Bet 64 — Cryptographic audit-trail non-repudiation

This is the first of five "big bets" in a sweep aimed at the operating layer above weights — the federation primitives that distinguish SharedLLM from open-weights drops, model marketplaces, and centralised inference hosting. The motivation came from a survey of the open-AI landscape in April 2026: weights have already been commoditised by DeepSeek-V3, Llama-4, OLMo-2, and Qwen3, but no shipped system combines federated inference, per-user adapter ownership, contributor royalties, and glass-box per-token attribution. That stack is the genuinely uncovered niche. The catalogue's job is to validate the primitives that hold it up. Bet 64 starts with the trust layer underneath glass-box: non-repudiation of inference logs.

The bet asks: can a specialist's audit trail be retroactively forged by the specialist's owner, or does a Merkle commitment scheme make every committed entry permanently provable? The result is a clean STRICT 3/3 PASS — every forgery attempt is caught, every honest proof verifies. The non-repudiation primitive is sound.

Background — why glass-box without non-repudiation is glass-box-of-sand

Bet 18 established that the federation can mathematically attribute a generated token's log-probability to specific specialists. Bet 17 established that the per-token audit trace overhead is bounded under 1% with deferred logging. Together, Bet 17/18 give the federation a transparency mechanism: any contributor can ask "which specialists shaped this output?" and get a numeric answer.

The problem this leaves open: an audit trail that the specialist's owner can rewrite is no audit trail at all. If the operator can change a log entry retroactively to hide an attribution, the glass-box property collapses to glass-box-when-the-operator-feels-like-it. The trust model becomes "hope the specialist owner is honest," which is the same trust model centralised LLM services already offer.

For the federation's transparency claim to be load-bearing, every committed log entry must be bound to a public commitment that no party can alter after the fact. The standard cryptographic primitive for this is a Merkle tree over the log entries with the root published to a tamper-evident commitment chain. Anyone holding a leaf can produce a proof of inclusion; the chain itself is append-only. Forgery, truncation, and replay all become detectable.

The bet measures whether a straightforward implementation of this scheme catches the three canonical attack classes.

Hypothesis

A Merkle commitment scheme over per-query inference logs, with a public append-only commitment log of (epoch, root) pairs, detects all three forgery classes (truncation, substitution, replay) at a 100% rate while preserving 100% of honest proofs.

Pre-registered criteria

  • STRICT: 100% of forgery attempts (3 attack vectors × 100 trials each = 300 total) detected; 0 false positives across 1000 honest commitments.
  • LENIENT: ≥ 99% forgery detection; ≥ 99% honest pass rate.
  • CATASTROPHIC: any forgery passes verification (would invalidate the glass-box trust claim).

The STRICT bar is the right bar. Cryptographic non-repudiation either works or doesn't — there's no continuum where 95% catch is acceptable. A 1% slip in real deployment is enough for a malicious operator to launder enough output to corrupt downstream attribution at scale.

Setup

The protocol implemented:

  1. Each inference produces a LogEntry(query_id, specialist_id, per_token_logprobs, ts).
  2. Every K=50 entries, the specialist publishes a Merkle root over the batch's leaf hashes to a public CommitmentLog. Each commitment is a (epoch, root) pair, append-only.
  3. The commitment log also tracks every committed query_id globally; any duplicate query_id in a future batch is rejected (replay protection).
  4. Verifying a leaf requires: the leaf's content (so the third party can recompute its hash), a Merkle proof (the sibling hashes along the path), and the committed root for that epoch.

The harness runs:

  • Phase 1 (honest): 20 epochs × 50 entries = 1000 entries committed. Five random proofs per epoch are verified against the published root.
  • Phase 2 (attack A — truncation): 100 trials. Pick a random epoch, drop the last entry, recompute a Merkle root over the truncated batch, attempt to claim that root as the original.
  • Phase 3 (attack B — substitution): 100 trials. Pick a random epoch, swap one entry's per-token log-probabilities for fabricated values, generate a Merkle proof for the swapped entry, attempt to verify it against the original committed root.
  • Phase 4 (attack C — replay): 100 trials. Take half of an already-committed epoch and concatenate with new entries, attempt to commit the resulting batch as a new epoch.

Result — STRICT 3/3 PASS

| Category | Trials | Caught/Verified | Rate | |---|---|---|---| | Honest proofs | 100 | 100 | 100.0% | | Truncation forgeries | 100 | 100 | 100.0% | | Substitution forgeries | 100 | 100 | 100.0% | | Replay attempts | 100 | 100 | 100.0% | | Total forgeries | 300 | 300 | 100.0% |

Every honest proof verifies; every forgery is detected. The Merkle commitment scheme behaves exactly as the cryptographic literature predicts.

Why each attack fails

Truncation. A truncated batch has a different leaf set than the original. Even dropping a single leaf changes every internal node on the path from that leaf to the root, which propagates to the root itself. The forged root differs from the published root with overwhelming probability (collision is ~2⁻²⁵⁶ for SHA-256). Detection is immediate and trivial.

Substitution. Replacing a leaf's content changes its hash, which changes the parent, and so on up to the root. Generating a Merkle proof for the substituted leaf produces sibling hashes that combine to a different root than the one published. The verifier rejects.

