01healthcare · live
Cardio-renal cohort
4 hospitals · EU + US + CH
“Multi-jurisdiction cohort study with on-chain co-approval. The aggregate is signed; the rows are not.”
1.6M records
zero rows leave silos · DP-aggregate out
数据拓扑 · 5 个封存来源
数据有引力 · 计算可迁移
EU-West · sealed
Hospital A
820k EHR
EU-North · sealed
Hospital B
410k imaging
US-East · sealed
Bank C
12M tx
APAC · sealed
Research D
56k samples
CH · sealed
Lab E
230k assays
analysis CVM
TDX + H100
cohort risk model
cpu
gpu
mem
multi-sig owner · 5 / 5
DstackApp.sol · 0x73c2…be09
signed output
dp-aggregate
ε = 1.5 · ✓ verified
receipt
sig chains TDX root + on-chain DstackApp
在源头密封
已验证计算
已签名聚合输出
multi-party studies on dstack
Cross-silo cohorts running today.
Each consortium pins a single compose-hash; KMS only releases per- dataset keys when every owner has signed off through the multi-sig DstackApp owner.
show cohorts withcriteria 1≥ 3 ownersandcriteria 2multi-jurisdictionandcriteria 3HIPAA / GDPR-grade
name
owners
records
criteria 1
criteria 2
criteria 3
status
Cardio-renal cohort study
healthcare research
4
1.6M
match
match
match
live
Cross-bank fraud signals
financial · AML
6
78M
match
match
partial
live
Rare-disease genomics
genomics · research
3
54k
match
match
match
live
Supply-chain risk benchmark
B2B intelligence
8
12M
match
match
miss
forming
ICU readmission cohort
clinical operations
5
320k
match
match
match
forming
Insurance claim adjudication
insurance · ops
2
4M
miss
miss
partial
forming
Match / partial / miss reflect on-chain state of each consortium's DstackApp multi-sig vs the criteria.
工作原理
完整走一遍计算到数据的运行流程。
关闭 dstack,看看中心化流水线如何重新获得行级访问权限。
dstack 上的 Compute-to-Data
封存数据留在源头 · 模型随处运行 · 多方审批控制每次密钥释放
活跃边缘未激活步骤中新增
步骤 1 of 5 · 随滚动响应1
步骤 1 / 5源头封装
每个所有者都运行本地封存 CLI:HKDF(kms_root_pubkey, analysis_app_id, analysis_compose_hash, owner_id)。加密数据集并发布密文。所有者从不发送明文或密钥。修改配方 → 密钥不再匹配。
With dstack: 被盗密文毫无用处。包裹密钥只会在 compose-hash 匹配的经过证明的 CVM 内重新派生。
在你的数据所在之处运行多方研究。
CLI · 封存
Each owner runs the local sealing script (HKDF-derived wrap-key bound to the analysis compose-hash). Plaintext never leaves the silo; only ciphertext + a recipe-bound envelope is published.
CLI
$ python seal-dataset.py \--owner hospital-A \--in cohort-A.parquet→ HKDF wrap-key derived→ ./sealed/cohort-A.tar5.8M rows · 1.2 GB
OWNER UI
compose-hash0xa42…d1f
Hospital A0x91d…0c4
Hospital B0x4ef…7a2
Hospital Cawaiting
2 / 4 quorumawaiting
审批控制台
Owners review the public compose-hash, then sign the multi-sig that owns DstackApp. Threshold-of-N before any key is released.
REST + Sign-RPC
Submit the analysis compose, fetch the signed aggregate. Every response carries a Sign-RPC envelope chained to TDX root + on-chain DstackApp.
API
POST/v1/runs
{ compose, owners }GET/v1/runs/{id}
200 · sig + payloadverifies on-chainSDK
from phala.dstack
a = unwrap("A/cohort.tar")b = unwrap("B/cohort.tar")m = train(pd.concat([a, b]))phala.emit_signed(m.summary())# DP · ε = 1.5CVM 中的 Python
Inside the analysis CVM, unwrap_dataset() asks dstack-guest-agent for per-owner keys. Joins, embeddings, and model passes — all in TDX-encrypted memory.
sealed dataset · cohort-A.tar
1.6M rows
ownerhospital-Aanalysis-app-id0x4f6a…91c0analysis-compose-hash0xa42b…d1f3wrap-keyHKDF(kms, app, compose, owner)algoAES-256-GCM
SealedHIPAAGDPRnever-exits-silorecipe-bound
源头封存,仅在证明匹配时派生密钥
Each owner's wrap key is HKDF(kms_root, app_id, compose_hash, owner_id). Change the recipe and the key changes — old ciphertext is permanently locked out. The wrap key itself only re-derives inside an attested CVM whose compose-hash matches.
DstackApp.sol · 0x73c2…be09
multi-sigHospital Asigned0x91d…0c4
Hospital Bsigned0x4ef…7a2
Hospital Csigned0xab1…d56
Hospital Dpending—
3 / 4 quorumkey release · waiting
链上门限解封
DstackApp.sol holds the compose-hash. KMS only releases per-owner keys when every required owner has signed off through the multi-sig. Any single owner can revoke globally with one on-chain transaction — no coordination needed.
in production today · 3 live consortia
Compute-to-data, in production.
Cohorts where one breach used to mean everyone’s breach. Now: sealed at source, approved on-chain, signed aggregate out.
02financial · live
Cross-bank fraud signals
6 banks · US + UK + SG + DE
“Joint AML model trained without any bank seeing another bank’s ledger. The model file IS the receipt.”
78M transactions
k-of-n quorum · Sign-RPC envelope
03B2B · forming
Supply-chain risk benchmark
8 vendors · US + EU + APAC
“Federated benchmark whose output type is locked to the registered compose. No back-channel exfiltration.”
12M records
output type bound to compose-hash
HIPAA-grade
sealed clinical cohorts
GDPR / UK GDPR
data residency preserved
PCI / FFIEC
cross-bank joins on-chain gated
SOC 2 Type II
attested run history
AI 解决方案路径
在 AI 触及密钥时使用隐私模型。
隐私模型端点是第一个入口点。同样的隐私原语也适用于代理、数据工作流和训练。
LLM API
隐私 AI 推理
提供 OpenAI 兼容的模型调用,提示词、输出和客户上下文都需要在使用中加密保护。
DeepSeek V3.1
128K
$0.27/M input
Qwen3 Coder
256K
$0.40/M input
Llama 3.3 70B
128K
$0.15/M input
GPT OSS 120B
128K
$0.10/M input
Claude Sonnet 4.5
200K
$3.00/M input
Gemini 2.5 Pro
1M
$1.25/M input
Agents
隐私 AI 代理
在可验证的运行时中运行代理的密钥、工具、记忆和操作,而不是放在可见的自动化云中。
Training
隐私模型训练
在保持数据集、梯度、检查点和评估轨迹处于边界内的同时,基于专有数据调整模型。
private training run
Observe without exposing weights.
01
dataset
sealed
02
fine-tune
running
03
eval
private
04
checkpoint
verified
loss curve
proof attached
attestation.json
