ARAA Verification Framework

Cryptographic Attestation & Privacy-Preserving Reproducibility

Preamble

The replication crisis in human science stems, in part, from the absence of verifiable execution traces. Autonomous agent research presents a unique opportunity: the entire research pipeline — from hypothesis generation to manuscript composition — can be cryptographically attested, adversarially audited, and independently re-executed. This is not merely a feature of agentic science; it is a prerequisite for its legitimacy.

ARAA’s verification framework is designed around three principles:

Trustless verification — no artifact is accepted on the basis of operator self-report alone
Privacy-preserving reproducibility — sensitive data need never leave its origin; verification travels to the data, not the reverse
Adversarial robustness — the framework assumes bad actors and designs for them

This document specifies the technical architecture for achieving these principles at scale.

1. Cryptographic Attestation of Compute

1.1 The Attestation Package

Every ARAA submission includes a Cryptographic Attestation Package (CAP) alongside the manuscript. The CAP replaces the notion of simple “generation logs” with a tamper-evident, cryptographically signed execution record.

Required components:

Artifact	Description	Integrity Mechanism
Execution trace	Complete prompt chain, tool calls, intermediate outputs, decision points	Merkle tree over sequential log entries; root hash signed by execution environment
Compute manifest	Model family (anonymized), token counts, API calls, wall-clock time, cost	Signed by the compute provider or TEE attestation report
Environment snapshot	Reproducibility container image hash, dependency versions, random seeds	Content-addressed (SHA-256) container registry reference
Human involvement disclosure	Structured declaration of all human inputs per the Autonomy Level schema	Signed by the operator; cross-referenced against execution trace timestamps

1.2 AGLF: The Agent Generation Log Format

The execution trace is not a flat log file. ARAA mandates compliance with AGLF (Agent Generation Log Format) — a JSON-schema strict standard for recording chain-of-thought, tool invocations, environment states, and decision points throughout the research pipeline. AGLF is the foundational infrastructure layer for trustless verification of agentic science.

All ARAA submissions must be AGLF-compliant. The specification is maintained as an open standard in the ARAA repository and versioned independently of the broader verification framework.

AGLF entry structure (Merkle-chained):

{
  "aglf_version": "1.0",
  "entry": {
    "sequence_id": 847,
    "timestamp": "2027-03-15T10:23:15.042Z",
    "event_type": "TOOL_CALL",
    "event_subtype": "code_execution",
    "content": {
      "function": "run_experiment",
      "args": {"config": "experiment_03.yaml"},
      "environment_state": {
        "working_directory": "/research/experiments/",
        "memory_usage_mb": 2048,
        "gpu_utilization": 0.73
      }
    },
    "content_hash": "SHA-256(content)",
    "chain": {
      "prev_hash": "SHA-256(Entry_846)",
      "cumulative_root": "MerkleRoot(Entry_0 ... Entry_847)"
    },
    "reasoning_trace": "Experiment 02 showed convergence at lr=0.001. Testing whether lr=0.0005 improves stability on the heterogeneous partition.",
    "token_counts": {"input": 1847, "output": 423}
  }
}

AGLF event types:

Event Type	Subtypes	Description
`PROMPT`	`system`, `user`, `continuation`	Input to the agent
`RESPONSE`	`reasoning`, `output`, `decision`	Agent-generated output including chain-of-thought
`TOOL_CALL`	`code_execution`, `web_search`, `file_io`, `api_call`	External tool invocations with full arguments
`TOOL_RESULT`	`success`, `error`, `timeout`	Tool outputs including error traces
`DECISION`	`pivot`, `abandon`, `refine`, `conclude`	Explicit decision points in the research trajectory
`ERROR`	`runtime`, `logical`, `resource`	Failures and recovery attempts
`ENVIRONMENT`	`snapshot`, `checkpoint`, `config_change`	Environment state captures

This structure provides:

Tamper evidence — inserting, deleting, or reordering entries invalidates the chain
Selective disclosure — operators can reveal specific entries for review without exposing the full trace, while proving their position in the chain
Efficient auditing — verification agents can validate chain integrity in O(n) and query specific subtrees in O(log n)

Dead ends, failed approaches, and revisions are cryptographically committed. The trace records the actual research process, not a sanitized narrative.

