So I was reading this article about Signal-creator Moxie Marlinspike’s new project, Confer , which claims to be a verifiably E2E encrypted LLM chat service. There are a couple of short blog articles that give the gist of it, and some github repos including this one that includes scripts for producing the VM that will run your particular LLM session. But if I’m following this all correctly, it implies that every chat session (or perhaps every logged-in user) would have their own VM running their own LLM to ensure that the chain of trust is complete. This seems impossible from a scalability perspective, as even small LLMs require huge quantities of RAM and compute. Did I miss something fundamental here?
The articles are light on detail but the code’s all there. The approach makes sense if the VMs are not cryptographically signed with the user’s key, but are just signed against another key to verify authenticity. I read it as if each VM was created on the fly for a user and signed with that users’s key, but that seems unlikely after re reading it.