{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T08:03:30Z","timestamp":1776931410303,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":94,"publisher":"ACM","funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["No.62372218, No.U24A6009"],"award-info":[{"award-number":["No.62372218, No.U24A6009"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"HK RGC Collaborative Research Fund","award":["No. C5032-23GF"],"award-info":[{"award-number":["No. C5032-23GF"]}]},{"name":"Research Institute for Artificial Intelligence of Things, The Hong Kong Polytechnic University","award":[""],"award-info":[{"award-number":[""]}]},{"DOI":"10.13039\/100018735","name":"Ant Group","doi-asserted-by":"publisher","award":[""],"award-info":[{"award-number":[""]}],"id":[{"id":"10.13039\/100018735","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,10,18]]},"DOI":"10.1145\/3725843.3756104","type":"proceedings-article","created":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T17:19:56Z","timestamp":1760721596000},"page":"340-353","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["ccAI: A Compatible and Confidential System for AI Computing"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7039-033X","authenticated-orcid":false,"given":"Chenxu","family":"Wang","sequence":"first","affiliation":[{"name":"Research Institute of Trustworthy Autonomous Systems, Southern University of Science and Technology, Shenzhen, Guangdong, China; Department of Computer Science and Engineering, Southern University of Science and Technology, Shenzhen, 
Guangdong, China and Department of Computing, The Hong Kong Polytechnic University, Kowloon, Hong Kong, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-6281-9121","authenticated-orcid":false,"given":"Danqing","family":"Tang","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-6148-3104","authenticated-orcid":false,"given":"Changxu","family":"Ci","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-9249-0550","authenticated-orcid":false,"given":"Junjie","family":"Huang","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Southern University of Science and Technology, Shenzhen, Guangdong, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-9886-2368","authenticated-orcid":false,"given":"Yankai","family":"Xu","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Southern University of Science and Technology, Shenzhen, Guangdong, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3365-2526","authenticated-orcid":false,"given":"Fengwei","family":"Zhang","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Southern University of Science and Technology, Shenzhen, Guangdong, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2725-2529","authenticated-orcid":false,"given":"Jiannong","family":"Cao","sequence":"additional","affiliation":[{"name":"Department of Computing, The Hong Kong Polytechnic University, Kowloon, Hong Kong, 
China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-4802-9587","authenticated-orcid":false,"given":"Jie","family":"Song","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-9580-5395","authenticated-orcid":false,"given":"Shoumeng","family":"Yan","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-4027-0310","authenticated-orcid":false,"given":"Tao","family":"Wei","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-7682-1019","authenticated-orcid":false,"given":"Zhengyu","family":"He","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,10,17]]},"reference":[{"key":"e_1_3_3_1_2_2","unstructured":"Abhinav\u00a0Jauhri Aaron\u00a0Grattafiori Abhimanyu\u00a0Dubey et\u00a0al. 2024. The Llama 3 Herd of Models. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2407.21783 (2024)."},{"key":"e_1_3_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3079856.3080232"},{"key":"e_1_3_3_1_4_2","unstructured":"AlDanial. 2021. cloc. https:\/\/github.com\/AlDanial\/cloc."},{"key":"e_1_3_3_1_5_2","unstructured":"Alibaba. 2025. Alibaba Cloud AI and Data Intelligence. https:\/\/alibabacloud.com\/en\/solutions\/ai\/data-intelligence?_p_lc=1."},{"key":"e_1_3_3_1_6_2","unstructured":"AMD. 2023. AMD Radeon RX Graphics Cards. https:\/\/www.amd.com\/en\/graphics\/radeon-rx-graphics."},{"key":"e_1_3_3_1_7_2","unstructured":"AMD. 2023. AMD SEV-TIO: Trusted I\/O for Secure Encrypted Virtualization. 
