GPT Protocol: Verifiable Confidential AI Inference via AMD SEV-SNP Enclaves

Hello IC community! We are excited to finally pull back the curtain on GPT Protocol, an infrastructure project we’ve been building at the intersection of the Internet Computer and Confidential Computing (AMD SEV-SNP).

Our team has spent the last year addressing the “Black Box” problem of centralized AI and the fact that even in “Web3 DeAI,” your prompts eventually end up as plaintext on someone else’s server. We chose to build on the Internet Computer because it is the only ecosystem that provides the orchestration power, reverse gas model, and stable memory storage needed to manage a truly sovereign AI stack.

We’ve just hit our Public Beta milestone and would love to share how we’re using the IC as a verifiable controller for hardware-enforced enclaves.


1. TL;DR

  • What is it? A decentralized infrastructure layer for “Sovereign AI” that ensures user prompts and documents are never visible to node operators or protocol developers.
  • Key Innovation: Bridging IC smart contracts with hardware-enforced Trusted Execution Environments (AMD SEV-SNP) to create an end-to-end encrypted AI pipeline.
  • Current Status: Public Beta (Open Source).
  • Links: App (gpt.one) | GitHub Repo

2. The Problem: The AI “Black Box”

Current AI interactions require total surrender of data sovereignty. Whether you use a centralized AI chatbot or a standard “Web3 AI” project, your prompts are eventually stored on a provider’s server. This exposes proprietary code, sensitive documents, and personal context to logging, model training, and potential breaches.


3. The Solution: GPT Protocol

GPT Protocol facilitates Verifiable Confidential Inference. We use a “Double-Lock” encryption strategy where user data is encrypted in the browser and only decrypted inside a hardware-attested enclave.

By the time your data hits the network, it is an opaque blob. By the time it hits the compute node for processing by an inference API, it is isolated in CPU-encrypted memory that even the host OS cannot “peek” into. You might ask: “If you use third-party APIs, isn’t the privacy lost?”

We solve this through a Privacy-Preserving Proxy Layer inside the enclave:

  1. Zero-Retention Providers Only: We strictly route traffic to enterprise-grade API endpoints that offer legally binding Zero-Data-Retention (ZDR) and “No-Training” policies.
  2. Identity Stripping (Metadata Privacy): The request sent to the API provider is stripped of all user-identifiable information (IP addresses, User IDs, browser fingerprints). To inference providers, every request looks like it comes from the same “GPT Protocol Node,” not a specific individual.
  3. API Key & Provider Mixing: The protocol rotates through a massive pool of API keys across multiple Node Providers. By “shuffling” the data stream across different accounts and providers, we prevent any single third party from building a longitudinal profile or “shadow persona” of a user based on their prompt history.

4. Why we built on the IC

The Internet Computer is the only platform capable of acting as the Verifiable Orchestrator for high-performance confidential compute.

  • Trustless Registry: We use the IC as a global registry for SEV-SNP Attestation Reports. The IC verifies the hardware’s cryptographic “quote” to ensure the node is genuine AMD silicon running our exact open-source binary.
  • Single-Tenant Canisters: Every user gets a dedicated gpt_user canister. This provides physical data isolation at the state level - something not possible on legacy chains.
  • Stable Memory Vector Store: Using ic-stable-structures, we store multi-gigabyte document chunks and chats on-chain. This allows for Confidential RAG, where the IC manages the encrypted index, and only relevant chunks are sent to the enclave.
  • Reverse Gas Model: Users interact with the AI without needing to manage cycles or gas for every message; costs are covered by the canister’s cycle balance.

5. Technical Architecture

The protocol is a Rust-heavy monorepo split into three distinct planes:

A. The Control Plane (gpt_index)

The “Brain” of the network. It manages:

  • Node Governance: Whitelists specific measurement_hex hashes of VM images containing node binaries.
  • TCB Policies: Enforces minimum security versions for AMD firmware to protect against hardware vulnerabilities.
  • User Provisioning: Automatically deploys new gpt_user instances upon registration - currently limited to a single hour of use per user.

B. The Data Plane (gpt_user)

Your personal encrypted vault.

  • Chat Storage: Chat history and files are stored as AES-256-GCM encrypted blobs.
  • Virtual File System: A hierarchical folder structure implemented on-chain using stable memory.

C. The Compute Plane (gpt_node + gpt_host)

The confidential worker.

  • AMD SEV-SNP Enclave: A minimalist Alpine Linux system running in RAM.
  • Identity Extraction: During boot, the node extracts a 32-byte seed from the hardware report to derive its node specifications from the index canister.

6. Visuals


7. Credibility & Open Source

We believe that for privacy to be real, it must be auditable.

  • Reproducible Builds: Our OS images (gpt_vm) are built via Docker with necessary compilation-time tweaks to ensure bitwise reproducibility. You can hash the binary yourself and compare it to the registry on the IC.
  • Open Source: The entire stack, from the kernel assembly to the React frontend, is available under the MIT license.

8. Roadmap for 2026

  • Live Billing Integration: On-chain automated payments for compute resources.
  • Provider Incentives: Full documentation and deployment tooling on how to start earning rewards as a verified confidential node operator.
  • OpenAI-Compatible Bridge: A drop-in proxy layer allowing any existing application built with the OpenAI SDK to migrate to confidential TEE inference simply by updating their BASE_URL environment variable.
  • GPU Support: Launch of GPU-backed enclaves (H100/H200) for private large-scale model inference.
  • Threshold Privacy: Integration of vetKeys for threshold-based decryption logic.
  • Autonomous Agents: Allowing AI agents to hold their own ICP/ckBTC in a secure enclave.

9. Links & Resources


10. Beta Notes & Development Status

Please keep in mind that the project is currently under active development, and we expect to ship significant refinements and features in the very near future. To facilitate rapid iteration and testing during this Public Beta phase, dedicated user canisters are currently limited to a one-hour lifespan and are automatically de-provisioned (erased) afterward.

Be sure to follow this forum thread! We will be posting regular updates here, including information on our full release schedule, latest features, and technical deep-dives.

We are looking for technical feedback from the IC community! Specifically, we’d love to hear your thoughts on our attestation verification logic. Happy to answer any questions below!

7 Likes
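As an added illustration of the registry logic described in sections 4 and 5A (measurement whitelist, minimum TCB policy), here is the kind of check an IC registry canister could run over a raw SEV-SNP attestation report. This is example code written for this thread, not GPT Protocol’s own code; field offsets follow the AMD SEV-SNP ABI specification, the sample report is constructed, and verification of the report signature against the VCEK/ASK/ARK chain is assumed to happen before these checks.

```rust
// Added example, not GPT Protocol's code: policy checks an IC registry canister could
// apply to a raw SEV-SNP ATTESTATION_REPORT (field offsets per the AMD SEV-SNP ABI spec).
// The report signature must be verified against the VCEK/ASK/ARK chain first (not shown).
const REPORT_LEN: usize = 0x4A0;
const OFF_POLICY: usize = 0x008; // 64-bit little-endian guest policy
const OFF_MEASUREMENT: usize = 0x090; // 48-byte launch measurement
const OFF_REPORTED_TCB: usize = 0x180; // 8-byte TCB_VERSION
/// Minimum security versions; TCB_VERSION layout is byte 0 boot loader, byte 1 TEE,
/// bytes 2-5 reserved, byte 6 SNP firmware, byte 7 microcode.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Tcb { pub boot_loader: u8, pub tee: u8, pub snp: u8, pub microcode: u8 }
impl Tcb {
    fn parse(raw: &[u8]) -> Tcb {
        Tcb { boot_loader: raw[0], tee: raw[1], snp: raw[6], microcode: raw[7] }
    }
    fn meets(&self, min: &Tcb) -> bool {
        self.boot_loader >= min.boot_loader && self.tee >= min.tee
            && self.snp >= min.snp && self.microcode >= min.microcode
    }
}
/// Returns the hex measurement when the report passes the registry policy.
pub fn check_report(report: &[u8], allowed: &[&str], min_tcb: &Tcb) -> Result<String, String> {
    if report.len() != REPORT_LEN {
        return Err(format!("unexpected report length {}", report.len()));
    }
    // POLICY bit 19 (DEBUG) lives in byte 2, bit 3 of the little-endian field.
    if report[OFF_POLICY + 2] & (1 << 3) != 0 {
        return Err("guest policy allows host debugging".into());
    }
    let tcb = Tcb::parse(&report[OFF_REPORTED_TCB..OFF_REPORTED_TCB + 8]);
    if !tcb.meets(min_tcb) {
        return Err(format!("reported TCB {:?} below minimum {:?}", tcb, min_tcb));
    }
    let measurement: String = report[OFF_MEASUREMENT..OFF_MEASUREMENT + 48]
        .iter().map(|b| format!("{:02x}", b)).collect();
    if allowed.iter().any(|m| m.eq_ignore_ascii_case(&measurement)) {
        Ok(measurement)
    } else {
        Err(format!("measurement {} not whitelisted", measurement))
    }
}
/// Constructed sample report (zero-filled, not from real hardware) for demonstration.
pub fn sample_report(debug: bool, snp_ver: u8) -> Vec<u8> {
    let mut r = vec![0u8; REPORT_LEN];
    // Policy byte 2: bit 17 (reserved, must be 1) = 0x02, bit 19 (DEBUG) = 0x08.
    r[OFF_POLICY + 2] = if debug { 0x0A } else { 0x02 };
    r[OFF_REPORTED_TCB..OFF_REPORTED_TCB + 8].copy_from_slice(&[3, 0, 0, 0, 0, 0, snp_ver, 209]);
    for (i, b) in r[OFF_MEASUREMENT..OFF_MEASUREMENT + 48].iter_mut().enumerate() { *b = i as u8; }
    r
}
```

A real registry would compare against the whitelisted measurement_hex values and the TCB floor it stores on-chain, and would reject a report whose chip identity or signature chain does not check out before reaching these field checks.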

Interesting project, awful choice of name (might wanna change it before you get sued, see e.g. Clawdebot renamed to Moltbot because of Anthropic), ambitious roadmap ahead given the price of H100s.
Love the Rust-heavy monorepo approach, but given the hardware requirements, it’s a bit costly to deploy just to play around with it. Looking forward to future updates.

Thanks for the reply. Appreciate you checking it out.

On the name: fair point. Just to be clear, “GPT” isn’t trademarked. OpenAI tried and the USPTO said no. Still, we get the concern and we’re thinking about changing the name before we go bigger.

On the cost: H100s are crazy expensive, agreed. But the basic SEV-SNP setup to try this out or run a live node can be under $1k in the US. We’ve seen many used EPYC servers for sale in that range. If you don’t want to buy hardware, we’ve also seen compatible hosting for cheap, like Scaleway’s EM-I120E-NVMe for €129.99/month with hourly billing available.

Also worth mentioning: after the beta, nodes will be rewarded. The plan is to take a small cut per request (targeting ~1% max fee) and route that back to node operators.

For reference, we fully support SEV-SNP on EPYC 7003 (Milan), EPYC 8004 (Siena, anchored to Genoa’s ARK/ASK), EPYC 9004 (Genoa), and EPYC 9005 (Turin).

1 Like

We also use Hetzner; they have EPYC Genoa starting from ~200 euros/month, which is why I said it is a “bit” expensive to play with. Did you try to reach out to current NPs?

Hi @net
I’m really interested in what you’re building, and I fully agree with the privacy-first AI direction. Feels like we’re coming from a very similar inference background.

We can also provide H100s in the US if you ever need hardware for testing. This is us: https://www.geodd.io: DeployPad (beta launch next week).

Would be great to connect sometime.

1 Like

P.S. There’s another spare AMD EPYC in the Colombo datacenter (not an IC node, just a single-CPU barebone); if you need it for testing, we can provide it. No charge.

Appreciate it! We may take you up on H100s for early GPU-enclave experiments next month if they’re still available. For the EPYC test server, what’s the exact spec (EPYC model, system platform/motherboard)? We’re compiling BIOS + TCB baselines across Dell/Supermicro and other platforms, and we’d like to validate/derive the versions directly from the test machine.

What’s the best way to chat? Please DM me here and we can coordinate. Good luck with the beta launch next week!

2 Likes

Thanks for the suggestion! We haven’t reached out to existing NPs yet, but it’s on our list now. For the Public Beta, we’re running on a mix of our local fleet plus Hetzner and Scaleway, which has been enough to validate the remote attestation flow end-to-end across multiple EPYC generations.

1 Like

Not sure if this has it: Tyan Transport SX TS65A-B8036 2U
It had an EPYC 7-series-ish processor. Yes, let’s DM here.

I suggest you follow up with the NP working group to see where SEV-enabled nodes and subnets currently stand (tagging @icarus and @louisevelayo), and you should also book a demo or just a preview of sorts with the DeAI working group.
Best of luck, looking forward to this.

2 Likes