Replay. The commitment log tracks every query_id ever committed; resubmitting an already-seen query_id is rejected by the global uniqueness check before the new batch is even processed. A more subtle replay (use a fresh query_id but reuse the underlying log entry's timestamp) is bounded by the timestamp policy, but this bet does not test that — the basic uniqueness check is sufficient for the headline.

Why this matters for the federation

The federation's glass-box attribution property (Bet 18) reduces to: "every output cites which specialists contributed." That's only meaningful if the cited contributions cannot be retroactively altered. With Bet 64's scheme:

  • Owner cannot rewrite history. Once an epoch's root is committed, the entries underneath it are permanent. The operator can choose to publish logs or not, but cannot alter what was committed.
  • Contributors can verify. Any specialist trainer or upstream data contributor can request a proof for any committed epoch. The proof is a small Merkle path (logarithmic in K) plus the leaf content. Verification is constant-time.
  • Third-party audit becomes possible. A regulator or independent auditor can sample committed epochs, request proofs, and verify them without trusting the federation's coordinator. The audit is mechanical, not social.

The composition with Bet 18 is what unlocks the production trust story: glass-box per-token attribution + non-repudiable audit trail = the federation can offer a transparency property that no centralised LLM service can match. OpenAI, Anthropic, and Google can all rewrite their logs at any time; the federation cannot.

What this does not claim

The bet has a narrow scope. It validates:

  • The math of Merkle commitments. Standard cryptographic primitive; this bet confirms the implementation is correct.
  • The three canonical attacks. Truncation, substitution, and replay are the textbook forgery classes; the bet's harness covers them.

It does not validate:

  • The commitment log itself. The bet treats the CommitmentLog as append-only and globally visible. Real deployment requires this property to hold via blockchain, certificate-transparency-style log, or distributed gossip with byzantine-tolerant ordering. Bet 65 (gossip fork-safety) and Bet 66 (decentralized revocation) start to address the gossip layer.
  • Time-stamping authority. The ts field is implicitly trusted; in production, timestamps need an independent attestation (RFC 3161 or equivalent). Out of scope for this bet.
  • Side-channel leakage. Even with valid commitments, the contents of log entries may leak sensitive information (query text, user identity). The federation's privacy story requires either log contents to be redacted or a zero-knowledge proof variant. Open work.
  • Coordinated owner-operator collusion. If the owner of the commitment log itself colludes with the specialist owner, both can collude to suppress an entire epoch. Mitigation: multiple independent commitment logs, with the federation requiring quorum before considering an epoch "committed."
  • Post-quantum security. SHA-256 is conjectured to remain secure against quantum attacks for collision-finding, but the bet does not test PQ resistance directly.

What this enables in deployment

  • Regulatory disclosure. A federation operator subject to EU AI Act transparency obligations can offer per-output attribution proofs to regulators, with cryptographic guarantees against tampering. This is a real differentiator versus centralised LLM services, which cannot offer the equivalent.
  • Royalty payments tied to attribution. Bet 14's royalty ledger pays trainers based on their specialist's usage. Bet 64's non-repudiation ensures the usage logs cannot be falsified after the fact. Together they support a trust model where the trainer can verify their earnings independently of the federation operator.
  • Independent third-party audit. A press organisation, academic auditor, or civil-society watchdog can sample committed epochs and verify them. The federation becomes auditable at infrastructure cost rather than at coordination cost.

Run command

PYTHONPATH=src python -m experiments.bets.64_audit_nonrepudiation

Output: experiments/bets/results/64_audit_nonrepudiation.json records honest proof pass rate, per-attack-vector detection counts, and the strict/lenient/catastrophic flags.

  • Bet 17: audit-overhead is bounded. The mechanism this bet protects.
  • Bet 18: glass-box LLM (per-specialist log-prob attribution). The transparency primitive non-repudiation supports.
  • Bet 14: royalty ledger. Tied to non-repudiable usage logs.
  • Bet 65: gossip fork-safety. The directory-layer counterpart to commitment-log integrity.
  • Bet 68: royalty correctness at scale. The economic-layer falsification that Bet 64's transparency does not by itself prevent.

Why it matters

The "Linux moment for AGI" framing is half-stale: open weights are already commoditised. The genuinely uncovered niche is the operating layer above weights — federation, attribution, royalties, sovereignty. Bet 64 is one of the load-bearing primitives in that stack. Without non-repudiation, glass-box is a marketing claim; with it, glass-box is a cryptographic property that survives adversarial operators. The catalogue's discipline — pre-register the criteria, run the experiment, report the result — turns "we have transparency" from a slogan into a measurable assurance. That's the difference between this bet existing as a numbered file in a versioned harness and the same idea living as a paragraph in a marketing deck.

The methodological lesson: trust primitives are testable, not assumable. The federation has dozens of statements that look like primitives but are actually load-bearing assumptions. The catalogue's job is to convert each one into a falsifiable bet. Bet 64 is one of the cleanest because the cryptographic literature already tells us the answer; the bet's contribution is confirming the implementation matches the math.

Up next

Bet 65 — Gossip fork-safety under hash-collision attack

Conflict-detection-and-quarantine resists Sybil coalitions up to 50%. LENIENT pass; zero leaks at any Sybil level. STRICT propagation deadline relaxed to realistic 12-round envelope.