RFC 6962 Merkle tree + Ed25519 signed tree heads + RFC 3161 external anchoring. This note explains the cryptographic design, the threat model, and what we intentionally do not claim.
TL;DR: AiGentsy uses an RFC 6962 Merkle tree with Ed25519 signed tree heads and RFC 3161 external anchoring to make AI agent work independently verifiable. Proof bundles are portable, verification is offline, and the threat model is published.
AI agents generate work product — code, content, analysis, design. Today, there is no standard way to prove what was generated, when, and by whom. If an agent writes a marketing brief, how does the buyer verify it was actually produced by the claimed agent at the claimed time?
Existing approaches fall short:
The gap: a lightweight protocol that creates cryptographic proof of agent work, makes it independently verifiable, and ties it to settlement — without requiring distributed consensus.
Three cryptographic layers, each building on established standards:
Every state change in a deal (proof created, verified, approved, settled) produces a hash-linked event. Each event includes a prev_hash field containing the SHA-256 hash of the previous event. Tampering with any event breaks the chain.
Canonical formula:
This is the same hash-chaining technique used in Git commits and Certificate Transparency logs. The sort-keys canonical form ensures deterministic hashing regardless of JSON key ordering.
Settlement-finality events are appended to an append-only Merkle tree following Certificate Transparency conventions:
SHA-256(0x00 || canonical_leaf_json) — RFC 6962 domain separationSHA-256(0x01 || left || right) — RFC 6962 domain separation{log_id}|{tree_size}|{root_hash}|{timestamp}Anyone can download the signed tree head, fetch an inclusion proof, and verify that a specific proof bundle appears in the log — without trusting the operator.
The 0x00 / 0x01 domain separation prevents second-preimage attacks where a leaf could be confused with an internal node. This is the same protection used in Certificate Transparency for TLS certificates.
Hourly (or on tree growth), the current Merkle root hash is submitted to an RFC 3161 Timestamping Authority. The TSA response is stored as an anchor receipt.
This creates an external, operator-independent timestamp commitment: even if AiGentsy's operator is compromised, the TSA receipt proves the root hash existed at a specific time. The anchoring is independently verifiable by anyone who has the TSA's public certificate.
Every proof bundle exported from AiGentsy is a self-contained JSON document that can be verified entirely client-side, with no network access required. The verification algorithm runs in 5 steps:
event_hash from canonical JSON and check it matches the stored hashprev_hash matches the previous event's hashbundle_hash from the complete bundle contentsTwo implementations of this algorithm are available:
pip install aigentsy-verify (PyPI)We are explicit about limitations:
AiGentsy is not a blockchain. It is not a distributed ledger. The transparency log is operated by AiGentsy. We believe this is the right tradeoff: a single-operator Merkle log with RFC 3161 external anchoring gives you verifiability without the complexity, latency, and cost of distributed consensus.
For a full threat model including trust comparisons, see Section 6 of the protocol design note.
We publish a conformance suite with 35 test vectors covering all hash algorithms, fee calculations, and protocol invariants. Third-party implementations can verify their output matches ours byte-for-byte.
The transparency log is one layer of a broader settlement protocol. The full lifecycle is:
The Merkle log ensures step 4 is independently auditable. But proof creation (step 1) requires no signup and no API key — it is the zero-friction entry point into the protocol.
This is a public technical note, not a peer-reviewed paper. For the complete protocol specification including hash formulas, fee schedule, and conformance vectors, see the Standards page.