Wednesday, June 24
 

12:45pm PDT

Characterizing NVIDIA Confidential Computing Overheads Across Model Inference & Training - Tanya Verma, Tinfoil
Wednesday June 24, 2026 12:45pm - 1:10pm PDT
We'll walk through where NVIDIA CC overheads appear in the model inference and training pipeline across GPU architectures and try to understand why.
Speakers

Tanya Verma

Cofounder, Tinfoil
Tanya is the cofounder of Tinfoil, which provides verifiably private AI. Before Tinfoil, she was a cryptography engineer at Cloudflare where she designed and deployed privacy and security protocols used by billions of users on the internet.
Gold Ballroom

12:45pm PDT

Session to be Announced
Wednesday June 24, 2026 12:45pm - 1:10pm PDT

Courtyard

1:15pm PDT

Session to be Announced
Wednesday June 24, 2026 1:15pm - 1:40pm PDT

Gold Ballroom

1:15pm PDT

Session to be Announced
Wednesday June 24, 2026 1:15pm - 1:40pm PDT

Courtyard

1:45pm PDT

ACompany Session (Speaker to be Announced)
Wednesday June 24, 2026 1:45pm - 2:10pm PDT

Courtyard

1:45pm PDT

Session to be Announced
Wednesday June 24, 2026 1:45pm - 2:10pm PDT

Gold Ballroom

2:15pm PDT

Panel Discussion: Speakers to be Announced
Wednesday June 24, 2026 2:15pm - 2:45pm PDT

Courtyard

3:00pm PDT

From Trust Assumptions To Trust Evidence: Why PKI and Confidential Computing Are Converging - Brian Trzupek, DigiCert
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Every regulated industry runs on the same uncomfortable bargain: multiple parties with conflicting interests agree to trust each other procedurally, because no tech mechanism exists to verify the claims they're making. An MRI running an AI diagnostic model involves at least 5 stakeholders: the AI vendor protecting IP, the hospital safeguarding patient data, the device mfg ensuring FW integrity, the regulator verifying the cleared algorithm is actually running, and the patient who never consented to their scan training someone else's model. Today, all of them take each other on faith. Confidential computing changes that equation from trust assumptions to trust evidence. This talk examines 2 concrete problem domains where we are applying HW-rooted attestation and PKI-based trust services to solve real, urgent problems. 1st, we walk through the brownfield medical device challenge: how do you retrofit TPM-based measured boot, model integrity verification, and remote attestation onto med. devices already deployed in the field without disrupting clinical operations? 2nd, we present DigiCert's work on AI agent ID for agentic AI systems; a problem that extends CC principles into the SW ID layer.
Speakers

Brian Trzupek

Sr. Vice President Product, DigiCert
Brian Trzupek is SVP of Product at DigiCert. A crypto and security tech by day and night, Trzupek brings nearly two decades of expertise on many security subjects to the team. He is often brainstorming use cases for enterprise PKI (Public Key Infrastructure) facilitated by the industry-leading...
Mint Ballroom

3:00pm PDT

Global Agentic Identity and Programmable Trust: Lessons Learned From the NATO DIANA Pilot - Manu Fontaine, Hushmesh Inc.
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
NATO DIANA, NATO’s innovation accelerator, is building a heterogeneous, cross-Allied ecosystem spanning innovators, mentors, test centers, ministries of defense, and other agencies across 32 Allied nations. This is the trust problem the Internet of Agents will face at global scale: how people, organizations, and their respective agents prove identity, authority, and credentials across trust boundaries without leaking private, confidential, or national-security knowledge.
To address this challenge, DIANA sought a “chip-level zero-trust” identity infrastructure. Confidential Computing sits at the root: identity, authentication, authorization, credentialing, and key management are all unified and verified from the chips up. Each entity acts through its agent with its own cryptographic identity, trust boundary, knowledge isolation, and globally verified execution.

In this session, we will share lessons from the DIANA pilot and show why Agentic Identity is the foundational layer of Programmable Trust for the Internet of Agents: a model for sovereign ecosystems where agents interact, coordinate, and transact under hardware-backed guarantees of verifiability, confidentiality, and privacy.

Speakers

Manu Fontaine

Founder and CEO, Hushmesh Inc.
Manu Fontaine is the Founder and CEO of Hushmesh, a dual-use, early-stage, Delaware Public Benefit Corporation in the Washington DC area. Hushmesh leverages Confidential Computing technology to develop, deploy, and operate "the Mesh": the Programmable Trust infrastructure for the...
Gold Ballroom

3:00pm PDT

Q-Day Survival Guide: What the Post-quantum Cryptography Transition Means for Confidential Computing - Arthur Savage, Red Hat
Wednesday June 24, 2026 3:00pm - 3:25pm PDT
Cryptographic algorithms will one day be broken by large quantum computers, necessitating the replacement of classical cryptography (like RSA) with post-quantum cryptography (PQC). This event, called Q-day, is a rolling deadline with previous estimates falling around 2035. However, in early 2026, many groundbreaking developments rapidly shortened Q-day estimates to 2030 or sooner, leaving little time to execute this unprecedented global cryptographic overhaul.

