| Internet-Draft | TRIP | February 2026 |
| Ayerbe Posada | Expires 13 August 2026 | [Page] |
This document specifies the Trajectory-based Recognition of Identity Proof (TRIP) protocol, a decentralized mechanism for establishing claims of physical-world presence through cryptographically signed, spatially quantized location attestations called "breadcrumbs." Breadcrumbs are chained into an append-only log, bundled into verifiable epochs, and distilled into a Trajectory Identity Token (TIT) that serves as a persistent pseudonymous identifier.¶
The protocol employs a Criticality Engine grounded in statistical physics to distinguish biological movement from synthetic trajectories. Power Spectral Density analysis detects the 1/f signature of Self-Organized Criticality in human mobility. A six-component Hamiltonian energy function scores each breadcrumb against the identity's learned behavioral profile in real time.¶
This revision formalizes the mapping to the RATS Architecture (RFC 9334), clarifies the Verifier trust model including support for multiple independent Verifiers, introduces an active challenge-response verification protocol that binds Attestation Results to specific Relying Party requests with cryptographic freshness, and corrects the privacy model to accurately describe the flow of Evidence between Attester and Verifier.¶
TRIP is designed to be transport-agnostic and operates independently of any particular naming system, blockchain, or application layer.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 13 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Conventional approaches to proving that an online actor corresponds to a physical human being rely on biometric capture, government-issued documents, or knowledge-based challenges. Each technique introduces a centralized trust anchor, creates honeypots of personally identifiable information (PII), and is susceptible to replay or deepfake attacks.¶
TRIP takes a fundamentally different approach: it treats sustained physical movement through the real world as evidence of embodied existence. A TRIP-enabled device periodically records its position as a "breadcrumb" -- a compact, privacy- preserving, cryptographically signed attestation that the holder of a specific Ed25519 key pair was present in a particular spatial cell at a particular time. An adversary who controls only digital infrastructure cannot fabricate a plausible trajectory because doing so requires controlling radio-frequency environments (GPS, Wi-Fi, cellular, IMU) at many geographic locations over extended periods.¶
Version -01 introduced a Criticality Engine grounded in Giorgio Parisi's Nobel Prize-winning work on scale-free correlations [PARISI-NOBEL] and Albert-Laszlo Barabasi's research on the fundamental limits of human mobility [BARABASI-MOBILITY].¶
This revision (-02) addresses three areas identified through expert review: it formalizes the mapping between TRIP components and the RATS Architecture [RFC9334], explicitly stating the Verifier trust model and multi-Verifier deployment assumptions; it introduces an active challenge-response verification protocol that provides cryptographic freshness guarantees for Attestation Results; and it corrects the privacy model to accurately describe that H3-quantized Evidence is transmitted to the Verifier, with privacy deriving from the lossy quantization transform rather than data locality.¶
This document specifies the data structures, algorithms, and verification procedures that constitute the TRIP protocol. It intentionally omits transport bindings, naming-system integration, and blockchain anchoring, all of which are expected to be addressed in companion specifications.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Terms defined in the RATS Architecture [RFC9334] (Attester, Evidence, Verifier, Attestation Result, Relying Party) are used throughout this document with their RFC 9334 meanings. Additional terms specific to TRIP:¶
This section summarizes the substantive changes from draft-ayerbe-trip-protocol-01:¶
Proof-of-Trajectory requires demonstrated movement. A conforming implementation MUST reject a breadcrumb if the H3 cell is identical to the immediately preceding breadcrumb. Implementations SHOULD also enforce a cap (default 10) on the number of breadcrumbs recordable at any single H3 cell to prevent stationary farming.¶
