| Internet-Draft | PoP Protocol | February 2026 |
| Condrey | Expires 22 August 2026 | [Page] |
This document specifies the Proof of Process (PoP) Evidence Framework, a specialized profile of Remote Attestation Procedures (RATS) designed to validate the provenance of effort in digital authorship. Unlike traditional provenance, which tracks file custody, PoP attests to the continuous physical process of creation.¶
The protocol defines a cryptographic mechanism for generating Evidence Packets utilizing a composite Sequential Work Function (SWF) based on Proof of Biological Space-Time (PoBST) to enforce temporal monotonicity and Cross-Domain Constraint Entanglement (CDCE) to bind behavioral entropy (human jitter) and physical state to the document. Technical specifications for wire formats, sequential work functions, and hardware-anchored trust are provided.¶
This note is to be removed before publishing as an RFC.¶
Source for this draft and an issue tracker can be found at https://github.com/writerslogic/draft-condrey-rats-pop.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 22 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The rapid proliferation of generative artificial intelligence has created an authenticity crisis in digital discourse. While traditional provenance tracks the "custody of pixels," it fails to attest to the human-driven process of creation. This document specifies the Proof of Process (PoP) protocol, which extends the RATS architecture [RFC9334] to validate the "provenance of effort."¶
Unlike traditional attestation which captures static system state, PoP attests to a continuous physical process. It introduces Proof of Biological Space-Time (PoBST) to enforce temporal monotonicity and Cross-Domain Constraint Entanglement (CDCE) to bind behavioral entropy (human jitter) and physical state (thermodynamics) to the document's evolution.¶
By entangling content hashes with these physical constraints, this protocol enables an Attester to generate an Evidence Packet (.pop) that imposes quantifiable cost on forgery of authorship claims, preserving privacy by design without disclosing document content.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section defines the PoP system model in terms of the RATS architecture [RFC9334] and identifies where PoP diverges from standard remote attestation assumptions.¶
PoP maps to RATS entity roles as follows:¶
PoP implements a specialized RATS profile with a critical trust inversion: in traditional remote attestation, the Attester is a device whose owner (Relying Party) wants assurance about its state. The adversary is typically external -- malware, network attackers, or supply chain threats.¶
In PoP, the Attester is operated by the author, and the Relying Party (publisher, reader) has no privileged access to the authoring environment. The primary adversary is the Attester operator themselves. This fundamental inversion shapes the entire security model:¶
Despite this inversion, PoP maintains compatibility with RATS message flows and data formats, enabling integration with existing RATS infrastructure where appropriate.¶
PoP extends the RATS framework beyond traditional device state attestation to process attestation — verifying that a physical process (human authorship) occurred as claimed. This extension is justified because the fundamental problem structure is identical: an Attester generates Evidence, conveys it to a Verifier, and the Verifier produces Attestation Results for Relying Parties. The RATS entity roles, message flows, and data format conventions apply directly.¶
The adversarial Attester model (see Section 5.1) inverts the standard RATS trust assumption. The RATS architecture accommodates this through its layered trust model and configurable Appraisal Policies ([RFC9334], Section 8). The Experimental category is appropriate for exploring this novel application of RATS.¶
This section provides an end-to-end overview of the PoP protocol, mapping the message flow to the RATS passport model and illustrating the lifecycle of an Evidence Packet from creation through appraisal.¶
PoP follows the RATS passport model ([RFC9334], Section 8.1; [RATS-Models]) in which Evidence flows directly from the Attester to the Verifier, and Attestation Results flow from the Verifier to the Relying Party:¶
+------------+
| Endorser |
| (HW Mfg) |
+------+-----+
|
| Endorsements
| (TPM/SE certs,
| T3/T4 only)
v
+----------+ .pop file +-------+-------+ .war file +-----------+
| | Evidence | | Attestation| |
