VET Your Agent: Towards Host-Independent Autonomy via Verifiable Execution Traces

Artem Grigor, Christian Schroeder de Witt, Simon Birnbach, Ivan Martinovic

TL;DR

VET introduces Verifiable Execution Traces, a formal framework that shifts trust from hosting environments to agent configuration and verifiable execution, enabling host-independent authentication of agent outputs. It combines a formal Agent Identity Document with compositional proofs across agent cores and tools, instantiated via Web Proofs (TLS transcripts) for API-based components and complemented by TEE Proxies for public data. The framework is evaluated on realistic workloads and demonstrated through VeriTrade, a verifiable trading agent, showing practical overheads under 3x compared to direct API calls and the feasibility of host-agnostic authentication with current technology. While authentication of outputs is now robust, achieving full host-independent autonomy remains aspirational, requiring reductions in host influence, better notary trust distribution, and freshness guarantees. Together, these results lay a concrete foundation for more secure, auditable autonomous agents and point to future work in distributed trust, replay protection, and more flexible agent architectures.

Abstract

Recent advances in large language models (LLMs) have enabled a new generation of autonomous agents that operate over sustained periods and manage sensitive resources on behalf of users. Trusted for their ability to act without direct oversight, such agents are increasingly considered in high-stakes domains including financial management, dispute resolution, and governance. Yet in practice, agents execute on infrastructure controlled by a host, who can tamper with models, inputs, or outputs, undermining any meaningful notion of autonomy. We address this gap by introducing VET (Verifiable Execution Traces), a formal framework that achieves host-independent authentication of agent outputs and takes a step toward host-independent autonomy. Central to VET is the Agent Identity Document (AID), which specifies an agent's configuration together with the proof systems required for verification. VET is compositional: it supports multiple proof mechanisms, including trusted hardware, succinct cryptographic proofs, and notarized TLS transcripts (Web Proofs). We implement VET for an API-based LLM agent and evaluate our instantiation on realistic workloads. We find that for today's black-box, secret-bearing API calls, Web Proofs appear to be the most practical choice, with overhead typically under 3$\times$ compared to direct API calls, while for public API calls, a lower-overhead TEE Proxy is often sufficient. As a case study, we deploy a verifiable trading agent that produces proofs for each decision and composes Web Proofs with a TEE Proxy. Our results demonstrate that practical, host-agnostic authentication is already possible with current technology, laying the foundation for future systems that achieve full host-independent autonomy.

Paper Structure

This paper contains 62 sections, 2 theorems, 16 equations, 10 figures, 7 tables.

Key Result

Theorem 5.6

If each component proof system $(P,V)$ is complete and sound against its adversary class, then the compositional scheme $(\mathsf{Prove_{(\mathcal{A},\textsf{Adv}_\textsf{A})}}_\textsf{A},\mathsf{Verify_{(\mathcal{A},\textsf{Adv}_\textsf{A})}})$ is complete and sound against

Figures (10)

  • Figure 1: System model. The verifier, given an AID, checks that an output is consistent with the declared agent configuration, even if the host controlling execution is malicious.
  • Figure 2: Illustration of the agent's execution loop. The agent's cognitive $\mathsf{Core}$ iteratively processes execution transcripts $h^{(j)}$, produces plaintext outputs $y^{(j)}$, invokes specified tools ($t_1$, $t_2$), and incorporates their responses ($r_{t_i}$) into subsequent execution transcripts.
  • Figure 3: Sample Agent Identity Document (AID) for VeriTradeBot.
  • Figure 4: Web Proofs protocol overview. (1) Connection: The Prover initiates a TLS session with the Target Server. (2) Co-execution: An honest-but-curious Notary jointly executes the MPC-TLS handshake, attesting to exchanged bytes without accessing plaintext. (3) Transcript: The Notary outputs a signed commitment, allowing the Prover to selectively disclose signed transcript portions to the Verifier. (4) Verification: The Verifier checks the disclosed transcript against the Notary’s signature and the Server’s TLS public key, accepting if valid.
  • Figure 5: Instantiation of Web Proofs for API-based agent components. Naïve long-lived channel incurs large one-time setup costs and retransmission overhead.
  • ...and 5 more figures

Theorems & Definitions (12)

  • Definition 4.1: Tool
  • Definition 4.2: Core
  • Definition 4.3: LLM-based Agent
  • Definition 4.4: Execution Trace
  • Definition 5.1: Agent-Authentication Scheme
  • Definition 5.2: Completeness
  • Definition 5.3: Soundness
  • Definition 5.4: Minimal Disclosure
  • Definition 5.5: Zero-Knowledge
  • Theorem 5.6: Composition
  • ...and 2 more