Attested AI/Learn
Contact Us

Privacy-Preserving Verification

Privacy-preserving verification proves governance enforcement occurred without revealing sensitive operational data. Verifiers confirm structural integrity while actual payload content remains protected.

Why does privacy matter in verification?

Evidence bundles contain operational details that may be confidential: configuration values, telemetry readings, enforcement reasons. An auditor needs to verify governance occurred without necessarily seeing all underlying data.

  • Trade secrets: Configuration may reveal proprietary algorithms
  • Regulatory data: Telemetry may contain PII subject to GDPR/CCPA
  • Security posture: Detailed config exposes attack surface
  • Competitive intelligence: Operational metrics may be business-sensitive

What is structural metadata verification?

Structural metadata includes timestamps, counters, event types, and hash values—without the actual payload data. A verifier can confirm the chain is intact and properly signed without knowing what the receipts contain.

Structural (Revealed)

  • Receipt count and counter sequence
  • Timestamps (when events occurred)
  • Event types (DRIFT_DETECTED, ENFORCED)
  • Hash linkage (prev_hash, this_hash)
  • Signatures and key references

Payload (Redacted)

  • Actual configuration values
  • Telemetry readings
  • Detailed drift descriptions
  • Subject identities
  • Policy rule details

How does selective disclosure work?

Selective disclosure allows the bundle holder to reveal specific fields to specific verifiers while keeping others hidden. This uses cryptographic commitments that prove the redacted content exists without revealing it.

// Receipt with selective disclosure
{
  "receipt_id": "sha256:abc123...",
  "counter": 42,
  "timestamp": "2024-01-15T10:30:00Z",
  "event_type": "DRIFT_DETECTED",

  // Redacted fields replaced with commitment
  "decision": {
    "commitment": "sha256:def456...",
    "redacted": true
  },
  "measurement": {
    "commitment": "sha256:ghi789...",
    "redacted": true
  },

  // Proof that commitments match original
  "disclosure_proof": "...",

  // Chain and signature still verifiable
  "chain": { "prev_receipt_hash": "...", "this_receipt_hash": "..." },
  "signer": { "signature": "..." }
}

What are the disclosure levels?

The specification defines standard disclosure levels for different auditor needs.

Level 1: Chain Integrity Only

Verifies hash chain, signatures, and counter sequence. Proves governance boundary operated and produced a valid chain. No payload data revealed.

Level 2: Event Summary

Reveals event types and timestamps. Proves drift was detected and enforcement occurred, with timing. No configuration or measurement details.

Level 3: Enforcement Actions

Reveals what actions were taken (CONTINUE, BLOCK, TERMINATE) and reason codes. Proves appropriate response to drift. No raw measurements.

Level 4: Full Disclosure

Complete bundle with all payload data. Required for deep forensic analysis or regulatory examination with proper authorization.

How do we minimize metadata leakage?

Even structural metadata can leak information. Consider these protections:

  • Timing obfuscation: Round timestamps to reduce precision when full precision isn't needed
  • Batch disclosures: Reveal ranges of receipts rather than individual entries
  • Aggregate proofs: Prove "N drift events occurred in window" without revealing which
  • Key rotation frequency: Frequent rotation can reveal operational patterns

Frequently asked questions

Can redacted bundles still prove enforcement?

Yes. The chain integrity proves events occurred in sequence. Event types prove drift was detected and enforcement happened. Commitments prove redacted data exists and matches the signed content.

What if the auditor demands full disclosure?

That's a policy decision, not a technical one. The system supports both. You can provide redacted bundles for routine audits and full bundles under appropriate legal or contractual frameworks.

Is this zero-knowledge proof?

Not in the cryptographic sense. It's selective disclosure with hash commitments. True ZK proofs are possible but add significant complexity. The commitment scheme is simpler and sufficient for most enterprise use cases.

← Verification ChecklistBack to Offline Verification →