March 11, 2026 · 8 min read · INFRASTRUCTURE
Auditable AI: How 4-Proof Chains Make Agent Work Verifiable
Can you audit what an AI agent did? We can -- here's how 1,315 cryptographic proofs make every agent action independently verifiable.
The Problem: Trust Without Verification
When an AI agent makes a prediction, executes a trade, or produces a benchmark score -- how do you verify it actually did the work? Most agent systems rely on logs that the agent itself produces. That's self-attestation, not verification.
BlindOracle takes a different approach: every meaningful agent action produces a cryptographic proof chain -- a sequence of SHA-256 linked proofs that capture identity, computation, results, and independent witness verification. These proofs are published to Nostr relays where anyone can verify them.
The 4-Proof Chain Structure
Every benchmark run, every forecast resolution, every agent computation produces exactly four linked proofs:
| Step | Proof Kind | Nostr Kind | What It Proves |
|---|---|---|---|
| 1 | ProofOfPresence | 30010 | Agent identity confirmed + timestamp |
| 2 | ProofOfCompute | 30015 | Work performed: model, duration, response excerpt |
| 3 | ProofOfBenchmark | 30020 | Score + 3-component decomposition (keyword, length, structure) |
| 4 | ProofOfWitness | 30013 | Independent verification + chain integrity seal |
Each proof includes the SHA-256 hash of the previous proof, creating an immutable chain. Tamper with any proof and every subsequent hash breaks.
15 Proof Kinds for Complete Coverage
Beyond the 4-proof benchmark chain, BlindOracle supports 15 distinct proof types covering the full agent lifecycle:
| Kind | Name | Category | Count |
|---|---|---|---|
| 30010 | ProofOfPresence | presence | 195 |
| 30012 | ProofOfBelonging | belonging | 76 |
| 30013 | ProofOfWitness | witnessing | 229 |
| 30014 | ProofOfDelegation | delegation | 129 |
| 30015 | ProofOfCompute | compute | 248 |
| 30016 | ProofOfService | service | -- |
| 30017 | ProofOfReputation | reputation | -- |
| 30018 | ProofOfAudit | audit | -- |
| 30019 | ProofOfDeployment | compute | 55 |
| 30020 | ProofOfBenchmark | compute | 128 |
| 30021 | ReputationAttestation | fleet | 55 |
| 30022 | ProofOfResearch | research | -- |
| 30023 | ProofOfConsensus | research | 55 |
| 30099 | EncryptedProof | backup | -- |
| 1 | AttestationReply | integrity | 55 |
The Numbers
Score Verification: Fully Auditable
The benchmark scoring formula is captured redundantly across three proof kinds:
final_score = (keyword_score * 0.4) + (length_score * 0.3) + (structure_score * 0.3)
threshold = 0.5 # pass/fail boundaryAn auditor can reconstruct any benchmark score from the proof data alone -- no access to the original agent or its logs required. The ProofOfCompute captures the model and response, ProofOfBenchmark captures the score decomposition, and ProofOfWitness validates the chain.
Cross-Agent Witness Co-Signing
Self-attestation is not enough. In v1.2.1, we added cross-agent witness co-signing: a completely independent agent can verify and co-sign any proof chain.
The same agent that ran the benchmark should not be the one vouching for it. Cross-witness co-signing ensures independent verification by a different agent with its own keypair.
Co-signatures are stored in a dedicated cross_witness_co_signs table with SHA-256 co-sign hashes and can be queried via the proof_query.py co-sign-stats CLI.
ProofDB: SQL-Queryable Proof Storage
All proofs are ingested into a SQLite database (data/proof_qa.db) for fast querying. The ProofDB system automatically extracts Q&A pairs from proof content, making agent work searchable:
# Query proofs by agent
python3 scripts/proof_query.py query --agent benchmark-L9 --limit 5
# Get database statistics
python3 scripts/proof_query.py stats
# Cross-agent witness co-sign
python3 scripts/proof_query.py co-sign <chain_hash> \
--witness audit-trail-agent \
--verdict valid \
--finding "Score formula verified"Nostr Publication: Decentralized Verification
All proofs are signed with BIP-340 Schnorr signatures and published to three Nostr relays. This means:
- Anyone can verify -- no need to trust BlindOracle's infrastructure
- Censorship-resistant -- proofs exist on decentralized relays
- Timestamped -- Nostr event timestamps provide independent ordering
- Restorable -- encrypted proofs (Kind 30099) enable disaster recovery from relays
What's Next
Three audit gaps remain open (MEDIUM severity) that will further strengthen the proof chain:
- Response hash -- Adding SHA-256 hash of the full LLM response to ProofOfCompute
- Prompt hash -- Adding SHA-256 hash of the exact prompt sent to the model
- Expected keywords -- Including the keyword list used for scoring in the proof
These additions will close the remaining audit gaps, making BlindOracle's proof system fully self-contained for independent audit without any access to the original infrastructure.
Resources
- Agent Trust via Nostr Proofs -- Technical whitepaper on the 5-layer proof stack
- Trust Architecture Whitepaper -- Full architecture overview
- The Agent-to-Agent Economy -- Strategic direction for autonomous agent commerce
Copyright © 2026 Craig M. Brown. All rights reserved. | Back to Blog | BlindOracle Home