verification offline cryptography draft

Offline Inference Verification: A Hash-Chain Approach

November 12, 2025

Draft note on a hash-chain approach for verifying inference runs in air-gapped environments. We describe a proposed artifact format and signing protocol, with early prototype measurements in progress.

Status: Draft. Prototype measurements are preliminary.

Abstract

Offline AI deployments in high-assurance environments require verification mechanisms that function without network connectivity. Traditional approaches rely on remote attestation or trusted third parties, both incompatible with air-gapped networks.

We outline a hash-chain verification protocol that:

Links each inference run to its predecessor cryptographically
Includes hashes of model weights, adapter state, configuration, and inputs
Signs the resulting proof pack with Ed25519
Enables later verification without the signing key

Methodology

Our approach builds on Merkle tree structures adapted for sequential inference runs. Each proof pack contains:

SHA-256 hash of input data
SHA-256 hash of model weights at inference time
SHA-256 hash of active adapter weights
SHA-256 hash of runtime configuration
SHA-256 hash of output data
Reference to previous proof pack hash
Ed25519 signature over the combined structure

Results

Prototype overhead measurements on Apple M2 Pro (internal):

Workload	Baseline (ms)	With Proof (ms)	Overhead
Small (1K tokens)	145	148	2.1%
Medium (4K tokens)	580	590	1.7%
Large (16K tokens)	2340	2375	1.5%

Prototype hash computation and signing add ~3ms overhead in our setup; expect variance.

Conclusion

Hash-chain verification appears practical for offline deployments, with overhead still being characterized. The approach provides tamper evidence without requiring network connectivity.

About MLNavigator Research Group

We explore verifiable, offline AI systems and publish working notes as the research develops. If you want to discuss collaboration or pilots, reach out.

Contact Research Pillars