Skip to content

Global Identity Chain (AIC)

The Agentic Identity Chain (AIC) is a content-addressed Merkle DAG that records every identity event in the SmartPoints system. Unlike a blockchain, there is no mining or global currency -- causal ordering via Lamport clocks and predecessor references replaces total global order.

Design Principles

  • Content-addressed: Each vertex is identified by its BLAKE3 hash
  • Tamper-evident: Changing any field changes the hash and breaks all references
  • Post-quantum signatures: ML-DSA-65 (NIST FIPS 204) for all vertex signatures
  • Causal ordering: Lamport clocks and predecessor references, not total order
  • Selective disclosure: Merkle proofs allow revealing specific events without exposing the full chain

Merkle DAG Structure

The AIC is a directed acyclic graph where each vertex references zero or more predecessors. The genesis vertex has no predecessors. Subsequent vertices reference one or more prior vertices, creating a causal history.

text
[Genesis] <-- [SovereignRoot] <-- [RoleBind] <-- [AgentDelegate]
                                       ^
                                       |
                              [SmartPointBind] <-- [SmartPointDissolve]

Every vertex is stored by its VertexId (BLAKE3 hash of the canonical content). This makes the DAG tamper-evident: modifying any vertex changes its ID and breaks all downstream references.

Vertex Types

TypeDescription
GenesisThe first vertex in a chain, signed by the root key
SovereignRootSelf-generated DID registration (the identity root)
RoleBindAccept a role binding from an organization
AgentDelegateDelegate an agent under a role with narrowed capabilities
RevokeRevoke any DID, role, or delegation
FederateLink multiple devices under one identity
SmartPointBindForm a bilateral SmartPoint pair
SmartPointDissolveDissolve a SmartPoint pair
ComplianceAttestationAttest to software/protocol version compliance

Vertex Structure

Each vertex contains:

FieldTypeDescription
idVertexIdBLAKE3 hash of (type, author, content, refs, timestamp)
vertex_typeVertexTypeThe identity event type
author_didStringDID of the vertex author
contentserde_json::ValueEvent-specific payload
refsVec<VertexId>References to predecessor vertices
signatureVec<u8>ML-DSA-65 signature
lamport_clocku64Causal ordering counter
timestampDateTime<Utc>Wall-clock time of creation

Chain Operations

Creating a Genesis

rust,ignore
use spt_aic::{chain::MerkleDag, genesis::create_genesis, store::InMemoryChainStore};
use spt_pq_crypto::MlDsaKeyPair;
use std::sync::Arc;

let mut rng = rand::thread_rng();
let keypair = MlDsaKeyPair::generate(&mut rng)?;
let store = Arc::new(InMemoryChainStore::new());
let dag = MerkleDag::new(store);

let genesis = create_genesis(&keypair, "did:said:1:sw:blake3_abc")?;
dag.append_vertex(&genesis)?;

Appending Vertices

New vertices reference their causal predecessors. The DAG validates that all referenced vertices exist and that the signature is valid before appending.

rust,ignore
use spt_aic::vertex::{Vertex, VertexType};

let role_bind = Vertex::new(
    VertexType::RoleBind,
    "did:said:1:sw:blake3_abc".to_string(),
    serde_json::json!({
        "role": "developer",
        "org_did": "did:said:1:sw:blake3_org"
    }),
    vec![genesis.id.clone()],  // references genesis
    signature_bytes,
    1,  // lamport clock
);
dag.append_vertex(&role_bind)?;

Chain Verification

The DAG can verify the entire chain by walking from any vertex back to genesis, checking that every vertex's ID matches its computed hash and every signature is valid.

Merkle Proofs

Merkle proofs allow selective disclosure of identity events. A prover can demonstrate that a specific vertex exists in the chain without revealing the entire DAG.

rust,ignore
use spt_aic::MerkleProof;

// Generate a proof that a vertex exists
let proof = dag.generate_proof(&vertex_id)?;

// Verify the proof (can be done by a third party)
let valid = proof.verify(&vertex_id, &dag_root_hash)?;

W3C DID Compliance

SmartPoints DIDs follow the W3C DID specification with the said method:

text
did:said:<version>:<trust_tier>:<hash_algorithm>_<fingerprint>

Components:

ComponentDescription
saidDID method name (Smart Agentic ID)
versionProtocol version (currently 1)
trust_tierHardware trust level: se (Secure Enclave), tpm, sb (StrongBox), tee, sw (software)
hash_algorithmHash function used for the fingerprint (e.g., blake3)
fingerprintBLAKE3 hash of the public key material

Example: did:said:1:se:blake3_a1b2c3d4e5f6

The trust tier indicates the hardware security level of the key material:

TierLabelHardware
1seApple Secure Enclave
2tpmTPM 2.0 (Windows, Linux)
3sbAndroid StrongBox
4teeTrusted Execution Environment
5swSoftware-only (no hardware backing)

Key Types

TypeCrateDescription
MerkleDagspt-aicThe identity chain DAG
Vertexspt-aicA single identity event
VertexIdspt-aicContent-addressed vertex identifier (BLAKE3)
VertexTypespt-aicEnum of identity event types
MerkleProofspt-aicSelective disclosure proof
ChainStorespt-aicTrait for chain storage backends
InMemoryChainStorespt-aicIn-memory storage implementation
create_genesisspt-aicGenesis block creation function

Released under the MIT License.