S2S · Silicon-to-Signature · Patent Pending

NVIDIA attests the GPU once. Then nothing.

Confidential-computing attestation proves a GPU is genuine and uncompromised — at startup, one time. Every inference served afterward is cryptographically unbound from that attestation. Swap the model, reroute to another GPU, quietly serve INT4 as full-precision, alter the output — NVIDIA's attestation still passes. S2S closes that gap: it binds each inference into a hash-chained attestation epoch anchored to the hardware evidence and a Hive-issued nonce, signed independently with ML-DSA-65 (FIPS 204), verifiable offline by anyone.

Prove what ran, where, under what model, in what unbroken order — without trusting anyone.

What it is: a third party can prove a specific output came from a specific model, at a specific quantization, on a specific genuine, uncompromised GPU, in unbroken sequence — without trusting NVIDIA, the inference provider, the model owner, or Hive. What it is not: S2S does not prove the output is correct (that's zkML, prohibitively expensive). It proves occurrence and custody — not truth of the answer.
Honest status — read this first

The cryptographic core is built and proven: 11/11 tests pass (the seven failure modes plus invariants). The verifier makes zero network calls. Commitments are proven non-revealing. Signing is ML-DSA-65 (FIPS 204). Real GPU silicon is pending a CC-mode GPU. In the reference build, all origin evidence is flagged simulated=True — nothing masquerades as a live hardware receipt. There are no live-silicon benchmarks on this page because none exist yet. Nothing here claims a real hardware receipt until the seven tests pass with simulated=False on genuine CC-mode hardware.

What's real today, and what's pending

We report only what we have measured against the actual primitives. The numbers below are from the crypto core in the reference build. No live GPU benchmark appears anywhere on this page — real silicon comes next.

11/11
tests pass · 7 failure modes + invariants
≈9µs
hook emit() p99 · vs ≈18ms synchronous sign
~2000×
receipting kept off the inference hot path
0
network calls in the verifier · sockets hard-blocked in test

Commitments proven non-revealing (no prompt, completion, or weight plaintext leaks). Signed with ML-DSA-65 / FIPS 204, consistent with the rest of the Hive stack. Real silicon: pending a CC-mode GPU — see the runbook for swapping simulated evidence for live nvtrust output.

Attestation proves the GPU booted. It says nothing about what ran after.

NVIDIA's confidential-computing attestation is a one-time startup event. Between that moment and every inference a customer, regulator, or court ever cares about, there is an open gap — and today no one closes it.

The attestation is one-time

At instance startup, nvtrust verifies the GPU is genuine, uncompromised, and in CC mode. That check takes 1–3 seconds and happens once. It is never re-bound to any specific inference served afterward.

Everything after is unbound

Swap the model, reroute to a different GPU, serve a cheaper quantization, or alter the output post-compute — and the startup attestation still passes. Nothing ties a given output back to the hardware that was actually attested.

S2S is the leash

S2S binds each inference into a hash-chained attestation epoch anchored to the committed hardware evidence and a Hive-issued nonce. Break any link — or claim a terminated epoch — and offline verification fails, loudly.

Primitive reference: NVIDIA nvtrust — attestation SDK and verifier reference · NIST FIPS 204 (ML-DSA).

The demo: seven attacks where hardware attestation passes and S2S catches it

Each test performs the attack, shows NVIDIA's hardware attestation still passes ✓, and shows S2S fails ✗ every time. These seven tests are the acceptance criteria and the product demo — all seven pass in the crypto core today (against simulated evidence, flagged simulated=True).