This talk will put Q-day in context for the audience: timelines, the recent scientific breakthroughs and how they alter threat models in open source, and which gaps and blockers are most pressing. Then, we view these blockers through the lens of confidential computing, from hardware to software. We will discuss current risks and best practices, then open the audience to discussion of the needs of diverse applications across the confidential computing ecosystem. This talk is both informative and information-gathering, fostering mutual understanding and collaboration to integrate PQC before time runs out. This talk will be technical, but no prior knowledge about PQC is necessary and we welcome participation from all.
Speakers

Arthur Savage

Software Engineer, Red Hat
Arthur Savage is a software engineer at Red Hat with a passion for cybersecurity. He has a Master's degree in Electrical and Computer Engineering with specialties in data analytics, image forensics, and post quantum cryptography.
Courtyard

3:30pm PDT

Privacy-Preserving Fraud Intelligence for India's Open Finance Ecosystem Using TEEs - Kiran Gopinath, Sahamati Foundation & Rene Kolga, Google Cloud
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
Loan fraud in India is a $4 billion annual problem. Simultaneously, it is very hard to detect and prevent this when each lender sees only their slice of a borrower's activity. India's Open Finance framework, called Account Aggregator, establishes the foundation for coordinated fraud prevention at scale. However, lenders cannot pool raw borrower data to combat it.

Aikya, built on a Trusted Execution Environment, provides the answer by running cross-institutional velocity checks inside a secure enclave where no participant sees another's data, turning a privacy constraint into a structural guarantee.

Sahamati Foundation governs India's Open Finance framework enabling individuals and businesses to share real-time financial data across financial institutions and fintechs with their consent. With over 1,000 participating entities and tens of millions of active data flows, it is one of the largest Open Finance deployments in the world.
Speakers

Kiran Gopinath

Chief Innovation Officer and Head Sahamati Labs, Sahamati Foundation
As Chief Innovation Officer at Sahamati, Kiran leads initiatives shaping India’s Account Aggregator ecosystem, one of the world’s fastest-growing Open Finance networks and is the founder of Sahamati Labs, where he drives innovation at the intersection of AI, Open Finance. His...

Rene Kolga

Sr Product Manager, Google Cloud
Rene Kolga, CISSP, has over 15 years of cybersecurity experience in the areas of endpoint protection, insider threat, encryption and vulnerability management. Currently, he is a Product Manager at Google on the Confidential Computing team. Prior to Google, Rene worked for Symantec...
Gold Ballroom

3:30pm PDT

Realizing Confidential VMs Ensuring Privacy of AI Features at LY Corporation in a Real-World Cloud - LY Corporation - Hiroki Narukawa & Akihiro Misawa, LY Corporation
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
This presentation shows a real-world example of our private cloud introducing Confidential VMs based on SEV-SNP, where the application in the container is included in the trust boundary.

At LY Corporation, as part of our privacy enhancement for LINE (messaging app with 194 million active users), we provide Confidential VMs powered by AMD SEV-SNP in our private cloud. This ensures that even employees cannot access data input to AI systems, and that the data remains protected even in the event of infrastructure compromise.

This session focuses on two parts: one is the mobile client perspective, the other is the cloud-user perspective.

In our Confidential VM implementation, the whole system, including the application, can be attested to the mobile clients using the Attestation Report feature of SEV-SNP.

Our implementation includes SEV-SNP support in OpenStack, OVMF provisioning to ensure attestation, and our OS image to ensure that only the expected application is running. By designing the chain of trust, everything including OVMF, kernel, OS image and container image is included inside the trust boundary, while cloud users can use the common OS image.
Speakers

Akihiro Misawa

Infrastructure Engineer, LY Corporation
An infrastructure engineer at LY Corporation, working on system infrastructure. Involved in OS image management, automation, and internal tooling to support service operations at scale.

Hiroki Narukawa

Software Engineer, LY Corporation
Software Engineer at LY Corporation, working on IaaS.
Mainly developing software running inside hypervisor or bare-metal nodes. I often scope on low-layer problems.
He works on developing software and managing versions of OpenStack, qemu, libvirt. He has contributed some patches to...
Mint Ballroom

3:30pm PDT

WhatsApp Private Processing - Kevin Hui, Yunqi Li, Sidharth Verma, Henry Wang & Varun Patil, Meta
Wednesday June 24, 2026 3:30pm - 3:55pm PDT
WhatsApp (Meta) launched its flagship Confidential Computing use-case last year (https://engineering.fb.com/2025/04/29/security/whatsapp-private-processing-ai-tools/), introducing one of the first large-scale applications of confidential computing. In this presentation, we will go over an overview of how Private Processing works, the operational lessons we learned while deploying confidential virtual machines at the scale of WhatsApp, and where we think the evolution of our Private Processing stack will take us for years to come.

Topics:
- CVM hardening
- Binary transparency
- OHTTP
- Remote Attestation TLS (RA-TLS)
- Debugging CVMs in production
- Virtual Research Environment
- And others
Speakers

Kevin Hui

Software Engineer, Meta
Kevin works on the Private Compute Platform team at Meta. This team is responsible for the infrastructure surrounding Private Processing and other privacy-preserving products at Meta leveraging Trusted Execution Environments.

