Forem: AlekBlom The latest articles on Forem by AlekBlom (@alekblom). https://forem.com/alekblom https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3785449%2F823c1ee3-9017-43f1-af63-ebcc6122807a.jpeg Forem: AlekBlom https://forem.com/alekblom en Your AI Chatbot Said What? Solving the Two-Party Proof Problem with Dual-Secret Verification AlekBlom Sun, 22 Feb 2026 19:58:25 +0000 https://forem.com/alekblom/your-ai-chatbot-said-what-solving-the-two-party-proof-problem-with-dual-secret-verification-4p55 https://forem.com/alekblom/your-ai-chatbot-said-what-solving-the-two-party-proof-problem-with-dual-secret-verification-4p55 <p>When your AI chatbot tells a user their insurance claim is approved, and the user later says the chatbot said something different -- who's right?</p> <p>Neither can prove anything. The request went to OpenAI, the response came back, and both parties are left with nothing but screenshots and trust. This is the <strong>two-party proof problem</strong>, and it gets worse the more consequential AI interactions become.</p> <p>I built <a href="https://github.com/alekblom/ioproof" rel="noopener noreferrer">IOProof</a> to solve it. It is an open-source proxy that sits between your service and any AI API, capturing and cryptographically attesting every interaction. The interesting part is the <strong>dual-secret verification model</strong> -- the thing that makes it actually useful when two parties disagree.</p> <h2> The Architecture in 60 Seconds </h2> <p>IOProof is a Node.js/Express proxy. You point your API calls through it instead of directly at OpenAI/Anthropic/etc. For every request-response pair, the system:</p> <ol> <li>Captures the raw bytes of both request and response</li> <li>SHA-256 hashes everything</li> <li>Generates two independent cryptographic secrets</li> <li>Blinds the proof and batches it into a Merkle tree</li> <li>Commits the Merkle root to Solana</li> </ol> <p>Here is the hashing core -- it is deliberately simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">sha256</span><span class="p">(</span><span class="nx">buffer</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">buffer</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">buildCombinedHash</span><span class="p">(</span><span class="nx">requestHash</span><span class="p">,</span> <span class="nx">responseHash</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">requestHash</span><span class="p">}</span><span class="s2">|</span><span class="p">${</span><span class="nx">responseHash</span><span class="p">}</span><span class="s2">|</span><span class="p">${</span><span class="nx">timestamp</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="k">return</span> <span class="nf">sha256</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>The combined hash binds the request, response, and timestamp together. Change a single byte in any of them and you get a completely different hash. Nothing new here -- this is textbook content-addressable integrity.</p> <h2> Where It Gets Interesting: Dual Secrets </h2> <p>The first version of IOProof generated one secret per proof. The API caller (say, your chatbot service) got the secret, and if the end-user wanted to verify, the service had to manually share it. That is a trust bottleneck -- the very thing we are trying to eliminate.</p> <p>The fix is to generate <strong>two independent secrets</strong> at proof creation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">generateSecret</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// In the proxy route:</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nf">generateSecret</span><span class="p">();</span> <span class="c1">// owner secret (for the API caller)</span> <span class="kd">const</span> <span class="nx">userSecret</span> <span class="o">=</span> <span class="nf">generateSecret</span><span class="p">();</span> <span class="c1">// user secret (for the end-user)</span> <span class="kd">const</span> <span class="nx">blindedHash</span> <span class="o">=</span> <span class="nf">blindHash</span><span class="p">(</span><span class="nx">combinedHash</span><span class="p">,</span> <span class="nx">secret</span><span class="p">);</span> </code></pre> </div> <p>Both secrets unlock identical proof details -- full request/response payloads, all hashes, the Merkle proof, the Solana transaction. But they are verified through <strong>different cryptographic mechanisms</strong>, and that distinction matters.</p> <h2> Two Verification Paths </h2> <p>The owner secret is verified via <strong>blinding</strong>. The blinded hash is what goes on-chain, and it is computed as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">blindHash</span><span class="p">(</span><span class="nx">combinedHash</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">sha256</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">combinedHash</span><span class="p">}</span><span class="s2">|</span><span class="p">${</span><span class="nx">secret</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>At verification time, the server re-derives the blinded hash from the supplied secret. If <code>SHA-256(combined_hash | secret) === stored_blinded_hash</code>, the owner is authenticated. No stored secret to compare against -- just math.</p> <p>The user secret is verified via <strong>constant-time direct comparison</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">safeEqual</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">a</span> <span class="o">||</span> <span class="o">!</span><span class="nx">b</span> <span class="o">||</span> <span class="nx">a</span><span class="p">.</span><span class="nx">length</span> <span class="o">!==</span> <span class="nx">b</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">return</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">timingSafeEqual</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">),</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">b</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>Why <code>timingSafeEqual</code>? A naive <code>===</code> comparison short-circuits on the first differing byte, leaking information about how many leading characters matched. That is a textbook timing side-channel. <code>crypto.timingSafeEqual</code> always takes the same amount of time regardless of input, preventing an attacker from brute-forcing the secret byte-by-byte.</p> <p>The verify endpoint distinguishes which path succeeded:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Owner: re-derive the blinded hash</span> <span class="kd">const</span> <span class="nx">expectedBlinded</span> <span class="o">=</span> <span class="nf">blindHash</span><span class="p">(</span><span class="nx">proof</span><span class="p">.</span><span class="nx">combinedHash</span><span class="p">,</span> <span class="nx">secret</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">expectedBlinded</span> <span class="o">===</span> <span class="nx">proof</span><span class="p">.