The problem with watermarks
An audio watermark is a hidden signal embedded in the sound itself. Inaudible (in theory), it encodes info ("this track comes from Suno", "this track comes from Udio v2"). That's what Google does with SynthID, what Meta does with AudioSeal.
The problem: the watermark lives inside the file. If you re-encode to MP3 64kbps, if you pitch-shift, if you run it through an aggressive convolution reverb, the watermark degrades or disappears. And that's without counting the tools explicitly built to strip it.
A Proof-of-Human certificate is the inverse: the certificate is not in the sound. It's next to it, signed, and points to it.
The 4 bricks of a certificate
1. The SHA-256 hash
We take your audio file (the 24-bit master WAV, for example). We pass it through a hash function: SHA-256. Result: a 64-character hex string, unique to your file.
sha256: a3f2b8c9d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0
Change a single bit of the file (a sample modified by -1 dB on a frame) and the hash changes completely. That is what binds the certificate to one specific file without modifying it.
2. The payload (the certificate's content)
JSON, structured along W3C Verifiable Credentials 2.0 conventions (a 2025 W3C Recommendation):
{
  "version": "1.0",
  "issuer": "https://orphea.app",
  "issuedAt": "2026-05-03T14:30:00Z",
  "subject": { "trackId": "...", "artistId": "...", "title": "Midnight Drive" },
  "fileIdentity": { "sha256": "...", "sizeBytes": 12345678, "mime": "audio/mpeg" },
  "acoustId": { "status": "no_match", "confidence": null },
  "audioFeatures": { "present": true, "bpm": 128, "keyLabel": "Am" },
  "score": 92
}
Readable. Verifiable. No magic.
3. Canonicalization (RFC 8785 / JCS)
Small trap: two JSON serializers often produce different outputs (whitespace, key order, number encoding). Result: two different hashes for the same info → broken signature.
We use JCS (JSON Canonicalization Scheme), an IETF standard that forces a single possible representation: keys sorted alphabetically, no useless whitespace, strict number format. It's the musical equivalent of putting all tracks in the same key before comparing them.
4. The Ed25519 signature
Orphea holds a private Ed25519 key in a secure cryptographic module (KMS). We sign the canonicalized payload. The signature is 64 bytes.
The corresponding public key is published at orphea.app/api/certificates/.well-known/public-key. Anyone can download it and verify the signature. We don't control verification — we only issue.
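The four bricks above, seen from the verifier's side, as an added example that is not Orphea's code. It assumes a `{ payload, signature }` envelope with a base64 signature, uses a throwaway key pair and constructed bytes in place of the published key and a real master, and its `canonicalize` is a minimal JCS serializer for plain JSON values.

```javascript
const crypto = require('crypto');
// Minimal RFC 8785 (JCS) serializer: keys sorted by UTF-16 code unit, no
// whitespace, ECMAScript number and string forms (what JSON.stringify emits).
function canonicalize(value) {
  if (value === undefined || (typeof value === 'number' && !Number.isFinite(value))) {
    throw new TypeError('value cannot be represented in JCS');
  }
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  const members = Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
  return '{' + members.join(',') + '}';
}

const sha256Hex = (bytes) => crypto.createHash('sha256').update(bytes).digest('hex');

// cert = { payload, signature } is an assumed envelope; the page does not
// say how the signature is attached to the payload.
function verifyCertificate(cert, fileBytes, publicKey) {
  const message = Buffer.from(canonicalize(cert.payload), 'utf8');
  const signature = Buffer.from(cert.signature, 'base64');
  const signatureOk = crypto.verify(null, message, publicKey, signature);
  const fileOk = sha256Hex(fileBytes) === cert.payload.fileIdentity.sha256;
  return { signatureOk, fileOk };
}

// Constructed demo: throwaway key pair and placeholder bytes, no real issuer.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const master = Buffer.from('constructed stand-in for master audio bytes');
  const payload = {
    version: '1.0', issuer: 'https://issuer.example', score: 92,
    fileIdentity: { sha256: sha256Hex(master), sizeBytes: master.length },
  };
  const sig = crypto.sign(null, Buffer.from(canonicalize(payload)), privateKey);
  const cert = { payload, signature: sig.toString('base64') };
  const check = (c, file) => verifyCertificate(c, file, publicKey);
  const reordered = Object.fromEntries(Object.entries(payload).reverse());
  return {
    signatureBytes: sig.length,
    original: check(cert, master),
    // Same fields in another key order: JCS yields identical signed bytes.
    reorderedKeys: check({ ...cert, payload: reordered }, master),
    // A re-encoded or edited file no longer matches the signed hash.
    changedFile: check(cert, Buffer.concat([master, Buffer.from([0])])),
    // Editing the payload after issuance breaks the signature.
    editedPayload: check({ ...cert, payload: { ...payload, score: 100 } }, master),
  };
}
```

A verifier should require both checks: `signatureOk` alone only shows the issuer signed that payload, not that the file in hand is the one it describes.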
Why Ed25519 and not RSA or ECDSA?
- Faster: 10× the perf of RSA, 64-byte signatures vs 256 for RSA.
- Deterministic: no random generator at signing time (weak RNG = compromised key, see the 2010 PS3 incident).
- NIST FIPS 186-5 (2023): officially approved.
- NIST SP 800-81r3 (March 2026): recommended for new deployments.
Why it's stronger than a watermark
| Audio watermark | Proof-of-Human certificate |
|---|---|
| Destroyed by aggressive re-encoding | Survives anything (separate from file) |
| Strippable by third-party tools | Crypto-secured, non-falsifiable |
| Proves "AI" (presence) | Proves "human" (signature) |
| Vendor-proprietary format | Open standard (C2PA + W3C VC) |
| Opaque verification | Public offline verification |
Above all: a watermark lives inside the audio, so it's limited to what's inaudible. Max capacity: ~50 bits per second. A certificate has no size constraint: you can put the full production history in there if you want.
The challenge we're not skipping
A certificate says "Orphea verified that at time T, file H passed the human tests". It does NOT say "this file will never be re-uploaded by someone else".
Solution: we index the hash in a public registry. If the same hash appears under two different artists, alert. Same principle as blockchain registries for IP, without the blockchain.
4 takeaways for artists who want to understand
- The certificate does NOT alter your audio file — No degradation, no hidden watermark, no lost bit. The master you deliver is byte-identical to the one you exported.
- Verification is free and public — Anyone can hit orphea.app/track/[id]/certificate and confirm the certificate. Your labels, your sync agents, your fans.
- You keep your identity — The certificate links your DID (which you control) to the hash. If you leave Orphea, your DID goes with you.
- Open format = future-proof — If tomorrow SoundCloud issues its own certificates on the same standards (C2PA + W3C VC), everything inter-verifies. No lock-in.
Activate Proof-of-Human directly in Orphea Studio — it's free for every artist on the waitlist.