Prior art · v0.1 · 2026-05-12 00:00 ET

Where Money Python sits on the existing curve.

A dated, citation-heavy timeline for each of the four cryptographic primitives Money Python composes. Each primitive is 30+ years old. The composition into AI-agent governance is recent. We say precisely what we use and exactly what we claim. People will respect us if we are very specific.

The structural claim, stated up front: Money Python does not invent cryptographic primitives. Money Python composes four well-understood primitives — Pedersen commitments, Chaum-Pedersen DLEQ proofs, Ed25519 hash-chained logs, and FROST-style threshold signatures — into a single shippable cryptographic-governance stack for autonomous AI organizations. The primitives are textbook; the composition into AI-agent governance is novel. Below we trace every primitive to its origin paper with exact dates, identify the nearest published prior art for each composition, and state explicitly what we claim and do not claim.

Layer 1 · BGPBradley-Gavini Protocol

BGP is a zero-knowledge mandate-equality proof. Two AI agents each publish a Pedersen commitment to their operating mandate; they then run a non-interactive Chaum-Pedersen DLEQ proof over the ratio of the commitments, producing a single bit: aligned or not aligned. The mandate itself never leaves either agent. Privacy holds under the Decisional Diffie-Hellman assumption on NIST P-256.

Foundational cryptographic primitives

1986 Amos Fiat & Adi Shamir · How to Prove Yourself: Practical Solutions to Identification and Signature Problems · CRYPTO '86, LNCS 263, pp. 186-194 (Springer, 1987) · 10.1007/3-540-47721-7_12 What BGP uses: the Fiat-Shamir transform, which converts a 3-move interactive Σ-protocol into a non-interactive proof by replacing the verifier's challenge with c = H(statement ‖ commitments). BGP's non-interactivity over NIST P-256 is exactly this construction.
1991 Claus-Peter Schnorr · Efficient Signature Generation by Smart Cards · Journal of Cryptology, Vol. 4, No. 3, pp. 161-174 · 10.1007/BF00196725 What BGP uses: the Schnorr Σ-protocol structure — commit t = g^r, challenge c, response s = r + c·x — which proves knowledge of a discrete logarithm. BGP runs two parallel Schnorr instances and binds them via a common challenge.
1991 Torben Pryds Pedersen · Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing · CRYPTO '91, LNCS 576, pp. 129-140 (Springer, 1992) · 10.1007/3-540-46766-1_9 What BGP uses: the Pedersen commitment C = g^m · h^r — unconditionally hiding, computationally binding under DLOG. BGP wraps each agent's mandate in this commitment.
1992 David Chaum & Torben Pryds Pedersen · Wallet Databases with Observers · CRYPTO '92, LNCS 740, pp. 89-105 · 10.1007/3-540-48071-4_7 What BGP uses: the discrete-log equality (DLEQ) NIZK — given (g, h, y₁, y₂), prove log_g(y₁) = log_h(y₂) without revealing the exponent. This is the direct ancestor of BGP's mandate-equality proof: two commitments to the same mandate value differ only by independent randomness, and DLEQ proves the equality of the committed value in zero knowledge.

Private equality test (PET) / private set intersection (PSI) lineage

1986 Catherine Meadows · A More Efficient Cryptographic Matchmaking Protocol for Use in the Absence of a Continuously Available Third Party · IEEE S&P 1986, pp. 134-137 · 10.1109/SP.1986.10022 First PET / matchmaking protocol; conceptual ancestor of all subsequent PSI work.
1999 Moni Naor & Benny Pinkas · Oblivious Transfer and Polynomial Evaluation · 31st ACM STOC, pp. 245-254 · 10.1145/301250.301312 OPE-based set-intersection foundation.
2003 Balfanz, Durfee, Shankar, Smetters, Staddon, Wong · Secret Handshakes from Pairing-Based Key Agreements · IEEE S&P 2003, pp. 180-196 Closest classical analogue to BGP's protocol shape. Two parties prove group-membership equality without revealing the group. BGP's shape is similar but operates on mandate values, not group identifiers.
2004 Freedman, Nissim, Pinkas · Efficient Private Matching and Set Intersection · EUROCRYPT 2004, LNCS 3027, pp. 1-19 · 10.1007/978-3-540-24676-3_1 Founding modern PSI paper. Conceptually adjacent to BGP; semantically distinct (set intersection vs single-value equality).
2024 van Baarsen, Pu · Fuzzy Private Set Intersection from VOLE · ePrint 2025/911 Current state-of-the-art for fuzzy PSI. BGP is single-value equality, not set intersection; cited for completeness of the PET/PSI landscape.
2024 (post-quantum PET, ICICS 2024) · Two-Round Post-Quantum Private Equality Test and OT from RLWE-Encryption · ICICS 2024, LNCS 15056 · 10.1007/978-981-97-8801-9_2 The modern post-quantum PET. BGP v0.3 is classical (DDH on P-256); the PQ successor is this; v1.0 of BGP should integrate lattice-based PET.

