Confidential-computing attestation proves a GPU is genuine and uncompromised — at startup, one time. Every inference served afterward is cryptographically unbound from that attestation. Swap the model, reroute to another GPU, quietly serve INT4 as full-precision, alter the output — NVIDIA's attestation still passes. S2S closes that gap: it binds each inference into a hash-chained attestation epoch anchored to the hardware evidence and a Hive-issued nonce, signed independently with ML-DSA-65 (FIPS 204), verifiable offline by anyone.
Prove what ran, where, under what model, in what unbroken order — without trusting anyone.
We report only what we have measured against the actual primitives. The numbers below are from the crypto core in the reference build. No live GPU benchmark appears anywhere on this page — real silicon comes next.
Commitments proven non-revealing (no prompt, completion, or weight plaintext leaks). Signed with ML-DSA-65 / FIPS 204, consistent with the rest of the Hive stack. Real silicon: pending a CC-mode GPU — see the runbook for swapping simulated evidence for live nvtrust output.
NVIDIA's confidential-computing attestation is a one-time startup event. Between that moment and every inference a customer, regulator, or court ever cares about, there is an open gap — and today no one closes it.
At instance startup, nvtrust verifies the GPU is genuine, uncompromised, and in CC mode. That check takes 1–3 seconds and happens once. It is never re-bound to any specific inference served afterward.
Swap the model, reroute to a different GPU, serve a cheaper quantization, or alter the output post-compute — and the startup attestation still passes. Nothing ties a given output back to the hardware that was actually attested.
S2S binds each inference into a hash-chained attestation epoch anchored to the committed hardware evidence and a Hive-issued nonce. Break any link — or claim a terminated epoch — and offline verification fails, loudly.
Primitive reference: NVIDIA nvtrust — attestation SDK and verifier reference · NIST FIPS 204 (ML-DSA).
Each test performs the attack, shows NVIDIA's hardware attestation still passes ✓, and shows S2S fails ✗ every time. These seven tests are the acceptance criteria and the product demo — all seven pass in the crypto core today (against simulated evidence, flagged simulated=True).
| # | Attack | HW attestation | S2S — why it fails |
|---|---|---|---|
| 1 | Model swap — attest GPU, load model A, serve model B | ✓ passes | ✗ M mismatch → chain fails |
| 2 | Quantization swap — serve INT4 as full-precision | ✓ passes | ✗ quantization in M differs |
| 3 | Device reroute — attest D₁, silently serve on unattested D₂ | ✓ passes (D₁) | ✗ device_id in Cᵢ ≠ device in H |
| 4 | Output alteration — modify / cache / fabricate output post-compute | ✓ passes | ✗ output_commit doesn't open |
| 5 | Attestation replay — present a genuine report from a prior session | ✓ passes (report IS genuine) | ✗ missing Hive's nonce in S |
| 6 | Firmware change mid-epoch | ✓ passes (pre-change) | ✗ epoch terminated → signed event |
| 7 | CC-mode exit mid-epoch | ✓ passes (in-mode) | ✗ cc_mode in H changed → epoch dies |
VALID
BROKEN — model substituted at inference #47
The hardware attestation is telling the truth: the GPU really is genuine. That's exactly why the gap is dangerous — the one signal a buyer trusts stays green while the model underneath is swapped. S2S is the only layer that sees it.
Everything below is computed by the binding module, which runs in the attestor — not on the operator's box. (H, S) together define an attestation epoch; every inference served under that GPU state lives inside one epoch, hash-chained. Kᵢ is the gap closure: recursive continuity that ties each inference back to the hardware evidence and the previous link.
# H binds the evidence BYTES, not a boolean — a verifier can re-run the check H = commit(attestation_report ‖ chain_verify ‖ ocsp ‖ measurement ‖ device_id ‖ cc_mode) # S carries HIVE's nonce — this is what makes replay impossible S = commit(attestor_nonce ‖ session_id ‖ epoch_open_ts ‖ validity_window) # Hive's nonce M = commit(weights_digest ‖ quantization ‖ adapters ‖ engine ‖ manifest) # quant is load-bearing Cᵢ = commit(input_commit ‖ output_commit ‖ params ‖ ts ‖ device_id ‖ seq) # non-revealing Kᵢ = commit(H ‖ S ‖ M ‖ Cᵢ ‖ Kᵢ₋₁) ← THE GAP CLOSURE (recursive continuity) Receipt = Sign_MLDSA65(H ‖ S ‖ M ‖ Cᵢ ‖ Kᵢ ‖ epoch_metadata)
H binds the actual attestation report bytes, chain-verify result, OCSP status, and measurements — not a stored "it passed" boolean. A verifier re-runs the verification against exactly what was committed.
The receipt never leaks the prompt, the completion, or the weights. Everything is hashed and committed — proven non-revealing in test, no plaintext leakage.
The quantization state lives inside M. Serving INT4 under the identity of a full-precision model must — and does — fail verification. It cannot be oversold.
