Same primitives. Complementary layers.
AITH is a post-quantum continuous delegation protocol — how an autonomous AI agent is granted, bounded, and revoked. Knox is a cryptographic audit-permanence layer — what the bounded agent actually did, recorded so that a third party can verify it years later. Both use ML-DSA-87 (NIST FIPS 204) and SHA-256. Both ship with formal verification. Together they cover the agent lifecycle end to end.
Bonis Systems Knox aligns architecturally with AITH.
- Same post-quantum signature primitive. AITH specifies ML-DSA-87 (NIST FIPS 204, Level 5). Knox Agent #11 Layer 4 ships ML-DSA-87 alongside ML-DSA-44/65 and SLH-DSA-128s/192s/256s via @noble/post-quantum.
- Same hash family. AITH’s three-tier Responsibility Chain is SHA-256. Every Knox anchor is a SHA-256 commitment, sequence-numbered and rolled to a Bitcoin Merkle anchor.
- Complementary layers. AITH bounds the agent’s authority in real time; Knox preserves the externally-anchored evidence record of what the bounded agent did. The two layers run together; neither replaces the other.
- Both layers formally verified. AITH theorems: Tamarin Prover under the Dolev-Yao model. Knox anchor pipeline: public TLA+ specification covering hash-link, sequence-monotonicity, and Merkle-root invariants.
- No relationship implied. This is an architectural compatibility statement against a published academic protocol. No joint research, coordination, or other relationship with the AITH author is implied or claimed.
Bonis Systems LLC declares architectural alignment with AITH as of 2026-04-27.
This page constitutes a formal architectural alignment statement between Bonis Systems Knox (the AAM audit-permanence layer) and the AITH (AI Trust Handshake) protocol described in the open-access academic paper arXiv:2604.07695. The alignment is published in the same convention used by vendors publishing compatibility statements against IETF drafts or NIST FIPS specifications.
Scope of alignment. Architectural compatibility on cryptographic primitives, hash family, formal-verification posture, and layer composition (delegation-time bounding via AITH + post-deployment evidence preservation via Knox). The alignment does not assert protocol-conformance certification, does not assert binding equivalence, and does not assert any relationship — joint research, coordination, partnership, employment, or otherwise — with the AITH author or any affiliated research group.
Maintenance. Bonis Systems will revise this alignment statement if (a) the AITH paper is materially revised, (b) the NIST FIPS 204 / 205 parameter sets are revised, or (c) the Knox Agent #11 Layer 4 PQC implementation is revised in a way that materially affects co-deployability. The alignment date above is the publication date of the current revision.
Signed. Bonis Systems LLC, Wyoming. UEI R2BPJDC5CBA3. CAGE 1TSP2. Inventor of record on USPTO Provisional 64/038,359 (Knox), Jonis Aaron Fields.
A post-quantum continuous delegation protocol.
AITH (AI Trust Handshake) is described in arXiv:2604.07695. It addresses a gap in existing trust frameworks like TLS and OAuth 2.0, which were not designed for probabilistic AI agents operating continuously with variable authorization boundaries.
Three protocol elements anchor the design. A Continuous Delegation Certificate is signed once at delegation time with ML-DSA-87, eliminating per-operation signing while preserving post-quantum security. A Boundary Engine enforces constraints, rate limits, and escalation triggers with zero cryptographic overhead on the critical path. A push-based Revocation Protocol propagates invalidation within one second. A three-tier SHA-256 Responsibility Chain provides tamper-evident audit logging within the protocol’s scope.
The published claim is that all five security theorems are machine-verified via the Tamarin Prover under the Dolev-Yao adversary model. Posture: math-checked, not vibes-checked.
A cryptographic audit-permanence layer.
Knox sits above any control plane, any agent runtime, and any orchestration framework. Each agent action is reduced to a SHA-256 commitment, sequence-numbered per stream, hash-linked to the prior anchor in the stream, and rolled into an hourly Merkle tree. The Merkle root is published to the Bitcoin blockchain via OpenTimestamps. The proof is portable: a regulator, a court, or a future operator can verify any anchor with public tooling alone.
Knox Agent #11 Layer 4 ships post-quantum signatures covering ML-DSA-44 / 65 / 87 (NIST FIPS 204) and SLH-DSA-128s / 192s / 256s (NIST FIPS 205) via the @noble/post-quantum library. ML-DSA-87 is the same parameter set AITH specifies for its Continuous Delegation Certificate.
The pipeline ships a public TLA+ specification covering hash-link, sequence-monotonicity, and Merkle-root invariants. Anchors resolve to court-ready affidavits architected for FRE 902(13) and 902(14) self-authentication. Admissibility in any given matter is determined by the presiding court; the structural requirements are met by construction.
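The three invariants named above (hash-link, sequence-monotonicity, Merkle root), checked by a small verifier. This is an added example, not Knox's code or its wire format: the anchor encoding, the `GENESIS` marker, the Merkle construction, the stream name `agent-7` and all function names are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

// SHA-256 over the concatenation of the given parts, hex-encoded.
const sha256 = (...parts) =>
  parts.reduce((h, p) => h.update(p), createHash('sha256')).digest('hex');
const GENESIS = '0'.repeat(64); // assumed "no predecessor" marker
// Assumed anchor encoding (illustrative, not Knox's wire format).
const anchorHash = (a) => sha256(`${a.stream}|${a.seq}|${a.prev}|${a.commitment}`);

// Reduce an event to a SHA-256 commitment and link it to the prior anchor.
function appendAnchor(chain, stream, event) {
  const last = chain[chain.length - 1];
  chain.push({
    stream,
    seq: last ? last.seq + 1 : 0,
    prev: last ? anchorHash(last) : GENESIS,
    commitment: sha256(JSON.stringify(event)),
  });
  return chain;
}

// Merkle root with leaf (0x00) / node (0x01) prefixes; an odd node is promoted, not duplicated.
function merkleRoot(hashes) {
  let level = hashes.map((h) => sha256(Buffer.from([0]), Buffer.from(h, 'hex')));
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2) {
      next.push(i + 1 < level.length
        ? sha256(Buffer.from([1]), Buffer.from(level[i], 'hex'), Buffer.from(level[i + 1], 'hex'))
        : level[i]);
    }
    level = next;
  }
  return level[0] ?? sha256('');
}

// Check the three invariants against a root obtained out of band.
function verifyStream(chain, publishedRoot) {
  for (let i = 0; i < chain.length; i++) {
    const prev = chain[i - 1];
    if (prev && chain[i].seq <= prev.seq) return { ok: false, at: i, reason: 'sequence' };
    if (chain[i].prev !== (prev ? anchorHash(prev) : GENESIS)) return { ok: false, at: i, reason: 'hash-link' };
  }
  const ok = merkleRoot(chain.map(anchorHash)) === publishedRoot;
  return ok ? { ok: true } : { ok: false, at: null, reason: 'merkle-root' };
}

// Constructed sample stream; the two revocation event names are the ones this page lists.
const buildSample = () => ['tool_call', 'agent_key_rotation', 'agent_authority_revoked']
  .reduce((c, type, i) => appendAnchor(c, 'agent-7', { type, n: i }), []);
```

Rewriting a middle anchor breaks the next anchor's hash-link, while rewriting the newest anchor passes the chain checks and is caught only by comparison with the externally published root.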
Where AITH and Knox meet, and where they extend.
Each row below summarizes one architectural axis. The AITH column reflects the published academic specification; the Knox column reflects the shipping primitive. Where the primitives line up directly, co-deployment is mechanical. Where they extend in different directions, the protocols cover different problems and run together cleanly.
| AITH | Knox |
| --- | --- |
| ML-DSA-87 (NIST FIPS 204, Level 5) signs the Continuous Delegation Certificate once at delegation time, eliminating per-operation signing while preserving post-quantum strength. | Knox Agent #11 Layer 4 ships ML-DSA-87 alongside ML-DSA-44 and 65 (NIST FIPS 204) and SLH-DSA-128s / 192s / 256s (NIST FIPS 205) via @noble/post-quantum. Same parameter set, same standard, immediately co-deployable. |
| Three-tier SHA-256 Responsibility Chain provides tamper-evident logging within the AITH protocol's scope. | Every Knox anchor is a SHA-256 commitment over a content-addressable artifact; the chain is sequence-numbered per stream and rolled into hourly Merkle trees published to the Bitcoin blockchain via OpenTimestamps. |
| Five security theorems machine-verified via Tamarin Prover under the Dolev-Yao adversary model. | The Knox anchor pipeline ships a public TLA+ specification of its hash-link, sequence-monotonicity, and Merkle-root invariants. Source and verifier are public. Different prover families, same posture: math-checked, not vibes-checked. |
| Push-based revocation protocol invalidates a delegation certificate within one second, propagating cleanly to every boundary check downstream. | Revocation events are anchored in their own stream — `agent_authority_revoked`, `agent_key_rotation`, `agent_policy_revocation` — so the revocation itself, including its precise moment, is preserved in tamper-evident form even if the runtime that handled the revocation is no longer available years later. |
| Boundary Engine enforces constraints, rate limits, and escalation triggers in real time, with zero cryptographic overhead on the critical path. | Knox does not enforce in real time. Knox records, in a way that survives the runtime, the operator, the network, and the vendor. Boundary enforcement and evidence preservation are different problems; both are required. |
| Internal Responsibility Chain delivers tamper-evidence within the protocol's deployment. | External Bitcoin anchoring delivers tamper-evidence verifiable without cooperation from any party to the deployment, including Bonis. The two scopes nest: AITH internal evidence + Knox external evidence covers both insider and outsider trust models. |
| Internal logging suitable for engineering audit; admissibility in court is not a stated design target of the academic specification. | Every Knox anchor resolves to a court-ready affidavit architected for FRE 902(13) and 902(14) self-authentication. Admissibility in any given matter is determined by the presiding court; the structural requirements are met by construction. |
What Knox implements, what Knox extends, what Knox does not undertake.
The honest scope discipline of an alignment statement — authoritative where the firm owns the source, explicit delegation where another layer owns it.
ML-DSA-87 signing
Knox Agent #11 Layer 4 ships ML-DSA-87 (NIST FIPS 204, Level 5) via @noble/post-quantum, the same parameter set AITH cites for the Continuous Delegation Certificate.
SHA-256 commitment chain
Every Knox event becomes a SHA-256 commitment, sequence-numbered per stream, hash-linked to the predecessor anchor. Same hash family as AITH's Responsibility Chain.
Authority-lifecycle anchoring
Revocation, key rotation, and policy revocation each become Knox events (agent_authority_revoked, agent_key_rotation, agent_policy_revocation). The revocation moment is preserved tamper-evidently regardless of whether the AITH runtime is online years later.
Bitcoin-anchored Merkle aggregation
Knox rolls hourly Merkle trees of every anchored stream and publishes the root to the Bitcoin chain via OpenTimestamps. AITH's internal Responsibility Chain delivers tamper-evidence within the deployment; the Bitcoin anchor extends that to any third party.
TLA+ formal specification
The Knox anchor pipeline ships a public TLA+ specification covering hash-link, sequence-monotonicity, and Merkle-root invariants. Different prover family from AITH's Tamarin verification, same posture: math-checked.
FRE 902 architectural fit
Each Knox anchor resolves to a court-ready affidavit architected for Federal Rules of Evidence 902(13) and 902(14) self-authentication. Admissibility in any given matter is a determination of the presiding court.
Continuous Delegation Certificate signing
Knox does not issue or sign delegation certificates. That is AITH's job. Knox anchors the certificate identifier (or its hash) when the operator's emit path supplies it.
Real-time Boundary Engine
Knox is cold-path evidence preservation, not hot-path policy enforcement. Boundary checks, rate limits, escalation triggers — those are AITH-side or operator-side. Knox records what was attempted and what happened, not what was permitted.
Push-based revocation propagation
Knox does not propagate revocation messages through a deployment. AITH's Revocation Protocol does that. Knox anchors the revocation event so the moment of revocation is preserved long after the AITH runtime has been retired.
AITH bounds the agent. Knox preserves the record.
An AITH-instrumented agent receives a Continuous Delegation Certificate at the start of its assignment. The Boundary Engine constrains every subsequent action against the certificate’s authorized scope. The Revocation Protocol can pull authority back within one second. Inside the protocol, a SHA-256 Responsibility Chain logs the constrained behavior for engineering audit.
Knox runs alongside that loop. Every action the agent takes — every tool call, every commitment, every transaction, every memory mutation, every revocation event — is reduced to a SHA-256 commitment, hash-linked into a stream, and Merkle-rolled into a Bitcoin anchor. The internal Responsibility Chain proves tamper-evidence within the deployment; the Knox anchor proves tamper-evidence to any third party with public Bitcoin tooling, with no requirement to trust Bonis, the operator, the AITH deployment, or any vendor in the stack.
The separation of concerns is clean. Boundary enforcement is hot-path; evidence preservation is cold-path. Both must be present for a deployment to survive scrutiny years after the agent has been retired and the operator has been acquired or wound down.
What this gives you.
No primitive translation
AITH and Knox both rely on ML-DSA-87 and SHA-256. Co-deployment does not require a translation layer between two cryptographic vocabularies; the same signatures and the same hashes appear on both sides.
Post-quantum from day one
Both layers were designed against post-quantum threat models. Long-lived audit records produced by Knox remain verifiable under the same assumptions AITH uses to bound real-time delegation.
Formal verification on both sides
AITH is machine-verified via Tamarin Prover. Knox ships a public TLA+ specification of its anchor pipeline invariants. Different prover families, same posture — the math is checked, not assumed.
External auditability
Knox extends AITH’s internal Responsibility Chain with Bitcoin anchoring. Verification is portable to a regulator, a court, or a counter-party with no access to the AITH deployment or the Bonis stack.
Defensive only
Knox produces evidence; lawful authority decides what to do with it. Bonis does not access third-party AITH deployments, does not operate counter-agents, and does not undertake any offensive action.
Vendor-neutral
Knox sits above any control plane and any runtime. AITH may be deployed in any environment that supports ML-DSA signing. The alignment is architectural; no particular vendor of either layer is presupposed.
Public endpoints, public verifier, public chain.
The Knox primitives that align with AITH are already shipping on bonissystems.com, with public endpoints, a public verifier, and a public formal specification. The AITH paper itself is open-access on arXiv.