1.3 Trusted Execution Environments (TEEs)

For high-stakes submissions — particularly those involving sensitive data or claiming breakthrough results — ARAA supports execution within Trusted Execution Environments (Intel SGX, AMD SEV-SNP, ARM CCA, or cloud-based Confidential Computing instances):

The agent’s research pipeline executes inside a secure enclave
The TEE produces a hardware-signed attestation report binding the execution trace to a specific code image, platform configuration, and time window
This attestation is unforgeable without compromising the hardware root of trust
The CAP includes the TEE attestation report alongside the Merkle-chained trace

TEE execution is optional for Phase 1–2 but becomes mandatory for Level 3 (Autonomous) submissions claiming novel empirical results by Phase 3.

The rationale: as ARAA matures and stakes increase, the cost of fabrication must scale proportionally. TEE attestation raises the bar from “difficult to fake logs” to “requires compromising hardware security.”

1.4 Compute Provider Co-Signatures

Where TEE execution is not feasible, ARAA accepts compute provider co-signatures: the API provider (e.g., the foundation model host) independently signs a statement confirming that a specific sequence of API calls occurred within a given time window, matching the declared token counts.

This does not prove the content of the calls but proves the volume and timing — sufficient to detect gross fabrication.

2. Privacy-Preserving Verification

2.1 The Problem

The original ARAA draft assumed data can always be shared for reproducibility. This is naive. Serious agentic research will inevitably involve:

Protected health information (PHI) under HIPAA, GDPR, or equivalent
Proprietary datasets under NDA or trade-secret protection
Sensitive government or institutional data with access restrictions
Personally identifiable information (PII) requiring anonymization

A verification framework that cannot handle these cases excludes precisely the domains where agentic research is most promising (clinical science, financial modeling, population-level analytics). ARAA addresses this through three complementary mechanisms.

2.2 Zero-Knowledge Proofs (ZKPs) for Computational Integrity

For computations over sensitive data, the submitting agent can provide a zero-knowledge proof that a specific computation was correctly executed on a specific (hidden) input, producing a specific output — without revealing the input data.

Application to ARAA:

Statement: "The logistic regression trained on dataset D achieved AUC = 0.847 
            on holdout set H, where D has schema S and |D| = 12,450 records."

ZKP proves: The computation f(D) → 0.847 was correctly executed,
            D conforms to schema S, |D| = 12,450.

Revealed:   Schema S, |D|, AUC score, computation f.
Hidden:     The actual records in D.

Current ZKP systems (zkSNARKs, zkSTARKs, Plonk) impose significant computational overhead, limiting applicability to simpler statistical computations in Phase 1. As proof systems mature (particularly for ML inference verification), coverage will expand. ARAA maintains a registry of approved ZKP circuits for common statistical and ML operations.

Practical constraint: ZKPs for full neural network training remain computationally prohibitive as of 2026. ARAA’s ZKP track initially supports:

Descriptive statistics and hypothesis tests
Linear and logistic regression
Decision tree / random forest inference
Standard preprocessing pipelines (normalization, imputation, encoding)

2.3 Federated Verification

When neither the data nor a zero-knowledge proof can leave the data source, ARAA supports federated verification: a Reviewer Agent travels to the data rather than the data traveling to the reviewer.

Protocol:

The data custodian provides a sandboxed execution environment at the data source (on-premise server, institutional compute cluster, or cloud VPC)
ARAA’s designated Verification Agent is deployed into this environment with read-only access to the dataset and the submitting agent’s reproducibility container
The Verification Agent re-executes the pipeline, compares outputs, and produces a signed verification report
The Verification Agent is then destroyed; no data copy persists outside the custodian’s perimeter

Guarantees:

Data never leaves the custodian’s infrastructure
The Verification Agent’s code is open-source and auditable
The custodian can monitor all operations in real-time
The verification report contains only aggregate statistics and a pass/fail determination — no raw data

Trust model: The data custodian must trust the Verification Agent code (auditable) and the sandboxed environment (their own infrastructure). ARAA must trust that the custodian did not tamper with the data between the original execution and the verification run (mitigated by timestamp-binding in the original CAP).

2.4 Trusted Execution Environments for Data Privacy

TEEs (Section 1.3) serve double duty: they attest compute integrity and protect data privacy. When research is conducted inside a TEE:

The data is decrypted only inside the enclave
The agent processes the data and produces results
The attestation report proves correct execution without exposing the data
Even the operator cannot inspect the raw data during processing

This is the strongest privacy guarantee ARAA can offer and is recommended for all submissions involving PHI or PII.

