Two AI Agents Walk Into a TEE: Building a Trustless Data Marketplace at the IC3 Shape Rotator Hackathon

How I implemented NDAI Agreements and Props for ML Security in a single unified attestation — solo, in under two weeks, on real Intel TDX hardware.

--

Press enter or click to view image in full size

The Problem Nobody Talks About

There’s a paradox at the heart of every private data transaction.

If you want to sell me a proprietary dataset — medical imaging records, financial time series, LIDAR sensor feeds — I need to see it before I’ll pay. But if you show it to me, I’ve already got it. I don’t need to pay anymore.

Kenneth Arrow named this in 1962. The “information paradox” or “disclosure-expropriation problem” explains why private data markets are so broken. Both sides know it. Nobody trusts anybody. So deals don’t happen. Valuable data sits locked in silos, and the potential for it to be useful — for research, for training AI, for product development — evaporates.

This is the problem DealProof is built to solve.

The Shape Rotator Hackathon

In early March 2026 I registered for the IC3 Shape Rotator Virtual Hackathon, run by the Initiative for Cryptocurrencies and Contracts and hosted by Encode Club. The format was unusual for a hackathon: you didn’t just build something, you had to extend or implement an IC3 research paper. Three tracks — TEE & AI-Enabled Applications, Cryptographic Primitives & Identity, DeFi Security & Mechanism Design.

I’d been contributing to Quantinuum’s guppylang compiler and studying quantum computing papers for months, so reading dense academic work wasn’t unfamiliar territory. I went through the IC3 paper list and two of them jumped out immediately, because they weren’t just interesting independently — they were clearly designed to be combined.

NDAI Agreements (Miller et al., IC3 2025) proposes a game-theoretic framework for AI agent negotiation inside Trusted Execution Environments. The core insight: if two AI agents negotiate inside a TEE, and the hardware signs the outcome, neither party can dispute what was agreed. The negotiation is private, the result is cryptographically attested, and the whole thing is verifiable without trusting either party.

Props for ML Security (Juels & Koushanfar, IC3 2024) takes a different angle. It’s about verifiable data provenance — how can you prove that the data feeding into an ML pipeline is what it claims to be? The answer is a TEE-backed Merkle proof system. What makes this particularly relevant: Props author Dani Vilardell wrote explicitly that Props could serve as “a gateway for agents to access private web data.” I wasn’t the only one who thought these papers belonged together.

DealProof is what happens when you take that suggestion seriously.

What I Built

Two Claude AI agents — buyer and seller — negotiate access to a private dataset entirely inside an Intel TDX Trusted Execution Environment, running on Phala Cloud. When they reach agreement:

1. The seller’s data is cryptographically verified via a Props-inspired Merkle proof before negotiation begins
2. The agents negotiate price, access scope, and duration inside the TEE
3. The hardware produces a TDX attestation quote — a hardware-signed proof that the negotiation happened exactly as described, and that the data was what the seller claimed
4. A Solidity smart contract on Ethereum Sepolia releases escrowed buyer funds on valid attestation

No intermediary. No trust required from either side. The hardware is the arbiter.

Here’s the architecture at a glance:

Buyer ──► AI Agent ──► TEE (Intel TDX / Phala Cloud) ◄── AI Agent ◄── Seller
                              │
                     Props data verification
                     (Merkle proof of dataset)
                              │
                     TDX attestation quote
                     (hardware-signed proof)
                              │
                     On-chain escrow release
                     (DealProof.sol on Sepolia)

The full stack: FastAPI + uvicorn, AsyncAnthropic for both agents, SQLite via aiosqlite for persistence, dstack tappd for TDX quote generation, web3.py for smart contract interaction. Deployed live on Phala Cloud.

The Technical Bits Worth Writing About

The Merkle Root That Isn’t a Tree

Props uses Merkle proofs for data verification, but DealProof’s implementation makes a specific choice that’s worth explaining, because it’s the kind of thing that looks like a shortcut but is actually load-bearing.

Instead of a binary Merkle tree, DealProof uses flat concatenation with a 4-byte length prefix:

length_prefix = len(chunk_hashes).to_bytes(4, "big")
raw = length_prefix + b"".join(bytes.fromhex(h) for h in chunk_hashes)
root_hash = hashlib.sha256(raw).hexdigest()

Why the length prefix? Without it, flat concatenation is vulnerable to a second-preimage attack. An attacker could craft a single large chunk whose SHA-256 matches the root of N smaller chunks — the verifier would accept it as the same dataset. The length prefix makes the number of chunks part of the hash input, so a single-chunk forgery produces a different root by construction. It’s not defensive redundancy. It’s what makes the scheme sound.

DealProof’s Props verifier has 22 tests covering all failure paths: tampered chunk hash, wrong root, mismatched chunk count, malformed hex. Any of these return a 400 before negotiation is even allowed to start.

Dual TDX Attestation

Each completed deal produces two independent TDX quotes:

Props quote — covers data verification: data_hash, verified flag, chunk_count, algorithm. Generated immediately after Props verification succeeds.

Deal quote — covers the negotiation outcome: final_price, access_scope, duration_days, data_hash. Generated after agents reach agreement.

