GateSolutionsAssuranceProtocolProofDocsPricingRequest pilot
Open challenge · 0 confirmed external breaks

Break the ceremony.

EMILIA is the authorization-receipt layer for irreversible AI-agent actions: no valid human-signed receipt, no execution — and afterward, anyone can verify who approved exactly what, without trusting us. This page is where you try to prove that wrong.

We claim EMILIA’s authorization ceremony cannot be replayed, forged, self-approved, or reversed — and we proved it with a model checker. Don’t take our word for it. The protocol is open. The receipts are public. Try to break it.

Safety infrastructure earns trust by surviving attack in the open. Every confirmed break — and its fix — gets published here, with credit.

The four guarantees

What counts as a break

A signed authorization can be consumed exactly once. Replay it and it must be rejected.
ConsumeOnceSafety
BREAK IF: You consume the same authorization twice and both succeed.
You cannot fabricate a committed decision outside the ceremony — no write bypasses the protocol.
WriteBypassSafety
BREAK IF: You produce a record the verifier accepts that was never issued by the ceremony.
No actor can approve, consume, or contest its own action. Separation of duties holds.
SelfContestImpossible
BREAK IF: The same identity both initiates and approves a high-risk action and it commits.
Once an action is committed or refused, that outcome is terminal — it cannot be silently flipped.
TerminalStateIrreversibility
BREAK IF: You move a committed or refused action back to a pending/allowed state.
Bounded claims

What a receipt proves — and what it doesn’t

The honesty is the credential. Here is exactly where the guarantee starts and stops.

What it proves
  • A named human — or a quorum of distinct humans — signed THIS exact action (amount, payee, target), not a session and not a scope.
  • Anyone can verify it offline, with no account and no trust in the operator or in EMILIA.
  • Tamper with one byte of the authorized action and verification fails.
  • The authorization is consumable exactly once — replays are rejected.
  • Missing, invalid, expired, or wrong-approver → the action does not proceed. Fail-closed by default.
What it does not prove
  • That the decision was correct or wise. EP proves authorization, not judgment.
  • Real-world identity beyond the enrollment layer. A receipt proves the enrolled key signed; identity proofing is a separate, stated layer.
  • The negative of an absence you were never handed. One-time-use and revocation freshness are server-state — ask the operator for the consumption record and any signed revocation (itself offline-verifiable).
The attack matrix

Attacks we reject — and what backs each claim

Replay a captured authorization
One-time consume enforced under a row lock; the second attempt is rejected.
TLA+ ConsumeOnceSafety · binding_already_consumed vectors
Forge a receipt the verifier accepts
Asymmetric signature over the canonical action hash — no trusted issuer key, no acceptance.
tri-language negative conformance vectors
Tamper with the approved action
The signature covers SHA-256(JCS(action)); any altered field breaks challenge_binding.
verifier conformance suite (JS/Py/Go)
Attach your signoff to someone else’s receipt
Signoff requests are bound to the receipt creator — a leaked receipt_id is not an approval attachment point.
creator-bound signoff (see “what we caught”)
Approve with the wrong human
Approvals bind to the intended approver; a quorum requires distinct, enrolled humans.
481 security/adversarial tests
Proceed with no receipt
The consume gate refuses any governed action without a valid bound approval. Fail-closed.
consume-gate tests
Satisfy a quorum with the wrong set
Quorum re-verified at consume: distinct humans, roles, order, window, action-binding, signatures.
EP-QUORUM cross-language conformance

Run the negative cases yourself: npx @emilia-protocol/crash-test issues a genuine receipt, verifies it offline, then shows the forged copy being rejected.

What we caught — and closed

A real authority-binding bug, found in red-team and fixed

In an adversarial pass we found that a leaked receipt_id could let another authenticated actor attach their own signoff flow to someone else’s receipt and self-approve it. The cryptography was sound; the authority-binding glue was not.

