HashDome Whitepaper — Bitcoin-Anchored Authentication for Contested Networks

Abstract

A decentralized form of network authentication would allow a node to be admitted to a network directly by its peers, without relying on a continuously reachable central authority to issue or validate credentials at the moment of admission. Public-key signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to certify which keys are authorized. We propose a solution to the credential-forgery and Sybil problem using two independent costs anchored to an external proof-of-work chain. Authorization is delegated by sponsors who post publicly verifiable stake, and admission requires a proof-of-work receipt bound to a recent block of that chain, so that forging an identity or flooding the network imposes a cost measurable in committed capital and in energy. The record of who was admitted is committed to that chain via transactions whose inclusion is provable against block headers, forming an audit trail that cannot be altered without redoing its proof-of-work. The system is secure as long as honest sponsors control a majority of the staked value, and continues to authenticate while disconnected from the chain, requiring only a cached copy of its block headers and the committed trust-state root.

Status of this document: This is an early-stage protocol sketch and concept note. It is not a finished cryptographic specification. The construction has not been formally verified, and several open problems remain. See Section 12 for a statement of known limitations.

1.Introduction

Authentication on military and critical-infrastructure networks has come to rely almost exclusively on central authorities serving as trusted third parties to issue and validate credentials. While the model works well enough in garrison conditions, it inherits the weaknesses inherent in the trust-based model. A certificate authority, a key-distribution center, or an identity provider is a single entity whose continued availability the entire network depends upon. Authentication cannot proceed when that entity is unreachable, and an adversary who degrades or destroys it disables admission for every node at once. The cost of this dependence is paid precisely when it is least affordable: in the opening phase of a conflict, when the central authority is the first and most valuable target.

The dependence also spreads. To admit a new participant — a coalition partner, a newly deployed platform — its key material must be enrolled with the central authority in advance, a procedure that presumes connectivity, prior coordination, and time. A certain fraction of operational delay is accepted as unavoidable. These costs cannot be avoided entirely in a centralized model, because the authority must be consulted to establish whether any given credential is genuine.

What is needed is an authentication system based on cryptographic and physical proof instead of trust, allowing any two authorized nodes to verify each other directly without a trusted third party, and without a live connection to any central service. Admission that is computationally and economically impractical to forge would protect a network from infiltration, and the record of admissions, once written, would be impractical to alter after the fact. In this paper we propose such a system. Authorization is delegated through sponsors who commit verifiable stake, and admission is gated by a proof-of-work receipt anchored to an external timestamp chain — concretely, the most computationally secured such chain in existence. The system is secure as long as honest sponsors collectively control more staked value than any cooperating group of adversaries, and as long as the underlying chain's honest participants control a majority of its hashing power.

A note on trust. This construction does not eliminate trust; it relocates it. The precise claim is narrower and more defensible: no continuously reachable online authority is required at the moment of admission. Trust is instead placed in the integrity of the external proof-of-work chain, in the honesty of the sponsor set, and in the one-time distribution of root key material before deployment. These are weaker and more durable assumptions than continuous reachability of a central server in a contested environment, but they are assumptions nonetheless.

2.Authentication

We define a network admission credential as a chain of signatures. The network is founded by a root authority, which we treat not as a continuously trusted server but as a one-time genesis: a key, or a quorum of keys, whose public component is distributed to every node before deployment. The root signs a set of sponsors. Each sponsor in turn signs the nodes it vouches for. A verifier can follow the signatures back to the root to confirm that a presenting node has been authorized, in the same way that a chain of endorsements can be followed to its origin.

Let a node hold a key pair (sk_N, pk_N) on the curve secp256k1, the curve of the underlying chain. A sponsor S, itself authorized by the root, issues a credential:

\begin{aligned} C &\;=\; \big(pk_N,\;\texttt{class},\;h_{\text{issue}},\;h_{\text{expire}},\;pk_S,\;\sigma_S\big),\\[6pt] \sigma_S &\;=\; \mathrm{Sign}_{sk_S}\!\big(pk_N \,\|\, \texttt{class} \,\|\, h_{\text{issue}} \,\|\, h_{\text{expire}}\big) \end{aligned}

Credential issued by sponsor S to node N, bounded in time by external chain block heights.

where class is the access tier granted, and h_issue and h_expireare block heights of the external chain that bound the credential's validity in time. A verifier accepts C if the signature verifies under the sponsor's public key, if that public key is authorized by the root, and if the current chain height h satisfies h_issue ≤ h < h_expire.

