Feb 2, 2026

Risks and Benefits of Emerging Cryptographic Primitives for Compute Governance

Harry Powell

International cooperation on AI safety requires verification without surveillance. We examine how emerging cryptographic primitives - Fully Homomorphic Encryption (FHE) and Indistinguishability Obfuscation (iO) - could enable privacy-preserving compute governance.

We present two protocols of increasing strength. The first uses FHE to allow compute providers to enforce safety policies on encrypted programs, preserving user privacy while requiring hardware verification for provider compliance. The second adds obfuscation to provide cryptographic guarantees against user-provider collusion, reducing hardware verification to boundary monitoring.

Neither protocol requires users to disclose their programs in plaintext. Both point toward a future where cryptography and physical verification work together to govern powerful computation.

To validate this capability, we include a reference implementation of the second protocol’s architecture. This proof-of-concept utilizes Zero-Knowledge proofs (Schnorr) and ElGamal encryption to demonstrate that boundary verification can be enforced cryptographically without ever decrypting the user's workload.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Impressive and well thought out project!The two protocol design with escalating trust assumptions is clean and the threat model analysis is honest. Next steps would be going deeper into what "safety checking" means for realistic training workloads in the wild

Impact potential & innovation: 3

I appreciate the honesty here in describing the two-protocol structure. But the safety checker section is vague, and overall the project is very conceptual.

Execution quality: 2

There is not a huge amount of execution here. The implementation is fine but insubstantial. And the LLM-based safety checker seems weak.

Presentation & clarity: 4

Well-structured, honest about limitations. I particularly like the comparison table - it's clear & useful.

Cite this work

@misc {

title={

(HckPrj) Risks and Benefits of Emerging Cryptographic Primitives for Compute Governance

},

author={

Harry Powell

},

date={

2/2/26

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

View All

Feb 2, 2026

Markov Chain Lock Watermarking: Provably Secure Authentication for LLM Outputs

We present Markov Chain Lock (MCL) watermarking, a cryptographically secure framework for authenticating LLM outputs. MCL constrains token generation to follow a secret Markov chain over SHA-256 vocabulary partitions. Using doubly stochastic transition matrices, we prove four theoretical guarantees: (1) exponentially decaying false positive rates via Hoeffding bounds, (2) graceful degradation under adversarial modification with closed-form expected scores, (3) information-theoretic security without key access, and (4) bounded quality loss via KL divergence. Experiments on 173 Wikipedia prompts using Llama-3.2-3B demonstrate that the optimal 7-state soft cycle configuration achieves 100\% detection, 0\% FPR, and perplexity 4.20. Robustness testing confirms detection above 96\% even with 30\% word replacement. The framework enables $O(n)$ model-free detection, addressing EU AI Act Article 50 requirements. Code available at \url{https://github.com/ChenghengLi/MCLW}

Read More

Feb 2, 2026

Prototyping an Embedded Off-Switch for AI Compute

This project prototypes an embedded off-switch for AI accelerators. The security block requires periodic cryptographic authorization to operate: the chip generates a nonce, an external authority signs it, and the chip verifies the signature before granting time-limited permission. Without valid authorization, outputs are gated to zero. The design was implemented in HardCaml and validated in simulation.

Read More

Feb 2, 2026

Fingerprinting All AI Cluster I/O Without Mutually Trusted Processors

We design and simulate a "border patrol" device for generating cryptographic evidence of data traffic entering and leaving an AI cluster, while eliminating the specific analog and steganographic side-channels that post-hoc verification can not close. The device eliminates the need for any mutually trusted logic, while still meeting the security needs of the prover and verifier.

Read More

Feb 2, 2026

Markov Chain Lock Watermarking: Provably Secure Authentication for LLM Outputs

We present Markov Chain Lock (MCL) watermarking, a cryptographically secure framework for authenticating LLM outputs. MCL constrains token generation to follow a secret Markov chain over SHA-256 vocabulary partitions. Using doubly stochastic transition matrices, we prove four theoretical guarantees: (1) exponentially decaying false positive rates via Hoeffding bounds, (2) graceful degradation under adversarial modification with closed-form expected scores, (3) information-theoretic security without key access, and (4) bounded quality loss via KL divergence. Experiments on 173 Wikipedia prompts using Llama-3.2-3B demonstrate that the optimal 7-state soft cycle configuration achieves 100\% detection, 0\% FPR, and perplexity 4.20. Robustness testing confirms detection above 96\% even with 30\% word replacement. The framework enables $O(n)$ model-free detection, addressing EU AI Act Article 50 requirements. Code available at \url{https://github.com/ChenghengLi/MCLW}

Read More

Feb 2, 2026

Prototyping an Embedded Off-Switch for AI Compute

This project prototypes an embedded off-switch for AI accelerators. The security block requires periodic cryptographic authorization to operate: the chip generates a nonce, an external authority signs it, and the chip verifies the signature before granting time-limited permission. Without valid authorization, outputs are gated to zero. The design was implemented in HardCaml and validated in simulation.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.