Breadcrumbs SHOULD be collected at intervals of no less than 15 minutes. An implementation MAY allow shorter intervals during explicit "exploration" sessions but MUST NOT accept intervals shorter than 5 minutes.¶
A Verifier MUST check:¶
An epoch seals a batch of breadcrumbs (default 100) under a Merkle root. The epoch record is a CBOR map containing:¶
| Key | Type | Description |
|---|---|---|
| 0 | uint | Epoch number |
| 1 | bstr (32) | Identity public key |
| 2 | uint | First breadcrumb index |
| 3 | uint | Last breadcrumb index |
| 4 | uint | Timestamp of first breadcrumb |
| 5 | uint | Timestamp of last breadcrumb |
| 6 | bstr (32) | Merkle root of breadcrumb hashes |
| 7 | uint | Count of unique H3 cells |
| 8 | bstr (64) | Ed25519 signature over fields 0-7 |
The Merkle tree MUST use SHA-256 and a canonical left-right ordering of breadcrumb block hashes. An epoch is sealed when the breadcrumb count reaches the epoch size threshold.¶
A TIT is the externally presentable identity derived from a TRIP trajectory. It consists of:¶
A TIT SHOULD be encoded as a CBOR map for machine consumption and MAY additionally be represented as a Base64url string for URI embedding.¶
The Criticality Engine is the core analytical component of the TRIP Verifier. It evaluates whether a trajectory exhibits the statistical signature of biological Self-Organized Criticality (SOC) -- the phenomenon where living systems operate at the boundary between order and chaos, producing scale-free correlations that are mathematically distinct from synthetic or automated movement.¶
The theoretical foundation rests on three pillars:¶
First, Parisi's demonstration [PARISI-NOBEL] that flocking organisms such as starling murmurations exhibit scale-free correlations [CAVAGNA-STARLINGS] where perturbations propagate across the entire group regardless of size. Crucially, Ballerini et al. showed that these interactions are topological (based on nearest k neighbors) rather than metric (based on distance) [BALLERINI-TOPOLOGICAL]. TRIP exploits this through Power Spectral Density analysis (Section 6.1): human movement produces characteristic 1/f pink noise that synthetic trajectories cannot replicate.¶
Second, Barabasi et al.'s discovery [BARABASI-MOBILITY] that human displacement follows truncated Levy flights with approximately 93% predictability [SONG-LIMITS]. TRIP learns each identity's mobility profile -- displacement distribution, anchor transition patterns, and circadian rhythms -- and detects deviations from these learned baselines (Section 7).¶
Third, a six-component Hamiltonian energy function (Section 8) that combines spatial, temporal, kinetic, flock-alignment, contextual, and structural analysis into a single anomaly score for each incoming breadcrumb. The Hamiltonian provides real-time detection while the PSD and mobility statistics provide aggregate trajectory assessment.¶
The primary diagnostic is the Power Spectral Density (PSD) of the displacement time series. Given a trajectory of N breadcrumbs with displacements d(i) between consecutive breadcrumbs, the PSD is computed via the Discrete Fourier Transform:¶
S(f) = |DFT(d)|^2 where d = [d(0), d(1), ..., d(N-1)] and d(i) = haversine_distance(cell(i), cell(i-1))¶
The PSD is then fitted to a power-law model:¶
S(f) ~ 1 / f^alpha¶
The exponent alpha (the "Parisi Factor") is the critical diagnostic:¶
| Alpha Range | Noise Type | Classification |
|---|---|---|
| 0.00 - 0.15 | White noise | Synthetic / automated script |
| 0.15 - 0.30 | Near-white | Suspicious (possible sophisticated bot) |
| 0.30 - 0.80 | Pink noise (1/f) | Biological / human |
| 0.80 - 1.20 | Near-brown | Suspicious (possible replay with drift) |
| 1.20+ | Brown noise | Drift anomaly / sensor failure |
A conforming implementation MUST compute the PSD alpha exponent over a sliding window of the most recent 64 breadcrumbs (minimum) to 256 breadcrumbs (recommended). The alpha value MUST fall within [0.30, 0.80] for the trajectory to be classified as biological.¶
The key insight is that automated movement generators lack the long-range temporal correlations ("memory") inherent in a system operating at criticality. A random walk produces white noise (alpha near 0). A deterministic replay produces brown noise (alpha near 2). Only a biological system operating at the critical point produces pink noise in the characteristic [0.30, 0.80] range.¶