The problem is that a verifier cannot tell from the signature chain alone whether a key has been authorized more times than it should be, or whether a sponsor has been duplicated by an adversary who wishes to vouch for arbitrarily many fraudulent nodes. This is the analogue, in authentication, of the double-spending problem: a signature can be copied at no cost, so the mere possession of a syntactically valid credential proves nothing about its scarcity.

We need a way for a verifier to know that a credential is scarce — that it could not have been manufactured cheaply and at scale — without consulting a trusted party at the time of admission. We accomplish this with two independent and externally anchored costs: a committed stake bound to each sponsor (§3, §4), and a proof-of-work bound to each admission (§5, §6). The first makes authorization expensive to grant fraudulently; the second makes admission expensive to attempt at scale.

3.Sponsorship

The longest signature chain, by itself, establishes only that a credential traces to the root. It does not establish that the sponsor who issued it is scarce. An adversary who obtains one sponsor key may sign an unbounded number of node credentials at no marginal cost. To make authorization costly, we require each sponsor to bind its identity to a quantity of value that is committed on the external chain and that can be verified by anyone.

Let the external chain carry, at each height h, a set of unspent outputs whose values are public. A sponsor S controls a key pk_S associated with one or more such outputs holding total value v_S. We define the sponsor weight as:

w_S \;=\; f(v_S,\, \tau_S)

Sponsor weight is monotonically increasing in both committed value and commitment duration.

where τ_S is the duration for which the value is demonstrably committed and f is monotonically increasing in both arguments. The weight determines the tiers a sponsor may grant and the number of nodes it may vouch for: a node's admitted tier is capped by its sponsor's weight, and authority flows downward and cannot be amplified.

The purpose of binding standing to committed value is to invert the economics of the Sybil attack. In the one-key-one-vote model, authority can be subverted by anyone able to generate many keys, since key generation is free. Sponsorship is instead one-unit-of-stake-one-unit-of-authority. An adversary wishing to obtain sponsor weight W must commit value proportional to W, drawn from the same scarce asset that secures the external chain, and must do so visibly, where every verifier can observe and discount it.

A long-term holder of the underlying asset can post such a commitment at little opportunity cost. This aligns incentives in the system's favor: the parties best able to become sponsors cheaply are precisely those with a durable stake in the asset, who have the least interest in degrading a network whose security rests upon it.

4.Proof of Holdings and the Committed Trust State

A sponsor proves control of committed value without transferring it. Before stating the construction, we must be precise about what a Bitcoin block header does and does not attest, because this distinction shapes every offline guarantee the system can honestly make.

What headers can attest

Each block header contains a Merkle root M_h that commits to the set of transactions included in that block. Given a transaction tx and a Merkle branch, any verifier holding only the header can confirm that tx was included in block h. This inclusion proof is compact, requires no full-node data, and is cryptographically binding.

What headers cannot attest

A Bitcoin block header does not commit to the unspent-output set. There is no UTXO root in the header. A verifier holding only headers cannot determine, from those headers alone, whether a specific output remains unspent at a given height. This is a fundamental property of the Bitcoin header structure, not a limitation to be engineered around.

The committed trust-state root

To bridge this gap, the system introduces a committed trust-state root G_h. Validators running full nodes periodically compute the current trust state — the set of authorized sponsors with their weights and the set of admitted nodes under unrevoked credentials — and commit its Merkle root to the chain via an OP_RETURN output in a standard transaction. The transaction's inclusion in block h is then provable by a Merkle branch to M_h.

Sponsor verification proceeds in two header-supported steps. First, the verifier confirms that the commitment transaction tx_G_h was included in block h, using the Merkle branch ρ_G against M_h:

\mathrm{Verify}(M_h,\; \rho_G,\; tx_{G_h}) = \texttt{true}

Confirms the trust-state commitment was included in block h, provable against the header alone.

Second, the verifier confirms that the sponsor pk_S is a member of the trust state whose root G_h was committed in that transaction, using a membership path ρ_C:

\mathrm{Verify}(G_h,\; \rho_C,\; pk_S) = \texttt{true}

Confirms sponsor membership in the committed trust state at height h.