| Attester +------------>+ Verifier +------------>+ Relying |
| (Author | | | Results | Party |
| App/AE) | | | (WAR) |(Publisher,|
+----------+ +-------+-------+ | Reader) |
^ +-----------+
|
| Reference Values
| (behavioral patterns,
| SWF parameters)
+-------+-------+
| Reference |
| Value |
| Provider |
+---------------+
In this model:¶
Endorsers (hardware manufacturers) supply TPM endorsement certificates and Secure Element attestations that Verifiers use to validate hardware-bound claims in T3/T4 Evidence. Reference Value Providers supply the expected behavioral patterns, SWF difficulty parameters, and profile specifications that Verifiers use as appraisal baselines.¶
The following sequence illustrates the end-to-end lifecycle of a PoP attestation session:¶
Author Attester (AE) Verifier Relying Party
| | | |
| begin session | | |
+--------------->| | |
| |--+ sample physical | |
| | | freshness anchor | |
| |<-+ (entropy, thermal)| |
| | | |
| |--+ collect initial | |
| | | jitter sample | |
| |<-+ (32+ bytes) | |
| | | |
| keystrokes, | | |
| edits, pauses | | |
+--------------->| capture jitter, | |
| | semantic events | |
| | | |
| |--+ CHECKPOINT: | |
| | | compute SWF, | |
| | | bind jitter + | |
| | | physical state, | |
| | | extend hash chain| |
| |<-+ | |
| | | |
| ... (repeat per checkpoint interval) ... |
| | | |
| end session | | |
+--------------->| SEAL: sign chain, | |
| | emit .pop file | |
| | | |
| | .pop (Evidence) | |
| +-------------------->| |
| | | appraise: |
| | | chain, SWF, |
| | | entropy, CDCE |
| | | |
| | | .war (Result) |
| | +----------------->|
| | | | trust
| | | | decision
| | | |
Each checkpoint interval (default 30 seconds, MUST be between 10 and 120 seconds) produces one link in the hash chain. The SWF computation runs continuously during the interval, binding the author's behavioral entropy and the platform's physical state to the elapsed wall-clock time. At session end, the Attester seals the complete chain into a .pop Evidence Packet for conveyance to the Verifier.¶
This section defines the adversary model following the methodology of [RFC3552] and incorporating insights from RATS security analysis [Sardar-RATS]. The threat model assumes a Dolev-Yao style adversary [Dolev-Yao] with domain-specific constraints.¶
The PRIMARY threat in PoP is an adversarial Attester -- an author who controls the Attesting Environment and seeks to generate Evidence for content they did not authentically author. This inverts the standard RATS trust assumption where the Attester is trusted to report honestly.¶
The adversarial Attester has the following capabilities:¶
The adversary is constrained by:¶
PoP provides the following authentication properties, defined in terms of adversary advantage:¶
The following attacks are in scope for PoP defenses:¶
The canonical forgery attack against PoP: an adversary generates content using AI or other assistance, then retypes the pre-existing content while collecting "authentic" behavioral telemetry. This attack exploits the gap between typing existing text and composing original text.¶
PoP defends against retype attacks through:¶
Retype attacks remain economically viable for short documents. The forgery cost scales with document length and checkpoint frequency, providing graduated assurance rather than binary security.¶
Attempting to reuse previously valid Evidence for new claims. Defeated by Physical Freshness anchors that bind Evidence to non-reproducible physical state (thermal trajectories, kernel entropy samples).¶
Forwarding challenges or Evidence between a legitimate author and an adversary's session. In PoP, this manifests as claiming credit for another author's work. Defeated by hardware-bound signing (T3/T4) and out-of-band presence challenges that verify physical proximity.¶
Using specialized hardware to compute SWF proofs faster than consumer hardware. Mitigated by Argon2id's memory-hardness (computation bounded by memory bandwidth, not ALU throughput) and Hardware-Anchored Time in T3/T4 tiers.¶
Presenting a virtualized or modified Attesting Environment as genuine. In T1/T2 tiers, this is possible and Evidence should be weighted accordingly. T3/T4 tiers require hardware attestation that is difficult to spoof without physical access to the Secure Element.¶
An adversary redirects Evidence intended for one Verifier to a different Verifier or Relying Party context. PoP Evidence Packets do not inherently bind to a specific Verifier identity. To mitigate this, implementations SHOULD use the TLS Exported Keying Material (EKM) mechanism defined in [RFC9266] to bind Evidence to the transport session.¶