The Criticality Confidence is a value in [0, 1] computed from the alpha exponent and the goodness-of-fit (R-squared) of the power-law regression:¶
alpha_score = 1.0 - |alpha - 0.55| / 0.25
criticality_confidence = alpha_score * R_squared
where:
0.55 is the center of the biological range
0.25 is the half-width of the biological range
R_squared is the coefficient of determination of the
log-log linear regression
¶
A criticality_confidence below 0.5 SHOULD trigger elevated monitoring. A value below 0.3 SHOULD flag the trajectory for manual review or additional verification challenges.¶
This section defines the mobility model that enforces known constraints of human movement, as established by Barabasi et al. [BARABASI-MOBILITY].¶
Human displacement between consecutive recorded locations follows a truncated power-law distribution:¶
P(delta_r) ~ delta_r^(-beta) * exp(-delta_r / kappa)
where:
delta_r = displacement distance (km)
beta = power-law exponent (typically 1.50 - 1.90)
kappa = exponential cutoff distance (km)
¶
The exponent beta captures the heavy-tailed nature of human movement: most displacements are short (home to office) but occasional long jumps (travel) follow a predictable distribution. The cutoff kappa is learned per identity and represents the characteristic maximum range.¶
A conforming implementation MUST maintain a running estimate of beta and kappa for each identity by fitting the displacement histogram using maximum likelihood estimation over the most recent epoch (100 breadcrumbs).¶
A new displacement that falls outside the 99.9th percentile of the fitted distribution MUST increment the spatial anomaly counter.¶
Research has demonstrated that approximately 93% of human movement is predictable based on historical patterns [SONG-LIMITS]. TRIP exploits this by maintaining a Markov Transition Matrix over anchor cells:¶
T[a_i][a_j] = count(transitions from a_i to a_j)
/ count(all departures from a_i)
where a_i, a_j are anchor cells.
¶
An anchor cell is defined as any H3 cell where the identity has recorded 5 or more breadcrumbs. The transition matrix is rebuilt at each epoch boundary.¶
The predictability score Pi for an identity is the fraction of observed transitions that match the highest-probability successor in the Markov matrix. Human identities converge toward Pi values in the range [0.80, 0.95] after approximately 200 breadcrumbs. Deviations below 0.60 are anomalous.¶
The implementation SHOULD maintain two histogram profiles:¶
These profiles provide the temporal baseline for the Hamiltonian temporal energy component (Section 8.2).¶
To assess each incoming breadcrumb, the Criticality Engine computes a weighted energy score H that quantifies how much the breadcrumb deviates from the identity's learned behavioral profile. High energy indicates anomalous behavior; low energy indicates normalcy.¶
H = w_1 * H_spatial
+ w_2 * H_temporal
+ w_3 * H_kinetic
+ w_4 * H_flock
+ w_5 * H_contextual
+ w_6 * H_structure
¶
Default weights:¶
| Component | Weight | Diagnostic Target |
|---|---|---|
| H_spatial | 0.25 | Displacement anomalies (teleportation) |
| H_temporal | 0.20 | Circadian rhythm violations |
| H_kinetic | 0.20 | Anchor transition improbability |
| H_flock | 0.15 | Misalignment with local human flow |
| H_contextual | 0.10 | Sensor cross-correlation failure |
| H_structure | 0.10 | Chain integrity and timing regularity |
Weights are modulated by the profile maturity m, defined as min(breadcrumb_count / 200, 1.0). During the bootstrap phase (m < 1.0), all weights are scaled by m, widening the acceptance threshold for new identities.¶
Given the identity's fitted truncated Levy distribution P(delta_r), the spatial energy for a displacement delta_r is the negative log-likelihood (surprise):¶
H_spatial = -log(P(delta_r)) where P(delta_r) = C * delta_r^(-beta) * exp(-delta_r / kappa) and C is the normalization constant.¶
Typical displacements yield H_spatial near the identity's historical baseline. A displacement that exceeds the identity's learned kappa cutoff by more than a factor of 3 produces an H_spatial value in the CRITICAL range.¶
Using the circadian profile C[hour] and weekly profile W[day]:¶
H_temporal = -log(C[current_hour]) - log(W[current_day])¶
