Specification and benchmarks.
Reference data behind the claims on the technology page: measured signing and verification cost, key and signature sizes, the governance cadence those numbers support, and the standard each primitive implements. Every figure here is reproducible from the published reference implementation. Hybrid figures describe the implemented, cross-verified composite profile, a first-class selectable profile; classical Ed25519 is AGA's zero-dependency operational default.
Test environment
Commodity laptop silicon, not server hardware. Production deployments on contemporary server CPUs see lower per-operation cost. The numbers below are the conservative case.
Signing and verification performance
| Operation | Algorithm | ns/op | B/op | allocs/op |
|---|---|---|---|---|
| Sign | Ed25519 | 33,850 | 0 | 0 |
| Sign | ML-DSA-65 | 202,800 | 3,906 | 4 |
| Sign | Hybrid | 264,300 | 3,814 | 4 |
| Verify | Ed25519 | 78,430 | 0 | 0 |
| Verify | ML-DSA-65 | 40,660 | 33,282 | 5 |
| Verify | Hybrid | 121,100 | 450 | 3 |
Ed25519 signs in roughly 34 microseconds with zero allocations. ML-DSA-65 carries the larger cost the post-quantum scheme implies, and the hybrid mode runs both, so its cost is close to the sum.
Key and signature sizes
| Component | Ed25519 | ML-DSA-65 | Hybrid | Ratio |
|---|---|---|---|---|
| Public key (raw) | 32 B | 1,952 B | 1,992 B | 62.3x |
| Signature (raw) | 64 B | 3,309 B | 3,381 B | 52.8x |
| Public key (hex) | 64 | 3,904 | 3,984 | 62.3x |
| Signature (hex) | 128 | 6,618 | 6,762 | 52.8x |
Post-quantum keys and signatures are roughly 50 to 60 times larger than their classical counterparts. That size, not speed, is the practical cost of the migration, and it informs bundle storage and transport planning.
Governance cadence feasibility
| Cadence | Window | Hybrid sign+verify | Decisions/window | Feasible |
|---|---|---|---|---|
| 100ms | 100,000 us | 385 us | 259 | Yes |
| 200ms | 200,000 us | 385 us | 519 | Yes |
| 500ms | 500,000 us | 385 us | 1,298 | Yes |
| 1000ms | 1,000,000 us | 385 us | 2,597 | Yes |
Hybrid sign-and-verify totals roughly 385 microseconds per governance decision. At the fastest supported cadence (100 ms), that overhead sits at about 0.4% of the measurement window, so the cryptography is never the bottleneck.
Standards and provenance
AGA introduces no new cryptography. Every primitive is a published standard, and the post-quantum scheme is pinned to NIST known-answer vectors with two independent implementations shown to agree byte-for-byte.
| Primitive | Standard | Role |
|---|---|---|
| SHA-256 | FIPS 180-4 | Artifact addressing and receipt chaining |
| Ed25519 | RFC 8032 | Classical signatures and the reference baseline |
| ML-DSA-65 | FIPS 204 | Post-quantum signatures at NIST Level 3 |
| Composite (ML-DSA-65 + Ed25519) | IETF LAMPS | Hybrid signing profile |
| JSON Canonicalization (JCS-lineage) | Vectors-defined | Byte-reproducible signature inputs |
| Merkle trees | No-prefix SHA-256 (RFC 6962 lineage) | Checkpoint anchoring; truncation-safe via the signed checkpoint |
| BLAKE2b-256 | RFC 7693 | Alternative hash for high-frequency measurement |
Receipt specification
The governance receipt schema, canonicalization rules, signing and chain-linking construction, the evidence-bundle format, and the steps a conformant verifier runs. This is the format the benchmarks above measure.