Control of the key is shown by a fresh signature bound to the specific credential and admission time:

\begin{aligned} \pi_{\text{key}} &\;=\; \mathrm{Sign}_{sk_S}(r), \\[4pt] r &\;=\; H\!\big(pk_N \,\|\, h_{\text{issue}}\big) \end{aligned}

The proof of key control is bound to the specific credential and time — not transferable or reusable.

The combined proof of holdings is:

\Pi_S \;=\; \big(tx_{G_h},\; \rho_G,\; \rho_C,\; \pi_{\text{key}},\; h\big)

The complete proof of holdings — verifiable offline against cached block headers and the committed trust-state root.

What remains offline-unverifiable

A verifier holding only headers and the cached G_h cannot confirm that a sponsor's committed outputs remain unspent at the moment of verification. Spentness can only be confirmed by a full node with access to the current UTXO set. This means the offline trust guarantee rests on the integrity of the full nodes that computed and committed G_h, and on the assumption that the committed outputs have not been spent between the last commitment and the present admission. The honest-limitation consequence is stated explicitly in §12.

5.Proof-of-Power Admission

Stake makes authorization costly to grant; it does not by itself make admission costly to attempt. To impose a per-admission cost we require that each admission carry a proof-of-work using the same hash function and header format as the external chain — but with an independent admission target T_adm, not necessarily equal to the external chain's live mining difficulty. The distinction matters: requiring full Bitcoin block difficulty would be impractical for constrained platforms such as embedded sensors or shipborne terminals. T_adm is a calibrated parameter carried in the cached state (§8), chosen to make admission costly relative to the capabilities of expected adversaries without being prohibitive for legitimate nodes.

The work is performed over an 80-byte structure of the same form as a block header of the external chain:

\beta \;=\; \big(\texttt{ver} \,\|\, b_{\text{prev}} \,\|\, m \,\|\, t \,\|\, \texttt{bits}_{\text{adm}} \,\|\, \texttt{nonce}\big)

80-byte admission header — identical structure to a Bitcoin block header, with an independent admission difficulty field bits_adm.

in which b_prev is the hash of a recent block of the external chain, bits_adm encodes the admission target T_adm, and the field m — occupying the position of the Merkle root — commits to the admission:

m \;=\; H\!\big(pk_A \,\|\, pk_B \,\|\, s\big)

m binds the admission to a specific pair of nodes and a session nonce supplied by the admitting node.

The prover varies the nonce until the double hash falls below the admission target:

H\!\big(H(\beta)\big) \;<\; T_{\text{adm}}

This is the same scanning problem solved by miners of the external chain, using Bitcoin-format proof-of-work. Anchoring b_prev to a recent block of the external chain ensures the receipt could not have been pre-computed before that block existed. The admission receipt presented by node A to node B is:

\mathcal{R} \;=\; \big(C_A,\; \Pi_{S_A},\; \beta,\; s\big)

The complete admission receipt — credential, stake proof, solved work, and session nonce.

Node B admits A if and only if every one of the following holds, each checkable in the time of a small constant number of hash and signature operations:

b_prev is a block in B's cached header chain;
b_prev lies within the last N blocks of that chain (§6);
H(H(β)) < T_adm, with T_adm taken from the cached admission parameters;
m = H(pk_A ‖ pk_B ‖ s) for the s that B issued;
the credential chain of C_A verifies to the root, and Π_S_A proves w_S_A sufficient for C_A's tier;
the credential is unexpired: h_issue ≤ h < h_expire.

If all hold, the session is established. No server is consulted and no central authority is involved; the only shared reference is the cached chain state that both nodes already hold. The work is required only of admission — the establishment of a session — and not of the traffic that follows.

6.Timelock Anchoring

The reference to b_prev does more than seed the work. Because the header committing to the admission contains the hash of a specific block, the receipt cannot have been computed before that block existed. By embedding b_prev in β, an admission inherits this timestamp. The receipt proves that the admission occurred no earlier than the moment b_prev was mined.