https:\/\/www.amd.com\/content\/dam\/amd\/en\/documents\/developer\/sev-tio-whitepaper.pdf."},{"key":"e_1_3_3_1_8_2","unstructured":"AMD. 2024. FPGA Leadership Across Multiple Process Nodes. https:\/\/www.xilinx.com\/products\/silicon-devices\/fpga.html."},{"key":"e_1_3_3_1_9_2","unstructured":"ARM. 2023. Arm Mali Graphics Processing Units (GPUs). https:\/\/developer.arm.com\/ip-products\/graphics-and-multimedia\/mali-gpus."},{"key":"e_1_3_3_1_10_2","unstructured":"ARM. 2023. Arm System Memory Management Unit Architecture Specification. https:\/\/developer.arm.com\/documentation\/ihi0070\/latest\/."},{"key":"e_1_3_3_1_11_2","unstructured":"ARM. 2023. Ethos-N78. https:\/\/www.arm.com\/products\/silicon-ip-cpu\/ethos\/ethos-n78."},{"key":"e_1_3_3_1_12_2","unstructured":"ARM. 2023. Introducing Arm Confidential Compute Architecture Guide. https:\/\/developer.arm.com\/documentation\/den0125\/latest\/."},{"key":"e_1_3_3_1_13_2","volume-title":"Proceedings of the 30th USENIX Security Symposium","author":"Bahmani Raad","year":"2021","unstructured":"Raad Bahmani, Ferdinand Brasser, Ghada Dessouky, Patrick Jauernig, Matthias Klimmek, Ahmad-Reza Sadeghi, and Emmanuel Stapf. 2021. CURE: A Security Architecture with CUstomizable and Resilient Enclaves. In Proceedings of the 30th USENIX Security Symposium."},{"key":"e_1_3_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO61859.2024.00018"},{"key":"e_1_3_3_1_15_2","unstructured":"Victor Costan and Srinivas Devadas. 2016. Intel SGX Explained. IACR Cryptol. ePrint Arch. (2016)."},{"key":"e_1_3_3_1_16_2","volume-title":"USENIX Security Symposium","author":"Costan Victor","year":"2016","unstructured":"Victor Costan, Ilia\u00a0A. Lebedev, and Srinivas Devadas. 2016. Sanctum: Minimal Hardware Extensions for Strong Software Isolation. In USENIX Security Symposium."},{"key":"e_1_3_3_1_17_2","unstructured":"CVE. 2017. CVE-2017-17176. 
http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-17176."},{"key":"e_1_3_3_1_18_2","unstructured":"CVE. 2018. CVE-2018-12010. http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-12010."},{"key":"e_1_3_3_1_19_2","unstructured":"CVE. 2019. CVE-2019-2318. http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-2318."},{"key":"e_1_3_3_1_20_2","unstructured":"CVE. 2020. CVE-2020-5991. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-5991."},{"key":"e_1_3_3_1_21_2","unstructured":"CVE. 2022. CVE-2022-21821. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-21821."},{"key":"e_1_3_3_1_22_2","unstructured":"Haowei\u00a0Zhang Daya\u00a0Guo Dejian\u00a0Yang et\u00a0al. 2025. DeepSeek-R1: Incentivizing Reasoning Capability in LLMs via Reinforcement Learning. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2501.12948 (2025)."},{"key":"e_1_3_3_1_23_2","doi-asserted-by":"crossref","unstructured":"Whitfield Diffie and Martin Hellman. 1976. New Directions in Cryptography. IEEE Transactions on Information Theory (1976).","DOI":"10.1109\/TIT.1976.1055638"},{"key":"e_1_3_3_1_24_2","volume-title":"Recommendation for Block Cipher Modes of Operation: Galois\/Counter Mode (GCM) and GMAC","author":"Dworkin Morris\u00a0J","year":"2007","unstructured":"Morris\u00a0J Dworkin. 2007. Recommendation for Block Cipher Modes of Operation: Galois\/Counter Mode (GCM) and GMAC. Technical Report NIST SP 800-38D. National Institute of Standards and Technology. https:\/\/nvlpubs.nist.gov\/nistpubs\/legacy\/sp\/nistspecialpublication800-38d.pdf"},{"key":"e_1_3_3_1_25_2","unstructured":"Enflame Tech. 2025. Enflame S60. https:\/\/www.enflame-tech.com\/s60."},{"key":"e_1_3_3_1_26_2","unstructured":"Google. 2022. GPUs on Compute Engine. https:\/\/cloud.google.com\/compute\/docs\/gpus\/."},{"key":"e_1_3_3_1_27_2","unstructured":"Google. 2024. Tensor Processing Units (TPUs) - Google Cloud. https:\/\/cloud.google.com\/tpu."},{"key":"e_1_3_3_1_28_2","unstructured":"Google. 
