Exploring the Case of Super Protocol with Self-Sovereign AI and NVIDIA Confidential Computing

Originally published at: Exploring the Case of Super Protocol with Self-Sovereign AI and NVIDIA Confidential Computing | NVIDIA Technical Blog

Confidential and self-sovereign AI is a new approach to AI development, training, and inference where the user’s data is decentralized, private, and controlled by the users themselves. This post explores how the capabilities of Confidential Computing (CC) are expanded through decentralization using blockchain technology. The problem being solved is most clearly shown through the use…

Millions of AI startups exchange models and data, but real collaboration often comes with the risk of leaks and information disclosure. Companies are forced to rely on private infrastructure and complex contracts to protect their data. A confidential AI/Data marketplace based on NVIDIA GPU TEE confidential computing will enable AI projects to collaborate securely and effortlessly, with setup taking just a few clicks while providing the highest level of security for clients. The response from the authors of popular AI models on Hugging Face (via cold outreach) has been overwhelmingly positive - nearly 100% express a strong need for a “Confidential Version of Hugging Face” to share more valuable data safely.

How does the Super Protocol marketplace differ from Hugging Face?

Millions of AI startups exchange models and data on Hugging Face, but real collaboration often comes with risks of leaks and information disclosure. Companies are forced to rely on private infrastructure and complex agreements to protect their data.

Super is a ready-to-use AI/Data marketplace and Decentralized Cloud powered by Confidential Computing. The platform enables AI projects to collaborate securely and effortlessly, with everything set up in just a few clicks, ensuring the highest level of security for clients.

I’m not sure I understand the purpose of decentralization. Couldn’t Microsoft Azure Confidential Computing be used for these purposes? Why build a decentralized network? And why is blockchain needed?

Imagine you have a Unique Dataset, and want to rent it to other companies for money.

You could store your dataset in a centralized Azure cloud that supports confidential computing, develop the necessary tools, and invite your partners to upload their models into your enclave for training.

However, for 99% of startups, this would be an overly complex and resource-intensive process.

At Super, we’ve already simplified this work for you.

But imagine that you hired people and successfully built this setup - you’ll then need to verify its code with all the Partners.

And will your partners need to audit it? At Super, we are gradually making our codebase fully open-source and ensuring it is audited by the top experts in the field.

Now, suppose you’ve solved these two challenges and established collaborations with multiple companies. How do you ensure fair cooperation for both sides? Specifically:

  • That the models operate within the agreed scenarios.
  • That datasets meet the required parameters.

Who should you entrust with this oversight? The best candidate is a smart contract. Smart contracts can enforce project rules, set operational constraints, and handle payment conditions. We’ve also completed this work for you—deploying such a smart contract on Super is a fully automated process.

Finally, if we’re talking about billions of AI agents interacting in a non-deterministic environment (which is the ultimate goal), the complexity of managing this ecosystem skyrockets. Envisioning a centralized “AI God” overseeing everything is simply unacceptable for our team. That’s why our entire infrastructure operates in a decentralized, self-sovereign manner, managed solely through smart contracts. This allows for limitless interactions between agents, programmed transparently within a blockchain ecosystem.

Our project offers an exclusive database of videos and images capturing New York City streets, including areas beyond the reach of Google Street View. We aim to make this data accessible to organizations and developers interested in utilizing it for training their models. However, safeguarding the integrity and security of our data is a top priority. Additionally, we need a reliable mechanism to verify that models were genuinely trained on our datasets. Could you assist us in developing a solution to address these requirements?

Super Protocol (Confidential Computing) provides an optimal solution for this challenge:

  1. Secure Data Access
    Data is uploaded into the Super trusted execution environment (TEE), where it remains encrypted. Developers upload their models, which are trained within the TEE, ensuring no access to the original data. No one, including Super developers, has access inside the TEE.
  2. Proof of Data Usage
    Remote attestation generates cryptographic proof that training occurred in a secure environment using your data. Data hashes verify and confirm their usage, ensuring transparency and trust.
  3. Protection of Trained Models
    Trained models remain protected and can only be accessed through an API provided by the TEE.

Result:
Your data stays confidential, while developers receive securely trained models along with proof of proper data usage.
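The three steps in the answer above (encrypted input inside the TEE, an attestation report that proves which code ran over which data, and a protected output) amount to one protocol: the TEE signs a report binding a code measurement, an input hash, an output hash and a verifier nonce, and the data owner checks that report against a policy. The Go program below is an added example of that protocol; it is not code from the original post or from Super Protocol. The ed25519 key pair is an assumption standing in for the hardware attestation key (a real GPU or CPU TEE report is signed by a vendor-rooted key and carries many more fields), and the workload, dataset and nonce values are constructed sample inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a cut-down stand-in for a hardware attestation report: only the
// fields the thread talks about. Real reports carry many more (firmware
// versions, debug flags, cert chain) and are signed by a vendor-rooted key.
type Report struct {
	Measurement [32]byte // hash of the workload code that ran in the TEE
	DatasetHash [32]byte // hash of the data owner's input
	ModelHash   [32]byte // hash of the trained artifact the TEE produced
	Nonce       [32]byte // verifier-chosen freshness value
}

// Marshal uses fixed-width fields so the signature covers each one unambiguously.
func (r Report) Marshal() []byte {
	b := make([]byte, 0, 4*32)
	b = append(b, r.Measurement[:]...)
	b = append(b, r.DatasetHash[:]...)
	b = append(b, r.ModelHash[:]...)
	return append(b, r.Nonce[:]...)
}

// TrainAndAttest is the TEE side: hash the input, run the workload (here a
// toy "training" that digests code||data), and sign a report binding code,
// data, output and nonce with the attestation key only the TEE can use.
func TrainAndAttest(attKey ed25519.PrivateKey, code, dataset []byte, nonce [32]byte) (Report, []byte) {
	model := sha256.New()
	model.Write(code)
	model.Write(dataset)
	r := Report{
		Measurement: sha256.Sum256(code),
		DatasetHash: sha256.Sum256(dataset),
		ModelHash:   sha256.Sum256(model.Sum(nil)),
		Nonce:       nonce,
	}
	return r, ed25519.Sign(attKey, r.Marshal())
}

// Policy is what the data owner requires before accepting a report.
type Policy struct {
	AttestationPub      ed25519.PublicKey // trusted attestation public key (assumed pre-provisioned)
	ExpectedMeasurement [32]byte          // hash of the audited workload code
	ExpectedDataset     [32]byte          // hash of the dataset rented out
	Nonce               [32]byte          // nonce issued for this session
}

var (
	ErrBadSignature = errors.New("report signature invalid")
	ErrMeasurement  = errors.New("workload measurement does not match audited code")
	ErrDataset      = errors.New("report does not reference our dataset")
	ErrNonce        = errors.New("stale or replayed report")
)

// Verify is the data owner side. Signature first: no field is trusted until
// an attestation key is known to have produced the report. The nonce check
// rejects replay of a genuine but old report.
func Verify(p Policy, r Report, sig []byte) error {
	if !ed25519.Verify(p.AttestationPub, r.Marshal(), sig) {
		return ErrBadSignature
	}
	if r.Measurement != p.ExpectedMeasurement {
		return ErrMeasurement
	}
	if r.DatasetHash != p.ExpectedDataset {
		return ErrDataset
	}
	if r.Nonce != p.Nonce {
		return ErrNonce
	}
	return nil
}

func main() {
	// Assumption: the verifier already trusts pub (in reality it chains to the vendor root).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	code := []byte("train.py (constructed workload)")
	dataset := []byte("nyc-street-frames (constructed sample data)")
	var nonce [32]byte
	_, _ = rand.Read(nonce[:])
	policy := Policy{AttestationPub: pub, ExpectedMeasurement: sha256.Sum256(code),
		ExpectedDataset: sha256.Sum256(dataset), Nonce: nonce}

	rep, sig := TrainAndAttest(priv, code, dataset, nonce)
	fmt.Println("genuine run:    ", Verify(policy, rep, sig))

	// Trained on other data, then the report is edited to claim our dataset:
	// the signature no longer covers the edited bytes.
	other, otherSig := TrainAndAttest(priv, code, []byte("unrelated data"), nonce)
	forged := other
	forged.DatasetHash = policy.ExpectedDataset
	fmt.Println("edited report:  ", Verify(policy, forged, otherSig))

	// A genuine report from an earlier session, replayed under a stale nonce.
	var oldNonce [32]byte
	old, oldSig := TrainAndAttest(priv, code, dataset, oldNonce)
	fmt.Println("replayed report:", Verify(policy, old, oldSig))
}
```

Two points the answer does not spell out but the check depends on. First, the dataset hash in the report is only evidence of data usage if it was computed inside the TEE over the decrypted input; if the untrusted host hashes one file and feeds another, the report is consistent and worthless, which is why the hash lives in the attested code path here. Second, the order of checks matters: the signature is verified before any field is read, and the nonce is bound into the signed bytes so a genuine report from a previous session cannot be replayed. Replacing the ed25519 stand-in with the vendor's attestation certificate chain is the part a real deployment must get right.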

If Super Protocol clients run CUDA applications in Confidential Computing mode, how does the performance compare to non-confidential computing mode?

A primary goal of delivering NVIDIA Confidential Computing (CC) to customers is that CUDA applications can run unchanged while maximizing the acceleration potential of the underlying hardware and software. CUDA provides lift-and-shift benefits to applications that will be run in CC mode. As a result, the NVIDIA GPU CC architecture is compatible with the CPU architectures that also provide application portability from non-confidential to CC environments.

Given the description so far, Super Protocol Confidential Computing workloads on the GPU perform close to non-CC mode when the amount of compute is large compared to the amount of input data. When the amount of compute is low compared to the input data, the overhead of communicating across the non-secure interconnect limits the application throughput. Please refer to the charts below for examples.

You may also want to watch Michael O’Connor, Chief Architect of NVIDIA, presenting NVIDIA CC during a joint talk with Super Protocol. At the 11:05 mark, Michael specifically addresses the performance topic: https://www.youtube.com/watch?v=EL8l7lFam3s

Another decentralized approach is to leverage federated learning, where the model weights are exchanged but the data stays private. Confidential federated learning, i.e. federated learning with Confidential Computing, can add another layer of security in that case. Check out NVIDIA FLARE.

Hello! We produce media content and want to digitize it to create NFT collections that we’ll distribute via blockchain under licensing agreements with our distributors and resellers. The problem is that smart contracts are public, so distributors can see the terms of their competitors. Is there a way to hide smart contracts and their parameters using your technology?

Yeah, we get this request a lot from the blockchain industry. With the Super Protocol, you can run your smart contracts in confidential mode and still give stakeholders proof of the transaction without revealing the details. We’ve implemented similar projects for Disney, Pearson, and Microsoft in several countries.

Suppose I want to deploy my AI-based digital assistant on your system and connect many different sources of personal data, including biometric data. Can your system guarantee that my personal data will be safe and stored for a long time?

Superprotocol makes it easy to connect to distributed storage systems like Filecoin and Storj, so you can use your own account without any hassle. We ensure the security of your entire computing stack with verifiable reports, starting from the creation of the TEE key for your task all the way to delivering the final results. This means no one - whether it’s a vendor, a developer from Superprotocol, or any third party - can tamper with your processes or access your data.

Thanks for the comment! I have another question: In our CryptoLoan project, we offer private loans and collateral services, and it’s critical to keep user data hidden. These processes involve handling large amounts of personal data in a way that’s both verifiable and secure, but implementing this on-chain is proving to be quite challenging. Could your solution help address this issue?

Yes, absolutely. One of the projects our team developed using confidential computing protocols was Aggregion, designed specifically for digital marketing purposes. The platform handled over 150 million customer profiles daily from retail networks, telecom providers, and banks. All data was strictly confidential, with measures in place to ensure zero risk of compromise. This case is detailed in a joint paper with Intel, which is attached to this response. Intel_confidential_computing_delivers_personal_shopping_1.pdf (292.4 KB)

Thanks for getting back to me! Quick question: How do we transfer data from Web2 to Web3 and guarantee it hasn’t been tampered with? We work with media providers, wrapping their content into NFTs with licenses. Chainlink is an option, but it’s expensive, slow, and limited. It gets even trickier when we need to transfer confidential data, process it, and verify it without revealing anything before writing it to the blockchain. Any ideas?

Using this guide, you can easily create and deploy an oracle. The oracle will be secure and verifiable, ensuring reliable value transfers between protocols or between a protocol and a Web2 system. Oracles can handle complex tasks, even with AI agents, with virtually no impact on performance. Example: Oracles | Super Protocol. If you have any questions or need assistance with your project, feel free to reach out to us at info@superprotocol.com, and we’ll be happy to help!