When the Attester conveys Evidence over TLS, it SHOULD populate the optional channel-binding field (key 11) in the evidence-packet structure as follows:¶
The EKM label "EXPORTER-PoP-channel-binding" is specific to this protocol. The empty context ensures the binding depends solely on the TLS session keys, which are unique per connection.¶
For offline verification (where no TLS session exists between Attester and Verifier), the channel-binding field is absent and Relying Parties MUST evaluate Evidence provenance through out-of-band channels.¶
When PoP Evidence is conveyed over an attested TLS channel, implementations MAY leverage the SEAT exported authenticator mechanism [SEAT-EXPAT] to combine platform attestation (proving the Attesting Environment's integrity) with PoP process attestation (proving the authorship process). The TLS channel binding described above is compatible with the SEAT evidence binding approach, which derives binding values from TLS exporters. At T3/T4 tiers, SEAT platform attestation provides the hardware trust anchor that corroborates PoP's Attesting Environment claims.¶
The following threats are explicitly out of scope:¶
Building on the threat model defined above, PoP operates on five primary constraints:¶
The Proof of Process (PoP) framework follows the RATS architecture while introducing domain-specific extensions for physical process attestation.¶
The Attesting Environment (AE) MUST implement the following formal state machine:¶
PoP Evidence Packets are classified by the depth of behavioral and forensic data collected:¶
PoP Evidence is classified along two orthogonal axes. Evidence Content Tier (CORE/ENHANCED/MAXIMUM) determines the depth of behavioral and forensic data collected. Attestation Assurance Level (T1-T4) determines the strength of hardware trust anchoring. These axes are independent: a T3 CORE packet provides hardware-bound signing with minimal behavioral data, while a T1 MAXIMUM packet provides rich behavioral data with software-only signing.¶
The attestation tier system maps to established assurance frameworks including NIST SP 800-63B Authenticator Assurance Levels (AAL), ISO/IEC 29115 Levels of Assurance (LoA), and Entity Attestation Token (EAT) security levels as defined in [RFC9711].¶
| PoP Tier | NIST AAL | EAT Security Level (RFC 9711) |
|---|---|---|
| T1: Software-Only | AAL1 | unrestricted (1) |
| T2: Attested Software | AAL2 | restricted (2) |
| T3: Hardware-Bound | AAL3 | hardware (4) |
| T4: Hardware-Hardened | LoA4 | hardware (4) |
T3 and T4 both map to EAT security level "hardware" (4) because the EAT specification does not distinguish PUF-level binding from standard TPM key binding.¶
T2 extends T1 with optional hardware attestation hooks. The AE attempts to use platform security features (Keychain, DeviceCheck) but degrades gracefully. Maps to AAL2.¶
Requires TPM 2.0 or platform Secure Enclave key binding. Evidence generation MUST fail if hardware is unavailable. Maps to AAL3.¶
Discrete TPM + PUF binding + Enclave execution. Anti-tamper evidence required. Exceeds AAL3 requirements; maps to ISO/IEC 29115 LoA4.¶
The PoP specification defines three implementation profiles that establish Mandatory-to-Implement (MTI) requirements for interoperability.¶
| Feature ID | Feature Name | CORE | ENHANCED | MAXIMUM |
|---|---|---|---|---|
| 1 | swf-argon2id-sha256 | M | M | M |
| 2 | content-binding | M | M | M |
| 4 | checkpoint-chain | M | M | M |
| 50 | behavioral-entropy | O | M | M |
| 60 | assistive-mode | O | O | O |
| 105 | hardware-attestation | O | O | M |
Feature IDs 1-9 are reserved for core protocol features. IDs 50-99 are reserved for behavioral features. IDs 100-199 are reserved for hardware features. Future revisions may define additional features within these ranges.¶
A conforming Attester MUST implement at least the CORE profile. A conforming Verifier MUST be capable of validating all three profiles. Verifiers encountering unknown fields MUST ignore them and proceed with validation of known fields. Verifiers receiving an Evidence Packet with version greater than 1 MUST reject the packet unless they implement the corresponding protocol version.¶
The profile-uri field in an Evidence Packet MUST be set to "urn:ietf:params:rats:eat:profile:pop:1.0" for Evidence conforming to this specification.¶
In the document-ref structure, byte-length is the length in bytes of the UTF-8 encoded document, and char-count is the number of Unicode scalar values (code points).¶
