Securing People and their Machines Against Major Faults
Pith reviewed 2026-07-03 05:47 UTC · model grok-4.3
The pith
A social graph with designated identity custodians lets agents recover from lost keys and devices without central servers.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The implementation of the secure social graph maps every run that contains only recoverable faults onto a correct run of the guarded multiagent atomic-transaction specification; the same mapping holds for the coin and bond platforms, recovering each sovereign's single-writer log without double-spending.
What carries the argument
Identity custodians designated by each person plus the friends serving as state custodians for the social graph, which together authorize and execute public-key replacement and friendship restoration.
If this is right
- Loss of a private key can be repaired by friends updating the social graph once identity custodians approve.
- Loss of a device without loss of the key can be repaired solely by state custodians.
- The same custodian mechanism recovers a currency's single-writer log exactly while preventing double-spends.
- The proof technique applies uniformly to both the social graph and the coin/bond platforms.
Where Pith is reading between the lines
- The protocol could be tested by simulating supermajority failures among identity custodians to measure recovery success rate.
- The off-chain steps for choosing a new key and convincing custodians suggest that human coordination remains the practical bottleneck.
- If the social graph is dense enough, the number of friends needed to act as state custodians may be small relative to the whole network.
Load-bearing premise
A willing supermajority of the identity custodians chosen by the person will cooperate to authorize a key change, and all friends will correctly serve as state custodians.
What would settle it
A concrete execution trace in the communicating volitional agents model in which a recoverable fault occurs yet the resulting state violates the guarded multiagent atomic-transaction specification for the social graph or allows double-spending in the coin platform.
read the original abstract
We consider grassroots platforms -- distributed systems of agents consisting of people identified by self-chosen public keys and their machines (smartphones) -- and wish to make them secure against \emph{major faults}: the loss of their private keys and/or their smartphones. As grassroots platforms have no global resource to rely on for recovery, our peer-based solution is based on: (\ia) \emph{a grassroots social graph} in which agents establish and maintain friendships; (\ib) \emph{identity custodians}, designated by each person, and (\ic) \emph{state custodians}, which are grassroots platform-specific. Upon a person experiencing identity loss, and given a willing supermajority of the identity custodians of the person, the friends of the person replace the old public key with the new one across the graph and restore friendships, where all friends serve as state custodians for the social graph. Choosing a new keypair, obtaining a new smartphone, and convincing identity custodians to will a change of key all happen ``off-chain''. Recovery from machine loss without loss of key (e.g. smartphone run over by truck, or its memory wiped) is simpler, requiring only the help of state custodians. We specify the social graph and its secure version as guarded multiagent atomic transactions, and implement the secure social graph via communicating volitional agents, an eventually synchronous message-passing model one step closer to implementation. We prove the implementation maps runs with recoverable faults to correct runs of the specification. We follow a similar path for grassroots coins and bonds, showing a common core as well as the platform-specific aspects of state recovery: a currency's single-writer log is recovered exactly, the recovered sovereign resuming without double-spending.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims to provide a peer-based solution for securing grassroots platforms against major faults (private key loss and/or smartphone loss) without global resources. It relies on a grassroots social graph, identity custodians designated by each person, and state custodians; upon identity loss a willing supermajority of identity custodians authorizes an off-chain key change that friends (serving as state custodians) propagate across the graph. The social graph and its secure version are specified as guarded multiagent atomic transactions; the secure version is implemented by communicating volitional agents in an eventually synchronous message-passing model. The central result is a proof that the implementation maps runs containing recoverable faults to correct runs of the specification. An analogous development is given for grassroots coins and bonds, recovering single-writer logs exactly and resuming without double-spending.
Significance. If the mapping proof is correct, the work supplies a formal, assumption-explicit foundation for fault recovery in fully decentralized, social-trust-based systems. The explicit scoping to supermajority cooperation and the clean separation of off-chain key changes from modeled on-chain transactions are positive features. The identification of a common core across platforms together with platform-specific recovery details is a useful contribution to the design of grassroots distributed systems.
minor comments (1)
- The abstract introduces 'guarded multiagent atomic transactions' and 'communicating volitional agents' without a one-sentence gloss; a brief inline definition or forward reference to the section that defines them would improve accessibility for readers outside the immediate sub-area.
Simulated Author's Rebuttal
We thank the referee for the careful summary of the manuscript and for the positive assessment of its significance. We are pleased that the explicit scoping, separation of off-chain and on-chain elements, and the common-core approach across platforms are viewed as useful contributions.
