
Trust & Attestation

How a requester reasons about which untrusted hosts to trust: identity + attestation tiers + reputation from signed receipts + verification. Every number here is from the real loopback-grid trust engine.

How the grid decides which untrusted machines to believe: a reputation built from signed receipts, hardware-attestation tiers, and checking that independent results agree (quorum + canary audits).

Impact: the grid can safely use strangers' computers — cheaters are caught (wrong fingerprint or a failed secret audit), lose reputation and staked money, and stop getting work.

  Avg trust     0.70   over all workers
  L2 hosts      4      attested TEE enclaves
  Receipts      64     signed verdict trail
  Correct rate  86%    55/64 verdicts
  Flagged       2      providers caught + deselected
Trust score
A hard attestation gate multiplied by a clamped blend of soft, signed signals, plus an exploration bonus for under-observed hosts.

    effective_trust = gate(level ≥ min_level) · clamp(α·R + β·age + γ·voucher + δ·stake − penalties) + exploration

α = 0.7, β = 0.1, γ = 0.1, δ = 0.1. The attestation level is a hard gate (boolean), not just another score input — fail it and effective_trust is 0 regardless of reputation.
min_trust = 0, bootstrap_trust = 0.1, half_life = 7.0 d

Sample host

worked example · real terms
marsh-otter · L2 · TEE

  R (reputation) · Confident   recency-weighted correctness over 144 obs   0.95    × 0.7 = 0.666
  ageFactor                    observation history → maturity              1.00    × 0.1 = 0.100
  voucherTrust                 trust lent by peers (none here)             0.80    × 0.1 = 0.080
  stakeFactor                  log-scaled from 3400 TON staked             0.71    × 0.1 = 0.071
  − penalty                    recent faults / disputes                    0.000
  + explorationBonus           nudge to sample under-observed hosts        +0.000

Attestation gate (hard): host L2 vs required L1 → PASS
soft (clamped blend): 0.917
reputation (raw): 1.00
effective trust = gate · soft + explore = 0.917
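The blend above, as an added example that is not the loopback-grid engine's own code: a hard attestation gate multiplied by a clamped soft score, reproducing the marsh-otter terms and contrasting an L0 laptop with a perfect record (gated to 0 under an L1 floor) and a no-history newcomer. The exploration-bonus shape, the reading of bootstrap_trust as the R used when a host has no observations, and gating the bonus along with the soft score (so a failed gate is exactly 0, as the page states) are this example's assumptions.

```python
"""Added example (not loopback-grid's own code): the effective_trust blend with
a hard attestation gate, reproducing the marsh-otter worked example.
The exploration-bonus shape and the no-history bootstrap are assumptions."""
from dataclasses import dataclass

# Weights and limits as listed on the page.
ALPHA, BETA, GAMMA, DELTA = 0.7, 0.1, 0.1, 0.1
MIN_TRUST = 0.0           # lower clamp bound of the soft blend
BOOTSTRAP_TRUST = 0.1     # assumed meaning: R used for a host with no observations yet
LEVEL = {"L0": 0, "L1": 1, "L2": 2}


@dataclass
class HostSignals:
    name: str
    level: str             # attestation tier the host actually proved
    reputation: float      # R: recency-weighted correctness, 0..1
    age_factor: float      # maturity of the observation history, 0..1
    voucher_trust: float   # trust lent by peers, 0..1
    stake_factor: float    # log-scaled stake, 0..1
    penalties: float       # recent faults / disputes
    observations: int


def attestation_gate(level: str, min_level: str) -> int:
    """Hard boolean gate: 1 if the proven tier meets the policy floor, else 0."""
    return 1 if LEVEL[level] >= LEVEL[min_level] else 0


def soft_score(h: HostSignals) -> float:
    """clamp(alpha*R + beta*age + gamma*voucher + delta*stake - penalties) to [MIN_TRUST, 1]."""
    r = h.reputation if h.observations > 0 else BOOTSTRAP_TRUST
    blend = (ALPHA * r + BETA * h.age_factor + GAMMA * h.voucher_trust
             + DELTA * h.stake_factor - h.penalties)
    return max(MIN_TRUST, min(1.0, blend))


def exploration_bonus(h: HostSignals, warmup_obs: int = 20, max_bonus: float = 0.05) -> float:
    """Assumed shape: a nudge that fades linearly to 0 once a host has warmup_obs observations."""
    if h.observations >= warmup_obs:
        return 0.0
    return max_bonus * (1.0 - h.observations / warmup_obs)


def effective_trust(h: HostSignals, min_level: str) -> float:
    """gate * (soft + exploration): the bonus is gated too, so a host that fails
    the attestation floor scores exactly 0 regardless of reputation."""
    return attestation_gate(h.level, min_level) * (soft_score(h) + exploration_bonus(h))


# Constructed inputs: marsh-otter's displayed terms. The page prints R rounded to
# 0.95 and its weighted product as 0.666, so the result lands within rounding of 0.917.
MARSH_OTTER = HostSignals("marsh-otter", "L2", 0.95, 1.00, 0.80, 0.71, 0.000, 144)
# Constructed: a laptop with a spotless record that can only prove L0.
ANON_LAPTOP = HostSignals("anon-laptop", "L0", 1.0, 1.0, 1.0, 1.0, 0.0, 500)
# Constructed: a fresh L1 identity with no receipts at all.
NEWCOMER = HostSignals("newcomer", "L1", 0.0, 0.0, 0.0, 0.0, 0.0, 0)

if __name__ == "__main__":
    for host, floor in ((MARSH_OTTER, "L1"), (ANON_LAPTOP, "L1"), (ANON_LAPTOP, "L0"), (NEWCOMER, "L1")):
        print(f"{host.name:12s} min_level={floor}  effective_trust={effective_trust(host, floor):.3f}")
```

The point to notice is the second and third lines of the output: the same laptop scores 0 under an L1 floor and about 1.0 under an L0 floor, because the gate is a multiplier, not a term in the blend.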

Attestation tiers

hardware trust ladder
L0 · anon (Anonymous) · 3 hosts
  Evidence:  Pinned node key
  Proves:    Identity continuity only — same key across sessions.
  Hardware:  Any laptop

L1 · TPM (Measured boot) · 2 hosts
  Evidence:  TPM quote (PCRs) + signed event log
  Proves:    A known-good OS / agent image booted (no plaintext-RAM guarantee).
  Hardware:  Modern laptops w/ TPM 2.0

L2 · TEE (Confidential TEE) · 4 hosts
  Evidence:  HW attestation quote — Intel TDX / AMD SEV-SNP / AWS Nitro — verified vs. allowlisted enclave measurement
  Proves:    DuckDB runs in hardware-encrypted memory; the host root user cannot read plaintext.
  Hardware:  Confidential cloud VMs

Commodity laptops cap at L0/L1; a true “the operator can't read RAM” guarantee needs L2 confidential hardware.

Selection policy by data class
What a requester demands of candidate hosts before dispatching, per data class.
  Data class  min_level  min_trust  quorum    Notes
  Public      L0 · anon  0.70       2–3       Moderate redundancy; cheapest pool, laptops welcome.
  Internal    L1 · TPM   0.85       3         Scoped credentials mandatory; measured-boot floor.
  Sensitive   L2 · TEE   allowlist  optional  Attested enclave or permissioned allowlist; hardware enforces confidentiality.
Selection score & routing
Beyond the hard gates and trust above, eligible hosts are ranked by a composite selection score. Performance and capability terms are driven by counterparty-measured signals (never self-reported ETA), so a host genuinely faster / higher-throughput / proven to handle heavy work wins dispatch more often. Real economics.

Ranking weights:

  term        weight  basis
  quality     0.60    success · latency · throughput · completion
  stake       0.30    reliability-gated: amplifies already-reliable hosts only
  price       0.25    cheaper bids rank higher
  latency     0.15    counterparty-MEASURED commit speed (anti-game)
  throughput  0.15    counterparty-MEASURED bytes/sec (anti-game)
  capability  0.10    proven ability to handle heavy work

stake_reliability_floor = 0.50, newcomer_trust_ceiling = 1.00. The stake term is gated on verified-success rate, and brand-new identities are capped below the top ranks until they build real history — so neither stake nor a lucky streak can buy selection.
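The policy table and the ranking weights together, as an added example that is not the loopback-grid scheduler's own code: candidates are first filtered by the data class (attestation floor, min_trust or allowlist), then ordered by the weighted score with the stake term zeroed below the reliability floor and newcomers capped at the ceiling. The candidate values, the 0..1 normalisation of every term, and the NEWCOMER_MIN_OBS threshold that decides who counts as "brand new" are this example's assumptions; the page gives the weights and the two limits but not the newcomer rule itself.

```python
"""Added example (not loopback-grid's own code): candidate filtering by data-class
policy, then ranking by the composite selection score with the stake term gated
on verified-success rate and a newcomer ceiling."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVEL = {"L0": 0, "L1": 1, "L2": 2}

# Selection policy by data class, as tabulated on the page.
POLICY: Dict[str, dict] = {
    "public":    {"min_level": "L0", "min_trust": 0.70, "allowlist": False},
    "internal":  {"min_level": "L1", "min_trust": 0.85, "allowlist": False},
    "sensitive": {"min_level": "L2", "min_trust": None, "allowlist": True},
}

# Ranking weights and limits from the page.
WEIGHTS = {"quality": 0.60, "stake": 0.30, "price": 0.25,
           "latency": 0.15, "throughput": 0.15, "capability": 0.10}
STAKE_RELIABILITY_FLOOR = 0.50
NEWCOMER_TRUST_CEILING = 1.00   # page value for this run; at 1.00 the cap does not bite
NEWCOMER_MIN_OBS = 10           # assumed: fewer observations than this means "brand new"


@dataclass
class Candidate:
    name: str
    level: str
    trust: float            # effective_trust from the trust engine
    allowlisted: bool
    observations: int
    success_rate: float     # verified-success rate from receipts, 0..1
    quality: float          # measured success/latency/throughput/completion composite, 0..1
    stake: float            # log-scaled stake, 0..1
    price: float            # 1.0 = cheapest bid
    latency: float          # counterparty-measured commit speed, 1.0 = fastest
    throughput: float       # counterparty-measured bytes/sec, 0..1
    capability: float       # proven heavy-work ability, 0..1


def eligible(c: Candidate, data_class: str) -> bool:
    """Hard gates: attestation floor, then allowlist or min_trust."""
    p = POLICY[data_class]
    if LEVEL[c.level] < LEVEL[p["min_level"]]:
        return False
    if p["allowlist"]:
        return c.allowlisted
    return c.trust >= p["min_trust"]


def selection_score(c: Candidate) -> float:
    # Stake amplifies only hosts that already verify as reliable.
    stake_term = c.stake if c.success_rate >= STAKE_RELIABILITY_FLOOR else 0.0
    score = (WEIGHTS["quality"] * c.quality + WEIGHTS["stake"] * stake_term
             + WEIGHTS["price"] * c.price + WEIGHTS["latency"] * c.latency
             + WEIGHTS["throughput"] * c.throughput + WEIGHTS["capability"] * c.capability)
    if c.observations < NEWCOMER_MIN_OBS:
        score = min(score, NEWCOMER_TRUST_CEILING)
    return score


def rank(candidates: List[Candidate], data_class: str) -> List[Candidate]:
    pool = [c for c in candidates if eligible(c, data_class)]
    return sorted(pool, key=selection_score, reverse=True)


# Constructed candidates (values made up; names borrowed from the page's hosts).
CANDIDATES = [
    Candidate("marsh-otter", "L2", 0.917, True, 144, 0.98, 0.90, 0.71, 0.60, 0.90, 0.80, 0.90),
    Candidate("pine-marten", "L1", 0.880, False, 60, 0.95, 0.80, 0.30, 0.80, 0.60, 0.60, 0.50),
    Candidate("harbor-vole", "L0", 0.750, False, 30, 0.90, 0.70, 0.10, 0.95, 0.85, 0.50, 0.30),
    # Heavily staked, cheapest bid, but no verified successes: stake buys nothing.
    Candidate("rust-shrike", "L0", 0.000, False, 1, 0.00, 0.20, 0.90, 0.99, 0.50, 0.30, 0.10),
]

if __name__ == "__main__":
    for data_class in POLICY:
        ordered = [(c.name, round(selection_score(c), 3)) for c in rank(CANDIDATES, data_class)]
        print(f"{data_class:10s} {ordered}")
```

rust-shrike never reaches the ranking for any class (trust 0.0 fails every min_trust), and even its raw score ignores the 0.90 stake because its verified-success rate sits below the 0.50 floor.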
Verification
How an answer from an untrusted host is checked before it's trusted or paid. The hash and quorum panels below are the actual results computed during the run.
1. Canonical BLAKE3 result hash

Order-independent per-row hashing + normalized numeric/NULL form, then BLAKE3. Re-hashing the same 3 columns × 3 rows in a shuffled row order yields the identical digest.

  region  orders · gmv (the two numeric columns are fused in this snapshot)
  emea    1842332481002.5
  amer    2019803120550
  apac    981201044980.75

  hash:               (digest not captured in this snapshot)
  reordered hash:     (digest not captured in this snapshot)
  order_independent:  true
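The canonical hash construction, as an added example that is not the grid's own implementation: each cell is normalized (NULL gets its own tag; 312055, 312055.0 and Decimal('312055.000') collapse to one form), each row is hashed with length-prefixed framing, and the row digests are sorted before the final hash so row order drops out while duplicate rows still count. The blake3 package is used when installed; where it is not, the standard-library blake2b is substituted, which changes the digest bytes but not the property shown. Field tags, framing and the sample rows are this example's own.

```python
"""Added example (not loopback-grid's own code): canonical, order-independent
result hashing of a query result. blake3 when available, otherwise blake2b as a
stated stand-in. Field tags and length-prefix framing are this example's choices."""
import hashlib
from decimal import Decimal
from typing import Any, Iterable, Sequence

try:
    import blake3  # type: ignore

    def _digest(data: bytes) -> bytes:
        return blake3.blake3(data).digest()
except ImportError:  # substitute: same 32-byte output size, different function
    def _digest(data: bytes) -> bytes:
        return hashlib.blake2b(data, digest_size=32).digest()


def canonical_field(v: Any) -> bytes:
    """Normalize one cell: NULL tagged, numbers reduced to one decimal form, strings UTF-8."""
    if v is None:
        return b"N"
    if isinstance(v, bool):               # bool is an int subclass; test it first
        return b"B1" if v else b"B0"
    if isinstance(v, (int, float, Decimal)):
        d = Decimal(str(v)).normalize()   # strips trailing zeros, unifies exponent
        return b"D" + format(d, "f").encode()
    if isinstance(v, str):
        return b"S" + v.encode("utf-8")
    raise TypeError(f"unsupported cell type {type(v).__name__}")


def _frame(parts: Iterable[bytes]) -> bytes:
    """Length-prefix each part so ('ab', 'c') and ('a', 'bc') cannot collide."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def row_hash(row: Sequence[Any]) -> bytes:
    return _digest(_frame(canonical_field(c) for c in row))


def result_hash(columns: Sequence[str], rows: Iterable[Sequence[Any]]) -> str:
    """Schema is hashed in order (column order matters); row digests are sorted
    before hashing so row order does not. Duplicate rows survive as a multiset."""
    schema = _frame(c.encode("utf-8") for c in columns)
    body = b"".join(sorted(row_hash(r) for r in rows))
    return _digest(_frame([schema, body])).hex()


# Constructed sample result (values made up; not the page's table).
COLUMNS = ("region", "orders", "gmv")
ROWS = [
    ("emea", 18423, Decimal("3248100.50")),
    ("amer", 20198, 312055),
    ("apac", 9812, 104498.75),
]

if __name__ == "__main__":
    print("hash          ", result_hash(COLUMNS, ROWS))
    print("reordered hash", result_hash(COLUMNS, list(reversed(ROWS))))
```

Sorting the row digests (rather than XOR-folding them) is what keeps a duplicated row from cancelling itself out: appending a copy of a row changes the digest, while reordering never does.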
2. Commit-first

Workers send result_hash before streaming any rows. Committing the answer up front prevents a host from adapting its result to match peers it observes.

3. Quorum / redundant execution

Run on k hosts, require ≥ q matching hashes. The fastest agreeing host streams the data; the losers RESET their in-flight streams. Below is the real evaluate_quorum outcome over 4 committed hashes.

  committed hashes:    h(A), h(A), h(A'), h(divergent)
  agreement / quorum:  3 / 3
  reached:             true
4. Canary auditing

Inject queries whose answer is already known. A worker that returns the wrong hash is marked Incorrect and slashed — exactly what happened to the flagged providers below.

5. Source-data-drift verification

Redundant execution only proves agreement if every racer read the same source data. The requester pins an input snapshot (input_snapshot on the dispatch) and each worker returns an input_fingerprint; the quorum is fingerprint-aware, so results computed over a drifted, stale, or swapped source are partitioned out instead of contaminating the agreed hash.

Honest-limit note — quorum assumes an honest majority among the chosen k. That assumption is why it is combined with reputation, attestation gating, Sybil cost (stake), and canaries rather than used alone.
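Steps 2 to 5 as one added example, not the grid's own evaluate_quorum: every host commits an opaque result hash and the input fingerprint it read, only commitments matching the pinned snapshot are counted toward q, the fastest agreeing host becomes the streamer and the other agreeing hosts are told to RESET, and a canary verdict is derived by comparing a commitment against a hash the requester already knows. The outcome field names, the constructed commitments and the snapshot ids are this example's own.

```python
"""Added example (not loopback-grid's own code): commit-first, fingerprint-aware
quorum evaluation plus a canary verdict. Hashes and fingerprints are opaque
strings; the outcome field names are this example's own."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Commitment:
    worker: str
    result_hash: Optional[str]        # None: the host never committed (Timeout)
    input_fingerprint: Optional[str]  # what the worker says it read
    commit_ms: int                    # counterparty-measured time to commit


@dataclass
class QuorumOutcome:
    reached: bool
    agreed_hash: Optional[str] = None
    streamer: Optional[str] = None                        # fastest agreeing host streams rows
    reset: List[str] = field(default_factory=list)        # agreeing losers: RESET in-flight streams
    divergent: List[str] = field(default_factory=list)    # same input, different hash
    drifted: List[str] = field(default_factory=list)      # partitioned out: wrong input fingerprint
    timed_out: List[str] = field(default_factory=list)


def evaluate_quorum(commitments: List[Commitment], input_snapshot: str, q: int) -> QuorumOutcome:
    """Count only commitments whose fingerprint matches the pinned snapshot;
    a matching hash computed over drifted data does not help reach q."""
    timed_out = [c.worker for c in commitments if c.result_hash is None]
    live = [c for c in commitments if c.result_hash is not None]
    drifted = [c.worker for c in live if c.input_fingerprint != input_snapshot]
    same_input = [c for c in live if c.input_fingerprint == input_snapshot]

    tally = Counter(c.result_hash for c in same_input)
    if not tally:
        return QuorumOutcome(False, drifted=drifted, timed_out=timed_out)
    agreed, votes = tally.most_common(1)[0]
    divergent = [c.worker for c in same_input if c.result_hash != agreed]
    if votes < q:
        return QuorumOutcome(False, divergent=divergent, drifted=drifted, timed_out=timed_out)

    agreeing = sorted((c for c in same_input if c.result_hash == agreed), key=lambda c: c.commit_ms)
    return QuorumOutcome(True, agreed, agreeing[0].worker, [c.worker for c in agreeing[1:]],
                         divergent, drifted, timed_out)


def canary_verdict(c: Commitment, expected_hash: str) -> str:
    """Verdict for a canary query whose correct hash the requester already knows."""
    if c.result_hash is None:
        return "Timeout"
    return "Correct" if c.result_hash == expected_hash else "Incorrect"


# Constructed commitments for one dispatch pinned to input snapshot "snap-01".
SNAPSHOT = "snap-01"
COMMITMENTS = [
    Commitment("marsh-otter", "h(A)", "snap-01", 19),
    Commitment("harbor-vole", "h(A)", "snap-01", 23),
    Commitment("tidal-fox", "h(A)", "snap-01", 31),
    Commitment("rust-shrike", "h(divergent)", "snap-01", 21),
    Commitment("pine-marten", "h(A)", "snap-00", 61),   # read a stale snapshot
    Commitment("cobalt-stoat", None, None, 0),          # never committed
]

if __name__ == "__main__":
    for q in (3, 4):
        print(f"q={q}:", evaluate_quorum(COMMITMENTS, SNAPSHOT, q))
    print("canary rust-shrike:", canary_verdict(COMMITMENTS[3], "h(A)"))
```

With q = 3 the quorum is reached on h(A) and marsh-otter streams; with q = 4 it is not, even though pine-marten also committed h(A): its fingerprint is "snap-00", so its vote is partitioned out rather than allowed to contaminate the agreed hash.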
Receipts
Signed verdicts that feed reputation. Recency-weighted R = Σ wᵢ·correctᵢ / Σ wᵢ,  wᵢ = decayᵗ · job_weight. Receipts are gossiped / DHT-stored independently, so hiding a bad receipt is caught (anti-omission ⇒ treat hidden as low trust).
  Worker        Verdict       Fault     Latency  Verified  Sig                     When
  marsh-otter   Correct                 21ms     yes       ed25519:4c6faeb3…5f02   0s ago
  rust-shrike   Incorrect     provider  21ms     yes       ed25519:bcd3b872…770b   0s ago
  pine-marten   Correct                 62ms     yes       ed25519:518fd553…1207   0s ago
  amber-mole    Correct                 48ms     yes       ed25519:e2dee65e…670a   0s ago
  tidal-fox     Correct                 31ms     yes       ed25519:eb9ba4be…3b0c   0s ago
  harbor-vole   Correct                 22ms     yes       ed25519:bcdf3ffe…3003   0s ago
  slate-heron   Correct                 111ms    yes       ed25519:4e8aac75…d003   0s ago
  cobalt-stoat  Inconclusive            0ms      yes       ed25519:a9f3be6f…8507   0s ago
  frost-owl     Correct                 14ms     yes       ed25519:1be67a16…970a   0s ago
  marsh-otter   Correct                 19ms     yes       ed25519:0e31c0ff…4d0f   0s ago
  harbor-vole   Correct                 23ms     yes       ed25519:2c3213df…bc03   0s ago
  tidal-fox     Correct                 31ms     yes       ed25519:7e93648e…d602   0s ago
  amber-mole    Correct                 46ms     yes       ed25519:bc9deba0…c309   0s ago
  pine-marten   Correct                 61ms     yes       ed25519:691f502a…4001   0s ago
  slate-heron   Correct                 112ms    yes       ed25519:f957ad2a…7402   0s ago
  cobalt-stoat  Inconclusive            0ms      yes       ed25519:d8378fe3…9100   0s ago
  frost-owl     Correct                 13ms     yes       ed25519:1f30ea5b…6506   0s ago
  marsh-otter   Correct                 19ms     yes       ed25519:dc97cc72…3d0c   0s ago
  harbor-vole   Correct                 23ms     yes       ed25519:fc040ffe…0006   0s ago
  tidal-fox     Correct                 31ms     yes       ed25519:382ad548…e603   0s ago
  amber-mole    Correct                 45ms     yes       ed25519:2af4103a…b804   0s ago
  pine-marten   Correct                 61ms     yes       ed25519:e41e7d67…be01   0s ago
  slate-heron   Correct                 110ms    yes       ed25519:c9d7f002…2b09   0s ago
  cobalt-stoat  Inconclusive            0ms      yes       ed25519:16a40b14…f606   0s ago
  frost-owl     Correct                 13ms     yes       ed25519:06060188…4702   0s ago
  marsh-otter   Correct                 20ms     yes       ed25519:2cd2b51c…100b   0s ago
  harbor-vole   Correct                 22ms     yes       ed25519:66137ae0…7406   0s ago
  tidal-fox     Correct                 31ms     yes       ed25519:67a5ddbc…7c00   0s ago
  amber-mole    Correct                 47ms     yes       ed25519:9cbb44d2…3303   0s ago
  pine-marten   Correct                 60ms     yes       ed25519:f1855b17…f205   0s ago
  slate-heron   Correct                 112ms    yes       ed25519:8af04929…a401   0s ago
  cobalt-stoat  Inconclusive            0ms      yes       ed25519:e9406855…d506   0s ago
  frost-owl     Correct                 14ms     yes       ed25519:fbd42d28…8b0e   0s ago
  marsh-otter   Correct                 18ms     yes       ed25519:5bf63899…2f0c   0s ago
  harbor-vole   Correct                 23ms     yes       ed25519:80110eba…9003   0s ago
  tidal-fox     Correct                 32ms     yes       ed25519:041eb851…0006   0s ago
  amber-mole    Correct                 46ms     yes       ed25519:e88719cd…5900   0s ago
  pine-marten   Correct                 61ms     yes       ed25519:e960c36f…3f07   0s ago
  slate-heron   Correct                 111ms    yes       ed25519:39e158a3…2e03   0s ago
  cobalt-stoat  Inconclusive            0ms      yes       ed25519:36f9d4ca…9900   0s ago
  frost-owl     Correct                 15ms     yes       ed25519:a2cac458…da05   0s ago
  marsh-otter   Correct                 19ms     yes       ed25519:37b519af…e405   0s ago
  harbor-vole   Correct                 23ms     yes       ed25519:a3a0a886…040e   0s ago
  tidal-fox     Correct                 32ms     yes       ed25519:55576ca2…6d07   0s ago
  amber-mole    Correct                 45ms     yes       ed25519:0b19eabd…5a00   0s ago
  pine-marten   Correct                 61ms     yes       ed25519:ff277b8f…ab01   0s ago
  slate-heron   Correct                 112ms    yes       ed25519:1ac497d3…690e   0s ago
  cobalt-stoat  Inconclusive            0ms      yes       ed25519:c0f1840a…3f0d   0s ago
  frost-owl     Correct                 14ms     yes       ed25519:f42bc37a…3a0d   0s ago
  marsh-otter   Correct                 19ms     yes       ed25519:ad774885…d909   0s ago
  harbor-vole   Correct                 23ms     yes       ed25519:70e8abe1…6b0c   0s ago
  tidal-fox     Correct                 31ms     yes       ed25519:abf11296…e10a   0s ago
  amber-mole    Correct                 47ms     yes       ed25519:715e79e8…1109   0s ago
  pine-marten   Correct                 60ms     yes       ed25519:59cd702e…cc00   0s ago
  slate-heron   Correct                 112ms    yes       ed25519:030a77ca…aa00   0s ago
  cobalt-stoat  Inconclusive            0ms      yes       ed25519:92f33af0…940a   0s ago
  frost-owl     Correct                 14ms     yes       ed25519:e04ea517…f80e   0s ago
  marsh-otter   Correct                 20ms     yes       ed25519:66700978…dc0d   0s ago
  harbor-vole   Correct                 24ms     yes       ed25519:600047f2…d207   0s ago
  tidal-fox     Correct                 31ms     yes       ed25519:9af873d4…d30f   0s ago
  amber-mole    Correct                 46ms     yes       ed25519:53436c9c…2a07   0s ago
  pine-marten   Correct                 61ms     yes       ed25519:8c45ab2f…6a0c   0s ago
  slate-heron   Correct                 111ms    yes       ed25519:4000f1be…9408   0s ago
  cobalt-stoat  Inconclusive            0ms      yes       ed25519:07a900fa…460c   0s ago
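The recency-weighted reputation formula from the Receipts intro, as an added example that is not the trust engine's own code: wᵢ = decayᵗ · job_weight with the decay set by the 7.0-day half-life, R as the weighted share of Correct verdicts, and an anti-omission rule that charges each receipt a host hid as an incorrect verdict at full weight. Treating Inconclusive receipts as abstentions, the hidden-receipt charge, the bootstrap value returned for a host with no weighted verdicts, and the sample receipts are this example's assumptions.

```python
"""Added example (not loopback-grid's own code): recency-weighted reputation
R = sum(w_i * correct_i) / sum(w_i), w_i = decay^t * job_weight, with the decay
following the 7.0-day half-life, plus an anti-omission charge for hidden receipts."""
from dataclasses import dataclass
from typing import List

HALF_LIFE_DAYS = 7.0
BOOTSTRAP_TRUST = 0.1   # assumed: R reported for a host with no weighted verdicts yet


@dataclass
class Receipt:
    worker: str
    verdict: str          # "Correct" | "Incorrect" | "Timeout" | "Inconclusive"
    age_days: float       # t: how long ago the verdict was signed
    job_weight: float = 1.0


def weight(age_days: float, job_weight: float = 1.0) -> float:
    """decay^t with decay chosen so the weight halves every HALF_LIFE_DAYS."""
    return 0.5 ** (age_days / HALF_LIFE_DAYS) * job_weight


def reputation(receipts: List[Receipt], hidden: int = 0) -> float:
    """hidden: receipts seen in gossip / the DHT that the host failed to serve
    on request; anti-omission counts each as an incorrect verdict at weight 1."""
    num = den = 0.0
    for r in receipts:
        if r.verdict == "Inconclusive":   # assumed: no verdict, no vote either way
            continue
        w = weight(r.age_days, r.job_weight)
        num += w * (1.0 if r.verdict == "Correct" else 0.0)
        den += w
    den += hidden
    return num / den if den > 0 else BOOTSTRAP_TRUST


# Constructed receipts; ages chosen so the weights come out as exactly 1, 0.5 and 0.25.
MARSH = [Receipt("marsh-otter", "Correct", 0.0), Receipt("marsh-otter", "Correct", 7.0),
         Receipt("marsh-otter", "Incorrect", 14.0)]
SHRIKE = [Receipt("rust-shrike", "Incorrect", 0.0)]
STOAT = [Receipt("cobalt-stoat", "Inconclusive", 0.0)] * 3
# Same nine Correct verdicts; the single fault is either fresh or two weeks old.
FRESH_FAULT = [Receipt("x", "Correct", 0.0)] * 9 + [Receipt("x", "Incorrect", 0.0)]
OLD_FAULT = [Receipt("x", "Correct", 0.0)] * 9 + [Receipt("x", "Incorrect", 14.0)]

if __name__ == "__main__":
    print("marsh-otter  R =", round(reputation(MARSH), 3))
    print("rust-shrike  R =", reputation(SHRIKE))
    print("cobalt-stoat R =", reputation(STOAT))
    print("fresh vs old fault:", round(reputation(FRESH_FAULT), 3), round(reputation(OLD_FAULT), 3))
    print("one Correct, two hidden:", round(reputation([Receipt("y", "Correct", 0.0)], hidden=2), 3))
```

The fresh-versus-old comparison is the property the half-life buys: a fault committed today costs more reputation than the same fault two weeks ago, and the hidden-receipt charge means a host gains nothing by suppressing the receipts that record its faults.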
Flagged providers · caught by verification
Real nodes the trust engine penalized this run. They returned a divergent hash (Incorrect) or never committed (Timeout), were verified against the quorum, and the engine drove their reputation and trust to ~0 — so the scheduler stops selecting them.
  Worker        Attestation  Behavior  correct / faults  reputation  trust
  rust-shrike   L0 · anon    cheat     0/1               0.00        0.00
  cobalt-stoat  L0 · anon    fail      0/0               0.07        (not captured in this snapshot)
There is no central authority here — each node independently verifies a verdict against the committed hashes and decides on its own whether to down-weight or drop a peer.
Trust terms — radar (plotly)
The real soft-score inputs for the top worker vs. a penalized node — the trust engine's actual per-term values.
Verified-result latency (plotly histogram)
Commit-first latency across every Correct receipt this run.