Activity at 3:00 AM for an identity with a 9-to-5 circadian profile yields high H_temporal. Activity at 8:00 AM on a Tuesday for the same identity yields low H_temporal.¶
Using the Markov Transition Matrix T:¶
from_anchor = nearest anchor to previous breadcrumb to_anchor = nearest anchor to current breadcrumb H_kinetic = -log(max(T[from_anchor][to_anchor], epsilon)) where epsilon = 0.001 (floor to prevent log(0))¶
A home-to-office transition at 8:00 AM yields low H_kinetic. An office-to-unknown-city transition yields high H_kinetic.¶
Inspired by Parisi's finding that starlings track their k nearest topological neighbors (k approximately 6-7) rather than all birds within a metric radius [PARISI-NOBEL], the flock energy measures alignment between the identity's velocity vector and the aggregate velocity of co-located TRIP entities.¶
v_self = displacement vector of current identity
v_flock = mean displacement vector of k nearest
co-located identities (k = 7)
alignment = dot(v_self, v_flock)
/ (|v_self| * |v_flock|)
H_flock = 1.0 - max(alignment, 0)
¶
When flock data is unavailable (sparse network or privacy constraints), the implementation SHOULD fall back to comparing the current velocity against the identity's own historical velocity distribution at the same location and time-of-day.¶
H_flock defeats GPS replay attacks: an adversary replaying a previously recorded trajectory will find that the ambient flock has changed since the recording, producing a misalignment signal.¶
This component compares the IMU (accelerometer, gyroscope) signature against the claimed GPS displacement. A genuine device in motion produces correlated IMU and GPS readings. GPS injection on a stationary device is detected by the absence of corresponding IMU activity:¶
H_contextual = divergence(
observed_imu_magnitude,
expected_imu_magnitude_for(gps_displacement)
)
¶
Implementations that lack IMU access MUST set H_contextual = 0 and SHOULD increase the weights of other components proportionally.¶
This component evaluates the structural properties of the breadcrumb chain itself:¶
The total Hamiltonian H maps to an alert level. The baseline H_baseline is the rolling median of the identity's own recent energy values, making the threshold self-calibrating per identity:¶
| H Range | Level | Action |
|---|---|---|
| [0, H_baseline * 1.5) | NOMINAL | Normal operation |
| [H_baseline * 1.5, 3.0) | ELEVATED | Increase sampling frequency, log |
| [3.0, 5.0) | SUSPICIOUS | Flag for review, require reconfirmation |
| [5.0, infinity) | CRITICAL | Freeze trust score, trigger challenge |
A PoH Certificate is a compact, privacy-preserving Attestation Result (in the RATS sense) asserting that an identity has demonstrated biological movement characteristics. It contains ONLY statistical exponents derived from the trajectory -- no raw location data, no GPS coordinates, no cell identifiers.¶
The certificate is encoded as a CBOR map:¶
| Key | Type | Description |
|---|---|---|
| 0 | bstr (32) | Identity public key |
| 1 | uint | Issuance timestamp |
| 2 | uint | Epoch count at issuance |
| 3 | float | PSD alpha exponent |
| 4 | float | Levy beta exponent |
| 5 | float | Levy kappa cutoff (km) |
| 6 | float | Predictability score Pi |
| 7 | float | Criticality confidence |
| 8 | float | Trust score T |
| 9 | uint | Unique cell count |
| 10 | uint | Total breadcrumb count |
| 11 | uint | Validity duration (seconds) |
| 12 | bstr (16) / null | Relying Party nonce (if active verification) |
| 13 | bstr (32) / null | Chain head hash at issuance |
| 14 | bstr (64) | Verifier Ed25519 signature |
Fields 12 and 13 are populated only when the certificate is issued in response to an Active Verification request (Section 12.3). In Passive mode, these fields MUST be null.¶
A Relying Party receiving a PoH Certificate can verify:¶
The certificate reveals NOTHING about where the identity has been -- only that it has moved through the world in a manner statistically consistent with a biological organism.¶
The trust score T is computed as a weighted combination of four factors:¶
T = 0.40 * min(breadcrumb_count / 200, 1.0)
+ 0.30 * min(unique_cells / 50, 1.0)
+ 0.20 * min(days_since_first / 365, 1.0)
+ 0.10 * chain_integrity
chain_integrity = 1.0 if chain verification passes, else 0.0
T is expressed as a percentage in [0, 100].