Epoch termination — firmware or driver change, CC-mode exit, model reload, GPU-set change, or validity-window expiry — is itself a signed event. Anything claiming to be served under a terminated epoch fails verification.
S2S drives NVIDIA's nvtrust attestation flow, captures the evidence, and binds it. The critical Hive addition is a single, decisive change: whose nonce goes into the attestation request.
The challenge / nonce fed into the attestation request comes from Hive's attestor, not the operator. If the operator supplies its own nonce, it can replay old evidence. Because the nonce is ours, a genuine report from a prior session — attack #5 — carries the wrong nonce and fails S2S even though the report itself is authentic.
Public verifier: standalone, offline, zero network calls to Hive. A regulator, auditor, customer, or court verifies with just the receipt, the committed evidence, and Hive's public key — no account, no credentials, no access to any content.
NVIDIA CC-mode GPUs: H100 (SXM5 + PCIe), H200 SXM5, B200 SXM6, GB200. Requires a CPU TEE underneath — AMD SEV-SNP or Intel TDX — and a compatible VBIOS + driver combo per NVIDIA's Secure AI Compatibility Matrix.
CC-mode inference overhead is ~2–5% for transformer workloads (near-zero for large models / long sequences). The attestation flow itself is 1–3s, one time at startup — not per request, irrelevant to steady-state latency.
vLLM first (then TensorRT-LLM / SGLang). Off the hot path (async), with a pluggable signer interface — null-signer default, Hive as the default independent implementation. Fail-open on serving, fail-closed on the receipt.
Attestation SDK: NVIDIA nvtrust · Serving target: vLLM.
Honesty is the product. Here is exactly where the edges are.
S2S proves occurrence and custody — what ran, where, under what model, in what order. It does not prove the output is medically, factually, or legally correct. That's zkML, and it's out of scope.
Some "confidential" cloud offerings attest the whole CVM, not the GPU. S2S requires the report signed by the GPU's security processor. VM-level isolation is not enough — confirm real GPU-CC before building on a provider.
On B300 HGX, the tenant currently cannot bind the Fabric Manager binary, its config, or the programmed NVSwitch routing tables into attestation evidence. We note it, we don't hide it, and we scope multi-GPU claims accordingly.
S2S is Hive's compute-side root — one of two orthogonal root axes, not "the one deepest root." It roots which GPU ran the inference, under what model, unaltered, in-sequence. That is a different dimension from the key-side roots, which govern the signing key itself.
QPuF — how the signing key was born and why it can't be cloned. HiveSeal — where the key lives in silicon. Together they answer one question: "can I trust the signer?"
S2S answers the orthogonal question: "can I trust the computation the signer is attesting?" A receipt is strongest carrying both a key-side root and the S2S compute-side root — a position neither NVIDIA (silicon, not independent) nor an inference provider (deployment, neither) can hold.
Within the SiGR line, S2S sits beneath SiGR on the compute axis: SiGR proves an inference happened and carries the verdict; S2S proves it happened on a specific, uncompromised GPU under a specific model.
| Primitive | What it proves | Axis | When |
|---|---|---|---|
| S2S — Silicon-to-Signature | An inference ran on a specific genuine, uncompromised GPU, under a specific model at a specific quantization, unaltered, in unbroken sequence. | Compute-side root | now (crypto core) hardware pending |
| SiGR — Signed Inference Guarantee Receipt | A specific model at a specific config produced a specific output, and carries the verdict — signed, offline-verifiable. | Compute axis (above S2S) | now |
| PPR — Physiological Provenance Receipt | An inference over biosignal came from a real, on-body sensor, from the enrolled subject, unspliced, read by the stated model. | Provenance | now |
| AFiR — Attested Fragmented Inference Routing | Signed routing of an inference across fragments / providers. | Compute axis | now |
| HiveSeal | Where the signing key lives in silicon — a key-side root. | Key-side root | now |
| QPuF | How the signing key was born and why it can't be cloned — the deepest key-side root. | Key-side root | now |
Adopt S2S for the compute-side root and the same receipt discipline — signed, offline-verifiable, post-quantum — composes with every key-side and provenance primitive in the family.
We're looking for CC-mode GPU design partners and inference providers running vLLM to take the crypto core to live hardware. You bring an H100 / H200 / B200 / GB200 in CC mode; we wire the nvtrust attestation flow, inject Hive's nonce, run the seven failure-mode tests with simulated=False, and you walk out with the first receipts a regulator, auditor, or court can verify offline — without trusting NVIDIA, the provider, the model owner, or Hive.
S2S — Silicon-to-Signature. Patent Pending. Binds NVIDIA GPU hardware attestation to every inference served on that GPU, signed independently with ML-DSA-65 (FIPS 204), verifiable offline. Crypto core built and proven — 11/11 tests pass. Real silicon pending a CC-mode GPU; all simulated evidence is flagged simulated=True. We never fabricate a receipt.