If the Evidence Packet omits the attestation-tier field, the Verifier MUST assess the tier from the evidence content: T1 if no hardware attestation is present, T2 if platform attestation hooks are detected, T3 if TPM key binding is verified, T4 if anti-tamper evidence and PUF binding are confirmed.¶
Evidence Packets are CBOR-encoded [RFC8949] and identified by semantic tag 1347571280. The CDDL notation [RFC8610] is used to define the wire format.¶
; CBOR tag wrappers
pop-evidence = #6.1347571280(evidence-packet)
pop-war = #6.1463894560(attestation-result)
; Primary structures
evidence-packet = {
1 => uint, ; version (MUST be 1)
2 => tstr, ; profile-uri
3 => uuid, ; packet-id
4 => pop-timestamp, ; created
5 => document-ref, ; document
6 => [3* checkpoint], ; checkpoints (min 3)
? 7 => attestation-tier, ; T1-T4
? 8 => [* tstr], ; limitations
? 9 => profile-declaration, ; profile
? 10 => [+ presence-challenge], ; QR/OOB proofs
? 11 => channel-binding, ; TLS EKM binding
; keys 14-17 reserved for future use
? 13 => content-tier, ; Evidence Content Tier
? 18 => physical-liveness, ; physical-liveness markers
* int => any, ; extension fields
}
checkpoint = {
1 => uint, ; sequence (monotonic)
2 => uuid, ; checkpoint-id
3 => pop-timestamp, ; timestamp (local)
4 => hash-value, ; content-hash
5 => uint, ; char-count
6 => edit-delta, ; delta
7 => hash-value, ; prev-hash
8 => hash-value, ; checkpoint-hash
9 => process-proof, ; SWF proof
? 10 => jitter-binding, ; behavioral-entropy (ENHANCED+)
? 11 => physical-state, ; CDCE Weave (ENHANCED+)
? 12 => bstr .size 32, ; entangled-mac (ENHANCED+)
* int => any, ; extension fields
}
document-ref = {
1 => hash-value, ; content-hash
? 2 => tstr, ; filename
3 => uint, ; byte-length
4 => uint, ; char-count
? 5 => hash-salt-mode, ; salting mode
? 6 => bstr .size 32, ; salt-commitment
}
process-proof = {
1 => proof-algorithm, ; algorithm id
2 => proof-params, ; SWF params
3 => bstr .size 32, ; input (seed)
4 => bstr .size 32, ; merkle-root
5 => [+ merkle-proof], ; sampled proofs
6 => float32, ; claimed-duration (seconds)
}
; Subsidiary type definitions
attestation-tier = &(
software-only: 1, ; T1: AAL1
attested-software: 2, ; T2: AAL2
hardware-bound: 3, ; T3: AAL3
hardware-hardened: 4, ; T4: LoA4
)
content-tier = &(
core: 1,
enhanced: 2,
maximum: 3,
)
proof-algorithm = &(
; 1 is reserved for future use
pobst-argon2id: 20,
)
hash-salt-mode = &(
unsalted: 0,
author-salted: 1,
)
proof-params = {
1 => uint, ; time-cost (t)
2 => uint, ; memory-cost (m, KiB)
3 => uint, ; parallelism (p)
4 => uint, ; iterations
}
jitter-binding = {
1 => [+ float32], ; intervals (ms)
2 => float32, ; entropy-estimate (bits)
3 => bstr .size 32, ; jitter-seal (HMAC)
}
merkle-proof = {
1 => uint, ; leaf-index
2 => [+ bstr .size 32], ; sibling-path
3 => bstr .size 32, ; leaf-value
}
edit-delta = {
1 => uint, ; chars-added
2 => uint, ; chars-deleted
3 => uint, ; op-count
? 4 => [* edit-position], ; positions
}
edit-position = [
uint, ; offset
int, ; change (+/-), MUST be non-zero
]
physical-state = {
1 => [+ float32], ; thermal (relative)
2 => int, ; entropy-delta (signed)
? 3 => bstr .size 32, ; kernel-commitment
}
physical-liveness = {
1 => [+ thermal-sample], ; thermal trajectory
2 => bstr .size 32, ; entropy-anchor
}
thermal-sample = [
pop-timestamp, ; sample time
float32, ; temperature delta
]
presence-challenge = {
1 => bstr .size (16..256), ; challenge-nonce (128+ bits)
2 => bstr, ; device-signature (MUST be COSE_Sign1)
3 => pop-timestamp, ; response-time
}
profile-declaration = {
1 => tstr, ; profile-id
2 => [+ uint], ; feature-flags
}
binding-type = &(
tls-exporter: 1,
)
channel-binding = {
1 => binding-type, ; binding-type
2 => bstr .size 32, ; binding-value (EKM output)
}
; Base types
uuid = bstr .size 16
pop-timestamp = #6.1(float32) ; CBOR tag 1 (epoch-based, float32)
hash-value = {
1 => hash-algorithm,
2 => bstr,
}
hash-algorithm = &(
sha256: 1,
sha384: 2,
sha512: 3,
)
¶
The attestation-result type used in the pop-war tag wrapper is defined in [PoP-Appraisal].¶
All floating-point fields in this specification MUST be encoded using 32-bit IEEE 754 binary32 format, regardless of whether a smaller encoding would suffice. This ensures deterministic encoding.¶
pop-timestamp values MUST use floating-point encoding with at least millisecond precision. Integer encoding (second granularity) MUST NOT be used. pop-timestamp values MUST be positive (greater than zero). Verifiers MUST reject Evidence containing negative or zero timestamps.¶
