Most AI on blockchain applications today still rely heavily on trust.
- The AI inference happens on centralized servers.
- The wallet keys live in backend infrastructure.
- Smart contracts trust APIs blindly.
- And users have no way to verify what actually happened off-chain.
In this tutorial, we’ll build something far more advanced:
A verifiable confidential AI execution layer using:
- Oasis Sapphire
- ROFL (Runtime Offchain Logic)
- Intel TDX Trusted Execution Environments
- Remote Attestation
- Enclave-managed wallet signing
- Cross-chain transaction execution
This architecture enables:
- Private AI inference
- Verifiable off-chain execution
- Secure enclave wallet management
- Cross-chain automation
- Trust-minimized AI agents
Without needing zkML or expensive zkVM proving systems.
What We’re Building
+---------------------------------------------------+
| User / dApp |
+--------------------+------------------------------+
|
v
+---------------------------------------------------+
| Sapphire Smart Contract |
|---------------------------------------------------|
| - Stores trusted ROFL identities |
| - Verifies enclave signatures |
| - Accepts/verifies AI execution results |
+--------------------+------------------------------+
^
|
Signed attested result
|
+---------------------------------------------------+
| ROFL App Inside Intel TDX |
|---------------------------------------------------|
| - Runs AI inference |
| - Calls APIs |
| - Generates wallet keys internally |
| - Signs responses |
| - Performs remote attestation |
+--------------------+------------------------------+
|
v
External APIs / Other Chains / LLMs
Why This Matters
Most AI agents today suffer from major trust issues.
| Problem | Why It Matters |
| ------------------------------------------------------------------|
| Centralized inference | Outputs can be manipulated |
| Backend wallet custody | Keys can be stolen |
| Hidden execution logic | Impossible to audit |
| Fake oracle data | Contracts trust unverifiable APIs |
| Cross-chain trust assumptions | Bridges increase attack surface |
ROFL changes this entirely.
Instead of trusting a backend server:
- computation runs inside a Trusted Execution Environment
- outputs are cryptographically signed
- enclave identities are attested
- smart contracts verify execution authenticity
This creates trustless off-chain compute.
Core Technologies
Sapphire
Sapphire is Oasis Network’s confidential EVM runtime.
Features:
- encrypted calldata
- encrypted state
- confidential smart contract execution
- Solidity/EVM compatibility
Unlike traditional EVM chains, node operators cannot inspect execution data.
ROFL (Runtime Offchain Logic)
ROFL allows developers to run arbitrary off-chain logic inside TEEs.
This means your application can:
- call APIs
- run AI models
- sign transactions
- manage secrets
- execute autonomous workflows
while remaining cryptographically verifiable.
Intel TDX
Intel TDX provides confidential virtual machines with:
- encrypted memory
- hardware isolation
- attestation support
- strong execution guarantees
ROFL supports TDX-backed confidential compute environments.
Architecture Deep Dive
User Prompt
|
v
+-----------------------------------+
| Sapphire Smart Contract |
+-----------------------------------+
|
v
+-----------------------------------+
| ROFL TDX Enclave |
|-----------------------------------|
| 1. Receives encrypted request |
| 2. Runs AI inference |
| 3. Generates signed result |
| 4. Signs with enclave wallet |
+-----------------------------------+
|
v
Cross-chain execution
|
v
Ethereum / Base / Arbitrum
Step 1: Install Oasis CLI
curl -sSL https://get.oasis.io | bash
Verify installation:
oasis --version
Step 2: Create a ROFL Application
mkdir ai-executor
cd ai-executor
oasis rofl init
This generates:
rofl.yaml
The manifest defines:
- enclave configuration
- TEE type
- networking
- policies
- deployment settings
Step 3: Configure ROFL Manifest
Example advanced configuration:
name: ai-executor
version: 0.1.0
tee: tdx
kind: containers
resources:
memory: 8192
cpus: 4
network:
paratime: sapphire
policy:
quotes:
pcs:
tdx: {}
container:
runtime: docker
Important Manifest Settings
| Field | Purpose |
| ------------|--------------------------------|
| tee | TEE backend (SGX/TDX) |
| kind | Raw or containerized workloads |
| resources | Enclave memory + CPU |
| network | Connected ParaTime |
| policy | Attestation requirements |
Step 4: Build the Enclave
oasis rofl build
This generates an ORC bundle:
my-app.orc
The bundle includes:
- enclave measurements
- metadata
- binaries
- identity hashes
Step 5: Generate Wallet Keys Inside the Enclave
This is one of the most powerful features.
Traditional AI agents store keys:
- in
.envfiles - in cloud KMS systems
- in backend infrastructure
Instead:
Wallet Key Generated INSIDE TEE
↓
Key Never Leaves Enclave
↓
Transactions Signed Securely
No backend custody required.
