Run AI inside hardware-isolated enclaves. Every inference produces a signed receipt covering model identity, data hashes, and lifecycle evidence events.
EphemeralML protects model weights, user data, and execution integrity through TEE isolation and attestation-bound cryptography.
Client verifies enclave identity and code measurement against a policy allowlist via COSE/CBOR attestation.
HPKE session established (X25519 + ChaCha20-Poly1305). The host forwards ciphertext only.
Model decryption keys released only when KMS confirms enclave measurement matches policy.
Each inference produces an Ed25519-signed AIR v1 receipt with model hash, I/O hashes, and attestation-linked execution evidence.
Encrypted at rest, decrypted only inside an attested enclave. Host never sees plaintext keys.
Prompts and outputs encrypted end-to-end via HPKE. Host relays ciphertext only.
Each inference produces a verifiable AIR v1 receipt (COSE_Sign1 + CWT + EAT profile) with enclave measurements and Ed25519 signature.
Open receipt format based on IETF standards. COSE_Sign1 envelope (RFC 9052) carrying CWT claims (RFC 8392) with EAT profile (RFC 9711), signed with Ed25519.
This is the verifier's internal pipeline for validating an AIR v1 receipt — separate from the three-layer trust model above, which describes what is attested.
COSE/CWT structural validation, required claims present, CDDL conformance.
Ed25519 signature verification (verify_strict), hash bindings, key attestation binding.
Platform-specific trust chain: TDX DCAP collateral, Nitro CA chain, Confidential Space JWT.
Model allowlist, measurement pinning, freshness windows, sequence continuity.
| Claim | Category |
|---|---|
| iss, iat, cti | Standard CWT |
| eat_nonce, eat_profile | EAT (RFC 9711) |
| model_id, model_hash | Model identity |
| request_hash, response_hash | I/O binding |
| attestation_doc_hash | TEE evidence |
| enclave_measurements | Platform measurements |
| security_mode | strict / standard |
| Control | Mode |
|---|---|
| Strict evidence collection | --strict opt-in |
| Cleanup-event evidence required | --require-destroy-event opt-in |
| Baseline compliance | 16 rules |
| Receipt max age | 3600s |
We cryptographically verify the confidential execution environment and policy-bound identity of the workload. Model weights are measured inside the TEE from decrypted bytes. Additional model artifacts are bound via a signed manifest. This model describes the trust claims — the receipt verification pipeline above describes how those claims are checked.
GPU/CPU attestation proves hardware and firmware state plus confidential-computing mode.
Policy pins verify the expected image, project, zone, issuer, and nonce freshness before key release.
Weights are hashed inside the TEE from decrypted bytes; signed manifests can additionally bind tokenizer and config.
Model Identity Coverage

| Field | Value |
|---|---|
| AIR hash scheme | sha256-manifest |
| Manifest | authoritative |
| weights | bound |
| tokenizer | bound |
| config | bound |
| adapters | not bound |

Receipt emitted with manifest-backed model identity.
Client: verifies attestation, holds policy allowlists, establishes HPKE sessions.
Host: networking, storage, API proxy. Forwards ciphertext only.
Enclave: decrypts data, loads models, runs inference, signs receipts.
End-to-end tested on real hardware TEEs with full attestation chain verification.
| Platform | TEE | Status |
|---|---|---|
| AWS Nitro (m6i) | Nitro Enclaves | PASS |
| GCP CPU (c3-standard-4) | Intel TDX | PASS |
| GCP GPU (a3-highgpu-1g) | NVIDIA H100 CC | PASS |
Insurance workflow pilot on GCP TDX: 3/3 confidential requests completed, 3/3 AIR receipts verified offline.
Every inference run produces signed execution evidence. The following is real output from ephemeralml-verify and ephemeralml-compliance.
AIR v1 covers attestation-linked execution evidence. Legacy EphemeralML compliance flows can additionally record self-reported cleanup events, but AIR v1 itself does not claim cryptographic proof of deletion.
```text
EphemeralML AIR v1 Receipt Verification
Receipt:  01020304-0506-0708-090a-0b0c0d0e0f10
Model:    minilm-l6-v2 v1.0.0
Platform: nitro-pcr
Sequence: #1
Issuer:   cyntrisec.com
--------------------------------------------------------------
4-Layer Verification:
--------------------------------------------------------------
[parse]  COSE envelope           [PASS]
[parse]  Algorithm header        [PASS]
[parse]  Content type            [PASS]
[parse]  Payload present         [PASS]
[parse]  AIR v1 profile          [PASS]
[crypto] Signature (Ed25519)     [PASS]
[claim]  Receipt ID valid        [PASS]
[claim]  Model hash non-zero     [PASS]
[claim]  Measurements present    [PASS]
[claim]  Measurement type valid  [PASS]
[policy] Model ID match          [SKIP]
[policy] Timestamp freshness     [SKIP]
--------------------------------------------------------------
VERIFIED (AIR v1)
```
```text
EphemeralML Receipt Verification
Receipt:  68796942-19cf-4b60-a17c-91e5a0de8555
Model:    minilm-l6-v2 v1.0.0
Platform: tdx-mrtd-rtmr
Sequence: #0
--------------------------------------------------------------
Checks:
--------------------------------------------------------------
Signature (Ed25519)   [PASS]
Model ID match        [SKIP]
Measurement type      [SKIP]
Timestamp freshness   [SKIP]
Measurements present  [PASS]
Attestation source    [SKIP]
Image digest          [SKIP]
Destroy evidence      [SKIP]
--------------------------------------------------------------
VERIFIED
```
```text
Compliance Verification — baseline profile
SIG-001      Ed25519 signature            [PASS]  verified (strict)
SIG-002      CBOR deterministic encoding  [PASS]  canonical round-trip
ATT-001      Attestation present          [PASS]  evidence item found
ATT-002      Attestation hash match       [PASS]  SHA-256 == receipt hash
MEAS-001     Measurements 48 bytes        [PASS]  all MRTD/RTMR valid
MEAS-002     Recognized type              [PASS]  tdx-mrtd-rtmr
FRESH-001    Receipt within max age       [PASS]  age 6s <= 3600s
FRESH-002    Not future-dated             [PASS]
MODEL-001    Model ID present             [PASS]  minilm-l6-v2
MODEL-002    Manifest present             [PASS]  ModelManifest found
CHAIN-001    Receipt chain valid          [PASS]  first in chain
CBOR-001     Deterministic encoding       [PASS]  canonical bytes match
KEY-001      Key bound to attestation     [PASS]  binding found
POLICY-001   Policy version               [PASS]  v1-default
SEQ-001      Sequence numbers             [PASS]  sequence_number=0
DESTROY-001  Destroy evidence             [PASS]  5 action(s)
All 16 rules passed for profile 'baseline'
compliant: true
```
Receipt fields can be mapped to HIPAA 164.312 control categories. This is evidence support, not certification.
Enclave isolation evidence — attested hardware boundary prevents unauthorized access to data during processing.
Signed receipt evidence — each inference produces a verifiable audit record with model identity and data hashes.
Model hash + attestation linkage — signed manifests bind model weights, tokenizer, and config artifacts.
AEAD encryption evidence — end-to-end encrypted transport (X25519 + ChaCha20-Poly1305).
Integrate confidential AI inference into your stack. Check the quickstart guide, explore the source, or request a pilot.