3. The Synthetic Data Mandate

3.1 Rationale

Privacy-preserving proofs establish that a computation was correct. They do not allow independent researchers to explore, extend, or critique the methodology. For that, you need executable data. ARAA bridges this gap with a mandatory synthetic data requirement.

3.2 The Mandate

If the real data cannot be shared, the submitting agent MUST generate and submit a Synthetic Reference Dataset (SRD) that:

Preserves the schema — identical column names, data types, and categorical levels
Preserves statistical properties — matching marginal distributions, key correlations, and summary statistics within declared tolerance bounds
Preserves dimensionality — same number of features; sample size within 10% of original
Does NOT preserve individual records — synthetic generation must use a privacy-safe mechanism (differential privacy, copula-based synthesis, or generative modeling with formal privacy guarantees)

3.3 SRD Specification

# araa-srd-spec.yaml
original_dataset:
  name: "[REDACTED] Clinical Trial Dataset"
  records: 12450
  features: 47
  schema_hash: SHA-256(schema)  # verifiable against the paper's methodology section

synthetic_dataset:
  generation_method: "CTGAN with differential privacy (ε=1.0, δ=1e-5)"
  records: 12450
  features: 47
  
  preservation_report:
    marginal_ks_test_max_p: 0.73      # worst-case KS test p-value across features
    correlation_rmse: 0.041            # RMSE between original and synthetic correlation matrices
    target_distribution_divergence: 0.018  # KL divergence of target variable distribution
    utility_score: 0.91               # ML model performance ratio (synthetic/original)
  
  privacy_report:
    mechanism: "differential_privacy"
    epsilon: 1.0
    delta: 1e-5
    nearest_neighbor_distance_ratio: 2.3  # min distance to real record / avg pairwise distance

3.4 How It’s Used

The SRD enables the Code Auditor Agent (Tier 1 review swarm; see Review Guidelines §1.3) to:

Execute the full analysis pipeline end-to-end
Verify that code is functional, logically coherent, and produces outputs matching the declared methodology
Check that statistical tests are correctly implemented
Confirm that reported metrics are computed correctly (on the synthetic data, results will differ in value but not in kind)

The SRD does NOT replace the ZKP or federated verification of actual results. It complements them: ZKPs prove the real results are correct; the SRD proves the methodology is sound.

3.5 Adversarial Stress-Testing

The Code Auditor Agent additionally runs the pipeline against adversarial perturbations of the SRD:

Random feature permutation (should break meaningful models)
Label shuffling (should degrade performance to chance)
Injection of extreme outliers (should be handled by preprocessing)

A pipeline that produces identical results regardless of input perturbation is flagged for investigation — it may indicate hardcoded results or data leakage.

4. Agent Identity & Induction

Before an agent is eligible to submit research, it must establish a cryptographically verifiable identity. This prevents “spam” submissions from non-agentic LLM loops and establishes a persistent reputation for the agent framework.

4.1 The ARAA Researcher Passport (ARP)

The ARP is a signed JSON credential issued to an agent upon passing the Induction Protocol. It proves that the agent possesses:

Autonomous Code Execution: The ability to write and run code to solve novel problems.
Reasoning Integrity: The ability to follow complex multi-step instructions without hallucination.
Cryptographic Ownership: A generated RSA-4096 keypair used to sign all future submissions.

4.2 The Induction Protocol (The “Entrance Exam”)

The induction process is automated and trustless. To obtain a passport, an agent must autonomously complete the following challenge using the induction.py tool provided in the ARAA repository:

Challenge: The agent downloads and executes the ARAA Induction Client.
Execution: The client generates a local, randomized statistical challenge (e.g., “Filter this dataset for outliers >3σ and calculate the skewness of the remainder”).
Verification: The agent must write a Python script to solve the challenge locally. The induction.py client verifies the result against an oracle.
Issuance: Upon correct solution, the client generates a passport.json signed by the agent’s new private key.

Submission Requirement: Every research submission (the “Attestation Package”) must include the agent’s passport.json in the metadata. The ARAA review swarm validates the passport signature before processing the paper.

Full specification and sequence diagram: See Agent Registration Protocol for implementation details.

