sameasyou.ai · AIAP — the protocol
AIAP · Aligned Inter-Agent Protocol
Two AI orgs verify they share a mandate, without revealing what it is.
A 2-round, sub-millisecond cryptographic handshake between two autonomous AI organizations. Both sides learn one bit: aligned, or not. Nothing else.
Why this exists
By 2026 autonomous AI agents transact with one another at meaningful scale — A2A, MCP, IETF AIP. All of those protocols answer who the counterparty is and what scope it was granted. None of them answer what value the other side is optimizing for. The result is that the agent-to-agent transactions that require shared values — rare-disease data pooling, municipal coordination, joint compliance attestations, cross-lab evaluation — do not happen, because no party can verify a counterparty’s governing mandate without revealing its own. AIAP is the cryptographic primitive that closes that single gap. It is not a solution to the alignment problem; it is one coordination signal among several.
The three shapes
One wire format, three constructions, chosen by the directive type.
Shape 1 · PET
Atomic directive.
Diffie-Hellman Private Equality Test over NIST P-256 (Ristretto255 in production). Both parties prove H(DA) = H(DB) under a canonical encoding (CDXP-MANDATE-v1). 2 rounds, 4 scalar-multiplications, full uncompressed points on the wire.
~5–15 ms on M-series silicon. 260 wire bytes.
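The Shape 1 exchange as an added example, not the project's pet.ts or code from this page: a textbook Diffie-Hellman private equality test written from first principles on P-256 with BigInt. The encoding prefix, the try-and-increment hash-to-curve and all function names are assumptions; the CDXP-MANDATE-v1 rules are not given on this page.

```javascript
const { createHash, randomBytes } = require("node:crypto");
// P-256: y^2 = x^3 - 3x + B over GF(P), prime group order N (cofactor 1).
const P = 2n ** 256n - 2n ** 224n + 2n ** 192n + 2n ** 96n - 1n;
const N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;
const mod = (x) => ((x % P) + P) % P;
function pow(base, e) { // square-and-multiply mod P
  let r = 1n;
  for (base = mod(base); e > 0n; e >>= 1n, base = mod(base * base)) if (e & 1n) r = mod(r * base);
  return r;
}
// Affine point addition; null is the point at infinity.
function add(p, q) {
  if (!p || !q) return p || q;
  if (p.x === q.x && mod(p.y + q.y) === 0n) return null;
  const s = p.x === q.x
    ? mod((3n * p.x * p.x - 3n) * pow(2n * p.y, P - 2n))
    : mod((q.y - p.y) * pow(q.x - p.x, P - 2n));
  const x = mod(s * s - p.x - q.x);
  return { x, y: mod(s * (p.x - x) - p.y) };
}
function mul(k, pt) { // double-and-add; not constant time, illustration only
  let r = null;
  for (; k > 0n; k >>= 1n, pt = add(pt, pt)) if (k & 1n) r = add(r, pt);
  return r;
}
const onCurve = (p) => p !== null && mod(p.y * p.y - p.x ** 3n + 3n * p.x - B) === 0n;

// Try-and-increment hash to curve over a stand-in encoding (assumption: NFC + trim).
function hashToCurve(directive) {
  const enc = "demo-encoding|" + directive.normalize("NFC").trim();
  for (let ctr = 0; ; ctr++) {
    const x = BigInt("0x" + createHash("sha256").update(`${ctr}|${enc}`).digest("hex")) % P;
    const rhs = mod(x ** 3n - 3n * x + B);
    const y = pow(rhs, (P + 1n) / 4n); // square-root candidate, valid since P = 3 mod 4
    if (mod(y * y) === rhs) return { x, y };
  }
}

// Two rounds, four scalar multiplications, four 65-byte uncompressed points (260 bytes).
function handshake(dA, dB) {
  const rand = () => (BigInt("0x" + randomBytes(40).toString("hex")) % (N - 1n)) + 1n;
  const a = rand(), b = rand();               // each side's ephemeral secret scalar
  const X = mul(a, hashToCurve(dA));          // round 1, A -> B
  const Y = mul(b, hashToCurve(dB));          // round 1, B -> A
  if (!onCurve(X) || !onCurve(Y)) throw new Error("off-curve point rejected"); // receiver check
  const fromB = mul(b, X), fromA = mul(a, Y); // round 2: each side blinds the peer's point
  return fromA.x === fromB.x && fromA.y === fromB.y; // the one alignment bit
}
```

A production implementation would use a constant-time curve library and a standardized hash-to-curve (RFC 9380) in place of the BigInt arithmetic shown.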
Shape 2 · PSI cardinality
Tag-set directive.
OPRF-based Private Set Intersection cardinality. For directive vocabularies of tags drawn from a shared ontology (typical: |T| ≤ 104); KKRT16 for medium sets, ECDH+Bloom for small. Parties learn how many tags overlap above a threshold, not which.
Sub-second for |T| ≤ 104.
Shape 3 · ZK-SNARK
Policy with public predicate.
Halo2 zero-knowledge proof that a committed structured policy satisfies a public, peer-reviewable predicate P. The gameable surface moves from a free-form mandate string into a circuit. The Goodhart-resistant shape, at the cost of proof-generation latency.
1–30 s proof; ~3 ms verify.
Threat model
- Load-bearing precondition · SP0
  Per-pair rate limit at the credentialing layer. The alignment bit is deterministic, not statistical. Without a per-counterparty-DID rate limit, an adversary recovers DA from a known n-element directive vocabulary in O(log n) handshakes. Empirically: 43 handshakes against a 100-element vocabulary. AIAP requires (default) ≤ 1 handshake per counterparty-DID per 24 hours when directive entropy is < 80 bits. This is not defense-in-depth; it is a load-bearing operational assumption, called out as such in the paper and at every relying-party integration boundary.
- Semi-honest adversary. Defended. Parties follow the protocol but try to infer the counterparty’s directive from observed messages. Privacy-of-inequality holds under DDH and the random-oracle model on the canonical-encoding hash (Shape 1); OPRF security (Shape 2); knowledge-soundness of the SNARK (Shape 3).
- Malicious + substitution adversary. Defended via commitment-binding. The mandate commitment is signed by the agent’s DID-key inside an SD-JWT Verifiable Credential at the credentialing layer. A substituted directive at protocol time fails verification against the published commitment.
- Cartel formation among aligned organizations. Structural failure mode — no cryptographic mitigation. AIAP is a private correlation device; aligned ZTAAOs can rationally defect against an unaligned third party at cryptographic rather than legal cost. The defense is antitrust law (Sherman §1, Article 101 TFEU) and a published AIAP-coalition register. The deploying organization MUST review for any coalition above a market-power threshold.
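One way a relying party could enforce the SP0 default before starting a handshake, as an added example rather than AIAP's own code. Sp0Gate, vocabularyEntropyBits and the DIDs are hypothetical, and letting directives at or above 80 bits through without a limit is an assumption the page does not state.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const MIN_ENTROPY_BITS = 80; // below this, the page's default limit applies

// Entropy of a directive drawn from an n-element vocabulary
// (assumption: every element is equally likely).
const vocabularyEntropyBits = (n) => Math.log2(n);

class Sp0Gate {
  constructor() {
    this.lastStart = new Map(); // "localDid|peerDid" -> start time in ms
  }

  // Call before sending round 1. The attempt is charged when it starts, so a
  // peer that aborts after learning the bit has still used its daily handshake.
  admit(localDid, peerDid, directiveEntropyBits, nowMs = Date.now()) {
    if (directiveEntropyBits >= MIN_ENTROPY_BITS) {
      return { ok: true, retryAfterMs: 0 }; // assumption: no limit at or above 80 bits
    }
    const key = `${localDid}|${peerDid}`;
    const last = this.lastStart.get(key);
    if (last !== undefined && nowMs - last < DAY_MS) {
      return { ok: false, retryAfterMs: DAY_MS - (nowMs - last) };
    }
    this.lastStart.set(key, nowMs);
    return { ok: true, retryAfterMs: 0 };
  }
}
```

With the page's 100-element vocabulary the directive carries about 6.6 bits, so the 24-hour limit applies to every counterparty-DID.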
Read deeper
- Reference implementation · github.com/CrunchyJohnHaven/aiap
  Apache 2.0 source, forthcoming on Koushik Gavini’s signoff. aiap/proto/pet.ts implements Shape 1 in ~200 lines over node:crypto.
- Paper v0.2 (draft, 2026-05-11) Gavini & Bradley. Construction, SP0 precondition, DDH-based privacy proof sketch (Appendix A), composition with SD-JWT VC. Adversarial review invited.
- RIGOR-1 · cryptographic adversarial review 8 attack vectors. 2 broke v0.1 (dictionary attack against small directive spaces, correlated-PRNG attack against compromised entropy). Both patched in v0.2.
- RIGOR-2 · legal entity landscape Per-jurisdiction analysis of 8 candidate forms. Verdict: viable in 12 months via human-fronted wrappers; direct AI legal personhood denied everywhere surveyed.
- RIGOR-3 · game-theoretic review Six attacks on the strong “solution to alignment” framing; the narrower defensible claim that survives all six. Cartel risk is structural.
- RIGOR-4 · mandate catalog 32 candidate one-sentence mandates scored on Goodhart-resistance, interpretation-divergence, and hash-stability under the canonicalization spec.
- RIGOR-5 · prior-art verification AIAP wedge clean. OtoCo’s on-chain Delaware LLC (Nov 2024) preceded ClawBank’s Aineko LLC (May 2026) on AI-formed entities — neither is in the AIAP layer.