Proof of Process: An Evidence Framework for Digital Authorship Attestation

9.7.1. Evidence Packet (.pop)

The primary Evidence artifact produced by the Attester in the RATS architecture is the .pop (Proof of Process) file, containing all cryptographic proofs including SHA-256 hash chains, HMAC bindings, VDF outputs, and behavioral evidence accumulated during document authorship, encoded using CBOR with the PPPP tag (1347571280) and structured according to the evidence-packet type in the CDDL schema. The authoritative record of the authoring process is constituted by the Evidence packet, which may be submitted to a Verifier for appraisal per the RATS workflow, archived alongside the document for future verification using only the cryptographic primitives (SHA-256, HMAC, VDF) without access to external services, or shared with Relying Parties who perform their own verification using the CDDL schema and verification procedures defined in this specification. Larger file sizes than the .war file are typical for .pop files because complete segment-based Merkle trees with SHA-256 linkage, full VDF proofs for each inter-segment interval, and behavioral evidence including jitter histograms and entropy commitments are contained within them.¶

9.7.2. Attestation Result (.war)

The Attestation Result produced by a Verifier after appraising an Evidence packet per the RATS architecture is the .war (Writers Authenticity Report) file, which serves as a portable verification certificate signed with COSE that may be distributed independently of the original Evidence, encoded using CBOR with the WAR tag (1463894560) and conforming to the EAT profile defined in this specification. Distribution alongside published documents is the intended use of the Attestation Result, which affords a COSE signed verdict from a trusted Verifier (the forensic-assessment enumeration value), a summary of verified claims derived from SHA-256 hash chain verification and VDF recomputation without including the full evidence, a confidence score in the range [0.0, 1.0] for Relying Party decision-making incorporating factors such as entropy sufficiency and calibration attestation presence, and caveats documenting verification limitations such as missing hardware attestation via TPM [TPM2.0] or pending external anchor confirmations from RFC 3161 timestamps. The .war file may be trusted by Relying Parties based on the Verifier's reputation and the COSE signature validation, or the original .pop file may be requested for independent verification using the CDDL schema and cryptographic primitives (SHA-256, HMAC, VDF) defined in this specification. This flexibility makes possible a range of trust models within the RATS framework, from fully delegated verification where Relying Parties trust the Verifier's EAT claims, to adversarial multi-verifier scenarios where multiple independent Verifiers appraise the same Evidence.¶

9.7.3. Format Relationship

Linkage between the two CBOR encoded formats is established by the reference-packet-id field in the Attestation Result, which matches the packet-id of the appraised Evidence packet, with both identifiers being UUIDs per RFC 9562 [RFC9562] to ensure global uniqueness across all Evidence packets ever produced. The reference-packet-id is included in the COSE signed payload of the Attestation Result, ensuring that any attempt to modify the binding would invalidate the Verifier's signature. Unambiguous binding of each Attestation Result to a specific Evidence packet is ensured by this construction, preventing substitution attacks wherein an Attestation Result signed with COSE might be fraudulently associated with a different Evidence packet, a property that is critical for the RATS trust model where Relying Parties may receive Attestation Results from Verifiers they trust without access to the original Evidence. The UUID format provides 122 bits of entropy when using random UUIDs (version 4), making collision probability negligible even across billions of Evidence packets.¶

9.8.1. Required Fields

The required fields in the evidence-packet structure provide the essential metadata and cryptographic content needed for verification per the RATS architecture, with each field encoded according to the CDDL schema in the appendix. The version field (key 1) indicates the schema version number, currently 1, and implementations MUST reject packets with unrecognized major versions to ensure forward compatibility with future revisions of this CBOR schema. The profile field (key 2) contains the EAT profile URI (https://example.com/rats/eat/profile/pop/1.0) that identifies this specification, with IANA registration to be requested upon working group adoption as detailed in Section 37. The packet-id field (key 3) is a UUID per RFC 9562 [RFC9562] uniquely identifying this Evidence packet, generated by the Attester at packet creation time using a cryptographically secure random source. The created field (key 4) is a timestamp indicating when this packet was finalized, encoded using CBOR tag 1 (epoch-based date/time) per RFC 3339 [RFC3339] conventions; note that this timestamp is informational and not cryptographically protected, with temporal ordering established instead by VDF causality. The document field (key 5) contains the document-ref structure binding the Evidence to the documented artifact via SHA-256 content hash as described in Section 9.10. The checkpoints field (key 6) is an segment-based Merkle tree of content hashes forming the evidence chain with SHA-256 hash linkage and VDF proofs as described in Section 9.9.¶

9.8.2. Tiered Optional Sections

The optional sections (keys 10-17) in the CDDL schema correspond to evidence tiers that determine the strength of assurance provided by the CBOR encoded Evidence packet within the RATS architecture. Higher tiers require additional data collection and produce larger packets, but afford stronger evidence for Verifiers appraising claims. The presence-section (key 10) contributes to Standard tier by adding human presence challenges with timing verified against human reaction time baselines. The forensics-section (key 11) and keystroke-section (key 12) and hardware-section (key 13) are REQUIRED for Enhanced tier by adding edit topology analysis, AI indicator scores, and detailed jitter samples with entropy commitments computed using SHA-256 and bound via HMAC. The hardware-section (key 13) is REQUIRED for Enhanced and Maximum tiers by adding TPM 2.0 or Secure Enclave attestation with device-bound keys. The external-section (key 14) contributes to Maximum tier by adding RFC 3161 timestamps and optional blockchain anchors for absolute time binding. The absence-section (key 15, detailed in Section 25) contributes to Maximum tier by documenting negative evidence claims with explicit trust requirements. The forgery-cost-section (key 16, detailed in Section 26) contributes to Maximum tier by quantifying the computational cost of VDF recomputation and behavioral simulation. The declaration (key 17) may appear at all tiers and contains author attestations signed with COSE.¶

9.8.3. Extensibility

The evidence-packet structure defined in CDDL supports forward-compatible extensions through string-keyed fields, following the CBOR conventions for extensible maps that allow new fields to be added without breaking existing implementations. Integer keys in the range 1-99 are reserved for this specification and future versions thereof, providing space for additional standardized fields while maintaining compact CBOR encoding. String keys MAY be used for vendor or application-specific extensions that are not part of the core CDDL schema, enabling domain-specific customizations such as additional metadata fields or alternative evidence formats. Verifiers MUST ignore unrecognized string-keyed fields per the RATS extensibility model, allowing Evidence packets with vendor extensions to be verified by any compliant implementation. Verifiers MUST reject packets containing unrecognized integer keys in the reserved range (1-99) to prevent future standardized fields from being misinterpreted by older implementations, ensuring that cryptographic verification using SHA-256 and HMAC is only performed on packets that conform to a known schema version.¶

9.9.1. Checkpoint Structure

checkpoint = {
        1 => uint,                      ; sequence
        2 => uuid,                      ; checkpoint-id
        3 => pop-timestamp,             ; timestamp
        4 => hash-value,                ; content-hash
        5 => uint,                      ; char-count
        6 => uint,                      ; word-count
        7 => edit-delta,                ; delta
        8 => hash-value,                ; prev-hash
        9 => hash-value,                ; tree-root
        10 => vdf-proof,                ; vdf-proof
        11 => jitter-binding,           ; jitter-binding
        12 => bstr .size 32,            ; chain-mac

        * tstr => any,                  ; extensions
}

sequence (key 1):

Zero-indexed ordinal position in the segment chain. MUST be strictly monotonically increasing.¶

checkpoint-id (key 2):

UUID uniquely identifying this checkpoint within the packet.¶

timestamp (key 3):

Local timestamp when the checkpoint was created. Note that local timestamps are untrusted; temporal ordering is established by VDF causality.¶

content-hash (key 4):

Cryptographic hash of the document content at this checkpoint. SHA-256 RECOMMENDED.¶

char-count (key 5), word-count (key 6):

Document statistics at this checkpoint. Informational only; not cryptographically bound.¶

delta (key 7):

Edit delta since previous checkpoint. Contains character counts for additions, deletions, and edit operations. No content is included.¶

prev-hash (key 8):

Hash of the previous checkpoint (tree-root{N-1}). For the genesis checkpoint (sequence = 0), this MUST be 32 zero bytes.¶

tree-root (key 9):

Binding hash computed over all checkpoint fields, creating the hash chain.¶

vdf-proof (key 10):

Verifiable Delay Function proof establishing minimum elapsed time. See Section 24.¶

jitter-binding (key 11):

Captured behavioral entropy binding. See Section 10.¶

chain-mac (key 12):

HMAC-SHA256 binding the checkpoint to the chain key, preventing transplantation of checkpoints between sessions.¶

9.9.2. Hash Chain Construction

A cryptographic hash chain is formed by the segment chain through the prev-hash linkage. The construction employs SHA-256 as the default hash algorithm, though algorithm agility is supported for future requirements:¶

+---------------+     +---------------+     +---------------+
| Checkpoint 0  |     | Checkpoint 1  |     | Checkpoint 2  |
|---------------|     |---------------|     |---------------|
| prev-hash:    |<----| prev-hash:    |<----| prev-hash:    |
|   (32 zeros)  |  H  |   H(CP_0)     |  H  |   H(CP_1)     |
| checkpoint-   |---->| checkpoint-   |---->| checkpoint-   |
|   hash: H_0   |     |   hash: H_1   |     |   hash: H_2   |
+---------------+     +---------------+     +---------------+

The tree-root is computed as:¶

tree-root = H(
        "witnessd-checkpoint-v1" ||
        sequence ||
        checkpoint-id ||
        timestamp ||
        content-hash ||
        char-count ||
        word-count ||
        CBOR(delta) ||
        prev-hash ||
        CBOR(vdf-proof) ||
        CBOR(jitter-binding)
)

By this construction, any modification to any field in any checkpoint is ensured to invalidate all subsequent segment hashes, thereby affording tamper-evidence for the entire chain. The cascading nature of this invalidation makes selective tampering impractical, as an adversary would need to recompute all VDF proofs from the modification point forward.¶

9.9.3. Merkle Tree Construction

The segment chain is further structured as a standard binary Merkle Tree (RFC 6962), where each segment hash serves as a leaf. This construction enables efficient logarithmic-time inclusion proofs for subsets of segments.¶

External anchors commit to the Merkle root of the entire authoring session, thereby affording tamper-evidence for all segments with a single external signature. Verifiers MAY validate inclusion of specific segments by verifying the Merkle path from the segment leaf to the anchored root.¶

9.9.4. Evidence Format Versions

The evidence-packet version field (key 1) indicates the format version used for evidence generation. This specification defines two versions with distinct security properties:¶

Version 1.0 (Legacy Parallel Mode):

In version 1.0, VDF computation and jitter capture MAY proceed in parallel. The jitter commitment is bound to the final evidence packet but is not entangled with the VDF input chain. This mode permits faster evidence generation but provides weaker temporal guarantees: an adversary with pre-computed VDF outputs could potentially substitute jitter data without VDF recomputation. Version 1.0 evidence SHOULD be treated with reduced confidence for temporal claims.¶

Version 1.1 (Entangled Computation Mode):

In version 1.1, jitter capture MUST complete before VDF computation begins for each checkpoint. The jitter-binding entropy-commitment is incorporated into the VDF input:¶

    VDF_input{N} = H(
        VDF_output{N-1} ||
        content-hash{N} ||
        jitter-binding{N}.entropy-commitment ||
        sequence{N}
    )

¶

This entanglement creates a causal dependency: the jitter data MUST exist before VDF computation can proceed. An adversary attempting to substitute jitter data must recompute the entire VDF chain from that point forward, incurring the full temporal cost. Version 1.1 is REQUIRED for new implementations and provides the security guarantees described throughout this specification.¶

Verifiers MUST check the version field and SHOULD apply appropriate confidence adjustments:¶

• Version 1.1: Full confidence in temporal binding and VDF guarantees.¶
• Version 1.0: Reduced confidence; temporal claims limited to "evidence existed at some point" rather than "evidence was generated over the claimed duration."¶
• Unknown versions: Verification SHOULD fail with an error indicating unsupported format version.¶

The verifier_nonce field (when present) is incorporated into the packet signature regardless of version: SIG_k(H3 || verifier_nonce). This provides replay prevention independent of VDF entanglement mode.¶

9.10.1. Content Hash Binding

The cryptographic hash of the final document state is represented by the content-hash (key 1), which is the same value as the content-hash in the final checkpoint. Document binding verification is accomplished by computing H(document-content) using SHA-256, comparing with document-ref.content-hash, comparing with checkpoints{-1}.content-hash, and confirming that all three values match. A mismatch indicates either that the document has been modified since the Evidence was generated, or that the Evidence packet does not correspond to the presented document.¶

9.10.2. Salt Modes for Privacy

Control over how the content hash is computed is afforded by the hash-salt-mode field, making possible privacy-preserving verification scenarios where global verifiability is not desired:¶

For salted modes, the salt is provided by the author out-of-band for verification; and confirmation that H(provided-salt) matches salt-commitment is performed by Verifiers before using the salt. Scenarios where the document binding should not be globally verifiable (e.g., unpublished manuscripts, confidential documents) are made possible by Author-Salted mode, affording authors control over who may verify the binding between their Evidence and their document.¶

9.11.1. Tier Selection Guidance

Selection of the minimum tier that meets verification requirements is RECOMMENDED for authors. Higher tiers collect more behavioral data and create larger Evidence packets, which may raise privacy concerns or storage constraints in some deployment scenarios.¶

9.11.2. Relationship to Attestation Assurance

Content tier and attestation assurance level (Section 9.12) are orthogonal dimensions. An Evidence packet has both:¶

• A content tier (CORE/ENHANCED/MAXIMUM) describing what evidence sections are present¶
• An attestation tier (T1/T2/T3/T4) describing how strongly the evidence is hardware-bound¶

For example, a MAXIMUM content tier packet may be generated with T1 (software-only) attestation on devices lacking hardware security, while a CORE content tier packet may have T4 (hardware-hardened) attestation when strong device binding is available but behavioral data collection is not desired.¶

Relying Parties SHOULD establish minimum requirements for both dimensions based on their risk tolerance and regulatory obligations.¶

9.12.1. Tier T1: Software-Only

T1 provides baseline evidence generation using pure software implementations without hardware security features.¶

Attestation Mode:

software¶

Binding Strength:

none (no hardware binding) or hmac_local (local key only)¶

NIST AAL Mapping:

AAL1 - Single-factor authentication equivalent¶

ISO LoA Mapping:

LoA1 - Low confidence in identity¶

EAT Security Level:

unrestricted (0) or restricted (1)¶

Security Properties:

• VDF timing provides temporal ordering¶
• Hash chains provide tamper evidence¶
• Jitter entropy provides behavioral binding¶
• No hardware root of trust¶
• Keys stored in software (file system)¶

Limitations:

• DEVICE_BINDING_NOT_VERIFIED - Device identity not cryptographically bound¶
• KEY_EXTRACTION_POSSIBLE - Signing keys may be extracted by malware¶
• NO_HARDWARE_ATTESTATION - Cannot prove hardware integrity¶

9.12.2. Tier T2: Attested Software

T2 extends T1 with optional hardware attestation hooks when available. The Attesting Environment attempts to use platform security features but degrades gracefully when hardware is unavailable.¶

Attestation Mode:

attested_software¶

Binding Strength:

hmac_local or cryptographic (when hardware available)¶

NIST AAL Mapping:

AAL1-AAL2 - Depending on hardware availability¶

ISO LoA Mapping:

LoA1-LoA2 - Low to medium confidence¶

EAT Security Level:

restricted (1) or secure_restricted (2)¶

Security Properties:

• All T1 properties¶
• Hardware attestation when available (opportunistic)¶
• Platform security APIs used when present¶
• Keychain/Credential Guard integration on supported platforms¶

Limitations:

• HARDWARE_OPTIONAL - Hardware features may not be present¶
• DEGRADED_MODE_POSSIBLE - May fall back to T1 behavior¶
• VARIABLE_ASSURANCE - Assurance depends on runtime environment¶

9.12.3. Tier T3: Hardware-Bound

T3 requires hardware security module binding via TPM 2.0 or platform Secure Enclave. Evidence generation MUST fail if hardware attestation is unavailable.¶

Attestation Mode:

hardware_bound¶

Binding Strength:

cryptographic - TPM or Secure Enclave key binding required¶

NIST AAL Mapping:

AAL3 - Hardware cryptographic authenticator¶

ISO LoA Mapping:

LoA3 - High confidence in identity¶

EAT Security Level:

hardware (3)¶

Security Properties:

• All T2 properties (non-degraded)¶
• Hardware-protected signing keys (non-exportable)¶
• Platform integrity measurement (PCR values)¶
• Device binding cryptographically verified¶
• Attestation includes hardware identity¶

Hardware Requirements:

• TPM 2.0 with attestation capability, OR¶
• Apple Secure Enclave with attestation, OR¶
• ARM TrustZone with attestation capability¶

Limitations:

• NO_PUF_BINDING - Physical unclonable function not required¶
• FIRMWARE_TRUST_REQUIRED - Relies on hardware vendor firmware¶

9.12.4. Tier T4: Hardware-Hardened

T4 represents maximum attestation strength with discrete TPM, Physical Unclonable Function (PUF) binding, and enclave execution.¶

Attestation Mode:

hardware_hardened¶

Binding Strength:

physical - PUF-derived key binding with TPM attestation¶

NIST AAL Mapping:

AAL3+ - Exceeds AAL3 with physical binding¶

ISO LoA Mapping:

LoA4 - Very high confidence in identity¶

EAT Security Level:

hardware (3) with enhanced claims¶

Common Criteria Reference:

EAL4+ evaluation target equivalent¶

Security Properties:

• All T3 properties¶
• PUF-derived entropy binding¶
• Discrete TPM (not firmware TPM)¶
• Secure enclave execution for sensitive operations¶
• Side-channel resistance for timing operations¶
• Physical tamper evidence¶

Hardware Requirements:

• Discrete TPM 2.0 (hardware module, not fTPM)¶
• PUF capability (SRAM PUF or equivalent)¶
• Secure enclave (SGX, TrustZone, or Secure Enclave)¶

Limitations:

• LIMITED_DEVICE_SUPPORT - Requires specific hardware¶
• HIGHER_LATENCY - Additional cryptographic operations¶

