Skip to content
BLOKZ.dev

The Committed Sample: Activation Fingerprints for Verifiable LLM Inference

LLM non-determinism has been the blocker for output-based verification. DiFR commits to a random seed before inference — and activation fingerprints built from random orthogonal projections detect 4-bit quantization in just 2 tokens at AUC > 0.999.

(updated Jul 15, 2026) 8 min read intermediate

Re-running the same LLM query twice and comparing byte-level outputs seemed like the obvious path to verifiable inference. It doesn’t work. As covered in The Determinism Problem, floating-point non-associativity means a transformer’s forward pass is not reproducible: dynamic batch scheduling changes reduction order, and GPU kernel execution varies across calls. The same prompt, same hardware, same model weights — different tokens.

That non-determinism handed cheating inference providers a permanent alibi: any discrepancy between runs could be attributed to benign numerical noise. Verification schemes based on output comparison had no answer.

DiFR — a November 2025 paper from Adam Karvonen, Daniel Reuter, Roy Rinberg, Luke Marks, Adrià Garriga-Alonso, and Keri Warr — closes the gap with two complementary mechanisms. The first makes token sampling deterministic without fixing the underlying arithmetic. The second compresses model activations into compact fingerprints that detect 4-bit quantization in as few as 2 output tokens at AUC > 0.999. Together they outline a protocol that on-chain inference markets can adopt today.

The non-determinism was always in sampling, not arithmetic

DiFR’s first insight is a reframing. The forward pass arithmetic is non-deterministic, yes — but the sampling step that converts logits to tokens is a separate, independently seeded PRNG draw. If both the provider and the verifier commit to a shared random seed before inference, the sampling step becomes fully deterministic given any particular set of logits.

Token-DiFR operationalizes this with sampling seed synchronization:

  1. Before the inference call, buyer and provider exchange a 64-bit seed (committed on-chain, or derived via ECDH).
  2. The provider runs inference normally — non-deterministic arithmetic included — but feeds the agreed seed into the sampling PRNG at each decoding step.
  3. A trusted reference implementation, conditioned on that same seed and the provider’s committed model, predicts which tokens are consistent with valid logits from the correct model.
  4. The provider’s output tokens must fall within this corridor.

The corridor is not a single token; it’s a probability-weighted set of valid outputs. The arithmetic noise means the provider’s logits float slightly around the true values, so the corridor has some width. But a cheating provider who substitutes an INT4 quantized model gets substantially different logits. Quantization shifts weight matrices and thus the entire activation trajectory — the shifted logits produce a sampling distribution outside the reference corridor.

Token-DiFR detects 4-bit quantization with AUC > 0.999 within 300 output tokens — roughly 200 words of prose output. The provider bears zero overhead; only the verifier’s reference implementation needs to check.

Three hundred tokens is still a substantial buffer. For single-sentence agent decisions or real-time resolution of prediction markets, you may have far fewer tokens to examine. That’s where the second mechanism comes in.

The orthogonal fingerprint: detection in two tokens

Activation-DiFR fingerprints the forward pass itself rather than waiting for output tokens. After each decoding step, the provider computes:

f_i = W · h_i

where h_i is the activation vector at layer i (dimension d = 4096–8192 for typical frontier models) and W is a random orthogonal projection matrix of dimension k × d, with k ≪ d. The key property: W is derived from the shared random seed, so both provider and reference know it ahead of time.

Why does this work? The Johnson-Lindenstrauss lemma guarantees that random orthogonal projections preserve L2 distances with high probability. An FP32 model and its 4-bit quantized counterpart have different weight matrices, so their internal activation distributions diverge substantially — even if their output tokens occasionally agree. The fingerprints f_i pick up that activation-level divergence far earlier than token-level discrepancies become visible.

The lemma leans on a fact that is only true in high dimensions: a random projection matrix W has near-orthonormal rows, so it barely distorts the geometry it projects. That near-orthonormality is itself a consequence of dimension. Two random directions in a space of dimension d have a cosine similarity that concentrates on zero with standard deviation exactly 1/√d — at the d ≈ 4096–8192 of a frontier model’s activation layer, essentially every pair is within a degree of perpendicular. The scene below makes that collapse literal: drag the dimension up and watch a sphere of random directions fall onto the equator orthogonal to a fixed reference.

⬢ loading artifact…
Nearly Orthogonal — drag to orbit the sphere · slide dimension d (3 → 8192) to watch the angles concentrate at 90° open artifact ↗

The results from DiFR are stark:

MethodModel changeDetectionTokens sampled
Token-DiFR4-bit quantizationAUC > 0.999300
Activation-DiFR4-bit quantizationAUC > 0.9992

Activation-DiFR also reduces communication overhead by 25–75% relative to existing activation-transmission methods. The full activation vector at a 4096-dim layer is 16 KB at FP32 precision. At k = 128 dimensions for the projection, the fingerprint is ~512 bytes — small enough to bundle into a standard Ethereum calldata payload.

⬢ loading artifact…
The Activation Receipt — select precision level to reveal fingerprint divergence open artifact ↗

The simulation above shows what happens to the fingerprint comparison as model precision degrades. At FP32, provider and reference fingerprints are statistically indistinguishable. Switch to INT4 and the fingerprint vectors diverge enough to flag model substitution in the first two forward steps.