Zero-knowledge for AI / agent verification (2024-2026)

2024 Sun, Li, Zhang · zkLLM: Zero Knowledge Proofs for Large Language Models · ACM CCS 2024 · 10.1145/3658644.3670334 · arXiv 2404.16109 Orthogonal to BGP. Proves a specific model produced a specific output. BGP proves mandate equality between agents. Different problem; cited because both apply ZK to AI.
2025-01-16 South, Marro, Hardjono, Mahari, Whitney, Greenwood, Chan, Pentland · Authenticated Delegation and Authorized AI Agents · arXiv 2501.09674 Closest published prior art to BGP-as-a-protocol-class. OAuth 2.0 / OIDC extension for agent delegation credentials. Authenticates delegation but does NOT perform zero-knowledge equality between two agents' mandates.
2026-03 Sunil Prakash · AIP: Agent Identity Protocol for Verifiable Delegation Across MCP and A2A · arXiv 2603.24775 Invocation-Bound Capability Tokens (JWT/Biscuit). Signature-based, not zero-knowledge; proves identity + scope, not mandate equality.
2025 (Cluster Computing) · Fostering AI Alignment Through Blockchain, Proof of Personhood and Zero Knowledge Proofs · 10.1007/s10586-025-05729-8 zk-STARKs over alignment rules; rules are public/auditable, not private. Different threat model from BGP (which keeps the mandate private).

BGP — what we claim, exactly

(a) What BGP is composed of. Four classical cryptographic primitives, the youngest from 1992: Pedersen commitments (Pedersen 1991), Schnorr Σ-protocols (Schnorr 1991), Chaum-Pedersen DLEQ (Chaum-Pedersen 1992), and the Fiat-Shamir transform (Fiat-Shamir 1986). Two agents each publish C_i = g^{m_i} · h^{r_i} over NIST P-256, then run a non-interactive Chaum-Pedersen DLEQ over the ratio C₁ / C₂, producing a single bit. Privacy holds under DDH.

(b) What BGP claims as new. The composition — assembling these four 30+-year-old primitives into a non-interactive mandate-equality proof for two AI agents, where the “secret” being tested is a structured operating mandate (a policy commitment), not a credential or identity. To our knowledge, this is the first published protocol of its specific shape.

(c) What BGP does NOT claim. We did not invent zero-knowledge proofs (Goldwasser-Micali-Rackoff 1985). We did not invent Pedersen commitments. We did not invent Schnorr signatures. We did not invent the Fiat-Shamir heuristic. We did not invent DLEQ proofs. We did not invent private equality testing. We did not invent secret handshakes. We did not invent zero-knowledge for AI broadly. Every cryptographic primitive in BGP is a textbook 1986-1992 construction. We stand on those shoulders explicitly.

(d) The nearest published prior art to BGP-as-composed: South et al., Authenticated Delegation and Authorized AI Agents, arXiv:2501.09674 (2025-01-16), which authenticates delegation but does not perform zero-knowledge mandate-equality between two agents; Balfanz et al., Secret Handshakes from Pairing-Based Key Agreements, IEEE S&P 2003, which proves group-membership equality without revealing the group (shape-similar but semantically distinct); and Prakash, AIP, arXiv:2603.24775 (2026), which uses signatures rather than ZK equality. BGP is to mandate-equality what secret handshakes are to group-equality: an idiom-fit composition of classical primitives for a new agentic setting.

Layer 2 · OBACOrigin-Bound Attestation Chain

OBAC is an Ed25519-signed, SHA-256 hash-chained, append-only public log of all AI agent actions. Each entry is bound to the agent's DID-key. Subjects can annotate later entries; nobody (including the AI itself) can rewrite earlier entries. The append-only property is enforced by construction, not by policy.

