
Confidential inference.
Cryptographic proof.

Run AI inside hardware-isolated enclaves. Every inference produces a signed receipt covering model identity, data hashes, and lifecycle evidence events.

657 tests passing
16 compliance rules
38 attest checks
3 platforms E2E

Attestation, encryption, receipts

EphemeralML protects model weights, user data, and execution integrity through TEE isolation and attestation-bound cryptography.

1. Verify the enclave

The client verifies enclave identity and code measurement against a policy allowlist via COSE/CBOR attestation.

2. Encrypted session

An HPKE session is established (X25519 + ChaCha20-Poly1305). The host forwards ciphertext only.

3. Gated model loading

Model decryption keys are released only when the KMS confirms that the enclave measurement matches policy.

4. Signed receipt

Each inference produces an Ed25519-signed AIR v1 receipt with model hash, I/O hashes, attestation evidence, and destroy proof.

Model Weights

Encrypted at rest, decrypted only inside an attested enclave. The host never sees plaintext keys.

User Data

Prompts and outputs are encrypted end-to-end via HPKE. The host relays ciphertext only.

Execution Receipts

Each inference produces a verifiable AIR v1 receipt (COSE_Sign1 + CWT + EAT profile) with enclave measurements and an Ed25519 signature.

Attested Inference Receipt

Open receipt format based on IETF standards. COSE_Sign1 envelope (RFC 9052) carrying CWT claims (RFC 8392) with EAT profile (RFC 9711), signed with Ed25519.

18 claims (16 required + 2 optional)
CDDL formal schema definition
10 golden test vectors
38 AttestCheckCode variants

Four-layer trust verification

T1  Parse    COSE/CWT structural validation, required claims present, CDDL conformance.
T2  Crypto   Ed25519 signature verification (verify_strict), hash bindings, key attestation binding.
T3  Chain    Platform-specific trust chain: TDX DCAP collateral, Nitro CA chain, Confidential Space JWT.
T4  Policy   Model allowlist, measurement pinning, freshness windows, sequence continuity.

Key Claims

Claim                         Role
iss, iat, cti                 Standard CWT (RFC 8392)
eat_nonce, eat_profile        EAT (RFC 9711)
model_id, model_hash          Model identity
request_hash, response_hash   I/O binding
attestation_doc_hash          TEE evidence
enclave_measurements          Platform PCRs
security_mode                 strict / standard
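The program below is an added example, not EphemeralML's own code (the project is written in Rust; Go is used here because its standard library ships Ed25519 and nothing beyond the standard library is needed). It builds a receipt of the shape described above, a deterministically encoded CWT claim set carried as the payload of a COSE_Sign1 and signed with Ed25519 over the RFC 9052 Sig_structure, and then runs the T1, T2 and T4 layers against it. Assumptions: the CWT keys 1/6/7 and EAT keys 10/265 are the registered ones, but model_id, request_hash and the other receipt-specific claims use text labels because the page lists their names and not their numeric labels; enclave_measurements is modelled as a single 48-byte MRTD; every value in sampleClaims is a constructed placeholder; and, since the standard library has no CBOR decoder, verify receives the already-decoded claims and checks that re-encoding them reproduces the payload byte for byte, which is the canonical round-trip check the compliance output calls SIG-002/CBOR-001. T3, the platform trust chain, needs live DCAP, Nitro or Confidential Space collateral and is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// cborHead writes a major type and its argument in the shortest form (RFC 8949 s4.2.1).
func cborHead(major byte, n uint64) []byte {
	switch {
	case n < 24:
		return []byte{major<<5 | byte(n)}
	case n < 1<<8:
		return []byte{major<<5 | 24, byte(n)}
	case n < 1<<16:
		return []byte{major<<5 | 25, byte(n >> 8), byte(n)}
	default: // nothing in these claims exceeds 32 bits
		return []byte{major<<5 | 26, byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}
	}
}

// cbor encodes the subset of CBOR the receipt uses (ints, text, bytes, arrays, maps);
// map keys are sorted by their encoded bytes, as deterministic encoding requires.
func cbor(v any) []byte {
	switch x := v.(type) {
	case int:
		if x < 0 {
			return cborHead(1, uint64(-1-x))
		}
		return cborHead(0, uint64(x))
	case string:
		return append(cborHead(3, uint64(len(x))), x...)
	case []byte:
		return append(cborHead(2, uint64(len(x))), x...)
	case []any:
		out := cborHead(4, uint64(len(x)))
		for _, e := range x {
			out = append(out, cbor(e)...)
		}
		return out
	case map[any]any:
		type kv struct{ k, v []byte }
		items := make([]kv, 0, len(x))
		for k, val := range x {
			items = append(items, kv{cbor(k), cbor(val)})
		}
		sort.Slice(items, func(i, j int) bool { return bytes.Compare(items[i].k, items[j].k) < 0 })
		out := cborHead(5, uint64(len(items)))
		for _, it := range items {
			out = append(append(out, it.k...), it.v...)
		}
		return out
	}
	panic(fmt.Sprintf("cbor: unsupported type %T", v))
}

// protectedHdr is the COSE protected header {1: -8}, i.e. alg = EdDSA (RFC 9053); encodes as a1 01 27.
var protectedHdr = cbor(map[any]any{1: -8})

// Receipt is a COSE_Sign1 [protected, {}, payload, signature] with an empty unprotected header.
type Receipt struct{ Protected, Payload, Sig []byte }

// sigStructure is the Sig_structure of RFC 9052 s4.4: this, not the bare payload, is what gets signed.
func sigStructure(protected, payload []byte) []byte {
	return cbor([]any{"Signature1", protected, []byte{}, payload})
}

func sign(key ed25519.PrivateKey, claims map[any]any) Receipt {
	payload := cbor(claims)
	return Receipt{protectedHdr, payload, ed25519.Sign(key, sigStructure(protectedHdr, payload))}
}

// Policy is the verifier's local state: allowed model_ids, pinned MRTDs (hex), freshness window, next sequence.
type Policy struct {
	Models, MRTDs        map[string]bool
	Now, MaxAge, NextSeq int
}

// verify runs T1 (parse), T2 (crypto) and T4 (policy). claims is the decoded payload, so re-encoding it
// must reproduce r.Payload exactly. Claim types are asserted directly; a production T1 parser checks them.
func verify(pub ed25519.PublicKey, r Receipt, claims map[any]any, req, resp []byte, pol Policy) error {
	for _, k := range []any{1, 6, 7, 10, 265, "model_id", "model_hash", "request_hash", "response_hash",
		"attestation_doc_hash", "enclave_measurements", "sequence_number"} { // T1: CWT 1/6/7, EAT 10/265, private
		if _, ok := claims[k]; !ok {
			return fmt.Errorf("T1: missing claim %v", k)
		}
	}
	if !bytes.Equal(cbor(claims), r.Payload) || !bytes.Equal(r.Protected, protectedHdr) {
		return fmt.Errorf("T1: payload or protected header not canonical")
	}
	if !ed25519.Verify(pub, sigStructure(r.Protected, r.Payload), r.Sig) { // T2
		return fmt.Errorf("T2: bad Ed25519 signature")
	}
	rq, rs := sha256.Sum256(req), sha256.Sum256(resp)
	if !bytes.Equal(claims["request_hash"].([]byte), rq[:]) || !bytes.Equal(claims["response_hash"].([]byte), rs[:]) {
		return fmt.Errorf("T2: I/O hash binding mismatch")
	}
	if !pol.Models[claims["model_id"].(string)] || !pol.MRTDs[fmt.Sprintf("%x", claims["enclave_measurements"])] { // T4
		return fmt.Errorf("T4: model or enclave measurement not in policy")
	}
	if age := pol.Now - claims[6].(int); age < 0 || age > pol.MaxAge {
		return fmt.Errorf("T4: receipt age %ds outside [0, %d]", age, pol.MaxAge)
	}
	if seq := claims["sequence_number"].(int); seq != pol.NextSeq {
		return fmt.Errorf("T4: expected sequence %d, got %d", pol.NextSeq, seq)
	}
	return nil
}

// sampleClaims is a constructed claim set for one inference; issuer, ids, hashes and MRTD are placeholders.
func sampleClaims(iat, seq int, req, resp, mrtd []byte) map[any]any {
	rq, rs := sha256.Sum256(req), sha256.Sum256(resp)
	return map[any]any{1: "ephemeralml-enclave", 6: iat, 7: []byte{0x01}, 10: []byte("client-nonce"), 265: "air/v1",
		"model_id": "minilm-l6-v2", "model_hash": bytes.Repeat([]byte{0xaa}, 32), "request_hash": rq[:],
		"response_hash": rs[:], "attestation_doc_hash": bytes.Repeat([]byte{0xbb}, 32),
		"enclave_measurements": mrtd, "sequence_number": seq}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	req, resp, mrtd := []byte(`{"input":"hello"}`), []byte(`{"embedding":[0.1,0.2]}`), bytes.Repeat([]byte{0x11}, 48)
	claims := sampleClaims(1700000000, 0, req, resp, mrtd)
	pol := Policy{map[string]bool{"minilm-l6-v2": true}, map[string]bool{fmt.Sprintf("%x", mrtd): true}, 1700000006, 3600, 0}
	r := sign(priv, claims)
	fmt.Println("genuine receipt:", verify(pub, r, claims, req, resp, pol))
	fmt.Println("swapped response:", verify(pub, r, claims, req, []byte("forged"), pol))
}
```

Run as written, the genuine receipt verifies with a nil error and the swapped response fails at T2 with an I/O hash-binding error; the same receipt is also rejected under a different public key, under a Now outside the 3600 s window, and when the verifier expects a different sequence number. The design point worth noting is that the signature covers the Sig_structure, so the protected header (and therefore the algorithm) is bound to the signature and an attacker cannot relabel the algorithm, and that the verifier re-derives request_hash and response_hash from the bytes it actually sent and received rather than trusting the hashes in the receipt.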

What we guarantee, and what we don't

Guaranteed

  • Host blindness — the host relays ciphertext only; cannot decrypt prompts, outputs, or model keys
  • Attestation-gated key release — model DEKs released only to approved enclave measurements
  • Session binding — encryption keys bound to attestation + nonce to prevent key swapping
  • Model integrity — Ed25519-signed manifests prevent serving a different model blob
  • Auditability — each inference produces a verifiable AIR v1 receipt with destroy evidence

Explicitly not claimed

  • Protection against all microarchitectural side-channels
  • Availability guarantees (the host can DoS)
  • Confidentiality under full enclave compromise

Enforcement Controls

Control                       Mode
Strict evidence collect       --strict (opt-in)
Destroy evidence required     --require-destroy-event (opt-in)
Baseline compliance           16 rules
Receipt max age               3600s

Three-zone trust model

Client (Trusted)

Verifies attestation, holds policy allowlists, establishes HPKE sessions

Host (Untrusted)

Networking, storage, API proxy. Forwards ciphertext only.

Enclave (TEE)

Decrypts data, loads models, runs inference, signs receipts

Client ↔ Host Relay ↔ Enclave • Host ↔ KMS / GCS

Verified across 3 platforms

End-to-end tested on real hardware TEEs with full attestation chain verification.

Platform                      TEE                  Status
AWS Nitro (m6i)               Nitro Enclaves       PASS
GCP CPU (c3-standard-4)       Intel TDX            PASS
GCP GPU (a3-highgpu-1g)       NVIDIA H100 CC       PASS

See what a verified receipt looks like

Every inference run produces cryptographic evidence. The following is real output from ephemeralml-verify and ephemeralml-compliance.

EphemeralML Receipt Verification

  Receipt:     68796942-19cf-4b60-a17c-91e5a0de8555
  Model:       minilm-l6-v2 v1.0.0
  Platform:    tdx-mrtd-rtmr
  Sequence:    #0

  --------------------------------------------------------------
  Checks:
  --------------------------------------------------------------
  Signature (Ed25519)         [PASS]
  Model ID match              [SKIP]
  Measurement type            [SKIP]
  Timestamp freshness         [SKIP]
  Measurements present        [PASS]
  Attestation source          [SKIP]
  Image digest                [SKIP]
  Destroy evidence            [PASS]
  --------------------------------------------------------------

  VERIFIED

Note that checks marked [SKIP] were not evaluated in this run, so the VERIFIED verdict rests only on the checks marked [PASS]; read a receipt verification together with the compliance run below, where the model, measurement and freshness rules are all evaluated.

Compliance Verification — baseline profile

  SIG-001   Ed25519 signature             [PASS]  verified (strict)
  SIG-002   CBOR deterministic encoding   [PASS]  canonical round-trip
  ATT-001   Attestation present           [PASS]  evidence item found
  ATT-002   Attestation hash match        [PASS]  SHA-256 == receipt hash
  MEAS-001  Measurements 48 bytes         [PASS]  all MRTD/RTMR valid
  MEAS-002  Recognized type               [PASS]  tdx-mrtd-rtmr
  FRESH-001 Receipt within max age        [PASS]  age 6s <= 3600s
  FRESH-002 Not future-dated              [PASS]
  MODEL-001 Model ID present              [PASS]  minilm-l6-v2
  MODEL-002 Manifest present              [PASS]  ModelManifest found
  CHAIN-001 Receipt chain valid           [PASS]  first in chain
  CBOR-001  Deterministic encoding        [PASS]  canonical bytes match
  KEY-001   Key bound to attestation      [PASS]  binding found
  POLICY-001 Policy version               [PASS]  v1-default
  SEQ-001   Sequence numbers              [PASS]  sequence_number=0
  DESTROY-001 Destroy evidence            [PASS]  5 action(s)

  All 16 rules passed for profile 'baseline'
  compliant: true

Built with

Rust 2021
GCP Confidential Space
Intel TDX
AWS Nitro Enclaves
NVIDIA H100 CC
HPKE (X25519)
ChaCha20-Poly1305
Ed25519
COSE / CWT / EAT
Candle ML
Cloud KMS
cargo-audit CI

Start building with EphemeralML

Integrate confidential AI inference into your stack. Check the quickstart guide, explore the source, or request a pilot.