Circularity Check
No significant circularity; proof is self-contained
full rationale
The paper presents a specification of the social graph as guarded multiagent atomic transactions and an implementation via communicating volitional agents in an eventually synchronous model, followed by a proof that the implementation maps recoverable-fault runs to correct specification runs. The fault model, recovery assumptions (willing supermajority of identity custodians and friends as state custodians), and off-chain steps are stated explicitly and independently of the mapping proof. No fitted parameters, self-definitional reductions, or load-bearing self-citations are invoked in the derivation chain. The result for coins and bonds is presented as an extension with a common core, without reducing to prior self-citations or ansatzes. The central claim therefore stands as an independent formal argument.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption Eventually synchronous message-passing model for communicating volitional agents
- domain assumption Friends serve as state custodians for the social graph
invented entities (2)
-
identity custodians
no independent evidence
-
state custodians
no independent evidence
Reference graph
Works this paper leans on
-
[1]
Achange-volition transaction of agentp∈Pis a pairc→c′of agent configurations over{p},S,T, and∼such thatcv p̸=c′v p⊆T/∼andcm p =c′m p
-
[2]
Avolitional machine transactioninduced by a guarded machine transaction(t,Q′), for somet = (d→d′)∈Tover Q⊆Pand Q′⊆Q, is a pairc→c′where c̸=c′are agent configurations overP, S, T, and∼such that(t,Q′)is enabled inc (Definition B.3); c′m p =d′ p for everyp∈Q; cm p =c′m p for everyp∈P\Q; andc′v p =cv p\{[t]}for every p∈P
-
[3]
correct run
Avolitional multiagent atomic transactionis a change-volition transaction or a volitional machine transaction. When a volitional machine transaction induced by(t,Q′)is taken, the class[t]is removed from every agent’s volitional state. Volitions are thus discharged upon satisfaction—a person wills a class of transactions, and once any transaction in the cl...
-
[4]
For a computationr′= c′ 1→c′ 2→···of TS′, σ(r′)is the computation σ(c′ 1)→σ(c′ 2)→···with everystutter transition c→cremoved
= c0. For a computationr′= c′ 1→c′ 2→···of TS′, σ(r′)is the computation σ(c′ 1)→σ(c′ 2)→···with everystutter transition c→cremoved. The mapping need not preserve transitions: an implementation transition may map to a stutter, and several to a single specification transition. ▶ Definition B.6(Correct and Complete Implementation).An implementation(TS′,σ)of ...
-
[5]
no connection has ever been made
= c0, so it is an implementation. If both are correct,τmaps a correct run ofTS′′to a correct run ofTS′, whichσmaps to a correct run ofTS, and stutter-removal composes, soσ◦τis correct. If both are complete, a correct run ofTS is σ(r′)for a correct runr′of TS′, itselfτ(r′′)for a correct runr′′of TS′′, so(σ◦τ)(r′′)is that run ofTS; thusσ◦τis complete.◀ ▶ De...
-
[6]
for everyr that is a sustained mutual friend ofp or ofq, epochr(p,q )is even, so( p,q ) does not appear in the friend-of-friend view atr. C.8 The Security Layer: Identity Records and Recovery We present the secure social graph as a CVA platform extending the social graph CVA implementation with identity-record transport on Befriend, storage of friends’ id...
-
[7]
a friend_request, accept, unfriend, or rebind message of epoch≥xbetweenp and q is in transit; 3.q has been replaced—q ran Replace to a new identityq′—and p has not yet integrated the rename, so anew_identity(q,q′,·)addressed topis in transit or inip. Eitan, Keidar, Shapiro 35 C.18.2 Implementation ▶ Definition C.29(Abstract Friend Set at CVA).At a secure ...
-
[9]
A completed Restore in CVA, after a state loss atp, realises the abstract Recover(p,q ): it sets ˜Fp to the friends that still recordp, which at quiescence is the full set of friendships recorded atpbefore the state loss. ▶ Corollary 6.2(The CVA Implementation Securely Realises the Social Graph).The secure social graph CVA implementation securely realises...
-
[11]
If p and q are mutual friends that retain their identities, thenunreachablep[q] = false infinitely often, henceq∈friendsp infinitely often. The two cases are asymmetric: the vanished friend is dropped permanently—its abandoned key sends no checkpoint to clear the flag—whereas a live friend is reported only recurrently, Eitan, Keidar, Shapiro 37 restored o...