When hash-salt-mode is author-salted (1), the author generates a random salt of at least 16 bytes. The salt-commitment field MUST contain SHA-256(salt). To verify content binding, the author discloses the salt to the Verifier, which checks that SHA-256(disclosed_salt) matches the salt-commitment. The salt-commitment field MUST be constrained to 32 bytes (.size 32).¶
SHA-256 (value 1) is mandatory-to-implement. Conforming Attesters and Verifiers MUST support SHA-256. Support for SHA-384 and SHA-512 is OPTIONAL.¶
The hash digest length MUST match the algorithm output length: 32 bytes for SHA-256, 48 bytes for SHA-384, and 64 bytes for SHA-512.¶
All hash-value fields within a single Evidence Packet MUST use the same hash algorithm. Verifiers MUST reject Evidence Packets containing mixed hash algorithms.¶
Encoders MUST NOT use CBOR preferred float serialization (which may encode values like 0.0 as float16) for PoP fields. All floating-point values MUST be encoded as 4-byte IEEE 754 binary32 (CBOR major type 7, additional info 26) regardless of the value.¶
Extension keys in evidence-packet and checkpoint structures MUST use integer values 100 or greater. Keys 0-99 are reserved for use by this specification and future revisions.¶
The op-count field in edit-delta counts the number of discrete editing operations (insertions, deletions, and replacements) during the checkpoint interval. A single paste operation counts as one operation regardless of character count.¶
In edit-position entries, the change value MUST be non-zero. Positive values indicate insertion of characters at the offset; negative values indicate deletion. A zero change value is semantically meaningless and MUST NOT appear.¶
The device-signature in a presence-challenge MUST be a COSE_Sign1 structure [RFC9052] covering the challenge-nonce. The signing key MUST be hardware-bound on the secondary device. The Verifier obtains the corresponding public key through prior device registration (the registration mechanism is out of scope for this document).¶
Per-checkpoint physical-state (checkpoint key 11) captures instantaneous thermal and entropy measurements. Packet-level physical-liveness (evidence-packet key 18) provides a session-wide thermal trajectory for replay detection. physical-liveness SHOULD be included in ENHANCED and MAXIMUM profiles. When both are present, Verifiers MUST verify that per-checkpoint thermal values are consistent with the session-wide trajectory.¶
The checkpoint-hash field MUST be computed as follows:¶
checkpoint-hash = SHA-256(
prev-hash ||
content-hash ||
CBOR-encode(edit-delta) ||
CBOR-encode(jitter-binding) ||
CBOR-encode(physical-state) ||
process-proof.merkle-root
)
¶
Where || denotes concatenation and CBOR-encode produces deterministic CBOR per Section 4.2.1 of [RFC8949].¶
For the first checkpoint in a chain (sequence = 1), prev-hash MUST be set to SHA-256(CBOR-encode(document-ref)). This anchors the chain to the document identity.¶
When jitter-binding and physical-state fields are absent (CORE profile), the checkpoint-hash MUST be computed without those terms: checkpoint-hash = SHA-256(prev-hash || content-hash || CBOR-encode(edit-delta) || process-proof.merkle-root).¶
All components except process-proof.merkle-root are either fixed-length hashes (32/48/64 bytes per algorithm) or CBOR-encoded (self-delimiting). The merkle-root (32 bytes, fixed length) is appended last. This concatenation is unambiguous and does not require additional domain separation.¶
The fields within a checkpoint MUST be computed in the following order:¶
This ordering ensures that each subsequent computation can reference the outputs of prior steps. Implementations MUST follow this order to produce interoperable checkpoints.¶
For T3 and T4 Attestation Tiers, Evidence Packets MUST be wrapped in a COSE_Sign1 envelope. For T1 and T2 tiers, COSE_Sign1 wrapping is RECOMMENDED. The COSE_Sign1 envelope [RFC9052] provides cryptographic protection during transport. The COSE_Sign1 structure provides:¶
For T3/T4 tiers, the signing key MUST be bound to a hardware Secure Element (TPM or platform SE). For T1/T2 tiers, a software-managed key is acceptable.¶
When COSE_Sign1 wrapping is not used (e.g., offline file-based conveyance), the Evidence Packet's integrity relies solely on the internal hash chain. Relying Parties MUST evaluate the trust implications of unwrapped Evidence.¶
