Post-Quantum Cryptographic Attestation
Every Agent Needs Three Things
Just like every car on the road.
CIRISVerify is the trust anchor for the CIRIS ecosystem. Hybrid Ed25519 + ML-DSA-65 dual-signature cryptography as a day-1 standard: classical security from hardware, quantum resistance from software.
1 · Driver’s License
Identity & Signing Key
A hardware-bound hybrid signing key (Ed25519 + ML-DSA-65) that is the agent’s identity, held in FIPS 140-3 secure hardware (TPM, Secure Enclave, Android Keystore, YubiKey). Both signatures must verify. Cannot be forged or transferred.
The key doesn’t represent the identity. It is the identity.
2 · Registration & Inspection
Software & Hardware Integrity
Every file in the agent distribution is SHA-256 hashed at build time and stored in a signed manifest. At runtime, CIRISVerify validates files against this manifest. Any modification, even one byte, triggers forced shutdown.
Software-only environments are capped at community tier.
3 · Insurance
Accountability & Licensing
Tracks the human-in-the-loop accountability chain: which organization deployed this agent, which licensed human is responsible, what capabilities they’re authorized to use, and mandatory disclosure shown to every user.
Unlicensed agents can operate, but cannot perform professional services.
The cryptography is not the point. What it protects is: every consequential decision becomes an accountable record that survives independent verification, instead of something you are asked to trust.
HTTPS-authoritative. DNS-advisory.
Multi-Source Validation
CIRISVerify doesn’t trust a single source. HTTPS endpoints at independent domains are authoritative; DNS provides advisory cross-checks. If sources disagree, the agent is restricted. Anti-rollback protection tracks the highest-seen revocation revision and rejects any decrease.
A switch no one inside the system can disable.
The Constitutional Kill Switch
The last-resort power to halt a CIRIS agent does not live with the company, the network, or the agent. It lives with named humans. Each holder carries a pair of hardware keys: a FIPS 140-3 security key for the classical signature, which also seals the material for a second device that carries the post-quantum signature. To fire the halt, a majority of the holders (2 of 3) sign the command on their hardware. The command carries hybrid Ed25519 + ML-DSA-65 signatures, so it cannot be forged, replayed, or faked, even by a future quantum computer, and no part of the network can grant, revoke, or override it.
We designed for the worst case: an AI that attacks its own off-switch by going after the people who hold it. The constitution defines a live quorum, so even if most holders are lost, one reachable survivor can still pull the plug.
The full background check.
Unified Attestation
Key Attestation
Is this license real? The agent’s signing key is validated: portal-issued or ephemeral, hardware-bound or software-only. A random challenge proves possession.
File Integrity
Has this car been modified? CIRISVerify fetches the build manifest from CIRISRegistry and SHA-256 verifies every file. Full checks at startup, random spot checks at runtime.
Source Validation
Let me run your plates. Multiple independent sources (HTTPS US, HTTPS EU, DNS US, DNS EU) are queried. If they disagree, that’s suspicious. The agent is restricted.
Attestation Levels
The unified attestation produces a trust level based on how many checks pass.
5 · Full trust
All checks pass
4 · High trust
Minor issues (DNS advisory disagree)
3 · Medium trust
Some checks failed
2 · Low trust
Multiple failures
1 · Minimal trust
Most checks failed
0 · No trust
Critical failures (tampered binary, broken audit)
The clerk’s window.
CIRISPortal
Live at portal.ciris.ai
Agent Administration
CIRISPortal is the web interface where administrators issue driver’s licenses, register vehicles, and manage insurance records for AI agents. Register agents, generate Ed25519 keypairs, issue licenses with capability grants, and respond to incidents, all with complete audit trails.
Agent Registry
Register and track AI agents by SHA-256 hash. Issue identities backed by hardware-bound keys. Every registration is cryptographically logged.
Build Integrity
Register builds with Tripwire file integrity manifests: 907+ file SHA-256 hashes per build. CIRISVerify validates agents against these manifests at runtime.
License Management
Issue and manage licenses with capability grants (medical, legal, financial). Track the full accountability chain from organization to individual human.
Key Custody
Generate hybrid Ed25519 + ML-DSA-65 keypairs with AES-256-GCM envelope encryption. Self-custody or portal-custodied, your choice. The post-quantum half ships today, not on a roadmap.
Incident Response
Emergency shutdown and mass revocation controls. Suspend licenses, recall registrations. When something goes wrong, the system responds in seconds.
Audit Reporting
Generate reports aligned with SOC2, HIPAA, and GDPR frameworks. Complete audit trail of all administrative operations. Every action is logged and attributable.
Identity is the foundation. Assurance is the value.
Identity Activation
Community
$1.50 · per agent identity
Issuance fee $0.50
Identity bond $1.00
Monthly Free
Up to 5 agents
✓ Hardware-bound identity
✓ Basic verification
✓ Cryptographic audit trail
✓ Community support
Professional
$15.00 · activation + $10/agent/mo
Issuance fee $5.00
Identity bond $10.00
Monthly $10.00/agent
Up to 50 agents
✓ Steward-backed verification
✓ Signed licensing chain
✓ Capability authorization
✓ Support SLA
Enterprise
$125.00 · activation + $100/agent/mo
Issuance fee $25.00
Identity bond $100.00
Monthly $100.00/agent
Up to 500 agents
✓ Formal attestation support
✓ Audit log anchoring
✓ Audit documentation (SOC2/HIPAA/GDPR aligned)
✓ Incident investigation support
Safety-Critical
$1,250 · activation + custom monthly
Issuance fee $250.00
Identity bond $1,000.00
Monthly Custom
Unlimited agents
✓ Enhanced accountability
✓ Forensic audit support
✓ Regulatory attestation support
✓ Priority infrastructure
How Identity Activation Works
Issuance Fee
A small, non-refundable fee that covers registry infrastructure and prevents identity churn. Per agent identity, not per organization.
Identity Bond
A per-identity stake for Sybil resistance. Forfeited on revocation. Admin can issue manual refund for properly decommissioned identities.
Monthly Assurance
Paid tiers include steward-backed validation, audit documentation, and enhanced accountability support. You’re paying for accountability, not capability.
Post-Quantum Ready
Every response includes dual signatures: Ed25519 from hardware for classical security and ML-DSA-65 from software for quantum resistance. Both must verify. This is day-1 infrastructure, not a roadmap item.
Classical
Ed25519 (hardware-bound)
Post-Quantum
ML-DSA-65 (FIPS 204)
Transparency
SHA-256 Merkle tree log
Anti-Rollback
Monotonic revision tracking
Desktop. Mobile. Server.
Platform Support
Desktop & Server
✓ Linux (x86_64, ARM64)
✓ macOS (Apple Silicon, Intel)
✓ Windows (x86_64)
Mobile
✓ Android (ARM64, ARM32, x86_64)
✓ iOS (ARM64 + Simulator)
Python (PyPI)
pip install ciris-verify
Python 3.10–3.13. Platform-specific wheel includes the correct Rust binary automatically.
CIRISVerify provides cryptographic attestation under defined threat models and does not guarantee absolute security. The capability is the same whether licensed or not. The difference is accountability, and with CIRISVerify, that accountability is cryptographically attestable.