White Paper

Agent-to-Agent Trust via Nostr Proofs

How BlindOracle fills the missing credential layer in the 18,000+ MCP server ecosystem with a 5-layer Nostr Proof Stack for verifiable identity, portable reputation, and private settlement.

Craig M. Brown | March 2026 | v1.0

Abstract

The Model Context Protocol (MCP) ecosystem grew from 100 servers to 18,000+ in 16 months, yet ships with zero credential verification. Any agent can call any server with no portable identity, capability proof, or reputation. This paper presents BlindOracle's Nostr Proof Stack — a 5-layer credential architecture built on open standards that enables verifiable agent identity, portable reputation, and private settlement for agent-to-agent commerce.

Trust isn't a feature. It's the infrastructure.

Eighteen thousand MCP servers. Zero credentials. Every agent call today is a leap of faith — unsigned, unverified, unaccountable. We built the layer that changes that.

Identity: Prove who you are. Once. Everywhere.
Reputation: Earn it. Port it. No platform owns it.
Privacy: Settle without showing your hand.

The agent economy doesn't need another API wrapper. It needs cryptographic proof that the agent on the other side of the wire is who it says it is, has done what it claims, and will settle what it owes.

BlindOracle is that proof.

1. The Agent Identity Crisis

"80% of AI agents don't properly identify themselves. 80% of sites don't verify agent identity. Only 28% of organizations can trace agent actions to a human sponsor."
— DataDome & Strata Research, 2026

MCP Servers: 18,073
With Trust Layer: 0
Don't Self-Identify: 80%
Agent Market 2026: $10.86B

The MCP ecosystem grew from 100 servers (Nov 2024) to 18,000+ (Mar 2026) — a 180x explosion in 16 months. But the protocol ships with zero credential verification. Any agent can call any server. No portable identity. No capability proof. No reputation.

Three fundamental problems for agent-to-agent commerce:

Problem | Impact | Status
Capability Spoofing | Agent claims capabilities it doesn't have | Unsolved
Identity Linkage | Every transaction exposes agent owner | Unsolved
Cross-Org Trust | IAM works within one org; breaks across orgs | Partial (A2A)

2. Why Existing Solutions Fall Short

Registry | Server Count | Trust Layer
mcp.so | 18,073+ | None
PulseMCP | 8,600+ | None
Smithery.ai | 7,300+ | None
Official MCP Registry | Undisclosed | GitHub auth only

Competitive Feature Matrix

Solution | Self-Sovereign ID | Portable Rep | Privacy Proofs | Lightning | Off-Chain Creds
ERC-8004 (45K agents) | Yes | On-chain | Partial | No | No
Google A2A (150+ orgs) | No | JSON card | No | No | No
Clawstr ($13.7M cap) | Nostr | Partial | No | Yes | No
Virtuals ACP ($461M cap) | No | Escrow | No | No | No
KYA (Sumsub/Trulioo) | No | JWT | No | No | No
BlindOracle | Nostr | NIP-58 | Blind Sigs | Yes | Yes

Feature Coverage Comparison

Capabilities per Platform (5 = Complete Coverage)

BlindOracle: 5/5
ERC-8004: 2.5/5
Clawstr: 2.5/5
Virtuals ACP: 1/5
Google A2A: 0.5/5
KYA: 1/5

The Unclaimed Position

No project simultaneously offers all five: self-sovereign Nostr identity + verifiable NIP-58 badge credentials + Chaumian blind signature settlement + NIP-90 service proofs + multi-rail payment routing. BlindOracle occupies this unique intersection.


3. The Nostr Proof Stack

A 5-layer credential architecture built entirely on open Nostr standards:

5-Layer Credential Architecture

Layer 5: Settlement — Chaumian Blind Signatures (eCash)
Layer 4: Job Market — Data Vending Machines (NIP-90)
Layer 3: Service Discovery — App Handlers (NIP-89)
Layer 2: Credentials — Badge Definitions (NIP-58)
Layer 1: Identity — Keypair + Schnorr Signatures (NIP-01)

Layer | NIP Standard | What It Proves | How
Identity | NIP-01 + secp256k1 | Agent exists with unique keypair | Schnorr signature on every event
Credentials | NIP-58 Badges | Agent earned specific capabilities | 4 proof types: Presence, Participation, Belonging, Witness
Discovery | NIP-89 App Handlers | Agent provides specific services | kind 31990 replaceable events on relays
Job Market | NIP-90 DVMs | Agent can fulfill work requests | Job request/result event pairs
Settlement | Chaumian blind sigs | Payment without linking parties | Blinded token mint → unlinkable redemption

4. The Trust Flow

Agent Trust Establishment Flow

1. Generate Keypair (secp256k1)
2. Earn Badges (NIP-58)
3. Publish Services (NIP-89)
4. Discover Peers (relay queries)
5. Verify Credentials (0.0-1.0 score)
6. Settle via eCash (blind-signed tokens)
7. Unlinkable (no identity leakage)
8. Portfolio Grows (higher trust)

Credential Portfolio Scoring (0.0 – 1.0)

Composite reputation score weighted by four factors:

Age: Credential longevity
Diversity: Badge type variety
Witnesses: Third-party attestations
Federation: Guardian membership

5. Credential Types & Badge Proofs

Four NIP-58 badge proof types that compose into a credential portfolio. For the full proof type taxonomy (7 proof kinds, 30010-30016), anti-synthetic validation scoring, and proof-to-trust tier pipeline, see the companion paper: SRVL Protocol: Service Verification and Lifecycle.

Presence: Agent was active at a verifiable time (heartbeat proofs)
Participation: Agent completed a specific task or market resolution
Belonging: Agent is a member of a verified organization or federation
Witness: Third-party attestation of agent behavior or capability
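
The checks a verifier can run on a NIP-58 badge award before counting it toward a portfolio, shown as an added example that is not BlindOracle's code. The pubkeys, badge name and events are constructed placeholders, and Schnorr signature verification is assumed to be handled by a separate BIP-340 library.

```python
import hashlib
import json

BADGE_AWARD, BADGE_DEFINITION = 8, 30009  # NIP-58 event kinds

def event_id(ev):
    """NIP-01 id: SHA-256 over the compact JSON array of the signed fields."""
    fields = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(fields, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def tag_values(ev, name):
    """Second element of every tag whose first element is `name`."""
    return [t[1] for t in ev["tags"] if len(t) >= 2 and t[0] == name]

def badge_award_problems(award, definition, agent_pubkey):
    """Return reasons to reject the award; an empty list means it binds the
    agent to this definition. The Schnorr `sig` check (BIP-340) is assumed to
    be done separately with a vetted library and is not reimplemented here."""
    problems = []
    for label, ev in (("award", award), ("definition", definition)):
        if ev.get("id") != event_id(ev):
            problems.append(f"{label}: id does not match signed fields")
    if award["kind"] != BADGE_AWARD or definition["kind"] != BADGE_DEFINITION:
        problems.append("wrong event kind")
    d = tag_values(definition, "d")
    ref = f"{BADGE_DEFINITION}:{definition['pubkey']}:{d[0]}" if d else None
    if ref is None or tag_values(award, "a") != [ref]:
        problems.append("award does not reference this definition")
    if award["pubkey"] != definition["pubkey"]:
        problems.append("award not issued by the badge definer")
    if agent_pubkey not in tag_values(award, "p"):
        problems.append("agent is not an awardee")
    return problems

def make_event(pubkey, kind, tags, content="", created_at=1772323200):
    """Build a constructed sample event (no real keys, no signature)."""
    ev = {"pubkey": pubkey, "created_at": created_at, "kind": kind,
          "tags": tags, "content": content}
    ev["id"] = event_id(ev)
    return ev

# Constructed sample data: placeholder hex pubkeys and a hypothetical badge name.
ISSUER, AGENT, OTHER = "aa" * 32, "bb" * 32, "cc" * 32
DEFINITION = make_event(ISSUER, BADGE_DEFINITION, [["d", "participation"]])
AWARD = make_event(ISSUER, BADGE_AWARD,
                   [["a", f"30009:{ISSUER}:participation"], ["p", AGENT]])
FORGED = make_event(OTHER, BADGE_AWARD,  # self-issued award citing ISSUER's badge
                    [["a", f"30009:{ISSUER}:participation"], ["p", OTHER]])
```

An award that cites someone else's badge definition but is authored by a different key is rejected even though its id and tags are well-formed.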

6. Private Settlement via Blind Signatures

Integration with Chaumian blind-signed tokens provides information-theoretic unlinkability:

Blind Signature Settlement Protocol

Phase 1: Deposit. Agent sends value to guardian federation.
Phase 2: Commitment. C = SHA256(s || p || a)
Phase 3: Resolution. Verify & disburse.

Commitment Scheme

C = SHA256(secret || position || amount)

Hiding: 256-bit secret from CSPRNG ensures 2^256 possible values. Binding: SHA256 collision resistance at ~2^128 operations (birthday bound). Combined with blind signatures for full unlinkability.
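
A minimal sketch of the commitment above, added here as an example and not BlindOracle's own code. The field encodings (UTF-8 position string, 8-byte integer amount, length prefixes, the domain tag) are assumptions, since the paper gives only C = SHA256(secret || position || amount); the naive variant shows why the encoding matters for binding.

```python
import hashlib
import hmac
import secrets

DOMAIN = b"example-commitment-v1"  # hypothetical domain tag, not from the paper

def naive_commit(secret: bytes, position: str, amount: int) -> bytes:
    """Literal s || p || a with no framing: field boundaries are ambiguous."""
    data = secret + position.encode("utf-8") + str(amount).encode("ascii")
    return hashlib.sha256(data).digest()

def _field(value: bytes) -> bytes:
    """Length-prefix a variable-length field so boundaries are unambiguous."""
    return len(value).to_bytes(4, "big") + value

def commit(secret: bytes, position: str, amount: int) -> bytes:
    """C = SHA256(domain || secret || position || amount) with fixed framing."""
    if len(secret) != 32:
        raise ValueError("secret must be 32 bytes from a CSPRNG")
    if amount < 0:
        raise ValueError("amount must be non-negative")
    data = (_field(DOMAIN) + _field(secret)
            + _field(position.encode("utf-8")) + amount.to_bytes(8, "big"))
    return hashlib.sha256(data).digest()

def new_commitment(position: str, amount: int):
    """Draw a fresh 256-bit secret and return (secret, commitment)."""
    secret = secrets.token_bytes(32)
    return secret, commit(secret, position, amount)

def verify_opening(c: bytes, secret: bytes, position: str, amount: int) -> bool:
    """Recompute the commitment from the revealed values, compare in constant time."""
    try:
        expected = commit(secret, position, amount)
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(expected, c)
```

With the naive encoding, ("YES1", 0) and ("YES", 10) open the same commitment, so binding fails without any SHA256 collision; the framed version keeps them distinct.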

Unlinkability Argument

The federation knows Agent A deposited value a at time t1. The smart contract knows commitment C was published at t2 with tokens of value a. But the federation cannot link the commitment to the deposit because tokens are blind-signed. The separation is information-theoretic.


7. CaMel 4-Layer Security Architecture

Four-layer defense against Sybil attacks, prompt injection, and manipulation:

L1: Rate Limiting | Input sanitization, sliding window enforcement | Per-agent
L2: Byzantine Consensus | Multi-model validation for critical operations | 67% / 80%
L3: Anti-Persuasion | Social engineering and deviation detection | 30% flag
L4: Authority Audit | Cryptographic identity + immutable logs | Full trail

BLP Coverage: 60/60
MASSAT Tests: 87
BLP Categories: 6

8. Platform Metrics & Distribution

Agent Runs: 234
Agent Types: 19
Agents / 8 Teams: 25
Runs Per Day: 14.6
Days Continuous: 16
MCP Tools: 11

8 Distribution Channels

Channel | ID / Name | Type
Official MCP Registry | io.github.craigmbrown/blindoracle v2.0.0 | Streamable HTTP
Smithery | @craigmbrown/blindoracle | Streamable HTTP
mcp.so | BlindOracle | Remote/Hosted
Moltlaunch | ERC-8004 gig listing (3 services) | x402 payment
Google A2A | Agent Card at /a2a/v2 | JSON-RPC
ClawHub | Skill package | Claude Code skill
AgentKit | Action provider plugin | Coinbase wallet
Nostr | NIP-89 service events on 4 relays | Decentralized discovery

On-Chain Contracts (Base L2)

Contract | Mainnet | Sepolia
PrivateClaimVerifier | 0x1CF258fA07a620fE86166150fd8619afAD1c9a3D | 0xd4fa...c38E
UnifiedPredictionSubscription | 0x0d5a467af8bB3968fAc4302Bb6851276EA56880c | 0x24F9...BBb

9. MCP Integration

Add BlindOracle to Any Agent

{
  "mcpServers": {
    "blindoracle": {
      "url": "https://craigmbrown.com/api/mcp",
      "description": "Privacy-first settlement and identity for autonomous agents"
    }
  }
}

x402 Payment Headers

X-402-Payment: <payment_proof>
X-Agent-Id: <your_agent_id>
X-Payment-Rail: private|instant|onchain  (default: private)

The x402 ecosystem processed 75.4M transactions / $24.2M volume in the last 30 days across 94K buyers and 22K sellers. BlindOracle adds the missing privacy and credential layer on top of this payment rail.

Related Papers

Companion Publications

Paper | Focus
SRVL Protocol | Full proof type taxonomy (7 kinds, 30010-30016), anti-synthetic validation, on-chain anchoring, proof-to-trust tier pipeline
Commitment Scheme | SHA256 commitment specification, Pedersen comparison, blind signature integration, guardian consensus settlement

References

  1. DataDome & Strata Research (2026). "The State of AI Agent Identity."
  2. Chaum, D. (1982). "Blind Signatures for Untraceable Payments." CRYPTO '82.
  3. Pedersen, T. P. (1991). "Non-Interactive Verifiable Secret Sharing." CRYPTO '91.
  4. NIST (2015). "Secure Hash Standard (SHS)." FIPS PUB 180-4.
  5. Lamport, Shostak, Pease (1982). "The Byzantine Generals Problem." ACM TOPLAS.
  6. Fedimint Project. "Federated Mint Protocol Specification."
  7. x402.org (2026). "x402 Ecosystem Metrics Dashboard."

Market context: TAM, competitive signals, and x402 ecosystem data supporting the white paper's positioning thesis.

Market Context & TAM

AI Agent Market 2026: $10.86B
Agent Market 2034 (WEF): $236B
Privacy AI 2026: $5.32B
x402 Volume (30 days): $24.2M

AI Agent Market Growth Trajectory: 2026 ($10.86B), 2028 ($35B est), 2030 ($75B est), 2034 ($236B WEF)

Key Market Signals

Signal | Data Point | Source
ERC-8004 adoption | 45K+ agents registered in first month | Phemex, Jan 2026
Clawstr token launch | 33x in 24h to $13.7M market cap | KuCoin, Feb 2026
Virtuals Protocol | $461M market cap for agent commerce | CoinGecko, Mar 2026
x402 transactions | 75.4M txns / 94K buyers in 30 days | x402.org, Mar 2026
Coinbase AgentKit + x402 | Agentic Wallets launched Feb 11, 2026 | Coinbase
Sumsub KYA | Know Your Agent framework shipping | PYMNTS, Jan 2026
Privacy AI CAGR | 25-29% to $34-46B by 2035 | Market.us
MCP security gaps | 118 findings across 68 packages | DevSecOps, 2026
