What is authenticity?
You can no longer tell the real from the fake by looking. Authenticity has moved from something you confirm by sight to something you confirm by proof.
Authenticity means that data or content is genuine, has not been altered since it was created, and comes from a verified origin (its provenance). A thing is authentic when you can trace who made it, when, and how it was handled afterward.
As generative AI spreads and fakes become indistinguishable from the real thing, authenticity has become a precondition everywhere information is handled. Across journalism, finance, government, healthcare, manufacturing, and the operation of AI agents, being able to confirm whether the data in front of you is real is the foundation of any decision.
Detection is not proof.
Detection — finding anomalies after the fact — is essential for grasping the damage. But it does not establish, before something happens, whether the data in front of you is real. Authenticity holds only when a layer verifies provenance independently, before execution.
Authenticity, integrity, and confidentiality
In information security, authenticity is often discussed alongside neighboring concepts. They are easy to confuse, so here is the distinction.
- Authenticity: being genuine — who made it, whether the origin is verified, and that it is not an impersonation.
- Integrity: being unaltered — that the content has not changed since creation.
- Confidentiality: being visible only to those permitted.
Integrity guarantees that the contents have not changed, but on its own it does not guarantee that the thing came from a genuine origin in the first place. Authenticity is the broader concept: integrity plus verification of origin (provenance).
Authenticity, legibility, and preservation — the three requirements for Japanese e-records
In Japanese regulation, authenticity is defined as a concrete requirement. The Electronic Books Preservation Act[1] and the Ministry of Health, Labour and Welfare's guidelines for medical information systems (electronic medical records)[2] require three properties of electronic records: authenticity, legibility, and preservation.
- Authenticity: the record is genuine, any alteration or deletion is traceable, and the author's responsibility is clear.
- Legibility: it can be output in a readable form when needed.
- Preservation: it stays readable throughout the retention period.
Of these, authenticity is upheld through electronic signatures, timestamps, and management of operation history (provenance). Lemma's provenance proof fixes exactly this — who created which version, when, and whether it was altered — in a cryptographically verifiable form. See Regulatory Attribute Proof (Pillar 04).
Where authenticity is at stake (by domain)
Authenticity is a single word, but what it requires changes with each setting.
- Regulation & e-records: electronic books, electronic medical records, contracts, and audit trails. You need to be able to prove later that a record is a genuine, unaltered original. → Regulatory Attribute Proof (Pillar 04); for operational adoption, a data foundation for delegating work to AI safely. Related case: Wirecard's forged bank balance confirmations (No.021).
- Media & content: that a photo, video, or article is genuine and unedited since capture. The industry standard C2PA (Coalition for Content Provenance and Authenticity)[3] and Content Credentials standardize the recording of origin and provenance. → Related cases: deepfakes generating real people (No.050/053/084).
- Finance & DeFi: that a transaction or cross-chain transfer is genuine and came from a legitimate origin. Without verifying the origin's provenance, unbacked issuance and illicit transfers follow directly. → Related case: a bridge infinite-mint (No.085).
- AI agents & AI output: that you can trace what an AI's referenced facts and generated output are backed by (their provenance). → Verifiable AI (Pillar 02).
- Supply chain & procurement: that parts, inspection records, and supplier qualifications are genuine and from a legitimate issuer. → Supply-chain ESG.
The domains differ, but the root is the same: can you independently verify where it came from, whose it is, and which version it is? That is the core of authenticity.
Authenticity data is handled differently by the issuer and the receiver
Authentic data is issued by the sender with provenance attached, and the receiver verifies that proof.
You want to show the other side that the photo, article, or video you made is genuine and unaltered.
- Decide what to prove (author, capture time, unedited, and so on)
- Issue with provenance and a signature attached, without handing over the source data
- Deliver only the proof to the receiver
Attaching provenance and issuing is Seal. It works alongside C2PA (Coalition for Content Provenance and Authenticity).
See how to start issuing →
You want to confirm beforehand that the image or article you received is genuine and from a legitimate issuer.
- Receive the attached proof
- Verify the issuer and whether it was altered (without opening the contents)
- Use or distribute only what checks out
Verification is Verifiable AI (Pillar 02) and Verifiable Origin (Pillar 01). You receive only the proof.
See how to start verifying →
For the technical detail, see “How to verify authenticity” below.
Layer Lemma's cryptographic verification on top of the standards (C2PA / W3C VC). Issuing and verifying are a pair — the same provenance, handled from both sides.
How to verify authenticity
The technologies that support authenticity divide into several layers.
- Electronic signatures: show that the author is who they claim and that nothing was altered after signing.
- Timestamps: fix when something existed.
- Hashes: check whether contents match.
- Provenance: record the chain of who created or edited what, when, and where. C2PA is the standard for attaching this provenance to content.
- Zero-knowledge proofs (ZK proofs): prove only that a condition is met, without disclosing the underlying data.
The key point is that detection and proof are different things. Detection — finding anomalies after the fact — is indispensable for grasping damage. But detection does not establish, before the fact, whether the data in hand is genuine and came from a legitimate origin. Finding an anomaly afterward does not stop a process that has already gone through. Authenticity is upheld only when there is a layer that independently verifies provenance before execution (see detection is not proof).
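The following is an added example, not code from Lemma or from the C2PA specification. It shows the signature, timestamp, hash, and provenance layers working together on the issuer and receiver sides, and why a matching hash (integrity) does not establish origin (authenticity). Assumptions: the actor names, keys, timestamps, and record layout are constructed, and HMAC with a shared key stands in for an electronic signature.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC with a shared key stands in for an electronic
# signature; a real issuer would sign with an asymmetric private key.
TRUSTED = {"camera-01": b"constructed-key-A", "editor-desk": b"constructed-key-B"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canon(obj) -> bytes:
    """Canonical JSON bytes, so issuer and receiver hash the same thing."""
    return json.dumps(obj, sort_keys=True).encode()

def issue(chain, actor, key, action, content, ts):
    """Issuer: append a signed, timestamped, hash-linked provenance entry."""
    record = {"actor": actor, "action": action, "ts": ts,
              "content_sha256": sha256(content),
              "prev": sha256(canon(chain[-1])) if chain else ""}
    sig = hmac.new(key, canon(record), hashlib.sha256).hexdigest()
    return chain + [{"record": record, "sig": sig}]

def integrity_only(chain, content_hash):
    """Hash layer alone: content matches whatever the record claims."""
    return bool(chain) and chain[-1]["record"]["content_sha256"] == content_hash

def verify(chain, content_hash, trusted=TRUSTED):
    """Receiver: checks the proof and a content hash, never the content."""
    if not chain:
        return "no proof"
    prev = ""
    for e in chain:
        rec, key = e["record"], trusted.get(e["record"]["actor"])
        if key is None:
            return "untrusted issuer"
        good = hmac.new(key, canon(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, e["sig"]):
            return "bad signature"
        if rec["prev"] != prev:
            return "broken chain"
        prev = sha256(canon(e))
    return "ok" if integrity_only(chain, content_hash) else "content altered"

def demo():
    """Constructed scenario: a genuine two-step chain and a forged record."""
    raw, crop, fake = b"constructed capture", b"constructed crop", b"constructed fake"
    real = issue([], "camera-01", TRUSTED["camera-01"], "capture", raw, "09:00Z")
    real = issue(real, "editor-desk", TRUSTED["editor-desk"], "crop", crop, "10:00Z")
    forged = issue([], "camera-01", b"not-the-real-key", "capture", fake, "09:00Z")
    return (verify(real, sha256(crop)), integrity_only(forged, sha256(fake)),
            verify(forged, sha256(fake)))
```

The forged record passes the hash check because its author computed the hash over the substituted content; only the issuer check rejects it. A receiver that calls `verify` and proceeds only on `"ok"` is verifying provenance before use rather than detecting a problem afterward.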
Meet authenticity with Lemma's provenance proof
Lemma proves provenance without handing over the data. The source data never goes to Lemma; what you receive is only a proof that the provenance is traceable.
- Cryptographically verified provenance: fixes who created which version, when, and whether it was altered, as a tamper-proof proof.
- Prove without exposing data: zero-knowledge proofs show only authenticity without disclosing the source data. Selective disclosure reveals only the attributes you need, minimally.
- Works alongside standards: designed to cooperate with C2PA, MCP, A2A, and x402. It does not replace content provenance standards — it layers verification on top of them.
- Model-independent: even when AI models change, the provenance proof remains.
For the design, see Verifiable Origin (Pillar 01) and Seal; for verifying AI output, see Verifiable AI (Pillar 02) and Trust402.
Frequently asked questions
- What is the difference between authenticity and integrity?
- Integrity guarantees that the content has not been altered. Authenticity is the broader concept: on top of integrity, it asks whether the origin is genuine, that is, who made it and that it is not an impersonation.
- What does authenticity mean under e-record and medical-record rules?
- That a record is genuine, that any alteration or deletion is traceable, and that the author's responsibility is clear. It is upheld through electronic signatures, timestamps, and operation history (provenance). In Japanese e-records it is one of three requirements: authenticity, legibility, and preservation.
- How does C2PA relate to provenance proof?
- C2PA is an industry standard for attaching provenance information to content. Lemma's provenance proof works alongside it, providing the layer that cryptographically verifies the attached provenance. It is complementary, not a replacement.
- Can detection tools alone protect authenticity?
- Detection finds anomalies after the fact and is indispensable for grasping damage. But it does not establish, before execution, whether something came from a genuine origin. Authenticity needs a layer that independently verifies provenance beforehand.
- [1] National Tax Agency — Electronic Books Maintenance system special site (電子帳簿保存法, in Japanese)
- [2] Ministry of Health, Labour and Welfare — Guidelines for the Safety Management of Medical Information Systems, ed. 6.0 (in Japanese)
- [3] C2PA (Coalition for Content Provenance and Authenticity) — official site & technical specifications