-
[12]
Participants{p}∪S
Form currency(p,S ): whereS⊆Fp and p has not yet formed its currency.S′ p :=S; for eachr∈S:Lr p :=ε. Participants{p}∪S. Guarded byp
-
[13]
For each r∈Sp: Lr′ p := L′ p
Mint(p,k,t ): B′ p := Bp∪¢k p,t, L′ p := Lp·[mint(k,t )]. For each r∈Sp: Lr′ p := L′ p. Participants{p}∪Sp. Guarded byp
-
[14]
B′ q := Bq\x, B′ r := Br∪x, L′ s := Ls·[pay(q,r,x )]
Pay(q,r,x ): where x⊆Bq is a set ofs-coins for some sovereigns. B′ q := Bq\x, B′ r := Br∪x, L′ s := Ls·[pay(q,r,x )]. For each u∈Ss: Lu′ s := L′ s. Participants {q,r,s}∪Ss. Guarded byq. 38 Securing People and Machines
-
[15]
B′ q := (Bq\{¢s})∪{¢r,t}, B′ s := (Bs\ {¢r,t})∪{¢s}, L′ s :=Ls·[redeem(q,¢ s,¢ r,t)]
Redeem(q,s ): where ¢s∈Bq and ¢r,t∈Bs. B′ q := (Bq\{¢s})∪{¢r,t}, B′ s := (Bs\ {¢r,t})∪{¢s}, L′ s :=Ls·[redeem(q,¢ s,¢ r,t)]. For eachu∈Ss: Lu′ s :=L′ s. Participants {q,s}∪Ss. Guarded byq
-
[16]
both odd, so equal
Swap(p,q,x,y ): wherex⊆Bp, y⊆Bq. B′ p := (Bp\x)∪y, B′ q := (Bq\y)∪x. For each sovereigns whose coins appear inx∪y: L′ s :=Ls·[swap(p,q,x s,y s)], and for eachu∈Ss: Lu′ s :=L′ s. Participants{p,q}together with each such sovereigns and its custodiansSs. Guarded by{p,q}. In each transaction inp-coins, the sovereignp is a participant:p’s log grows, and all st...
-
[17]
Proof.Without loss of generalitypdoes not want to befriendqat any time≥t
for everyr that is a sustained mutual friend ofp or ofq, epochr(p,q )is even, so( p,q ) does not appear in the friend-of-friend view atr. Proof.Without loss of generalitypdoes not want to befriendqat any time≥t. (1).Suppose epochp(q)were odd at somet′′≥t, that isq∈˜Fp. By Friend List Soundness (Theorem C.16),p wants to befriendq at somet1≤t′′, with no End...
-
[18]
a friend_request, accept, unfriend, or rebind message of epoch≥xbetweenp and q is in transit; 3.q has been replaced—q ran Replace to a new identityq′—and p has not yet integrated the rename, so anew_identity(q,q′,·)addressed topis in transit or inip. Proof. By Friendship Monotonicity (Lemma C.7),epochp(q)is non-decreasing; let T be the last transition up ...
-
[19]
A completed Replace cascade in CVA (Vouch, Announce new identity, Integrate new identity, Integrate rebind) realises the abstract Replace(p,p′)on every friendship it reaches; on a friendship-preserving run (Definition 4.8) it reaches every recoverable friend. The one unrecoverable friendship—recorded, at the fault, only by the two friends, the identity of...
-
[20]
A completed Restore in CVA, after a state loss atp, realises the abstract Recover(p,q ): it sets ˜Fp to the friends that still recordp, which at quiescence is the full set of friendships recorded atpbefore the state loss. Proof. The configuration is read against the abstract friend set˜F (Definition C.29), each live agent’s own reported friend list, with ...
-
[21]
If q records an abandoned keyp that the Replace cascade never reached (Section C.17), then for somet∗≥tL and allt≥t∗,unreachable q[p] =trueandp /∈friendsq
-
[22]
If p and q are mutual friends that retain their identities, thenunreachablep[q] = false infinitely often, henceq∈friendsp infinitely often. Proof. (1).In this case the abandoned keyp is retired and the fresh identityp′holds no record of q, so aftertL no checkpoint from p or p′ever reachesq, and missq[p]is never reset by Integrate checkpoint. Since epochq(...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.