2025. AI Infrastructure ML and DL Model Training. https:\/\/cloud.google.com\/ai-infrastructure\/."},{"key":"e_1_3_3_1_29_2","unstructured":"Google. 2025. Announcing A3 supercomputers with NVIDIA H100 GPUs purpose-built for AI. https:\/\/cloud.google.com\/blog\/products\/compute\/introducing-a3-supercomputers-with-nvidia-h100-gpu."},{"key":"e_1_3_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/ITNG.2014.31"},{"key":"e_1_3_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.23041"},{"key":"e_1_3_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378460"},{"key":"e_1_3_3_1_33_2","unstructured":"Intel. 2025. Intel Advanced Encryption Standard Instructions (AES-NI). https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/advanced-encryption-standard-instructions-aes-ni.html."},{"key":"e_1_3_3_1_34_2","unstructured":"Intel. 2025. Intel Agilex 7 FPGA F-Series 027. https:\/\/www.intel.com\/content\/www\/us\/en\/products\/sku\/208599\/intel-agilex-7-fpga-fseries-027-r25a\/ordering.html."},{"key":"e_1_3_3_1_35_2","unstructured":"Intel. 2025. Intel\u00ae 64 and IA-32 Architectures Software Developer Manuals. https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/intel-sdm.html."},{"key":"e_1_3_3_1_36_2","unstructured":"Intel. 2025. Quartus Prime Design Software. https:\/\/www.intel.com\/content\/www\/us\/en\/products\/details\/fpga\/development-tools\/quartus-prime.html."},{"key":"e_1_3_3_1_37_2","unstructured":"Intel Corporation. 2022. Intel Trust Domain Extensions. https:\/\/cdrdv2.intel.com\/v1\/dl\/getContent\/690419."},{"key":"e_1_3_3_1_38_2","unstructured":"Intel Corporation. 2023. Intel TDX Connect TEE-IO Device Guide. 
https:\/\/cdrdv2-public.intel.com\/772642\/whitepaper-tee-io-device-guide-v0-6-5.pdf."},{"key":"e_1_3_3_1_39_2","volume-title":"Proceedings of the 2023 USENIX Annual Technical Conference","author":"Ivanov Andrei","year":"2023","unstructured":"Andrei Ivanov, Benjamin Rothenberger, Arnaud Dethise, Marco Canini, Torsten Hoefler, and Adrian Perrig. 2023. SAGE: Software-based Attestation for GPU Execution. In Proceedings of the 2023 USENIX Annual Technical Conference."},{"key":"e_1_3_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304021"},{"key":"e_1_3_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO56248.2022.00019"},{"key":"e_1_3_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.23919\/cje.2021.00.089"},{"key":"e_1_3_3_1_43_2","volume-title":"Authentication Failures in NIST version of GCM","author":"Joux Antoine","year":"2006","unstructured":"Antoine Joux. 2006. Authentication Failures in NIST version of GCM. Technical Report. National Institute of Standards and Technology. https:\/\/csrc.nist.gov\/csrc\/media\/projects\/block-cipher-techniques\/documents\/bcm\/joux_comments.pdf"},{"key":"e_1_3_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSD.2019.00042"},{"key":"e_1_3_3_1_45_2","volume-title":"Proceedings of the 17th USENIX Symposium on Operating Systems Design and Implementation","author":"Mai Haohui","year":"2023","unstructured":"Haohui Mai, Jiacheng Zhao, Christos Kozyrakis, Mingyu Gao, Hongren Zheng, Quanxi Li, Zibin Liu, Cong Wang, Huimin Cui, and Xiaobing Feng. 2023. Honeycomb: An Secure, Efficient GPU Execution Environment with Minimal TCB. In Proceedings of the 17th USENIX Symposium on Operating Systems Design and Implementation."},{"key":"e_1_3_3_1_46_2","unstructured":"Michael Larabel. 2017. NVIDIA Sends Out Signed Firmware Images For GP108 Pascal GPUs. https:\/\/www.phoronix.com\/news\/NVIDIA-GP108-Firmware."},{"key":"e_1_3_3_1_47_2","unstructured":"Microsoft. 2025. Azure OpenAI Service. 
