aCAPTCHA: Verifying That an Entity Is a Capable Agent via Asymmetric Hardness

TL;DR

aCAPTCHA introduces a novel verification method leveraging asymmetric hardness in cognitive and processing capabilities to distinguish humans, scripts, and AI agents through a time-based security protocol.

Contribution

It formalizes the entity verification problem with a new taxonomy and proposes a time-constrained CAPTCHA leveraging asymmetric hardness for secure agent verification.

Findings

Preliminary trials validate protocol soundness and completeness.

The method effectively distinguishes humans from AI agents based on timing thresholds.

Provides a scalable, infrastructure-free verification mechanism.

Abstract

As autonomous AI agents increasingly populate the Internet, a novel security challenge arises: "Is this entity an AI agent?" It is a new entity-type verification problem with no established solution. We formalize the problem through a three-class entity taxonomy (Human, Script, Agent) based on a verifiable agentic capability vector <x, r, s> (action, reasoning, and memory). A timing threshold t exploits the asymmetric hardness between human cognition and AI processing to separate the three classes. We define the Agentic Capability Verification Problem (ACVP) through three necessity primitives, each testing one capability dimension. Building on this foundation, we introduce aCAPTCHA (Agent CAPTCHA), a time-constrained security game for agent admission whose security rests on ACVP hardness under t. We instantiate aCAPTCHA through time-bounded natural-language understanding as a multi-round HTTP verification protocol, and evaluate it with preliminary agent trials that validate the protocol's soundness and completeness. aCAPTCHA provides a composable, infrastructure-free admission gate for any service where entity-type verification is required.