Nvidia · Filed Feb 11, 2025 · Published Jul 9, 2026 · verified — real USPTO data

Nvidia Patent Locks Secret Codes Inside Chips So Software Cannot Steal Them

Even software running on the same chip normally can't be fully trusted with your encryption keys. Nvidia's latest patent describes a system where the keys never leave a dedicated hardware vault, no matter what code is running nearby.

Nvidia Secure Key Delivery Patent Explained — figure from US 2026/0197168 A1
Figure from the official USPTO publication.
See all 13 drawings from this filing ↓
Publication number US 2026/0197168 A1
Applicant Nvidia Corporation
Filing date Feb 11, 2025
Publication date Jul 9, 2026
Inventors Ron Keidar, Xinxing Hu, Hye Su Lee
CPC classification 380/283
Grant likelihood Medium
Examiner SHAW, BRIAN F (Art Unit 2432)
Status Notice of Allowance Mailed -- Application Received in Office of Publications (May 28, 2026)
Document 20 claims

What Nvidia's hardware key isolation actually does

Imagine you have a safe-deposit box at a bank. You can use what's inside, but the bank never hands you the actual key. You just tell the vault what you need done, and the vault does it internally. Nvidia's patent works on a similar principle, but for chips.

When a chip sends or receives data, it encrypts that data using a secret key. Normally, that key passes through software at some point, which means a bug or a bad actor could intercept it. This patent describes a way to handle keys entirely in hardware, in a locked-down section of the chip called a Root-of-Trust, so the key never surfaces where regular software can grab it.

On top of that, the system regularly rotates the keys, replacing old ones with new ones generated from a random number and the current key. That way, even if something went wrong at one point in time, old captured data becomes useless. It's the chip-security equivalent of changing your passwords regularly, but done automatically and in tamper-resistant silicon.

How the key tunnel and nonce rotation work together

The patent describes a secure key delivery architecture built around a central Root-of-Trust (RoT), a hardened, isolated section of the chip that no ordinary software can touch.

Inside the RoT, software agents handle key generation for each communication protocol. When a session key (the one-time key used to encrypt a specific data exchange) needs to travel across a public bus, it travels in a wrapped form, meaning it's encrypted itself. A dedicated hardware unit called the key tunnel receives the wrapped key and unwraps it entirely in silicon, then hands the unwrapped key directly to the relevant crypto engine for that protocol. Software running outside the RoT never sees the key in the clear.

The system also handles key rotation, the practice of periodically replacing encryption keys so old ones can't be exploited. It does this using a nonce (a randomly generated number used exactly once) combined with the current derivation key to produce a new set of ephemeral keys (short-lived keys generated for a specific operation or session). Both the software agent inside the RoT and the hardware key-unwrap engine hold a synchronized copy, so they can independently derive the same new key set without ever transmitting the raw keys.

The result is a system where keys are generated, rotated, and consumed entirely within trusted hardware, with no moment where vulnerable software can intercept them.

What this means for AI chip and data-center security

Nvidia's chips now power a large share of data-center AI workloads, which means they handle sensitive model weights, proprietary training data, and sometimes regulated personal data. A key-interception attack at the silicon level, even a theoretical one, is the kind of threat that enterprise and government buyers take seriously. This patent addresses that attack surface directly by making hardware the only place keys ever exist unencrypted.

For confidential computing, the growing practice of encrypting data even while it's being processed, this kind of architecture is the foundation. If Nvidia builds this into future data-center GPUs or its proprietary NVLink interconnects, it strengthens the case for running sensitive workloads on Nvidia hardware where you currently might hesitate.

Editorial take

This is unglamorous but genuinely important work. Key management is one of the most exploited weak points in secure computing, and hardware-enforced key isolation is the right approach. It won't make headlines the way a new GPU does, but enterprise security teams will notice it on a spec sheet.

The drawings

13 drawing sheets from US 2026/0197168 A1 · click any drawing to enlarge

Patent filing page

Which company should we read for you?

We track 17 companies here. Pro is the same weekly breakdown for any company you choose, delivered privately. Type a name and we'll scope it and send you a quote.

Get one Big Tech patent every Sunday

Plain English, intelligent commentary, no hype. Free.

Source. Full patent text and figures from the official USPTO publication PDF.

Editorial commentary on a publicly published patent application. Not legal advice.