://tinfoil.sh. We host models and AI workloads on the cloud while guaranteeing zero data access and retention. This lets us run open-source LLMs like Llama, or Deepseek R1 on cloud GPUs without you having to trust us—or any cloud provider—with private data.

Since AI performs better the more context you give it, we think solving AI privacy will unlock more valuable AI applications, just how TLS on the Internet enabled e-commerce to flourish knowing that your credit card info wouldn't be stolen by someone sniffing internet packets.

We come from backgrounds in cryptography, security, and infrastructure. Jules did his PhD in trusted hardware and confidential computing at MIT, and worked with NVIDIA and Microsoft Research on the same, Sacha did his PhD in privacy-preserving cryptography at MIT, Nate worked on privacy tech like Tor, and I (Tanya) was on Cloudflare's cryptography team. We were unsatisfied with band-aid techniques like PII redaction (which is actually undesirable in some cases like AI personal assistants) or “pinky promise” security through legal contracts like DPAs. We wanted a real solution that replaced trust with provable security.

Running models locally or on-prem is an option, but can be expensive and inconvenient. Fully Homomorphic Encryption (FHE) is not practical for LLM inference for the foreseeable future. The next best option is using secure enclaves: a secure environment on the chip that no other software running on the host machine can access. This lets us perform LLM inference in the cloud while being able to prove that no one, not even Tinfoil or the cloud provider, can access the data. And because these security mechanisms are implemented in hardware, there is minimal performance overhead.

Even though we (Tinfoil) control the host machine, we do not have any visibility into the data processed inside of the enclave. At a high level, a secure enclave is a set of cores that are reserved, isolated, and locked down to create a sectioned off area. Everything that comes out of the enclave is encrypted: memory and network traffic, but also peripheral (PCIe) traffic to other devices such as the GPU. These encryptions are performed using secret keys that are generated inside the enclave during setup, which never leave its boundaries. Additionally, a “hardware root of trust” baked into the chip lets clients check security claims and verify that all security mechanisms are in place.

Up until recently, secure enclaves were only available on CPUs. But NVIDIA confidential computing recently added these hardware-based capabilities to their latest GPUs, making it possible to run GPU-based workloads in a secure enclave.

Here’s how it works in a nutshell:

1. We publish the code that should run inside the secure enclave to Github, as well as a hash of the compiled binary to a transparency log called Sigstore

2. Before sending data to the enclave, the client fetches a signed document from the enclave which includes a hash of the running code signed by the CPU manufacturer. It then verifies the signature with the hardware manufacturer to prove the hardware is genuine. Then the client fetches a hash of the source code from a transparency log (Sigstore) and checks that the hash equals the one we got from the enclave. This lets the client get verifiable proof that the enclave is running the exact code we claim.

3. With the assurance that the enclave environment is what we expect, the client sends its data to the enclave, which travels encrypted (TLS) and is only decrypted inside the enclave.

4. Processing happens entirely within this protected environment. Even an attacker that controls the host machine can’t access this data. We believe making end-to-end verifiability a “first class citizen” is key. Secure enclaves have traditionally been used to remove trust from the cloud provider, not necessarily from the application provider. This is evidenced by confidential VM technologies such as Azure Confidential VM allowing ssh access by the host into the confidential VM. Our goal is to provably remove trust both from ourselves, aka the application provider, as well as the cloud provider.

We encourage you to be skeptical of our privacy claims. Verifiability is our answer. It’s not just us saying it’s private; the hardware and cryptography let you check. Here’s a guide that walks you through the verification process: https://docs.tinfoil.sh/verification/attestation-architectur....

People are using us for analyzing sensitive docs, building copilots for proprietary code, and processing user data in agentic AI applications without the privacy risks that previously blocked cloud AI adoption.

We’re excited to share Tinfoil with HN!