We use this to bound freshness and to forbid replay. Let h be the height of the verifier's chain tip and h_prev the height of b_prev. Condition 2 of §5 requires:

0 \;\le\; h - h_{\text{prev}} \;\le\; N

With N = 6, a receipt is valid for approximately one hour after the block it references (10-minute block interval).

A receipt computed against an older block falls outside the window and is rejected. An adversary who intercepts a valid receipt gains nothing by replaying it after the window closes, and within the window the session nonce s in m binds the receipt to a single challenge, so a replay against the same verifier is detected by reuse of s.

The same anchoring gives the admission record an evidentiary property absent from conventional logs. A log entry asserting that a node was admitted at a given time is only as trustworthy as the host that wrote it and can be altered after the fact. An admission receipt referencing block b_prev asserts its timing against a chain whose reordering is computationally infeasible. The timing of every admission is thus pinned to a reference that no participant in the network, and no party outside it, can revise. This immutability concerns the timestamp and the committed trust state; it is independent of the choice of T_adm.

7.Slashing and Revocation

The commitment of stake in §3 deters fraudulent authorization only if a sponsor that authorizes fraud can be made to suffer for it. A signature, once issued, cannot be recalled by the issuer; what the system can do is publish the fact of a sponsor's removal in a manner every node will observe and act upon. We treat revocation as a committed event rather than a message.

When the root determines that a sponsor S has acted in bad faith — by vouching for a node later shown to be hostile, by exceeding its authorized weight, or by losing control of its key — full nodes compute and publish a new trust-state root G_h' that omits S entirely. This updated root is committed on-chain via OP_RETURN (§4). Upon observing it, every verifier rejects not only S but the entire subtree of credentials descended from S:

\begin{aligned} \text{revoke}(S) \;\Longrightarrow\; &\forall\, C \text{ with sponsor chain through } S:\\&\quad \mathrm{Verify}(C) = \texttt{false} \end{aligned}

A single committed root update ejects every node S ever admitted, simultaneously and without per-node action.

The system cannot confiscate the sponsor's committed value. What it imposes instead is the forfeiture of everything the stake purchased. The committed value remains locked under its time lock, while the standing it conferred is destroyed and the sponsor's public key is permanently marked on an immutable ledger as revoked. We can state the resulting incentive precisely. Let a sponsor hold committed value v_S and derive a continuing benefit b per unit time from honest participation, and let defection yield a one-time gain g. Honest behavior dominates whenever:

g \;<\; \int_{0}^{\tau_S} b\, e^{-\delta t}\, dt \;+\; v_S\big(1 - e^{-\delta \tau_S}\big)

Because the right-hand side scales with v_S, sponsors capable of the most authorization have the most to lose.

Revocation, like admission, must function while disconnected. A verifier that has cached the trust-state root up to its last sync will reject any credential in a revoked subtree without consulting the chain. Revocation records, once observed by any connected node, are propagated peer-to-peer on a best-effort basis, so that the knowledge that a sponsor has fallen spreads through the network ahead of, and independently of, routine header synchronization.

Honest limitation: a disconnected node cannot act on a revocation it has not yet received. A node that has been isolated since before a revocation was committed will continue to accept credentials from the revoked sponsor until it next synchronizes. This is a known bound on the offline freshness guarantee, stated explicitly in §12.

8.Disconnected Operation

The defining environment of the system is one in which no central service can be reached and the external chain itself may be unreachable for extended periods. We now state what the system guarantees under such isolation, and on what cached state the guarantee rests.

Each node retains from its last period of connectivity: the block headers of the external chain from genesis to the last synced height h*; the committed trust-state root G_h* and its inclusion proof (the Merkle branch linking the OP_RETURN transaction to M_h*); the sponsor membership paths needed to verify the expected peer set; the set of enrollment and revocation records propagated peer-to-peer; and the admission target T_adm, carried in the cached state so that the cost of admission does not collapse offline. The headers are 80 bytes each; the full history is on the order of tens of megabytes — transmissible over any intermittent channel, including out-of-band ones.

Operation	Online	Offline (isolated)
Admission verification (§5)	Full check against live headers	Full check against cached headers
Timelock check (§6)	Live chain tip	Cached tip — window still enforced
Trust-state membership (§4)	Latest G_h from full nodes	Cached G_h* with inclusion proof
Revocation check (§7)	Latest G_h from full nodes	Cached G_h* — peer-propagated updates
New node enrollment (§9)	Commits to chain	Deferred until reconnect
Admission target T_adm	Updated by full nodes	Carried in cache — constant offline

Capability matrix under isolated operation. Security guarantees persist; enrollment and trust-state updates degrade gracefully.