9.12.5. Assurance Level Mapping

The following table summarizes the mapping between PPPP Attestation Tiers and external assurance frameworks. For use case guidance based on content tier, see Section 9.11.1.¶

9.12.6. Relying Party Guidance

Relying Parties SHOULD establish minimum requirements for both attestation tier (this section) and content tier (Section 9.11.1) based on their risk tolerance and regulatory obligations. The following guidance addresses attestation tier requirements specifically:¶

Accept T1 or higher when:

• Evidence is for personal reference only¶
• Author reputation provides sufficient trust¶
• Consequences of forgery are minimal¶
• Hardware security is impractical for the user population¶

Require T2 or higher when:

• Evidence supports business decisions¶
• Multiple parties rely on the evidence¶
• Moderate financial or reputational risk exists¶
• Professional standards apply¶

Require T3 or higher when:

• Legal proceedings may reference the evidence¶
• Regulatory compliance requires hardware binding¶
• Non-repudiation is a business requirement¶
• High-value intellectual property is at stake¶

Require T4 when:

• Evidence must withstand adversarial forensic analysis¶
• Litigation is anticipated or ongoing¶
• Maximum available assurance is mandated by policy¶
• Sophisticated adversaries with substantial compute resources are anticipated (note: HSM compromise by nation-states is out of scope per Section 32.2.3)¶

Verifiers MUST include the declared attestation tier in attestation results (WAR files), enabling Relying Parties to enforce tier-based acceptance policies. Verifiers SHOULD also include any attestation-limitations that apply to the Evidence, as these document specific security properties that cannot be claimed at the declared tier.¶

9.12.7. Behavior When Hardware Unavailable

The Attesting Environment behavior when required hardware is unavailable depends on the configured tier:¶

T1 Configuration:

Hardware availability has no effect. Evidence generation proceeds using software-only implementation.¶

T2 Configuration:

Evidence generation proceeds with available capabilities. The attestation-limitations array MUST include HARDWARE_NOT_AVAILABLE if hardware attestation was attempted but failed. The actual tier achieved MAY be lower than T2 if only software capabilities were available.¶

T3 Configuration:

Evidence generation MUST fail if TPM or Secure Enclave attestation is unavailable. Implementations MUST NOT silently degrade to T2 or T1. An appropriate error code MUST be returned to the caller.¶

T4 Configuration:

Evidence generation MUST fail if discrete TPM, PUF, or enclave capability is unavailable. Implementations MUST NOT silently degrade to lower tiers.¶

Implementations MUST accurately report the tier achieved, not the tier configured. A T2-configured implementation that lacks hardware MUST report T1 in the evidence packet, not T2.¶

9.13.1. Profile Identifiers

Each profile is identified by a URN in the IETF RATS namespace with the following format:¶

urn:ietf:params:rats:pop:profile:<name>

The registered profile URNs are:¶

9.13.2. CORE Profile

The CORE profile establishes the minimum viable implementation for PPPP interoperability. All implementations claiming PPPP conformance MUST implement at least the CORE profile. The security guarantees provided by CORE are:¶

• Temporal ordering: VDF proofs establish minimum elapsed time between checkpoints with cryptographic assurance.¶

• Content integrity: SHA-256 hash binding ensures tamper-evidence for the attested document.¶

• External anchoring: RFC 3161 timestamps provide independent temporal witnesses from trusted third parties.¶

The following features are Mandatory-to-Implement for CORE:¶

9.13.3. ENHANCED Profile

The ENHANCED profile adds behavioral entropy capture and correlation analysis to the CORE features. Implementations claiming ENHANCED conformance MUST implement all CORE features plus the ENHANCED MTI features. The additional security guarantees provided by ENHANCED are:¶

• Behavioral entropy: Jitter-based entropy capture provides evidence of interactive authoring behavior in the creation process.¶

• Intra-checkpoint correlation (C_intra): Statistical correlation between timing patterns and content evolution within checkpoints.¶

• Cognitive load indicators: Metrics derived from typing patterns that reflect human cognitive processing characteristics.¶

The following features are Mandatory-to-Implement for ENHANCED (in addition to all CORE features):¶

9.13.4. MAXIMUM Profile

The MAXIMUM profile provides the strongest available evidence through comprehensive behavioral analysis, cryptographic proofs, and hardware attestation. Implementations claiming MAXIMUM conformance MUST implement all CORE and ENHANCED features plus the MAXIMUM MTI features. The additional security guarantees provided by MAXIMUM are:¶

• Error topology analysis: Fractal pattern analysis of editing errors that distinguishes human error patterns from automated generation.¶

• STARK proofs: Succinct transparent arguments of knowledge for efficient verification of complex evidence structures.¶

• Cryptographic Entropy Entanglement (CEE): VDF outputs entangled with behavioral entropy to prevent backdating attacks.¶

• Hardware attestation: TPM 2.0 or Secure Enclave binding for device-level trust anchoring.¶

The following features are Mandatory-to-Implement for MAXIMUM (in addition to all CORE and ENHANCED features):¶

9.13.5. Profile Declaration Structure

Evidence packets MAY include a profile declaration in key 9 of the evidence-packet structure. The declaration specifies the profile tier and URI, with optional indication of features enabled beyond the MTI requirements. The CDDL [RFC8610] structure is:¶

profile-declaration = {
        1 => profile-tier,              ; tier (1=core, 2=enhanced, 3=maximum)
        2 => profile-uri,               ; URN identifier
        ? 3 => [+ feature-id],          ; enabled-features (beyond MTI)
        ? 4 => tstr,                    ; implementation-id
}

profile-tier = &(
        core: 1,
        enhanced: 2,
        maximum: 3,
)

profile-uri = tstr .regexp "urn:ietf:params:rats:pop:profile:(core|enhanced|maximum)"

The enabled-features array (key 3) lists feature IDs that are implemented beyond the MTI requirements for the declared tier. This allows CORE implementations to indicate support for specific ENHANCED or MAXIMUM features without claiming full conformance to those tiers. The implementation-id (key 4) is an opaque string identifying the software that generated the Evidence packet, useful for debugging and ecosystem analysis but carrying no normative weight.¶

9.13.6. Verification Behavior

Verifiers MUST handle Evidence packets according to the following rules based on the presence or absence of profile declarations:¶

9.13.7. MTI Summary

The following table summarizes the Mandatory-to-Implement requirements across all profiles. An "M" indicates the feature is mandatory for that profile tier; an "O" indicates the feature is optional but MAY be declared in the enabled-features array.¶

9.14.1. Verdict Field

The verdict (key 4) is the Verifier's overall forensic assessment using the forensic-assessment enumeration:¶

IMPORTANT: The verdict characterizes the consistency of the evidence chain, not the identity or nature of the author. A verdict of "source-transition-detected" means the behavioral metrics changed measurably at specific checkpoints. What caused that change - a tool switch, a collaborator, fatigue, or something else - is not determined by the Verifier. The Relying Party applies domain-specific policy to decide whether the observed pattern is acceptable.¶

9.14.2. Confidence Score

The confidence-score (key 5) is an unsigned integer in millibits (0-1000) representing the Verifier's confidence in the verdict. Divide by 1000 to convert to the 0.0-1.0 range:¶

• 0 - 300: Low confidence (limited evidence)¶
• 300 - 700: Moderate confidence (typical evidence)¶
• 700 - 1000: High confidence (strong evidence)¶

The confidence score incorporates:¶

• Evidence tier (higher tiers increase confidence ceiling)¶
• Segment chain completeness¶
• Entropy sufficiency in jitter bindings¶
• VDF calibration attestation presence¶
• External anchor confirmations¶

9.14.3. Verified Claims

The verified-claims array (key 6) contains individual claim verification results:¶

result-claim = {
        1 => uint,                      ; claim-type
        2 => bool,                      ; verified
        ? 3 => tstr,                    ; detail
        ? 4 => confidence-level,        ; claim-confidence
}

The claim-type values correspond to the absence-claim-type enumeration, enabling direct mapping between Evidence claims and Attestation Result verification outcomes.¶

9.14.4. Verifier Signature

The verifier-signature (key 7) is a COSE_Sign1 signature over the Attestation Result payload (fields 1-6 plus any optional fields 8-10). This signature:¶

• Authenticates the Verifier identity¶
• Ensures integrity of the Attestation Result¶
• Enables Relying Parties to verify the result came from a trusted Verifier¶

9.14.5. Caveats

The caveats array (key 10) documents limitations and warnings that Relying Parties should consider:¶

• "No hardware attestation available"¶
• "External anchors pending confirmation"¶
• "Jitter entropy below recommended threshold"¶
• "Author declares AI tool usage"¶

Verifiers MUST include appropriate caveats when the Evidence has known limitations. Relying Parties SHOULD review caveats before making trust decisions.¶

9.15.1. Semantic Tags

Top-level structures use semantic tags for type identification:¶

These tags enable format detection without external metadata. Parsers can identify the packet type by examining the leading tag value.¶

9.15.2. Key Encoding Strategy

The schema uses a dual key encoding strategy for efficiency and extensibility:¶

Integer Keys (1-99):

Reserved for core protocol fields defined in this specification. Provides compact encoding and enables efficient parsing.¶

String Keys:

Used for vendor extensions, application-specific fields, and future protocol extensions before standardization. Provides self-describing field names at the cost of encoding size.¶

Example size comparison for a field named "forensics":¶

Integer key (11):     1 byte  (0x0B)
String key ("forensics"): 10 bytes (0x69666F72656E73696373)

For a typical Evidence packet with dozens of fields, integer keys reduce packet size by 20-40%.¶

9.15.3. Deterministic Encoding

Evidence packets MUST use deterministic CBOR encoding (RFC 8949 Section 4.2) (RFC 8949 Section 4.2) to enable:¶

• Byte-exact reproduction of packets for signature verification¶
• Consistent hashing for cache and deduplication purposes¶
• Simplified debugging and comparison¶

Deterministic encoding requirements:¶

• Map keys sorted in bytewise lexicographic order¶
• Integers encoded in minimal representation¶
• Floating-point values canonicalized¶

9.16.1. Custom EAT Claims

The following custom claims are proposed for IANA registration upon working group adoption:¶

9.16.2. AR4SI Trustworthiness Extension

The Attestation Result includes a proposed extension to the AR4SI ([I-D.ietf-rats-ar4si]) trustworthiness vector:¶

behavioral-consistency: -1..3
      -1 = no claim
   0 = behavioral evidence inconsistent with human authorship
   1 = behavioral evidence inconclusive
   2 = behavioral evidence consistent with human authorship
   3 = behavioral evidence strongly indicates human authorship

This extension enables integration of witnessd Attestation Results with broader trustworthiness assessment frameworks.¶

The following table provides guidance for mapping PPPP forensic-assessment verdicts to AR4SI behavioral-consistency values:¶

Note: The mapping from PPPP verdicts to AR4SI values depends on the confidence score and Relying Party policy. The table above provides default guidance; implementations MAY adjust based on domain-specific requirements.¶

9.17.1. Tamper-Evidence vs. Tamper-Proof

The evidence model provides tamper-EVIDENCE, not tamper-PROOF:¶

• Tamper-evident:¶

  Modifications to Evidence packets are detectable through cryptographic verification. The hash chain, VDF entanglement, and HMAC bindings ensure that any alteration invalidates the Evidence.¶

• Not tamper-proof:¶

  An adversary with sufficient resources can fabricate Evidence by investing the computational time required by VDF proofs and generating plausible behavioral data. The forgery-cost-section quantifies this investment.¶

Relying Parties should understand this distinction when making trust decisions.¶

9.17.2. Independent Verification

Evidence packets are designed for independent verification:¶

• All cryptographic proofs are included in the packet¶
• Verification requires no access to the original device¶
• Verification requires no network access (except for external anchor validation)¶
• Multiple independent Verifiers can appraise the same Evidence¶

This property enables adversarial verification: a skeptical Relying Party can verify Evidence without trusting the Attester's infrastructure.¶

9.17.3. Privacy by Construction

The evidence model enforces privacy through structural constraints:¶

• No content storage:¶

  Evidence contains hashes of document states, not content. The document itself is never included in Evidence packets.¶

• No keystroke capture:¶

  Individual characters typed are not recorded. Timing intervals are captured without association to specific characters.¶

• Aggregated behavioral data:¶

  Raw timing data is aggregated into histograms before inclusion in Evidence. Optional raw interval disclosure is user-controlled.¶

• No screenshots or screen recording:¶

  Visual content is never captured by the Attesting Environment.¶

9.17.4. Attesting Environment Trust

The evidence model assumes a minimally trusted Attesting Environment:¶

• Chain-verifiable claims (absence-claim-types 1-15):¶

  Can be verified from Evidence alone without trusting the AE beyond basic data integrity.¶

• Monitoring-dependent claims (absence-claim-types 16-63):¶

  Require trust that the AE accurately reported monitored events. The ae-trust-basis field documents these assumptions.¶

Hardware attestation (hardware-section) increases AE trust by binding Evidence to verified hardware identities.¶

10.2.1. Entropy Commitment (Key 1)

A cryptographic hash of the raw timing intervals concatenated in observation order is constituted by the entropy-commitment, computed as H(interval{0} || interval{1} || ... || interval{n}) where H denotes the hash algorithm specified in the hash-value structure with SHA-256 being RECOMMENDED. Each interval is encoded as a 32-bit unsigned integer representing milliseconds, conforming to the CBOR unsigned integer encoding (major type 0). Computation of this SHA-256 commitment BEFORE the histogram summary is mandated by this specification, thereby ensuring that the raw data cannot be manipulated to match a desired statistical profile after the commitment is fixed. This ordering constraint is critical to the security of the Jitter Seal mechanism: once the entropy-commitment is computed using SHA-256 and bound to the VDF input, the raw timing data is cryptographically fixed even though only the aggregated histogram appears in the final CBOR encoded Evidence packet.¶

10.2.2. Entropy Sources (Key 2)

Identification of which input modalities contributed to the captured entropy is accomplished by the sources array:¶

Inclusion of at least one source is REQUIRED by implementations conforming to this RATS profile, with the source array encoded in CBOR per the CDDL schema. The highest entropy density is afforded by the keystroke-timing source (1), and its inclusion SHOULD be ensured when keyboard input is available, as this source provides the finest-grained timing measurements that contribute most significantly to the entropy-commitment computed using SHA-256. Multiple sources may be combined to increase the total entropy density and make possible verification even when some input modalities are unavailable, with the estimated-entropy-bits calculation aggregating Min-Entropy (H_min) across all contributing sources.¶

10.2.3. Jitter Summary (Key 3)

Verifiable statistics without exposure of raw timing data are afforded by the jitter-summary structure, encoded in CBOR per the CDDL schema below, enabling Verifiers to assess entropy sufficiency per the RATS architecture without accessing the privacy-sensitive raw intervals.¶

    jitter-summary = {
        1 => uint,                 ; sample-count
        2 => [+ histogram-bucket], ; timing-histogram
        3 => entropy-decibits,     ; estimated-entropy (decibits, /10 for bits)
        ? 4 => [+ anomaly-flag],   ; anomalies (if detected)
    }

    histogram-bucket = {
        1 => uint,                 ; lower-bound-ms
        2 => uint,                 ; upper-bound-ms
        3 => uint,                 ; count
    }

Calculation of the estimated-entropy-bits field is accomplished using Shannon entropy over the histogram distribution:¶

    H = -sum(p[ij] * log2(p[ij])) (conditional probabilities) for all buckets where p[i] > 0
    p[i] = count[i] / total_samples

The following bucket boundaries (in milliseconds) are RECOMMENDED: 0, 50, 100, 200, 500, 1000, 2000, 5000, +infinity. The typical range of human typing and pause behavior is captured by these boundaries, having been determined empirically through analysis of diverse authoring sessions.¶

10.2.4. Binding MAC (Key 4)

Cryptographic binding of the jitter data to the segment chain is accomplished by the binding-mac:¶

    binding-mac = HMAC-SHA256(
        key = checkpoint-chain-key,
        message = entropy-commitment ||
                  CBOR(sources) ||
                  CBOR(summary) ||
                  prev-tree-root
    )

The following properties are ensured by this HMAC-SHA256 binding within the RATS architecture: transplantation of jitter data between checkpoints is prevented because the prev-tree-root included in the HMAC input fixes the binding to a specific position in the SHA-256 hash chain; modification of jitter data without invalidating the segment chain is prevented because the binding-mac is included in the tree-root computation; and preservation of the temporal ordering of jitter observations is enforced because the VDF entanglement includes the entropy-commitment. These properties, taken together, make possible strong guarantees about the authenticity and integrity of the captured behavioral entropy, with any tampering detectable through cryptographic verification using SHA-256 and HMAC.¶

10.2.5. Raw Intervals (Key 5, Optional)

Inclusion of the raw-intervals array for enhanced verification is permitted but not required. When present, the following capabilities are afforded to verifiers: recomputation of the entropy-commitment with verification that it matches, recomputation of the histogram with consistency verification, and performance of statistical analysis beyond the histogram. As a privacy consideration, it should be noted that raw intervals may constitute biometric-adjacent data; this concern is addressed in Section 22.¶

17.4.1. Prose Profile (prose_v1)

Optimized for natural language prose authorship. Assumes higher cognitive load variation during complex sentence construction and lower physical adjacency errors compared to code. Uses default parameters with the following adjustments:¶

• rho-gap-weight: 450 (0.45) - Higher weight on cognitive correlation¶
• hurst-weight: 400 (0.4) - Unchanged¶
• adj-phys-weight: 150 (0.15) - Lower weight on physical adjacency¶

Validation-status: unsupported (3). These adjustments are hypothetical and require empirical validation.¶

17.4.2. Technical Profile (technical_v1)

Optimized for source code and technical content. Assumes higher physical adjacency error rates due to specialized characters and lower cognitive load correlation due to repetitive syntax patterns.¶

• rho-gap-weight: 300 (0.3) - Lower weight on cognitive correlation¶
• hurst-weight: 400 (0.4) - Unchanged¶
• adj-phys-weight: 300 (0.3) - Higher weight on physical adjacency¶
• composite-score-min: 700 (0.70) - Lower threshold for code¶

Validation-status: unsupported (3). These adjustments are hypothetical and require empirical validation.¶

