Stateless Verification Specification
Version: 1.0.0
Status: Locked at Genesis
Purpose: Enable namespace verification without chain dependency
1. Core Principle
A namespace must remain mathematically verifiable even if:
- The original chain halts
- All validators disappear
- Decades pass
- The software is no longer maintained
This is what makes namespaces truly sovereign.
2. Verification Requirements
Minimal Data Needed
To verify any namespace, you need only:
- Genesis Hash (32 bytes, public)
- Namespace Certificate (IPFS CID)
- Verification Algorithm (open source)
No blockchain state, no full nodes, no network connectivity required (after obtaining certificate).
3. Namespace Certificate Format
Complete Certificate Structure
{
"version": "1.0.0",
"certificate_type": "namespace",
"identity": {
"namespace_id": "1.x",
"namespace_hash": "0x...",
"address": "1NS7kPxQy3...",
"genesis_hash": "0x..."
},
"lineage": {
"parent": "/",
"parent_hash": "0x...",
"depth": 0,
"merkle_proof": {
"path": [
{"hash": "0x...", "position": "left"},
{"hash": "0x...", "position": "right"}
],
"root_hash": "0x..."
}
},
"creation": {
"block_number": 1,
"timestamp": 1737072000,
"entropy": "0x..."
},
"sovereignty": {
"class": "Immutable",
"owner_public_key": "0x...",
"class_proof": "0x..."
},
"rarity": {
"score": 950.5,
"tier": "Mythical",
"components": {
"position_rarity": 0.95,
"pattern_rarity": 0.85,
"hash_entropy": 0.72,
"temporal_rarity": 1.0,
"structural_rarity": 1.0
},
"algorithm_version": "v1"
},
"signature": {
"scheme": "Dilithium5",
"public_key": "0x...",
"signature": "0x..."
},
"ipfs": {
"cid": "Qm...",
"pin_status": "pinned",
"content_hash": "0x..."
}
}
4. Verification Algorithm
Step-by-Step Verification
pub struct NamespaceVerifier;
impl NamespaceVerifier {
/// Verify a namespace certificate completely
pub fn verify_complete(
certificate: &Certificate,
genesis_hash: &[u8; 32],
) -> VerificationResult {
let mut result = VerificationResult::default();
// Step 1: Verify genesis binding
result.genesis_binding = self.verify_genesis_binding(
certificate,
genesis_hash,
);
// Step 2: Verify identity derivation
result.identity = self.verify_identity(certificate);
// Step 3: Verify lineage proof
result.lineage = self.verify_lineage(certificate);
// Step 4: Verify rarity calculation
result.rarity = self.verify_rarity(certificate);
// Step 5: Verify signature
result.signature = self.verify_signature(certificate);
// Step 6: Verify IPFS content hash
result.ipfs = self.verify_ipfs(certificate);
result
}
/// 1. Verify genesis binding
fn verify_genesis_binding(
&self,
cert: &Certificate,
genesis_hash: &[u8; 32],
) -> bool {
// Genesis hash must match
cert.identity.genesis_hash == *genesis_hash
}
/// 2. Verify namespace hash derivation
fn verify_identity(&self, cert: &Certificate) -> bool {
use sha3::{Digest, Sha3_256};
let mut hasher = Sha3_256::new();
// Reconstruct hash
hasher.update(b"web3-rarity-namespace-v1");
hasher.update(&cert.identity.genesis_hash);
hasher.update(&cert.lineage.parent_hash);
hasher.update(cert.identity.namespace_id.as_bytes());
hasher.update(&cert.creation.block_number.to_le_bytes());
hasher.update(&cert.creation.entropy);
let computed_hash: [u8; 32] = hasher.finalize().into();
// Must match certificate hash
computed_hash == cert.identity.namespace_hash
}
/// 3. Verify Merkle lineage proof
fn verify_lineage(&self, cert: &Certificate) -> bool {
let mut current = cert.identity.namespace_hash;
// Walk up the Merkle tree
for node in &cert.lineage.merkle_proof.path {
current = match node.position {
"left" => hash_pair(&node.hash, ¤t),
"right" => hash_pair(¤t, &node.hash),
_ => return false,
};
}
// Root must match genesis commitment
current == cert.lineage.merkle_proof.root_hash
}
/// 4. Verify rarity calculation
fn verify_rarity(&self, cert: &Certificate) -> bool {
let components = &cert.rarity.components;
// Recompute rarity score
let computed_score =
components.position_rarity * 200.0 +
components.pattern_rarity * 300.0 +
components.hash_entropy * 100.0 +
components.temporal_rarity * 150.0 +
components.structural_rarity * 250.0;
// Allow 0.1 point tolerance for floating-point
(computed_score - cert.rarity.score).abs() < 0.1
}
/// 5. Verify certificate signature
fn verify_signature(&self, cert: &Certificate) -> bool {