What degrades under isolation is bounded and of a specific character. Three things worsen as time since last sync grows: new enrollments are unknown (nodes not in G_h* cannot be admitted); committed outputs may have been spent since h* (the system cannot detect this offline); and revocations committed after h* have not been received. All three degrade toward stale acceptance — the system may admit nodes that a current full node would reject — never toward unconditional acceptance of nodes outside the cached trust state. The admission target T_adm is carried in cache and does not degrade.

A system whose admission depends on contacting a certificate authority or a revocation responder offers no analogous guarantee: deprived of that contact, it either fails closed, denying all admission, or fails open, admitting without check. The construction here fails to neither extreme, because the evidence it requires was made portable in advance and the cost it imposes is carried in the receipt itself.

9.Reclaiming Trust State

The records committed to the external chain accumulate without bound. Every enrollment, every key rotation, every revocation adds to the set a verifier must account for, and a node that has been deployed for years cannot be required to retain each event individually. As with the spent transactions of the original construction, the older records can be discarded once their effect has been absorbed into a compact summary.

The events relevant to authorization form, at any height, a current trust state: the set of authorized sponsors with their weights, and the set of nodes presently admitted under unrevoked credentials. Once an enrollment has been revoked or has expired, the pair of records no longer affects any present admission and need not be retained in full.

This compact summary is precisely the committed trust-state root G_h introduced in §4. A credential's continued validity is shown by a membership path to G_h rather than by replaying the entire history of events that produced it:

\mathrm{Verify}(G_h,\, \rho_C,\, C) = \texttt{true}

Membership in the committed trust-state root G_h replaces the full event history for operational verification.

The storage required of a node is thereby bounded by the size of the current state, not by the length of the network's history. The audit trail remains available on the external chain for any party that wishes to reconstruct history in full; what is pruned is the local obligation to store it, not the global record itself.

10.Simplified Admission Verification

It is possible to verify admissions without retaining the full state of the external chain. A node need keep only the block headers of the longest proof-of-work chain. From the headers alone it can check that the referenced block b_prev is in the longest chain and that the work H(H(β)) < T_adm was performed against the cached admission target.

For the proofs that reference chain state — the trust-state membership and the commitment transaction — the verifier obtains Merkle branches linking the claimed items to roots carried in block headers. A lightweight verifier thus checks two things: first, that the commitment transaction tx_G_h was included in block h (transaction inclusion via M_h), and second, that the sponsor or credential is a member of the committed root G_h extracted from that transaction:

\begin{aligned} &\mathrm{Verify}(M_h,\; \rho_G,\; tx_{G_h}) \\[4pt] &\quad\wedge\; \mathrm{Verify}(G_h,\; \rho_C,\; C) \\[4pt] &\quad\wedge\; \big(b_{\text{prev}} \in \text{headers}\big) \\[4pt] &\quad\wedge\; \big(H(H(\beta)) < T_{\text{adm}}\big) \end{aligned}

Holding only headers and supplied Merkle branches — never the full chain state.

A node wanting stronger assurance — in particular, confirmation that sponsor outputs remain unspent — can run a full node. The lightweight path provides the guarantees headers can give; the full-node path provides the remainder (§12).

The reliability of this method is exactly that of the original: it holds as long as honest nodes control the external chain. A lightweight verifier can be deceived by a fabricated branch only for as long as an attacker can sustain a chain that outpaces the honest majority — the condition whose probability §11 shows to vanish exponentially.

This is what permits the construction to run on the platforms that need it most. The submarine, the unmanned vehicle, the forward terminal cannot carry the full chain state nor reach a server to compensate, but each can carry the headers and verify, against them, that an admission carries real work bound to a real block and that a sponsor proved real stake in the committed trust state — the whole of the security argument, reduced to what a header chain can attest.

11.Calculations

We consider three ways an adversary may attempt to defeat the system: by manufacturing identities at scale (the Sybil attack), by forging an admission without performing its work, and by rewriting the external chain so as to falsify the timestamp or committed trust state on which an admission depends.