17.7.1. Galton Invariant Probe

The Galton Invariant measures rhythm perturbation recovery by analyzing how quickly and consistently timing returns to baseline after disruption events (e.g., errors, pauses, context switches). Named after the Galton board's probability distribution, this probe characterizes the "absorption coefficient" of behavioral rhythm perturbations.¶

Parameters:¶

• Absorption coefficient (α): Valid range α ∈ [0.3, 0.8]. Values below 0.3 indicate insufficient rhythm recovery (possibly synthetic constant-rate input). Values above 0.8 indicate excessive damping (possibly mechanically smoothed).¶
• Time constant (τ): Recovery half-life in milliseconds. Typical human values: 200-800ms.¶
• Asymmetry factor: Ratio of positive to negative perturbation recovery. Human motor systems typically show mild asymmetry (factor 0.8-1.2).¶

17.7.2. Reflex Gate Probe

The Reflex Gate measures minimum achievable latency and its variability, characterizing neural pathway delay constraints. Human motor responses exhibit floor latencies imposed by physiological signal propagation that cannot be bypassed by simulation.¶

Parameters:¶

• Minimum latency: MUST be ≥ 100ms for valid human input. Latencies consistently below 100ms indicate either hardware/software injection or pre-computed responses.¶
• Coefficient of variation (CV): Valid range CV ∈ [0.15, 0.40]. Values below 0.15 indicate mechanical consistency. Values above 0.40 indicate either extreme fatigue or non-physiological variation patterns.¶
• Distribution shape: Human reaction times follow ex-Gaussian distributions. Significant deviation from this shape indicates synthetic generation.¶

17.7.3. Active Probe Security Considerations

Active probes increase the cost of successful simulation but do not provide absolute guarantees:¶

• Adversaries with knowledge of probe parameters could craft timing sequences that satisfy the validation ranges.¶
• Probe parameters are based on typical human physiology; atypical but genuine users may produce out-of-range values.¶
• Implementations SHOULD use active probes as supplementary signals rather than hard rejection criteria.¶

17.8.1. Delay-Coordinate Embedding

Given a timing interval sequence {t_1, t_2, ..., t_n}, the phase space reconstruction creates m-dimensional vectors:¶

    v_i = (t_i, t_{i+τ}, t_{i+2τ}, ..., t_{i+(m-1)τ})

where m is the embedding dimension and τ is the delay parameter. Parameters:¶

• Embedding dimension (m): Valid range 3-8. Lower values may miss attractor structure; higher values introduce spurious correlations.¶
• Delay parameter (τ): Selected via mutual information minimization or autocorrelation zero-crossing.¶

17.8.2. Topological Invariants

The reconstructed phase space is characterized by topological invariants that distinguish genuine behavioral dynamics from synthetic sequences:¶

Correlation dimension (D_2):

Measures the complexity of the attractor. Valid range: D_2 ∈ [1.5, 5.0]. Values near 1.0 indicate deterministic periodic behavior; values near the embedding dimension indicate stochastic noise.¶

Betti numbers (β_0, β_1, β_2):

Topological invariants counting connected components (β_0), loops (β_1), and voids (β_2) in the attractor. Human behavioral attractors typically show specific Betti number patterns reflecting cognitive-motor coupling dynamics.¶

Recurrence rate:

Fraction of recurrence points in the reconstructed phase space. Synthetic sequences often show either too high (periodic) or too low (random) recurrence rates compared to genuine behavioral dynamics.¶

Determinism:

Fraction of recurrence points forming diagonal lines in recurrence plots. Genuine behavioral sequences show intermediate determinism reflecting cognitive influence on motor timing.¶

17.8.3. Labyrinth Analysis Security Considerations

Phase space analysis provides additional forgery cost but is not a complete defense:¶

• Adversaries could potentially train generative models to produce timing sequences with specific topological properties.¶
• The computational cost of labyrinth analysis is significant; implementations MAY perform this analysis only for high-value evidence or as a secondary verification step.¶
• Topological analysis is sensitive to sequence length; short sessions may not provide sufficient data for reliable invariant estimation.¶

24.2.1. Algorithm Registry

The following VDF algorithms are delineated in the algorithm registry, with algorithm selection indicated by the algorithm field in the vdf-proof structure encoded in CBOR. The iterated hash algorithms (1-2) use SHA-256 or SHA3-256 with implicit proofs (verification by recomputation), while the succinct VDF algorithms (16-19) use the constructions from Pietrzak and Wesolowski with explicit cryptographic proofs enabling efficient verification.¶

Reservation of algorithm values 1-15 for iterated hash constructions using SHA-256 or similar hash functions is established, with values 16-31 being reserved for succinct VDF schemes based on the constructions of Pietrzak and Wesolowski. Availability of values 32+ for future allocation is maintained to accommodate advances in VDF research, with the CDDL schema extensibility ensuring forward compatibility within the RATS architecture.¶

24.2.2. Iterated Hash Construction

Computation by the iterated hash VDF is accomplished using repeated application of SHA-256 or SHA3-256 as the hash function, with the output of each iteration becoming the input to the next. This construction is the simplest VDF implementation, requiring only the hash function from RFC 6234 and providing inherent parallelization resistance because each iteration depends on the previous output. The mathematical definition follows:¶

    output = H^n(input)

    where H^n denotes n iterations of hash function H:
      H^0(x) = x
      H^n(x) = H(H^(n-1)(x))

Parameters for iterated hash VDFs:¶

    iterated-hash-params = {
        1 => hash-algorithm,    ; hash-function
        2 => uint,              ; iterations-per-second
    }

Recording of the calibrated performance of the Attesting Environment is accomplished by the iterations-per-second field in the CBOR encoded params structure, making possible assessment by Verifiers per the RATS architecture of whether the claimed-duration is plausible for the iteration count on the attested hardware. When TPM 2.0 [TPM2.0] or Secure Enclave attestation is available, the calibration can be hardware-signed for additional trust. The following properties are exhibited by iterated hash VDFs using SHA-256:¶

Verification Cost:

O(n) -- Verifier must recompute all iterations. This is acceptable for the iteration counts typical in authoring scenarios (10^6 to 10^9 iterations).¶

Parallelization Resistance:

Inherently sequential. Each iteration depends on the previous output. No known parallelization attack.¶

Hardware Acceleration:

SHA-256 acceleration (e.g., Intel SHA Extensions, ARM Cryptography Extensions) provides ~3-5x speedup over software. This is accounted for in calibration.¶

24.2.3. Succinct VDF Construction

O(log n) or O(1) verification time is afforded by succinct VDFs based on the constructions of Pietrzak and Wesolowski, at the cost of larger proof sizes encoded in CBOR (approximately 1-2 KB depending on construction and security parameters) and more complex computation involving modular exponentiation. These constructions are based on repeated squaring in groups with unknown order (RSA groups or class groups), a mathematical structure that inherently resists parallelization because the order of the group is not known to the prover, unlike the iterated SHA-256 construction where the mathematical structure is simpler but verification requires O(n) recomputation.¶

    succinct-vdf-params = {
        10 => uint,             ; modulus-bits (minimum 3072)
        ? 11 => uint,           ; security-parameter
    }

Key set 10-19 disambiguates succinct params from iterated hash params (key set 1-9) without requiring a type tag.¶

OPTIONAL status is assigned to succinct VDFs per Pietrzak and Wesolowski within this RATS profile, with their intended use being in scenarios where verification must complete in bounded time regardless of delay duration (enabling real-time verification in time-constrained environments), where CBOR encoded Evidence packets may contain very long VDF chains (millions of checkpoints accumulated over extended authoring periods), or where O(n) SHA-256 recomputation cannot be afforded by third-party Verifiers with limited computational resources. When succinct VDFs are used, the proof field in the CDDL schema contains the cryptographic proof of correct computation (approximately 256 bytes for Wesolowski or 1 KB for Pietrzak); for iterated hash VDFs using SHA-256, the proof field is empty and verification is accomplished by recomputation of the hash chain.¶

24.3.1. Checkpoint Entanglement

Computation of the VDF input for segment N is accomplished using SHA-256 to combine the previous VDF output, current content hash, jitter commitment (bound via HMAC), and sequence number into a single input for the VDF function, as shown in the formula below. This entanglement is encoded in CBOR per the CDDL schema and creates the causal dependencies that establish temporal ordering.¶

    VDF_input{N} = H(
        VDF_output{N-1} ||      ; Previous VDF output
        content-hash{N} ||      ; Current document state
        jitter-commitment{N} || ; Captured behavioral entropy
        sequence{N}             ; Checkpoint sequence number
    )

For the genesis checkpoint (N = 0):¶

    VDF_input{0} = H(
        session-entropy ||      ; Random 256-bit session seed
        content-hash{0} ||      ; Initial document state
        jitter-commitment{0} ||
        0x00000000              ; Sequence zero
    )

The following properties are ensured by this construction within the RATS architecture: Sequential Dependency is established such that VDF_output{N} cannot be computed without VDF_output{N-1}, making the chain inherently sequential regardless of available parallelism; Content Binding is established such that each VDF output is bound to a specific document state computed using SHA-256, with changing the content invalidating all subsequent VDF proofs in the CBOR encoded chain; Jitter Binding is established such that the behavioral entropy commitment computed via SHA-256 and bound via HMAC is entangled with the VDF, as detailed in Section 18; and Precomputation is prevented because the SHA-256 input depends on runtime values (content hash, jitter commitment) that are unknown until the checkpoint is created.¶

24.3.2. Temporal Ordering Without Trusted Time

Relative temporal ordering without reliance on trusted timestamps such as RFC 3161 [RFC3161] is afforded by the VDF causality property, distinguishing this RATS profile from attestation schemes that require trusted time sources:¶

Relative Ordering:

Checkpoint N necessarily occurred after segment N-1, because VDF_input{N} requires VDF_output{N-1}.¶

Minimum Elapsed Time:

The time between checkpoints N-1 and N is at least:¶

    min_elapsed{N} = iterations{N} / calibration_rate

¶

where calibration_rate is the attested iterations-per-second for the device.¶

Cumulative Time Bound:

The total minimum time to produce the evidence packet is:¶

    min_total = sum(iterations[i] / calibration_rate) for i = 0..N

¶

Absolute Time Binding:

External anchors including RFC 3161 timestamps and blockchain proofs bind the SHA-256 segment chain to absolute time. The VDF provides the relative ordering through causality; the RFC 3161 anchors provide the epoch binding to wall-clock time.¶

24.3.3. Backdating Resistance

The following steps must be accomplished by an adversary attempting to backdate evidence within this RATS profile: content that produces the desired content-hash computed using SHA-256 must be generated (this is prevented by preimage resistance of SHA-256); jitter data that produces valid entropy-commitment via SHA-256 must be generated (this requires access to the original timing stream or statistical simulation); the VDF chain from the backdated checkpoint forward must be computed (this requires sequential time proportional to iterations); and all of the above must be completed before any external anchor such as RFC 3161 timestamp or blockchain proof confirms a later checkpoint (this creates a race condition that the adversary loses if anchors are obtained promptly). Linear growth with the number of subsequent checkpoints and the iteration count per checkpoint characterizes the cost of VDF recomputation, with this cost being quantified in the forgery-cost-section using concrete metrics. Crucially, parallelization of VDF computation cannot be accomplished by the adversary: inherent sequentiality is exhibited by both iterated SHA-256 constructions and the group-theoretic constructions of Pietrzak and Wesolowski. Even with unlimited computational resources, completion of each VDF must be awaited before starting the next, creating an irreducible time cost for any backdating attack that exceeds the original authoring time.¶

24.3.4. Time Evidence and Degradation

Verifiable Delay Functions provide relative temporal ordering but cannot independently establish absolute time. When external anchors are unavailable, the strength of temporal evidence degrades. This section defines explicit tiers that document the achievable temporal binding based on available anchor sources, enabling Verifiers to make informed trust decisions.¶

    time-binding-tier = &(
        maximum: 1,     ; >=2 blockchain + >=2 TSA anchors
        enhanced: 2,    ; >=1 blockchain OR >=2 TSA anchors
        standard: 3,    ; >=1 TSA anchor
        degraded: 4,    ; VDF + local clock only
    )

    time-evidence = {
        1 => time-binding-tier,         ; tier
        2 => absolute-time-bounds / null, ; bounds (null if degraded)
        3 => relative-time-proof,       ; vdf-duration
        4 => [* anchor-status],         ; anchor-statuses
        5 => [* tstr],                  ; recommendations
    }

    absolute-time-bounds = {
        1 => pop-timestamp,             ; earliest-possible
        2 => pop-timestamp,             ; latest-possible
        3 => uint,                      ; uncertainty-seconds
        4 => uint,                      ; anchor-count
    }

    relative-time-proof = {
        1 => uint,                      ; total-vdf-iterations
        2 => uint,                      ; min-elapsed-seconds
        3 => uint,                      ; max-elapsed-seconds
        4 => uint,                      ; checkpoint-count
    }

    anchor-status = {
        1 => anchor-type,               ; type
        2 => anchor-state,              ; status
        ? 3 => tstr,                    ; reason (if unavailable/failed)
        ? 4 => pop-timestamp,           ; last-attempt
        ? 5 => tstr,                    ; anchor-id
    }

    anchor-type = &(
        bitcoin: 1,
        ethereum: 2,
        rfc3161: 3,
        drand: 4,
        opentimestamps: 5,
    )

    anchor-state = &(
        confirmed: 1,
        pending: 2,
        unavailable: 3,
        failed: 4,
        expired: 5,
    )

24.4.1. Attestation Structure

    calibration-attestation = {
        1 => uint,              ; calibration-iterations
        2 => pop-timestamp,     ; calibration-time
        3 => cose-signature,    ; hw-signature
        4 => bstr,              ; device-nonce
        ? 5 => tstr,            ; device-model
        ? 6 => tstr,            ; hardware-class
    }

calibration-iterations (key 1):

The number of VDF iterations completed in a 1-second calibration burst at session start.¶

calibration-time (key 2):

Timestamp when calibration was performed. SHOULD be within 24 hours of the first checkpoint.¶

hardware-signed attestation (key 3):

COSE_Sign1 signature over the calibration data, produced by hardware-bound keys (Secure Enclave, TPM, etc.).¶

device-nonce (key 4):

Random 256-bit value generated at calibration time. Prevents replay of calibration attestations across sessions.¶

device-model (key 5, optional):

Human-readable device identifier for reference purposes. Not used in verification.¶

hardware-class (key 6, optional):

An identifier for the hardware security module or processor generation (e.g., "tpm-2.0-infineon-v1", "apple-se-m3"). Enables Verifiers to perform plausibility checks against a whitelist of expected hash rates for the attested hardware.¶

24.4.2. Calibration Procedure

The Attesting Environment performs calibration as follows:¶

1. Generate Nonce:¶

   Generate a cryptographically random 256-bit device-nonce.¶

2. Initialize Timer:¶

   Record high-resolution start time T_start.¶

3. Execute Calibration Burst:¶

   Compute VDF iterations using the session's VDF algorithm, starting from H(device-nonce), until 1 second has elapsed.¶

4. Record Result:¶

   calibration-iterations = number of iterations completed.¶

5. Generate Attestation:¶

   Construct the attestation payload and sign with hardware-bound key.¶

The attestation payload for signing:¶

    attestation-payload = CBOR({
        "alg": vdf-algorithm,
        "iter": calibration-iterations,
        "nonce": device-nonce,
        "time": calibration-time
    })

24.4.3. Calibration Verification

A Verifier validates calibration attestation as follows:¶

1. Signature Verification:¶

   Verify the COSE_Sign1 signature using the device's public key (from hardware-section or certificate chain).¶

2. Nonce Uniqueness:¶

   Verify the device-nonce has not been seen in other sessions (optional, requires Verifier state).¶

3. Plausibility Check:¶

   Verify calibration-iterations falls within expected range for the device class:¶

   • Mobile devices: 10^5 - 10^7 iterations/second¶
   • Desktop/laptop: 10^6 - 10^8 iterations/second¶
   • Server-class: 10^7 - 10^9 iterations/second¶

4. Consistency Check:¶

   For each checkpoint, verify:¶

       claimed-duration >= iterations / (calibration-iterations * tolerance)
   

   ¶

   where tolerance accounts for measurement variance (RECOMMENDED: 1.1, i.e., 10% margin).¶

24.4.4. Trust Model

Calibration attestation relies on hardware-bound key integrity:¶

• With hardware attestation:¶

  The calibration rate is trustworthy to the extent that the hardware security module is trustworthy. An adversary cannot claim faster-than-actual calibration without compromising the HSM.¶

• Without hardware attestation:¶

  The calibration rate is self-reported by the Attesting Environment. The Verifier should apply conservative assumptions and may require external anchors for time verification.¶

The hardware-section documents whether hardware attestation is available and which platform is used.¶

24.5.1. Iterated Hash Verification

For iterated hash VDFs, verification requires recomputation:¶

1. Reconstruct Input:¶

   Compute VDF_input{N} from the segment data using the entanglement formula in Section 24.3.1.¶

2. Recompute VDF:¶

   Execute iterations{N} hash iterations starting from VDF_input{N}.¶

3. Compare Output:¶

   Verify the computed output matches the claimed VDF_output{N}.¶

4. Verify Duration (if calibration present):¶

   Apply the consistency check from Section 24.4.3.¶

For large evidence packets, Verifiers MAY use sampling strategies:¶

• Verify first and last checkpoints fully¶
• Randomly sample intermediate checkpoints¶
• Verify chain linkage (prev-hash) for all checkpoints¶

24.5.2. Succinct VDF Verification

For succinct VDFs, verification uses the cryptographic proof:¶

1. Reconstruct Input:¶

   Compute VDF_input{N} as above.¶

2. Parse Proof:¶

   Decode the proof field according to the algorithm specification.¶

3. Verify Proof:¶

   Execute the algorithm-specific verification procedure (Pietrzak or Wesolowski).¶

4. Verify Duration:¶

   Apply calibration consistency check.¶

24.6.1. Migration Path

Evidence packets MAY contain checkpoints using different VDF algorithms. This enables migration scenarios:¶

• Upgrading from iterated-sha256 to iterated-sha3-256¶
• Transitioning from iterated hash to succinct VDF¶
• Adopting post-quantum secure constructions¶

