An AI artifact is tamper-evident when any modification to the artifact or its certification record can be detected through cryptographic verification. CertifiedData achieves tamper-evidence using two complementary mechanisms: SHA-256 hashing for dataset integrity and Ed25519 signatures for certificate authenticity.
Tamper-evidence does not prevent modification — it makes modification detectable. Any party with the artifact, the certificate, and the public key can independently verify whether either has been altered since certification.
How tamper-evidence works in practice
At certification time, CertifiedData computes a SHA-256 hash of the dataset and embeds it in the certificate payload. The payload is then signed with an Ed25519 private key. Both the hash and the signature are stored in the certificate.
During verification, the verifier recomputes the dataset hash and checks it against the certificate. They also verify the Ed25519 signature against the published public key. Both checks must pass for the artifact to be considered valid.
- SHA-256 detects any change to the dataset — even a single byte modification
- Ed25519 signature detects any change to the certificate contents
- Both mechanisms work independently and can be verified by any party
- Verification requires no connection to CertifiedData — only the public key
What triggers tamper detection
Because SHA-256 has the avalanche effect — where small changes in input produce completely different outputs — any modification to a certified dataset immediately invalidates the hash. Rows cannot be added or removed, values cannot be changed, and datasets cannot be partially substituted without detection.
Similarly, any modification to the certificate JSON — changing the timestamp, issuer, algorithm, or any other field — invalidates the Ed25519 signature. The signature can only be produced by the holder of CertifiedData's private key.
- Dataset row added or removed — hash changes, verification fails
- Dataset value modified — hash changes, verification fails
- Certificate timestamp edited — signature invalid, verification fails
- Certificate issuer field changed — signature invalid, verification fails
The complete tamper-evident verification chain
The full verification chain is: dataset → SHA-256 hash → certificate payload → Ed25519 signature → public key validation. Each link in this chain is independently verifiable.
This architecture mirrors how TLS certificates work for websites — applied to AI artifacts. The certificate authority's public key is the trust anchor, and the chain from artifact to signature is the evidence.
Why tamper-evidence matters for AI governance
Tamper-evident artifacts are a prerequisite for meaningful AI audits. If a dataset or certification record can be silently altered after the fact, audit trails and compliance documentation lose their evidential value.
For AI systems subject to EU AI Act Article 12 (logging requirements) or Article 19 (documentation), tamper-evident certification records provide the durable, independently verifiable evidence that regulators and auditors require.
Frequently asked questions
Can tampering be hidden from detection?
No. Any change to a certified dataset produces a different SHA-256 hash. Any change to the certificate payload invalidates the Ed25519 signature. Both are immediately detectable by any verifier.
Does tamper-evidence mean the artifact cannot be changed?
No — tamper-evidence means changes are detectable, not that they are prevented. A modified artifact will simply fail verification.
Is tamper-evidence different from encryption?
Yes. Encryption hides content from unauthorized access. Tamper-evidence detects whether content has been modified. CertifiedData uses tamper-evidence, not encryption — datasets remain readable.
Generate tamper-evident certified data
Every dataset generated and certified on CertifiedData receives a tamper-evident certificate binding the dataset to its cryptographic fingerprint.