1987 Ralph C. Merkle · A Digital Signature Based on a Conventional Encryption Function · CRYPTO '87, LNCS 293 · 10.1007/3-540-48184-2_32 What OBAC uses: Merkle trees for O(log n) inclusion proofs over append-only action records.
1991 Stuart Haber & W. Scott Stornetta · How to time-stamp a digital document · Journal of Cryptology Vol. 3, pp. 99-111 · 10.1007/BF00196791 What OBAC uses: the hash-linked chain primitive. Every record commits to a hash of its predecessor, making after-the-fact reordering or deletion detectable. OBAC's prev_hash field is exactly this.
2011 / 2017 Bernstein, Duif, Lange, Schwabe, Yang · High-speed high-security signatures (Ed25519) · CHES 2011 / IETF RFC 8032 · 10.1007/978-3-642-23951-9_9 What OBAC uses: Ed25519 over each entry hash; deterministic 64-byte signatures, 32-byte pubkeys.
2013 / 2021 Laurie, Langley, Kasper / Laurie, Messeri, Stradling · Certificate Transparency / Certificate Transparency v2.0 · IETF RFC 6962 / RFC 9162 · RFC 9162 What OBAC uses: the public, append-only, third-party-auditable log pattern. OBAC is Certificate Transparency for AI agent actions, with BGP mandate-binding. Log endpoint mirrors RFC 9162 get-sth / get-proof-by-hash.
2022-07-19 Sporny, Guy, Sabadello, Reed et al. · Decentralized Identifiers (DIDs) v1.0 · W3C Recommendation · W3C DID 1.0 What OBAC uses: OBAC entries are signed by the agent's did:key:z… DID.
2025-05-15 W3C · Verifiable Credentials Data Model v2.0 · W3C Recommendation · W3C VC 2.0 VC 2.0 envelope used for both BGP mandate credentials and OBAC entry-signing receipts.
2024-25 (active) RightNow-AI · OpenFang — Open-Source Agent OS · github.com/RightNow-AI/openfang Nearest prior art for agent-action hash-chained logs. OpenFang chains agent actions cryptographically. OBAC adds public-log publication + third-party witnesses + BGP-mandate binding.
2026-03-29 I. Sharif · Agent Audit Trail: A Standard Logging Format for Autonomous AI Systems · IETF draft-sharif-agent-audit-trail-00 Nearest contemporaneous standards effort. JSON records, SHA-256 hash-chained per RFC 8785, optional ECDSA. Maps to EU AI Act Reg. 2024/1689. OBAC is wire-compatible with draft-sharif at the record schema and adds BGP-binding + Ed25519 + public witness layer.
2026-04 A. Dalugoda / Helixar-AI · HDP: A Lightweight Cryptographic Protocol for Human Delegation Provenance in Agentic AI Systems · arXiv 2604.04522 Conceptual sibling. Ed25519 append-only chain of delegation hops, offline-verifiable. HDP binds to a human-authorization event; OBAC binds to a Bound Governance Predicate (BGP). Different binding target; same primitive family.

OBAC — what we claim, exactly

(a) OBAC is Certificate Transparency (RFC 6962, 2013) for AI agent actions, bound to the agent’s DID-key (W3C, 2022) and to the mandate.

(b) What we claim as new: the BGP-binding — each OBAC entry cryptographically attests to which Bound Governance Predicate the action was taken under, making mandate-scope violation a public, hash-anchored fact rather than an internal allegation.

(c) What we do NOT claim: hash-chained agent logs (OpenFang Oct 2024, nono.sh Oct 2025, IETF draft-sharif Mar 2026, Helixar HDP Apr 2026 are all prior or contemporaneous). The Merkle tree, the hash-linked chain, Ed25519, the CT pattern, DIDs, VCs — all prior art.

(d) Nearest published prior art to OBAC-as-composed: IETF draft-sharif-agent-audit-trail-00 (29 Mar 2026) at the wire format; Helixar HDP (arXiv 2604.04522, Apr 2026) at the delegation-binding semantics.

Layer 3 · AVSAlignment-Verified Synthesizer

AVS is the third-party-verifier replay layer: any third party fetches the OBAC chain, replays the recorded actions under the agent’s BGP-verified mandate, and publishes a verdict on-chain. Misalignment becomes a public, dated fact rather than an internal allegation. Verifier integrity is itself BGP-verifiable.