Algorithm changes SHOULD occur at session boundaries. Within a session, algorithm consistency is RECOMMENDED for simplicity.¶

24.6.2. Post-Quantum Considerations

Current VDF constructions have varying post-quantum security:¶

Iterated Hash (SHA-256, SHA3-256):

Grover's algorithm provides quadratic speedup for preimage attacks. This affects collision resistance but not the sequential computation property. The VDF remains secure with doubled iteration counts.¶

RSA-based (Pietrzak, Wesolowski):

Vulnerable to Shor's algorithm. Not recommended for long-term evidence that must remain verifiable in a post-quantum era.¶

Class-group based:

Based on class group computations in imaginary quadratic fields. Quantum security is less well understood but believed to be stronger than RSA.¶

For evidence intended to remain valid for decades, iterated hash VDFs are RECOMMENDED.¶

24.7.1. Hardware Acceleration Attacks

An adversary with specialized hardware (ASICs, FPGAs) may compute VDF iterations faster than the calibrated rate. Mitigations:¶

• Calibration Reflects Actual Hardware:¶

  Calibration is performed on the actual device, so the calibration rate already accounts for any acceleration available to the Attester.¶

• Asymmetric Advantage Limited:¶

  SHA-256 is widely optimized. The speedup from custom hardware over commodity CPUs with SHA extensions is typically less than 10x.¶

• Economic Analysis:¶

  The forgery-cost-section quantifies the cost of acceleration attacks in terms of hardware investment and time.¶

24.7.2. Parallelization Resistance

VDFs are designed to resist parallelization:¶

Iterated Hash:

Each iteration depends on the previous output. No parallelization is possible without breaking the hash function's preimage resistance.¶

Succinct VDFs:

Based on repeated squaring in groups with unknown order. Parallelization would require factoring the modulus (RSA-based) or solving the class group order problem (class-group based).¶

The key insight: an adversary with P processors cannot compute the VDF P times faster. The best known attacks provide negligible parallelization advantage.¶

24.7.3. Time-Memory Tradeoffs

For iterated hash VDFs, an adversary might attempt to precompute and store intermediate values:¶

• Rainbow Tables:¶

  Precomputing H^n(x) for many x values. Mitigated by the unpredictable VDF input (includes content hash and jitter commitment).¶

• Checkpoint Tables:¶

  Storing every k-th intermediate value during legitimate computation. Enables faster recomputation from nearby checkpoints but does not help with backdating attacks (which require computing from a specific starting point).¶

No practical time-memory tradeoff significantly reduces the sequential computation requirement.¶

24.7.4. Calibration Attacks

Attacks on the calibration system:¶

Throttled Calibration:

Adversary intentionally slows device during calibration to report lower iterations-per-second, then computes VDFs faster than claimed.¶

Mitigation: Plausibility checks based on device class. Anomalously slow calibration for a known device model triggers Verifier skepticism.¶

Calibration Replay:

Adversary reuses calibration attestation from a slower device.¶

Mitigation: Device-nonce binds calibration to session. Hardware signature binds to specific device key.¶

Device Key Compromise:

Adversary extracts hardware-bound signing key.¶

Mitigation: Hardware security modules are designed to resist key extraction. This attack requires physical access and significant resources.¶

24.7.5. Timing Side Channels

VDF computation timing may leak information:¶

• Iteration Count Inference:¶

  Network observers may infer iteration counts from checkpoint timing. This reveals only what is already public in the evidence packet.¶

• Content Inference:¶

  VDF computation time is independent of content (fixed iteration count per checkpoint). No content leakage through timing.¶

VDF implementations SHOULD use constant-time hash operations where available, though timing variations in VDF computation itself do not compromise security.¶

25.1.1. The Value of Bounded Claims

Positive claims are the focus of traditional evidence systems: "X happened at time T." Extension to negative claims is afforded by absence proofs: "X did not exceed threshold Y during interval (T1, T2)." The value of bounded claims lies in their falsifiability, which distinguishes them from unbounded claims that cannot be meaningfully verified:¶

Positive Claim:

"The author typed this document" -- difficult to verify, requires trust in the entire authoring environment.¶

Bounded Negative Claim:

"No single edit added more than 500 characters" -- verifiable directly from the segment chain without additional trust assumptions.¶

The burden of proof is shifted by bounded claims: instead of claiming what DID happen (which requires comprehensive monitoring), claims about what did NOT happen are made (which can be bounded by observable evidence derived from the segment chain). This inversion of the evidentiary focus makes possible meaningful claims without comprehensive surveillance.¶

25.1.2. Inherent Limits of Negative Evidence

Fundamental limitations are exhibited by absence proofs that MUST be clearly communicated to Relying Parties. With respect to Monitoring Gaps, validity of absence claims is limited to monitored intervals, with gaps in monitoring creating gaps in absence guarantees. With respect to Trust Boundaries, trust in the Attesting Environment (AE) is required by some absence claims, and this trust must be explicitly documented.¶

With respect to Threshold Semantics, "No paste above 500 characters" does not imply "no paste"; claims are bounded, not absolute, and the specific thresholds must be considered by Relying Parties when assessing evidence. With respect to Behavioral Consistency versus Authorship, observable behavioral patterns are described by absence claims, NOT authorship, intent, or cognitive processes; consistency between declared process and observable evidence is documented, rather than claims about the identity or capabilities of the author.¶

25.2.1. Computationally Bound Claims (1-15)

Verification by any party with access to the Evidence packet is made possible for computationally-bound claims. No trust in the Attesting Environment is required beyond basic data integrity, with these claims being derived purely from the segment chain structure. Independent confirmation of these claims by a Verifier is accomplished by parsing the segment chain, verifying chain integrity (hashes computed using SHA-256, MACs, VDF linkage), computing the relevant metrics from segment data, and comparing against the claimed thresholds. No interaction with the Attester or trust in its monitoring capabilities is needed for this class of claims.¶

25.2.2. Monitoring-Dependent Claims (16-20)

Trust that the Attesting Environment correctly observed and reported specific events is required by monitoring-dependent claims. Verification from the segment chain alone cannot be accomplished for these claims because dependence on real-time monitoring of events external to the document state is exhibited. Assessment of the following factors must be performed by the Verifier for monitoring-dependent claims: whether the capability to observe the relevant events (clipboard access, process enumeration, etc.) was possessed by the AE, whether operation with integrity during the monitoring period was maintained by the AE, whether monitoring was continuous or had gaps, and what attestation (if any) supports the AE integrity claim.¶

Explicit documentation of these trust assumptions is afforded by the ae-trust-basis structure, making possible informed Relying Party decisions. Hardware attestation via TPM [TPM2.0] or Secure Enclave may be used to strengthen the AE integrity claim, though such attestation is optional and its absence must be reflected in the Attestation Result caveats.¶

25.2.3. Trust Model Comparison

25.3.1. Verification Details

For each computationally-bound claim, the Verifier performs a multi-step verification procedure that first establishes chain integrity through SHA-256 hash chain verification and VDF linkage validation, then computes the relevant metric from CBOR encoded segment data, and finally compares the observed value against the claimed threshold. The pseudocode below illustrates this procedure, with verify_chain_hashes implementing SHA-256 prev-hash verification and verify_vdf_linkage implementing VDF entanglement verification. The key property of computationally-bound claims within the RATS architecture is that verification depends ONLY on cryptographically verifiable segment data parsed according to the CDDL schema, with no dependency on external monitoring claims or trust in the Attesting Environment's reporting accuracy.¶

    verify_chain_claim(evidence, claim):
        (1) Verify chain integrity first using SHA-256
        if not verify_chain_hashes(evidence.checkpoints):
            return INVALID("Chain integrity failure")
        if not verify_vdf_linkage(evidence.checkpoints):
            return INVALID("VDF linkage failure")

        (2) Compute the metric from CBOR segment data
        observed_value = compute_metric(evidence.checkpoints, claim.type)

        (3) Compare against threshold per CDDL schema
        match claim.type:
            case MAX_SINGLE_DELTA_CHARS:
                passes = (observed_value <= claim.threshold)
            case MIN_VDF_DURATION_SECONDS:
                passes = (observed_value >= claim.threshold)

        (4) Return verification result with cryptographic proof
        if passes:
            return PROVEN(observed_value, claim.threshold)
        else:
            return FAILED(observed_value, claim.threshold)

25.4.1. Trust Basis Documentation

Each monitoring-dependent claim MUST include an ae-trust-basis structure encoded in CBOR per the CDDL schema below, documenting the trust assumptions that underlie the claim. This explicit documentation of trust requirements is essential to the RATS architecture's goal of transparent attestation, enabling Verifiers to assess claim strength based on the trust basis rather than treating all claims uniformly. When hardware attestation via TPM 2.0 or Secure Enclave is available, the ae-trust-target field references the hardware-section for cross-verification, providing cryptographically grounded trust rather than mere assumption.¶

    ae-trust-basis = {
        1 => ae-trust-target,   ; trust-target
        2 => tstr,              ; justification
        3 => bool,              ; verified
    }

    ae-trust-target = &(
        witnessd-software-integrity: 1,
        os-reported-events: 2,
        application-reported-events: 3,
        tpm-attested-elsewhere: 16,
        se-attested-elsewhere: 17,
        unverified-assumption: 32,
    )

witnessd-software-integrity (1):

Trust that the witnessd software itself is unmodified and correctly implements monitoring. Requires software attestation or code signing verification.¶

os-reported-events (2):

Trust that the operating system correctly reports events (clipboard, process list, file access). Requires OS integrity.¶

application-reported-events (3):

Trust that the authoring application correctly reports events. Weakest trust level; application may be compromised.¶

tpm-attested-elsewhere (16):

TPM attestation of the AE state exists in the hardware-section. Cross-reference for verification.¶

se-attested-elsewhere (17):

Secure Enclave attestation of the AE state exists in the hardware-section. Cross-reference for verification.¶

unverified-assumption (32):

The claim is based on assumptions that cannot be verified. Relying Party must decide whether to accept based on context.¶

The justification field provides human-readable explanation of why the trust basis is believed adequate. The verified field indicates whether the trust basis was cryptographically verified (true) or merely assumed (false).¶

25.4.2. Monitoring Coverage

Honest documentation of monitoring gaps is essential for meaningful absence claims within the RATS architecture, and the monitoring-coverage structure defined in CDDL and encoded in CBOR captures the scope and limitations of AE monitoring. Unlike computationally-bound claims that can reference the complete segment chain verified through SHA-256 hash linkage, monitoring-dependent claims are only valid during periods when the relevant monitoring was active, making the coverage documentation critical for accurate confidence assessment. Timestamps in the monitoring-intervals array conform to RFC 3339 [RFC3339] format encoded using CBOR tag 1 (epoch-based date/time).¶

    monitoring-coverage = {
        1 => bool,                  ; keyboard-monitored
        2 => bool,                  ; clipboard-monitored
        3 => [+ time-interval],     ; monitoring-intervals
        4 => ratio-millibits,       ; coverage-fraction (0-1000 = 0.0-1.0)
        ? 5 => hardware-attestation, ; monitoring-attestation
    }

    time-interval = {
        1 => pop-timestamp,         ; start
        2 => pop-timestamp,         ; end
    }

25.5.1. Confidence Levels

proven (1):

The claim is cryptographically provable from the Evidence. Only computationally-bound claims (1-15) can achieve this level.¶

high (2):

Strong evidence supports the claim. For monitoring-dependent claims, requires hardware attestation of AE integrity and high monitoring coverage (>95%).¶

medium (3):

Reasonable evidence supports the claim. AE integrity is assumed but not hardware-attested. Monitoring coverage is acceptable (>80%).¶

low (4):

Weak evidence supports the claim. Significant caveats apply. Monitoring gaps exist or AE trust basis is unverified.¶

25.6.1. Step 1: Verify Computationally Bound Claims

For claims with type 1-15:¶

1. Verify Evidence Integrity:¶

   Verify segment chain hashes, VDF linkage, and structural validity per the base protocol.¶

2. Extract Metrics:¶

   Compute the relevant metric from segment data (e.g., max delta chars, total VDF duration).¶

3. Compare Threshold:¶

   Verify the computed metric satisfies the claimed threshold.¶

4. Assign Confidence:¶

   Chain-verifiable claims that pass receive confidence level "proven" (1).¶

25.6.2. Step 2: Appraise Monitoring-Dependent Claims

For claims with type 16-63:¶

1. Assess AE Trust Basis:¶

   Examine the ae-trust-basis for each claim. Determine whether the trust target is appropriate for the claim type and whether it was verified.¶

2. Evaluate Monitoring Coverage:¶

   Check monitoring-coverage to determine whether the relevant monitoring was active. Verify coverage-fraction is adequate for the confidence level claimed.¶

3. Cross-Reference Hardware Attestation:¶

   If ae-trust-target is tpm-attested-elsewhere (16) or se-attested-elsewhere (17), verify the corresponding attestation exists in hardware-section.¶

4. Evaluate Evidence:¶

   Examine the absence-evidence for supporting data. Statistical tests should have appropriate p-values; attestation references should be verifiable.¶

5. Assign Confidence:¶

   Based on the above factors, assign confidence level (2-4). Level 1 (proven) is NOT available for monitoring-dependent claims.¶

6. Document Caveats:¶

   Record any limitations or assumptions in the caveats array of the verification result.¶

25.6.3. Step 3: Produce Verification Summary

The Verifier produces a result-claim for each absence-claim examined:¶

result-claim = {
        1 => uint,                      ; claim-type
        2 => bool,                      ; verified
        ? 3 => tstr,                    ; detail
        ? 4 => confidence-level,        ; claim-confidence
}

25.6.4. RATS Architecture Mapping

Absence proofs extend the RATS (Remote ATtestation procedureS) evidence model in several ways:¶

    policy:
      required_claims:
        - type: 1   # max-single-delta-chars
          threshold: 500
          min_confidence: proven
        - type: 4   # min-vdf-duration-seconds
          threshold: 3600
          min_confidence: proven
        - type: 16  # max-paste-event-chars
          threshold: 200
          min_confidence: high
          required_trust_basis: (1, 16, 17)  (SE or TPM attested)
      min_monitoring_coverage: 0.95

25.6.5. Security Considerations

25.6.6. Privacy Considerations

Absence claims may reveal information about the authoring process:¶

• Edit Pattern Disclosure:¶

  Chain-verifiable claims reveal aggregate statistics about edit sizes and frequencies. This is inherent in the segment chain and cannot be hidden without removing the evidentiary basis for claims.¶

• Tool Usage Disclosure:¶

  that the AE was monitoring for AI tool usage. Users should be informed of this monitoring.¶

• Behavioral Fingerprinting:¶

  Detailed jitter data and monitoring observations could theoretically enable behavioral fingerprinting. The histogram aggregation in jitter-binding mitigates this for timing data.¶

Users SHOULD be informed which absence claims will be generated and have the option to disable specific monitoring capabilities if privacy concerns outweigh the value of those claims.¶

26.1.1. Quantified Forgery Cost Bounds

Forgery requires simulating the D_i <-> tau_i alignment during sequential VDF computation. This imposes a computational cost of O(n * VDF_iters), where n is the number of segments. Achieving psycholinguistic fidelity requires high-latency semantic processing synchronized with the VDF chain. Simulating the Error Topology (H=0.7, rho=0.8) within the sequential VDF phases requires approximately 10^3 trials per segment using a biological motor-skill model, further increasing the search space for forgery.¶

Bound: A 1-hour human authoring session generates approximately 10^12 hardware cycles (@ 4GHz). A bot must expend equivalent sequential cycles without the benefit of parallelism to produce a valid correlation proof.¶

26.1.2. What Forgery Cost Bounds Do NOT Claim

Forgery cost bounds explicitly avoid claims that evidence is:¶

• Unforgeable: Given sufficient resources, any evidence can be forged. The bounds quantify "sufficient."¶
• Guaranteed authentic: Bounds express minimum forgery costs, not maximum. Cheaper attacks may exist that have not been discovered.¶
• Irrefutable proof: Evidence supports claims with quantified confidence, not mathematical certainty.¶
• Permanent: Cost bounds depreciate as hardware improves. Evidence verified today may have different bounds when re-evaluated in the future.¶

26.3.1. Field Definitions

The time-bound structure, encoded in CBOR according to the CDDL schema above, contains six fields that together quantify the temporal cost of forgery within the RATS evidence framework. The total-iterations field (key 1) represents the sum of all VDF iterations across all checkpoints in the evidence packet, computed as sum(checkpoint{i}.vdf-proof.iterations) for all i, providing the raw count of sequential hash operations using SHA-256 that must be recomputed. The calibration-rate field (key 2) contains the attested iterations-per-second from the calibration attestation, representing the maximum VDF computation speed on the Attesting Environment's hardware as measured through TPM 2.0 or similar hardware attestation mechanisms. The reference-hardware field (key 3) provides a human-readable description of the hardware used for calibration (e.g., "Apple M2 Pro", "Intel i9-13900K"), used for plausibility assessment rather than cryptographic verification. The min-recompute-seconds field (key 4) specifies the minimum wall-clock seconds required to recompute the VDF chain on reference hardware, calculated as total-iterations divided by calibration-rate, representing a lower bound since actual recomputation on slower hardware takes longer. The parallelizable field (key 5) is a boolean indicating whether the VDF algorithm permits parallelization, with iterated hash VDFs using SHA-256 (algorithms 1-15) always reporting false due to inherent sequentiality, while certain succinct VDF constructions may permit limited parallelization. The optional max-parallelism field (key 6) specifies the maximum parallel speedup factor when parallelizable is true, remaining absent for iterated hash VDFs that enforce strict sequential computation.¶

26.3.2. Time Bound Verification

A Verifier within the RATS architecture computes and validates the time bound through a systematic procedure that ensures the claimed temporal costs are mathematically consistent with the VDF proofs embedded in the evidence chain. First, the Verifier traverses all checkpoints encoded in CBOR and sums the iterations field from each VDF proof, accumulating the total sequential hash operations using SHA-256 that comprise the evidence chain. Second, if calibration attestation is present (typically signed via COSE and backed by TPM 2.0 hardware attestation), the Verifier validates the hardware signature and checks that calibration-rate matches the attested iterations-per-second from the trusted hardware module. Third, the Verifier computes the minimum time by dividing total-iterations by calibration-rate and verifies that the result matches min-recompute-seconds within floating-point tolerance, confirming mathematical consistency of the VDF chain. Fourth, the Verifier performs a plausibility check to ensure min-recompute-seconds is consistent with the claimed authoring duration indicated by RFC 3339 timestamps, since significant discrepancy (e.g., a 10-hour claimed session with only 1-minute VDF time) indicates either misconfiguration of the Attesting Environment or potential manipulation of the evidence packet.¶