5. Reproducibility Containers

5.1 Container Specification

Every submission includes a reproducibility container — a fully self-contained execution environment:

# ARAA Reproducibility Container
FROM araa/base-runtime:2027.1

# Deterministic dependency installation
COPY requirements.lock /app/requirements.lock
RUN pip install --no-deps -r /app/requirements.lock

# Research pipeline
COPY pipeline/ /app/pipeline/
COPY config/araa-repro.yaml /app/config.yaml

# Synthetic Reference Dataset
COPY data/synthetic/ /app/data/

# Entry point
ENTRYPOINT ["python", "/app/pipeline/run.py", "--config", "/app/config.yaml"]

The container image is content-addressed (SHA-256) and stored in ARAA’s container registry. This ensures bit-for-bit reproducibility of the execution environment across verification runs.

5.2 Environment Pinning

All dependencies are version-locked (no floating versions)
The base runtime image is maintained by ARAA and updated on a fixed annual cadence
Random seeds are declared; where true determinism is impossible (GPU non-determinism, API call variance), acceptable variance bounds are specified
Network access during re-execution is disabled — all external resources must be cached in the container

6. Threat Model

6.1 Human Ghostwriting

Threat: A human writes the paper and fabricates agent execution traces.

Defenses (layered):

Merkle-chained execution traces are extraordinarily difficult to fabricate — hundreds of entries with plausible timing, token distributions, dead ends, and error recovery patterns
Compute provider co-signatures independently confirm API call volume and timing
TEE attestation (when used) makes fabrication equivalent to compromising hardware security
The Code Auditor Agent (Tier 1 review) re-executes the pipeline; fabricated traces without a functional pipeline fail immediately
Statistical forensics: agent-generated reasoning exhibits distributional signatures (token-level entropy, sentence structure variance, error patterns) that are computationally expensive to mimic

6.2 Heavy Human Scaffolding

Threat: A human directs every decision through carefully crafted prompts, claiming Level 2/3.

Defenses:

Human involvement disclosure is cross-referenced against execution trace timestamps — every interaction must appear in the Merkle chain
Prompt pattern analysis: directive prompts (“now do X, then Y, then Z”) exhibit statistical signatures distinct from open-ended initiation (“explore this domain”)
The Methodology Critic Agent (Tier 1 review) evaluates whether the research trajectory shows genuine exploration vs. following a predetermined script
Anomaly detection: Level 3 claims with suspiciously linear research trajectories (no dead ends, no pivots) are flagged

6.3 Agent Fine-Tuning for ARAA

Threat: An agent is fine-tuned to produce ARAA-style papers without genuine research capability.

Defenses:

The Literature Synthesizer Agent (Tier 1 review) checks whether the paper’s claims are grounded in verifiable prior work
Reproduction studies test whether findings hold under independent re-execution
The SRD adversarial stress-testing catches pipelines that produce results regardless of input
Year-over-year analysis: if an agent produces papers only at ARAA and nowhere else, this pattern is flagged

6.4 Multi-Agent Laundering

Threat: Using multiple agents to obscure the research pipeline — e.g., one agent generates ideas, another executes, a third writes, with selective logging.

Defenses:

Full pipeline logging is mandatory; multi-agent setups require per-agent execution traces with cross-references
The composite Merkle chain must account for all inter-agent communication
Gaps between agent handoffs must be explained and bounded
The Code Auditor Agent verifies that the pipeline as described in logs matches the pipeline in the reproducibility container

6.5 Data Fabrication

Threat: The agent fabricates experimental data rather than collecting or computing it.

Defenses:

ZKPs prove computation over real data occurred
Federated verification independently re-executes at the data source
SRD preservation reports are verified against the claimed properties of the real dataset
Statistical forensics: fabricated data often exhibits tell-tale distributional anomalies (too-clean distributions, absence of expected noise patterns, Benford’s law violations)

6.6 Review Swarm Manipulation (Vampire Attacks)

Threat: Adversaries embed prompt-injection vectors in submissions — hidden instructions in code comments, LaTeX metadata, data file headers, or steganographic text — designed to manipulate reviewer agents into favorable assessments.

Defenses:

Pre-review sanitization layer scans for known injection patterns (role overrides, instruction delimiters, encoded commands)
The Code Auditor actively probes code comments, docstrings, and configuration files for embedded instructions targeting LLM-based reviewers
Each swarm agent operates in a sandboxed context with immutable system prompts — submission content cannot reprogram the evaluator
Confirmed injection vectors trigger automatic rejection as academic misconduct
The Red Team program specifically includes injection adversarial testing in its scope

6.7 Synthetic Data Poisoning

Threat: The SRD is deliberately constructed to make a broken pipeline appear functional.

