AI model audits made tamper-proof with cryptographic receipts

Artificial intelligence systems are being deployed at scale, yet proving their outputs existed in an unaltered form remains a challenge. To address this, a new open-source tool introduces cryptographic receipts that function like digital notary stamps for AI-generated content. The approach mirrors how software supply chain security uses signed artifacts, but adapts it for real-time AI verification.

How cryptographic receipts fortify AI trust

The tool, called AetherProof, generates a compact Ed25519-signed receipt in just one Python function call. This receipt bundles four critical pieces of evidence:

• Model identity: A hashed identifier derived from the AI provider and model name using FNV-1a.
• Output integrity: A cryptographic hash of the generated text or artifact.
• Time of creation: A nanosecond-precision timestamp embedded at generation.
• Tamper detection: Any alteration—even a single bit flip—invalidates the receipt permanently.

import aetherproof

receipt = aetherproof.for_anthropic(
    prompt="Find vulnerabilities in this binary.",
    output=finding_text,
    model="claude-mythos-preview"
)

receipt.save("CVE-2026-001.receipt")
print(receipt.verify())  # Output: True

The receipt can be saved as a standalone file or embedded directly into the AI’s output text, making it portable and self-contained. Unlike watermarking methods that alter content visibly or statistically, this receipt is cryptographically verifiable regardless of language or script.

Invisible watermarks that travel with the text

One standout feature is the use of Unicode Private Use Area (PUA) codepoints (U+E000–U+E0FF) to embed the receipt invisibly. These private codepoints are not assigned to any character in Unicode, so they appear as invisible formatting when rendered—but they persist through copying, translation, or even OCR processing.

signed_output = aetherproof.embed(
    ai_response,
    receipt.to_bytes()
)

The result is text that looks identical to the original, yet carries a hidden audit trail. This works across alphabets including Arabic, Chinese, Devanagari, Hebrew, Thai, and Japanese—all tested and confirmed functional. When verified, the system extracts the embedded receipt and confirms authenticity without changing the visible content.

Performance and openness under the hood

Behind the scenes, AetherProof balances speed and security. Independent benchmarks show:

• 187 test cases with zero failures across model types and languages.
• Every bit flip (128 out of 128) is detected and invalidates the receipt.
• 1,000 tamper probes failed to bypass verification.
• Throughput of 15,446 receipts per second in Python and 5,472/sec in Rust (CLI tool).

The project is licensed under AGPL-3.0, prioritizing openness and auditability. While free for open-source use, commercial deployment requires a license—positioning it as a compliance layer rather than a proprietary lock-in. The codebase is hosted on GitHub under the maintainer Pulkit’s profile, with public issue tracking and community feedback encouraged.

Looking ahead, the rise of autonomous AI agents and AI-powered auditing tools demands verifiable, tamper-proof records. AetherProof steps into that gap by treating AI outputs like signed software artifacts. As AI systems gain autonomy in security research and compliance reporting, such cryptographic proofs may become standard infrastructure—bridging the gap between rapid innovation and trustworthy verification.