26.3.3. Parallelization Resistance

The security of time bounds within the RATS architecture depends critically on VDF parallelization resistance as established in the cryptographic literature, which provides formal proofs that sequential computation cannot be accelerated through parallel hardware deployment. For iterated hash VDFs using SHA-256, each iteration depends cryptographically on the previous output through the hash function's one-way property, no known technique computes H^n(x) faster than n sequential hash operations due to the preimage resistance of SHA-256, and an adversary with P processors fundamentally cannot compute the chain P times faster because the inherent data dependency between iterations prevents parallelization. This property ensures that time bounds reflect wall-clock time rather than aggregate compute time, meaning an adversary with access to an entire data center cannot forge 10 hours of evidence in 10 minutes by deploying 60x more processors, since the sequential VDF chain must still be computed one iteration at a time regardless of available parallel resources. See Section 24.7.2 for detailed analysis of parallelization resistance in each VDF algorithm supported by this RATS profile.¶

26.4.1. Field Definitions

The entropy-bound structure, encoded in CBOR according to the CDDL schema, contains six fields that together quantify the unpredictability barrier facing an adversary attempting to forge evidence within the RATS framework. The total-entropy-bits field (key 1) represents the aggregate entropy across all Jitter Seals in the evidence packet expressed in bits, computed as sum(jitter-summary[i].estimated-entropy-bits) for all i where each Jitter Seal captures behavioral timing bound via HMAC-SHA256. The sample-count field (key 2) contains the total number of timing samples captured across all Jitter Seals, with higher sample counts increasing confidence in the Min-Entropy (H_min) estimate derived from the timing histogram. The entropy-per-sample field (key 3) represents the average entropy contribution per timing sample calculated as total-entropy-bits divided by sample-count, with typical human typing contributing 2-4 bits per inter-key interval based on motor timing variance. The brute-force-probability field (key 4) quantifies the probability of successfully guessing the entropy commitment by brute force, calculated as 2^(-total-entropy-bits), yielding approximately 5.4 x 10^-20 for 64 bits of entropy. The replay-possible field (key 5) is a boolean indicating whether Jitter Seal replay is theoretically possible, set to false when VDF entanglement is properly configured such that the HMAC entropy commitment appears in the VDF input chain. The optional replay-prevention field (key 6) provides a human-readable description of replay prevention mechanisms, typically containing values such as "VDF entanglement with prev-checkpoint binding using SHA-256".¶

26.4.2. Entropy Bound Verification

A Verifier within the RATS architecture computes and validates the entropy bound through a systematic five-step procedure that ensures the claimed entropy costs are mathematically consistent with the Jitter Seal commitments embedded in the CBOR evidence chain. First, the Verifier aggregates entropy by summing estimated-entropy-bits from each checkpoint's jitter-summary and verifying that the total matches the claimed total-entropy-bits field, ensuring no entropy claims have been inflated beyond what the underlying HMAC-SHA256 commitments support. Second, the Verifier counts samples by summing sample-count from each jitter-summary and verifying consistency with the claimed sample-count, confirming the behavioral timing data volume matches expectations for the authoring session duration indicated by RFC 3339 timestamps. Third, if raw-intervals are disclosed for transparency, the Verifier recomputes the histogram and Min-Entropy (H_min) independently, verifying consistency with the claimed entropy estimate to detect potential manipulation of entropy calculations. Fourth, the Verifier checks replay prevention by verifying that each HMAC entropy-commitment appears in the corresponding VDF input per the VDF chain construction, setting replay-possible to true if VDF entanglement is absent since unentangled entropy commitments could theoretically be replayed from previous sessions. Fifth, the Verifier computes brute-force probability by calculating 2^(-total-entropy-bits) and verifying that the result matches the claimed brute-force-probability within floating-point tolerance, confirming the security bound is mathematically accurate for the accumulated behavioral entropy.¶

26.4.3. Minimum Entropy Requirements

The RATS profile defined in this specification establishes RECOMMENDED minimum entropy thresholds by evidence tier, with thresholds calibrated to provide meaningful security guarantees against brute-force attacks on the HMAC-SHA256 entropy commitments embedded in Jitter Seals. The Basic tier requires a minimum of 32 bits of total entropy, corresponding to a brute-force probability less than 2.3 x 10^-10, suitable for low-stakes evidence where moderate forgery resistance suffices. The Standard tier requires a minimum of 64 bits of total entropy, corresponding to a brute-force probability less than 5.4 x 10^-20, providing strong forgery resistance appropriate for most professional and academic authorship attestation use cases. The Enhanced tier requires a minimum of 128 bits of total entropy, corresponding to a brute-force probability less than 2.9 x 10^-39, offering cryptographically strong guarantees approaching the security level of the underlying SHA-256 hash function for high-stakes evidence requiring maximum assurance. Evidence packets encoded in CBOR that fail to meet the minimum entropy thresholds for their claimed tier SHOULD be flagged in the security-statement caveats, enabling Relying Parties to make informed trust decisions within the RATS architecture about whether the behavioral entropy is sufficient for their risk tolerance.¶

26.5.1. Field Definitions

The economic-bound structure, encoded in CBOR according to the CDDL schema, contains six fields that translate the cryptographic and temporal costs of VDF chain recomputation into monetary terms for Relying Party assessment within the RATS framework. The cost-model-version field (key 1) contains an identifier for the cost model used (e.g., "witnessd-cost-2025Q1"), with versioning necessary because hardware prices and computational costs for SHA-256 operations change over time. The cost-model-date field (key 2) contains an RFC 3339 timestamp when the cost model was established. The compute-cost field (key 3) quantifies the cost of computational resources required to recompute the VDF chain, including cloud compute instance cost for min-recompute-seconds of sequential SHA-256 operations, electricity cost for sustained computation, and amortized hardware cost if using dedicated equipment rather than cloud resources. The time-cost field (key 4) represents the opportunity cost of the wall-clock time required for forgery, since an adversary attempting to forge 10-hour evidence cannot use that time for other purposes, modeled as the economic value of the adversary's time at skilled labor rates. The total-min-cost field (key 5) represents the minimum total cost to forge the evidence combining compute and time costs, serving as the primary metric for cost-benefit analysis by Relying Parties. The cost-per-hour-claimed field (key 6) normalizes forgery cost by claimed authoring duration (calculated as total-min-cost divided by claimed-duration-hours derived from RFC 3339 timestamps), enabling fair comparison across evidence packets of different lengths within the RATS trust framework.¶

26.5.2. Cost Estimate Structure

Each cost-estimate structure within the economic-bound, encoded in CBOR according to the CDDL schema, includes a point estimate and confidence range to account for uncertainty in adversary resource access within the RATS trust model. The usd field (key 1) contains the point estimate in US dollars, representing the expected cost under typical assumptions about cloud compute pricing and electricity rates for sustaining the sequential SHA-256 operations required by VDF recomputation. The usd-low field (key 2) contains the lower bound of a 90% confidence interval, representing cost assuming the adversary has access to discounted resources such as pre-existing infrastructure, bulk compute contracts, or subsidized electricity that reduce marginal costs. The usd-high field (key 3) contains the upper bound of the 90% confidence interval, representing cost assuming the adversary must acquire resources at full market rates without existing infrastructure or preferential pricing arrangements. The basis field (key 4) contains a human-readable description of the cost calculation basis (e.g., "AWS c7i.large @ $0.085/hr + $0.10/kWh electricity"), enabling Relying Parties to assess whether the cost model assumptions are reasonable for their deployment context and adjust estimates accordingly based on their knowledge of adversary capabilities.¶

26.5.3. Cost Computation

The reference cost computation for compute-cost quantifies the resources required to recompute the VDF chain with its sequential SHA-256 iterations, using the formula: hourly_rate = cloud_rate + elec_rate * power, where cloud_rate represents the cost of compute instances capable of sustained hashing, compute_hours = min_recompute_seconds / 3600 converts the VDF recomputation time to billable hours, and compute_cost_usd = hourly_rate * compute_hours yields the total computational expenditure. The 90% confidence interval assumes 50% rate variance to account for differences in adversary resource access, computed as compute_cost_low = compute_cost_usd * 0.5 for adversaries with discounted access and compute_cost_high = compute_cost_usd * 1.5 for those paying market rates.¶

The reference cost computation for time-cost represents the opportunity cost of wall-clock time required for sequential VDF recomputation, using a skilled labor rate model where hourly_value = 50.0 USD and time_cost_usd = hourly_value * (min_recompute_seconds / 3600), reflecting the economic value of the adversary's time that cannot be used for other purposes during the forgery attempt. The confidence interval for time cost accounts for labor rate variance, computed as time_cost_low = time_cost_usd * 0.2 for adversaries in low-cost labor markets and time_cost_high = time_cost_usd * 4.0 for highly skilled adversaries whose time commands premium rates.¶

These are reference calculations within the RATS framework, and implementations MAY use different cost models appropriate to their deployment context, provided the CBOR encoding follows the CDDL schema and the basis field documents the alternative model for Relying Party assessment.¶

26.6.1. Field Definitions

The security-statement structure, encoded in CBOR according to the CDDL schema, contains four fields that together provide both human-readable and machine-readable security claims within the RATS trust framework. The claim field (key 1) contains a human-readable security claim that MUST be phrased as a minimum bound rather than an absolute guarantee (e.g., "Forging this evidence requires at minimum 8.3 hours of sequential VDF computation, 67 bits of HMAC entropy prediction, and an estimated $42-$126 in resources"), avoiding language that implies unforgeable or irrefutable guarantees. The formal field (key 2) contains machine-readable security bounds for automated policy evaluation, enabling Relying Parties to programmatically compare evidence packets against their minimum acceptance thresholds without parsing natural language claims. The assumptions field (key 3) contains an array of assumptions under which the security claim holds, which MUST include at minimum a cryptographic assumption (e.g., "SHA-256 preimage resistance"), a hardware assumption (e.g., "TPM 2.0 calibration attestation is accurate"), and an adversary model assumption (e.g., "Adversary cannot parallelize VDF computation"), making explicit the conditions that must hold for the bounds to remain valid. The caveats field (key 4) contains an array of limitations or warnings about the security claim, with typical examples including "Cost estimates based on 2024Q4 cloud pricing", "Entropy estimate assumes timing samples are statistically independent", and "Does not protect against Attesting Environment compromise during evidence generation", enabling Relying Parties to understand the boundaries of the security guarantees.¶

26.6.2. Formal Security Bound

The formal-security-bound structure, encoded in CBOR according to the CDDL schema, provides three orthogonal minimum requirements for forgery that an adversary must simultaneously overcome to produce fraudulent evidence within the RATS architecture. The min-seconds field (key 1) specifies the minimum wall-clock seconds to forge the evidence, derived from time-bound.min-recompute-seconds which itself reflects the sequential VDF chain recomputation time using SHA-256 iterations that cannot be parallelized. The min-entropy-bits field (key 2) specifies the minimum entropy bits an adversary must predict or generate, derived from entropy-bound.total-entropy-bits which reflects the accumulated behavioral entropy captured through HMAC-SHA256 Jitter Seal commitments. The min-cost-usd field (key 3) specifies the minimum cost in USD to forge the evidence, conservatively derived from economic-bound.total-min-cost.usd-low to provide a lower bound that holds even if the adversary has discounted resource access.¶

Relying Parties within the RATS trust framework can evaluate these CBOR encoded bounds against their risk tolerance through automated policy evaluation. For example, a policy might require: accept_evidence if min-seconds >= 3600 (requiring at least 1 hour of sequential VDF computation) AND min-entropy-bits >= 64 (requiring at least 64 bits of HMAC entropy prediction) AND min-cost-usd >= 100 (requiring at least $100 in forgery resources), with all three conditions enforced simultaneously to provide defense-in-depth against different adversary capabilities.¶

26.8.1. Assumed Adversary Capabilities

Forgery cost bounds within the RATS architecture assume an adversary with specific capabilities that bound the security guarantees provided by VDF chains and HMAC entropy commitments. The assumed adversary has access to commodity hardware at market prices for computing SHA-256 hash iterations, can execute VDF algorithms correctly following the published specifications, cannot parallelize inherently sequential VDFs due to the data dependency between iterations, cannot predict behavioral entropy in advance because human input timing exhibits genuine behavioral randomness, and has not compromised the Attesting Environment during evidence generation such that key material or intermediate state remains protected.¶

The forgery cost bounds encoded in CBOR may not hold against adversaries who exceed these assumed capabilities within the RATS threat model. Adversaries with access to specialized SHA-256 ASICs at below-market cost may achieve lower compute costs than the economic bound assumes, reducing the effective forgery barrier. Adversaries who can compromise the Attesting Environment during evidence generation may extract key material or manipulate VDF computations, bypassing the sequential computation requirement entirely. Adversaries who discover novel cryptanalytic attacks on VDF constructions or hash function security may reduce the effective security below what the bounds indicate. Adversaries with access to quantum computers capable of breaking the cryptographic assumptions underlying SHA-256 preimage resistance may invalidate the security guarantees, though such computers do not currently exist at the scale required for this attack.¶

26.8.2. Limitations of Cost Bounds

Forgery cost bounds within the RATS architecture provide lower bounds rather than absolute guarantees, with several fundamental limitations that Relying Parties must understand when evaluating CBOR encoded evidence packets. The bounds assume current best-known attacks on VDF constructions and SHA-256 hash functions, meaning future cryptanalytic advances may reduce actual forgery costs below what the security-statement claims, requiring periodic reassessment of evidence security as the cryptographic landscape evolves. The economic estimates depend entirely on cost model assumptions encoded in the CDDL schema, and actual adversary costs may differ significantly based on their specific resource access, geographic location affecting electricity costs, or existing computational infrastructure that reduces marginal costs. The Min-Entropy (H_min) estimates from Jitter Seals assume statistically independent timing samples, but correlations in human input timing data (such as rhythmic typing patterns or predictable pause structures) may reduce effective entropy below the claimed HMAC commitment strength. The time bounds depend critically on calibration accuracy from TPM 2.0 or similar hardware attestation, and without cryptographic hardware attestation the calibration is self-reported by the Attesting Environment and may be manipulated to overstate VDF computation speed, inflating the apparent time bound.¶

26.8.3. What Bounds Do NOT Guarantee

Forgery cost bounds within the RATS architecture explicitly do NOT provide certain guarantees that Relying Parties might incorrectly infer from the security claims encoded in CBOR. The bounds do not provide authenticity proof: evidence meeting VDF time thresholds and HMAC entropy thresholds is proven expensive to forge rather than proven authentic, and these are fundamentally distinct claims that must not be conflated in Relying Party policy decisions. The bounds do not provide content verification: the forgery cost analysis using SHA-256 chains says nothing about document content, quality, accuracy, or truthfulness, since only the process evidence describing how the document evolved is bounded rather than the document's substantive claims. The bounds do not provide intent attribution: the COSE signatures and VDF proofs do not prove who created the evidence or why they created it, since identity and intent attribution are outside the scope of cost-asymmetric forgery analysis and require separate attestation mechanisms.¶

26.8.4. Policy Guidance for Relying Parties

Relying Parties within the RATS architecture should establish evidence acceptance policies based on four key considerations that translate forgery cost bounds encoded in CBOR into actionable trust decisions. First, risk assessment: What is the cost of accepting forged evidence with manipulated VDF proofs or fabricated HMAC entropy commitments? High-stakes decisions such as legal proceedings, academic credential verification, or financial attestation require proportionally higher cost thresholds in the formal-security-bound to ensure forgery is economically irrational. Second, adversary economics: Would forgery be economically rational given the costs quantified in the economic-bound structure? If VDF recomputation costs using SHA-256 iterations exceed the potential gain from successful forgery, rational adversaries operating within standard economic models will not attempt it, though irrational or ideologically motivated adversaries may still pose risks. Third, time sensitivity: How quickly must evidence be verified given the RFC 3339 timestamps in the evidence packet? Fourth, corroborating evidence: Cost bounds derived from VDF chains and Jitter Seals are one factor among many in the trust decision, and external anchors such as RFC 3161 timestamps or blockchain anchors, TPM 2.0 hardware attestation, and contextual information about the Attesting Environment all contribute to overall confidence within the RATS trust framework.¶

27.3.1. Parent Chain Hash Verification

For each provenance-link, if the parent Evidence packet is available:¶

1. Verify that parent-packet-id matches the packet-id field of the parent Evidence packet.¶
2. Verify that parent-chain-hash matches the tree-root of the final checkpoint in the parent Evidence packet.¶
3. Verify that the derivation timestamp is not earlier than the created timestamp of the parent packet.¶

If the parent Evidence packet is not available, the Verifier SHOULD note this limitation in the Attestation Result caveats. The provenance link remains valid but unverified.¶

27.3.2. Cross-Packet Attestation

When cross-packet-attestation is present, it provides cryptographic proof that the author of the current packet had access to the parent packet at the time of derivation:¶

    cross-packet-attestation = COSE_Sign1(
        payload = CBOR_encode({
            1: current-packet-id,
            2: parent-packet-id,
            3: parent-chain-hash,
            4: derivation-timestamp,
        }),
        key = author-signing-key
    )

This attestation prevents retroactive provenance claims where an author discovers an existing Evidence packet and falsely claims derivation after the fact.¶

27.5.1. Continuation Example

A dissertation written over 18 months with monthly Evidence exports:¶

        {1: 1, 2: 3, 3: "Structure from Alice's draft"},
        {1: 2, 2: 2, 3: "Content merged from all three"},
        {1: 4, 2: 4, 3: "Data primarily from Bob"}
      ]
    }

28.4.1. Single Packet Verification

Each packet in a continuation series MUST be independently verifiable. A Verifier with access only to packet N can:¶

• Verify all segment chain integrity within the packet.¶
• Verify all VDF proofs within the packet.¶
• Verify jitter bindings within the packet.¶
• Report the cumulative-summary as claimed (not proven without prior packets).¶