// Reconstruct signed message
let message = self.create_signing_message(cert);
// Verify using post-quantum signature
match cert.signature.scheme.as_str() {
"Dilithium5" => {
verify_dilithium5(
&cert.signature.public_key,
&message,
&cert.signature.signature,
)
}
"SphincsPlus" => {
verify_sphincs_plus(
&cert.signature.public_key,
&message,
&cert.signature.signature,
)
}
_ => false,
}
}
/// 6. Verify IPFS content hash
fn verify_ipfs(&self, cert: &Certificate) -> bool {
use sha3::{Digest, Sha3_256};
// Hash certificate content
let cert_bytes = serde_json::to_vec(cert).unwrap();
let mut hasher = Sha3_256::new();
hasher.update(&cert_bytes);
let computed_hash: [u8; 32] = hasher.finalize().into();
// Must match stored content hash
computed_hash == cert.ipfs.content_hash
}
fn create_signing_message(&self, cert: &Certificate) -> Vec<u8> {
let mut message = Vec::new();
message.extend_from_slice(&cert.identity.namespace_hash);
message.extend_from_slice(&cert.lineage.parent_hash);
message.extend_from_slice(&cert.creation.block_number.to_le_bytes());
message.extend_from_slice(&cert.sovereignty.owner_public_key);
message
}
}
fn hash_pair(left: &[u8; 32], right: &[u8; 32]) -> [u8; 32] {
use blake3::Hasher;
let mut hasher = Hasher::new();
hasher.update(b"node");
hasher.update(left);
hasher.update(right);
let mut output = [0u8; 32];
hasher.finalize_xof().fill(&mut output);
output
}
5. Verification Result
#[derive(Debug)]
pub struct VerificationResult {
pub genesis_binding: bool, // Genesis hash matches
pub identity: bool, // Namespace hash correct
pub lineage: bool, // Merkle proof valid
pub rarity: bool, // Rarity calculation correct
pub signature: bool, // Signature valid
pub ipfs: bool, // Content hash matches
}
impl VerificationResult {
pub fn is_valid(&self) -> bool {
self.genesis_binding &&
self.identity &&
self.lineage &&
self.rarity &&
self.signature &&
self.ipfs
}
pub fn failures(&self) -> Vec<&str> {
let mut failures = Vec::new();
if !self.genesis_binding { failures.push("genesis_binding"); }
if !self.identity { failures.push("identity"); }
if !self.lineage { failures.push("lineage"); }
if !self.rarity { failures.push("rarity"); }
if !self.signature { failures.push("signature"); }
if !self.ipfs { failures.push("ipfs"); }
failures
}
}
6. Proof Package Format
Portable Verification Package
For maximum portability, bundle everything needed:
pub struct VerificationPackage {
// Certificate
pub certificate: Certificate,
// Genesis parameters (public)
pub genesis_hash: [u8; 32],
pub genesis_params: GenesisParameters,
// Verification code
pub verifier_code: String, // Rust source code
pub verifier_hash: [u8; 32], // Hash of verifier
// Metadata
pub package_version: String,
pub created_at: i64,
}
Storage
{
"certificate": { /* full certificate */ },
"genesis_hash": "0x...",
"genesis_params": { /* parameters from genesis */ },
"verifier_code": "pub fn verify(...) {...}",
"verifier_hash": "0x...",
"package_version": "1.0.0",
"created_at": 1737072000
}
Usage
# Download package from IPFS
ipfs cat Qm... > namespace_proof.json
# Verify (no network needed after download)
cargo run --bin verify -- namespace_proof.json
# Output: ✓ Valid namespace (all checks passed)
7. Standalone Verifier Binary
Minimal Verifier CLI
// verify_namespace.rs
use clap::Parser;
#[derive(Parser)]
struct Args {
/// Path to certificate JSON or IPFS CID
certificate: String,
/// Genesis hash (hex)
#[arg(long)]
genesis: String,
}
fn main() {
let args = Args::parse();
// Load certificate
let cert = load_certificate(&args.certificate)
.expect("Failed to load certificate");
// Parse genesis hash
let genesis_hash = hex::decode(&args.genesis)
.expect("Invalid genesis hash");
// Verify
let verifier = NamespaceVerifier;
let result = verifier.verify_complete(&cert, &genesis_hash);
if result.is_valid() {
println!("✓ Valid namespace");
println!(" ID: {}", cert.identity.namespace_id);
println!(" Hash: {}", hex::encode(cert.identity.namespace_hash));
println!(" Rarity: {} ({})", cert.rarity.score, cert.rarity.tier);
} else {
println!("✗ Invalid namespace");
println!(" Failed checks: {:?}", result.failures());
std::process::exit(1);
}
}
Build Standalone
# Build static binary (no dependencies)
cargo build --release --bin verify
# Run anywhere
./verify namespace.json --genesis 0x1234...