Sybil Cost

Let admission to tier k require sponsor weight at least ω_k, and let the weight function of §3 be, for committed value v held over duration τ:

w \;=\; f(v,\tau) \;=\; v\big(1 - e^{-\delta\tau}\big)

Increasing in both committed value and duration; approaches full value v as the commitment lengthens.

An adversary seeking to authorize n fraudulent nodes at tier k must control sponsor weight n·ω_k, and must therefore commit value:

v_{\text{adv}} \;\ge\; \frac{n\,\omega_k}{1 - e^{-\delta\tau}}

The cost is linear in the number of identities sought and denominated in the scarce asset of the external chain.

Unlike key generation, which is free and which the one-key-one-vote model cannot resist, the manufacture of authorization here carries a price that rises without bound as n grows. Moreover the committed value is public and time-locked, so it cannot be reused across simultaneous identities: the same output cannot back two sponsor weights at once.

Forgery Cost

The admission target T_adm is an independent parameter. Define the work per receipt as:

W_{\text{adm}} \;=\; \frac{2^{256}}{T_{\text{adm}}}

A verifier willing to accept receipts with latency up to L seconds must demand at least W_adm hash operations per receipt. If the minimum expected adversary hashing rate is H_min, the latency–security trade-off is:

W_{\text{adm}} \;=\; L \cdot H_{\min}

T_adm is chosen by calibrating the acceptable latency against the expected adversary compute budget.

T_adm may optionally be expressed as a fraction φ of the Bitcoin network difficulty target T_BTC:

T_{\text{adm}} \;=\; \phi \cdot T_{\text{BTC}}, \quad \phi \ll 1

φ = 1 would require full Bitcoin mining difficulty per admission — impractical for constrained platforms and the specific error to avoid in calibration.

To present an admission receipt without performing the work, an adversary must find a nonce with H(H(β)) < T_adm by means cheaper than the search itself. Under the standard assumption that H behaves as a random function, no such means exists. An adversary commanding hashing rate H_adv produces valid receipts at rate H_adv / W_adm; to sustain λ admissions per second it must command H_adv ≥ λ · W_adm.

Rewriting the Chain

The timestamp of §6 and the committed trust state of §4 are only as immutable as the external chain itself. We restate the standard result. With p the probability the honest network finds the next block and q = 1 − p that the adversary does, the probability that an adversary z blocks behind ever catches up is:

q_z \;=\; \begin{cases} 1 & \text{if } p \le q, \\[4pt] \left(\dfrac{q}{p}\right)^{z} & \text{if } p > q. \end{cases}

For q = 0.1, the probability falls below 1 in 1,000 by z = 5. For q = 0.3, by z = 24.

The system therefore inherits, without addition or weakening, the security of the chain it anchors to. Anchoring to the chain of greatest accumulated work is what makes z — the depth achieved in any fixed time — largest, and the catching-up probability smallest, for every admission the system records. Note that T_adm does not affect this guarantee; chain immutability is a property of the external chain's accumulated work, not of the admission difficulty.

Combined Security

An adversary must defeat all three barriers at once. It must commit v_adv in scarce, visible, time-locked value to obtain authorization; it must command sufficient hashing power to produce receipts at rate λ against T_adm; and to falsify the record it must outpace the external chain's honest majority, with success probability (q/p)^z vanishing in confirmation depth. The costs are independent and denominated in independent resources — capital, energy, and accumulated work — none of which the adversary can fabricate and all of which any verifier confirms against a single cached reference.

The system does not defend against key compromise inside an isolated partition. A node whose private key is extracted can be impersonated for the duration of its credential without the network being able to detect or respond to this until reconnection and revocation.

12.Known Limitations and Open Problems

This document is a protocol sketch. The following limitations are known and stated plainly.