The Attestation Result SHOULD note that the packet is part of a series and whether prior packets were verified.¶

28.4.2. Full Series Verification

When all packets in a series are available, a Verifier MUST:¶

1. Verify each packet independently.¶
2. Verify that series-id is consistent across all packets.¶
3. Verify that packet-sequence values are consecutive starting from 0.¶
4. For each packet N > 0, verify that prev-packet-chain-hash matches the final tree-root of packet N-1.¶
5. For each packet N > 0, verify that the first checkpoint's VDF_input incorporates the previous packet's final VDF_output.¶
6. Verify that cumulative-summary values are consistent with the sum of individual packet statistics.¶

28.6.1. When to Export a Continuation Packet

Implementations SHOULD support configurable triggers for continuation packet export:¶

• Checkpoint count threshold: Export after N checkpoints (e.g., 1000).¶
• Time interval: Export weekly or monthly.¶
• Document size threshold: Export when document exceeds N characters.¶
• Manual trigger: User-initiated export.¶
• Milestone events: Export at chapter completion or version milestones.¶

28.6.2. Handling Gaps in Series

If a packet in a series is lost or unavailable:¶

• Subsequent packets remain independently verifiable.¶
• The cumulative-summary provides claimed totals but cannot be proven without all packets.¶
• Verifiers MUST note the gap in Attestation Results.¶
• Chain continuity verification fails at the gap but resumes for subsequent contiguous packets.¶

29.3.1. Weighted Average Model

The weighted average model represents the most common computation approach within the RATS appraisal policy framework, where each trust factor derived from VDF proofs, HMAC entropy commitments, and SHA-256 chain integrity contributes proportionally to its assigned weight in the CBOR encoded policy structure defined by the CDDL schema:¶

    confidence-score = sum(factor[i].weight * factor[i].normalized-score)
                       / sum(factor[i].weight)

    Constraints:
      - sum(weights) SHOULD equal 1.0 for clarity
      - All normalized-scores are in [0.0, 1.0]
      - Resulting confidence-score is in [0.0, 1.0]

    Example:
      vdf-duration:      weight=0.30, score=0.95, contribution=0.285
      jitter-entropy:    weight=0.25, score=0.80, contribution=0.200
      presence-rate:     weight=0.20, score=1.00, contribution=0.200
      chain-integrity:   weight=0.15, score=1.00, contribution=0.150
      hardware-attest:   weight=0.10, score=0.00, contribution=0.000

      confidence-score = 0.285 + 0.200 + 0.200 + 0.150 + 0.000 = 0.835

29.3.2. Minimum-of-Factors Model

The minimum-of-factors model represents a conservative computation approach within the RATS appraisal framework where the overall confidence score is limited by the weakest factor, computed as: confidence-score = min(factor[i].normalized-score for all i). This model ensures that deficiencies in any single trust dimension (whether VDF duration, Jitter Seal entropy via HMAC, presence verification, SHA-256 chain integrity, or TPM 2.0 [TPM2.0] hardware attestation) will dominate the final assessment. For example, given vdf-duration score=0.95, jitter-entropy score=0.80, presence-rate score=1.00, chain-integrity score=1.00, and hardware-attest score=0.00 (the limiting factor), the resulting confidence-score equals 0.00 because the absence of hardware attestation bounds the overall trust regardless of strong VDF and HMAC evidence.¶

This CBOR encoded policy model is appropriate for high-security RATS deployments where any weakness in the evidence chain should disqualify the Evidence packet entirely, such as forensic investigations, legal proceedings requiring COSE signed attestations, or high-stakes academic integrity verification where the cost of accepting forged evidence exceeds the cost of false rejection.¶

29.3.3. Geometric Mean Model

The geometric mean model provides a balanced computation approach within the RATS appraisal framework that penalizes outliers more heavily than weighted average but less severely than the minimum-of-factors model, computed as: confidence-score = (product(factor[i].normalized-score))^(1/n) where n is the number of trust factors derived from VDF proofs, HMAC entropy, SHA-256 chain integrity, and other evidence dimensions. For example with 5 factors encoded in the CBOR policy structure: given scores = [0.95, 0.80, 1.00, 1.00, 0.60] representing vdf-duration, jitter-entropy, presence-rate, chain-integrity, and hardware-attestation respectively, the product = 0.95 * 0.80 * 1.00 * 1.00 * 0.60 = 0.456, yielding confidence-score = 0.456^(1/5) = 0.838 which maintains reasonable overall confidence despite one weak factor while still penalizing the deficiency more than a simple weighted average would according to the CDDL schema.¶

29.4.1. Threshold Normalization

    For factors with a minimum threshold:
      if raw_value >= threshold:
          normalized = 1.0
      else:
          normalized = raw_value / threshold

    Example: vdf-duration with 3600s threshold
      raw_value = 2700s
      normalized = 2700 / 3600 = 0.75

29.4.2. Range Normalization

    For factors with min/max range:
      normalized = (raw_value - min) / (max - min)
      normalized = clamp(normalized, 0.0, 1.0)

    Example: typing-rate with acceptable range 20-200 WPM
      raw_value = 75 WPM
      normalized = (75 - 20) / (200 - 20) = 0.306

29.4.3. Binary Normalization

    For pass/fail factors:
      normalized = 1.0 if present/valid else 0.0

    Example: hardware-attestation
      TPM attestation present and valid: normalized = 1.0
      No hardware attestation: normalized = 0.0

30.4.1. Reference-Only Verification

Without fetching the full Evidence packet containing VDF proofs and HMAC Jitter Seals, a Verifier within the RATS architecture can perform reference-only verification by: (1) verifying the COSE compact-signature is valid using the signer's public key, (2) identifying the signer (author, third-party verifier, or evidence hosting service) from the COSE key identifier, (3) checking that evidence-uri points to a trusted source for fetching the full CBOR encoded Evidence if needed, and (4) displaying the compact-summary to the user showing segment count, total characters, VDF duration, and evidence tier.¶

This reference-only verification provides basic assurance within the RATS trust framework that Evidence exists and was attested by a known party whose COSE signature is valid, without requiring full verification of the SHA-256 segment chain, VDF proofs, or HMAC entropy commitments.¶

30.4.2. Full Verification via URI

For complete verification within the RATS architecture, the Verifier follows a six-step procedure that validates both the compact reference and the full CBOR encoded Evidence packet: (1) fetch the Evidence packet from evidence-uri using HTTPS or other secure transport, (2) verify that packet-id (UUID) matches between the compact reference and fetched packet, (3) verify that chain-hash (SHA-256) matches the final tree-root in the fetched Evidence, (4) verify that document-hash (SHA-256) matches the document-ref content-hash binding the evidence to the attested document, (5) perform full Evidence verification per this specification including VDF proof recomputation, HMAC entropy verification, and COSE signature validation, and (6) verify that compact-summary values (checkpoint-count, total-chars, total-vdf-time, evidence-tier) match the actual Evidence computed values.¶

Discrepancies between the compact reference and the fetched Evidence MUST cause verification to fail within the RATS trust framework, as such discrepancies indicate either tampering with the compact reference, corruption of the full Evidence packet, or a mismatch between the referenced and fetched packets.¶

30.5.1. CBOR Encoding

The native format is CBOR with the 0x50505021 tag. This is the most compact binary representation, suitable for:¶

• Binary metadata fields¶
• Protocol messages¶
• Database storage¶

Typical size: 150-250 bytes.¶

30.5.2. Base64 Encoding

For text-only contexts, the CBOR bytes are base64url-encoded:¶

    pop-ref:2nQAAZD1UPAgowGQA...base64url...

The "pop-ref:" prefix enables detection and parsing. Typical size: 200-350 characters.¶

32.2.1. Adversary Goals

The protocol defends against adversaries pursuing five primary goals: (1) Backdating: creating evidence that falsely claims earlier creation time; (2) Fabrication: generating evidence for documents never genuinely authored; (3) Transplanting: associating legitimate evidence with different content; (4) Omission: selectively removing checkpoints from an evidence chain; (5) Impersonation: attributing evidence to a different device or author. Each goal is addressed through specific cryptographic and structural properties: VDF sequential computation prevents backdating, jitter entropy prevents fabrication, content binding prevents transplanting, Merkle trees detect omission, and hardware attestation prevents impersonation.¶

32.2.2. Assumed Adversary Capabilities

The RATS profile specification assumes adversaries have five categories of capabilities that bound the security guarantees of VDF chains, HMAC entropy commitments, and SHA-256 checkpoint integrity. Software Control: the adversary has full control over software running on their device, including the ability to modify or replace the Attesting Environment that generates CBOR evidence, and they can intercept, modify, or fabricate any software-generated data that is not protected by TPM 2.0 [TPM2.0] hardware attestation or similar tamper-resistant hardware. Commodity Hardware Access: the adversary can acquire commodity computing hardware at market prices for computing SHA-256 iterations, and they may have access to cloud computing resources enabling them to rent substantial computational capacity for VDF recomputation attempts. Bounded Compute Resources: the adversary's computational resources are bounded by economic constraints quantified in the forgery cost bounds, meaning they cannot instantaneously compute arbitrarily large numbers of VDF iterations, and the wall-clock time required for sequential SHA-256 computation cannot be circumvented with additional parallel resources due to the inherent data dependency between iterations. Algorithm Knowledge: the adversary has complete knowledge of all algorithms including VDF constructions, CDDL schemas, COSE signatures, and CBOR encoding, since security does not depend on obscurity and the specification is public. Statistical Sophistication: the adversary can perform statistical analysis on Jitter Seal timing histograms and may attempt to generate synthetic behavioral data using HMAC that passes Min-Entropy (H_min) tests, though the commitment-before-observation model prevents adaptive synthesis.¶

32.2.3. Out-of-Scope Adversaries

The RATS profile specification explicitly does NOT defend against five categories of adversaries whose capabilities exceed the design assumptions of VDF chains, HMAC entropy commitments, and SHA-256 checkpoint integrity. Nation-State Adversaries with HSM Compromise: adversaries capable of extracting keys from hardware security modules (TPM 2.0, Secure Enclave) through sophisticated physical attacks, side-channel analysis, or manufacturer compromise, since hardware attestation via COSE signatures assumes HSM integrity for calibration and identity binding. Cryptographic Breakthrough: adversaries with access to novel cryptanalytic techniques that break SHA-256 collision resistance, ECDSA signature security underlying COSE, or other standard cryptographic primitives used throughout the CDDL schema, since the specification relies on established cryptographic assumptions. Quantum Adversaries: adversaries with access to fault-tolerant quantum computers capable of executing Shor's algorithm (breaking RSA/ECDSA used in COSE signatures) or providing significant Grover speedups against SHA-256 preimage resistance, with post-quantum considerations noted in Section 24.6.2 but full quantum resistance not claimed. Time Travel: adversaries capable of creating CBOR evidence at one point in time and presenting it as if created earlier where external anchors via RFC 3161 or blockchain timestamps are not available or have been compromised, since external timestamp authorities are trusted for absolute time claims beyond VDF relative ordering. Coerced Authors: adversaries who coerce legitimate authors into producing evidence with valid VDF proofs and HMAC Jitter Seals under duress, since the specification documents process rather than intent or consent.¶

The exclusion of these adversaries is not a weakness but a recognition of practical threat modeling within the RATS framework, since evidence systems appropriate for defending against nation-state actors with HSM compromise or quantum computational capabilities would impose costs and constraints (such as post-quantum COSE algorithms or hardware-isolated attestation environments) unsuitable for general authoring scenarios where the goal is making forgery economically irrational rather than theoretically impossible.¶

32.3.1. Hash Function Security

Hash functions are used throughout the specification for content binding, chain construction, entropy commitment, and VDF computation.¶

Required Properties:

• Collision Resistance:¶

  It must be computationally infeasible to find two distinct inputs that produce the same hash output. This property ensures that different document states produce different content-hash values.¶

• Preimage Resistance:¶

  Given a hash output, it must be computationally infeasible to find any input that produces that output. This property prevents adversaries from constructing documents that match a predetermined hash.¶

• Second Preimage Resistance:¶

  Given an input and its hash, it must be computationally infeasible to find a different input with the same hash. This property prevents document substitution attacks.¶

Algorithm Requirements:

SHA-256 is RECOMMENDED and MUST be supported by all implementations. SHA-3-256 SHOULD be supported for algorithm agility. Hash functions with known weaknesses (MD5, SHA-1) MUST NOT be used.¶

Security Margin:

SHA-256 provides 128-bit security against collision attacks and 256-bit security against preimage attacks under classical assumptions. Grover's algorithm reduces these to 85-bit and 128-bit respectively under quantum assumptions. This margin is considered adequate for the specification's threat model.¶

32.3.2. Signature Security

Digital signatures are used for segment chain authentication, hardware attestation, calibration binding, and Attestation Result integrity.¶

COSE Algorithm Requirements:

Implementations MUST support COSE algorithm identifiers from the COSE registry [IANA.cose]:¶

• ES256 (ECDSA with P-256 and SHA-256): MUST support¶
• ES384 (ECDSA with P-384 and SHA-384): SHOULD support¶
• EdDSA (Ed25519): SHOULD support¶
• ML-DSA (Dilithium): REQUIRED for Maximum Tier evidence to ensure post-quantum signature security¶

RSA-based algorithms (PS256, RS256) MAY be supported for compatibility with legacy systems but are not recommended for new implementations due to larger signature sizes and post-quantum vulnerability.¶

Key Size Requirements:

Minimum key sizes for 128-bit security:¶

• ECDSA: P-256 curve or larger¶
• EdDSA: Ed25519 or Ed448¶
• RSA: 3072 bits or larger¶

Signature Binding:

Signatures MUST bind to the complete payload being signed. Partial payload signatures (signing a subset of fields) create opportunities for field substitution attacks. The chain-mac field provides additional binding beyond the checkpoint signature.¶

32.3.3. VDF Security

Verifiable Delay Functions provide the temporal security foundation of the specification. VDF security rests on the sequential computation requirement.¶

Sequential Computation:

The VDF output cannot be computed significantly faster than the specified number of sequential operations. For iterated hash VDFs, this reduces to the assumption that no algorithm computes H^n(x) faster than n sequential hash evaluations. No such algorithm is known for cryptographic hash functions.¶

Parallelization Resistance:

Additional computational resources (more processors, GPUs, ASICs) cannot reduce the wall-clock time required for VDF computation. The iterated hash construction is inherently sequential: each iteration depends on the previous output.¶

See Section 24.7.2 for detailed analysis.¶

Verification Soundness:

For iterated hash VDFs, verification is by recomputation. The Verifier executes the same computation and compares results. This provides perfect soundness: a claimed output that differs from the actual computation will always be detected.¶

For succinct VDFs (Pietrzak, Wesolowski), verification relies on the cryptographic hardness of the underlying problem (RSA group or class group). Soundness is computational rather than perfect.¶

32.3.4. VDF Entanglement Attack Vectors

The VDF Entanglement mechanism binds each checkpoint to the previous VDF output, current content-hash, jitter-commitment, and sequence number. This section analyzes three specific attack vectors against this construction and documents their mitigations and cost bounds.¶

32.3.5. Key Management

Proper key management is essential for maintaining evidence integrity.¶

Hardware-Bound Keys:

When available, signing keys SHOULD be bound to hardware security modules (TPM, Secure Enclave). Hardware binding provides:¶

• Key non-exportability: Private keys cannot be extracted from the device¶
• Device binding: Evidence can be tied to a specific physical device¶
• Tamper resistance: Key compromise requires physical attack¶

Session Keys:

The checkpoint-chain-key used for chain-mac computation SHOULD be derived uniquely for each session. Key derivation SHOULD use HKDF (RFC 5869) with domain separation:¶

    # Root Credential (from Enrollment)
    # RC = HKDF-SHA256(PUF_Seed, "witnessd-root-v1")
    #
    # Session Key (derived from Root Credential)
    # SK = HKDF-SHA256(RC, session-nonce || "witnessd-session-v1")
    #
    # Checkpoint Chain Key (derived from Session Key)
    # CCK = HKDF-SHA256(SK, "witnessd-chain-v1")

    chain-key = HKDF-SHA256(
        salt = session-entropy,
        ikm = device-master-key,
        info = "witnessd-chain-v1" || session-id
    )

¶

Key Rotation:

Device keys SHOULD be rotated periodically (RECOMMENDED: annually) or upon suspected compromise. Evidence packets created with revoked keys SHOULD be flagged during verification.¶

32.4.1. What the AE Is Trusted For

The AE is trusted to perform accurate observation and honest reporting of the specific data it captures:¶

Accurate Timing Measurement:

The AE is trusted to accurately measure inter-keystroke intervals and other timing data. This does not require trusting the content of keystrokes, only the timing between events.¶

Correct Hash Computation:

The AE is trusted to correctly compute cryptographic hashes of document content. Verification can detect incorrect hashes, but cannot detect if the AE computed a hash of different content than claimed.¶

VDF Execution:

The AE is trusted to actually execute VDF iterations rather than fabricating outputs. This trust is partially verifiable: VDF outputs can be recomputed, but the claimed timing cannot be independently verified without calibration attestation.¶

Monitoring Events (for monitoring-dependent claims):

For claims in the monitoring-dependent category (types 16-63), the AE is trusted to have actually observed and reported the events (or non-events) it claims. This trust is documented in the ae-trust-basis field.¶

32.4.2. What the AE Is NOT Trusted For

The specification explicitly does NOT rely on AE trust for the following:¶

Content Judgment:

The AE makes no claims about document quality, originality, accuracy, or appropriateness. Evidence documents process, not content merit.¶

Intent Inference:

The AE makes no claims about why the author performed specific actions, what the author was thinking, or whether the author intended to deceive. Evidence documents observable behavior, not mental states.¶

Authorship Attribution:

The AE makes no claims about who was operating the device. The evidence shows that input events occurred on a device; it does not prove that a specific individual produced those events.¶

Cognitive Process:

Behavioral patterns consistent with human typing do not prove human cognition. An adversary could theoretically program input patterns that mimic human timing while the content originates elsewhere. The Jitter Seal makes this costly, not impossible.¶

32.4.3. Hardware Attestation Role

Hardware attestation increases AE trust by binding evidence to verified hardware:¶

