Inference Verification in a Trusted Execution Environment (TEE)

We use inference verification to verify that text actually came from a model. This runs on an Nvidia H200 TEE, with the TEE code built and hosted by tinfoil.sh.

Inference verification is the task of verifying that a piece of text was actually generated by a specific model with specific sampling parameters. We use Token-DiFR to accomplish inference verification.

Why does this matter?

Inference verification has two key applications:

Detecting steganography — identifying covert channels hidden in LLM outputs (arXiv:2511.02620)
Verifying inference providers — ensuring a provider actually ran the claimed model and didn't substitute a cheaper one (arXiv:2511.20621)

Importantly, for inference verification to be trustworthy, you also need to trust the verifier itself. That's why we run this inside a Trusted Execution Environment (TEE) — the verification code runs in hardware-isolated memory that even the server operator cannot inspect or tamper with.

Verify Local Text

This example text is stored on the device. Click "Run Verification" to verify it was generated by the model.

Prompt

Response Text to Verify

Temperature

Top K

Top P

Seed

FSSL Threshold

Rank Threshold

1. Query OpenRouter

Prompt

Max Tokens

Simulate a dishonest provider

Consider: you requested a response from Llama 3.1 8B, but the provider wants to save money so they serve you Llama 3.2 3B instead. Click below to simulate such a query — verification should flag the mismatch.

Temperature

Top K

Top P

Seed

Results

TEE Verification Guarantees

Verifying that inference verification is taking place properly.

Chain of Trust

The source code lives at setting-three-security/inference-verification.
The deployer repo (public) has tinfoil-config.yml which specifies the exact Docker image + SHA256 digest.
On tag push, Tinfoil's pri-build-action builds the enclave image and publishes a Sigstore bundle — a signed attestation linking the config to the expected binary measurements.
At boot, the Nvidia H200's CPU measures the enclave (firmware, kernel, app binary) and produces a hardware-signed attestation report.
On every connection, the Tinfoil SDK compares the Sigstore measurements against the enclave's attestation — if they don't match, the connection is refused.

The deployer repo is the public proof. Anyone can look at tinfoil-config.yml, see the exact container image + digest being run, and verify the running enclave matches that config.

Verify This TEE

You can independently verify that this enclave is running the exact code from the public repos using the Tinfoil CLI:

tinfoil attestation verify \
  -e inference-verification-updated-ui.debug.rinberg-lab.containers.tinfoil.dev \
  -r setting-three-security/inference-verification-deployer

This checks that the Sigstore measurements from the public repo match the hardware attestation report from the running enclave.

Inference Verification in a Trusted Execution Environment (TEE)

Verify Local Text

1. Query OpenRouter

Response

2. Verify Response

Results

Verified Text