* Try the chat (https://tinfoil.sh/chat): It verifies attestation with an in-browser check. Free, limited messages, $20/month for unlimited messages and additional models

* Use the API (https://tinfoil.sh/inference): OpenAI API compatible interface. $2 / 1M tokens

* Take your existing Docker image and make it end to end confidential by deploying on Tinfoil. Here's a demo of how you could use Tinfoil to run a deepfake detection service that could run securely on people's private videos: https://www.youtube.com/watch?v=_8hLmqoutyk. Note: This feature is not currently self-serve.

* Reach out to us at contact@tinfoil.sh if you want to run a different model or want to deploy a custom application, or if you just want to learn more!

Let us know what you think, we’d love to hear about your experiences and ideas in this space!

Comments (41)

sigmaisaletter · 48m ago

Looks great. Not sure how big the market is between "need max privacy, need on-prem" and "don't care, just use what is cheap/popular" tho.

Can you talk about how this relates to / is different / is differentiated from what Apple claimed to do during their last WWDC? They called it "private cloud compute". (To be clear, after 11 months, this is still "announced", with no implementation anywhere, as far as I can see.)

Here is their blog post on Apple Security, dated June 10: https://security.apple.com/blog/private-cloud-compute/

EDIT: JUST found the tinfoil blog post on exactly this topic. https://tinfoil.sh/blog/2025-01-30-how-do-we-compare

davidczech · 30m ago

Private Cloud Compute has been in use since iOS 18 released.

Etheryte · 1h ago

How large do you wager your moat to be? Confidential computing is something all major cloud providers either have or are about to have and from there it's a very small step to offer LLM-s under the same umbrella. First mover advantage is of course considerable, but I can't help but feel that this market will very quickly be swallowed by the hyperscalers.

3s · 1h ago

Confidential computing as a technology will become (and should be) commoditized, so the value add comes down to security and UX. We don’t want to be a confidential computing company, we want to use the right tool for the job of building private & verifiable AI. If that becomes FHE in a few years, then we will use that. We are starting with easy-to-use inference, but our goal of having any AI application be provably private

ATechGuy · 1h ago

This. Big tech providers already offer confidential inference today.

julesdrean · 56m ago

Yes Azure has! They have very different trust assumptions though. We wrote about this here https://tinfoil.sh/blog/2025-01-30-how-do-we-compare

mnahkies · 48m ago

Last I checked it was only Azure offering the Nvidia specific confidential compute extensions, I'm likely out of date - a quick Google was inconclusive.

Have GCP and AWS started offering this for GPUs?

candiddevmike · 23m ago

GCP, yes: https://cloud.google.com/confidential-computing/confidential...

julesdrean · 2m ago

Azure and GCP offer Confidential VMs which removes trust from the cloud providers. We’re trying to also remove trust in the service provider (aka ourselves). One example is that when you use Azure or GCP, by default, the service operator can SSH into the VM. We cannot SSH into our inference server and you can check that’s true.

itsafarqueue · 1h ago

Being gobbled by the hyperscalers may well be the plan. Reasonable bet.

SebP · 12m ago

Thats impressive, congrats. You've taken the "verifiable security" concept to the next level. I'm working on a similar concept, without "verifiable" part... trust remains to be built, but adding RAG ad fine tuned modelds to the use of open source LLMs, deployed in the cloud: https://gptsafe.ai/

amanda99 · 1h ago

Does this not require one to trust the hardware? I'm not an expert in hardware root of trust, etc, but if Intel (or whatever chip maker) decides to just sign code that doesn't do what they say it does (coerced or otherwise) or someone finds a vuln; would that not defeat the whole purpose?

I'm not entirely sure this is different than "security by contract", except the contracts get bigger and have more technology around them?

natesales · 1h ago

We have to trust the hardware manufacturer (Intel/AMD/NVIDIA) designed their chips to execute the instructions we inspect, so we're assuming trust in vendor silicon either way.

The real benefit of confidential computing is to extend that trust to the source code too (the inference server, OS, firmware).