Governance Receipt (15 fields)
| Field | Type | Description |
|---|---|---|
| receipt_id | string | Unique receipt identifier (UUID) |
| receipt_version | string | Schema version ("1.0") |
| algorithm | string | Signing algorithm identifier |
| timestamp | string | ISO 8601 UTC timestamp |
| request_id | string | number | null | MCP request identifier (type preserved) |
| method | string | MCP method ("tools/call") |
| tool_name | string | Name of the tool being called |
| decision | string | PERMITTED or DENIED |
| reason | string | Human-readable decision rationale |
| policy_reference | string | SHA-256 hash of policy configuration |
| arguments_hash | string | SHA-256 of canonical arguments (tri-state) |
| previous_receipt_hash | string | Chain link to previous receipt |
| gateway_id | string | Signing gateway identifier |
| signature | string | Ed25519 signature (128 hex chars) |
| public_key | string | Ed25519 public key (64 hex chars) |
Canonicalization (JCS-lineage)
All JSON serialization uses a JCS-lineage JSON Canonicalization Scheme, defined by the conformance vectors rather than literal RFC 8785:
- Object keys sorted by Unicode code point order
- No whitespace outside string values
- ECMAScript Number.toString() for number serialization (1.0 becomes 1)
- Negative zero normalizes to positive zero
- Array element order preserved (not sorted)
Signing and Chain Linking
SigningDigest: Canonical JSON of receipt WITHOUT the signature field. Ed25519 signature computed over these bytes.
ChainDigest: SHA-256 of canonical JSON of receipt WITH the signature field. Used as previous_receipt_hash in the next receipt.
arguments_hash tri-state: absent arguments = empty string, empty object = SHA-256("{}"), content = SHA-256(canonicalize(arguments)).
Evidence Bundle Format
An evidence bundle packages a receipt chain with Merkle proofs for offline verification:
| Field | Description |
|---|---|
| schema_version | Bundle format version ("1.0") |
| bundle_id | Unique bundle identifier (UUID) |
| algorithm | Algorithm suite ("Ed25519-SHA256-JCS") |
| generated_at | ISO 8601 bundle creation timestamp |
| gateway_id | Signing gateway identifier |
| public_key | Ed25519 public key (64 hex chars) |
| policy_reference | SHA-256 of policy configuration |
| receipts | Ordered array of GovernanceReceipt objects |
| merkle_root | SHA-256 Merkle root of receipt leaf hashes |
| merkle_proofs | Inclusion proofs for each receipt |
| offline_capable | Boolean (always true) |
Six-Step Verification (SEP Gateway)
Verify the algorithm identifier ("Ed25519-SHA256-JCS"), public key well-formedness, and that every receipt matches the strict schema. Fail closed on unknown algorithms.
For each receipt: remove signature field, canonicalize, Ed25519 verify against public_key.
First receipt: previous_receipt_hash = "". Each subsequent: previous_receipt_hash = SHA-256(canonical(prev receipt WITH signature)); timestamps non-decreasing.
Walk each proof from leaf to root via sibling hashes; constant-time compare to merkle_root. Proof count = receipt count, leaf indices a bijection over 0..N-1.
Verify the gateway-signed checkpoint anchors the recomputed Merkle root, leaf_count, and chain head leaf hash.
The bundle's stated roots match what was recomputed. Each proof's leaf_hash = SHA-256(canonical(receipt WITH signature)).
A seventh check, gateway key match, runs only when the verifier is given a pinned issuer key: it confirms the bundle was signed by that key (provenance). Without a pin, the six checks prove integrity only.
Algorithm Identifiers
| ID | Signature | Hash | Canonicalization |
|---|---|---|---|
| Ed25519-SHA256-JCS | Ed25519 (64-byte signature) | SHA-256 (32-byte digest) | JCS-lineage |
Additional algorithm suites may be defined in future versions. Verifiers must reject unknown algorithm identifiers (fail closed).
Cross-Language Conformance
Implementations across three independent toolchains (JavaScript, Python, Go) are checked against a shared conformance suite, including a standalone verifier that uses no third-party cryptography:
TypeScript
MCP Gateway (Cloudflare Workers)
conformance + unit suite
Python
SDK (PyNaCl)
conformance + unit suite
Go
Verifier CLI
cross-verify all bundles
Independent Verifier
Standalone verification tool
cross-language conformance
57 classical cross-stack cases prove identical verdicts across six verifier configurations; the spec's canonical vectors pin byte-for-byte canonical output and matching Merkle roots; the post-quantum profile adds 28 composite cases across two independent-language oracles.