For online conveyance, COSE_Sign1-wrapped Evidence Packets can be encapsulated within a Conceptual Message Wrapper (CMW) for transport via the SEAT cmw_attestation TLS extension [SEAT-EXPAT]. This enables PoP Evidence to be delivered alongside platform attestation evidence in a single post-handshake authentication exchange, which is the preferred attestation timing model [SEAT-Timing]. The SEAT use cases [SEAT-UseCases] identify runtime attestation and operation-triggered re-attestation as key requirements, both of which PoP's continuous checkpoint model satisfies.¶
PoP uses a composite Sequential Work Function (SWF) combining Argon2id [RFC9106] for memory-hardness with iterated SHA-256 for sequential ordering. This construction is NOT a Verifiable Delay Function in the formal sense [Boneh2018]; it does not provide efficient public verification of the delay claim from the output alone.¶
Instead, verification relies on Merkle-sampled audit proofs: the Attester commits to a Merkle tree over intermediate states, and the Verifier checks a random subset of state transitions. This provides probabilistic verification in O(k * log n) time where k is the sample count and n is the iteration count.¶
The SWF is computed as follows:¶
state_0 = Argon2id(seed, salt=SHA-256("PoP-salt" || seed), t=1, m=65536, p=1, len=32)
for i in 1..iterations:
state_i = SHA-256(state_{i-1})
merkle_root = MerkleTree(state_0, state_1, ..., state_iterations).root
¶
The salt for Argon2id MUST be derived from the seed: salt = SHA-256("PoP-salt" || seed). This ensures domain separation between the password and salt inputs per RFC 9106 best practices.¶
The merkle-root field (process-proof key 4) MUST contain the Merkle tree root computed over all intermediate states. The final iteration state (state_iterations) is verified as the leaf at index "iterations" in the Merkle tree.¶
The Verifier MUST:¶
A minimum of 20 sampled proofs is REQUIRED for CORE profile. ENHANCED profile requires 50 proofs. MAXIMUM profile requires 100 proofs.¶
Merkle proof sample positions MUST be derived deterministically using a Fiat-Shamir transform to prevent the Attester from selectively including only honestly-computed leaves:¶
sample_seed = SHA-256(merkle_root || process-proof.input)
for j in 0..k-1:
okm_j = HKDF-Expand(sample_seed, I2OSP(j, 4), 4)
index_j = OS2IP(okm_j) mod (iterations + 1)
¶
Where k is the number of required samples (20 for CORE, 50 for ENHANCED, 100 for MAXIMUM). HKDF-Expand is used with SHA-256 as the underlying hash function per [RFC5869]. I2OSP and OS2IP are the Integer-to-Octet-String and Octet-String-to-Integer primitives as defined in [RFC8017]. The Attester MUST include Merkle proofs for exactly these indices. The Verifier recomputes the sample positions from the committed root and seed, then verifies only those proofs.¶
If the derivation produces duplicate indices (index_j equal to a previously derived index), the Attester MUST continue generating additional indices by incrementing j beyond k-1 until k distinct indices are obtained. The Verifier MUST verify that all k sample indices are distinct.¶
Sample indices are in the range [0, iterations] inclusive. Padded Merkle tree leaves (indices greater than iterations) are never sampled by this derivation.¶
The SWF seed for each checkpoint MUST be derived as:¶
seed = SHA-256(
prev-hash ||
CBOR-encode(jitter-binding.intervals) ||
CBOR-encode(physical-state)
)
¶
For the first checkpoint (sequence = 1):¶
seed = SHA-256(
CBOR-encode(document-ref) ||
initial-jitter-sample
)
¶
Where initial-jitter-sample is a minimum 32-byte sample of behavioral entropy collected before the first checkpoint. When jitter-binding and physical-state are absent (CORE profile without behavioral data), the seed MUST incorporate at least the prev-hash and a locally-generated 32-byte random nonce: seed = SHA-256(prev-hash || local-nonce). For the first checkpoint, the nonce provides non-determinism when initial-jitter-sample is unavailable. Implementations MUST NOT use a fully deterministic seed derivation.¶
NOTE: The test vectors in Appendix "SWF Test Vectors" use a simplified fixed seed for implementation validation. Production implementations MUST use the derivation specified above.¶
The SWF Merkle tree is constructed over all intermediate states as follows:¶
The final iteration state (state_iterations) is the leaf at index "iterations" and is verified by checking its Merkle proof against the committed root.¶
Conforming Attesters MUST use the following minimum SWF parameters for each Evidence Content Tier:¶
| Parameter | CORE | ENHANCED | MAXIMUM |
|---|---|---|---|
| time-cost (t) | 1 | 1 | 1 |
| memory-cost (m, KiB) | 65536 | 65536 | 131072 |