#AttackHW attestationS2S — why it fails
1Model swap — attest GPU, load model A, serve model B✓ passes M mismatch → chain fails
2Quantization swap — serve INT4 as full-precision✓ passes quantization in M differs
3Device reroute — attest D₁, silently serve on unattested D₂✓ passes (D₁) device_id in Cᵢ ≠ device in H
4Output alteration — modify / cache / fabricate output post-compute✓ passes output_commit doesn't open
5Attestation replay — present a genuine report from a prior session✓ passes (report IS genuine) missing Hive's nonce in S
6Firmware change mid-epoch✓ passes (pre-change) epoch terminated → signed event
7CC-mode exit mid-epoch✓ passes (in-mode) cc_mode in H changed → epoch dies
The money shot side-by-side, one screen
Why the gap is invisible without S2S
NVIDIA hardware attestation
✓ cert chain validates to NVIDIA root
✓ attestation report signature valid
✓ measurements match golden values
✓ GPU genuine, uncompromised, in CC mode

VALID

Hive S2S chain of custody
✗ continuity chain does not reconcile
✗ committed model identity ≠ served model
✗ epoch integrity broken

BROKEN — model substituted at inference #47

The hardware attestation is telling the truth: the GPU really is genuine. That's exactly why the gap is dangerous — the one signal a buyer trusts stays green while the model underneath is swapped. S2S is the only layer that sees it.

The five bindings

Everything below is computed by the binding module, which runs in the attestor — not on the operator's box. (H, S) together define an attestation epoch; every inference served under that GPU state lives inside one epoch, hash-chained. Kᵢ is the gap closure: recursive continuity that ties each inference back to the hardware evidence and the previous link.

# H binds the evidence BYTES, not a boolean — a verifier can re-run the check
H  = commit(attestation_report ‖ chain_verify ‖ ocsp ‖ measurement ‖ device_id ‖ cc_mode)
# S carries HIVE's nonce — this is what makes replay impossible
S  = commit(attestor_nonce ‖ session_id ‖ epoch_open_ts ‖ validity_window)   # Hive's nonce
M  = commit(weights_digest ‖ quantization ‖ adapters ‖ engine ‖ manifest)    # quant is load-bearing
Cᵢ = commit(input_commit ‖ output_commit ‖ params ‖ ts ‖ device_id ‖ seq)    # non-revealing
Kᵢ = commit(H ‖ S ‖ M ‖ Cᵢ ‖ Kᵢ₋₁)     ← THE GAP CLOSURE (recursive continuity)
Receipt = Sign_MLDSA65(H ‖ S ‖ M ‖ Cᵢ ‖ Kᵢ ‖ epoch_metadata)
H commits evidence, not a verdict

H binds the actual attestation report bytes, chain-verify result, OCSP status, and measurements — not a stored "it passed" boolean. A verifier re-runs the verification against exactly what was committed.

Commitments are non-revealing

The receipt never leaks the prompt, the completion, or the weights. Everything is hashed and committed — proven non-revealing in test, no plaintext leakage.

Quantization is load-bearing

The quantization state lives inside M. Serving INT4 under the identity of a full-precision model must — and does — fail verification. It cannot be oversold.

Epoch termination — firmware or driver change, CC-mode exit, model reload, GPU-set change, or validity-window expiry — is itself a signed event. Anything claiming to be served under a terminated epoch fails verification.

How the attestation flow works — and the one thing we add

S2S drives NVIDIA's nvtrust attestation flow, captures the evidence, and binds it. The critical Hive addition is a single, decisive change: whose nonce goes into the attestation request.

NVIDIA's nvtrust flow — driven, not reinvented
  • Retrieve the 5-cert device chain: Attestation, Device Identity, Provisioner, Model, Root.
  • Verify the chain in reverse, Device Identity up to Root.
  • Check each cert for revocation against NVIDIA's OCSP service.
  • Retrieve the GPU-signed attestation report; validate its signature with the Attestation Certificate.
  • Compare each measurement to the golden list. All pass → GPU genuine, uncompromised, in CC mode.
The Hive addition — our nonce, our epoch

The challenge / nonce fed into the attestation request comes from Hive's attestor, not the operator. If the operator supplies its own nonce, it can replay old evidence. Because the nonce is ours, a genuine report from a prior session — attack #5 — carries the wrong nonce and fails S2S even though the report itself is authentic.

Public verifier: standalone, offline, zero network calls to Hive. A regulator, auditor, customer, or court verifies with just the receipt, the committed evidence, and Hive's public key — no account, no credentials, no access to any content.

Supported hardware

NVIDIA CC-mode GPUs: H100 (SXM5 + PCIe), H200 SXM5, B200 SXM6, GB200. Requires a CPU TEE underneath — AMD SEV-SNP or Intel TDX — and a compatible VBIOS + driver combo per NVIDIA's Secure AI Compatibility Matrix.

