GitHub - openpcc/openpcc: An open-source framework for verifiably private AI inference
Service

openpcc
2025.11.09
GitHub · by Anonymous
#AI #Privacy #Framework #Open Source #Inference

Key Points

  1. OpenPCC is an open-source framework for verifiably private AI inference: users can run AI models without exposing prompts, outputs, or logs to the compute provider, using encrypted streaming, hardware attestation, and unlinkable requests.
  2. To keep requests unlinkable, OpenPCC uses Oblivious HTTP (OHTTP), routing client requests through third-party relays to an OHTTP Gateway, so the compute provider cannot tie a request to the client that sent it.
  3. Positioned as a transparent, community-governed standard for AI data privacy, OpenPCC ships a Go client and a C library for bindings in other languages, and is the foundation of a fully managed service called CONFSEC.

OpenPCC is an open-source framework designed to enable verifiably private AI inference, drawing inspiration from Apple's Private Cloud Compute. Its primary objective is to safeguard sensitive user data, including prompts, AI outputs, and logs, from being exposed to the AI compute provider. This is achieved through a multi-layered privacy methodology encompassing encrypted streaming, hardware attestation, and unlinkable request mechanisms.

The core methodology of OpenPCC hinges on ensuring data confidentiality and unlinkability, combined with verifiable execution integrity.

  1. Encrypted Streaming: All data exchanged between the client and the OpenPCC Compute Node is encrypted end to end, and it is decrypted only inside the attested Compute Node. Prompts and generated outputs are therefore unreadable to intermediaries (including the OHTTP relay) and to the operator of the surrounding infrastructure while in transit.
  2. Hardware Attestation: OpenPCC uses hardware attestation to give the client verifiable evidence about the integrity and authenticity of the inference environment. Before or during inference, the client (or the OpenPCC system on its behalf) cryptographically verifies that the OpenPCC Compute Node runs on trusted hardware (e.g., inside a Trusted Execution Environment such as Intel SGX or AMD SEV), that the expected software stack is loaded and untampered, and that it satisfies the configured security policy. Because the evidence is signed by the hardware rather than by the operator, the cloud provider or another privileged party cannot substitute a modified stack without the client detecting it. The transparency.IdentityPolicy and TransparencyVerifier settings in the client configuration suggest that clients also check the provenance of the attested software against a transparency log, accepting only entries whose signing identity matches a configured OIDC issuer/subject regex; how those log entries are bound to the node's attested measurements is not described here.
  3. Oblivious HTTP (OHTTP) for Unlinkable Requests: To prevent the AI compute provider from linking inference requests back to individual users, OpenPCC uses Oblivious HTTP, a three-party architecture:
    • OpenPCC Client: Originates the encrypted inference request.
    • OHTTP Relay: A third-party service (e.g., Oblivious.network) that forwards the request. The Relay sees the client's IP address and the Gateway it is configured to forward to, but it cannot decrypt the encapsulated request, so it learns neither the content nor which Compute Node eventually serves it.
    • OHTTP Gateway: Operated as part of the OpenPCC deployment. The Gateway removes the OHTTP encapsulation and forwards the (still encrypted) request to the OpenPCC Compute Node, so it sees the request and its destination, but the only network peer it sees is the Relay; the client's IP address never reaches it.

This separation of concerns, in which the Relay knows the client but not the destination or content and the Gateway knows the destination and content but not the client, is what provides unlinkability: the compute provider, which operates the Gateway and Compute Nodes, cannot tie any request to its true origin. The guarantee holds only as long as the Relay and Gateway do not collude or share logs; if one party operates both, the two views can be joined again, which is why the Relay must be run by a party independent of the compute provider. It also covers only the network identity: a prompt that itself contains identifying details is still visible to the Compute Node that processes it.
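The attestation and identity-policy step in item 2 above, as an added illustration that is not OpenPCC's own code: a client-side verifier that checks a signed claim set for signature validity, freshness, an allow-listed software measurement, and an OIDC issuer/subject pattern. An ed25519 key stands in for the hardware root of trust and the transparency log; the Attestation fields, the measurement digest, and the GitHub Actions-style issuer and subject values are constructed for the example, and the type and function names are hypothetical (the page names transparency.IdentityPolicy and TransparencyVerifier but does not describe their fields).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Attestation is the claim set a compute node presents; a real one carries a hardware quote (SEV-SNP, SGX, ...) verified against the vendor chain.
type Attestation struct {
	Measurement string `json:"measurement"` // digest of the loaded software stack
	Issuer      string `json:"issuer"`      // OIDC issuer of the release signer
	Subject     string `json:"subject"`     // OIDC subject of the release signer
	Nonce       string `json:"nonce"`       // client-chosen freshness value
}

// IdentityPolicy mirrors the issuer/subject regex idea from the client configuration.
type IdentityPolicy struct{ Issuer, Subject *regexp.Regexp }

type Verifier struct {
	Root                ed25519.PublicKey // stands in for the hardware root of trust
	AllowedMeasurements map[string]bool   // digests of released, reviewed builds
	Policy              IdentityPolicy
}

// fullMatch requires the pattern to cover the whole string; a bare MatchString would accept
// "...release.yml@refs/tags/v1.2.0.attacker.net" for a pattern ending in `v[0-9.]+`.
func fullMatch(re *regexp.Regexp, s string) bool {
	loc := re.FindStringIndex(s)
	return loc != nil && loc[0] == 0 && loc[1] == len(s)
}

// Verify checks signature, freshness, measurement allow-list and signer identity, in that order.
func (v Verifier) Verify(statement, sig []byte, expectedNonce string) (Attestation, error) {
	var att Attestation
	if !ed25519.Verify(v.Root, statement, sig) {
		return att, errors.New("attestation signature invalid")
	}
	if err := json.Unmarshal(statement, &att); err != nil {
		return att, fmt.Errorf("malformed attestation: %w", err)
	}
	if att.Nonce != expectedNonce {
		return att, errors.New("stale or replayed attestation")
	}
	if !v.AllowedMeasurements[att.Measurement] {
		return att, fmt.Errorf("unexpected measurement %q", att.Measurement)
	}
	if !fullMatch(v.Policy.Issuer, att.Issuer) || !fullMatch(v.Policy.Subject, att.Subject) {
		return att, fmt.Errorf("signer %s / %s rejected by identity policy", att.Issuer, att.Subject)
	}
	return att, nil
}

// SignAttestation is the node side: serialize the claims and sign them with the attestation key.
func SignAttestation(priv ed25519.PrivateKey, att Attestation) (statement, sig []byte, err error) {
	if statement, err = json.Marshal(att); err != nil {
		return nil, nil, err
	}
	return statement, ed25519.Sign(priv, statement), nil
}

// Constructed values for the demonstration: one allow-listed measurement and a GitHub Actions-style
// release identity. None of them come from the OpenPCC project.
const (
	goodMeasurement = "sha256:3c6e0b8a9c15224a8228b9a98ca1531d"
	goodIssuer      = "https://token.actions.githubusercontent.com"
	goodSubject     = "https://github.com/example-org/openpcc-node/.github/workflows/release.yml@refs/tags/v1.2.0"
)

func NewExampleVerifier(root ed25519.PublicKey) Verifier {
	return Verifier{
		Root:                root,
		AllowedMeasurements: map[string]bool{goodMeasurement: true},
		Policy: IdentityPolicy{
			Issuer:  regexp.MustCompile(`https://token\.actions\.githubusercontent\.com`),
			Subject: regexp.MustCompile(`https://github\.com/example-org/openpcc-node/\.github/workflows/release\.yml@refs/tags/v[0-9.]+`),
		},
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := NewExampleVerifier(pub)
	nonce := "c0ffee01" // the client draws this at random per session
	good := Attestation{Measurement: goodMeasurement, Issuer: goodIssuer, Subject: goodSubject, Nonce: nonce}
	stmt, sig, _ := SignAttestation(priv, good)
	_, err = v.Verify(stmt, sig, nonce)
	fmt.Println("genuine node:", err)
	lookalike := good
	lookalike.Subject += ".attacker.net" // passes MatchString, fails fullMatch
	stmt, sig, _ = SignAttestation(priv, lookalike)
	_, err = v.Verify(stmt, sig, nonce)
	fmt.Println("lookalike signer:", err)
}
```

The order of checks matters: the signature is verified before the JSON is parsed, so untrusted bytes never reach the parser, and the nonce check is what turns a valid but old attestation into a rejection. The fullMatch helper is the part most often got wrong in identity policies: Go's MatchString accepts any substring match, so an unanchored subject pattern would let a release signed from a lookalike repository pass.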

The operational flow involves an OpenPCC client forming an AI inference request (e.g., in OpenAI API format), encrypting it, and transmitting it via a pre-configured OHTTP Relay to an OpenPCC OHTTP Gateway. The Gateway then routes the request to an available OpenPCC Compute Node, potentially based on metadata like X-Confsec-Node-Tags for model-specific routing. The Compute Node performs the inference within an attested, secure environment, and the encrypted result is returned through the OHTTP Gateway and Relay back to the client. This entire process is designed to be auditable and deployable on custom infrastructure, aiming to establish a community-governed standard for AI data privacy.
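The three-party exchange described above, as an added example that is not part of the OpenPCC project or of this page: a Go program that simulates client, relay and gateway in one process and records what each party observes, so the privacy split can be checked rather than asserted. It assumes a simplified encapsulation (X25519 plus SHA-256-derived AES-256-GCM keys) standing in for OHTTP's HPKE, does not model OHTTP's key configuration or binary HTTP message formats, uses constructed addresses from the RFC 5737 documentation ranges, and replaces the Compute Node's model with a fixed reply; all type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const keyLen, nonceLen = 32, 12 // X25519 public key and AES-GCM nonce sizes

func must[T any](v T, err error) T { // for setup errors that cannot occur with fixed-size, trusted inputs
	if err != nil {
		panic(err)
	}
	return v
}

// aead derives AES-256-GCM from the shared secret, both public keys and a direction label (stand-in for HPKE's KDF).
func aead(shared, encPub, gwPub []byte, label string) cipher.AEAD {
	h := sha256.New()
	h.Write([]byte("openpcc-example-" + label)) // hypothetical domain separator
	h.Write(encPub)
	h.Write(gwPub)
	h.Write(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(h.Sum(nil)))))
}

// seal and open carry a random nonce in front of the ciphertext.
func seal(a cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, nonceLen)
	must(rand.Read(nonce))
	return append(nonce, a.Seal(nil, nonce, plaintext, nil)...)
}
func open(a cipher.AEAD, msg []byte) ([]byte, error) {
	if len(msg) < nonceLen {
		return nil, errors.New("message too short")
	}
	return a.Open(nil, msg[:nonceLen], msg[nonceLen:], nil)
}

// Gateway owns the long-term key whose public half is published as the key configuration; it records what it observed.
type Gateway struct {
	priv                  *ecdh.PrivateKey
	SeenPeer, SeenRequest string // transport peer (always the relay) and the decapsulated request
}

func NewGateway() *Gateway { return &Gateway{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }

func (g *Gateway) KeyConfig() []byte { return g.priv.PublicKey().Bytes() }

// Handle decapsulates a request and seals the reply under a key bound to the client's ephemeral key.
func (g *Gateway) Handle(peer string, encap []byte) ([]byte, error) {
	if len(encap) < keyLen {
		return nil, errors.New("encapsulated request too short")
	}
	g.SeenPeer = peer
	encPub := encap[:keyLen] // NewPublicKey only checks the length; ECDH rejects low-order points
	shared, err := g.priv.ECDH(must(ecdh.X25519().NewPublicKey(encPub)))
	if err != nil {
		return nil, err
	}
	req, err := open(aead(shared, encPub, g.KeyConfig(), "request"), encap[keyLen:])
	if err != nil {
		return nil, err
	}
	g.SeenRequest = string(req)
	reply := []byte("completion for: " + string(req)) // stand-in for model output
	return seal(aead(shared, encPub, g.KeyConfig(), "response"), reply), nil
}

// Relay forwards opaque bytes: it sees the client's address and its configured gateway, never the content.
type Relay struct {
	Addr, SeenClient string
	Gw               *Gateway
	SeenPayload      []byte
}

func (r *Relay) Forward(clientAddr string, encap []byte) ([]byte, error) {
	r.SeenClient = clientAddr
	r.SeenPayload = append([]byte(nil), encap...)
	return r.Gw.Handle(r.Addr, encap) // the gateway sees the relay's address, not the client's
}

// ClientRequest seals prompt under a fresh ephemeral key (so two requests share nothing linkable), sends it via the relay and opens the reply.
func ClientRequest(relay *Relay, gwKeyConfig []byte, clientAddr, prompt string) (string, error) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(must(ecdh.X25519().NewPublicKey(gwKeyConfig))))
	encPub := eph.PublicKey().Bytes()
	body := seal(aead(shared, encPub, gwKeyConfig, "request"), []byte(prompt))
	respMsg, err := relay.Forward(clientAddr, append(append([]byte{}, encPub...), body...))
	if err != nil {
		return "", err
	}
	reply, err := open(aead(shared, encPub, gwKeyConfig, "response"), respMsg)
	return string(reply), err
}
```

After one call to ClientRequest the relay's SeenClient holds the client address and its SeenPayload never contains the prompt, while the gateway's SeenPeer is the relay's address and its SeenRequest is the prompt: each party holds exactly one half of the picture. Two design points carry over to the real protocol: the client's key pair is generated per request, so nothing reusable links two requests, and the response key is bound to that ephemeral key, so a reply can only be read by the client that sent the request. Flipping any byte of the encapsulated request makes the gateway's AEAD open fail, which is the only way a tampering relay is noticed.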