</span><span class="nx">blindedHash</span><span class="p">)</span> <span class="p">{</span> <span class="nx">secretValid</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">accessType</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">owner</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// User: constant-time comparison against stored secret</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">secretValid</span> <span class="o">&amp;&amp;</span> <span class="nx">proof</span><span class="p">.</span><span class="nx">userSecret</span> <span class="o">&amp;&amp;</span> <span class="nf">safeEqual</span><span class="p">(</span><span class="nx">secret</span><span class="p">,</span> <span class="nx">proof</span><span class="p">.</span><span class="nx">userSecret</span><span class="p">))</span> <span class="p">{</span> <span class="nx">secretValid</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">accessType</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The response includes <code>access_type: "owner"</code> or <code>access_type: "user"</code>, so you always know which party verified. Both get identical proof data. Neither needs to trust the other or coordinate access.</p> <h2> Merkle Batching: One Transaction, Thousands of Proofs </h2> <p>Writing a Solana transaction per API call would be expensive and slow. Instead, IOProof batches pending proofs into a Merkle tree and commits just the root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">buildMerkleTree</span><span class="p">(</span><span class="nx">leaves</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">leaves</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">root</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">layers</span><span class="p">:</span> <span class="p">[]</span> <span class="p">};</span> <span class="k">if </span><span class="p">(</span><span class="nx">leaves</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">root</span><span class="p">:</span> <span class="nx">leaves</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="na">layers</span><span class="p">:</span> <span class="p">[</span><span class="nx">leaves</span><span class="p">]</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">layers</span> <span class="o">=</span> <span class="p">[</span><span class="nx">leaves</span><span class="p">.</span><span class="nf">slice</span><span class="p">()];</span> <span class="kd">let</span> <span class="nx">currentLayer</span> <span class="o">=</span> <span class="nx">leaves</span><span class="p">.</span><span class="nf">slice</span><span class="p">();</span> <span class="k">while </span><span class="p">(</span><span class="nx">currentLayer</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">nextLayer</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">currentLayer</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span> <span class="o">+=</span> <span class="mi">2</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">left</span> <span class="o">=</span> <span class="nx">currentLayer</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">right</span> <span class="o">=</span> <span class="nx">i</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">&lt;</span> <span class="nx">currentLayer</span><span class="p">.</span><span class="nx">length</span> <span class="p">?</span> <span class="nx">currentLayer</span><span class="p">[</span><span class="nx">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="p">:</span> <span class="nx">left</span><span class="p">;</span> <span class="c1">// duplicate last if odd</span> <span class="nx">nextLayer</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nf">sha256</span><span class="p">(</span><span class="nx">left</span> <span class="o">+</span> <span class="nx">right</span><span class="p">));</span> <span class="p">}</span> <span class="nx">layers</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">nextLayer</span><span class="p">);</span> <span class="nx">currentLayer</span> <span class="o">=</span> <span class="nx">nextLayer</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">root</span><span class="p">:</span> <span class="nx">currentLayer</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nx">layers</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>The leaves are <strong>blinded hashes</strong>, not raw data. Nothing on-chain reveals what was actually said. Each proof stores its own Merkle path, so any individual proof can be independently verified against the on-chain root without needing the full batch.</p> <p>The root goes to Solana as a memo instruction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ioproof|batch|{batchId}|{merkleRoot}|{proofCount}|{timestamp} </code></pre> </div> <p>One transaction. A few cents. Proves thousands of interactions.</p> <h2> The Concrete Use Case </h2> <p>Here is how this plays out in practice. Say you run an AI chatbot called Botlor:</p> <ol> <li>User asks Botlor a question</li> <li>Botlor proxies the request through IOProof to OpenAI</li> <li>IOProof captures both directions, hashes everything, generates dual secrets</li> <li>Botlor gets the receipt with <code>secret</code> (owner) and <code>user_secret</code> </li> <li>Botlor keeps <code>secret</code>, sends the user a verification link containing <code>user_secret</code> </li> <li>Both can independently verify via <code>GET /api/verify/:hash?secret=...</code> </li> </ol> <p>In a dispute, the user clicks their link and sees the exact request and response, along with the Solana transaction that commits to it. The service does the same with their secret. Neither had to ask the other for anything.</p> <p>There is also a standalone browser verifier that re-hashes everything client-side and fetches the Solana transaction directly via RPC -- zero trust in IOProof itself required.</p> <h2> Try It </h2> <p>IOProof launches publicly on <strong>March 1, 2026</strong>. Early access is open now.</p> <ul> <li> <strong>Self-host</strong> (MIT licensed, unlimited proofs): <a href="https://github.com/alekblom/ioproof" rel="noopener noreferrer">github.com/alekblom/ioproof</a> </li> <li> <strong>Hosted free tier</strong> (100 proofs/month): <a href="https://ioproof.com/register" rel="noopener noreferrer">ioproof.com/register</a> </li> <li> <strong>npm</strong>: <code>npm install ioproof</code> (<a href="https://www.npmjs.com/package/ioproof" rel="noopener noreferrer">v0.2.0</a>)</li> </ul> <p>The entire proxy is a single Node.js process. Point your existing API calls at it, and every interaction becomes independently verifiable by both parties. The code is MIT -- read it, fork it, poke holes in it.</p> <p>If you are building anything where AI outputs have real-world consequences -- customer support, medical triage, financial advice, legal research -- the question is not whether you need audit trails. It is whether both sides should be able to prove what happened without trusting each other.</p> ai opensource security showdev