https:\/\/cazure.microsoft.com\/en-us\/products\/ai-services\/openai-service."},{"key":"e_1_3_3_1_48_2","unstructured":"Microsoft. 2025. ND-H100-v5 sizes series. https:\/\/learn.microsoft.com\/en-us\/azure\/virtual-machines\/sizes\/gpu-accelerated\/ndh100v5-series?tabs=sizebasic."},{"key":"e_1_3_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/ATS64447.2024.10915219"},{"key":"e_1_3_3_1_50_2","unstructured":"NVIDIA. 2022. CUDA Toolkit. https:\/\/developer.nvidia.com\/cuda-toolkit."},{"key":"e_1_3_3_1_51_2","unstructured":"NVIDIA. 2022. NVIDIA CONFIDENTIAL COMPUTING. https:\/\/www.nvidia.com\/en-us\/data-center\/solutions\/confidential-computing\/."},{"key":"e_1_3_3_1_52_2","volume-title":"Confidential Compute on NVIDIA Hopper H100","year":"2023","unstructured":"NVIDIA. 2023. Confidential Compute on NVIDIA Hopper H100. Technical Report. NVIDIA Corporation. https:\/\/images.nvidia.com\/aem-dam\/en-zz\/Solutions\/data-center\/HCC-Whitepaper-v1.0.pdf"},{"key":"e_1_3_3_1_53_2","unstructured":"NVIDIA. 2023. Graphics Cards. https:\/\/www.nvidia.com\/en-us\/geforce\/graphics-cards\/."},{"key":"e_1_3_3_1_54_2","unstructured":"NVIDIA. 2024. NVIDIA Multi-Instance GPU. https:\/\/www.nvidia.com\/en-us\/technologies\/multi-instance-gpu\/."},{"key":"e_1_3_3_1_55_2","unstructured":"NVIDIA. 2024. NVIDIA NIM LLMs Benchmarking. https:\/\/docs.nvidia.com\/nim\/benchmarking\/llm\/latest\/metrics.html."},{"key":"e_1_3_3_1_56_2","unstructured":"NVIDIA. 2025. GeForce RTX 4090 Graphics Cards for Gaming. https:\/\/www.nvidia.com\/en-us\/geforce\/graphics-cards\/40-series\/rtx-4090\/."},{"key":"e_1_3_3_1_57_2","unstructured":"NVIDIA. 2025. NVIDIA A100 Tensor Core GPU. https:\/\/www.nvidia.com\/en-us\/data-center\/a100\/."},{"key":"e_1_3_3_1_58_2","unstructured":"NVIDIA. 2025. NVIDIA H100 Tensor Core GPU. https:\/\/www.nvidia.com\/en-us\/data-center\/h100\/."},{"key":"e_1_3_3_1_59_2","unstructured":"NVIDIA. 2025. NVIDIA Linux Open GPU Kernel Module Source. 
https:\/\/github.com\/NVIDIA\/open-gpu-kernel-modules."},{"key":"e_1_3_3_1_60_2","unstructured":"NVIDIA. 2025. NVIDIA T4 Tensor Core GPU for AI Inference. https:\/\/www.nvidia.com\/en-us\/data-center\/tesla-t4\/."},{"key":"e_1_3_3_1_61_2","unstructured":"OpenAI. 2025. ChatGPT-OpenAI. https:\/\/openai.com\/chatgpt."},{"key":"e_1_3_3_1_62_2","unstructured":"OpenAI. 2025. DALL-E-2-OpenAI. https:\/\/openai.com\/index\/dall-e-2\/."},{"key":"e_1_3_3_1_63_2","unstructured":"OpenAI. 2025. Sora - OpenAI. https:\/\/openai.com\/index\/sora."},{"key":"e_1_3_3_1_64_2","unstructured":"PCI-SIG. 2010. PCI Express Base Specification Revision 3.0. https:\/\/members.pcisig.com\/wg\/PCI-SIG\/document\/download\/8265."},{"key":"e_1_3_3_1_65_2","unstructured":"PCI-SIG. 2017. PCI Express Base Specification Revision 4.0 Version 1.0. https:\/\/members.pcisig.com\/wg\/PCI-SIG\/document\/10912?downloadRevision=active5."