Maybe one day we’ll have truly open hardware ;)

offmycloud · 17m ago

> https://docs.tinfoil.sh/verification/attestation-architectur...

I tried taking a look at your documentation, but the site search is very slow and laggy in Firefox.

3s · 1m ago

Interesting, we haven't noticed that (on Firefox as well). We'll look into it!

max_ · 1h ago

The only way to guarantee privacy in cloud computing is via homorphic encryption.

This approach relies too much on trust.

If you have data you are seriously sensitive about, its better for you to run models locally on air gapped instances.

If you think this is an overkill, just see what happened to coinbase of recent. [0]

[0]: https://www.cnbc.com/2025/05/15/coinbase-says-hackers-bribed...

FrasiertheLion · 56m ago

Yeah, totally agree with you. We would love to use FHE as soon as it's practical. And if you have the money and infra expertise to deploy air gapped LLMs locally, you should absolutely do that. We're trying to do the best we can with today's technology, in a way that is cheap and accessible to most people.

gojomo · 45m ago

Is there a frozen client that someone could audit for assurance, then repeatedly use with your TEE-hosted backend?

If instead users must use your web-served client code each time, you could subtly alter that over time or per-user, in ways unlikely to be detected by casual users – who'd then again be required to trust you (Tinfoil), rather than the goal on only having to trust the design & chip-manufacturer.

FrasiertheLion · 39m ago

Yes, we have a customer who is indeed interested in having a frozen client for their app, which we're making possible. We currently have not frozen our client because we're in the early days and want to be able to iterate quickly on functionality. But happy to do so on a case-by-case basis for customers.

computerbuster · 40m ago

This is an incredibly robust solution to a really pressing problem for a lot of individuals/orgs who want to use/deploy reasonably powerful LLMs without paying through the nose for hardware. Others have mentioned the hyperscalers have solutions that make some amount of sense (Azure confidential computing, AWS nitro enclaves) but if you read a bit more about Tinfoil, it is clear they want to operate with far less explicit user trust (and thus much better security). This team is setting the standard for provably private LLM inference, and to me, it makes other solutions seem half-baked by comparison. Props to this talented group of people.

blintz · 2h ago

Excited to see someone finally doing this! I can imagine folks with sensitive model weights being especially interested.

Do you run into rate limits or other issues with TLS cert issuance? One problem we had when doing this before is that each spinup of the enclave must generate a fresh public key, so it needs a fresh, publicly trusted TLS cert. Do you have a workaround for that, or do you just have the enclaves run for long enough that it doesn’t matter?

FrasiertheLion · 2h ago

We actually run into the rate limit issue often particularly while spinning up new enclaves while debugging. We plan on moving to HPKE: https://www.rfc-editor.org/rfc/rfc9180.html over the next couple months. This will let us generate keys inside the enclave and encrypt the payload with the enclave specific keys, while letting us terminate TLS in a proxy outside the enclave. All the data is still encrypted to the enclave using HPKE (and still verifiable).

This will let us fix the rate limit issue.

meelvidushi · 1h ago

So impressive - cloud AI that is verifiable with zero trust assumptions is going to be game-changing regardless of the industry application. Looks like it could be used by anyone for making anything trustworthy.

jMyles · 1h ago

> with zero trust assumptions

It's not that though. Not close. You are trusting the chip maker, whose process is secret (actually worse, it's almost certainly shared with the state).

3s · 1h ago

We do have to trust the chip maker until open hardware catches up [1].

[1] https://news.ycombinator.com/item?id=43997856

davidczech · 57m ago

Even if you had open hardware, how would you even know a chip you have sitting in front of you was fabricated correctly?

julesdrean · 51m ago

Check out incredible work by Bunnie to make this possible at home https://www.bunniestudios.com/blog/2024/iris-infra-red-in-si...

etaioinshrdlu · 2h ago

Does the secure enclave also perform the TLS encryption on data leaving the enclave?