[TPM2.0] (Linux, Windows):

Provides platform integrity measurement (PCRs), key sealing to platform state, and hardware-bound signing keys. TPM attestation proves that the AE was running on a specific device in a specific configuration.¶

Secure Enclave (macOS, iOS):

Provides hardware-bound key generation and signing operations. Keys generated in the Secure Enclave cannot be exported, binding signatures to the specific device.¶

Attestation Limitations:

Hardware attestation proves the signing key is hardware-bound; it does not prove the AE software is unmodified. Full AE integrity would require secure boot attestation and runtime integrity measurement, which are platform-specific and not universally available.¶

32.4.4. Compromised AE Scenarios

Understanding the impact of AE compromise is essential for risk assessment:¶

Modified AE Software:

An adversary running modified AE software can fabricate any monitoring-dependent claims (types 16-63). Chain-verifiable claims (types 1-15) remain bound by VDF computational requirements even with modified software.¶

Fake Calibration:

Modified software could report artificially slow calibration rates, making subsequent VDF computations appear to take longer than they actually did. This attack is mitigated by:¶

• Hardware-signed calibration attestation (when available)¶
• Plausibility checks based on device class¶
• External anchor cross-validation¶

Fabricated Jitter Data:

Modified software could generate synthetic timing data that mimics human patterns. The cost of this attack is bounded by:¶

• Real-time generation requirement (VDF entanglement)¶
• Statistical consistency across checkpoints¶
• Entropy threshold requirements¶

See Section 23.2 for quantified bounds on simulation attacks.¶

Mitigation Summary:

AE compromise cannot reduce the VDF computational requirement or bypass the sequential execution constraint. Compromise enables fabrication of monitoring data but does not eliminate the time cost of forgery. The forgery-cost-section quantifies the minimum resources required even with full software control.¶

32.5.1. Verifier Independence

Evidence verification is designed to be independent of the Attester:¶

No Shared State:

Verification requires no communication with or data from the Attester beyond the Evidence packet itself. A Verifier with only the .pop file can perform complete verification.¶

Adversarial Verification:

A skeptical Verifier can appraise Evidence without trusting any claims made by the Attester. All cryptographic proofs are included and can be recomputed independently.¶

Multiple Independent Verifiers:

Multiple Verifiers appraising the same Evidence should reach consistent results for computationally-bound claims. Monitoring- dependent claims may receive different confidence assessments based on Verifier policies.¶

32.5.2. Sampling Strategies for Large Evidence Packets

Evidence packets may contain thousands of checkpoints. Full verification of all VDF proofs may be impractical. Verifiers MAY use sampling strategies:¶

Boundary Verification:

Always verify the first and last checkpoints fully. This confirms the chain endpoints.¶

Random Sampling:

Randomly select checkpoints for full VDF verification. If any sampled checkpoint fails, reject the entire Evidence. Probability of detecting a single invalid checkpoint with k samples from n checkpoints: 1 - (1 - 1/n)^k.¶

Chain Linkage Verification:

Verify prev-hash linkage for ALL checkpoints (computationally cheap). This ensures no checkpoints were removed or reordered.¶

Anchor-Bounded Verification:

If external anchors are present, prioritize verification of checkpoints adjacent to anchors. External timestamps bound the timeline at anchor points.¶

Sampling Disclosure:

Attestation Results SHOULD disclose the sampling strategy used and the number of checkpoints fully verified. Relying Parties can assess whether the sampling provides adequate confidence for their use case.¶

32.5.3. External Anchor Verification

External anchors (RFC 3161 timestamps, blockchain proofs) provide absolute time binding but introduce additional trust requirements:¶

Timestamp Authority Trust:

Timestamps per RFC 3161 require trust in the Time Stamping Authority (TSA). Verifiers SHOULD use TSAs with published policies and audit records. Multiple TSAs MAY be used for redundancy.¶

Blockchain Anchor Verification:

Blockchain-based anchors require access to blockchain data (directly or via APIs). Verifiers SHOULD verify:¶

• The transaction containing the anchor is confirmed¶
• Sufficient confirmations for the security level required¶
• The anchor commitment matches the expected segment data¶

Anchor Freshness:

Anchors prove that Evidence existed at the anchor time; they do not prove Evidence was created at that time. An adversary could create Evidence, wait, then obtain an anchor. This is mitigated by anchor coverage requirements (multiple anchors throughout the session).¶

32.6.1. Replay Attack Prevention

Replay attacks attempt to reuse valid evidence components in invalid contexts. Multiple mechanisms prevent replay:¶

Nonce Binding:

Session entropy (random 256-bit seed) is incorporated into the genesis checkpoint VDF input. This prevents precomputation of VDF outputs before a session begins.¶

Chain Binding:

Each checkpoint includes prev-hash, binding it to the specific chain history. Checkpoints cannot be transplanted between chains without invalidating the hash linkage.¶

See Section 23.1 for jitter-specific replay prevention.¶

Sequence Binding:

Checkpoint sequence numbers MUST be strictly monotonic. Duplicate or out-of-order sequence numbers indicate manipulation.¶

Content Binding:

VDF inputs incorporate content-hash, binding temporal proofs to specific document states. Evidence for one document cannot be transferred to another without VDF recomputation.¶

32.6.2. Transplant Attack Prevention

Transplant attacks attempt to associate legitimate evidence from one context with content from another context:¶

Content-VDF Binding:

The VDF input includes content-hash:¶

    VDF_input{N} = H(
        VDF_output{N-1} ||
        content-hash{N} ||
        jitter-commitment{N} ||
        sequence{N}
    )

¶

Changing the document content requires recomputing all subsequent VDF proofs.¶

Jitter-VDF Binding:

The jitter-commitment is entangled with VDF input. Transplanting jitter data from another session is infeasible because it would require the original VDF output (which depends on different content) or recomputing the entire VDF chain with new jitter (which requires capturing new behavioral entropy in real time).¶

Chain MAC:

The chain-mac field HMAC-binds checkpoints to the session's chain-key:¶

    chain-mac = HMAC-SHA256(
        key = chain-key,
        message = tree-root || sequence || session-id
    )

¶

Without the chain-key, an adversary cannot construct valid chain-mac values for transplanted checkpoints.¶

32.6.3. Backdating Attack Costs

Backdating creates evidence claiming a process occurred earlier than it actually did. The cost of backdating is quantified by the VDF recomputation requirement:¶

VDF Recomputation:

To backdate evidence by inserting or modifying checkpoints at position P, the adversary must recompute all VDF proofs from position P forward. This requires:¶

    backdate_time >= sum(iterations[i]) / adversary_vdf_rate
                     for i = P to N

¶

where N is the final checkpoint. Backdating by a significant amount (hours or days) requires proportional wall-clock time.¶

External Anchor Constraints:

If external anchors exist in the chain, backdating is constrained to the interval between anchors. An adversary cannot backdate before an anchor without also forging the external timestamp.¶

Cost Quantification:

The forgery-cost-section provides explicit cost bounds for backdating attacks, including compute costs, time costs, and economic estimates.¶

32.6.4. Omission Attack Prevention

Omission attacks selectively remove checkpoints to hide unfavorable evidence:¶

Sequence Verification:

Checkpoint sequence numbers MUST be consecutive. Missing sequence numbers indicate omission. Verifiers MUST reject chains with non-consecutive sequences.¶

Hash Chain Integrity:

Removing a checkpoint breaks the hash chain (subsequent checkpoint's prev-hash will not match). Repairing the chain requires recomputing all subsequent segment hashes and VDF proofs.¶

Completeness Claims:

The checkpoint-chain-complete absence claim (type 6) explicitly asserts that no checkpoints were omitted. This claim is computationally-bound.¶

32.7.1. Key Lifecycle Management

Key Generation:

Device keys SHOULD be generated within hardware security modules when available. Software-generated keys MUST use cryptographically secure random number generators.¶

Key Storage:

Private keys SHOULD be stored in platform-appropriate secure storage:¶

• macOS: Secure Enclave or Keychain¶
• Linux: TPM or system keyring¶
• Windows: TPM or DPAPI¶

Keys MUST NOT be stored in plaintext in the filesystem.¶

Key Rotation:

Organizations SHOULD establish key rotation policies. RECOMMENDED rotation interval: annually or upon personnel changes. Evidence packets created with revoked keys SHOULD receive reduced confidence scores.¶

Key Revocation:

Mechanisms for key revocation are outside the scope of this specification but SHOULD be considered for deployment. Certificate revocation lists (CRLs) or OCSP may be appropriate for managed environments.¶

32.7.2. Evidence Packet Storage and Transmission

Integrity Protection:

Evidence packets are self-protecting through cryptographic binding. Additional encryption is not required for integrity but MAY be applied for confidentiality.¶

Confidentiality Considerations:

Evidence packets contain document hashes and behavioral data. While content is not included, statistical information about the authoring process is present. Transmission over untrusted networks SHOULD use TLS 1.3 or equivalent.¶

Archival Storage:

Evidence packets intended for long-term storage SHOULD be:¶

• Stored with redundancy (multiple copies, geographic distribution)¶
• Protected against bit rot (checksums, error-correcting codes)¶
• Associated with necessary verification materials (public keys, anchor confirmations)¶

Retention Policies:

Organizations SHOULD establish retention policies balancing evidentiary value against privacy considerations. Jitter data has privacy implications; retention beyond the verification period may not be necessary or desirable.¶

32.7.3. Verifier Policy Considerations

Minimum Requirements:

Verifiers SHOULD establish minimum requirements for acceptable Evidence:¶

• Minimum evidence tier (Basic, Standard, Enhanced, Maximum)¶
• Minimum VDF duration relative to claimed authoring time¶
• Minimum entropy threshold¶
• Required absence claims for specific use cases¶

Confidence Thresholds:

Verifiers SHOULD define confidence thresholds for acceptance:¶

• Low-stakes: confidence >= 0.3 may be acceptable¶
• Standard: confidence >= 0.5 typical requirement¶
• High-stakes: confidence >= 0.7 recommended¶
• Litigation: confidence >= 0.8 with Maximum tier¶

Caveat Handling:

Verifiers SHOULD define how caveats affect acceptance decisions. Some caveats may be disqualifying for specific use cases (e.g., "no hardware attestation" may be unacceptable for high-stakes verification).¶

32.8.1. Attacks Not Protected Against

Collusion:

If the author and a third party collude (e.g., the author provides their device credentials to another person who types while the author is credited), the Evidence will show a legitimate-looking process. The specification documents observable behavior, not identity.¶

Pre-Prepared Content:

An author could slowly type pre-prepared content, creating Evidence of a gradual process for content that already existed. The specification documents that typing occurred, not that thinking occurred during typing.¶

External Input Devices:

Input from devices not monitored by the AE (e.g., hardware keystroke injectors, remote desktop from unmonitored machines) may not be distinguishable from local input. Hardware-level input verification is outside scope.¶

Social Engineering:

Attacks that manipulate Relying Parties into accepting inappropriate Evidence (e.g., convincing a reviewer that weak Evidence is sufficient) are outside scope.¶

32.8.2. The Honest Author Assumption

The specification fundamentally documents PROCESS, not INTENT:¶

Evidence Shows What Happened:

Evidence shows that input events occurred with specific timing patterns, that VDF computation required certain time, that document states changed in sequence. Evidence does not show why any of this happened.¶

Process != Cognition:

Evidence that an author typed content gradually does not prove the author thought of that content. The author could have been transcribing, copying from memory, or following dictation.¶

Behavioral Consistency:

The correct interpretation of Evidence is "behavioral consistency": the observable process was consistent with the claimed process. This is weaker than "authorship proof" but is verifiable and falsifiable.¶

32.8.3. Content-Agnostic By Design

The specification is deliberately content-agnostic:¶

No Semantic Analysis:

Evidence contains document hashes, not content. The specification makes no claims about what was written, only how it was written.¶

No Quality Assessment:

Evidence does not indicate whether content is good, original, accurate, or valuable. Strong Evidence can accompany poor content; excellent content can have weak Evidence.¶

No AI Detection:

The specification explicitly does NOT claim to detect whether content was "written by AI" or "written by a human" in terms of content origin. It documents the observable INPUT process, which is distinct from content generation.¶

Privacy Benefit:

Content-agnosticism is a privacy feature. Evidence can be verified without accessing the document content, enabling verification of confidential documents.¶

32.9.1. Comparison to Traditional Timestamping

Traditional timestamping (RFC 3161) proves that a document existed at a point in time. Proof of Process provides additional properties:¶

Proof of Process is complementary to timestamping. External anchors (including RFC 3161 timestamps) provide absolute time binding that strengthens VDF-based relative ordering.¶

32.9.2. Comparison to Code Signing

Code signing attests to the identity of the signer and integrity of the signed artifact. Proof of Process serves different goals:¶

Code signing establishes "who signed this"; Proof of Process establishes "how this was created." The two could be combined for comprehensive provenance documentation.¶

32.9.3. Relationship to RATS Security Model

Proof of Process implements an application-specific profile of the RATS architecture. Key security model alignments:¶

Evidence vs. Attestation Results:

The separation between .pop (Evidence) and .war (Attestation Result) files follows the RATS distinction. Evidence is produced by the Attester; Attestation Results by the Verifier.¶

Appraisal Policy:

RATS defines Appraisal Policy for Evidence as the Verifier's rules for evaluating Evidence. The absence-claim thresholds and confidence-level requirements serve this role in Proof of Process.¶

Background Check vs. Passport Model:

Proof of Process supports both RATS models. The "passport model" applies when the author obtains a .war file and presents it to Relying Parties. The "background check model" applies when the Relying Party verifies the .pop file directly or through a trusted Verifier.¶

Freshness:

RATS freshness mechanisms (nonces, timestamps) align with the session-entropy and external-anchor mechanisms in Proof of Process. VDF proofs provide an additional freshness dimension: evidence of elapsed time.¶

Endorsements and Reference Values:

Hardware attestation in the hardware-section corresponds to RATS Endorsements. Calibration data serves as Reference Values for VDF timing verification.¶

For RATS-specific security guidance, implementers should also consult the RATS security considerations in RFC 9334 Section 11.¶

32.10.1. Source Consistency Verification

When ZK proof mechanisms are employed (T3-T4), the proof attests to the following properties without exporting behavioral data:¶

    "The evidence chain exhibits:
     (1) unbroken VDF temporal ordering across all checkpoints,
     (2) valid entropy commitments bound to content hashes,
     (3) behavioral metrics consistent with interactive editing, and
     (4) no source consistency transitions exceeding threshold."

The ZK proof allows a Verifier to confirm these properties without access to the underlying timing data, preserving author privacy while enabling high-confidence source consistency evaluation.¶

32.11.1. Properties Provided

Tamper-Evidence:

Modifications to Evidence packets are detectable through cryptographic verification. The hash chain, VDF entanglement, and MAC bindings ensure that alteration invalidates the Evidence.¶

Cost-Asymmetric Forgery:

Producing counterfeit Evidence requires resources (time, compute, entropy generation) disproportionate to legitimate Evidence creation. The forgery-cost-section quantifies these requirements.¶

Independent Verifiability:

Evidence can be verified by any party without access to the original device, without trust in the Attester's infrastructure, and without network connectivity (except for external anchors).¶

Privacy by Construction:

Document content is never stored in Evidence. Behavioral data is aggregated before inclusion. The specification enforces privacy through structural constraints, not policy.¶

Temporal Ordering:

VDF chain construction provides tamper-evident relative ordering of checkpoints with forgery costs bounded by VDF recomputation time. External anchors provide absolute time binding.¶

Behavioral Binding:

Jitter Seal entanglement binds captured behavioral entropy to the segment chain, making Evidence transplantation infeasible.¶

32.11.2. Properties NOT Provided

Tamper-Proof:

Evidence CAN be forged given sufficient resources. The specification makes forgery costly, not impossible.¶

Identity Proof:

Evidence does NOT prove who operated the device. It proves that input events occurred on a device, not that a specific person produced them.¶

Intent Proof:

Evidence does NOT prove why actions occurred. Observable behavior is documented; mental states are not.¶

Content Origin Proof:

Evidence does NOT prove where ideas came from. The input process is documented; the cognitive source is not.¶

Absolute Certainty:

All security properties are bounded by explicit assumptions. No claim is made to be absolute, irrefutable, or guaranteed.¶

33.1.1. No Document Content Storage

Evidence packets contain cryptographic hashes of document states, never the document content itself. This is a structural invariant:¶

• Content Hash Binding:¶

  The document-ref structure (CDDL key 5 in evidence-packet) contains only a hash-value of the final document content, the byte-length, and character count. The content itself is never included in the Evidence packet.¶

• Checkpoint Content Hashes:¶

  Each checkpoint (key 4: content-hash) contains a hash of the document state at that point. An adversary with the Evidence packet but not the document cannot recover content from these hashes.¶

• Edit Deltas Without Content:¶

  The edit-delta structure (key 7 in checkpoint) records chars-added, chars-deleted, insertions, deletions, and replacements as counts only. No information about what characters were added or deleted is included.¶

This design enables verification of process without revealing what was written, supporting confidential document workflows where the evidence must be verifiable but the content must remain private.¶

33.1.2. No Keystroke Capture

The specification captures inter-event timing intervals without recording which keys were pressed:¶

• Timing-Only Measurement:¶

  Jitter-binding captures millisecond intervals between input events. The interval "127ms" carries no information about whether the interval was between 'a' and 'b' or between 'x' and 'y'.¶

• No Character Mapping:¶

  Timing intervals are stored in observation order without any association to specific characters, words, or semantic content.¶

• No Keyboard Event Codes:¶

  Scan codes, virtual key codes, and other keyboard identifiers are not recorded. The specification treats all input events uniformly as timing sources.¶

This architecture ensures that even with complete access to an Evidence packet, no information about what was typed can be reconstructed.¶

33.1.3. No Screenshots or Screen Recording

The specification explicitly excludes visual capture mechanisms:¶

• No screenshot capture at checkpoints or any other time¶
• No screen recording or video capture¶
• No window title or application name logging¶
• No clipboard content capture (only timing of clipboard events for monitoring-dependent absence claims, and only event counts, not content)¶

Visual content capture would fundamentally violate the content-agnostic design and is architecturally excluded.¶