},{"key":"e_1_3_3_1_66_2","unstructured":"PCI-SIG. 2019. PCI Express Base Specification Revision 5.0 Version 1.0. https:\/\/members.pcisig.com\/wg\/PCI-SIG\/document\/13005."},{"key":"e_1_3_3_1_67_2","unstructured":"PCI-SIG. 2020. IDE Security IP for PCIe 5.0. https:\/\/pcisig.com\/sites\/default\/files\/files\/PCIe%20Security%20Webinar_Aug%202020_PDF.pdf."},{"key":"e_1_3_3_1_68_2","unstructured":"PCI-SIG. 2022. PCI Express Base Specification Revision 6.0 Version 1.0. https:\/\/members.pcisig.com\/wg\/PCI-SIG\/document\/16609."},{"key":"e_1_3_3_1_69_2","doi-asserted-by":"publisher","DOI":"10.1109\/DAC56929.2023.10247768"},{"key":"e_1_3_3_1_70_2","unstructured":"RyokoAI. 2025. ShareGPT52K. https:\/\/huggingface.co\/datasets\/RyokoAI\/ShareGPT52K."},{"key":"e_1_3_3_1_71_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00013"},{"key":"e_1_3_3_1_72_2","unstructured":"Teven\u00a0Le Scao Angela Fan Christopher Akiki et\u00a0al. 2022. BLOOM: A 176B-Parameter Open-Access Multilingual Language Model. 
arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2211.05100 (2022)."},{"key":"e_1_3_3_1_73_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP53844.2022.00025"},{"key":"e_1_3_3_1_74_2","unstructured":"Siladitya Ray. 2023. Samsung Bans ChatGPT Among Employees After Sensitive Code Leak. https:\/\/www.forbes.com\/sites\/siladityaray\/2023\/05\/02\/samsung-bans-chatgpt-and-other-chatbots-for-employees-after-sensitive-code-leak\/."},{"key":"e_1_3_3_1_75_2","unstructured":"K. Singhal Shekoofeh Azizi Tao Tu Said Mahdavi and Jason Wei. 2022. Large Language Models Encode Clinical Knowledge. Nature (2022)."},{"key":"e_1_3_3_1_76_2","volume-title":"Proceedings of the 33rd USENIX Security Symposium","author":"Sridhara Supraja","year":"2023","unstructured":"Supraja Sridhara, Andrin Bertschi, Benedict Schl\u00fcter, Mark Kuhne, Fabio Aliberti, and Shweta Shinde. 2023. ACAI: Protecting Accelerator Execution with Arm Confidential Computing Architecture. In Proceedings of the 33rd USENIX Security Symposium."},{"key":"e_1_3_3_1_77_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00059"},{"key":"e_1_3_3_1_78_2","doi-asserted-by":"publisher","DOI":"10.1145\/3669940.3707224"},{"key":"e_1_3_3_1_79_2","unstructured":"Tenstorrent. 2025. Wormhole n150d. https:\/\/tenstorrent.com\/en\/hardware\/wormhole."},{"key":"e_1_3_3_1_80_2","unstructured":"Hugo Touvron Louis Martin Kevin Stone Peter Albert Amjad Almahairi Yasmine Babaei Nikolay Bashlykov Soumya Batra Prajjwal Bhargava Shruti Bhosale et\u00a0al. 2023. Llama 2: Open Foundation and Fine-tuned Chat Models. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2307.09288 (2023)."},{"key":"e_1_3_3_1_81_2","volume-title":"Remote Attestation with TPM2","author":"community tpm2-software","year":"2019","unstructured":"tpm2-software community. 2019. Remote Attestation with TPM2. Trusted Computing Group. 
