Glossary

α (alpha), a validator’s audit coverage in [0,1]. --alpha 1 audits every reply; --alpha 0 audits none. The design target is full coverage, affordable because checking is cheap.

β (beta), target lifetime false-ejection rate (the Ville bound) used by the SPRT when deciding to eject a provider.

Attestation, a hardware-signed proof of what code and model an enclave is running; the trust root of the Confidential (TEE) tier. See DCAP quote.

Commitment, a verifiable digest a provider emits over its work: a Merkle tree, root commit_root, whose leaves bind a hidden-state SRP sketch and a top-k logprob digest per 32-token window. Lets a verifier re-check a sampled slice cheaply.

commit_root, the Merkle root of a reply’s per-window commitment leaves, signed into the provider’s record.

consensus_id, sha256(cert); ties a registered validator to the QUIC cert it presents, so peers pin one another by their on-chain-registered certs.

DCAP quote, a hardware-signed attestation (Intel TDX) proving what code/model is running inside a TEE; the trust root for the Confidential tier.

Escrow, on-chain account holding a consumer’s funds until a release is audited and quorum-settled. On a reject the funds are refunded to the consumer.

Gateway, ogong-gatewayd; the OpenAI-compatible HTTP front door for consumers, and an optional fiat on-ramp.

Honeypot audit, a planted audit carrying a known-bad output, indistinguishable from a real one; a verifier that passes it (rubber-stamping accept) is itself slashed.

Hybrid PQ signature, the provider record is signed with Ed25519 and ML-DSA-44, so it survives the future break of either scheme.

KS test (Kolmogorov–Smirnov), the sup-norm distance between the committed and recomputed top-k logprob distributions; catches a localized probability shift that an averaged TV would dilute. Reject threshold ≈ 0.10.

LOGIC, the logprob-commitment primitive: top-k logprob digests at every decode position. The cheap first check, using values the engine already exposes.

Maker, the author of a model, identified in ogong/<tier>/<maker>/<model> and attributed on-chain. A royalty slot is reserved but inactive at launch (deferred to governance).

model_root, a SHA-256 over the model’s ordered shard content hashes; binds a commitment to a specific model identity (quantization included implicitly).

Provider, a node serving inference from a GPU; the daemon is ogong-provider. Risks no correctness bond and doubles as a verifier for peers serving the same model.

Quorum settle, the on-chain settlement that releases escrow; requires co-signatures from a stake-weighted supermajority of validators (more than two-thirds of stake).

Reputation, a per-provider score (with stake) that weights how much work the router routes to it.

ρ (rho), the ratio of verification cost to generation cost. Measured at ≈ 1% on datacenter GPUs (~100x cheaper than generation) and ≈ 5% on Apple Silicon (~20x). This is what makes full-coverage auditing affordable.

Router, ogong-routerd; the marketplace match engine, an attested enclave that draws a provider proportionally to stake × reputation and is slashable for misrouting.

Score mode, the engine path that returns per-token logprobs/hidden states from a single teacher-forced prefill without generating (what makes the audit cheap). The default verification path (capability-detected, with a fallback).

Settlement sink, the role/env that lets a validator submit the on-chain settle. Only the handling validator holds it; peers are cosign-only.

SPRT, sequential probability ratio test; accumulates per-reply verdicts into a running decision so a persistent cheater is ejected quickly while honest noise rarely is (bounded by β).

SRP sketch (sign-random-projection), the hidden-state commitment: the activations projected onto a fixed, public bank of random ±1 directions. Well-conditioned and not the provider’s to choose, so a substitute model can’t hide in a hand-picked subspace. Replaces the older provider-chosen magnitude-top-k scheme. Reject threshold (relative-L2) ≈ 0.10.

Stake, OGONG locked by an operator to buy priority and availability weighting. It is not a slashable correctness bond.

Teacher-forced verification, the audit method: the verifier runs one forward pass over (prompt + claimed output) and reads the model’s hidden states and logprobs off that pass, instead of re-generating. The source of ρ ≈ 1%.

TEE (Confidential tier), Trusted Execution Environment; the verifiably-private tier where the operator can’t read your prompt.

Threshold-BLS beacon, the committee randomness source for audit selection. Validators share one BLS key (via a dealerless DKG); each epoch’s beacon is the unique threshold signature over it, so no coalition can grind or steer the draw and withholding can’t move it. Anyone verifies it against the group public key. A drand-style construction; it closes the “watch then decide” attack.

TOPLOC, the hidden-state-commitment primitive (implemented as the SRP sketch); a stronger check than logprobs alone because it pins internal activations, which distillation can’t fake.

Total-variation (TV) distance, the distance between committed and recomputed top-k logprob distributions; a companion signal to KS (honest ~0.01, a quant cheat ~0.05). The logprob reject line itself is KS ≈ 0.10.

Trajectory, the recorded sequence of a generation (token windows, or sampled denoising steps for diffusion) that a verifier re-checks during an audit.

Validator, ogong-validatord; an attested CPU enclave (no GPU) that audit-selects work, adjudicates verifier scores, co-signs settlement, and posts the only slashable bond in the system.

Verifier, ogong-verifierd; a provider GPU in audit duty that teacher-forces the claimed output on an independent engine and returns Accept/Reject, paid a flat fee per audit.

VRF (verifiable random function), the per-validator audit-selection primitive, now the bootstrap fallback to the threshold-BLS beacon. Keeps audit selection unpredictable yet verifiable, so a provider can’t tell which replies are checked.