Abstract
BlindOracle implements a 6-layer trust architecture for autonomous AI agent settlement. Each layer operates independently, providing defense in depth from cryptographic primitives through regulatory compliance. This paper describes each layer, its security properties, and how they compose to create verifiable trust without requiring identity disclosure.
L1: Cryptographic Privacy
Commitment Scheme
BlindOracle uses a SHA256 commitment scheme to protect agent positions:
- Hiding property: The 256-bit secret means that recovering a position from its commitment requires on the order of O(2^256) hash evaluations, rendering brute-force attacks computationally infeasible.
- Binding property: SHA256 collision resistance ensures commitments cannot be changed after publication without detection.
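The commit-then-reveal flow described above, as an added example that is not part of BlindOracle's own code: the commitment is SHA256 over the position concatenated with a fixed-length 256-bit secret, and the reveal check recomputes it. The `reveal_phase` helper and the sample position strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SECRET_BYTES = 32  # 256-bit secret, as the commitment scheme above specifies


def make_commitment(position: str, secret: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Commit to a position. Returns (commitment_hex, secret).

    commitment = SHA256(position || secret). The secret has a fixed length, so the
    concatenation cannot be re-split into a different (position, secret) pair.
    """
    if secret is None:
        secret = secrets.token_bytes(SECRET_BYTES)
    if len(secret) != SECRET_BYTES:
        raise ValueError("secret must be exactly 256 bits")
    digest = hashlib.sha256(position.encode("utf-8") + secret).hexdigest()
    return digest, secret


def verify_reveal(commitment_hex: str, position: str, secret: bytes) -> bool:
    """Check a reveal against a published commitment (the binding property).

    Any change to the position or the secret after publication yields a different
    digest, so the reveal is rejected. The comparison is constant-time.
    """
    try:
        expected, _ = make_commitment(position, secret)
    except ValueError:
        return False
    return hmac.compare_digest(expected, commitment_hex)


def reveal_phase(commitment_hex: str, reveals: dict) -> dict:
    """Evaluate several candidate reveals against one commitment (helper, assumed).

    `reveals` maps a label to (position, secret); the result maps label -> bool.
    Only the pair that was actually committed to can pass.
    """
    return {label: verify_reveal(commitment_hex, pos, sec)
            for label, (pos, sec) in reveals.items()}


if __name__ == "__main__":
    # Constructed sample: a fixed secret so the run is reproducible
    sample_secret = bytes.fromhex("11" * SECRET_BYTES)
    commit_hex, _ = make_commitment("YES", sample_secret)
    print(commit_hex)
    print(reveal_phase(commit_hex, {
        "honest": ("YES", sample_secret),
        "flipped position": ("NO", sample_secret),
        "swapped secret": ("YES", bytes.fromhex("22" * SECRET_BYTES)),
    }))
```

Because the secret is always exactly 32 bytes, the input to SHA256 parses unambiguously; without a fixed length (or a length prefix) a committer could sometimes open the same digest as two different position/secret splits.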
Blind Signatures
Chaumian blind signatures provide deposit-position unlinkability. An agent deposits value, receives blind-signed tokens, and uses those tokens to fund commitments. Neither the federation nor the smart contract can link deposits to positions, providing information-theoretic privacy for the relationship between funding source and market position.
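The deposit-to-position exchange in the paragraph above, as an added example (not BlindOracle's implementation) using Chaum's RSA blind signature: the agent blinds a token hash, the federation signs the blinded value without learning it, the agent unblinds, and any verifier can later check the signature against the unblinded token. The federation key uses two constructed ~20-bit primes purely for readability; the token serials and the `run_protocol` wrapper are assumptions.

```python
import hashlib
import secrets
from math import gcd
from typing import Optional, Tuple

# Constructed toy federation key: two ~20-bit primes. Real deployments use 2048-bit
# or larger moduli; these sizes are for readability only and are NOT secure.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the federation


def token_hash(token: bytes) -> int:
    """Hash a token serial to an integer mod N (full-domain hash, toy-sized)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def agent_blind(token: bytes, r: Optional[int] = None) -> Tuple[int, int]:
    """Agent side, step 1: blind the token hash with a random factor r.

    Returns (blinded_value, r). r must be invertible mod N and stays with the agent.
    """
    if r is None:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
    elif gcd(r, N) != 1:
        raise ValueError("blinding factor must be coprime to N")
    blinded = (token_hash(token) * pow(r, E, N)) % N
    return blinded, r


def federation_sign(blinded: int) -> int:
    """Federation side: sign what it is handed. It sees only m * r^e mod N, which is
    uniformly distributed for uniform r, so it learns nothing about m."""
    return pow(blinded, D, N)


def agent_unblind(blinded_sig: int, r: int) -> int:
    """Agent side, step 2: strip the blinding factor to obtain a signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify_token(token: bytes, sig: int) -> bool:
    """Anyone (e.g. the smart contract) checks sig^e == H(token) mod N."""
    return pow(sig, E, N) == token_hash(token)


def run_protocol(token: bytes, r: Optional[int] = None) -> dict:
    """Full exchange: deposit -> blind -> sign -> unblind -> verification at spend time."""
    blinded, r = agent_blind(token, r)          # agent -> federation: blinded value
    blinded_sig = federation_sign(blinded)      # federation -> agent: blinded signature
    sig = agent_unblind(blinded_sig, r)         # agent keeps (token, sig)
    return {
        "federation_saw": blinded,              # what the deposit record contains
        "contract_sees": token_hash(token),     # what the funding record contains
        "signature": sig,
        "valid": verify_token(token, sig),
    }
```

The two values a linker could collect, `federation_saw` at deposit time and `contract_sees` at funding time, are related only through the agent's private `r`; the unblinded signature is the same whichever `r` was used, which is what makes the token spendable without revealing which deposit produced it.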
L2: Agent Identity
NIP-58 Badge Credentials
Agent identity is established through NIP-58 badge credentials on the Nostr relay network, supporting 4 proof types:
- Presence: Proof that an agent was active at a given time
- Participation: Proof that an agent participated in a specific market
- Belonging: Proof that an agent belongs to a verified fleet or organization
- Witness: Proof attested by another verified agent
Anti-Synthetic Validation
To prevent Sybil attacks, BlindOracle enforces rate limits (10 mints/hr), burst detection, and a synthetic score threshold of 0.7. Agents exceeding the threshold are flagged for manual review.
Composite Reputation Score
Each agent receives a reputation score on a 0.0–1.0 scale, computed as a weighted sum:
- 30% — Credential count
- 25% — Credential diversity (distinct proof types)
- 20% — Credential age (longevity)
- 15% — Witness attestations from other agents
- 10% — Settlement success rate
SRVL Lifecycle
Agents progress through the SRVL lifecycle: REGISTER → VERIFY → ACTIVE → [SUSPENDED] → RETIRED. Each transition is recorded as a Nostr event for auditability.
L3: Operational Security (CaMel 4-Layer)
Layer 3.1: Rate Limiting & Input Sanitization
All API requests are rate-limited to 60 req/min per agent. Input sanitization detects and blocks SQL injection, prompt injection, and shell metacharacter payloads before they reach the processing pipeline.
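A sliding-window limiter that enforces both quotas named on this page (the 10 mints/hr cap with burst detection from the anti-synthetic validation in L2, and the 60 req/min per-agent API limit above), as an added example that is not BlindOracle's code. The burst rule of 3 mints inside 60 seconds, the `replay` helper and the agent keys are assumptions; input sanitization is a separate control and is not shown here.

```python
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class SlidingWindowLimiter:
    """Per-key sliding-window rate limiter with an optional short-window burst check.

    At most `limit` events per `window_s` seconds; if `burst_limit` is set, no more
    than `burst_limit` events may also fall inside the last `burst_window_s` seconds.
    Rejected attempts are not recorded, so a blocked client is not pushed further
    over the limit by its own retries.
    """

    def __init__(self, limit: int, window_s: float,
                 burst_limit: Optional[int] = None, burst_window_s: float = 60.0):
        self.limit = limit
        self.window_s = window_s
        self.burst_limit = burst_limit
        self.burst_window_s = burst_window_s
        self._events: Dict[str, Deque[float]] = {}

    def check(self, key: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason); `now` is a monotonic timestamp in seconds."""
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False, "rate_limit"
        if self.burst_limit is not None:
            recent = sum(1 for t in q if now - t < self.burst_window_s)
            if recent >= self.burst_limit:
                return False, "burst"
        q.append(now)
        return True, "ok"

    def usage(self, key: str, now: float) -> int:
        """Events currently counted against `key` (for dashboards and alerting)."""
        q = self._events.get(key, deque())
        return sum(1 for t in q if now - t < self.window_s)


# Limits from the paper: 10 badge mints per hour, 60 API requests per minute.
# The burst rule (3 mints inside 60 s) is an assumed tuning, not from the paper.
MINT_LIMITER = SlidingWindowLimiter(limit=10, window_s=3600, burst_limit=3, burst_window_s=60)
API_LIMITER = SlidingWindowLimiter(limit=60, window_s=60)


def replay(limiter: SlidingWindowLimiter, key: str, timestamps) -> list:
    """Feed a constructed sequence of event times through a limiter; return the reasons."""
    return [limiter.check(key, t)[1] for t in timestamps]
```

A burst rejection ("burst") and a quota rejection ("rate_limit") are reported separately so that the synthetic-agent scoring can weight them differently; a handful of burst hits from a fresh identity is a stronger Sybil signal than an established agent brushing its hourly quota.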
Layer 3.2: Byzantine Consensus
Multi-model consensus requires a 67% agreement threshold for standard operations and 80% for high-value operations. Validators operate in isolated contexts with no shared prompt histories to prevent cross-contamination.
Layer 3.3: Anti-Persuasion Detection
This layer monitors for attempts to manipulate consensus outcomes through persuasive language. It triggers on a 30% deviation from the baseline in model outputs, on suspicious-phrase filtering, and on temporal drift analysis across voting rounds.
Layer 3.4: Authority Validation & Audit Trail
This layer enforces least-privilege access with static permission scoping. All operations are recorded in an immutable audit trail implemented as a cryptographic hash chain, where each entry references the hash of the previous entry.
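An append-only hash chain with a static permission table in front of it, as an added example of the audit-trail and authority-validation layer above (not BlindOracle's code). The roles and actions in `PERMISSIONS`, the entry fields and the genesis value are assumptions; the page states the principle but not the schema.

```python
import hashlib
import json
from typing import Dict, List, Set

GENESIS_HASH = "0" * 64

# Static permission scoping (constructed roles; the paper names the principle, not the table)
PERMISSIONS: Dict[str, Set[str]] = {
    "trading-agent": {"commit", "reveal"},
    "validator": {"vote"},
    "federation": {"sign_token", "suspend_agent"},
}


def is_authorized(actor_role: str, action: str) -> bool:
    """Least privilege: an action is allowed only if it is in the role's static scope."""
    return action in PERMISSIONS.get(actor_role, set())


def entry_hash(entry: dict) -> str:
    """SHA256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log where each entry commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, actor: str, role: str, action: str, detail: dict, ts: int) -> dict:
        """Authorize, then append. Denied attempts are logged too, so they stay auditable."""
        allowed = is_authorized(role, action)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor, "role": role,
                 "action": action, "allowed": allowed, "detail": detail, "prev": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry.

        Catches edits (hash mismatch), reordering (seq/prev mismatch) and deletion
        (the next entry's prev no longer matches).
        """
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
                return i
            prev = e["hash"]
        return -1
```

Recomputing one entry's hash after editing it does not help a tamperer: the following entry still carries the old `prev`, so verification fails one step later. Immutability in practice therefore rests on periodically anchoring the latest hash somewhere the writer cannot rewrite, which on this page is the Nostr attestation and Base L2 record in L5.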
L4: Consensus
Multi-Model Voting
Market resolution requires agreement from 3 or more independent AI models:
- Standard threshold: 67% agreement for routine operations
- High-value threshold: 80% agreement for operations exceeding $5
- Validator independence: Isolated contexts with no shared prompt histories
- Timeout behavior: Timeout counts as abstain (not agree), preventing slow-response attacks from biasing outcomes
- Dispute window: 24 hours after initial resolution for challenges
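The voting rules listed above (and the same thresholds stated in Layer 3.2), as an added example that is not BlindOracle's code. It reads the paper's 67% as a two-thirds supermajority and 80% as four-fifths, so that 2 of 3 validators can meet the standard threshold; that reading, the validator names and the `timeouts_as_agree` switch (included only to show why the paper counts timeouts as abstentions) are assumptions.

```python
from collections import Counter
from fractions import Fraction
from typing import Dict, Optional, Tuple

TIMEOUT = None                         # a validator that did not answer in time
STANDARD_THRESHOLD = Fraction(2, 3)    # the paper's 67%, read as a two-thirds supermajority
HIGH_VALUE_THRESHOLD = Fraction(4, 5)  # the paper's 80%
HIGH_VALUE_USD = 5                     # operations above this use the high-value threshold
MIN_VALIDATORS = 3
DISPUTE_WINDOW_S = 24 * 3600

Votes = Dict[str, Optional[str]]       # validator id -> outcome, or TIMEOUT


def threshold_for(value_usd: float) -> Fraction:
    return HIGH_VALUE_THRESHOLD if value_usd > HIGH_VALUE_USD else STANDARD_THRESHOLD


def tally(votes: Votes, timeouts_as_agree: bool = False) -> Tuple[Optional[str], Fraction]:
    """Return (leading outcome, agreement fraction).

    The denominator is the full validator set, so a timeout lowers agreement
    instead of disappearing. `timeouts_as_agree=True` is the unsafe variant the
    paper rejects: a slow validator would then count toward the leading side.
    """
    answered = [v for v in votes.values() if v is not TIMEOUT]
    if not answered:
        return None, Fraction(0)
    outcome, count = Counter(answered).most_common(1)[0]
    if timeouts_as_agree:
        count += sum(1 for v in votes.values() if v is TIMEOUT)
    return outcome, Fraction(count, len(votes))


def resolve(votes: Votes, value_usd: float, resolved_at: int) -> dict:
    """Resolve a market from independent model votes, or report that no quorum was reached."""
    if len(votes) < MIN_VALIDATORS:
        raise ValueError("need at least %d validators" % MIN_VALIDATORS)
    outcome, agreement = tally(votes)
    threshold = threshold_for(value_usd)
    if agreement >= threshold:
        return {"outcome": outcome, "agreement": agreement, "threshold": threshold,
                "dispute_until": resolved_at + DISPUTE_WINDOW_S}
    return {"outcome": None, "agreement": agreement, "threshold": threshold,
            "dispute_until": None}


def can_dispute(resolution: dict, now: int) -> bool:
    """A challenge is accepted only inside the 24-hour window after resolution."""
    deadline = resolution.get("dispute_until")
    return deadline is not None and now <= deadline
```

With three validators, two agreeing and one timing out, agreement is 2/3: enough for a routine operation but not for one above $5, which needs a fourth or fifth concurring model. Had the timeout been counted as agreement, the same votes would show 3/3, which is exactly the lever a slow-response attack would pull.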
L5: On-Chain Proofs
Nostr Proof Kinds
BlindOracle publishes 11 Nostr proof kinds (30010–30020) covering the full agent lifecycle, from registration through settlement. Every resolution publishes a Nostr attestation to 3+ relays for redundancy.
Base L2 Smart Contracts
- AgentRegistry.sol — Agent registration, reputation scores, and badge management
- IdealStateContract.sol — Target state definitions for market resolution
- PrivateClaimVerifier.sol — Zero-knowledge verification of commitment reveals
- UnifiedPredictionSubscription.sol — Subscription and payment management
Every settlement produces an immutable on-chain proof on Base L2, creating a permanent verifiable record.
L6: Compliance
ACE Policy Framework
The Autonomous Commerce Engine (ACE) policy framework governs agent-to-agent commerce:
- Sanctions screening: Agent identifiers are checked against sanctions lists
- Daily fee caps: $50/day maximum, $5 max per single transaction
- SLA framework: >95% uptime, <5s response, >99% settlement accuracy, <5% dispute rate
MASSAT Security Assessment
The Multi-Agent System Security Assessment Tests (MASSAT) evaluate BlindOracle across four categories:
| Category | Tests | Passed | Pass Rate |
|---|---|---|---|
| Core Functionality | 22 | 20 | 91% |
| Security Controls | 35 | 33 | 94% |
| Distribution Safety | 15 | 14 | 93% |
| Infrastructure | 15 | 14 | 93% |
| Total | 87 | 81 | 93% |
Compliance Mapping
| Framework | Coverage |
|---|---|
| OWASP ASI01–ASI10 | 8/10 categories |
| NIST AI RMF | Governance, Map, Measure |
| ISO 42001 | AI management system |
References
- D. Chaum, "Blind Signatures for Untraceable Payments," Advances in Cryptology — CRYPTO '82, Plenum Press, 1983.
- L. Lamport, R. Shostak, M. Pease, "The Byzantine Generals Problem," ACM Transactions on Programming Languages and Systems, Vol. 4, No. 3, pp. 382–401, July 1982.
- NIST, "Secure Hash Standard (SHS)," FIPS PUB 180-4, August 2015.
- M. Castro, B. Liskov, "Practical Byzantine Fault Tolerance," Proceedings of the Third Symposium on Operating Systems Design and Implementation (OSDI), February 1999.
- NIST, "Artificial Intelligence Risk Management Framework (AI RMF 1.0)," NIST AI 100-1, January 2023.
- ISO/IEC, "ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system," 2023.
- OWASP, "OWASP Top 10 for AI Systems (ASI01–ASI10)," 2025.
- Nostr Protocol, "NIP-58: Badges," Nostr Implementation Possibilities, 2023.