amduat-api/tier1/per-signature-1.md


PER/SIGNATURE/1 -- PER Signature Layout

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2025-01-17
Tags: [per, signatures, determinism]

Document ID: PER/SIGNATURE/1
Layer: L2 -- Execution receipt signatures (no encoding)

Depends on (normative):

  • ASL/DAM/1
  • ASL/LOG/1

Informative references:

  • ASL/POLICY-HASH/1
  • TGK/1 -- linking signatures via edges

0. Conventions

The key words MUST, MUST NOT, REQUIRED, SHOULD, and MAY are to be interpreted as in RFC 2119.

PER/SIGNATURE/1 defines the logical signature payload and validation steps for PER artifacts. It does not define encodings.


1. Purpose

A PER signature certifies that a deterministic execution occurred under a specific snapshot, with specific inputs, producing a specific output.


2. Canonical Signing Payload

PERSignaturePayload {
    domain_id            : DomainID
    snapshot_id          : SnapshotID
    per_artifact_id      : ArtifactID
    input_artifact_ids[] : ArtifactID (sorted)
    program_id           : ProgramID
    logseq               : u64
    reserved0            : u32
}

3. Payload Validation (Normative)

  • reserved0 MUST be 0.
  • input_artifact_ids[] MUST be unique and sorted.
  • logseq MUST refer to the execution order in the domain log.

4. Canonicalization Rules (Normative)

  1. Byte order: big-endian
  2. Arrays: sorted lexicographically by ArtifactID
  3. No optional fields
  4. No timestamps or environment data
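
The payload of section 2, the validation rules of section 3 and the canonicalization rules of section 4, carried through in code as an added example (not part of this specification). Because PER/SIGNATURE/1 defines no encoding, the example assumes one: every ID is 32 raw bytes, the input array is prefixed with a big-endian u32 count, and payload_hash is SHA-256 over the canonical bytes; sample_id and SAMPLE are constructed sample data.

```python
import hashlib
import struct
from dataclasses import dataclass

# Encoding assumptions (PER/SIGNATURE/1 defines no encoding): every ID is 32 raw
# bytes, the input array carries a big-endian u32 count, integers are big-endian.
ID_LEN = 32

@dataclass(frozen=True)
class PERSignaturePayload:
    domain_id: bytes
    snapshot_id: bytes
    per_artifact_id: bytes
    input_artifact_ids: tuple   # ArtifactIDs, unique and sorted
    program_id: bytes
    logseq: int                 # u64 execution position in the domain log
    reserved0: int = 0          # MUST be 0

def validate_payload(p: PERSignaturePayload) -> None:
    """Section 3 rules plus fixed-width checks; raises ValueError naming the rule."""
    if p.reserved0 != 0:
        raise ValueError("reserved0 MUST be 0")
    ids = list(p.input_artifact_ids)
    if len(set(ids)) != len(ids):
        raise ValueError("input_artifact_ids MUST be unique")
    if ids != sorted(ids):  # bytes compare lexicographically, as section 4 requires
        raise ValueError("input_artifact_ids MUST be sorted")
    if any(len(f) != ID_LEN for f in (p.domain_id, p.snapshot_id,
                                      p.per_artifact_id, p.program_id, *ids)):
        raise ValueError("every ID MUST be exactly ID_LEN bytes")
    if not 0 <= p.logseq < 2 ** 64:
        raise ValueError("logseq MUST fit in u64")

def canonical_bytes(p: PERSignaturePayload) -> bytes:
    """Section 4: fixed field order, big-endian, no optional fields, no timestamps."""
    validate_payload(p)
    out = bytearray(p.domain_id + p.snapshot_id + p.per_artifact_id)
    out += struct.pack(">I", len(p.input_artifact_ids)) + b"".join(p.input_artifact_ids)
    out += p.program_id + struct.pack(">QI", p.logseq, p.reserved0)
    return bytes(out)

def payload_hash(p: PERSignaturePayload) -> bytes:
    """The payload_hash field of PERSignature; SHA-256 is assumed (spec says only Hash)."""
    return hashlib.sha256(canonical_bytes(p)).digest()

def sample_id(tag: int) -> bytes:
    """Constructed sample ArtifactID/DomainID: 32 copies of one byte value."""
    return bytes([tag]) * ID_LEN

SAMPLE = PERSignaturePayload(sample_id(1), sample_id(2), sample_id(3),   # constructed
                             (sample_id(0x10), sample_id(0x20)), sample_id(4), 7)
```

Swapping the two input IDs, repeating one, or setting reserved0 to 1 makes canonical_bytes raise, so the same execution can only ever produce one byte string and one payload_hash.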

5. Signature Object

PERSignature {
    payload_hash : Hash
    public_key   : PublicKey
    signature    : Signature
    algorithm    : SigAlgorithm
}

6. Validation Procedure (Normative)

To validate a PER:

  1. Load snapshot
  2. Resolve DAM
  3. Recompute canonical payload
  4. Verify signature against public_key
  5. Verify public_key is in DAM and has execute role
  6. Verify snapshot_id and logseq match visibility constraints

If any step fails, the PER MUST be rejected as authoritative.


7. Failure Modes

  Condition            Result
  -------------------  --------------------------
  Missing signature    PER is informational only
  Invalid signature    Reject PER
  Key not in DAM       Reject PER
  Snapshot mismatch    Reject PER
  Input mismatch       Reject PER

8. Summary

PER/SIGNATURE/1 defines a minimal, deterministic signature payload and validation procedure for PER artifacts.