Also, if you're decoding TLS on the enclave, wouldn't that imply that you're parsing HTTP and JSON on the GPU itself? Very interesting if true.

natesales · 2h ago

The verified trust boundary extends from the CPU to GPU [1], and TLS encrypts all data to/from the enclave and client so we can't see anything in the clear.

HTTP parsing and application logic happens on the CPU like normal. The GPU runs CUDA just like any other app, after it's integrity is verified by the CPU. Data on the PCIe bus is encrypted between the CPU and GPU too.

[1] https://github.com/NVIDIA/nvtrust/blob/main/guest_tools/atte...

etaioinshrdlu · 2h ago

Could you talk more about how how this works? I don't think linked article doesn't given enough detail on how the trust boundary extends from CPU to GPU.

Does the CPU have the ability to see unencrypted data?

natesales · 2h ago

The keys are generated on the CPU and never leave the enclave, but the data is decrypted on the CPU so it hits the registers in plaintext.

When the enclave starts, the CPU does a few things:

1. The CPU does a key exchange with the GPU (in confidential compute mode [1]) to derive a key to encrypt data over PCIe

2. The CPU verifies the integrity of the GPU against NVIDIA's root of trust [2]

[1] https://developer.nvidia.com/blog/confidential-computing-on-...

[2] https://github.com/tinfoilsh/cvmimage/blob/b65ced8796e8a8687...

edit: formatting

candiddevmike · 2h ago

You're not terminating the TLS connection from the client anywhere besides the enclave? How do you load balance or front end all of this effectively?

FrasiertheLion · 2h ago

>You're not terminating the TLS connection from the client anywhere besides the enclave?

Yes.

>How do you load balance or front end all of this effectively?

We don't, atleast not yet. That's why all our model endpoints have different subdomains. In the next couple months, we're planning to generate a keypair inside the enclave using HPKE that will be used to encrypt the data, as I described in this comment: https://news.ycombinator.com/item?id=43996849

danr4 · 2h ago

great name. good idea if it works.

leboshkibowl · 1h ago

hasn’t iexec (french co) been doing this for years? what’s your competitive advantage or moat, considering they are the first-movers?

FrasiertheLion · 1h ago

CPU-based TEEs (AWS Nitro Enclaves, AMD SEV, Intel TDX) have been around for a few years, but aren’t widely used because they are more akin to primitives than fully baked security solutions. We are trying to make this as user friendly and self serve as possible, with full verifiability by open sourcing the entire server that runs inside the enclave. So far we have not found any end to end verifiably private solution on the market that we could just sign up for to try, which was a big reason we started Tinfoil in the first place. We also strongly believe that verifiably private AI should be the norm, so the more players in the space, the better because a missing piece is market awareness and convincing folks this is actually possible and real.

EGreg · 1h ago

Been building something along these lines for a while. At Qbix, we call it our QBOX. Full stack, using Nix for the base, and Nitro attestation. No SSH. We have the exact same approach — cron running and only downloading signed scripts and binaries from endpoints. But there is a lot more… Would be great to connect and maybe join forces.

Want to connect some time next Tuesday or Wednesday? https://calendly.com/qbix/meeting

FrasiertheLion · 1h ago

Yes, excited to connect, scheduled a call! We used Nitro back in December when we were prototyping but moved to NVIDIA CC because we wanted to support LLMs.

ramoz · 1h ago

Their GTM doesn't include a $ in front of their company acronym.

I think there is similarity to https://www.anjuna.io/ and https://www.opaque.co/ here. I've heard of these, never iExec.

Onavo · 3h ago

Are you HIPAA compliant?

FrasiertheLion · 3h ago

Not yet, we're about one week away from SOC2, will pursue HIPAA which is arguably easier next.