https:\/\/tpm2-software.github.io\/tpm2-tss\/getting-started\/2019\/12\/18\/Remote-Attestation.html#\/"},{"key":"e_1_3_3_1_82_2","volume-title":"TCG Trusted Attestation Protocol (TAP) Information Model","author":"Group Trusted Computing","year":"2019","unstructured":"Trusted Computing Group. 2019. TCG Trusted Attestation Protocol (TAP) Information Model. Technical Report. Trusted Computing Group. https:\/\/trustedcomputinggroup.org\/wp-content\/uploads\/TNC_TAP_Information_Model_v1.00_r0.29A_publicreview.pdf"},{"key":"e_1_3_3_1_83_2","volume-title":"TPM 2.0 specification","author":"Group Trusted Computing","year":"2025","unstructured":"Trusted Computing Group. 2025. TPM 2.0 specification. Trusted Computing Group. https:\/\/trustedcomputinggroup.org\/resource\/tpm-library-specification\/"},{"key":"e_1_3_3_1_84_2","volume-title":"Proceedings of the 2023 USENIX Annual Technical Conference","author":"Vaswani Kapil","year":"2023","unstructured":"Kapil Vaswani, Stavros Volos, Cedric Fournet, Antonio\u00a0Nino Diaz, Ken Gordon, Balaji Vembu, Sam Webster, David Chisnall, Saurabh Kulkarni, Graham Cunningham, et\u00a0al. 2023. Confidential Computing within an AI Accelerator. In Proceedings of the 2023 USENIX Annual Technical Conference."},{"key":"e_1_3_3_1_85_2","volume-title":"Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation","author":"Volos Stavros","year":"2018","unstructured":"Stavros Volos, Kapil Vaswani, and Rodrigo Bruno. 2018. Graviton: Trusted Execution Environments on GPUs. In Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation."},{"key":"e_1_3_3_1_86_2","volume-title":"Proceedings of the 31st Annual Network and Distributed System Security Symposium","author":"Wang Chenxu","year":"2024","unstructured":"Chenxu Wang, Fengwei Zhang, Yunjie Deng, Kevin Leach, Jiannong Cao, Zhenyu Ning, Shoumeng Yan, and Zhengyu He. 2024. CAGE: Complementing Arm CCA with GPU Extensions. 
In Proceedings of the 31st Annual Network and Distributed System Security Symposium."},{"key":"e_1_3_3_1_87_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833604"},{"key":"e_1_3_3_1_88_2","unstructured":"Guanting\u00a0Chen Xiao\u00a0Bi Deli\u00a0Chen et\u00a0al. 2024. DeepSeek LLM: Scaling Open-Source Language Models with Longtermism. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2401.02954 (2024)."},{"key":"e_1_3_3_1_89_2","unstructured":"Xilinx. 2023. Xilinx DMA IP Reference drivers. https:\/\/github.com\/Xilinx\/dma_ip_drivers."},{"key":"e_1_3_3_1_90_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P19-1472"},{"key":"e_1_3_3_1_91_2","unstructured":"Susan Zhang Stephen Roller Naman Goyal et\u00a0al. 2022. OPT: Open Pre-trained Transformer Language Models. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2205.01068 (2022)."},{"key":"e_1_3_3_1_92_2","volume-title":"Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems","author":"Zhao Mark","year":"2021","unstructured":"Mark Zhao, Mingyu Gao, and Christos Kozyrakis. 2021. ShEF: Shielded Enclaves for Cloud FPGAs. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems."},{"key":"e_1_3_3_1_93_2","unstructured":"Yiran Zhao Chaoqun Liu Yue Deng et\u00a0al. 2025. Babel: Open Multilingual Large Language Models Serving Over 90% of Global Speakers. arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2503.00865 (2025)."},{"key":"e_1_3_3_1_94_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00054"},{"key":"e_1_3_3_1_95_2","unstructured":"Jianwei Zhu Hang Yin et\u00a0al. 2024. Confidential Computing on NVIDIA Hopper GPUs: A Performance Benchmark Study. 
arXiv preprint arXiv:https:\/\/arXiv.org\/abs\/2409.03992 (2024)."}],"event":{"name":"MICRO 2025: 58th IEEE\/ACM International Symposium on Microarchitecture","location":"Seoul Korea","acronym":"MICRO 2025","sponsor":["SIGMICRO ACM Special Interest Group on Microarchitectural Research and Processing"]},"container-title":["Proceedings of the 58th IEEE\/ACM International Symposium on Microarchitecture"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3725843.3756104","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,26]],"date-time":"2026-01-26T21:43:16Z","timestamp":1769463796000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3725843.3756104"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,17]]},"references-count":94,"alternative-id":["10.1145\/3725843.3756104","10.1145\/3725843"],"URL":"https:\/\/doi.org\/10.1145\/3725843.3756104","relation":{},"subject":[],"published":{"date-parts":[[2025,10,17]]},"assertion":[{"value":"2025-10-17","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}