AITH: A Post-Quantum Continuous Delegation Protocol for Human-AI Trust Establishment

Published 9 Apr 2026 in cs.CR and cs.AI | (2604.07695v1)

Abstract: The rapid deployment of AI agents acting autonomously on behalf of human principals has outpaced the development of cryptographic protocols for establishing, bounding, and revoking human-AI trust relationships. Existing frameworks (TLS, OAuth 2.0, Macaroons) assume deterministic software and cannot address probabilistic AI agents operating continuously within variable trust boundaries. We present AITH (AI Trust Handshake), a post-quantum continuous delegation protocol. AITH introduces: (1) a Continuous Delegation Certificate signed once with ML-DSA-87 (FIPS 204, NIST Level 5), replacing per-operation signing with sub-microsecond boundary checks at 4.7M ops/sec; (2) a six-check Boundary Engine enforcing hard constraints, rate limits, and escalation triggers with zero cryptographic overhead on the critical path; (3) a push-based Revocation Protocol propagating invalidation within one second. A three-tier SHA-256 Responsibility Chain provides tamper-evident audit logging. All five security theorems are machine-verified via Tamarin Prover under the Dolev-Yao model. We validate AITH through five rounds of multi-model adversarial auditing, resolving 12 vulnerabilities across four severity layers. Simulation of 100,000 operations shows 79.5% autonomous execution, 6.1% human escalation, and 14.4% blocked.

Authors (1)

Summary

  • The paper introduces a protocol enabling continuous, granular, and revocable human-to-AI delegation using post-quantum certificates.
  • It employs a six-check boundary engine that enforces policies at sub-microsecond speeds, achieving over 4.7M operations per second per core.
  • The push-based revocation scheme and responsibility chain ensure immediate, auditable responses to credential compromises and policy violations.

AITH: Formalizing Post-Quantum Continuous Delegation for Human-AI Authorization

Introduction and Motivation

The increasing operational autonomy of AI agents across high-stakes domains—financial trading, infrastructure management, contract negotiation—presents acute challenges for authorization protocols. Established credential mechanisms (TLS, OAuth 2.0, SPIFFE, Macaroons) were built for deterministic service architectures and fail to address the continuous, high-throughput, probabilistic action space of AI agents. These failings extend to constrained expressivity for policy, lack of scalable and immediate revocation strategies, and inadequate responsibility attribution.

This paper introduces AITH (AI Trust Handshake), defined as a post-quantum, continuous delegation protocol permitting granular, revocable, and auditable human-to-AI trust relationships. The protocol is architected to operate at machine timescales while retaining legal-grade cryptographic guarantees—an essential requirement for the transition towards economically active AI agents.

Protocol Design

AITH’s architecture is characterized by three major technical innovations:

  1. Continuous Delegation Certificate: This certificate, signed with ML-DSA-87 (NIST Level 5, post-quantum), encapsulates multi-criteria constraints, escalation triggers, semantic auditing keys, and validity periods. Critically, the delegation relationship is established with a single cryptographic operation, amortizing all signing cost to setup and supporting subsequent operation at wire speed. After issuance, boundary enforcement introduces zero cryptographic overhead per operation.
  2. Six-Check Boundary Engine: A deterministic sequence of stateless checks (certificate validity, delegation level, constraints, rate limits, anomaly detection, escalation) enforces policy at sub-microsecond timescales (mean 0.21 μs per operation, >4.7M ops/sec per core), directly enabling low-latency, high-throughput AI autonomy. The check sequence is formally specified, enabling machine-verified guarantees and blocking out-of-policy actions with no opportunity for bypass via operation sequencing or splitting.
  3. Push-Based Revocation Protocol: Upon revocation, updates are proactively propagated to all registered verifiers within sub-second bounds (experimental median <1s), sharply limiting adversary window following credential compromise or principal intent change. Revocation is supported in immediate, graceful, and partial modes.
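
An added sketch of the six-check sequence, not the paper's reference implementation: the certificate fields, thresholds, the 5x-mean anomaly rule and the decision labels are assumptions made for illustration. The ML-DSA-87 signature is assumed to have been verified once at setup, so the per-operation path contains only comparisons, and a pushed revocation simply adds the certificate ID to a local set.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:  # hypothetical fields; signature already verified at setup
    cert_id: str
    not_before: float
    not_after: float
    level: int                # highest delegation level granted
    actions: frozenset        # hard constraint: permitted action types
    max_amount: float         # hard constraint: per-operation ceiling
    escalate_above: float     # escalation trigger
    max_ops: int              # rate limit: allowed operations per window
    window_s: float = 60.0

@dataclass
class BoundaryEngine:
    cert: Cert
    revoked: set = field(default_factory=set)      # filled by pushed revocations
    recent: deque = field(default_factory=deque)   # timestamps of allowed ops
    amounts: deque = field(default_factory=lambda: deque(maxlen=50))

    def check(self, op: dict, now: float) -> tuple:
        c = self.cert
        if c.cert_id in self.revoked or not c.not_before <= now <= c.not_after:
            return ("BLOCK", "certificate")            # 1. certificate validity
        if op["level"] > c.level:
            return ("BLOCK", "level")                  # 2. delegation level
        if op["action"] not in c.actions or not 0 < op["amount"] <= c.max_amount:
            return ("BLOCK", "constraint")             # 3. hard constraints
        while self.recent and now - self.recent[0] >= c.window_s:
            self.recent.popleft()                      # expire old timestamps
        if len(self.recent) >= c.max_ops:
            return ("BLOCK", "rate")                   # 4. rate limit
        if len(self.amounts) >= 3 and op["amount"] > 5 * sum(self.amounts) / len(self.amounts):
            return ("ESCALATE", "anomaly")             # 5. anomaly detection
        if op["amount"] > c.escalate_above:
            return ("ESCALATE", "trigger")             # 6. escalation trigger
        self.recent.append(now)
        self.amounts.append(op["amount"])
        return ("ALLOW", "ok")

def demo():  # constructed operations: (time, action, amount, level)
    eng = BoundaryEngine(Cert("cert-1", 0, 1000, 2, frozenset({"buy", "sell"}), 500, 200, 4))
    ops = [(0, "buy", 50, 1), (1, "buy", 60, 1), (2, "sell", 40, 1), (3, "buy", 450, 1),
           (4, "buy", 220, 1), (5, "buy", 600, 1), (6, "buy", 10, 3), (7, "buy", 70, 1),
           (8, "buy", 70, 1), (61, "buy", 70, 1)]
    out = [eng.check({"action": a, "amount": m, "level": l}, t) for t, a, m, l in ops]
    eng.revoked.add("cert-1")  # pushed revocation arrives
    return out + [eng.check({"action": "buy", "amount": 10, "level": 1}, 62)]
```

Only allowed operations update the rate window and the anomaly baseline in this sketch, so blocked or escalated requests cannot shift the thresholds.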

A supplementary Responsibility Chain—a three-deep SHA-256 hash chain spanning autonomous actions, human interventions, and system effects—ensures evidentiary integrity for post-incident analysis and legal disputes.
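
An added sketch of a SHA-256 hash chain over the three record types named above, not code from the paper: the record layout, tier names and the single interleaved chain are assumptions. It also shows what verification needs in practice, namely a head hash anchored outside the log.

```python
import hashlib
import json

TIERS = ("autonomous", "human", "system")  # assumed names for the three tiers
GENESIS = "0" * 64

def digest(prev, tier, payload):
    # Canonical JSON so the same record always hashes to the same value
    body = json.dumps([prev, tier, payload], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, tier, payload):
    if tier not in TIERS:
        raise ValueError(f"unknown tier: {tier}")
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "tier": tier, "payload": payload,
                  "hash": digest(prev, tier, payload)})
    return chain[-1]["hash"]

def verify(chain, anchored_head=None):
    """Index of the first bad record, len(chain) on head mismatch, -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != digest(prev, rec["tier"], rec["payload"]):
            return i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(chain)
    return -1

def demo():  # constructed records
    chain = []
    append(chain, "autonomous", {"op": "buy", "amount": 50})
    append(chain, "human", {"decision": "approve", "op_index": 0})
    head = append(chain, "system", {"effect": "order_filled"})
    edited = [dict(r) for r in chain]
    edited[0]["payload"] = {"op": "buy", "amount": 5}   # record changed in place
    rebuilt = []                                         # changed, then every hash recomputed
    for r in edited:
        append(rebuilt, r["tier"], r["payload"])
    return {"intact": verify(chain, head), "edited": verify(edited),
            "truncated": verify(chain[:2]), "truncated_anchored": verify(chain[:2], head),
            "rebuilt": verify(rebuilt), "rebuilt_anchored": verify(rebuilt, head)}
```

An in-place edit is caught by recomputation alone, while a truncated or fully recomputed log is only caught when the verifier compares against a head hash stored outside the log.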

Security Analysis

AITH’s protocol claims are substantiated through five theorems, each mechanized and machine-verified using the Tamarin Prover under the Dolev-Yao threat model. The results guarantee the following properties:

  • Certificate Unforgeability: Only the principal with knowledge of $sk_H$ can issue valid credentials under ML-DSA-87.
  • Boundary Inviolability: Out-of-policy operations are provably blocked at the enforcement layer.
  • Revocation Timeliness: All connected systems are bound to enforce revocation within a fixed, network-bounded delay.
  • Chain Integrity: Tampering with any responsibility-record log is computationally infeasible.
  • Delegation Scope Separation: Management operations remain strictly principal-only.

A distinctive feature is the protocol’s demonstrated cryptographic agility. All security claims generalize to alternative EUF-CMA primitives, ensuring resilience against future cryptanalytic advances without breaking enforcement or audit layers.

Practical Evaluation

A reference Python implementation validates operational performance. In simulation, 100,000 operations across diverse financial actions demonstrate the following:

  • 79.5% proceed autonomously within policy bounds
  • 6.1% require human escalation
  • 14.4% are blocked due to out-of-bound attempts

This distribution highlights the protocol’s suitability for high-frequency AI agency, while retaining oversight and control through escalation and automated boundary enforcement.

Comparative latency and throughput benchmarks against Macaroons, OAuth 2.0/JWT, and per-operation ML-DSA signatures confirm AITH's technical superiority for the intended use case: AITH’s boundary checks register a 500× throughput gain relative to Ed25519 credentialing (AIP) and two orders of magnitude over HMAC-based schemes (Macaroons).

Adversarial Validation

AITH’s robustness is tested through a multi-model, adversarial security audit employing four state-of-the-art LLMs in red-blue team interactions across five rounds. The protocol matured from v1 to v5.1 through identification and remediation of 12 vulnerabilities (spanning parameterization, cryptographic primitives, protocol logic, rate limiting, and escalation flows). The process emphasized the complementary strengths of human strategic oversight and machine-driven vulnerability discovery, culminating in a decisive architectural shift to continuous delegation.

Limitations of the auditing approach are recognized: collusion in LLM knowledge bases, inability to test physical or social attack surfaces, and residual reliance on human analysis.

Broader Implications and Future Work

AITH crystallizes the design pattern of treating the human-AI trust relationship as a first-class, revocable, and parameterized cryptographic object. Its minimal operational intrusion—deployable as an overlay—favors practical adoption in risk-averse, regulated environments without overhauling underlying authentication stacks.

Legally, AITH’s Delegation Certificate resembles established financial constructs (limit orders, auto-debit mandates) but adds cryptographically enforced bounding, immediate revocation, and evidentiary audit—a necessary evolution for AI-managed principal-agent relationships. Conceptually, it positions itself as a universal “AI passport” infrastructure with individualized, cryptographically bound authority per agent.

Several architectural priorities remain open: hardware root-of-trust integration, enforcing boundary compliance in TEE/sealed environments, automated certificate rotation, hierarchical and federated revocation logic, and advanced policy expressivity. Continuous formal verification, especially of implementation artifacts beyond protocol specification, is flagged as a high priority.

Conclusion

AITH delivers a protocol-level response to the emerging need for scalable, formally rigorous, and operationally efficient authorization between humans and AI agents. Its continuous delegation, boundary enforcement, rapid revocation, and machine-verifiable security properties constitute a defensible substrate for future AI-mediated economic and social interactions. The protocol’s compositional agility and layered defense model anticipate evolving adversary capabilities and regulatory demands as individual and institutional AI agency becomes ubiquitous.