Pyrefly:A fast type checker/IDE extension for Python written in Rust (engineering.fb.com)

Viktor Vasnetsov: The Dean of a Dynasty of Russian Artists [pdf] (tg-m.ru)

Show HN: AI spots rivals and plans strategies–for any business (3.92.132.194)

Bill to tax remittances sent by migrants, visa holders to their home countries (nbcnews.com)

'My Words Are Like an Uncontrollable Dog': On Life with Nonfluent Aphasia (thereader.mitpress.mit.edu)

The most annoying video player of all time (mux.com)

Ban sales of gear from China's TP-Link, Republican lawmakers tell Trump admin (therecord.media)

The Unreasonable Effectiveness of an LLM Agent Loop with Tool Use (sketch.dev)

What in the World Just Happened with Grok? (theatlantic.com)

MVP needs to change to Value Hypothesis Testing (earlyhacks.com)

Show HN: Cloudflare and LiquidMetal Show Off RAG Object Storage Solution (youtube.com)

Adverse childhood experiences and interpersonal functioning: A systemic review (sciencedirect.com)

Palantir's NHS data platform rejected by most hospitals (democracyforsale.substack.com)

US doctors rewrite DNA of infant with genetic disorder in medical first (theguardian.com)

Show HN: AI tool finds all your competitors from a single startup idea prompt (44.201.113.39)

Jump Point Search (en.wikipedia.org)

Refactoring Clojure (orsolabs.com)

Rethinking Freedom in the Digital Age: The Rise of the Carepunks (news.dyne.org)

UAE and US Presidents Attend Unveiling of Phase 1 of 5GW AI Campus in Abu Dhabi (commerce.gov)

Trump's sanctions on ICC prosecutor have halted tribunal's work (apnews.com)

Isdera bankrupt: end of a sports car icon (shots.media)

Meta Is Delaying the Rollout of Its Flagship AI Model (wsj.com)

White House announces AI data campus partnership with the UAE (cnbc.com)

Organizing a Design System via Folksonomy (ericwbailey.website)

Automated Authority: AI Algorithms (newamerica.org)

Show HN: AsianMOM – WebGPU Vision-LLM app that roasts you like ur mom in-browser (asianmom.kuber.studio)

Right click to copy any file as Markdown on Mac (iddogino.com)

Show HN: Pixelagent – Build your Stateful Agent Framework in 200 lines of code (github.com)

Workers are saying 'no' to toxic environments (apnews.com)

Virginia Woolf? Snob Richard Wright? Sexist Dostoyevsky? Anti-Semite (2019) (nytimes.com)

Get ready to see a lot more mini-trucks on Colorado's roads (cpr.org)

Unicode in Five Minutes (2013) (richardjharris.github.io)

Show HN: Wavesly – Check Sea and Ocean Temperature (wavesly.io)

Show HN: Smol vsc*de plugin to find in all open files via native search (github.com)

Scott Forstall on the Future of Siri and AI (2017) [video] (youtube.com)

October the First Is Too Late (gwern.net)

Catalogue of Novel Operating Systems (github.com)

Keyboard Sounds – Add sound effects to your typing experience (keyboardsounds.net)

Rafale maker Dassault shares plummet, Avic Chengdu maker of J-10 stock soar (hindustantimes.com)

My full statement regarding DOOM Eternal (2022) (medium.com)

LLM functions in TypeScript: a composable pattern for prompt/LLM/parse/execute (medium.com)

The Dumbest Move in Tech: Laying Off Developers Because of AI (ppaolo.substack.com)

Gitlab 18.0 Released with Gitlab Duo for Premium and Ultimate (about.gitlab.com)

Keep calm (but delete your nudes): the new rules for travelling to America (theguardian.com)

Has Grok lost its mind and mind-melded with its owner? (garymarcus.substack.com)

The current state of TLA⁺ development (ahelwer.ca)

OpenAI to Z Challenge (openai.com)

Why untested AI-generated code is a crisis waiting to happen (leaddev.com)

Ask HN: Is Substack the New Medium?

What's New in the Oracle Solaris 11.4.81 CBE Release (blogs.oracle.com)

Launch HN: Tinfoil (YC X25): Verifiable Privacy for Cloud AI

Comments (41)