8. Chain-Agnostic Verification
Why Chain-Agnostic?
The verification algorithm:
- Does not require blockchain state
- Does not require RPC calls
- Does not require network connectivity (after certificate fetch)
- Does not require specific chain software
Verification in Any Environment
// Works on any chain, any language, any platform
pub trait ChainAdapter {
fn verify_namespace(&self, cert: Certificate) -> bool {
// Always the same algorithm, regardless of chain
NamespaceVerifier.verify_complete(&cert, &self.genesis_hash()).is_valid()
}
}
// Ethereum implementation
impl ChainAdapter for Ethereum { ... }
// Solana implementation
impl ChainAdapter for Solana { ... }
// Polkadot implementation
impl ChainAdapter for Polkadot { ... }
9. Future-Proof Verification
Time-Independence
Verification remains valid even if:
- Chain halts: Certificate + genesis hash is enough
- Software outdated: Algorithm is simple, reimplementable
- Cryptography weakens: Historical proofs remain valid (timestamped)
- Standards change: Self-contained proofs don't depend on external standards
Proof Longevity
pub struct TimestampedProof {
pub certificate: Certificate,
pub blockchain_proof: BlockchainProof,
pub timestamp_authority: TimestampAuthority,
}
pub struct BlockchainProof {
pub chain: String,
pub block_number: u64,
pub block_hash: [u8; 32],
pub tx_hash: [u8; 32],
}
pub struct TimestampAuthority {
pub source: String, // "Bitcoin", "NIST", etc.
pub timestamp: i64,
pub proof: Vec<u8>,
}
Even if SHA3-256 is broken in 2050, proofs from 2026 remain valid (timestamped before break).
10. Verification Without IPFS
Self-Contained Certificates
Certificates can be stored anywhere:
- IPFS (content-addressed, preferred)
- Arweave (permanent storage)
- On-chain (expensive but possible)
- Local files (for archival)
- USB drives (for air-gapped verification)
Verification Flow
1. Obtain certificate (IPFS, Arweave, on-chain, file)
↓
2. Load genesis hash (public, 32 bytes)
↓
3. Run verification algorithm (pure computation)
↓
4. Result: Valid or Invalid (with reasons)
No dependencies. No network. Pure math.
11. Verification Performance
Benchmarks (Estimated)
| Operation | Time | Memory |
|---|---|---|
| Load certificate | <1 ms | ~10 KB |
| Verify identity | <1 ms | 32 bytes |
| Verify lineage (depth 10) | <10 ms | ~1 KB |
| Verify rarity | <1 ms | negligible |
| Verify signature (Dilithium5) | ~5 ms | ~5 KB |
| Verify IPFS hash | <1 ms | 32 bytes |
| Total | <20 ms | <20 KB |
Verification is extremely fast and resource-light.
12. Batch Verification
Parallel Verification
use rayon::prelude::*;
pub fn verify_batch(
certificates: Vec<Certificate>,
genesis_hash: &[u8; 32],
) -> Vec<VerificationResult> {
certificates
.par_iter()
.map(|cert| {
NamespaceVerifier.verify_complete(cert, genesis_hash)
})
.collect()
}
Can verify thousands of namespaces per second on modern hardware.
13. Verification API
REST API (Optional)
// GET /verify/{cid}
pub async fn verify_endpoint(
cid: String,
genesis_hash: [u8; 32],
) -> Json<VerificationResponse> {
let cert = fetch_from_ipfs(&cid).await?;
let result = NamespaceVerifier.verify_complete(&cert, &genesis_hash);
Json(VerificationResponse {
valid: result.is_valid(),
certificate: cert,
result,
})
}
14. Verification Proofs for Other Chains
ZK-Friendly Verification
For chains that support zero-knowledge proofs:
pub fn generate_zk_proof(cert: &Certificate) -> ZkProof {
// Generate STARK proof of verification
// - Proves certificate is valid
// - Without revealing certificate contents
// - Succinct (~few KB)
// - Fast to verify (~ms)
}
This allows other chains to verify namespace validity without importing full certificates.
Summary
Stateless verification enables:
- Survival: Works even if chain dies
- Portability: Verify anywhere, anytime
- Speed: <20ms per verification
- Simplicity: Pure computation, no dependencies
- Future-proof: Remains valid decades later
This is what makes namespaces truly sovereign.
Status: Locked at Genesis
Algorithm Version: v1 (Immutable)
Verification: Pure Mathematics