Whitepaper

Azoth is a market for cryptographically verified LLM inference. Operators run open-weight language models inside Trusted Execution Environments and produce, alongside each response, an attestation quote that binds the output to a specific model, runtime, prompt and execution.

Users submit prompts and receive both a response and the attestation. The attestation can be independently verified against the hardware vendor's root of trust — no need to trust the operator, only the silicon.

Closed-API inference offers no cryptographic guarantee that the claimed checkpoint was used, that the system prompt was unchanged, that the output was not post-filtered, or that the prompt will not enter training. Trust is brand, not mathematics.

Existing decentralised inference markets address concentration but generally do not address verifiability: they rely on staking weights or reputation rather than on a per-call cryptographic binding between output and execution.

Each operator runs an approved open-weight model inside one of three TEE classes: NVIDIA H100 / H200 Confidential Compute, AMD SEV-SNP, or Intel TDX. The model weights and runtime image are loaded inside the enclave; the host operating system never sees the cleartext computation.

Every execution emits an attestation quote signed by the vendor's root key. The quote contains: model_hash (SHA-256 of the loaded weights), image_hash (SHA-256 of the runtime image, including tokenizer and sampling parameters), prompt_hash, response_hash, nonce and timestamp.

The AzothVerifier contract on Base validates each quote against the relevant vendor root certificate, checks model_hash and image_hash against an approved whitelist, ensures nonce freshness, and on success emits a WorkAccepted event.

Escrow paid by the user is released to the operator the same block WorkAccepted fires. There is no off-chain settlement, no batched netting, no challenge window — verification is atomic with payment.

TEE is the base tier and covers approximately 99% of traffic with sub-100 ms overhead beyond model inference. Above it sit three additional layers:

Probabilistic redundancy. A small fraction (~3%) of prompts are randomly duplicated to a second operator running on an independent hardware vendor; output commitments are compared on-chain and divergence escalates to a third independent operator.

Watchtower network. Independent audit nodes stake AZTH and continuously shoot canonical-prompt traps with deterministic expected outputs at random operators. A mismatch slashes the operator: half of the stake is awarded to the watchtower, half is burned.

ZKML side-car. For premium calls where the cost of hardware compromise is intolerable, a zero-knowledge inference proof is produced in parallel via EZKL or RISC Zero. Orders of magnitude slower, mathematically tight.

All payments and attestations settle on Base. Base is chosen for three reasons: per-call inference fees are denominated in millicents and only an OP-Stack L2 with predictable fees can host that surface; Coinbase's onramp is the widest consumer entrypoint in crypto; and final security is inherited from Ethereum L1 via the OP Stack proof system.

AZTH is the unit of payment and stake. ETH is the gas and on-ramp. Both are used directly; no wrapping, no synthetic representation.

TEE is not mathematics. If NVIDIA, AMD or Intel is compromised or coerced, the relevant root of trust falls. Watchtowers and redundancy mitigate this — they do not eliminate it.

Side-channel research against enclaves is active and ongoing; mitigation depends on rapid rotation of approved image_hash entries and prompt revocation of compromised images.

Censorship-resistance is bounded. Operators may refuse to serve specific prompts. The protocol does not mandate service; the market and reputation decide.

Latency is not better than closed APIs. Attestation and on-chain settlement add 50–200 ms on top of model inference. Acceptable for interactive use; debatable for real-time agents.

Azoth verifies that a specific model produced a specific output. It does not verify that the model is safe, truthful or aligned. That is a different problem and is out of scope.