¶
The threshold for claiming a handle (binding a human-readable name to a TIT) requires breadcrumb_count >= 100 and T >= 20.¶
In the Parisi percolation model, the trust score also incorporates the criticality confidence from the PSD analysis. A trajectory that fails the criticality test (alpha outside [0.30, 0.80]) MUST have its trust score capped at 50, regardless of other factors.¶
TRIP implements the Remote ATtestation procedureS (RATS) architecture defined in [RFC9334]. This section provides the normative mapping between TRIP components and RATS roles.¶
| RATS Role | TRIP Component | Description |
|---|---|---|
| Attester | TRIP-enabled mobile device | Collects breadcrumbs, signs them with the identity Ed25519 private key, chains them into the append-only trajectory log, and transmits H3-quantized Evidence to the Verifier. |
| Evidence | Breadcrumbs and epoch records | H3-quantized spatiotemporal claims including cell identifiers, timestamps, context digests, chain hashes, and Ed25519 signatures. Evidence is transmitted from Attester to Verifier. |
| Verifier | Criticality Engine | Receives Evidence, performs chain verification, computes PSD alpha exponents, fits Levy flight parameters, evaluates the six-component Hamiltonian, and produces Attestation Results. |
| Attestation Result | PoH Certificate and trust score | Contains only statistical exponents (alpha, beta, kappa) and aggregate scores. No raw Evidence (cell IDs, timestamps, chain hashes) is included in the Attestation Result. |
| Relying Party | Any service consuming PoH Certificates | Evaluates the Attestation Result against its own policy. Does not receive or process raw Evidence. |
H3-quantized Evidence is transmitted from the Attester to the Verifier. This is an explicit design choice: the Verifier requires access to the full breadcrumb chain to compute PSD exponents, fit Levy flight parameters, and evaluate the Hamiltonian.¶
Privacy preservation derives from the H3 quantization transform applied by the Attester before any data leaves the device, NOT from data locality. Raw GPS coordinates MUST NOT be transmitted. The quantization transform is lossy and irreversible: given an H3 cell identifier, an observer can determine only that the Attester was within the cell's area, not the precise coordinates.¶
The Verifier receives cell identifiers, timestamps, context digests, and chain hashes. The Verifier MUST NOT forward raw Evidence to Relying Parties. Only the Attestation Result (PoH Certificate) is disclosed to Relying Parties.¶
The Relying Party MUST trust the Verifier that produced the Attestation Result. This trust relationship is analogous to the trust a TLS client places in a Certificate Authority: the protocol defines the verification procedures, but the selection of trusted Verifiers is a deployment policy decision.¶
The TRIP protocol supports multiple independent Verifiers. An Attester MAY submit Evidence to more than one Verifier. A Relying Party MAY accept Attestation Results from any Verifier it trusts. The set of trusted Verifiers is configured by the Relying Party and is outside the scope of this specification.¶
Each Verifier MUST have its own Ed25519 key pair. The Verifier signs PoH Certificates with its private key (field 14 of the PoH Certificate). Relying Parties verify this signature against the Verifier's published public key.¶
TRIP provides replay protection at two distinct layers: protection of the Evidence chain against tampering, and protection of Attestation Results against replay to Relying Parties.¶