Example Rust Wallet Generation
use k256::ecdsa::SigningKey;
use rand_core::OsRng;
fn generate_wallet() -> SigningKey {
SigningKey::random(&mut OsRng)
}
The private key only exists inside enclave memory.
Step 6: Run AI Inference Securely
Example inference service:
from transformers import pipeline
classifier = pipeline(
"text-classification",
model="distilbert-base-uncased"
)
result = classifier("Execute strategy?")
print(result)
Inside ROFL:
- prompts remain confidential
- inference is hidden from operators
- outputs are signed by the enclave
Secure AI Execution Flow
User Prompt
↓
ROFL Enclave
↓
Private AI Inference
↓
Signed Output
↓
Sapphire Verification
Step 7: Remote Attestation
Attestation proves:
“This exact code executed inside genuine TDX hardware.”
Without attestation:
- TEEs are just claims
With attestation:
- contracts can verify enclave authenticity
Attestation Flow
ROFL App Starts
↓
TEE Generates Measurement
↓
Attestation Quote Produced
↓
Quote Registered On-Chain
↓
Sapphire Verifies Identity
Step 8: Register the ROFL App
Create the application:
oasis rofl create \
--network testnet \
--paratime sapphire
Deploy updates:
oasis rofl update
This stores:
- enclave identities
- measurements
- execution policy
- attestation configuration
on-chain.
Step 9: Smart Contract Verification
Now we create a Sapphire contract that verifies:
- enclave identity
- signatures
- trusted execution
Solidity Verification Contract
pragma solidity ^0.8.20;
contract VerifiedAIExecutor {
mapping(bytes32 => bool) public trustedEnclaves;
function registerEnclave(bytes32 enclaveId) external {
trustedEnclaves[enclaveId] = true;
}
function verifyExecution(
bytes32 enclaveId,
bytes calldata signature,
bytes calldata result
) external view returns (bool) {
require(trustedEnclaves[enclaveId], "Untrusted enclave");
// Signature verification logic
return true;
}
}
Step 10: Cross-Chain Transaction Execution
This is where things become extremely powerful.
The enclave can:
- manage Ethereum wallets
- sign Base transactions
- execute Arbitrum transactions
- interact with multiple chains
without bridges.
Cross-Chain Execution Flow
AI Strategy Generated
↓
TEE Decides Action
↓
TEE Signs Transaction
↓
Broadcast To Ethereum RPC
↓
Result Returned To Sapphire
This enables:
- autonomous trading systems
- AI treasury management
- confidential DAO executors
- secure cross-chain agents
Step 11: Deterministic Execution Logging
AI outputs are often nondeterministic.
To improve auditability:
- hash prompts
- hash outputs
- hash model versions
Example:
let hash = sha256(prompt + model_version + output);
Then store:
- output hash
- enclave ID
- timestamp
on-chain.
Security Considerations
TEEs are powerful but not perfect.
Potential risks:
- side-channel attacks
- hardware trust assumptions
- speculative execution vulnerabilities
Still, TEEs provide dramatically stronger guarantees than centralized servers.
Why This Architecture Is Important
Traditional AI systems rely on:
- trusted cloud providers
- centralized APIs
- backend custody
ROFL + Sapphire introduces:
| Traditional Backend | ROFL + Sapphire |
|---|---|
| Centralized inference | TEE-attested inference |
| Backend wallet storage | Enclave-managed keys |
| Hidden execution | Verifiable execution |
| API trust assumptions | Hardware-backed trust |
| Centralized orchestration | Permissionless infrastructure |
Real-World Use Cases
Verifiable AI Trading Agents
The enclave:
- runs private strategies
- signs trades
- proves execution authenticity
Confidential Healthcare AI
- patient data remains private
- inference occurs inside TEEs
- outputs become auditable
Autonomous DAO Executors
AI agents:
- propose governance actions
- execute treasury operations
- prove execution legitimacy
Multi-Chain AI Wallet Infrastructure
One enclave can securely control:
- Ethereum
- Base
- Arbitrum
- future ecosystems
without custodial bridges.
The Bigger Picture
ROFL introduces something Web3 desperately needs:
Trustless Off-Chain Compute
Not:
- “another oracle”
- “another AI chain”
But:
- verifiable computation
- confidential execution
- autonomous infrastructure
This creates a new primitive between:
- smart contracts
- AI infrastructure
- confidential computing
- cross-chain orchestration
Final Thoughts
Most AI + blockchain systems today still require enormous trust assumptions.
With:
- Sapphire
- ROFL
- TDX
- attestation
- enclave-managed wallets
developers can finally build systems where:
- computation is private
- outputs are verifiable
- execution is cryptographically authenticated
This unlocks:
- autonomous AI agents
- confidential DeFi automation
- verifiable off-chain compute
- secure cross-chain execution
- trusted AI infrastructure
And this is likely only the beginning of what confidential compute on Oasis can enable.
Top comments (0)