Attested Inference Receipt (AIR) v1 FROZEN

EAT profile identifier: https://spec.cyntrisec.com/air/v1

Format	COSE_Sign1 (RFC 9052) + CWT (RFC 8392) + EAT (RFC 9711)
Signing	Ed25519 only (COSE alg -8), verify_strict semantics
Claims	17 total: 5 standard CWT/EAT + 12 private (keys -65537 to -65549)
Platforms	AWS Nitro Enclaves, Intel TDX
Status	v1.0 frozen. Closed profile, no extension mechanism.

Internet-Draft

draft-tsyrulnikov-rats-attested-inference-receipt — IETF RATS working group area.

IPR disclosure: IPR 7182

What AIR Does

An AIR receipt binds model identity (cryptographic hash), input/output hashes, attestation-linked measurements, and operational telemetry into a single signed artifact. One inference, one receipt, independently verifiable by any third party with standard COSE/CWT tooling.

AIR is attestation-linked but does not replace platform-specific attestation. It carries measurements and a hash reference to the platform attestation document. Verification is split into two concerns: AIR-local verification of the receipt itself, and platform-specific verification of the underlying attestation evidence.

Claim Summary

Standard CWT/EAT:
  iss (1)           Issuer
  iat (6)           Issued-at (Unix seconds, uint only)
  cti (7)           Receipt ID (UUID v4, 16 bytes)
  eat_profile (265) "https://cyntrisec.com/spec/air/v1"
  eat_nonce (10)    Optional client nonce (8-64 bytes)

AIR Private Claims:
  model_id (-65537)              Human-readable model name
  model_version (-65538)         Model version string
  model_hash (-65539)            SHA-256 of model weights
  request_hash (-65540)          SHA-256 of inference input
  response_hash (-65541)         SHA-256 of inference output
  attestation_doc_hash (-65542)  SHA-256 of platform attestation doc
  enclave_measurements (-65543)  Platform measurement registers
  policy_version (-65544)        Workload policy version
  sequence_number (-65545)       Monotonic counter per session
  execution_time_ms (-65546)     Inference wall-clock time
  memory_peak_mb (-65547)        Peak memory usage
  security_mode (-65548)         Workload security mode
  model_hash_scheme (-65549)     Optional: hash computation method

Schema (CDDL)

The full CDDL schema is in the Internet-Draft (Section 4.5 and Appendix A). Machine-readable CDDL: air-v1.cddl

Golden Vectors

10 test vectors (2 valid, 8 invalid) covering all four verification layers. Available at: air-v1/vectors/

• v1-nitro-no-nonce — Valid, Nitro measurements, no nonce
• v1-tdx-with-nonce — Valid, TDX measurements, with nonce
• 8 invalid vectors: wrong-key, wrong-alg, zero-model-hash, bad-measurement-length, nonce-mismatch, model-hash-mismatch, platform-mismatch, stale-iat

Implementations

• Rust reference (Cyntrisec/EphemeralML) — full emitter + 4-layer verifier, 500+ tests, E2E on AWS Nitro + GCP TDX + GCP H100 CC
• Python interop verifier — pycose + cbor2, validates all 10 golden vectors

RATS Architecture Mapping

• Attester: Confidential workload (TEE)
• Verifier: AIR receipt verifier (AIR-local) + platform attestation verifier
• Relying Party: Auditor, compliance officer, end user
• Endorser: TEE platform vendor or attestation service

Related Work

• draft-messous-eat-ai — EAT profile for AI agent identity (complementary; AIR covers per-inference execution)
• SCITT — transparency service receipts (complementary; AIR receipts could be registered as SCITT statements)
• RFC 9334 — RATS Architecture
• RFC 9711 — Entity Attestation Token (EAT)