Global Identity Chain (AIC)
The Agentic Identity Chain (AIC) is a content-addressed Merkle DAG that records every identity event in the SmartPoints system. Unlike a blockchain, there is no mining or global currency -- causal ordering via Lamport clocks and predecessor references replaces total global order.
Design Principles
- Content-addressed: Each vertex is identified by its BLAKE3 hash
- Tamper-evident: Changing any field changes the hash and breaks all references
- Post-quantum signatures: ML-DSA-65 (NIST FIPS 204) for all vertex signatures
- Causal ordering: Lamport clocks and predecessor references, not total order
- Selective disclosure: Merkle proofs allow revealing specific events without exposing the full chain
Merkle DAG Structure
The AIC is a directed acyclic graph where each vertex references zero or more predecessors. The genesis vertex has no predecessors. Subsequent vertices reference one or more prior vertices, creating a causal history.
[Genesis] <-- [SovereignRoot] <-- [RoleBind] <-- [AgentDelegate]
^
|
[SmartPointBind] <-- [SmartPointDissolve]Every vertex is stored by its VertexId (BLAKE3 hash of the canonical content). This makes the DAG tamper-evident: modifying any vertex changes its ID and breaks all downstream references.
Vertex Types
| Type | Description |
|---|---|
Genesis | The first vertex in a chain, signed by the root key |
SovereignRoot | Self-generated DID registration (the identity root) |
RoleBind | Accept a role binding from an organization |
AgentDelegate | Delegate an agent under a role with narrowed capabilities |
Revoke | Revoke any DID, role, or delegation |
Federate | Link multiple devices under one identity |
SmartPointBind | Form a bilateral SmartPoint pair |
SmartPointDissolve | Dissolve a SmartPoint pair |
ComplianceAttestation | Attest to software/protocol version compliance |
Vertex Structure
Each vertex contains:
| Field | Type | Description |
|---|---|---|
id | VertexId | BLAKE3 hash of (type, author, content, refs, timestamp) |
vertex_type | VertexType | The identity event type |
author_did | String | DID of the vertex author |
content | serde_json::Value | Event-specific payload |
refs | Vec<VertexId> | References to predecessor vertices |
signature | Vec<u8> | ML-DSA-65 signature |
lamport_clock | u64 | Causal ordering counter |
timestamp | DateTime<Utc> | Wall-clock time of creation |
Chain Operations
Creating a Genesis
use spt_aic::{chain::MerkleDag, genesis::create_genesis, store::InMemoryChainStore};
use spt_pq_crypto::MlDsaKeyPair;
use std::sync::Arc;
let mut rng = rand::thread_rng();
let keypair = MlDsaKeyPair::generate(&mut rng)?;
let store = Arc::new(InMemoryChainStore::new());
let dag = MerkleDag::new(store);
let genesis = create_genesis(&keypair, "did:said:1:sw:blake3_abc")?;
dag.append_vertex(&genesis)?;Appending Vertices
New vertices reference their causal predecessors. The DAG validates that all referenced vertices exist and that the signature is valid before appending.
use spt_aic::vertex::{Vertex, VertexType};
let role_bind = Vertex::new(
VertexType::RoleBind,
"did:said:1:sw:blake3_abc".to_string(),
serde_json::json!({
"role": "developer",
"org_did": "did:said:1:sw:blake3_org"
}),
vec![genesis.id.clone()], // references genesis
signature_bytes,
1, // lamport clock
);
dag.append_vertex(&role_bind)?;Chain Verification
The DAG can verify the entire chain by walking from any vertex back to genesis, checking that every vertex's ID matches its computed hash and every signature is valid.
Merkle Proofs
Merkle proofs allow selective disclosure of identity events. A prover can demonstrate that a specific vertex exists in the chain without revealing the entire DAG.
use spt_aic::MerkleProof;
// Generate a proof that a vertex exists
let proof = dag.generate_proof(&vertex_id)?;
// Verify the proof (can be done by a third party)
let valid = proof.verify(&vertex_id, &dag_root_hash)?;W3C DID Compliance
SmartPoints DIDs follow the W3C DID specification with the said method:
did:said:<version>:<trust_tier>:<hash_algorithm>_<fingerprint>Components:
| Component | Description |
|---|---|
said | DID method name (Smart Agentic ID) |
version | Protocol version (currently 1) |
trust_tier | Hardware trust level: se (Secure Enclave), tpm, sb (StrongBox), tee, sw (software) |
hash_algorithm | Hash function used for the fingerprint (e.g., blake3) |
fingerprint | BLAKE3 hash of the public key material |
Example: did:said:1:se:blake3_a1b2c3d4e5f6
The trust tier indicates the hardware security level of the key material:
| Tier | Label | Hardware |
|---|---|---|
| 1 | se | Apple Secure Enclave |
| 2 | tpm | TPM 2.0 (Windows, Linux) |
| 3 | sb | Android StrongBox |
| 4 | tee | Trusted Execution Environment |
| 5 | sw | Software-only (no hardware backing) |
Key Types
| Type | Crate | Description |
|---|---|---|
MerkleDag | spt-aic | The identity chain DAG |
Vertex | spt-aic | A single identity event |
VertexId | spt-aic | Content-addressed vertex identifier (BLAKE3) |
VertexType | spt-aic | Enum of identity event types |
MerkleProof | spt-aic | Selective disclosure proof |
ChainStore | spt-aic | Trait for chain storage backends |
InMemoryChainStore | spt-aic | In-memory storage implementation |
create_genesis | spt-aic | Genesis block creation function |