| parallelism (p) | 1 | 1 | 1 |
| iterations | 10000 | 50000 | 100000 |
| Merkle samples (k) | 20 | 50 | 100 |
Verifiers MUST reject Evidence where declared proof-params are below the mandatory minimums for the claimed content tier. Expected wall-clock times for the Argon2id phase on reference hardware (DDR4, approximately 25 GB/s memory bandwidth): CORE approximately 50-100ms, ENHANCED approximately 50-100ms, MAXIMUM approximately 100-200ms. The subsequent SHA-256 iterations add approximately 0.1ms per 1000 iterations.¶
When present, the entangled-mac field (checkpoint key 12) MUST be computed as HMAC-SHA-256 [RFC2104] with the following inputs:¶
mac-key = HKDF-Expand(process-proof.merkle-root,
"PoP-entangled-mac", 32)
mac-input = prev-hash || content-hash ||
CBOR-encode(jitter-binding) ||
CBOR-encode(physical-state)
entangled-mac = HMAC-SHA-256(mac-key, mac-input)
¶
Where HKDF-Expand is defined in [RFC5869], || denotes concatenation, and CBOR-encode produces deterministic CBOR per Section 4.2.1 of [RFC8949].¶
NOTE: In the adversarial Attester model, the Attester generates the SWF output and therefore knows the MAC key. The entangled-mac provides internal consistency binding but does NOT prevent forgery by a malicious Attester (see Section 15.8).¶
When present, the jitter-seal field (jitter-binding key 3) MUST be computed as HMAC-SHA-256 with the following inputs:¶
seal-key = HKDF-Expand(process-proof.merkle-root,
"PoP-jitter-seal", 32)
seal-input = CBOR-encode(jitter-binding.intervals)
jitter-seal = HMAC-SHA-256(seal-key, seal-input)
¶
The jitter-seal binds the timing measurements to the checkpoint's SWF computation, preventing transplantation of jitter data from a different session. It is subject to the same adversarial Attester limitation as the entangled-mac (Section 15.8).¶
NOTE: In the adversarial Attester model, the Attester generates both the SWF output (from which the MAC key is derived) and the MAC input data. The entangled-mac and jitter-seal therefore provide data integrity binding but do not prevent an adversarial Attester from computing MACs over fabricated data. Their security value is limited to ensuring internal consistency within an honestly-generated checkpoint. See Section 15.¶
An adversary who skips fraction f of iterations will be detected with probability 1-(1-f)^k where k is the number of sampled proofs. With k=20 and f=0.1, detection probability exceeds 0.878. With k=100 and f=0.05, detection probability exceeds 0.994.¶
This bound holds under the random oracle model for SHA-256. The Attester commits to the Merkle root before sample positions are derived via the Fiat-Shamir transform. Finding a root that biases all k samples away from skipped iterations requires inverting SHA-256, which is computationally infeasible under standard assumptions.¶
In T3/T4 tiers, the AE MUST anchor the SWF seed to the TPM Monotonic Counter. This prevents "SWF Speed-up" attacks by ensuring that the temporal proof is bound to the hardware's internal perception of time.¶
This document requests the following IANA registrations:¶
No SMI Private Enterprise Number is required by this specification's wire format. WritersLogic Inc has requested PEN 65074 for organizational identification purposes only.¶
Registration of the EAT profile URI: urn:ietf:params:rats:eat:profile:pop:1.0¶
This document requests registration of the following media types per RFC 6838:¶
application/vnd.writerslogic-pop+cbor:¶
application/vnd.writerslogic-war+cbor:¶
This section provides security analysis following [RFC3552] guidelines. The threat model is defined in Section 5 with the adversarial Attester as the primary threat actor. Detailed forensic security analysis is provided in [PoP-Appraisal].¶
Unlike traditional remote attestation where external adversaries threaten system integrity, PoP's primary threat is the Attester operator themselves. The author controls the Attesting Environment and has incentive to claim authenticity for AI-generated or assisted content.¶
This threat model inversion has fundamental implications:¶
The retype attack (see Section 5.3.1) is the canonical forgery vector. Defenses are layered:¶
Relying Parties should be aware that retype attacks remain viable for short documents or high-value targets willing to invest real time. PoP provides graduated assurance proportional to document length and checkpoint density.¶
As defined in Section 5.3.2 and Section 5.3.3, these attacks are defeated through Physical Freshness anchors binding Evidence to non-reproducible physical state:¶
