Encryption and key management

Prompt encryption and key management are fundamental to Continuum's security architecture, ensuring that all data remains confidential from the service provider. Together with the other security mechanisms, this ensures that data is protected throughout its lifecycle. In Continuum, these processes are tightly integrated with the platform's attestation mechanisms, guaranteeing that encryption keys are only accessible to trusted, verified components.

How encryption works in Continuum

Continuum utilizes end-to-end encryption to protect data as it moves between the client and the server-side components, including the Attestation Service (AS) and AI worker nodes. The process involves several key steps:

1. Client-side encryption: Before sending any data to the Continuum platform, the client encrypts the data (referred to as a "prompt") using a symmetric encryption key. This key is generated and securely stored in the client's trusted environment.

2. Secure key exchange: The client then interacts with the AS to securely exchange encryption secrets. This involves the client verifying the AS's attestation report to ensure that it's interacting with a trusted and verified service. Once the AS is verified, the client securely uploads the encryption key to the AS.

3. Key distribution to workers: After the AS verifies the AI worker nodes through attestation, it securely distributes the encryption keys to the appropriate workers. These workers use the keys to decrypt the prompts, process the data, and then re-encrypt the results before sending them back to the client.

4. Response encryption: The AI worker nodes encrypt the inference results and send them back to the client through the encryption proxy. The client then decrypts the response using its locally stored decryption key.

Key management and attestation integration

Key management in Continuum is deeply integrated with the platform's attestation mechanisms. Here's how this integration works:

• Attestation-driven key distribution: The AS centrally handles the verification of AI worker nodes. Prompt encryption keys are only distributed to AI worker nodes after successful attestation. This ensures that keys are only available to trusted environments, preventing unauthorized access.

• Client verification of AS: Before engaging in key exchange, the client verifies the AS through its attestation report. This step ensures that the AS is operating in a secure and trusted environment, safeguarding the key exchange process.

• Service provider isolation: The AS and AI workers in Continuum are designed to operate independently of the service provider, meaning the provider has no access to encryption keys. This security is reinforced during the remote attestation process, where the client not only verifies the AS's integrity but also its identity. By inspecting the open-source code, clients can confirm that the AS is configured to prevent any unauthorized access by the service provider, ensuring that all encryption keys remain secure and exclusively controlled by the client.

The resulting flow is illustrated below:

Example workflow

Let's walk through a typical encryption and key management workflow in Continuum:

1. Client initialization: The client generates a symmetric encryption key and encrypts the prompt.

2. Attestation and key exchange: The client verifies the AS's attestation report and securely uploads the encryption key to the AS.

3. Worker node verification: The AS verifies the AI worker nodes, ensuring they meet the security requirements specified in the manifest.

4. Key distribution: The AS securely distributes the encryption key to the verified AI worker nodes.

5. Secure processing: The AI worker nodes decrypt the prompt, process the data, re-encrypt the results, and send them back to the client.