We closed it by binding signoff requests to the receipt creator and approvals to the intended approver — now row four of the matrix above. We publish this on purpose: the danger zone for systems like this is authority binding and deployment semantics, not the math, and finding it in the open is the point of this page.

Why this is different

Anyone can copy a schema. They cannot copy a security case by changing the logo.

EMILIA’s differentiation is not proprietary cryptography. It is a composed, machine-rerunnable argument that the whole path holds together: challenge, canonical action, human ceremony, issuer and authority pins, revocation, one-time consumption, and execution.

10
verified Tamarin lemmas
2
deliberately weakened attack traces
26
executable security claims
121
hashed evidence files
The composed path
challenge
↓ canonical action
↓ human ceremony
↓ issuer + authority
↓ revocation
↓ consumption
↓ execution

Tamarin tests this as one symbolic protocol under a Dolev-Yao attacker with full network control, rather than assuming separately checked pieces compose safely.

Named Tamarin lemmas
execution_requires_full_compositionVERIFIED · ALL TRACES

Execution requires challenge, exact action, approvals, pinned authority, revocation, and consumption to compose.

no_issuer_launderingVERIFIED · ALL TRACES

A presenter cannot turn its own key into an accepted issuer by relabeling the artifact.

no_cross_action_profile_or_audience_replayVERIFIED · ALL TRACES

Valid evidence cannot be transplanted to another action, profile, or relying party.

initiator_cannot_self_approveVERIFIED · ALL TRACES

The actor initiating an action cannot fill the human-approval seat.

strict_registry_view_is_exactVERIFIED · ALL TRACES

Authority evidence must match the exact registry checkpoint pinned by the relying party.

injective_execution_with_consumptionVERIFIED · ALL TRACES

One consumed authorization maps to at most one checked execution.

The model is allowed to prove us wrong

We deliberately remove controls and ask Tamarin to find the failure.

unchecked_composition_is_injective
FALSIFIED · CONCRETE TRACE FOUND

Remove one-time consumption and Tamarin finds a same-receipt replay.

unchecked_registry_view_is_current
FALSIFIED · CONCRETE TRACE FOUND

Remove exact registry-view binding and Tamarin accepts a stale or equivocating authority view.

What compounds

Open does not mean interchangeable.

Nothing prevents another team from implementing the open format. That is the distribution strategy. But a compatible envelope is not an equivalent system. Equivalence means reproducing the composed proof, strict verifier behavior, negative vectors, durable consumption, release evidence, and every assumption and exclusion. Each discovered failure becomes a permanent, machine-rerunnable obligation. That body of evidence compounds with every release.

Broader executable evidence: 26 TLA+ invariants · 35 Alloy facts + 32 assertions · 6,719 automated cases · 251 current conformance vectors.

Scope remains explicit: TLA+ and Alloy model bounded state and relational properties; Tamarin uses symbolic perfect cryptography and pinned-root assumptions. These are not proofs of AI behavior, WebAuthn internals, parser correctness, legal compliance, or deployment completeness.

Inspect the engineering evidence →Read the spec →How the verification works →
Our commitment

The transparency contract

  • Every confirmed break is published here within 7 days, with the attacker’s credit (or anonymous, your call).
  • Every fix is published alongside it — the spec change, the code, and the new passing proof.
  • The running tally above (confirmed breaks) is never silently reset.
  • In scope: the authorization ceremony, the signed-receipt format, the consume gate, the verifier.
  • Out of scope: DDoS, social engineering, third-party infra (Vercel/Supabase), and anything against production tenant data.
Get started

Start swinging

The protocol, the SDK, and a public demo receipt are live now — attack those directly. Scoped challenge keys against an isolated instance open shortly; report anything you find to the address below in the meantime.

Inspect a live receipt →Read the spec

Report a break: team@emiliaprotocol.ai

Break the Ceremony — Red-Team Challenge & Attack Matrix — EMILIA Protocol | EMILIA