Academic Overview¶
This document describes the formal properties and cryptographic foundations of Diogenes for researchers and academics evaluating the system's theoretical underpinnings.
System Model¶
Diogenes is a distributed attestation system that constructs a directed acyclic graph (DAG) of cryptographic attestations over document manifests, supported by a hash-chained transparency log, an endorsement-based trust network, and Bitcoin-anchored temporal proofs.
The system operates under the following assumptions:
- Honest majority of endorsers. The trust model assumes that a majority of endorsing participants are honest. Sybil defense mechanisms limit the impact of dishonest minorities.
- Cryptographic hardness. Security relies on the computational hardness of SHA-256 preimage/collision resistance, the discrete logarithm problem (Ed25519, ECDSA), and integer factorization (RSA).
- Authenticated channels. Client-server communication occurs over TLS. The protocol does not provide its own transport security.
Formal Properties¶
Attestation Integrity¶
Property: Given an attestation A = (manifest, signature, public_key), any party can verify that signature is a valid signature of canonical(manifest) under public_key, where canonical is the deterministic JSON serialization function JSON.dumps(manifest, sort_keys=True, separators=(",", ":")).
Guarantee: An attestation cannot be forged without knowledge of the corresponding private key, assuming the underlying signature scheme is existentially unforgeable under chosen-message attacks (EUF-CMA).
Log Append-Only Property¶
Property: The transparency log forms a hash chain where each entry E_i contains previous_hash = H(E_{i-1}) and entry_hash = H(payload_i || previous_hash_i). Inserting, deleting, or modifying an entry without detection requires finding a SHA-256 collision.
Guarantee: Any party can verify the chain by recomputing all hashes from the genesis entry. Temporal anchoring via OpenTimestamps provides an external commitment to the log state at a specific Bitcoin block height.
Non-Repudiation¶
Property: Once an attestation is recorded on the transparency log with a valid signature and a Bitcoin-anchored timestamp, the signer cannot deny having made the attestation at or before the anchored time, provided:
- The signature verifies under their registered public key.
- The key was active at the time of attestation.
- The log entry's hash chain is intact.
- The OpenTimestamps proof is valid.
Trust Subjectivity¶
Property: Layer 3 verification is explicitly subjective. Each verifier defines their own trust function T(signer, verifier_config) -> [0, 1] based on:
- Trust anchor set
A - Maximum depth
d - Decay function
f(depth)(typically exponential or linear) - Required endorsement categories
Two verifiers may reach different trust conclusions for the same attestation. This is by design: there is no single "trusted" or "untrusted" verdict.
Data Structures¶
Attestation DAG¶
The attestation DAG is a directed acyclic graph G = (V, E) where:
- Each vertex
v in Vrepresents an attestation (a signature over a manifest by a specific key). - Each edge
(v_i, v_j) in Erepresents a temporal or role dependency (e.g., an editorial review references an authorship attestation).
The DAG is acyclic by construction: attestation timestamps are monotonically increasing, and each attestation references a manifest that includes all prior attestations.
Endorsement Graph¶
The endorsement graph is a directed graph G_e = (K, E_e) where:
- Vertices
Kare registered keys. - Edges
E_eare endorsed-by relationships, labeled with category and timestamp.
Trust traversal is a depth-limited breadth-first search from a signer key to the verifier's trust anchors, with trust decaying at each hop.
Hash Chain¶
The transparency log is a sequence L = [E_1, E_2, ..., E_n] with the invariant:
E_i.previous_hash = E_{i-1}.entry_hash (for i > 1)
E_1.previous_hash = null
E_i.entry_hash = SHA256(canonical(E_i.payload) || E_i.previous_hash)
Cryptographic Schemes¶
Signature Schemes¶
| Scheme | Curve/Parameters | Security Level | Reference |
|---|---|---|---|
| Ed25519 | Curve25519 | 128-bit | RFC 8032 |
| ECDSA P-256 | NIST P-256 | 128-bit | FIPS 186-4 |
| RSA-2048 | 2048-bit modulus | 112-bit | PKCS#1 v2.2 |
Hash Functions¶
| Function | Output | Usage |
|---|---|---|
| SHA-256 | 256-bit | Content hashing, fingerprints, log chain, Merkle trees |
| Argon2id | Variable | Password hashing (time=2, memory=19456, parallelism=1) |
Temporal Anchoring¶
OpenTimestamps (OTS) is used to anchor log entry hashes to the Bitcoin blockchain. An OTS proof is a Merkle path from the data hash to a value committed in a Bitcoin transaction's OP_RETURN output. Verification requires only a Bitcoin header chain (no full node needed).
Sybil Resistance¶
The endorsement model includes several mechanisms to resist Sybil attacks:
-
Capacity scaling. A key's endorsement capacity is proportional to the trust it has accumulated. New keys with no endorsements have limited capacity.
-
Activation delay. Endorsements enter a pending state and activate only after a configurable delay (
ACTIVATION_DELAY_DAYS). This provides a window for detecting compromised keys. -
Privilege threshold. Keys must reach a minimum trust score (
PRIVILEGE_THRESHOLD) before they can issue endorsements. -
Over-capacity discounting. When a key issues more endorsements than its capacity allows, all its endorsements are proportionally discounted.
-
Vouching decay. Endorsement weight decreases over time and with chain length, preventing long chains of low-trust endorsements from accumulating.
Comparison with Related Work¶
| System | Trust Model | Temporal Proof | Content Privacy | Multi-Party Attestation |
|---|---|---|---|---|
| PGP Web of Trust | Decentralized | None | N/A (key trust only) | No |
| Certificate Transparency | CA-rooted | SCT promises | N/A (cert trust only) | No |
| Keybase | Centralized + social proof | Merkle tree | N/A | No |
| Blockchain notarization | Decentralized consensus | Block time | Typically no | Limited |
| Diogenes | Endorsement-based | Bitcoin (OTS) | Yes (hash only) | Yes (DAG) |
References¶
- Bernstein, D.J. et al. (2012). "High-speed high-security signatures." Journal of Cryptographic Engineering.
- Laurie, B., Langley, A., Kasper, E. (2013). "Certificate Transparency." RFC 6962.
- Todd, P. (2016). "OpenTimestamps: Scalable, Trust-Minimized, Distributed Timestamping with Bitcoin."
- Syta, E. et al. (2017). "Keeping Authorities Honest or Bust with Decentralized Witness Cosigning." IEEE S&P.