Google Releases 'Private AI Compute' — Secure AI Processing With...
The company said it has built Private AI Compute to "unlock the full speed and power of Gemini cloud models for AI experiences, while ensuring your personal data stays private to you and is not accessible to anyone else, not even Google."
Google's CPU and TPU workloads run on what it calls trusted nodes, which rely on an AMD-based hardware Trusted Execution Environment (TEE) that encrypts the workload's memory and isolates it from the host. The tech giant noted that only attested workloads can run on the trusted nodes, and that administrative access to the workloads is cut off. The nodes are also hardened against physical data exfiltration attacks.
The infrastructure further supports peer-to-peer attestation and encryption between the trusted nodes, so that user data is decrypted and processed only inside the protected execution environment and remains shielded from the broader Google infrastructure.
"Each workload requests and cryptographically validates the workload credentials of the other, ensuring mutual trust within the protected execution environment," Google explained. "Workload credentials are provisioned only upon successful validation of the node's attestation against internal reference values. Failure of validation prevents connection establishment, thus safeguarding user data from untrusted components."
The overall process flow works like this: the user's client establishes a Noise-protocol encrypted connection to a frontend server and performs bidirectional attestation over it. The client also validates the server's identity through an Oak end-to-end encrypted attested session, confirming that the server is genuine and has not been modified.
The frontend server then sets up an Application Layer Transport Security (ALTS) encrypted channel to the other services in the scalable inference pipeline, which in turn communicate with model servers running on the hardened TPU platform. The entire system is "ephemeral by design": an attacker who manages to gain privileged access to the system cannot recover past data, because inputs, model inferences and intermediate computations are discarded as soon as the user session ends.
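The two properties Google describes above, mutual attestation checked against reference values and workload credentials that exist only after that check succeeds, are easy to get subtly wrong (accepting stale evidence, or issuing credentials before validation). The following is an added, self-contained toy written for this page; it is not Google's code and does not model the Noise, Oak or ALTS handshakes. It assumes per-role HMAC keys in place of the hardware-rooted attestation signature and a single `CREDENTIAL_KEY` in place of whatever component provisions workload credentials; the reference values, node names and image bytes are constructed for the example. Each peer challenges the other with a fresh nonce, validates the returned evidence (signature, role, nonce, measurement against the reference set), and only then is a credential bound to that evidence issued. Any failure aborts the connection, and evidence produced for an earlier challenge is rejected.

```python
"""Added illustration of mutual attestation gating workload credentials (toy, stdlib only)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AttestationError(Exception):
    """Validation failed: the connection is not established and no credential is issued."""


# Constructed reference values: digests of the approved workload image for each role.
REFERENCE_VALUES = {
    "frontend": hashlib.sha256(b"frontend-image-v1").hexdigest(),
    "model-server": hashlib.sha256(b"model-server-image-v1").hexdigest(),
}

# Assumed trust anchors. A real TEE signs evidence with a hardware-rooted key that
# chains to the vendor; a per-role HMAC key stands in for that here. CREDENTIAL_KEY is
# the assumed secret of whatever issues workload credentials after validation.
ATTESTATION_KEYS = {role: secrets.token_bytes(32) for role in REFERENCE_VALUES}
CREDENTIAL_KEY = secrets.token_bytes(32)


@dataclass
class Node:
    role: str
    image: bytes  # the code actually loaded; the "TEE" measures it

    def measurement(self) -> str:
        return hashlib.sha256(self.image).hexdigest()

    def attest(self, peer_nonce: bytes) -> tuple[bytes, bytes]:
        """Evidence bound to the peer's fresh nonce, plus its signature (HMAC stand-in)."""
        evidence = f"{self.role}|{self.measurement()}|{peer_nonce.hex()}".encode()
        return evidence, hmac.new(ATTESTATION_KEYS[self.role], evidence, hashlib.sha256).digest()


def verify_evidence(evidence: bytes, tag: bytes, expected_role: str, expected_nonce: bytes) -> None:
    """Fail closed unless evidence is authentic, fresh, for the expected role and in the reference set."""
    key = ATTESTATION_KEYS.get(expected_role)
    if key is None or not hmac.compare_digest(tag, hmac.new(key, evidence, hashlib.sha256).digest()):
        raise AttestationError("evidence signature invalid")
    role, measurement, nonce_hex = evidence.decode().split("|")
    if role != expected_role:
        raise AttestationError(f"role mismatch: got {role}, expected {expected_role}")
    if not hmac.compare_digest(nonce_hex, expected_nonce.hex()):
        raise AttestationError("nonce mismatch: stale or replayed evidence")
    if not hmac.compare_digest(measurement, REFERENCE_VALUES[expected_role]):
        raise AttestationError(f"{role} measurement not in reference values")


def provision_credential(evidence: bytes, tag: bytes, expected_role: str, expected_nonce: bytes) -> bytes:
    """A workload credential is issued only after validation succeeds, bound to this exchange."""
    verify_evidence(evidence, tag, expected_role, expected_nonce)
    return hmac.new(CREDENTIAL_KEY, evidence, hashlib.sha256).digest()


def establish(a: Node, b: Node, a_expects: str, b_expects: str) -> tuple[bytes, bytes]:
    """Bidirectional attestation: each peer challenges and validates the other before any credential exists."""
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    ev_a, tag_a = a.attest(nonce_b)  # a answers b's challenge
    ev_b, tag_b = b.attest(nonce_a)  # b answers a's challenge
    cred_b = provision_credential(ev_b, tag_b, a_expects, nonce_a)  # a validates b
    cred_a = provision_credential(ev_a, tag_a, b_expects, nonce_b)  # b validates a
    return cred_a, cred_b


def connection_refused(a: Node, b: Node, a_expects: str, b_expects: str) -> bool:
    """True if mutual attestation aborts, i.e. no connection and no credentials."""
    try:
        establish(a, b, a_expects, b_expects)
    except AttestationError:
        return True
    return False


def replay_refused() -> bool:
    """Evidence produced for one challenge must not satisfy a later one."""
    node = Node("frontend", b"frontend-image-v1")
    old_nonce, new_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    evidence, tag = node.attest(old_nonce)
    try:
        verify_evidence(evidence, tag, "frontend", new_nonce)
    except AttestationError:
        return True
    return False


if __name__ == "__main__":
    good_fe = Node("frontend", b"frontend-image-v1")
    good_ms = Node("model-server", b"model-server-image-v1")
    bad_ms = Node("model-server", b"model-server-image-v1-backdoored")  # not in reference values
    creds = establish(good_fe, good_ms, "model-server", "frontend")
    print("approved pair: issued", len(creds), "credentials")
    print("tampered model server refused:", connection_refused(good_fe, bad_ms, "model-server", "frontend"))
    print("replayed evidence refused:", replay_refused())
```

The ordering inside `establish` is the point: credentials are a result of validation, never an input to it, so a node whose measurement is not in `REFERENCE_VALUES`, or which presents evidence for someone else's challenge, never obtains anything to connect with. In a production design the HMAC stand-ins would be replaced by the TEE vendor's signed attestation report and a certificate chain, and the credential would feed into an authenticated key exchange such as the Noise or ALTS handshakes the article mentions.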
Google has also touted the various protections baked into the system to maintain its security and integrity and prevent unauthorized modifications. These include -
NCC Group, which conducted an external assessment of Private AI Compute between April and September 2025, said it was able to discover a timing-based side channel in the IP blinding relay component that co
Source: The Hacker News