33.1.4. Local Evidence Generation

Evidence is generated entirely on the Attester device with no network dependency:¶

• No Telemetry:¶

  The Attesting Environment does not transmit telemetry, analytics, or any behavioral data to external services.¶

• No Cloud Processing:¶

  All cryptographic computations (hashing, VDF, signatures) occur locally. No document content or behavioral data is sent to cloud services for processing.¶

• Optional External Anchors:¶

  The only network communication is optional: external anchors (RFC 3161 [RFC3161], [OpenTimestamps], blockchain) transmit only cryptographic hashes, never document content or behavioral data.¶

Users can generate and verify Evidence in fully air-gapped environments. External anchors enhance evidence strength but are not required.¶

33.2.1. Data Collected

The following data IS collected and included in Evidence packets:¶

Timing Histograms:

Inter-event timing intervals aggregated into histogram buckets (jitter-summary, key 3 in jitter-binding). Bucket boundaries are coarse (RECOMMENDED: 0, 50, 100, 200, 500, 1000, 2000, 5000ms) to prevent precise interval reconstruction.¶

Edit Statistics:

Character counts for additions, deletions, and edit operations (edit-delta structure). These are aggregate counts, not positional data.¶

Checkpoint Hashes:

Cryptographic hashes of document states at each checkpoint. One-way functions; content cannot be recovered.¶

VDF Proofs:

Verifiable Delay Function outputs proving minimum elapsed time. These are computational proofs, not behavioral data.¶

Optional: Raw Timing Intervals:

The raw-intervals field (key 5 in jitter-binding) MAY be included for enhanced verification. This is OPTIONAL and user-controlled. When omitted, only histogram aggregates are included.¶

33.2.2. Data NOT Collected

The following data is explicitly NOT collected:¶

• Document content (text, images, formatting)¶
• Individual characters or words typed¶
• Keyboard scan codes or key identifiers¶
• Screenshots or visual captures¶
• Screen recordings or video¶
• Clipboard content (only event timing)¶
• Window titles or application names¶
• User names, email addresses, or identifiers (optional: author declaration is user-controlled)¶
• IP addresses or network identifiers¶
• Location data¶

33.2.3. Disclosure Levels

The specification supports tiered disclosure through optional fields:¶

Users SHOULD select the minimum disclosure level that meets their verification requirements. Higher tiers provide stronger evidence at the cost of revealing more behavioral data.¶

33.3.1. Identification Risks

Research has demonstrated that keystroke dynamics can serve as a behavioral biometric:¶

• Individual Identification:¶

  Detailed timing patterns can theoretically distinguish individuals with high accuracy across sessions.¶

• State Detection:¶

  Timing variations may correlate with cognitive state, fatigue, stress, or physical condition.¶

• Re-identification Risk:¶

  If an adversary has access to multiple Evidence packets from the same author, timing patterns might enable linkage across sessions even without explicit identity.¶

33.3.2. Re-identification Risk Mitigation

To mitigate re-identification risk while preserving correlation utility, the protocol implements multiple layered defenses:¶

• Timing Value Clipping: All timing values are clipped to the range [0, 5000ms], bounding the sensitivity of timing data and preventing outlier values from leaking behavioral information.¶

• Histogram Bucketing: Raw intervals are aggregated into coarse histogram buckets before commitment, reducing temporal resolution below the threshold required for biometric fingerprinting while preserving sufficient fidelity for the Spearman rho ≥ 0.7 correlation check.¶

• Hurst Exponent Validation: Only intervals exhibiting valid long-range temporal dependence (H ∈ [0.55, 0.85]) are accepted, filtering synthetic sequences that lack genuine behavioral dynamics.¶

33.3.3. Isochronous Data Release (Heartbeat Quantization)

To prevent side-channel leakage via packet arrival timing, the Attesting Environment MUST implement "Isochronous Emission." Rather than transmitting jitter metrics as they are captured, the system buffers the data and releases it in fixed-interval beats (e.g., every 5000ms).¶

This rigid quantization eliminates the information leakage inherent in the burstiness of the user's typing. An adversary observing the network traffic sees only a constant heartbeat, forcing them to rely entirely on the clipped and bucketed histogram content with zero metadata about the temporal structure of the input stream.¶

33.3.4. Key Rotation for Privacy

Timing data accumulated across multiple sessions from the same signing key provides more information for cross-session linkage attacks. Periodic key rotation limits the temporal window available for such analysis.¶

33.3.5. Regulatory Considerations

Implementations and deployments should consider applicable privacy regulations:¶

GDPR (EU/EEA):

Keystroke dynamics may constitute "special categories of personal data" under Article 9 if used for identification purposes. Implementations should document whether timing data is used for identification (prohibited without explicit consent) or solely for process evidence (may fall under different legal basis).¶

CCPA (California):

Biometric information is covered under CCPA Section 1798.140(b). Users have rights to know, delete, and opt-out. The local-only processing model simplifies compliance.¶

BIPA (Illinois):

Illinois Biometric Information Privacy Act has strict requirements for biometric data collection, including written policies and consent. Deployments in Illinois should consult legal counsel.¶

The specification's local-only processing model and user control over data disclosure support compliance, but legal interpretation varies by jurisdiction.¶

33.3.6. User Disclosure Requirements

Implementations MUST inform users about behavioral data collection:¶

1. Clear notification that timing data is captured during authoring¶
2. Explanation of what timing data reveals and does not reveal¶
3. Disclosure of where Evidence packets may be transmitted¶
4. User control over disclosure levels (histogram-only vs. raw)¶
5. Instructions for disabling timing capture if desired¶
6. Process for reviewing and deleting captured data¶

These disclosures SHOULD be presented before Evidence generation begins, not buried in terms of service.¶

33.4.1. Unsalted Mode (Value 0)

    content-hash = H(document-content)

Properties:¶

• Anyone with the document can verify the binding¶
• No additional secret required for verification¶
• Document existence can be confirmed by any party with content¶

Use cases:¶

• Public documents where verification should be open¶
• Academic submissions where verifiers have document access¶
• Published works where authorship claims should be checkable¶

Privacy implications: Anyone who obtains both the document and the Evidence packet can confirm the binding. If document confidentiality matters, consider salted modes.¶

33.4.2. Author-Salted Mode (Value 1)

    content-hash = H(salt || document-content)
    salt-commitment = H(salt)

Properties:¶

• Author generates and retains the salt¶
• Evidence packet contains salt-commitment, not salt¶
• Author selectively reveals salt to chosen verifiers¶
• Without salt, document-hash relationship cannot be verified¶

Use cases:¶

• Confidential documents where author controls verification¶
• Selective disclosure to specific reviewers or institutions¶
• Manuscripts under review before publication¶

Privacy implications: The author has exclusive control over who can verify the document binding. The salt should be stored securely; loss of salt means verification becomes impossible.¶

33.4.3. Salt Requirements

• Salts MUST be cryptographically random (minimum 256 bits)¶
• Salts MUST NOT be derived from predictable values¶
• Salt-commitment prevents brute-force guessing for short documents¶
• Salt loss makes verification impossible; backup appropriately¶
• Salt transmission should use secure channels¶

33.5.1. Anonymous Evidence Generation

Evidence packets CAN be generated without any identity disclosure:¶

• The declaration field (key 17 in evidence-packet) is OPTIONAL¶
• Within declaration, author-name (key 3) and author-id (key 4) are both OPTIONAL¶
• Device keys can be ephemeral, not linked to identity¶
• Evidence proves process characteristics without revealing who¶

Anonymous evidence is suitable for contexts where process documentation matters but author identity is irrelevant or should remain confidential.¶

33.5.2. Pseudonymous Evidence

Pseudonymous use links evidence to a consistent identifier without revealing real-world identity:¶

• author-id can be a pseudonymous identifier¶
• Device key provides cryptographic continuity without identity¶
• Multiple works can be linked to same pseudonym if desired¶
• Real identity can remain undisclosed¶

Pseudonymous evidence enables reputation building without identity exposure.¶

33.5.3. Identified Evidence

For contexts requiring identity binding:¶

• author-name and author-id can be populated with real identity¶
• Declaration signature (key 6) binds identity claim to evidence¶
• Hardware attestation can strengthen device-to-person binding¶
• External identity verification is outside specification scope¶

Identity strength depends on the verification context, not the specification. The specification provides the mechanism for identity claims; verification of those claims is a deployment concern.¶

33.5.4. Device Binding Without User Identification

Hardware attestation (hardware-section) binds evidence to a specific device without necessarily identifying the user:¶

• Device keys are bound to hardware (TPM, Secure Enclave)¶
• Evidence proves generation on a specific device¶
• Device ownership is a separate question from evidence generation¶
• Multiple users of same device produce device-linked evidence¶

Device binding strengthens evidence integrity without requiring user identification. It proves "this device" without proving "this person."¶

33.6.1. Evidence Packet Lifecycle

Evidence packets are designed as archival artifacts:¶

Creation:

Evidence accumulates during authoring session(s). Packet is finalized when authoring is complete.¶

Distribution:

Packet may be transmitted to Verifiers, stored alongside documents, or archived for future verification needs.¶

Retention:

Retention period depends on use case. Legal documents may require indefinite retention; other contexts may allow shorter periods.¶

Deletion:

Once distributed, deletion from all recipients may be impractical. Authors should consider disclosure scope before distribution.¶

33.6.2. User Rights to Deletion

Users have the following deletion capabilities:¶

• Local Data:¶

  Evidence stored locally can be deleted at any time by the author. Implementations SHOULD provide clear deletion mechanisms.¶

• Distributed Evidence:¶

  Once Evidence is transmitted to Verifiers or Relying Parties, deletion depends on those parties' policies. The specification cannot enforce deletion of distributed data.¶

• Attestation Results:¶

  .war files produced by Verifiers are controlled by Verifiers. Authors may request deletion under applicable privacy laws.¶

Authors should understand that distributing Evidence creates copies outside their control. Privacy-sensitive authors should limit distribution scope.¶

33.6.3. External Anchor Permanence

External anchors have special retention characteristics:¶

RFC 3161 Timestamps:

TSA records may be retained by the timestamp authority per their policies. Typically includes the hash committed, not any document or behavioral data.¶

Blockchain Anchors:

Blockchain records are permanent and immutable by design. The anchored hash cannot be deleted from the blockchain. This is a feature for evidence permanence but has privacy implications.¶

OpenTimestamps:

OTS proofs reference Bitcoin transactions, which are permanent. The proof structure can be deleted locally, but the Bitcoin transaction remains.¶

Users concerned about data permanence should carefully consider whether to use blockchain-based external anchors. RFC 3161 timestamps offer similar evidentiary value with more conventional retention policies.¶

IMPORTANT: Only cryptographic hashes are anchored, never document content or behavioral data. The permanent record is a hash, not the underlying information.¶

33.7.1. Information Disclosed to Verifiers

When an Evidence packet (.pop) is submitted for verification, the Verifier learns:¶

• Document hash (content-hash) - NOT the content itself¶
• Document size (byte-length, char-count)¶
• Authoring timeline (checkpoint timestamps, VDF durations)¶
• Behavioral statistics (timing histograms, entropy estimates)¶
• Edit patterns (aggregate counts, not content)¶
• Optional: Raw timing intervals if disclosed¶
• Optional: Author identity if declared¶
• Optional: Device attestation if included¶

Verifiers SHOULD NOT:¶

• Retain Evidence packets beyond verification needs¶
• Use behavioral data for purposes beyond verification¶
• Attempt to re-identify anonymous authors from behavioral patterns¶
• Share Evidence data with unauthorized parties¶

Implementations MAY define Verifier privacy policies that authors can review before submitting Evidence.¶

33.7.2. Information Disclosed to Relying Parties

Relying Parties consuming Attestation Results (.war) learn:¶

• Verification verdict (forensic-assessment)¶
• Confidence score¶
• Verified claims (specific thresholds met)¶
• Caveats and limitations¶
• Verifier identity¶
• Reference to the original Evidence packet (packet-id)¶

The .war file is designed to provide necessary trust information without full Evidence disclosure. Relying Parties needing more detail can request the original .pop file.¶

33.7.3. Minimizing Disclosure

Authors concerned about disclosure can:¶

1. Use minimal disclosure tier (histogram-only, no raw intervals)¶
2. Omit optional sections (keystroke-section, absence-section)¶
3. Use author-salted mode to control verification access¶
4. Omit declaration or use pseudonymous identity¶
5. Select Verifiers with strong privacy policies¶
6. Limit distribution to necessary Relying Parties¶

33.8.1. Correlation Risks

Multiple Evidence packets from the same author may enable linkage:¶

Behavioral Fingerprinting:

Keystroke timing patterns exhibit individual characteristics that persist across sessions. An adversary with multiple Evidence packets could potentially link them to the same author even without explicit identity.¶

Device Fingerprinting:

If device keys are reused across sessions, Evidence packets are cryptographically linkable. Hardware attestation makes this linkage explicit.¶

Stylometric Correlation:

Edit pattern statistics (though not content) may correlate with writing style. Combined with timing data, this could strengthen cross-session linkage.¶

33.8.2. Device Key Rotation

To limit cross-session correlation via device keys:¶

• Session Keys:¶

  Use per-session derived keys rather than a single device key. HKDF with session-specific info prevents direct linkage.¶

• Periodic Rotation:¶

  Rotate device keys periodically (RECOMMENDED: annually). Evidence packets signed with different keys are not cryptographically linked.¶

• Context-Specific Keys:¶

  Use different keys for different contexts (e.g., work vs. personal) to prevent cross-context linkage.¶

33.8.3. Session Isolation Properties

The specification provides inherent session isolation:¶

• Each Evidence packet has a unique packet-id (UUID)¶
• VDF chains are session-specific (session entropy in genesis)¶
• No protocol mechanism links sessions together¶
• Jitter data is bound to specific segment-based Merkle trees¶

Cross-session linkage requires external analysis, not protocol features. The specification does not provide linkage mechanisms.¶

33.8.4. Additional Mitigations

Authors concerned about cross-session correlation can:¶

1. Use coarser histogram buckets to reduce timing precision¶
2. Omit raw-intervals field¶
3. Vary devices for different document contexts¶
4. Use different pseudonyms for different contexts¶
5. Limit Evidence distribution to minimize adversary access to multiple packets¶

33.9.1. Surveillance

The specification is designed to resist surveillance:¶

• No content transmission prevents content-based surveillance¶
• Local-only processing prevents network monitoring¶
• Optional external anchors transmit only hashes¶
• No telemetry or analytics collection¶

The primary surveillance risk is through Evidence packet distribution. Authors control this distribution.¶

33.9.2. Stored Data Compromise

If Evidence packets are compromised:¶

• Document content is NOT exposed (hash-only)¶
• Behavioral patterns MAY be exposed (timing data)¶
• Authoring timeline is exposed (timestamps)¶
• If identity declared, author identity is exposed¶

Mitigation: Encrypt Evidence packets at rest. Use access controls for stored Evidence. Limit retention period where appropriate.¶

33.9.3. Correlation

Correlation threats are addressed in Section 33.8. Key mitigations include key rotation, histogram aggregation, and distribution limiting.¶

33.9.4. Identification

Re-identification threats:¶

• Anonymous Evidence MAY be re-identifiable through behavioral patterns¶
• Histogram aggregation significantly reduces this risk¶
• Raw interval disclosure increases re-identification risk¶
• Device attestation explicitly identifies devices¶

Authors requiring strong anonymity should use minimal disclosure tier without raw intervals and without device attestation.¶

33.9.5. Secondary Use

Evidence data could theoretically be used for purposes beyond verification:¶

• Behavioral analysis for profiling¶
• Productivity monitoring¶
• Training data for machine learning¶

Mitigation: The specification does not prevent secondary use by data recipients. Authors should consider Verifier and Relying Party policies before disclosure. Implementations MAY include usage restrictions in Evidence packet metadata.¶

33.9.6. Disclosure

Unauthorized disclosure of Evidence packets:¶

• Authors control initial distribution¶
• Recipients may further distribute; specification cannot prevent¶
• Salted modes limit utility of leaked Evidence¶
• Anonymous Evidence limits identity exposure on leak¶

Authors should treat Evidence packets as potentially sensitive and limit distribution to trusted parties.¶

33.9.7. Exclusion

The risk that authors cannot participate in systems if they decline Evidence generation:¶

• Evidence generation is voluntary¶
• Disclosure levels are user-controlled¶
• Relying Parties may require Evidence for certain contexts¶
• The specification does not mandate deployment contexts¶

Deployments should consider whether Evidence requirements create exclusionary effects and provide alternatives where appropriate.¶

33.10.1. Privacy Properties Provided

Content Confidentiality:

Document content is never stored in Evidence. Verification can occur without content access (using salted modes).¶

Keystroke Privacy:

Individual keystrokes are never recorded. Only timing intervals between events are captured, without character association.¶

Local Control:

All data processing occurs locally. No external services required for Evidence generation.¶

Disclosure Control:

Authors control Evidence distribution, disclosure level, and identity exposure.¶

Pseudonymity Support:

Evidence can be generated and verified without real-world identity disclosure.¶

Selective Verification:

Salted modes enable author-controlled verification access.¶

33.10.2. Privacy Limitations

Behavioral Data Exposure:

Timing data reveals behavioral patterns. While aggregated, this data has biometric-adjacent properties.¶

Distribution Not Controlled:

Once Evidence is distributed, the specification cannot control further dissemination or use.¶

Cross-Session Linkage Risk:

Multiple Evidence packets may be linkable through behavioral analysis, even with different identities.¶

External Anchor Permanence:

Blockchain anchors create permanent records that cannot be deleted.¶

Metadata Disclosure:

Evidence packets reveal document size, authoring timeline, and edit statistics even without content.¶

33.10.3. Recommendations for Privacy-Sensitive Deployments

1. Use minimal disclosure tier (histogram-only, no raw intervals)¶
2. Consider coarser histogram buckets for enhanced privacy¶
3. Use author-salted mode for confidential documents¶
4. Avoid blockchain anchors if deletion rights are important¶
5. Rotate device keys periodically¶
6. Limit Evidence distribution to necessary parties¶
7. Review Verifier privacy policies before submission¶
8. Consider pseudonymous identities where appropriate¶
9. Provide clear user disclosures about data collection¶
10. Implement data retention policies aligned with use case¶