The monotonically increasing index and the chaining via the previous block hash field provide replay protection within a single trajectory. A replayed breadcrumb will fail the chain integrity check. Cross-trajectory replay (injecting breadcrumbs signed by identity A into a chain belonging to identity B) will fail Ed25519 signature verification.¶
An attacker who obtains a copy of Evidence previously submitted to a Verifier cannot inject it into a different identity's chain because every breadcrumb is signed by the identity's private key and chained to the preceding breadcrumb via hash linkage.¶
Chain-level protection ensures Evidence integrity but does not prevent an attacker from replaying a previously issued PoH Certificate to a Relying Party. An attacker who intercepts a valid PoH Certificate could present it to a different Relying Party, or present it after the identity's trust state has changed.¶
TRIP defines two verification modes to address this:¶
The Active Verification Protocol provides cryptographic freshness guarantees by binding the Attestation Result to a Relying Party-supplied nonce, the current chain head, and the current time. The protocol proceeds as follows:¶
The Relying Party generates an unpredictable nonce (RECOMMENDED: 16 bytes from a cryptographically secure random number generator) and sends a Verification Request to the Verifier:¶
VerificationRequest = {
0 => bstr .size 32, ; identity public key
1 => bstr .size 16, ; nonce
2 => uint, ; request timestamp
3 => uint, ; requested freshness window (seconds)
}
¶
The Verifier delivers a Liveness Challenge to the Attester via a real-time channel (e.g., WebSocket push, push notification):¶
LivenessChallenge = {
0 => bstr .size 16, ; nonce (from Relying Party)
1 => bstr .size 32, ; verifier identity (public key)
2 => uint, ; challenge timestamp
3 => uint, ; response deadline (seconds)
}
¶
The Attester constructs and signs a Liveness Response binding the nonce to the current chain state:¶
LivenessResponse = {
0 => bstr .size 16, ; nonce echo
1 => bstr .size 32, ; chain_head_hash (hash of most
; recent breadcrumb)
2 => uint, ; response timestamp
3 => uint, ; current breadcrumb index
4 => bstr .size 64, ; Ed25519 signature over fields 0-3
; using identity private key
}
¶
The Verifier validates the Liveness Response by checking all of the following:¶
Upon successful validation, the Verifier produces a fresh PoH Certificate with field 12 set to the Relying Party's nonce and field 13 set to the chain_head_hash from the Liveness Response. The Verifier signs this certificate with its own Ed25519 key and returns it to the Relying Party.¶
The Relying Party verifies the PoH Certificate per Section 9, additionally confirming that field 12 matches its original nonce.¶
If the Attester does not respond within the response deadline, the Verifier MUST return an error to the Relying Party indicating that liveness could not be confirmed. The Verifier MUST NOT fall back to Passive mode when Active mode was explicitly requested.¶
The following CDDL [RFC8610] schema defines the Active Verification messages:¶
; Active Verification Protocol CDDL Schema
verification-request = {
0 => bstr .size 32, ; identity_key
1 => bstr .size 16, ; nonce
2 => uint, ; request_timestamp
3 => uint, ; freshness_window_seconds
}
liveness-challenge = {
0 => bstr .size 16, ; nonce
1 => bstr .size 32, ; verifier_key
2 => uint, ; challenge_timestamp
3 => uint, ; response_deadline_seconds
}
liveness-response = {
0 => bstr .size 16, ; nonce_echo
1 => bstr .size 32, ; chain_head_hash
2 => uint, ; response_timestamp
3 => uint, ; current_breadcrumb_index
4 => bstr .size 64, ; ed25519_signature
}
; The PoH Certificate (Section 9) with fields 12-13
; populated serves as the Attestation Result for
; Active Verification.