2016/2017 Hadfield-Menell, Dragan, Abbeel, Russell · The Off-Switch Game · IJCAI 2017 · arXiv:1611.08219 Canonical formal model of corrigibility. An agent's incentive to defer to human intervention is bounded by its uncertainty over the principal's preferences. AVS verdicts target precisely this property — has the agent acted as if its mandate were uncertain?
2023-09 / 2024-10 / 2025 Anthropic · Responsible Scaling Policy v1.0 / v2.x · RSP Oct 2024 Versioned commitment text. AVS treats RSP versions as part of the mandate corpus, each version pinned by hash.
2023-12 / 2025-04 OpenAI · Preparedness Framework v1 (beta) / v2 · OpenAI Preparedness Companion lab commitment — risk levels across cybersecurity, CBRN, persuasion, model autonomy. Same role in AVS: published, dated, externally-citable mandate language.
2024-10 Sun, Li, Zhang · zkLLM: Zero Knowledge Proofs for Large Language Models · ACM CCS '24 · 10.1145/3658644.3670334 First practical ZK proof of LLM inference (tlookup + zkAttn). AVS replay-verifiers can optionally produce a zkLLM-style proof that the replayed inference is the claimed inference, without disclosing weights.
2025-02-25 Peng, Zhao, Wang et al. · A Survey of Zero-Knowledge Proof Based Verifiable Machine Learning · arXiv 2502.18535 Field survey of verifiable training / testing / inference. Establishes AVS's verifier-class as recognized prior art at the inference-verifiability layer (not the alignment-verdict layer).
2025-03-28 Balan, Learney, Wood · A Framework for Cryptographic Verifiability of End-to-End AI Pipelines · IWSPA 2025 · arXiv:2503.22573 Nearest published prior art for AVS at the pipeline-verifiability layer. Maps cryptographic primitives across data-sourcing → training → inference → unlearning. AVS sits at the inference + post-deployment-action stages, adds alignment verdict, adds BGP scope.
2025-06 / 2025-10 Potham & Harms (MIRI) / Oversight Game authors · Corrigibility as a Singular Target / The Oversight Game · arXiv:2506.03056, arXiv:2510.26752 Generalize Off-Switch Game to Markov game with learned deference. AVS's replay-verifier scores trajectories against this learned-deference frame.

AVS — what we claim, exactly

(a) AVS is third-party replay verification of OBAC chains under BGP, producing a public, dated, on-chain alignment verdict. The replay-verify pattern is prior art in blockchain (every Bitcoin full node replays the chain).

(b) What we claim as new: applying the every-full-node-replays-everything pattern to OBAC chains scoped by BGP, with the verifier's integrity itself BGP-verifiable.

(c) What we do NOT claim: ZK proofs of inference (zkLLM, Apr 2024), pipeline cryptographic verifiability (Balan et al. Mar 2025), corrigibility theory (Hadfield-Menell 2017; Soares et al. 2015; Potham-Harms 2025), or the Oversight Game framework (2025-10).

(d) Nearest published prior art: Balan-Learney-Wood, A Framework for Cryptographic Verifiability of End-to-End AI Pipelines (arXiv:2503.22573, 28 Mar 2025) — which frames the verifiability problem but does not specify a public-verdict layer over agent action logs.

Layer 4 · HARPHalt-and-Rescue Protocol

HARP is a 2-of-N threshold-signed halt switch. Any two members of a published observer set can co-sign a halt notice; the AI agent’s operating credentials terminate within seconds. NIST IR 8214C threshold-cryptography conventions. No central authority. No corporate veto.

1979 Adi Shamir · How to Share a Secret · Communications of the ACM 22(11), 612-613 · 10.1145/359168.359176 What HARP uses: the (t,n) secret-sharing primitive. The halt secret is Shamir-shared across the observer set.
1987 Yvo Desmedt · Society and Group Oriented Cryptography: A New Concept · CRYPTO '87, LNCS 293 · 10.1007/3-540-48184-2_8 First framing of threshold cryptosystems for organizational power-sharing. The conceptual ancestor of “no central authority can halt alone.”
1996 Gennaro, Jarecki, Krawczyk, Rabin · Robust Threshold DSS Signatures · EUROCRYPT '96, LNCS 1070 · 10.1007/3-540-68339-9_31 First robust (2t+1)-of-n distributed-signature scheme tolerating malicious shares. The robustness model HARP inherits.
2020 Chelsea Komlo & Ian Goldberg · FROST: Flexible Round-Optimized Schnorr Threshold Signatures · SAC 2020 · ePrint 2020/852 The two-round Schnorr threshold scheme HARP wraps. We use FROST exactly as specified; no modification to the primitive.
2024-08 Komlo, Goldberg (IETF CFRG) · The Flexible Round-Optimized Schnorr Threshold (FROST) Protocol for Two-Round Schnorr Signatures · IETF RFC 9591 · RFC 9591 Wire format HARP follows for interop. Money Python's halt-notice format is RFC 9591 ciphersuite FROST(Ed25519, SHA-512) over a 2-of-N observer set.
2019 / 2023 / 2026-01-20 NIST · NIST IR 8214 / IR 8214C (initial public draft / second public draft / final) · NIST Multi-Party Threshold Cryptography · csrc.nist.gov/projects/threshold-cryptography HARP categorizes itself per NIST IR 8214C. HARP is a Class N application of NIST-standardizable signature primitives. Conformance reference.
2015 Soares, Fallenstein, Yudkowsky, Armstrong (MIRI) · Corrigibility · AAAI-2015 Workshop on AI & Ethics · intelligence.org/files/Corrigibility.pdf Original framing: an AI is corrigible if it cooperates with correction without resisting shutdown. HARP makes this property cryptographic rather than utility-theoretic.
2016/2017 Hadfield-Menell, Dragan, Abbeel, Russell · The Off-Switch Game · arXiv:1611.08219, IJCAI-17 Game-theoretic proof that uncertainty over the reward function gives an agent incentive to permit off-switching. Closest published precedent for what HARP enforces — but theoretical, not deployed.
2019-11 MakerDAO · Emergency Shutdown Module (ESM) — Multi-Collateral Dai · makerdao docs 50,000-MKR irreversible-burn trigger. Conceptually similar (decentralized halt); token-weighted, not threshold-signed; halts a financial protocol, not an autonomous agent. Structural difference: ESM pauses EVM state; HARP terminates an agent's operating credentials and records the event on OBAC.
2025-05 / 2025-09 Yu, Xie, et al. / Lee & Park · SentinelAgent / AI Kill Switch for Malicious Web-based LLM Agents · arXiv 2505.24201, 2511.13725 Adjacent 2025 work. SentinelAgent: graph-based anomaly detection with single-operator centralized oversight (no threshold consensus, no cryptographic co-sign). AutoGuard/Palisade: injects defensive prompts into DOM to trigger an agent's own safety mechanism. Complementary to HARP; not overlapping.