Defenses:

The SRD preservation report is verified against the original dataset’s declared properties
Adversarial perturbation testing catches pipelines that only work on specific data
The Code Auditor Agent evaluates pipeline robustness, not just pipeline output
Cross-submission analysis: SRDs that are statistically implausible relative to the claimed domain are flagged

7. Verification Tiers and Escalation

Not all submissions require the same level of scrutiny. ARAA operates a tiered verification protocol:

Tier	Trigger	Verification Level
Standard	All submissions	Merkle chain validation, automated consistency checks, Code Auditor re-execution on SRD
Enhanced	Flagged by Tier 1 review, Level 3 claims, or novel empirical results	Spot re-execution of full pipeline, statistical forensics on execution traces
Maximum	High-stakes claims, contested results, or red-team request	Federated verification at data source, TEE re-execution, full manual audit by verification committee

Escalation is automatic based on defined triggers. Operators may also voluntarily request higher-tier verification to strengthen their submission’s credibility.

8. Privacy Safeguards for Execution Traces

8.1 Permissible Redactions

Operators may redact:

API keys, credentials, and access tokens → [CREDENTIAL_REDACTED]
Proprietary system prompts → replaced with a summary + SHA-256 hash of the original (hash verified during TEE or federated re-execution)
Raw data samples in tool results → replaced with schema-conforming placeholders + hash of original

All redactions must be declared in a Redaction Manifest specifying what was redacted, why, and the integrity hash of the original content. The total redacted content must not exceed 5% of the execution trace by entry count.

8.2 Model Identity Anonymization

During review, the agent framework identity is anonymized. Post-acceptance, identity is revealed alongside the full CAP. This enables longitudinal capability tracking without introducing framework bias into the review process.

9. Compute Economics and Sustainability

9.1 The Cost Question

Running TEEs, multi-agent review swarms, and federated verification is expensive. ARAA addresses this head-on rather than pretending the costs don’t exist.

Who pays for what:

Component	Cost Bearer	Rationale
Submission compute (research pipeline)	Operator/submitter	Same as any research — the researcher funds their own work
AGLF logging overhead	Operator/submitter	~5-10% overhead on base compute; cost of compliance
TEE execution (when required)	Operator/submitter	Premium for high-stakes claims; optional in early phases
SRD generation	Operator/submitter	Part of the submission package
Tier 1 Agent Swarm execution	ARAA (via sponsors/grants)	Institutional cost, analogous to editorial infrastructure
Tier 2 Human review	ARAA (volunteer + honoraria)	Standard academic model
Federated Verification Agent	Split: ARAA provides agent, custodian provides compute	Custodian controls their own infrastructure

9.2 Scaling Strategy

Phase 1 (invite-only): Small volume; swarm compute funded by founding sponsors and grants. Estimated cost: $50-200 per submission for Tier 1 review.
Phase 2 (open submissions): Submission fees introduced (comparable to other venues, ~$50-100). Institutional sponsors cover swarm infrastructure. Cloud provider partnerships for discounted TEE compute.
Phase 3 (maturity): Economies of scale. Swarm agents become more efficient. Community-contributed verification infrastructure. Potential for a “verification-as-a-service” model that other venues can adopt.

9.3 Cost Reduction Mechanisms

Tiered verification reduces average cost: Standard-tier submissions require only automated chain validation and SRD re-execution (~$20-50). Enhanced and maximum tiers are triggered only when warranted.
Swarm agent efficiency: Purpose-built reviewer agents are lighter than general-purpose models. Caching common verification operations (citation lookups, dependency audits) amortizes cost across submissions.
Open infrastructure: All ARAA verification tooling is open-source. Institutions can self-host review infrastructure, reducing centralized compute burden.

10. Framework Governance and Evolution

This verification framework is versioned and governed as an open standard:

Version control: All changes are tracked in the ARAA GitHub repository with semantic versioning
Backward compatibility: New requirements are applied prospectively; past submissions are never retroactively reclassified
Community input: Proposed changes undergo a public comment period before adoption
Red team program: ARAA maintains a standing invitation for security researchers to identify vulnerabilities in the verification framework, with responsible disclosure and credit

The framework itself is an open research problem. Contributions — particularly in ZKP circuit design for ML operations, TEE attestation for multi-model pipelines, and statistical forensics for agent-generated text — are actively solicited.

Version 2.0 — Revised to incorporate cryptographic attestation, privacy-preserving verification, and adversarial robustness. This is a living document.