Alice Benchmark v2.0

The Trust Score Ladder.

Six progressive tests. Six real certificates. Each bar is on-chain, verifiable by anyone. Most AI energy claims stop at Test 1.

LIVE · Mistral 7B · H100 · Batch 64
TEST 1
0.20 Self Reported
most benchmarks stop here
TEST 6
1.00 HW Attested

Progressive attestation

The complete ladder

Same workload. Same model. Six trust levels — computed deterministically from evidence present in each certificate.

Test
Score
Posture
Certificate
test1
0.20
SELF REPORTED
sa-xxxxxxxx ↗ verify
NVML ≥10 samples RAPL Signed Exporter Machine FP TEE Quote ML-DSA-65 Merkle Polygon
test2
0.45
CROSS CHECKED
sa-xxxxxxxx ↗ verify
NVML ≥10 samples RAPL CPU+DRAM Signed Exporter Machine FP TEE Quote ML-DSA-65 Merkle Polygon
+ Ed25519 signed at capture · machine identity
test3
0.60
CROSS CHECKED
sa-xxxxxxxx ↗ verify
NVML ≥10 samples RAPL CPU+DRAM Signed Exporter (+ FP in payload) TEE Quote ML-DSA-65 Merkle Polygon
+ hardware root of trust (TEE)
test4
0.80
HW ATTESTED
sa-xxxxxxxx ↗ verify
NVML ≥10 samples RAPL CPU+DRAM Signed Exporter (+ FP in payload) TEE Quote (SEV-SNP / Nitro) ML-DSA-65 Merkle Polygon
test5
0.85
HW ATTESTED
sa-xxxxxxxx ↗ verify
NVML ≥10 samples RAPL CPU+DRAM Signed Exporter (+ FP in payload) TEE Quote (SEV-SNP / Nitro) ML-DSA-65 (FIPS 204) Merkle Polygon
+ append-only log · public blockchain anchor
test6
1.00
HW ATTESTED
sa-xxxxxxxx ↗ verify
NVML ≥10 samples RAPL CPU+DRAM Signed Exporter Machine Fingerprint v2 TEE Quote (SEV-SNP / Nitro) ML-DSA-65 (FIPS 204) Merkle Inclusion Proof Polygon Anchor (≥1 block)

What each layer proves

Layer Points What it proves Adversary required to fake
NVML +0.20 Physical GPU power at ≥10 Hz. Cannot be fabricated in software without a compromised NVML driver. Kernel-level driver compromise
RAPL CPU+DRAM +0.25 Two physically independent hardware domains: CPU package (+0.15) and DRAM (+0.10). Each is a separate MSR interface — forging both requires ring-0 MSR write access across independent subsystems. Ring-0 + MSR write access (both domains)
Signed Exporter +0.15 Ed25519 signature over raw bytes at capture time. Machine fingerprint is captured inside the signed payload — binding cert to hardware without a separate layer. Ed25519 key theft or quantum break
Machine Fingerprint +0.00 Folded into Signed Exporter. DMI + CPU identity is signed inside the same payload. Not independently scored — present in evidence field for auditing only. n/a — covered by Signed Exporter
TEE Quote +0.20 Hardware-rooted attestation (AMD SEV-SNP, AWS Nitro, Intel TDX). Operator cannot forge without breaking silicon. AMD / Intel / AWS silicon break
ML-DSA-65 +0.05 Post-quantum second signature (FIPS 204). Survives a quantum break of Ed25519 / ECDSA. Classical break + quantum break
Merkle Proof +0.05 Certificate's position in append-only log is fixed at issuance. Cannot be backdated. Retroactive Merkle tree recomputation
Polygon Anchor +0.10 Merkle root recorded on Polygon mainnet. Immutable once confirmed. Independent of Serial Alice. 51% attack on Polygon
MAXIMUM 1.00 All eight independent layers active simultaneously.

Posture thresholds

score < 0.40
self_reported
Single energy source, no cross-check. Better than a spreadsheet — not independently verifiable at hardware level.
score ≥ 0.40
cross_checked
Multiple independent energy sources. Significantly stronger than self-reported but no hardware root of trust.
score ≥ 0.80
hardware_attested
TEE quote active. Forging the certificate requires simultaneous control of hardware, CPU, and the Ethereum network.

Verify any certificate

No account. No API key. No dependency on Serial Alice.

curl https://api.serialalice.pt/v1/certificates/{cert_id}/verify \
  | jq '.trust_score, .trust_posture, .layers_active'
Open public verifier →
Full specification: Serial Alice Trust Score Spec v1.0