Concepts

Understand the core concepts that power Harpocrates' confidential AI infrastructure.

Encrypted Prompts

Your data is encrypted on your device before it leaves your infrastructure. Harpocrates uses a hybrid encryption scheme:

  • Asymmetric encryption for key exchange with the TEE enclave
  • Symmetric encryption (AES-256-GCM) for payload encryption
  • Perfect forward secrecy for each inference session

Only the TEE enclave can decrypt your data. Network operators, cloud providers, and even Harpocrates maintainers cannot access your plaintext prompts.
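
The hybrid scheme described above, sketched with Node's built-in crypto module as an added example (not Harpocrates' own code or SDK). The page names only AES-256-GCM; X25519 for the key exchange, HKDF-SHA256 for key derivation, the message layout and all function names here are assumptions.

```javascript
// Added example. Assumptions: X25519, HKDF-SHA256, the info label and the message layout.
const crypto = require("node:crypto");

// Fresh key pair for one session. For forward secrecy both sides discard theirs afterwards.
// Assumption: the enclave's session public key reaches the client in an attested channel.
function newSessionKeyPair() {
  return crypto.generateKeyPairSync("x25519");
}

// ECDH shared secret -> 256-bit AES key, salted with the client's ephemeral public key.
function deriveKey(privateKey, publicKey, salt) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync("sha256", shared, salt, "example-session-key", 32));
}

// Client side: encrypt the prompt for the enclave's session public key.
function sealPrompt(enclavePublicKey, prompt) {
  const eph = newSessionKeyPair();
  const ephPub = eph.publicKey.export({ type: "spki", format: "der" });
  const key = deriveKey(eph.privateKey, enclavePublicKey, ephPub);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, never reused under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(ephPub); // bind the ciphertext to this key exchange
  const ct = Buffer.concat([cipher.update(prompt, "utf8"), cipher.final()]);
  return { ephPub, iv, ct, tag: cipher.getAuthTag() };
}

// Enclave side: derive the same key and decrypt; final() throws if anything was altered.
function openPrompt(enclavePrivateKey, msg) {
  const clientPub = crypto.createPublicKey({ key: msg.ephPub, type: "spki", format: "der" });
  const key = deriveKey(enclavePrivateKey, clientPub, msg.ephPub);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, msg.iv);
  decipher.setAAD(msg.ephPub);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ct), decipher.final()]).toString("utf8");
}

// Constructed sample run.
const session = newSessionKeyPair();
const sealed = sealPrompt(session.publicKey, "constructed sample prompt");
console.log(openPrompt(session.privateKey, sealed), sealed.ct.length);
```

The GCM ciphertext is exactly as long as the plaintext, so an encrypted prompt still reveals its length to anyone on the path.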

Enclave Execution

Trusted Execution Environments (TEEs) provide hardware-enforced isolation for sensitive computations. When your encrypted data arrives:

  1. The enclave decrypts your data inside the secure boundary
  2. The AI model processes your data entirely within the TEE
  3. The result is encrypted before leaving the enclave
  4. An attestation is generated proving correct execution

The enclave's memory is encrypted and inaccessible to the host OS, other processes, or physical attacks. Even cloud administrators with root access cannot inspect the computation.

Zero-Knowledge Attestations

After inference completes, Harpocrates generates a zero-knowledge proof that cryptographically verifies:

  • The computation ran inside a genuine TEE enclave
  • The correct model was used for inference
  • No tampering occurred during execution
  • The output matches the encrypted input

These attestations are posted on-chain and can be independently verified by anyone, providing auditability without compromising privacy.

ETH-Based Billing on Horizen L3

All inference requests are metered and settled on Horizen L3 using ETH while ZEN is not yet live on that network. This provides:

  • Transparent pricing with on-chain receipts
  • No vendor lock-in or opaque billing practices
  • Automatic settlement without monthly invoices
  • Micropayments for individual inference requests

Pricing is based on model size, input tokens, and output tokens. Check the current rates in your dashboard or query the pricing API.

Privacy Guarantees

Harpocrates provides strong privacy guarantees through its layered architecture:

Data Confidentiality

Your prompts and responses are encrypted end-to-end. Neither the network operators nor the inference providers can access your plaintext data.

Computational Integrity

ZK attestations prove that your inference was computed correctly without revealing your input or intermediate states.

Verifiable Privacy

TEE remote attestation allows you to cryptographically verify that your data is processed in a genuine secure enclave.

Limitations and Assumptions

While Harpocrates provides strong privacy guarantees, it's important to understand the security model:

  • TEE security depends on hardware manufacturers (Intel, AMD)
  • Side-channel attacks may leak limited information about computation patterns
  • Model weights are visible to enclave operators (but not user data)
  • Output length and timing information may be observable

Harpocrates is designed for confidential computing, not anonymous computing. Metadata like request counts and timing are recorded for billing purposes.