Kevin focuses on the build tooling and virtualization aspects of Confidential Virtual Machines, enabling developers at Meta to write privacy-first products without having to worry about the low-level details surrounding confidential computing...

Yunqi Li

Research Scientist, Meta
Yunqi works on the WhatsApp Server Privacy team, where they contribute to core messaging systems and privacy-focused technologies including Trusted Execution Environments (TEE), Binary Transparency, and Audit Transparency.

At the intersection of systems engineering and applied...

Sidharth Verma

Software Engineer, Meta
Sidharth is a Software Engineer on Meta Superintelligence Lab's Inference Service Management team. His specific focus area is TEE inference infrastructure, helping to enable the next generation of SOTA models for private inference at large scale.

Varun Patil

Research Scientist, Meta Platforms Inc
Varun is a researcher at Meta building Private Processing, WhatsApp's secure and private AI inference platform powered by trusted execution.

Henry Wang

SWE, Meta
N/A.
Courtyard

4:00pm PDT

A Large-Scale Data Clean Room Case Study in Japan: Confidential Computing and Privacy Regulations - ACompany (Speakers to be Announced)
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
AI model advancement demands cross-enterprise data collaboration, but strict privacy regulations create barriers. This session explores a commercialized Data Clean Room in Japan by Acompany and KDDI, a Fortune Global 500 telecom company.
We will share the architecture enabling secure data matching and privacy-preserving AI development. We detail how this satisfies the strict third-party data transfer restrictions under Japan's Act on the Protection of Personal Information (APPI). By keeping the calculation process protected, enterprises can jointly analyze sensitive large-scale datasets—including personal and location data—without exposing raw information to partners.
Furthermore, we explore the relationship between policy discussions and CC in Japan. With CC recognized as an essential data security technology in public and private sectors, we discuss the potential for market expansion. We provide insights into how bridging governance and technology creates a scalable confidential AI infrastructure.

Note: Session content is subject to minor changes.
Gold Ballroom

4:00pm PDT

Overview of the AWS Nitro System: Building Trust Through Secure Cloud Infrastructure - Matthew Wilson, Amazon
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
The AWS Nitro System is the foundation for modern Amazon EC2 instances that enables AWS to innovate faster, reduce cost for customers, and deliver added benefits like increased security and new instance types. We've applied formal methods to the Nitro System since day one. AWS has reimagined our virtualization infrastructure. Traditionally, hypervisors protect physical hardware and BIOS, virtualize CPU, storage, and networking, and provide management capabilities. The Nitro System breaks apart those functions, offloads them to dedicated hardware and software, and reduces costs by delivering nearly all server resources to instances.

This session explores the architecture and security model of the Nitro System, demonstrating how offloading virtualization functions minimizes the hypervisor attack surface and enables features like secure boot and Nitro Enclaves. We'll introduce the Nitro Isolation Engine, where we've applied formal methods. Starting from proving correctness properties of early boot firmware and the API endpoint component of the Nitro Controller, the Nitro Isolation Engine is a minimal trusted computing base and is a default capability of AWS Graviton5 processors.
Speakers

Matthew Wilson

Vice President/Distinguished Engineer at Amazon, Amazon
Matt Wilson is a Vice President and Distinguished Engineer at Amazon Web Services. He leads the technical architecture of the Amazon Software Development Experience (ASBX) division, which owns secure software development lifecycle tools and processes. Matt was a lead designer of the...
Courtyard

4:00pm PDT

Private Model as a Service: Zero-Trust Blueprint for Protecting AI Weights - Marcos Entenza, Red Hat
Wednesday June 24, 2026 4:00pm - 4:25pm PDT
In the agentic era, deploying proprietary AI on-premises raises a critical question: how do you protect model IP when infrastructure admins have full hardware access? This session introduces Private Model as a Service (PMaaS), a production-ready reference architecture that secures AI model weights across their entire lifecycle using hardware-rooted Trusted Execution Environments (TEEs).

We dive into the technical orchestration of Confidential Containers (CoCo) and KServe to build a cryptographically verified inference pipeline with vLLM. Model weights are distributed and decrypted exclusively inside hardware-verified CPU TEEs (Intel TDX, AMD SEV-SNP) with GPU memory protection (NVIDIA H100/B200). Remote attestation via a Key Broker Service (KBS) ensures decryption keys are only released to policy-compliant, verified environments.

We also cover the challenges of running vLLM inside restricted TEEs and our work upstreaming GPU attestation logic into Kata Containers and CoCo. Attendees leave with a practical blueprint for deploying zero-trust confidential AI workloads that decouple model security from infrastructure trust.
Speakers

Marcos Entenza

Sr. Principal Product Manager, Red Hat
Marcos Entenza, a.k.a Mak, works on the core Red Hat OpenShift Container Platform for hybrid and multi-cloud environments to enable customers to run Red Hat OpenShift anywhere. Mak is an experienced Product Manager passionate about building scalable infrastructures, and he oversees...
Mint Ballroom
 