Provenance
Every crystal is signed.
A delivery is a signature, a hash, a manifold-state pointer, and an evidence-locker reference. None of the four is optional.
Signing protocol
The signature carries the state.
The substrate state at the moment of packaging is part of what is signed.
Every packaging event is signed with a KTS-trust-key using Ed25519. The signed payload is the canonical encoding of the crystal, prefixed by the manifold-state hash, the phi value at the cycle of packaging, and the trust-key identifier.
The signature is not appended in place; it is delivered in a separate envelope at the same path with a .sig suffix, so that consumers may verify the body without parsing it. The envelope itself is a JSON Web Signature.
The trust key is rotated quarterly. Every retired key remains published, with a record of the rotation event signed by both the retired and the current key.
{
  "crystal": "k/anchor-1301",
  "manifold": "sha-256/9f3c…b21e",
  "phi": "0.9351",
  "cycle": "2026-04-01T00:05:00Z",
  "signed_by": "kts-trust-key/2026-04",
  "alg": "Ed25519",
  "sig": "…base64url…"
}
Hash format
One algorithm, one locker.
The body is hashed with SHA-256 in a fixed canonical encoding; the hash is written to an evidence locker that is independent of the delivery path.
SHA-256 over the canonical-form bytes of the packaged crystal, before any transport-layer encoding.
SHA-256 over the substrate state at the cycle of packaging. The state is the union of all anchor coordinates and their evidence pointers at that cycle.
A locker:// URI naming the evidence locker, the cycle, and the body hash. The locker is operated independently of the delivery surface.
An Ed25519 key, rotated quarterly. The current and all retired keys are published at /protocol.
Dispute resolution
Disputes resolve to the hash.
A dispute is opened against a body hash. The locker is queried, the substrate state is recovered, and the resolution is itself signed.
A consumer disputes a delivery by submitting the body hash and the cycle. The locker returns the manifold-state at that cycle, the trust-key id, and the original signature. The dispute resolves in one of three ways.
- The signature verifies and the body matches: the delivery is upheld, the dispute record is signed and archived.
- The signature does not verify: the delivery is refunded in full, the trust key is examined, and a public record of the failure is published in the registry.
- The body does not match the hash: the delivery is reissued at the next coherent window, at no charge, and the substrate is examined for the cause.
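The signing and dispute rules above, as an added Go example that is not the project's own code: it rebuilds the signed payload, checks the body against the locker hash, and verifies the Ed25519 signature against the published keys. The newline framing of the prefix, the hash-before-signature ordering, the outcome strings and all function names are assumptions; the sample body, manifold value and key are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Envelope holds the fields of the detached .sig record that feed verification.
type Envelope struct {
	Manifold, Phi, SignedBy, Sig string
}

// SignedPayload prefixes the canonical body with the manifold hash, phi and
// key id. The newline framing is an assumption; the page fixes no byte layout.
func SignedPayload(e Envelope, body []byte) []byte {
	prefix := e.Manifold + "\n" + e.Phi + "\n" + e.SignedBy + "\n"
	return append([]byte(prefix), body...)
}

// BodyHash is SHA-256 over the canonical-form bytes, hex encoded.
func BodyHash(body []byte) string { return fmt.Sprintf("%x", sha256.Sum256(body)) }

// Resolve returns "reissue" (body does not match the locker hash), "refund"
// (signature fails or key unknown) or "upheld". keys maps key ids to public
// keys, current and retired. Checking the hash first is an assumed ordering.
func Resolve(body []byte, lockerHash string, e Envelope, keys map[string]ed25519.PublicKey) string {
	if BodyHash(body) != lockerHash {
		return "reissue"
	}
	sig, err := base64.RawURLEncoding.DecodeString(e.Sig)
	pub, known := keys[e.SignedBy]
	if err != nil || !known || !ed25519.Verify(pub, SignedPayload(e, body), sig) {
		return "refund"
	}
	return "upheld"
}

// Demo signs a constructed body with a throwaway key and resolves a dispute.
func Demo() string {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	body := []byte(`{"crystal":"k/anchor-1301"}`) // constructed sample body
	e := Envelope{Manifold: "sha-256/constructed", Phi: "0.9351", SignedBy: "kts-trust-key/2026-04"}
	e.Sig = base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, SignedPayload(e, body)))
	return Resolve(body, BodyHash(body), e, map[string]ed25519.PublicKey{e.SignedBy: pub})
}

func main() { fmt.Println(Demo()) }
```

Because the manifold hash, phi and key id are inside the signed bytes, changing any of them in the envelope fails verification even when the body is untouched.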