pith. machine review for the scientific record.

arxiv: 2604.07695 · v1 · submitted 2026-04-09 · 💻 cs.CR · cs.AI

Recognition: no theorem link

AITH: A Post-Quantum Continuous Delegation Protocol for Human-AI Trust Establishment


Pith reviewed 2026-05-10 18:27 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords continuous delegation · post-quantum cryptography · AI trust · boundary enforcement · delegation certificate · revocation protocol · formal verification · probabilistic agents

The pith

AITH uses one post-quantum certificate and local boundary checks to let humans delegate continuously to probabilistic AI agents.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Existing protocols such as TLS and OAuth assume deterministic software and break when AI agents act probabilistically inside shifting trust boundaries. AITH replaces repeated signing with a single Continuous Delegation Certificate signed once using ML-DSA-87, then hands enforcement to a six-check Boundary Engine that runs at 4.7 million operations per second with no cryptographic cost on the critical path. A push revocation mechanism invalidates the delegation in under one second, backed by a tamper-evident SHA-256 chain. The design is backed by five machine-checked theorems in the Dolev-Yao model and by adversarial auditing plus large-scale simulation.

Core claim

AITH supplies a continuous delegation protocol in which a human principal issues one ML-DSA-87-signed Continuous Delegation Certificate; a six-check Boundary Engine then enforces hard constraints, rate limits, and escalation rules locally at sub-microsecond latency while a push revocation protocol clears invalid delegations within one second.

What carries the argument

The Continuous Delegation Certificate plus the six-check Boundary Engine, which moves all constraint enforcement off the cryptographic path into constant-time local checks.

If this is right

  • 79.5 percent of operations can complete without human intervention while still respecting declared boundaries.
  • Revocation information reaches all parties within one second without requiring per-operation signatures.
  • Zero cryptographic overhead appears on the critical path after the initial certificate check.
  • All claimed security properties hold under the Dolev-Yao model according to Tamarin verification.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same single-certificate-plus-boundary pattern could apply to other continuously operating probabilistic systems such as sensor swarms or automated trading agents.
  • Integration with existing OAuth flows would require only wrapping the boundary engine around the issued token rather than redesigning the entire stack.
  • The 4.7 million operations per second figure suggests the mechanism is fast enough for real-time decision loops where latency must stay below a millisecond.

Load-bearing premise

The Boundary Engine can enforce hard limits on a probabilistic AI agent without creating fresh vulnerabilities or misjudging variable trust boundaries.

What would settle it

A trace in which an AI agent violates a declared rate limit or hard constraint yet the Boundary Engine neither escalates nor triggers revocation within the claimed one-second window.

Original abstract

The rapid deployment of AI agents acting autonomously on behalf of human principals has outpaced the development of cryptographic protocols for establishing, bounding, and revoking human-AI trust relationships. Existing frameworks (TLS, OAuth 2.0, Macaroons) assume deterministic software and cannot address probabilistic AI agents operating continuously within variable trust boundaries. We present AITH (AI Trust Handshake), a post-quantum continuous delegation protocol. AITH introduces: (1) a Continuous Delegation Certificate signed once with ML-DSA-87 (FIPS 204, NIST Level 5), replacing per-operation signing with sub-microsecond boundary checks at 4.7M ops/sec; (2) a six-check Boundary Engine enforcing hard constraints, rate limits, and escalation triggers with zero cryptographic overhead on the critical path; (3) a push-based Revocation Protocol propagating invalidation within one second. A three-tier SHA-256 Responsibility Chain provides tamper-evident audit logging. All five security theorems are machine-verified via Tamarin Prover under the Dolev-Yao model. We validate AITH through five rounds of multi-model adversarial auditing, resolving 12 vulnerabilities across four severity layers. Simulation of 100,000 operations shows 79.5% autonomous execution, 6.1% human escalation, and 14.4% blocked.
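The split the abstract describes (signature verified once, then purely local checks per operation, with every decision written to a SHA-256 hash chain) can be sketched as follows. This is an added example, not code from the paper or from Pith: this page does not enumerate the paper's six checks or the structure of its three-tier chain, so the six checks, the `Delegation` fields, the single-tier chain and the sample operations are all constructed assumptions.

```python
import hashlib, json
from collections import deque
from dataclasses import dataclass, field
ALLOW, ESCALATE, BLOCK = "ALLOW", "ESCALATE", "BLOCK"

@dataclass
class Delegation:  # hypothetical fields; ML-DSA-87 signature assumed verified once at load
    expires_at: float
    allowed_actions: frozenset
    hard_limit: float        # amounts above this are always blocked
    escalate_above: float    # amounts above this go to the human principal
    max_ops_per_sec: int
    revoked: bool = False    # flipped by the push revocation channel
    recent: deque = field(default_factory=deque)

def check(d, action, amount, now):
    """Six constructed boundary checks; no cryptography on this path."""
    if d.revoked: return BLOCK, "revoked"
    if now >= d.expires_at: return BLOCK, "expired"
    if action not in d.allowed_actions: return BLOCK, "action"
    if amount > d.hard_limit: return BLOCK, "hard_limit"
    while d.recent and now - d.recent[0] >= 1.0:
        d.recent.popleft()   # slide the one-second rate window
    if len(d.recent) >= d.max_ops_per_sec: return BLOCK, "rate"
    d.recent.append(now)
    return (ESCALATE, "threshold") if amount > d.escalate_above else (ALLOW, "ok")

def entry_hash(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def append_entry(chain, record):
    prev = chain[-1]["hash"] if chain else "0" * 64   # each entry commits to its predecessor
    chain.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})

def verify_chain(chain):  # index of the first inconsistent entry, or -1 if intact
    prev = "0" * 64
    for i, e in enumerate(chain):
        if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    return -1

def demo():
    d, chain = Delegation(100.0, frozenset({"pay", "quote"}), 1000.0, 200.0, 2), []
    ops = [("pay", 50, 0.0), ("pay", 500, 0.1), ("quote", 1, 0.2),   # constructed samples:
           ("wire", 10, 1.5), ("pay", 5000, 1.6), ("pay", 20, 1.7)]  # (action, amount, time)
    for action, amount, now in ops:
        decision, reason = check(d, action, amount, now)
        append_entry(chain, dict(t=now, action=action, amount=amount, decision=decision, reason=reason))
    return d, chain
```

Setting `revoked` blocks every later operation without any signature work, and editing any logged record makes `verify_chain` report the index of the altered entry.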

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents AITH, a post-quantum continuous delegation protocol for human-AI trust. It introduces a Continuous Delegation Certificate signed once with ML-DSA-87 enabling sub-microsecond boundary checks at 4.7M ops/sec, a six-check Boundary Engine enforcing hard constraints, rate limits and escalation triggers with zero cryptographic overhead, a push-based Revocation Protocol with one-second invalidation, and a three-tier SHA-256 Responsibility Chain for audit logging. All five security theorems are claimed to be machine-verified in Tamarin under the Dolev-Yao model, with simulations of 100,000 operations reporting 79.5% autonomous execution, 6.1% human escalation and 14.4% blocked.

Significance. If the central security claims hold, particularly the Boundary Engine's enforcement on probabilistic AI agents, AITH could provide a practical foundation for bounded autonomous delegation that existing deterministic protocols (TLS, OAuth, Macaroons) do not address. The post-quantum signature choice, high claimed throughput, and machine-checked theorems would be notable strengths for a protocol paper in this area.

major comments (2)
  1. [Formal Verification] Formal Verification section: The statement that all five security theorems are machine-verified via Tamarin under the Dolev-Yao model is load-bearing for the central claim, yet Dolev-Yao models only deterministic protocol steps and perfect cryptography. No description is given of how the Tamarin model incorporates nondeterministic AI transitions, probabilistic outputs, or dynamic trust boundaries required by the six-check Boundary Engine; therefore the verification does not establish correctness of the enforcement mechanism for the AI-specific part of the protocol.
  2. [Simulation Results] Simulation Results section: The reported outcomes (79.5% autonomous execution, 6.1% human escalation, 14.4% blocked) from 100,000 operations are presented as validation of the Boundary Engine, but the manuscript provides no methodology, AI behavior model, or implementation details for the simulation. This leaves open whether the results actually test the claimed hard-constraint enforcement under variable probabilistic conditions.
minor comments (2)
  1. [Abstract] Abstract: The performance figure '4.7M ops/sec' and 'sub-microsecond boundary checks' are stated without a corresponding benchmark table, experimental setup, or reference to a results section.
  2. [Introduction] Introduction: The comparison to TLS, OAuth 2.0 and Macaroons is brief; a more detailed table contrasting how each handles (or fails to handle) probabilistic agents and continuous delegation would strengthen the novelty argument.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The comments identify important areas where additional clarity is needed to strengthen the presentation of our formal verification and simulation results. We address each point below and will incorporate revisions in the next version of the manuscript.

Point-by-point responses
  1. Referee: [Formal Verification] Formal Verification section: The statement that all five security theorems are machine-verified via Tamarin under the Dolev-Yao model is load-bearing for the central claim, yet Dolev-Yao models only deterministic protocol steps and perfect cryptography. No description is given of how the Tamarin model incorporates nondeterministic AI transitions, probabilistic outputs, or dynamic trust boundaries required by the six-check Boundary Engine; therefore the verification does not establish correctness of the enforcement mechanism for the AI-specific part of the protocol.

    Authors: We appreciate the referee's careful reading. The Tamarin model is constructed to verify the cryptographic protocol steps (Continuous Delegation Certificate issuance, boundary check enforcement, and revocation) under the standard Dolev-Yao assumptions of perfect cryptography and adversarial control of the network. AI agent actions are modeled as nondeterministic choices that are constrained by the deterministic six-check Boundary Engine; the theorems establish that no sequence of such choices can violate the hard constraints, rate limits, or escalation triggers once the certificate is valid. However, we agree that the manuscript does not provide the Tamarin model specification or describe how nondeterminism and trust boundaries are encoded. We will revise the Formal Verification section to include the relevant Tamarin rules, lemmas, and modeling choices for the AI-specific nondeterminism. This will make explicit that the verification covers the protocol's enforcement guarantees while treating the AI's internal probabilistic decisions as external nondeterministic transitions. revision: yes

  2. Referee: [Simulation Results] Simulation Results section: The reported outcomes (79.5% autonomous execution, 6.1% human escalation, 14.4% blocked) from 100,000 operations are presented as validation of the Boundary Engine, but the manuscript provides no methodology, AI behavior model, or implementation details for the simulation. This leaves open whether the results actually test the claimed hard-constraint enforcement under variable probabilistic conditions.

    Authors: We acknowledge that the current manuscript summarizes the simulation outcomes without sufficient methodological detail. The 100,000 operations were generated from the five rounds of multi-model adversarial auditing described in the paper, using AI behavior models that include probabilistic decision-making within the defined trust boundaries. We will expand the Simulation Results section to include: (1) the AI agent models and their probabilistic parameters, (2) how the 100,000 operations were sampled to exercise hard constraints, rate limits, and escalation triggers, and (3) the simulation implementation (including how blocked vs. escalated outcomes were determined). These additions will demonstrate that the reported percentages reflect testing of the Boundary Engine's enforcement under variable conditions. revision: yes

Circularity Check

0 steps flagged

No circularity detected; protocol claims and Tamarin verification are independent contributions

Full rationale

The provided text presents AITH as a direct protocol design with three explicit components (Continuous Delegation Certificate using ML-DSA-87, six-check Boundary Engine, push-based Revocation Protocol) plus external machine verification of five theorems in Tamarin under the standard Dolev-Yao model. No equations, derivations, or self-referential definitions appear that would reduce any result to its own inputs by construction. No self-citations are invoked as load-bearing premises, no parameters are fitted then renamed as predictions, and no ansatz or uniqueness claims are smuggled in. The adversarial auditing and simulation results are presented as separate validation steps rather than circularly derived from the protocol itself. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the Dolev-Yao threat model for formal verification and standard assumptions of post-quantum signature security; no free parameters or new entities are introduced in the abstract.

axioms (1)
  • domain assumption Dolev-Yao model accurately captures the attacker capabilities for the security theorems
    Invoked for the machine verification of the five security theorems as stated in the abstract.

pith-pipeline@v0.9.0 · 5535 in / 1347 out tokens · 56859 ms · 2026-05-10T18:27:44.020658+00:00 · methodology


Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. MAGIQ: A Post-Quantum Multi-Agentic AI Governance System with Provable Security

    cs.LG 2026-05 unverdicted novelty 6.0

    MAGIQ introduces a post-quantum secure system for policy definition, enforcement, and accountability in multi-agent AI using novel cryptographic protocols and UC framework proofs.

  2. Authorization Propagation in Multi-Agent AI Systems: Identity Governance as Infrastructure

    cs.AI 2026-05 unverdicted novelty 5.0

    Multi-agent AI creates an authorization propagation problem not solved by prompt injection defenses or classical access control, requiring identity governance as continuously enforced infrastructure.

Supplementary Materials (Extended Version)

The following appendices are available in the extended arXiv version:

  • Appendix A: Formal Proofs. Full mathematical reductions for Theorems 1–5, including the complete EUF-CMA→M-LWE reduction for Certificate...