Overhead — negligible

CC-mode inference overhead is ~2–5% for transformer workloads (near-zero for large models / long sequences). The attestation flow itself is 1–3s, one time at startup — not per request, irrelevant to steady-state latency.

Emission hook

vLLM first (then TensorRT-LLM / SGLang). Off the hot path (async), with a pluggable signer interface — null-signer default, Hive as the default independent implementation. Fail-open on serving, fail-closed on the receipt.

Attestation SDK: NVIDIA nvtrust · Serving target: vLLM.

What we don't claim

Honesty is the product. Here is exactly where the edges are.

Not correctness

S2S proves occurrence and custody — what ran, where, under what model, in what order. It does not prove the output is medically, factually, or legally correct. That's zkML, and it's out of scope.

Not VM-level attestation

Some "confidential" cloud offerings attest the whole CVM, not the GPU. S2S requires the report signed by the GPU's security processor. VM-level isolation is not enough — confirm real GPU-CC before building on a provider.

Blackwell fabric gap

On B300 HGX, the tenant currently cannot bind the Fabric Manager binary, its config, or the programmed NVSwitch routing tables into attestation evidence. We note it, we don't hide it, and we scope multi-GPU claims accordingly.

Where S2S sits in the Hive canon

S2S is Hive's compute-side root — one of two orthogonal root axes, not "the one deepest root." It roots which GPU ran the inference, under what model, unaltered, in-sequence. That is a different dimension from the key-side roots, which govern the signing key itself.

Key-side roots

QPuF — how the signing key was born and why it can't be cloned. HiveSeal — where the key lives in silicon. Together they answer one question: "can I trust the signer?"

Compute-side root (S2S)

S2S answers the orthogonal question: "can I trust the computation the signer is attesting?" A receipt is strongest carrying both a key-side root and the S2S compute-side root — a position neither NVIDIA (silicon, not independent) nor an inference provider (deployment, neither) can hold.

Within the SiGR line, S2S sits beneath SiGR on the compute axis: SiGR proves an inference happened and carries the verdict; S2S proves it happened on a specific, uncompromised GPU under a specific model.

PrimitiveWhat it provesAxisWhen
S2S — Silicon-to-SignatureAn inference ran on a specific genuine, uncompromised GPU, under a specific model at a specific quantization, unaltered, in unbroken sequence.Compute-side rootnow (crypto core) hardware pending
SiGR — Signed Inference Guarantee ReceiptA specific model at a specific config produced a specific output, and carries the verdict — signed, offline-verifiable.Compute axis (above S2S)now
PPR — Physiological Provenance ReceiptAn inference over biosignal came from a real, on-body sensor, from the enrolled subject, unspliced, read by the stated model.Provenancenow
AFiR — Attested Fragmented Inference RoutingSigned routing of an inference across fragments / providers.Compute axisnow
HiveSealWhere the signing key lives in silicon — a key-side root.Key-side rootnow
QPuFHow the signing key was born and why it can't be cloned — the deepest key-side root.Key-side rootnow

Adopt S2S for the compute-side root and the same receipt discipline — signed, offline-verifiable, post-quantum — composes with every key-side and provenance primitive in the family.

Pilot S2S on real CC-mode silicon

We're looking for CC-mode GPU design partners and inference providers running vLLM to take the crypto core to live hardware. You bring an H100 / H200 / B200 / GB200 in CC mode; we wire the nvtrust attestation flow, inject Hive's nonce, run the seven failure-mode tests with simulated=False, and you walk out with the first receipts a regulator, auditor, or court can verify offline — without trusting NVIDIA, the provider, the model owner, or Hive.

S2S — Silicon-to-Signature. Patent Pending. Binds NVIDIA GPU hardware attestation to every inference served on that GPU, signed independently with ML-DSA-65 (FIPS 204), verifiable offline. Crypto core built and proven — 11/11 tests pass. Real silicon pending a CC-mode GPU; all simulated evidence is flagged simulated=True. We never fabricate a receipt.