Headers do not commit to the unspent-output set.As stated in §4, a Bitcoin block header contains no UTXO root. Verifying that a sponsor's committed outputs remain unspent requires a full node. The offline construction rests on the integrity of validators who computed G_h, and on the assumption that committed outputs have not been spent since the last trust-state update.
Admission difficulty is a calibration. T_adm is a system parameter chosen to balance latency and security against an anticipated adversary compute budget. If adversary capabilities are underestimated, or if hardware costs fall faster than T_adm is updated, the admission cost may become insufficient. The calibration is not self-adjusting in the current design.
Trust is relocated, not eliminated. The construction depends on the honesty of the root key holders, the validators computing G_h, and the integrity of the external chain. These are weaker assumptions than continuous server reachability in a contested environment, but they are real assumptions.
Offline freshness is bounded. A disconnected node accepts credentials from the cached trust state. It cannot detect enrollments, revocations, or spent bonds that occurred after its last sync. The staleness window is open-ended; the system does not currently bound how long a node may safely operate disconnected.
Key compromise. A node whose private key is extracted can be impersonated within an isolated partition until revocation is received. The system provides no defense against key compromise beyond the staleness bound above.
Privacy and traffic analysis. The transparent construction reveals sponsor identities and stake amounts. Admission receipts may leak session timing and peer relationships to a network observer. The zero-knowledge variant (§4) addresses stake privacy but does not address traffic analysis.
Absence of formal proofs. The security arguments in this document are informal. The construction has not been reduced to a formal security model, proven under standard cryptographic assumptions, or subjected to external cryptographic review. It should not be deployed in production without such analysis.

13.Conclusion

We have sketched a direction for network authentication that does not depend on a continuously reachable central authority. The construction uses the external proof-of-work chain only for what it can attest: transaction inclusion via Merkle branches to block headers, and the ordering and immutability of committed records. It does not claim to derive UTXO-set facts from headers, and it acknowledges explicitly where full-node data is required for stronger guarantees.

Two independent and externally anchored costs address the core problem. A sponsor's stake, committed in scarce value and proven via the committed trust-state root G_h, makes authorization expensive to grant fraudulently. A proof-of-work bound to a recent block, performed using Bitcoin-format hashing against an independently calibrated target T_adm, makes admission expensive to attempt at scale and pins its timing to a record that is computationally impractical to alter.

The construction is designed to remain operational while wholly disconnected. A cached header chain, a cached trust-state root with its inclusion proof, and the admission target are sufficient to verify admissions with no live connection. What degrades offline is bounded and of a known character: stale acceptance within the cached trust state, not unconditional acceptance outside it.

This document is a sketch of a direction, not a finished design. The limitations in §12 are real. The next steps are a formal security model, reduction proofs under standard assumptions, and external cryptographic review before any consideration of deployment.

References

S. Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System," 2008.
A. Back, "Hashcash — A Denial of Service Counter-Measure," 2002.
C. Dwork, M. Naor, "Pricing via Processing or Combatting Junk Mail," in Advances in Cryptology — CRYPTO '92, LNCS 740, pp. 139–147, 1993.
R. C. Merkle, "Protocols for Public Key Cryptosystems," in Proc. 1980 Symposium on Security and Privacy, IEEE, pp. 122–133, 1980.
H. Massias, X. S. Avila, J.-J. Quisquater, "Design of a Secure Timestamping Service with Minimal Trust Requirements," in 20th Symposium on Information Theory in the Benelux, 1999.
S. Haber, W. S. Stornetta, "How to Time-Stamp a Digital Document," in Journal of Cryptology, vol. 3, no. 2, pp. 99–111, 1991.
C. Belcher, "Design for Improving JoinMarket's Resistance to Sybil Attacks Using Fidelity Bonds," 2019.
BIP 46: Fidelity bonds for JoinMarket, Bitcoin Improvement Proposals, 2021.
J. R. Douceur, "The Sybil Attack," in Peer-to-Peer Systems (IPTPS 2002), LNCS 2429, pp. 251–260, 2002.
D. Chaum, "Blind Signatures for Untraceable Payments," in Advances in Cryptology — CRYPTO '82, pp. 199–203, 1983.
A. Poelstra, "Curve Trees: Practical and Transparent Zero-Knowledge Accumulators for Unspent Outputs," Delving Bitcoin, 2024.
Bitcoin Developer Documentation, "Block chain and Simplified Payment Verification," bitcoin.org/en/developer-guide, accessed 2026.
W. Feller, An Introduction to Probability Theory and Its Applications, 1957.
National Institute of Standards and Technology, "FIPS 180-4: Secure Hash Standard (SHS)," 2015.