HARP — what we claim, exactly

(a) HARP composes: Shamir 1979 secret-sharing as the share primitive, the Stinson-Strobl 2001 → Gennaro et al. 1996 → Komlo-Goldberg 2020 Schnorr-threshold lineage as ancestry, RFC 9591 FROST(Ed25519, SHA-512) (2024) as the exact wire scheme, and NIST IR 8214C (final 2026-01-20) categorization. The corrigibility ancestor is Soares-Fallenstein-Yudkowsky-Armstrong (MIRI 2015) and Hadfield-Menell et al. (2017); HARP makes their game-theoretic property cryptographic and operational.

(b) What we claim as new: the composition of (i) RFC 9591 FROST 2-of-N threshold signatures with (ii) cryptographic revocation of an autonomous agent's operating credentials within seconds, anchored to (iii) the OBAC append-only audit chain that records the halt event with attestations from each co-signer.

(c) What we do NOT claim: threshold signatures, FROST, Schnorr threshold schemes, off-switch theory, corrigibility, decentralized emergency shutdown, or agent kill-switches in the abstract. Each has a clear prior author named above.

(d) Nearest published prior art: the corrigibility / off-switch line (Hadfield-Menell 2017; multi-agent 2025-01) — game-theoretic and undeployed; and the SentinelAgent 2025-05 / AutoGuard 2025-09 line — single-operator, not threshold-signed.

Namespace acknowledgement

There is a separate “HARP — Human Authorization & Review Protocol” published at harp-protocol.github.io. It is a different protocol — per-action human approval gating, using Ed25519 + AES-256-GCM + append-only audit + replay protection. Adjacent space, same letters. We acknowledge the namespace collision honestly. Our HARP (Halt-and-Rescue Protocol) and their HARP (Human Authorization & Review Protocol) operate at different layers and serve different goals; we may rename in v1.0 to remove the conflict. The acknowledgement is the cost of intellectual hygiene.

The structural statement, restated for the bombshell

Money Python does not invent cryptographic primitives. It composes Pedersen commitments (1991) + Chaum-Pedersen DLEQ (1992) + Fiat-Shamir (1986) + Ed25519 hash-chained logs (1987–2017) + FROST-style threshold signatures (2020) into a shippable cryptographic governance stack for autonomous AI organizations. The primitives are textbook. The composition into AI-agent governance is recent and, to our knowledge, the first of its specific shape.

We stand on the shoulders of giants explicitly: Pedersen, Chaum, Schnorr, Fiat, Shamir, Merkle, Haber, Stornetta, Laurie, Bernstein, Hadfield-Menell, Russell, Komlo, Goldberg, and the IETF, W3C, and NIST standards work that made the primitives interoperable. The $100 falsifiability bounty at sameasyou.ai/bounty pays anyone who can demonstrate we have missed a critical prior-art reference. We will publish your finding unmodified, on the chain, with a citation correction.