An advanced Oasis Network tutorial for developers who want to combine AI, confidential smart contracts, encrypted vector storage, and verifiable off-chain execution.
Introduction
Most AI applications today leak sensitive data somewhere in the pipeline.
Even if the frontend is secure, prompts, embeddings, retrieval context, API calls, or inference metadata are usually visible to:
- Cloud providers
- Backend operators
- Database administrators
- Analytics tools
- Infrastructure vendors
This becomes a serious issue for:
- Financial AI assistants
- Healthcare copilots
- Private enterprise knowledge bases
- Identity systems
- Reputation engines
- On-chain AI agents
In this tutorial, we will build a Confidential Retrieval-Augmented Generation (RAG) Agent using:
- Oasis Sapphire
- ROFL (Runtime Off-chain Logic)
- Encrypted storage
- Smart contracts
- Off-chain AI inference
- Verifiable confidential execution
Instead of storing prompts or embeddings publicly, we will:
- Encrypt user knowledge before storage
- Perform confidential retrieval
- Execute AI inference off-chain through ROFL
- Return only approved outputs on-chain
- Keep sensitive data hidden from everyone except the user
What We Are Building
We are building a confidential AI assistant where:
- Users upload private documents
- Documents are encrypted before storage
- Embeddings are generated off-chain
- Retrieval happens confidentially
- AI inference runs through ROFL
- Smart contracts manage permissions and integrity
The architecture combines:
- Confidential EVM execution
- Off-chain compute
- AI pipelines
- Privacy-preserving storage
- Ethereum compatibility
Final Architecture
```mermaid
flowchart TD
    A[User Uploads Document] --> B[Frontend Encrypts Data]
    B --> C[IPFS / Arweave Storage]
    B --> D[Oasis Sapphire Contract]
    D --> E[ROFL Worker]
    E --> F[Embedding Model]
    F --> G[Encrypted Vector Store]
    H[User Query] --> I[Confidential Retrieval]
    I --> G
    G --> J[Relevant Context]
    J --> K[LLM Inference]
    K --> L[Signed Response]
    L --> D
    D --> M[Verified Output Returned]
```
Why Sapphire Matters
Traditional EVM chains expose:
- Contract state
- Function arguments
- Internal logic
- Metadata
- User activity
Sapphire changes this model by introducing confidential smart contracts.
This allows developers to:
- Encrypt application state
- Generate secrets securely
- Store confidential metadata
- Protect AI prompts
- Hide retrieval logic
- Secure wallet-based identity systems
Unlike “privacy through frontend encryption,” Sapphire provides confidentiality at the runtime layer.
Why ROFL Matters
Large AI models cannot realistically run fully on-chain.
Inference requires:
- GPUs
- External APIs
- Heavy compute
- Vector databases
- Long-running processes
ROFL enables:
- Off-chain execution
- Trusted compute
- Verifiable outputs
- Secure communication with Sapphire
Think of ROFL as a confidential execution bridge between:
- Smart contracts
- AI systems
- External infrastructure
Tech Stack
| Layer | Technology |
|---|---|
| Smart Contracts | Solidity + Sapphire |
| Off-chain Compute | ROFL |
| Storage | IPFS / Arweave |
| AI Embeddings | Sentence Transformers |
| Vector Search | ChromaDB / Qdrant |
| Frontend | Next.js |
| Wallet | RainbowKit + Wagmi |
| Encryption | AES-GCM |
| AI Inference | OpenAI / Local LLM |
Step 1: Setting Up Sapphire
Create a new project:
```bash
mkdir confidential-rag-agent
cd confidential-rag-agent
npm init -y
```
Install dependencies, including the Sapphire Hardhat plugin the config below relies on:

```bash
npm install hardhat ethers dotenv @oasisprotocol/sapphire-hardhat
```
Initialize Hardhat:

```bash
npx hardhat
```
Add the Sapphire configuration to `hardhat.config.js` (note the `dotenv` call, which loads `PRIVATE_KEY` from your environment):

```javascript
require('@oasisprotocol/sapphire-hardhat');
require('dotenv').config();

module.exports = {
  solidity: '0.8.20',
  networks: {
    sapphire: {
      url: 'https://testnet.sapphire.oasis.io',
      chainId: 23295, // Sapphire Testnet
      accounts: [process.env.PRIVATE_KEY]
    }
  }
};
```
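The `PRIVATE_KEY` referenced in the config comes from a local `.env` file. Keep it out of version control; the value below is a placeholder, not a real key:

```shell
# .env -- never commit this file
PRIVATE_KEY=<your-funded-sapphire-testnet-key>
```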
Step 2: Creating the Confidential Contract
Our contract will eventually:
- Store encrypted metadata
- Register AI responses
- Verify ROFL signatures
- Manage access permissions

The version below covers the first responsibility, document storage; the remaining pieces build on top of it.
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract ConfidentialRAG {
    struct Document {
        string cid;          // pointer to the encrypted file on IPFS/Arweave
        bytes encryptedKey;  // document key, encrypted to the owner
        address owner;
    }

    mapping(uint256 => Document) public documents;
    uint256 public docCounter;

    event DocumentStored(uint256 indexed id, address owner);

    function storeDocument(
        string memory cid,
        bytes memory encryptedKey
    ) external {
        documents[docCounter] = Document({
            cid: cid,
            encryptedKey: encryptedKey,
            owner: msg.sender
        });
        emit DocumentStored(docCounter, msg.sender);
        docCounter++;
    }
}
```
Step 3: Encrypting User Data
Never upload raw user data directly.
Instead:
- Generate a local encryption key
- Encrypt the document client-side
- Upload encrypted data to IPFS
- Store only references on Sapphire
Architecture:
```mermaid
sequenceDiagram
    participant U as User
    participant F as Frontend
    participant I as IPFS
    participant S as Sapphire

    U->>F: Upload document
    F->>F: Generate AES key
    F->>F: Encrypt document
    F->>I: Upload encrypted file
    I-->>F: CID
    F->>S: Store CID + encrypted key
```
Example encryption call, where `encryptFile` is an app-level helper wrapping AES-GCM via the Web Crypto API:

```javascript
const encrypted = await encryptFile(file, secretKey)
```
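To make the envelope-encryption step concrete, here is a sketch in Python (the real code runs in the browser via Web Crypto). It assumes the third-party `cryptography` package; all function names are illustrative, not part of any Oasis SDK:

```python
# Envelope encryption sketch: a fresh AES-256-GCM key per document.
# The ciphertext goes to IPFS; the key is itself encrypted to the
# user's wallet before being stored on Sapphire.
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def encrypt_document(plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Return (key, nonce, ciphertext) for a document."""
    key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit nonce, unique per message
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, None)
    return key, nonce, ciphertext

def decrypt_document(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return AESGCM(key).decrypt(nonce, ciphertext, None)
```

The same pattern applies regardless of language: the raw document never leaves the client, and the chain only ever sees an encrypted key blob plus a CID.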
Step 4: Generating Embeddings Through ROFL
We now process the encrypted content off-chain.
ROFL workers can:
- Fetch encrypted files
- Decrypt securely
- Generate embeddings
- Store vectors
- Return signed proofs
ROFL Flow:
```mermaid
flowchart LR
    A[Sapphire Event] --> B[ROFL Worker]
    B --> C[Decrypt File]
    C --> D[Generate Embeddings]
    D --> E[Vector Database]
    E --> F[Signed Result]
    F --> G[Sapphire Contract]
```
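The worker loop above can be sketched as follows. Every stage here is a stub: a real worker would pull the file from IPFS, decrypt it inside the enclave, call a real embedding model, and sign with its enclave key (HMAC stands in for that signature):

```python
# Minimal, illustrative ROFL worker pipeline -- all names are stubs.
import hashlib
import hmac
import json

WORKER_KEY = b"worker-signing-key"   # stand-in for the worker's real key
vector_store: dict[int, list[float]] = {}   # stand-in for ChromaDB/Qdrant

def embed(text: str) -> list[float]:
    # Stub "embedding": derive a fixed-size vector from a content hash.
    digest = hashlib.sha256(text.encode()).digest()
    return [b / 255 for b in digest[:8]]

def handle_document(doc_id: int, plaintext: str) -> dict:
    embedding = embed(plaintext)
    vector_store[doc_id] = embedding   # persist the vector
    payload = json.dumps({
        "doc_id": doc_id,
        "embedding_hash": hashlib.sha256(str(embedding).encode()).hexdigest(),
    }).encode()
    # Sign the result so the Sapphire contract can check provenance.
    signature = hmac.new(WORKER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}
```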
Example Python embedding pipeline:

```python
from sentence_transformers import SentenceTransformer

model = SentenceTransformer('all-MiniLM-L6-v2')
# document_text is the decrypted plaintext, available only inside the worker
embedding = model.encode(document_text)
```
Step 5: Confidential Retrieval
When a user asks a question:
- Query embedding is generated
- Similar vectors are retrieved
- Relevant context is assembled
- Context stays encrypted/private
- LLM receives only authorized information
This prevents:
- Prompt leakage
- Public retrieval inspection
- Competitor scraping
- Metadata deanonymization
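The retrieval step itself is ordinary vector search; only where it runs changes. A minimal sketch in pure Python (a production system would use ChromaDB or Qdrant, as in the stack table above):

```python
# Cosine-similarity top-k retrieval over an in-memory vector store.
import math

def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0

def top_k(query: list[float], store: dict[str, list[float]], k: int = 2) -> list[str]:
    # Rank document ids by similarity to the query embedding.
    ranked = sorted(store, key=lambda doc: cosine(query, store[doc]),
                    reverse=True)
    return ranked[:k]
```

Because this runs inside the confidential worker, neither the query embedding nor the ranking ever becomes publicly observable.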
Step 6: AI Inference Layer
The inference engine can use:
- OpenAI APIs
- Local Llama models
- Mistral
- DeepSeek
- Confidential GPU infrastructure
Prompt assembly example:
```python
prompt = f"""
Context:
{retrieved_context}

Question:
{user_question}
"""
```
Step 7: Returning Verifiable Results
ROFL signs outputs before returning them.
The contract verifies:
- Authorized worker
- Valid signature
- Fresh timestamp
- Integrity proof
This creates a verifiable AI pipeline.
Security Design
Our architecture protects against:
| Threat | Mitigation |
|---|---|
| Public prompt leakage | Sapphire confidentiality |
| Storage snooping | Client-side encryption |
| Vector DB exposure | Encrypted embeddings |
| Fake AI outputs | ROFL signatures |
| Metadata correlation | Confidential execution |
| Frontend compromise | Wallet authorization |
Is This Architecture Good?
Most Web3 AI projects today are not truly private.
They usually:
- Store prompts publicly
- Leak retrieval context
- Expose embeddings
- Depend entirely on centralized APIs
Oasis enables something different:
Confidential AI infrastructure.
That is a much bigger opportunity than the usual “AI on blockchain” narratives. So yes, this architecture is worth building.
Possible Improvements
You can extend this architecture with:
Multi-Agent Systems
Use multiple ROFL workers for:
- Retrieval
- Ranking
- Moderation
- Inference
- Verification
zkML Integration
Combine:
- ROFL confidentiality
- ZK proofs
- Verifiable inference
Token-Gated Knowledge Access
Require NFT or token ownership before retrieval.
Cross-Chain Identity
Use confidential reputation scores across:
- Ethereum
- Base
- Arbitrum
- Solana
Potential Real-World Use Cases
| Industry | Use Case |
|---|---|
| Healthcare | Private medical copilots |
| Finance | Confidential portfolio AI |
| Gaming | Hidden strategy agents |
| Enterprise | Secure internal knowledge AI |
| DAOs | Private governance research |
| Identity | Confidential trust scoring |
Performance Considerations
AI systems are expensive.
Optimize:
- Embedding caching
- Batched retrieval
- Async inference
- Vector compression
- Partial encryption
- Event indexing
Avoid pushing unnecessary data on-chain.
The blockchain should coordinate trust, not store entire AI workloads.
Common Mistakes Developers Make
Storing Raw AI Data On-Chain
Never store the following directly on public chains:
- Prompts
- Embeddings
- Conversations
- User documents
Treating Frontend Encryption as Enough
Frontend-only privacy still exposes data to backend operators.
Ignoring Metadata Privacy
Even transaction patterns can reveal sensitive information.
Production Architecture
```mermaid
flowchart TB
    subgraph User Layer
        A[Wallet User]
        B[Next.js Frontend]
    end
    subgraph Confidential Layer
        C[Sapphire Smart Contract]
        D[ROFL Workers]
    end
    subgraph AI Layer
        E[Embedding Models]
        F[LLM Inference]
        G[Vector Database]
    end
    subgraph Storage Layer
        H[IPFS]
        I[Arweave]
    end
    A --> B
    B --> C
    B --> H
    C --> D
    D --> E
    D --> F
    D --> G
    H --> D
    I --> D
```
Closing Thoughts
The next generation of AI applications will not be won by the teams with the biggest models.
They will be won by the teams that solve:
- Privacy
- Data ownership
- Confidential computation
- Verifiable inference
- User-controlled AI
Oasis Sapphire and ROFL provide a powerful foundation for building that future.
Instead of thinking of the blockchain as "where data lives," think of it as a trust coordination layer for confidential AI systems.
That shift changes everything.
Useful Resources
Oasis Network
- Oasis Network Official Website
- Oasis Documentation
- Sapphire Documentation
- ROFL Documentation
- Oasis GitHub Organization
- Oasis Sapphire Examples
- Oasis Developer Tutorials
AI / Vector Databases
- Sentence Transformers
- ChromaDB Documentation
- Qdrant Documentation
- LangChain Documentation
- LlamaIndex Documentation