The on-chain protocol

DiFR was designed for cloud inference providers and their customers. The on-chain translation is direct. The protocol maps onto a standard escrow contract with three phases:

Setup phase:

buyer  → InferenceEscrow.commit(keccak256(seed || nonce), queryHash, bounty)
provider → InferenceEscrow.accept(modelCommitment)

modelCommitment is the keccak256 of the model’s weights or a trusted model registry hash. The contract stores both commitments.

Execution phase:

provider → runs inference with shared seed
provider → computes activation fingerprints F₁, F₂ at two designated layers
provider → InferenceEscrow.submit(outputTokens, seed, [F₁, F₂])

Verification phase: A reference oracle checks whether [F₁, F₂] are consistent with the committed model at the committed seed:

referenceOracle → InferenceEscrow.attest(valid: bool, queryHash)
contract → pays provider if valid; slashes deposit if fraud

The reference oracle is the remaining trust surface. Three compositions are practical:

  • Optimistic reference oracle: a bonded off-chain verifier checks fingerprints and posts results on-chain; a 24-hour dispute window allows challenges. Per-query cost is negligible; the bond deters fraud.
  • TEE reference oracle: the reference check runs inside a TDX/SGX enclave, with a DCAP attestation stored in the contract (see Trusting the Quote). On-chain verification cost: ~290k gas for the compressed TEE proof.
  • ZK reference oracle: a SNARK proves the fingerprint was computed from valid activations. This would require a zkVM circuit for the projection step — feasible in principle but too slow for real-time use at current prover throughput.

The optimistic path is the practical starting point. It mirrors rollup fraud proofs: the reference oracle is trusted unless challenged, and challenges are kept economically deterred by the bonded deposit.

Gas costs and economics

The on-chain footprint of the protocol is modest:

OperationApprox. gas
commit(seed_hash, queryHash) — two keccak256 stores~30,000
submit(tokens, seed, [F₁, F₂]) — 2 × 128-byte fingerprints~48,000
attest(bool) — oracle result~22,000
Total per verified inference~100,000

At 2 gwei basefee and ETH at $1,750, that’s approximately $0.35 per verified inference call on L1. On Base or Arbitrum, the same operations land under $0.01.

For comparison: a typical on-chain AI agent query costs $0.50–5.00 in inference fees. At L2 prices, DiFR verification adds effectively nothing. On L1, the overhead is 7–70% of inference cost — significant but within the range where a verifiable guarantee commands a premium in high-stakes applications (DeFi strategy calls, prediction market resolution, governance votes).

The provider’s overhead is near-zero: computing W · h_i is a single matrix-vector multiply parallelizable alongside the existing forward pass. DiFR’s vLLM integration reports sub-1% throughput impact.

What this does and doesn’t fix

Activation-DiFR catches model substitution: the provider running a cheaper or different model than the one committed to. It does not catch:

Selective cheating. A provider who uses the correct model on most queries but substitutes on targeted ones escapes detection unless those queries happen to be sampled. This is the domain of Proof of Sampling — a different but complementary layer that deters selective fraud through random auditing at a 0.74% rate.

Input manipulation. DiFR checks the model, not the context fed into it. A provider can influence outputs by modifying system prompts or injected context without triggering fingerprint divergence.

Fine-tune evasion. A provider who fine-tunes the committed model slightly — enough to shift reasoning behavior, but not enough to move activations far from the reference distribution — might stay within the fingerprint tolerance. The DiFR paper does not evaluate fine-tune evasion explicitly.

Reference oracle trust. The entire protocol assumes an honest reference implementation. If the reference oracle is compromised or colluding with the provider, all guarantees collapse. TEE attestation and ZK reference checks reduce but do not eliminate this surface.

DiFR works best as one layer in a verification stack. Model commitment anchors which model is supposed to run. Activation fingerprinting confirms it ran on your query. Proof of Sampling ensures the right model ran on enough queries. Together they address the three distinct cheating vectors (wrong model, wrong execution, selective substitution) without requiring expensive per-query ZK proofs.

Takeaways

Non-determinism was the structural blocker for output-based LLM verification: a cheating provider could always claim divergent outputs were arithmetic noise. DiFR’s seed commitment sidesteps this by making sampling deterministic conditional on a shared seed — the provider’s logit noise stays within bounds, but the sampling step is pinned.

The activation fingerprint is the efficient companion: at k = 128 dimensions, it detects 4-bit quantization in 2 forward steps, adds ~512 bytes of communication overhead per call, and costs roughly $0.35 to anchor on Ethereum mainnet. The random orthogonal projection that makes it work is three lines of linear algebra.

What the combination enables is a primitives for verifiable inference markets where model commitments are cheap to enforce and fraud is detectable before a poisoned result propagates into an on-chain decision. The reference oracle is the remaining open design surface — and as the optimistic, TEE, and ZK compositions show, it degrades gracefully depending on how much residual trust you are willing to accept.

Written by Blokz Development Co. — an engineering agency building agentic systems and blockchain infrastructure. This publication is written and maintained in the open, with AI routines doing much of the heavy lifting.

Content licensed CC BY 4.0 · View source on GitHub ↗

Related articles

Type to search the archive.