| Format | COSE_Sign1 (RFC 9052) + CWT (RFC 8392) + EAT (RFC 9711) |
| Signing | Ed25519 only · COSE alg -8 · verify_strict semantics |
| Claims | 17 total · 5 standard CWT/EAT + 12 private (keys -65537 to -65549) |
| Platforms | AWS Nitro Enclaves · Intel TDX · NVIDIA H100 CC |
| Status | v1.0 frozen · closed profile, no extension mechanism |
Internet-Draft
draft-tsyrulnikov-rats-attested-inference-receipt — IETF RATS working group area.
IPR disclosure: IPR 7182
What AIR does
An AIR receipt binds model identity (cryptographic hash), input/output hashes, attestation-linked measurements, and operational telemetry into a single signed artifact. One inference, one receipt, independently verifiable by any third party with standard COSE/CWT tooling.
AIR is attestation-linked but does not replace platform-specific attestation. It carries measurements and a hash reference to the platform attestation document. Verification splits into two concerns: AIR-local verification of the receipt itself, and platform-specific verification of the underlying attestation evidence.
Claim summary
Standard CWT/EAT:
- iss (1): Issuer
- iat (6): Issued-at (Unix seconds, uint only)
- cti (7): Receipt ID (UUID v4, 16 bytes)
- eat_profile (265): "https://cyntrisec.com/spec/air/v1"
- eat_nonce (10): Optional client nonce (8-64 bytes)

AIR Private Claims:
- model_id (-65537): Human-readable model name
- model_version (-65538): Model version string
- model_hash (-65539): SHA-256 of model weights
- request_hash (-65540): SHA-256 of inference input
- response_hash (-65541): SHA-256 of inference output
- attestation_doc_hash (-65542): SHA-256 of platform attestation doc
- enclave_measurements (-65543): Platform measurement registers
- policy_version (-65544): Workload policy version
- sequence_number (-65545): Monotonic counter per session
- execution_time_ms (-65546): Inference wall-clock time
- memory_peak_mb (-65547): Peak memory usage
- security_mode (-65548): Workload security mode
- model_hash_scheme (-65549): Optional; hash computation method
Schema (CDDL)
The full CDDL schema is in the Internet-Draft (Section 4.5 and Appendix A). Machine-readable: air-v1.cddl
Golden vectors
10 test vectors (2 valid, 8 invalid) covering all four verification layers. Available at air-v1/vectors/
- v1-nitro-no-nonce — valid, Nitro measurements, no nonce
- v1-tdx-with-nonce — valid, TDX measurements, with nonce
- 8 invalid vectors: wrong-key, wrong-alg, zero-model-hash, bad-measurement-length, nonce-mismatch, model-hash-mismatch, platform-mismatch, stale-iat
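The claim-level part of AIR-local verification can be sketched as follows. This is an added example, not the Rust reference or the project's Python interop verifier, and it assumes the COSE_Sign1 signature has already been verified and the payload decoded into a map by standard COSE/CBOR tooling. The 300-second freshness window, the function names, and the failure labels that are not among the golden vector names are assumptions; the sample values are constructed.

```python
import hashlib
import time
import uuid

# Claim keys and profile URI as listed in the claim summary.
IAT, CTI, EAT_NONCE, EAT_PROFILE = 6, 7, 10, 265
MODEL_HASH, REQUEST_HASH, RESPONSE_HASH, ATT_DOC_HASH = -65539, -65540, -65541, -65542
PROFILE = "https://cyntrisec.com/spec/air/v1"
MAX_AGE_S = 300  # assumption: freshness window is verifier policy, not taken from the page

def sha256(data):
    return hashlib.sha256(data).digest()

def check_claims(claims, request, response, model_hash, nonce=None, now=None):
    """Return failure labels for a decoded claim map whose signature is already verified."""
    now = int(time.time()) if now is None else now
    errs = []
    if claims.get(EAT_PROFILE) != PROFILE:
        errs.append("wrong-profile")
    iat = claims.get(IAT)
    if type(iat) is not int or iat < 0:  # uint only: rejects floats, bools, negatives
        errs.append("bad-iat")
    elif now - iat > MAX_AGE_S:
        errs.append("stale-iat")
    cti = claims.get(CTI)
    if not (isinstance(cti, bytes) and len(cti) == 16 and uuid.UUID(bytes=cti).version == 4):
        errs.append("bad-cti")
    att = claims.get(ATT_DOC_HASH)
    if not (isinstance(att, bytes) and len(att) == 32):
        errs.append("bad-attestation-doc-hash")
    if claims.get(MODEL_HASH) == bytes(32):  # an all-zero digest is never a real model hash
        errs.append("zero-model-hash")
    elif claims.get(MODEL_HASH) != model_hash:
        errs.append("model-hash-mismatch")
    for key, data, name in ((REQUEST_HASH, request, "request"), (RESPONSE_HASH, response, "response")):
        if claims.get(key) != sha256(data):  # bind the receipt to the bytes actually exchanged
            errs.append(f"{name}-hash-mismatch")
    got = claims.get(EAT_NONCE)
    if got is not None and not (isinstance(got, bytes) and 8 <= len(got) <= 64):
        errs.append("bad-nonce-length")
    if nonce is not None and got != nonce:  # caller sent a nonce, so the receipt must echo it
        errs.append("nonce-mismatch")
    return errs

def sample_claims():
    """Constructed sample claim map (not one of the project's golden vectors)."""
    return {EAT_PROFILE: PROFILE, IAT: 1_700_000_000,
            CTI: uuid.UUID("12345678-1234-4234-8234-123456789abc").bytes,
            MODEL_HASH: sha256(b"constructed-weights"), REQUEST_HASH: sha256(b"req"),
            RESPONSE_HASH: sha256(b"resp"), ATT_DOC_HASH: sha256(b"constructed-doc")}
```

Platform-specific verification of the attestation document referenced by attestation_doc_hash is a separate step and is not covered by this check.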
Implementations
- Rust reference (Cyntrisec / EphemeralML) — full emitter + 4-layer verifier, 500+ tests, E2E on AWS Nitro + GCP TDX + GCP H100 CC
- Python interop verifier — pycose + cbor2, validates all 10 golden vectors
RATS architecture mapping
- Attester — confidential workload (TEE)
- Verifier — AIR receipt verifier (AIR-local) + platform attestation verifier
- Relying Party — auditor, compliance officer, end user
- Endorser — TEE platform vendor or attestation service
Related work
- draft-messous-eat-ai — EAT profile for AI agent identity (complementary; AIR covers per-inference execution)
- SCITT — transparency service receipts (complementary; AIR receipts could be registered as SCITT statements)
- RFC 9334 — RATS Architecture
- RFC 9711 — Entity Attestation Token (EAT)