
arxiv: 2607.02304 · v1 · pith:PSKQLOCZnew · submitted 2026-07-02 · 💻 cs.DC · cs.CR · cs.MA

Securing People and their Machines Against Major Faults

Pith reviewed 2026-07-03 05:47 UTC · model grok-4.3

classification: 💻 cs.DC · cs.CR · cs.MA
keywords: grassroots platforms · fault recovery · social graph · identity custodians · state custodians · key loss · device loss · multiagent transactions

The pith

A social graph with designated identity custodians lets agents recover from lost keys and devices without central servers.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a recovery protocol for grassroots platforms where people identified by public keys and their machines can survive the loss of private keys or smartphones. Recovery relies on a grassroots social graph in which each person designates identity custodians and friends act as state custodians. Given a willing supermajority of identity custodians, friends replace a lost public key across the graph and restore the friendships. The authors specify the secure social graph using guarded multiagent atomic transactions and implement it with communicating volitional agents; they prove that every run containing recoverable faults maps to a correct run of the specification. The same approach is applied to grassroots coins and bonds, recovering a single-writer log exactly while preventing double-spends.

Core claim

The implementation of the secure social graph maps every run that contains only recoverable faults onto a correct run of the guarded multiagent atomic-transaction specification; the same mapping holds for the coin and bond platforms, recovering each sovereign's single-writer log without double-spending.

What carries the argument

Identity custodians designated by each person plus the friends serving as state custodians for the social graph, which together authorize and execute public-key replacement and friendship restoration.

If this is right

  • Loss of a private key can be repaired by friends updating the social graph once identity custodians approve.
  • Loss of a device without loss of the key can be repaired solely by state custodians.
  • The same custodian mechanism recovers a currency's single-writer log exactly while preventing double-spends.
  • The proof technique applies uniformly to both the social graph and the coin/bond platforms.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The protocol could be tested by simulating supermajority failures among identity custodians to measure recovery success rate.
  • The off-chain steps for choosing a new key and convincing custodians suggest that human coordination remains the practical bottleneck.
  • If the social graph is dense enough, the number of friends needed to act as state custodians may be small relative to the whole network.

Load-bearing premise

A willing supermajority of the identity custodians chosen by the person will cooperate to authorize a key change, and all friends will correctly serve as state custodians.

What would settle it

A concrete execution trace in the communicating volitional agents model in which a recoverable fault occurs yet the resulting state violates the guarded multiagent atomic-transaction specification for the social graph or allows double-spending in the coin platform.

Original abstract

We consider grassroots platforms -- distributed systems of agents consisting of people identified by self-chosen public keys and their machines (smartphones) -- and wish to make them secure against major faults: the loss of their private keys and/or their smartphones. As grassroots platforms have no global resource to rely on for recovery, our peer-based solution is based on: (i) a grassroots social graph in which agents establish and maintain friendships; (ii) identity custodians, designated by each person, and (iii) state custodians, which are grassroots platform-specific. Upon a person experiencing identity loss, and given a willing supermajority of the identity custodians of the person, the friends of the person replace the old public key with the new one across the graph and restore friendships, where all friends serve as state custodians for the social graph. Choosing a new keypair, obtaining a new smartphone, and convincing identity custodians to will a change of key all happen "off-chain". Recovery from machine loss without loss of key (e.g. smartphone run over by truck, or its memory wiped) is simpler, requiring only the help of state custodians. We specify the social graph and its secure version as guarded multiagent atomic transactions, and implement the secure social graph via communicating volitional agents, an eventually synchronous message-passing model one step closer to implementation. We prove the implementation maps runs with recoverable faults to correct runs of the specification. We follow a similar path for grassroots coins and bonds, showing a common core as well as the platform-specific aspects of state recovery: a currency's single-writer log is recovered exactly, the recovered sovereign resuming without double-spending.
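The two recovery paths the abstract describes, as an added Python model constructed for this page (not the paper's code or its CVA implementation): identity loss needs a supermajority of the person's identity custodians before friends rewrite the key across their own friend lists, while machine loss without key loss is repaired from the friends that still record the person. The two-thirds threshold, the zero-custodian rule and all names are assumptions.

```python
from dataclasses import dataclass, field
# Constructed model of the abstract's recovery mechanism; not the paper's code.
# ASSUMPTION: "supermajority" is taken as at least two thirds of the person's
# identity custodians (the page does not state the paper's exact threshold).
def supermajority(willing: int, total: int) -> bool:
    return total > 0 and 3 * willing >= 2 * total  # no custodians: never recoverable

@dataclass
class Person:
    key: str                                      # self-chosen public key = identity
    friends: set = field(default_factory=set)     # keys of mutual friends
    custodians: set = field(default_factory=set)  # keys of designated identity custodians
class SocialGraph:
    def __init__(self) -> None:
        self.people: dict = {}                    # public key -> Person

    def befriend(self, a: str, b: str) -> None:
        self.people[a].friends.add(b)
        self.people[b].friends.add(a)

    def replace(self, old: str, new: str, vouchers: set) -> bool:
        """Identity loss: given a supermajority of old's identity custodians vouching
        (the new key is chosen off-chain), friends swap old for new in their lists."""
        p = self.people[old]
        if not supermajority(len(vouchers & p.custodians), len(p.custodians)):
            return False                          # unwilling custodians: no rename
        for f in p.friends:                       # friends act as state custodians
            self.people[f].friends.discard(old)
            self.people[f].friends.add(new)
        self.people[new] = Person(new, set(p.friends), set(p.custodians))
        del self.people[old]                      # the abandoned key is retired
        return True

    def restore(self, key: str) -> set:
        """Machine loss without key loss: rebuild the friend list from the friends
        that still record this key; no custodian vote is needed."""
        p = self.people[key]
        p.friends = {k for k, q in self.people.items() if key in q.friends}
        return set(p.friends)
def demo() -> tuple:
    g = SocialGraph()
    for k in ("alice", "bob", "carol", "dave"):
        g.people[k] = Person(k)
    g.befriend("alice", "bob"); g.befriend("alice", "carol"); g.befriend("bob", "dave")
    g.people["alice"].custodians = {"bob", "carol", "dave"}
    one = g.replace("alice", "alice2", {"bob"})           # 1 of 3 vouch: refused
    two = g.replace("alice", "alice2", {"bob", "carol"})  # 2 of 3 vouch: replaced
    bobs_view = set(g.people["bob"].friends)
    g.people["bob"].friends = set()                       # bob's phone is wiped
    return one, two, bobs_view, g.restore("bob")
```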

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 1 minor

Summary. The paper claims to provide a peer-based solution for securing grassroots platforms against major faults (private key loss and/or smartphone loss) without global resources. It relies on a grassroots social graph, identity custodians designated by each person, and state custodians; upon identity loss a willing supermajority of identity custodians authorizes an off-chain key change that friends (serving as state custodians) propagate across the graph. The social graph and its secure version are specified as guarded multiagent atomic transactions; the secure version is implemented by communicating volitional agents in an eventually synchronous message-passing model. The central result is a proof that the implementation maps runs containing recoverable faults to correct runs of the specification. An analogous development is given for grassroots coins and bonds, recovering single-writer logs exactly and resuming without double-spending.

Significance. If the mapping proof is correct, the work supplies a formal, assumption-explicit foundation for fault recovery in fully decentralized, social-trust-based systems. The explicit scoping to supermajority cooperation and the clean separation of off-chain key changes from modeled on-chain transactions are positive features. The identification of a common core across platforms together with platform-specific recovery details is a useful contribution to the design of grassroots distributed systems.

minor comments (1)
  1. The abstract introduces 'guarded multiagent atomic transactions' and 'communicating volitional agents' without a one-sentence gloss; a brief inline definition or forward reference to the section that defines them would improve accessibility for readers outside the immediate sub-area.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the careful summary of the manuscript and for the positive assessment of its significance. We are pleased that the explicit scoping, separation of off-chain and on-chain elements, and the common-core approach across platforms are viewed as useful contributions.

Circularity Check

0 steps flagged

No significant circularity; proof is self-contained

full rationale

The paper presents a specification of the social graph as guarded multiagent atomic transactions and an implementation via communicating volitional agents in an eventually synchronous model, followed by a proof that the implementation maps recoverable-fault runs to correct specification runs. The fault model, recovery assumptions (willing supermajority of identity custodians and friends as state custodians), and off-chain steps are stated explicitly and independently of the mapping proof. No fitted parameters, self-definitional reductions, or load-bearing self-citations are invoked in the derivation chain. The result for coins and bonds is presented as an extension with a common core, without reducing to prior self-citations or ansatzes. The central claim therefore stands as an independent formal argument.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 2 invented entities

The approach rests on assumptions about agent cooperation and message delivery that are standard in distributed-systems modeling but are not independently verified in the abstract.

axioms (2)
  • domain assumption: eventually synchronous message-passing model for communicating volitional agents
    Invoked to define the implementation layer one step closer to real deployment.
  • domain assumption: friends serve as state custodians for the social graph
    Stated as part of the recovery process upon identity loss.
invented entities (2)
  • identity custodians (no independent evidence)
    purpose: designated agents that authorize replacement of a lost public key given supermajority consent
    New role introduced to handle identity loss off-chain.
  • state custodians (no independent evidence)
    purpose: agents that hold and restore platform-specific state after machine loss
    Introduced to separate state recovery from identity recovery.

pith-pipeline@v0.9.1-grok · 5854 in / 1343 out tokens · 22491 ms · 2026-07-03T05:47:21.542529+00:00


Reference graph

Works this paper leans on

20 extracted references

  1. [1]

    Achange-volition transaction of agentp∈Pis a pairc→c′of agent configurations over{p},S,T, and∼such thatcv p̸=c′v p⊆T/∼andcm p =c′m p

  2. [2]

    Avolitional machine transactioninduced by a guarded machine transaction(t,Q′), for somet = (d→d′)∈Tover Q⊆Pand Q′⊆Q, is a pairc→c′where c̸=c′are agent configurations overP, S, T, and∼such that(t,Q′)is enabled inc (Definition B.3); c′m p =d′ p for everyp∈Q; cm p =c′m p for everyp∈P\Q; andc′v p =cv p\{[t]}for every p∈P

  3. [3]

    correct run

    Avolitional multiagent atomic transactionis a change-volition transaction or a volitional machine transaction. When a volitional machine transaction induced by(t,Q′)is taken, the class[t]is removed from every agent’s volitional state. Volitions are thus discharged upon satisfaction—a person wills a class of transactions, and once any transaction in the cl...

  4. [4]

    For a computationr′= c′ 1→c′ 2→···of TS′, σ(r′)is the computation σ(c′ 1)→σ(c′ 2)→···with everystutter transition c→cremoved

    = c0. For a computationr′= c′ 1→c′ 2→···of TS′, σ(r′)is the computation σ(c′ 1)→σ(c′ 2)→···with everystutter transition c→cremoved. The mapping need not preserve transitions: an implementation transition may map to a stutter, and several to a single specification transition. ▶ Definition B.6(Correct and Complete Implementation).An implementation(TS′,σ)of ...

  5. [5]

    no connection has ever been made

    = c0, so it is an implementation. If both are correct,τmaps a correct run ofTS′′to a correct run ofTS′, whichσmaps to a correct run ofTS, and stutter-removal composes, soσ◦τis correct. If both are complete, a correct run ofTS is σ(r′)for a correct runr′of TS′, itselfτ(r′′)for a correct runr′′of TS′′, so(σ◦τ)(r′′)is that run ofTS; thusσ◦τis complete.◀ ▶ De...

  6. [6]

    for everyr that is a sustained mutual friend ofp or ofq, epochr(p,q )is even, so( p,q ) does not appear in the friend-of-friend view atr. C.8 The Security Layer: Identity Records and Recovery We present the secure social graph as a CVA platform extending the social graph CVA implementation with identity-record transport on Befriend, storage of friends’ id...

  7. [7]

    a friend_request, accept, unfriend, or rebind message of epoch≥xbetweenp and q is in transit; 3.q has been replaced—q ran Replace to a new identityq′—and p has not yet integrated the rename, so anew_identity(q,q′,·)addressed topis in transit or inip. Eitan, Keidar, Shapiro 35 C.18.2 Implementation ▶ Definition C.29(Abstract Friend Set at CVA).At a secure ...

  8. [9]

    A completed Restore in CVA, after a state loss atp, realises the abstract Recover(p,q ): it sets ˜Fp to the friends that still recordp, which at quiescence is the full set of friendships recorded atpbefore the state loss. ▶ Corollary 6.2(The CVA Implementation Securely Realises the Social Graph).The secure social graph CVA implementation securely realises...

  9. [11]

    If p and q are mutual friends that retain their identities, thenunreachablep[q] = false infinitely often, henceq∈friendsp infinitely often. The two cases are asymmetric: the vanished friend is dropped permanently—its abandoned key sends no checkpoint to clear the flag—whereas a live friend is reported only recurrently, Eitan, Keidar, Shapiro 37 restored o...

  10. [12]

    Participants{p}∪S

    Form currency(p,S ): whereS⊆Fp and p has not yet formed its currency.S′ p :=S; for eachr∈S:Lr p :=ε. Participants{p}∪S. Guarded byp

  11. [13]

    For each r∈Sp: Lr′ p := L′ p

    Mint(p,k,t ): B′ p := Bp∪¢k p,t, L′ p := Lp·[mint(k,t )]. For each r∈Sp: Lr′ p := L′ p. Participants{p}∪Sp. Guarded byp

  12. [14]

    B′ q := Bq\x, B′ r := Br∪x, L′ s := Ls·[pay(q,r,x )]

    Pay(q,r,x ): where x⊆Bq is a set ofs-coins for some sovereigns. B′ q := Bq\x, B′ r := Br∪x, L′ s := Ls·[pay(q,r,x )]. For each u∈Ss: Lu′ s := L′ s. Participants {q,r,s}∪Ss. Guarded byq. 38 Securing People and Machines

  13. [15]

    B′ q := (Bq\{¢s})∪{¢r,t}, B′ s := (Bs\ {¢r,t})∪{¢s}, L′ s :=Ls·[redeem(q,¢ s,¢ r,t)]

    Redeem(q,s ): where ¢s∈Bq and ¢r,t∈Bs. B′ q := (Bq\{¢s})∪{¢r,t}, B′ s := (Bs\ {¢r,t})∪{¢s}, L′ s :=Ls·[redeem(q,¢ s,¢ r,t)]. For eachu∈Ss: Lu′ s :=L′ s. Participants {q,s}∪Ss. Guarded byq

  14. [16]

    both odd, so equal

    Swap(p,q,x,y ): wherex⊆Bp, y⊆Bq. B′ p := (Bp\x)∪y, B′ q := (Bq\y)∪x. For each sovereigns whose coins appear inx∪y: L′ s :=Ls·[swap(p,q,x s,y s)], and for eachu∈Ss: Lu′ s :=L′ s. Participants{p,q}together with each such sovereigns and its custodiansSs. Guarded by{p,q}. In each transaction inp-coins, the sovereignp is a participant:p’s log grows, and all st...

  15. [17]

    Proof.Without loss of generalitypdoes not want to befriendqat any time≥t

    for everyr that is a sustained mutual friend ofp or ofq, epochr(p,q )is even, so( p,q ) does not appear in the friend-of-friend view atr. Proof.Without loss of generalitypdoes not want to befriendqat any time≥t. (1).Suppose epochp(q)were odd at somet′′≥t, that isq∈˜Fp. By Friend List Soundness (Theorem C.16),p wants to befriendq at somet1≤t′′, with no End...

  16. [18]

    a friend_request, accept, unfriend, or rebind message of epoch≥xbetweenp and q is in transit; 3.q has been replaced—q ran Replace to a new identityq′—and p has not yet integrated the rename, so anew_identity(q,q′,·)addressed topis in transit or inip. Proof. By Friendship Monotonicity (Lemma C.7),epochp(q)is non-decreasing; let T be the last transition up ...

  17. [19]

    A completed Replace cascade in CVA (Vouch, Announce new identity, Integrate new identity, Integrate rebind) realises the abstract Replace(p,p′)on every friendship it reaches; on a friendship-preserving run (Definition 4.8) it reaches every recoverable friend. The one unrecoverable friendship—recorded, at the fault, only by the two friends, the identity of...

  18. [20]

    A completed Restore in CVA, after a state loss atp, realises the abstract Recover(p,q ): it sets ˜Fp to the friends that still recordp, which at quiescence is the full set of friendships recorded atpbefore the state loss. Proof. The configuration is read against the abstract friend set˜F (Definition C.29), each live agent’s own reported friend list, with ...

  19. [21]

    If q records an abandoned keyp that the Replace cascade never reached (Section C.17), then for somet∗≥tL and allt≥t∗,unreachable q[p] =trueandp /∈friendsq

  20. [22]

    If p and q are mutual friends that retain their identities, thenunreachablep[q] = false infinitely often, henceq∈friendsp infinitely often. Proof. (1).In this case the abandoned keyp is retired and the fresh identityp′holds no record of q, so aftertL no checkpoint from p or p′ever reachesq, and missq[p]is never reset by Integrate checkpoint. Since epochq(...