Cryptographic Security Engine

Tamper-proof AI governance

Every AI decision backed by cryptographic proof. Ed25519 signatures, canonical JSON serialization, and independently verifiable receipts make AI governance mathematically certain—not just procedural.

Technical DocumentationVerify This Site's Build

Cryptographic Foundations

Industry-standard primitives, zero proprietary magic

Ed25519 Signatures

Elliptic curve signatures (Curve25519) for every AI decision. FIPS 186-5 compliant, resistant to side-channel attacks.

256-bit security • 64-byte signatures

Canonical JSON (JCS)

RFC 8785 canonical JSON serialization ensures identical byte-level representation. Hash collisions mathematically impossible.

Deterministic • Sortable • Verifiable

SHA-256 Content Hashing

FIPS 180-4 secure hashing for request/response bodies. Detects any tampering down to a single bit.

2^256 collision resistance

Anatomy of a Proof Receipt

What's in Every Receipt

Request Fingerprint
SHA-256 hash of canonical request payload
Policy Decision
OPA evaluation result (allow/deny + reasoning)
Response Fingerprint
SHA-256 hash of AI provider's response
Timestamp (RFC 3339)
Precise UTC timestamp with nanosecond precision
Ed25519 Signature
64-byte signature over canonical JSON
Public Key ID
Key identifier for signature verification
Example Proof Receipt
{
  "version": "1.0",
  "id": "proof_2NvZvk9K3xRqJ8mP7nQwY",
  "timestamp": "2024-10-25T18:42:33.847Z",
  "request": {
    "method": "POST",
    "path": "/v1/chat/completions",
    "hash": "8f4a7c9d2e1b3f6a..."
  },
  "policy": {
    "decision": "allow",
    "policy_id": "ciso_v2_restricted",
    "rules_matched": ["pii_filter", "cost_limit"]
  },
  "response": {
    "status": 200,
    "hash": "3b2f8e1a9c4d7f2e...",
    "model": "gpt-4o"
  },
  "signature": {
    "algorithm": "Ed25519",
    "public_key_id": "railguard_prod_2024",
    "value": "A3F7E8D9C2B1F..."
  }
}

Independent Verification

Don't trust us—verify cryptographically. Use our CLI or any Ed25519 library.

CLI Verification (30 seconds)

1. Install the CLI
npm install -g @railguard/verify
2. Verify any receipt
railguard verify receipt.json
3. Get instant verification
✓ Signature valid
✓ Timestamp authentic
✓ Policy hash matches

Manual Verification (Any Language)

Use any Ed25519 library in your language of choice:

  • Python: cryptography
  • Node.js: tweetnacl
  • Go: crypto/ed25519
  • Rust: ed25519-dalek
Public keys published at:
https://railguard.ai/.well-known/public-keys/

What This Guarantees

Non-Repudiation

Once signed, neither you nor we can deny a decision occurred. Perfect for regulatory disputes.

Tamper Detection

Any modification to timestamp, decision, or policy invalidates the signature instantly.

Audit Independence

External auditors can verify receipts without access to our systems or databases.

Future-Proof

Receipts remain verifiable decades later—no proprietary formats or vendor lock-in.

Legal Weight

Cryptographic proofs accepted as evidence in EU courts under eIDAS regulation.

Zero Trust

Don't trust Railguard—verify every receipt independently. That's the point.

Standards & Compliance

Cryptographic Standards

  • RFC 8032: Edwards-Curve Digital Signature Algorithm (Ed25519)
  • RFC 8785: JSON Canonicalization Scheme (JCS)
  • FIPS 180-4: SHA-256 Secure Hash Standard
  • FIPS 186-5: Digital Signature Standard

Regulatory Frameworks

  • EU AI Act: Article 12 record-keeping requirements
  • GDPR: Article 12 explainability requirements
  • eIDAS: Electronic signatures regulation (EU 910/2014)
  • SOC 2 Type II: Security and availability controls

See cryptographic proofs in action

Deploy Railguard Gateway and start generating verifiable proof receipts in 15 minutes. Verify independently with our CLI or any Ed25519 library.

Read Technical DocsStart Free Pilot
Security Engine - Cryptographic Proofs | Railguard AI | Railguard AI