Trust tiers
Every model on OGONG carries a trust tier that tells you exactly what guarantee you’re getting. The tier describes how the work is served and checked, not which company made the model.
Two guarantees, plainly
The whitepaper draws the line at two things, and they are not the same:
- Privacy: can the machine operator read your prompt and the answer?
- Correctness: can you be sure the answer really came from the model you asked for?
These are two independent axes, and OGONG offers exactly two tiers, one for each way of pinning down correctness. There is no unverified, “just trust me” tier: all supply on the network is checked one way or the other.
| Tier | Privacy | Correctness | Hardware |
|---|---|---|---|
| Confidential (TEE) | Operator is blind (enclave) | Hardware attestation | TDX / SEV-SNP + NVIDIA CC |
| Verified | Operator sees the content | Statistical audit (re-check) | Any GPU, incl. Apple Silicon |
Confidential (TEE): verifiably private
The provider runs inside a Trusted Execution Environment and produces a hardware-signed attestation (a DCAP quote on Intel TDX, with NVIDIA Confidential Computing for the GPU). The quote proves what code and model are running and gives you an encrypted channel into the enclave. The operator of the machine cannot read your prompt or the response.
- Trust root: hardware attestation, checked by you (or a validator on your behalf), and you must check it before you send anything, which is what turns “private” into verifiably private.
- Per-reply guarantee: the enclave signs a receipt over each response, so correctness is hardware-attested for the specific answer you got; settlement won’t release on a receipt that doesn’t verify.
- The honest caveat: confidentiality is only as strong as the TEE itself. A working enclave break on the host serving your request would defeat privacy, and attestation is only as current as the platform’s security version: a valid quote on revoked or out-of-date microcode is rejected. Note the asymmetry: under a compromised minority of enclaves, network correctness still holds (it rests on the audit and the honest validator majority); it’s privacy that degrades.
- Use it for: anything sensitive. Content never leaves the enclave in the clear.
Verified: correct, but the provider can see it
This is the public-compute tier, on any GPU and no special hardware. The provider commits to its work and a verifier re-checks it cheaply by teacher-forcing a single pass (see How verification works). If the re-check agrees, the work is accepted and paid. This proves the answer came from the claimed model.
- Trust root: a cryptographic commitment plus an independent statistical audit.
- What kind of guarantee: probabilistic, not cryptographic. Empirically the separation between honest and cheating work is wide (a substituted model misses by ~10x), but it’s a statistical bound calibrated per hardware pair, not a worst-case proof. Keeping the honest cross-hardware drift clear of near-lossless quantization fraud is the network’s central open calibration gate, so thresholds are set conservatively. For a hard, per-reply correctness claim today, the Confidential (TEE) tier is the stronger basis.
- Caveat: the serving machine sees the content. Your identity is stripped at the router (the provider doesn’t learn who you are), but the prompt text is visible to the GPU running it. If you need privacy, use Confidential.
Why no “private on commodity hardware” tier?
Because you can’t have it. Hiding content from the operator requires a TEE. On an ordinary GPU the operator can always read what the card is processing, so the Verified tier can prove correctness but never privacy. OGONG is honest about this rather than blurring it.
Running your own GPU
Pointing a tool at a GPU you own is a different thing from picking a network tier: there’s no third party to attest or audit, because you already trust the machine. That’s local mode: a zero-signup, no-account server you run for yourself or a friend over an encrypted tunnel. It isn’t part of the marketplace’s tier system. See Local mode.