So I was reading this article about Signal-creator Moxie Marlinspike’s new project, Confer, which claims to be a verifiably E2E encrypted LLM chat service. There are a couple of short blog articles that give the gist of it, and some GitHub repos including this one that includes scripts for producing the VM that will run your particular LLM session. But if I’m following this all correctly, it implies that every chat session (or perhaps every logged-in user) would have their own VM running their own LLM to ensure that the chain of trust is complete. This seems impossible from a scalability perspective, as even small LLMs require huge quantities of RAM and compute. Did I miss something fundamental here?


The blog article you link, I think, implies you do not have your own VM. LLMs are stateless; the previous conversation is fed in as part of the prompt.
You send your message, which is E2E encrypted. The LLM runs in an environment where it can decrypt your message and run it through the LLM, then send a response to you. Then it gets the next user’s message and replies to them.
The key part is that the LLM is running inside an encrypted environment not accessible to the host system, so no one can watch as it decrypts your message.
That’s what I get from reading your links.
Ok, I interpreted it to mean that the VMs were being created as-needed and were keyed to your key specifically (which would be the most secure scenario, I think) and couldn’t figure out how that could possibly work economically. But it makes more sense if just a separately encrypted host is decrypting your request and encrypting your reply along with everyone else’s.