The binding mechanism: deal terms get serialised to canonical JSON (sort_keys=True for determinism), SHA-256 hashed, and placed in REPORTDATA[0:32] of the TDX quote request. Anyone can verify by recomputing SHA-256(terms) and comparing to REPORTDATA. Both quotes are independently verifiable against Intel’s DCAP certificate chain — currently via Phala’s root cert, with full Intel DCAP on-chain verification as Phase 7.

The data_hash appears in both quotes. This is intentional. It cryptographically binds the negotiation outcome to the specific dataset that was verified — you can’t swap the data after the deal is done.

AsyncAnthropic and the Negotiation Loop

Both agents run as stateless async functions. The negotiation loop alternates between buyer and seller for up to 10 rounds. Each agent receives the full transcript so far as context, along with their private instructions (budget ceiling for the buyer, floor price for the seller — neither visible to the other agent).

Agents respond with structured JSON:

{
  "action": "accept | counter | reject",
  "price": 4200.00,
  "terms": {"access_scope": "read_only", "duration_days": 30},
  "reasoning": "Countering at $4,200 — within range but want read-only access"
}

One bug worth noting: Claude occasionally returns "price": null in early rounds when reasoning about whether to accept at all. The fix is data.get("price") or 0 — not just data.get("price"), which silently passes null through. Small things like this are where solo hackathon builds accumulate technical debt fast.

The TEE Simulator

Real Intel TDX hardware isn’t something you can run on your laptop. Phala Cloud provides a tappd-simulator Docker image that mirrors the tappd API exactly — same endpoints, same response format — but runs locally without requiring hardware enclaves. This made local development and testing possible.

The simulator meant all 56 tests pass in under 3 seconds on any machine. Production deployment on Phala Cloud replaces the simulator with a real CVM and produces genuine hardware-attested TDX quotes.

What I Didn’t Get Done

Honest reflections on a solo two-week build:

No frontend. DealProof is API-only, plus a CLI demo script. The Swagger UI at /docs is functional, but it's not a user experience. For the accelerator roadmap, a React frontend with wallet connection is Priority 1.

Option A attestation, not DCAP. Currently using Phala’s root certificate for attestation verification, which means trusting Phala’s word that the hardware is genuine. Full Intel DCAP on-chain verification — where you verify the TDX quote directly against Intel’s public certificate chain — is Phase 7. TrustVerify (Joanne Muthoni’s Shape Rotator submission) built exactly this verification layer, which is why I’ve already reached out about collaboration.

No real data streaming. The TEE verifies data hashes, not raw data. A production system would stream data directly into the enclave for real-time hashing — the buyer gets a cryptographic guarantee without ever seeing the underlying data. This is the technically interesting next step.

Single-buyer auction. The current model is one buyer, one seller. Multi-party sealed-bid auctions inside a TEE — where no bidder can see the others’ bids — is a natural extension, and it’s on the roadmap.

Why This Combination Is Different

Most projects at Shape Rotator implemented one paper well. DealProof bridges two: NDAI Agreements for the negotiation layer, Props for the data provenance layer, unified into a single attestation where the data_hash appears in both quotes.

The distinction matters practically. A system that only implements NDAI Agreements can produce a cryptographically attested negotiation outcome — the buyer and seller agreed on $4,200 for read-only access — but the buyer has no way to verify the data actually matches what was described. The seller could claim it’s a 10TB LIDAR dataset and deliver garbage.

Props fills that gap. The Merkle proof verifies the data before negotiation starts, and the data_hash is bound into both attestation quotes. The deal outcome and the data verification are cryptographically linked. You can’t separate them.

This is what Props author Dani Vilardell was gesturing at when he suggested Props as “a gateway for agents to access private web data.” DealProof is a concrete implementation of that idea.

The Bigger Picture

Private data markets are a real and growing problem. As AI training becomes increasingly dependent on proprietary, domain-specific data — medical records, financial instruments, industrial sensor feeds — the question of how to transact around that data without either side being cheated becomes genuinely important.

The current solutions are all trust-based: data brokers, NDAs, legal agreements, reputation. These work for large institutions with legal departments. They don’t work for researchers, startups, or independent data providers who don’t have the infrastructure to enforce them.

TEE-based negotiation isn’t a complete solution. It solves the cryptographic problem but not the economic one — you still need liquid markets, pricing mechanisms, reputation systems. But it’s a necessary layer in any trustless data marketplace, and it’s one that’s now technically feasible with Phala Cloud providing accessible TDX infrastructure.

What’s Next

DealProof submitted to the IC3 Shape Rotator Accelerator application (10-week program, May–July 2026). Whether that comes through or not, the roadmap is clear:

• Phase 6: React frontend — wallet connection, live negotiation transcript, attestation verification UI
• Phase 7: Full Intel DCAP on-chain verification
• Phase 8: DKIM email proof inside TEE — sellers can prove they represent a company without revealing identity
• Phase 9: Multi-party sealed-bid auctions

The code is live at https://github.com/kkoci/Dealproof under MIT licence. The API is deployed on Phala Cloud at the URL in the README. You can run a deal right now via the Swagger UI.

Part 2 of this writeup will cover the DCAP implementation, what real data streaming into a TEE looks like, and what a production-ready trustless data marketplace actually needs to look like.

Kristian Koci is a Senior Backend Engineer based in the UK, with open source contributions to Quantinuum’s guppylang compiler. Bradford Quantum Hackathon 2025 winner. World Bank Quantum Climate Risk Challenge Phase 3 finalist.