The Problem with Centralized FHE
Centralized FHE servers hold cryptographic keys in memory continuously, creating a persistent attack surface. The algebraic homomorphism that enables encrypted computation also creates structural vulnerabilities inherent to the deployment model — not bugs that can be patched, but consequences of the architecture itself.
The Inversion
Instead of running FHE on provider-owned servers, ship self-destructing disposable computation units to consumer hardware. The provider sells cryptographic capability, not compute time. Units exist only during active computation — milliseconds of attack surface instead of 24/7 exposure.
Three Deployment Models
BULLET
Single computation. One encrypted operation, then destruction. Secure voting, sealed-bid auctions, medical queries.
CAPSULE
N computations. A measured allocation of encrypted operations before automatic destruction. Recurring analytics, ML inference batches.
FUSE
Time-limited window. Active for a defined duration, then destruction regardless of operations consumed. Development, testing, burst workloads.
Self-Destruction
Destruction is not cleanup — it is an integral part of the computation lifecycle. After computation completes, cryptographic state is transformed into algebraic meaninglessness and zeroed from memory in microseconds. A destruction receipt — a cryptographic hash of the final system state — proves the computation occurred and the unit self-destructed, without revealing inputs, outputs, or keys.
Shadow Entropy Metering
Every FHE computation produces an irreducible cryptographic byproduct: shadow entropy. This byproduct serves simultaneously as the billing mechanism and the tamper detection system. The amount of shadow entropy a computation produces is deterministic and predictable from the circuit description — which is always public in FHE. Enforcement is mathematical, not contractual. There is no DRM to crack, no license server to spoof.
Dead Man's Switch
Five independent triggers fire immediate destruction with no graceful shutdown: integrity mismatch, memory access violation, clock anomaly, heartbeat timeout, and client-initiated abort. If destruction is fired by any of the first four triggers, the client receives no result. The adversary gets nothing.
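A small lifecycle model of the three deployment models and the dead man's switch described above, added here as an illustration and not taken from the Kiosk implementation. The `Unit` class, the `op` callback standing in for a homomorphic operation, the `budget_exhausted` and `window_expired` reasons, and the receipt layout are all assumptions.

```python
# Illustrative model: class names, reasons and receipt layout are assumptions.
import hashlib
import time
from enum import Enum

class Mode(Enum):
    BULLET = "bullet"    # one operation, then destruction
    CAPSULE = "capsule"  # N operations, then destruction
    FUSE = "fuse"        # fixed time window, then destruction

TRIGGERS = ("integrity_mismatch", "memory_access_violation",  # from the page
            "clock_anomaly", "heartbeat_timeout", "client_abort")

class Unit:
    def __init__(self, mode, key, ops=1, window_s=0.0, clock=time.monotonic):
        self.mode, self.clock, self.used, self.receipt = mode, clock, 0, None
        self.key = bytearray(key)  # mutable, so it can be overwritten in place
        self.ops_left = {Mode.BULLET: 1, Mode.CAPSULE: ops, Mode.FUSE: float("inf")}[mode]
        self.last_seen = clock()
        self.deadline = self.last_seen + window_s if mode is Mode.FUSE else None

    def destroy(self, reason):
        """Zero the key and issue the receipt; later calls change nothing."""
        if self.receipt is None:
            self.key[:] = bytes(len(self.key))
            final_state = f"{self.mode.value}|ops={self.used}|{reason}"
            self.receipt = hashlib.sha256(final_state.encode()).hexdigest()
        return self.receipt

    def trigger(self, name):
        if name not in TRIGGERS:
            raise ValueError(f"unknown trigger: {name}")
        return self.destroy(name)

    def compute(self, op, ciphertext):
        """Run one operation; returns (result, receipt or None)."""
        if self.receipt is not None:
            raise RuntimeError("unit already destroyed")
        now = self.clock()
        if now < self.last_seen:  # clock moved backwards: destroy, no result
            return None, self.trigger("clock_anomaly")
        if self.deadline is not None and now >= self.deadline:
            return None, self.destroy("window_expired")
        self.last_seen = now
        result = op(self.key, ciphertext)
        self.used += 1
        self.ops_left -= 1  # stays infinite for FUSE units
        done = self.ops_left == 0
        return result, (self.destroy("budget_exhausted") if done else None)
```

Overwriting a `bytearray` is best-effort in Python, since the runtime may hold other copies of the key; a real unit would need zeroization guarantees from its language and platform.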
Development Status
Core FHE Engine: Production-ready — 935+ tests, 0 failures
Shadow Entropy Harvesting: Implemented
Three-Lock Bootstrap: Verified — 3 paths, exact recovery
Fold / Destruction / Receipt: Implementation phase
WASM Compilation Target: Planned
Consumer Provisioning: Design phase
Interested in Licensing?
The Kiosk architecture is available for licensing. Get in touch to discuss integration, deployment models, and commercial arrangements.