¶
An adversary records a legitimate trajectory and replays the GPS coordinates on a different device. TRIP detects this through multiple channels:¶
An adversary uses software to generate plausible-looking GPS coordinates. The Criticality Engine defeats this:¶
An adversary runs the TRIP client on an Android/iOS emulator with spoofed GPS. Detection relies on:¶
An adversary straps a phone to a mobile robot or drone. This is the most sophisticated attack because it produces real GPS, Wi-Fi, cellular, and IMU data from actual physical movement. Mitigation relies on:¶
This attack remains an active area of research. The protocol's defense-in-depth approach through multiple independent Hamiltonian components makes it progressively more expensive to defeat all channels simultaneously.¶
A compromised Verifier could issue fraudulent PoH Certificates. Mitigations include:¶
An attacker can generate large numbers of Verification Requests or breadcrumb submissions to consume Verifier resources. Verifiers SHOULD rate-limit requests per identity and per Relying Party. The Active Verification Protocol's real-time requirement (Attester must respond within the deadline) provides an inherent rate limit on valid completions.¶
TRIP's privacy model is based on lossy spatial quantization, not on data locality. H3-quantized Evidence (cell identifiers, timestamps, context digests, and chain hashes) is transmitted from the Attester to the Verifier. Raw GPS coordinates MUST NOT be transmitted and MUST NOT be stored by the Attester after quantization.¶
The H3 quantization transform is lossy and irreversible. Given an H3 cell identifier, an observer learns only that the Attester was within the cell's area at the stated time. At the default resolution 10, each cell covers approximately 15,000 m^2 (~0.015 km^2), providing meaningful ambiguity in populated areas.¶
H3 resolution is a configurable protocol parameter that controls the privacy-precision tradeoff. Deployments operating under strict privacy regulations (e.g., GDPR) MAY mandate lower resolutions. Users SHOULD be informed of the selected resolution and its privacy implications.¶
The Verifier receives and processes H3-quantized Evidence to compute trust scores and PoH Certificates. The Verifier:¶
The PoH Certificate is designed for maximum data minimization. A Relying Party learns:¶
A Relying Party does NOT learn: which cities, countries, or specific locations the identity has visited; the identity's home or workplace locations; the identity's daily schedule; or any raw trajectory data.¶
A trajectory is intrinsically linkable: all breadcrumbs share the same identity key. This is by design, as trust accumulation requires identity continuity, and Proof-of-Humanity requires a durable binding between one physical entity and one cryptographic identity.¶
A single physical entity operating multiple TRIP identities simultaneously constitutes a Sybil attack. TRIP raises the cost of such attacks through multiple mechanisms: each identity requires a separate physical device, weeks of sustained movement, and independent trajectory accumulation. The H_flock component (Section 8.4) provides a detection mechanism: co-located trajectories with identical displacement vectors produce a correlated-movement signal that Verifiers MAY use to flag suspected Sybil identities.¶
Cross-trajectory correlation analysis (detecting that two identities may be operated by the same physical entity) is a Verifier-side heuristic and is outside the scope of this specification. However, Verifiers SHOULD implement such heuristics and MAY reduce trust scores for trajectories that exhibit sustained co-movement with other identities.¶
In sparsely populated areas, even cell-level granularity may narrow identification to very few individuals. Implementations SHOULD use lower resolution (larger cells) in rural areas and MAY allow users to override to a lower resolution at any time.¶
The TRIP architecture supports multiple independent Verifier deployments. Any entity that implements the verification procedures defined in this specification (chain verification, PSD analysis, Levy flight fitting, Hamiltonian evaluation) MAY operate as a TRIP Verifier.¶
An Attester MAY submit Evidence to more than one Verifier simultaneously or sequentially. Each Verifier maintains its own independent view of the trajectory and produces its own Attestation Results.¶
A Relying Party MAY accept Attestation Results from any Verifier it trusts. The mechanism for establishing and managing Verifier trust (e.g., trust lists, certificate pinning, reputation systems) is a deployment policy decision outside the scope of this specification.¶
All conforming Verifiers MUST implement the base verification procedures: chain integrity (Section 3.3), PSD alpha classification (Section 6.1), and the PoH Certificate format (Section 9).¶