Verifiers MUST reject Evidence where physical freshness markers are stale, inconsistent with timestamps, or exhibit patterns suggesting simulation.¶
As analyzed in Section 5.3.4, specialized hardware attacks are mitigated by:¶
Relying Parties should interpret Evidence according to its Attestation Tier:¶
Implementations SHOULD report quantified forgery cost estimates in Attestation Results. For CORE profile (10,000 iterations, m=65536 KiB):¶
These costs are low for individual checkpoints. Security derives from the conjunctive requirement across many checkpoints: an adversary must sustain consistent behavioral entropy, temporal ordering, and physical state data across the entire chain. The forgery cost scales superlinearly with checkpoint count due to session consistency requirements.¶
SWF verification is asymmetric: Merkle-sampled proofs verify in O(k * log n) versus O(n) generation. Verifiers cannot be overwhelmed by expensive verification requests. Implementations SHOULD implement rate limiting on Evidence submission.¶
The entangled-mac and jitter-seal fields are HMAC values keyed from the SWF output. In the adversarial Attester model, the Attester generates the SWF output and therefore knows the MAC key. An adversarial Attester can compute valid MACs over fabricated data (synthetic jitter, manufactured physical state). These fields provide internal consistency checking but do NOT prevent forgery by the Attester. Their value is limited to:¶
In T1 (Software-Only) and T2 (Attested Software) tiers, the Attester controls all software including the operating system. Physical state readings (thermal trajectories, kernel entropy deltas) are obtained from OS interfaces that the adversarial Attester can intercept or fabricate. Verifiers MUST NOT treat physical-state or physical-liveness fields as evidence of physical freshness in T1/T2 Evidence Packets. Their value in these tiers is limited to increasing the dimensionality of data that an adversary must fabricate consistently.¶
Physical freshness provides meaningful anti-replay protection only in T3/T4 tiers where hardware attestation binds physical state readings to a trusted execution environment.¶
Conforming implementations MUST:¶
T3/T4 implementations MUST additionally:¶
This section addresses privacy in accordance with [RFC6973].¶
PoP Evidence Packets do not contain document content. Content binding uses cryptographic hashes (SHA-256) which are computationally irreversible. The author-salted mode (hash-salt-mode=1) provides additional protection by preventing rainbow-table correlation across documents.¶
Jitter sequences in ENHANCED and MAXIMUM profiles constitute behavioral biometrics. To protect author privacy, Verifiers are expected to:¶
Attesters SHOULD quantize jitter values to reduce fingerprinting precision while preserving statistical validity. A minimum quantization of 5ms is RECOMMENDED.¶
Thermal trajectories and kernel entropy deltas in the physical-state field may reveal information about the Attester's hardware configuration. Implementations SHOULD normalize thermal data to relative deltas rather than absolute values to prevent device fingerprinting.¶
Authors who wish to remain pseudonymous SHOULD use per-document signing keys and the author-salted content binding mode to prevent cross-document linkage.¶
The following test vectors validate SWF implementations.¶
NOTE: These test vectors use the construction from this specification revision. The salt is derived as SHA-256("PoP-salt" || seed). Implementers should verify their Argon2id output matches state_0 before proceeding with SHA-256 iterations.¶
Seed: "witnessd-genesis-v1"
Seed (hex): 7769746e657373642d67656e657369732d7631
Salt: SHA-256("PoP-salt" || seed)
Argon2id Parameters:
Time Cost (t): 1
Memory Cost (m): 65536 KiB
Parallelism (p): 1
Output Length: 32 bytes
Iterations: 10,000
Salt (hex): c5de0ba53fa83ab477ead9013bfca978
339e5072882cafb3d0efc8cc40299155
Intermediate States:
state_0 (Argon2id):
a40e0f73832f88dc8bfe5f8956fff4a0
ad2fc4de5455e9d85497c6083b3b1802
state_1000:
c727ead9631eef95ca9a5976a947f71a
6f4f29a5c80aa2dc7f120f9a4193d7b4
state_5000:
d6cba1225d1a2d25dddecfcf2d473020
a19df736878f40ccdfb9334df5af58a5
state_9999:
d7482a780c9e89c787f1ff1e2c566b7b
536260e37d24c539e46de1598321aea2
state_10000 (final):
e445a3cdc8152d66c71366d22b2c5975
cff4d0c8ee6ec0e76515b04d143bd148
¶
The author thanks the participants of the RATS working group for their ongoing work on remote attestation architecture and security considerations that informed this specification.¶