Verifiers MAY implement additional analysis beyond the base specification (e.g., machine-learning-based anomaly detection, additional Hamiltonian components). Such extensions MUST NOT alter the PoH Certificate format but MAY influence the trust score and criticality confidence values.¶
Two Verifiers processing the same Evidence SHOULD produce consistent alpha, beta, and kappa values (within numerical precision bounds) because these are derived from deterministic mathematical operations on the same input data. Trust scores MAY differ if Verifiers apply different weighting policies.¶
This specification does not mandate a specific transport for Evidence submission, Liveness Challenges, or Verification Requests. Implementations MAY use HTTPS, WebSocket, CoAP, or any transport that provides confidentiality and integrity protection.¶
The Active Verification Protocol (Section 12.3) requires a real-time channel between the Verifier and Attester for Liveness Challenge delivery. Implementations SHOULD use persistent connections (e.g., WebSocket) or mobile push notification services to minimize latency.¶
TRIP operates on Ed25519 public keys and TITs. The binding of human-readable names (handles) to TRIP identities is explicitly outside the scope of this specification and is expected to be addressed in a companion document. TRIP provides the trust foundation (PoH Certificates) upon which naming systems can make registration and access-control decisions.¶
TRIP does not require geographic travel. It requires sustained physical existence over time, which is a fundamentally different property. This section clarifies how the protocol accommodates users with limited or no physical mobility, addressing concerns raised during review [ZHANG-REVIEW].¶
A person who remains in a single H3 cell for an extended period still generates a valid trajectory. The trust scoring formula (Section 10) assigns 20% weight to temporal continuity (days_since_first) and 40% weight to breadcrumb count, both of which accumulate regardless of spatial diversity. A homebound user who collects breadcrumbs over 365 days achieves 60% of the maximum trust score from time and volume alone.¶
The context digest (Section 2.2) provides environmental diversity even without movement. Wi-Fi access points in a neighborhood change over time as devices are added, removed, or replaced. Cellular tower assignments shift with network load. IMU sensors detect micro-movements (hand tremor, breathing, device repositioning) that produce non-trivial context variation. These ambient changes ensure that breadcrumbs collected from a fixed location are not identical, defeating simple replay attacks.¶
The Hamiltonian (Section 8) is self-calibrating per identity: the baseline H_baseline is the rolling median of the identity's own energy values. A user with limited mobility develops a low-energy baseline that reflects their actual movement pattern. Anomalies are detected relative to the individual's own profile, not against a global expectation of travel.¶
The PSD alpha exponent (Section 6.1) may require adaptation for stationary users. When the displacement time series has very low variance, the PSD analysis degrades. Implementations SHOULD supplement spatial PSD with temporal PSD (analyzing inter-breadcrumb timing patterns) for identities whose unique cell count is below a configurable threshold (default: 5 cells over the most recent 200 breadcrumbs). Circadian rhythms in collection timing exhibit the same 1/f characteristics as spatial displacement, providing an alternative criticality signal.¶
Deployments MUST NOT impose minimum spatial diversity requirements that would exclude users with mobility limitations. The trust scoring formula MAY be adjusted by deployment policy to increase the weight of temporal factors for identities that self-declare reduced mobility, provided that the overall security model remains sound.¶
This document has no IANA actions at this time. Future revisions may request:¶
The TRIP protocol builds upon foundational work in cryptographic identity systems, geospatial indexing, statistical physics, and network science. The author thanks the contributors to the H3 geospatial system, the Ed25519 specification authors, and the broader IETF community for establishing the standards that TRIP builds upon. The Criticality Engine framework is inspired by the work of Giorgio Parisi on scale-free correlations in biological systems and Albert-Laszlo Barabasi on the fundamental limits of human mobility.¶
The author thanks Muhammad Usama Sardar for detailed review of -01 that identified the need for explicit RATS role mapping, attestation-result replay protection, and privacy model corrections. These contributions substantially improved the rigor of this specification. The author also thanks Jun Zhang for raising critical questions about accessibility and the applicability of mobility models to users with limited physical mobility, leading to the Accessibility and Low-Mobility Users section.¶