Skip to main content
TRIP: Trajectory-based Recognition of Identity Proof
TRIP: Trajectory-based Recognition of Identity Proof
draft-ayerbe-trip-protocol-01
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
|---|---|---|---|
| Author | Camilo Ayerbe Posada | ||
| Last updated | 2026-02-08 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ayerbe-trip-protocol-01
Independent Submission C. Ayerbe Posada
Internet-Draft ULISSY s.r.l.
Intended status: Informational 8 February 2026
Expires: 12 August 2026
TRIP: Trajectory-based Recognition of Identity Proof
draft-ayerbe-trip-protocol-01
Abstract
This document specifies the Trajectory-based Recognition of Identity
Proof (TRIP) protocol, a decentralized mechanism for establishing
claims of physical-world presence through cryptographically signed,
spatially quantized location attestations called "breadcrumbs."
Breadcrumbs are chained into an append-only log, bundled into
verifiable epochs, and distilled into a Trajectory Identity Token
(TIT) that serves as a persistent pseudonymous identifier.
This revision introduces a formal trust-scoring framework grounded in
statistical physics. A Criticality Engine evaluates the Power
Spectral Density (PSD) of movement trajectories for the 1/f signature
characteristic of biological Self-Organized Criticality (SOC). A
mobility model based on truncated Levy flights and Markov anchor
transition matrices enforces known constraints of human movement. A
six-component Hamiltonian energy function detects anomalies in real
time by combining spatial, temporal, kinetic, flock-alignment,
contextual, and structural analysis of each breadcrumb against the
identity's learned behavioral profile.
TRIP is designed to be transport-agnostic and operates independently
of any particular naming system, blockchain, or application layer.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Ayerbe Posada Expires 12 August 2026 [Page 1]
Internet-Draft TRIP February 2026
This Internet-Draft will expire on 12 August 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Changes from -00 . . . . . . . . . . . . . . . . . . . . 5
2. Breadcrumb Data Structure . . . . . . . . . . . . . . . . . . 5
2.1. Spatial Quantization . . . . . . . . . . . . . . . . . . 6
2.2. Context Digest Computation . . . . . . . . . . . . . . . 6
2.3. Signature Production . . . . . . . . . . . . . . . . . . 7
2.4. Block Hash and Chaining . . . . . . . . . . . . . . . . . 7
3. Chain Management . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Location Deduplication . . . . . . . . . . . . . . . . . 7
3.2. Minimum Collection Interval . . . . . . . . . . . . . . . 7
3.3. Chain Verification . . . . . . . . . . . . . . . . . . . 7
4. Epochs . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Trajectory Identity Token (TIT) . . . . . . . . . . . . . . . 8
6. The Criticality Engine . . . . . . . . . . . . . . . . . . . 9
6.1. Power Spectral Density Analysis . . . . . . . . . . . . . 9
6.2. Criticality Confidence Score . . . . . . . . . . . . . . 10
7. Mobility Statistics . . . . . . . . . . . . . . . . . . . . . 11
7.1. Truncated Levy Flights . . . . . . . . . . . . . . . . . 11
7.2. Trajectory Predictability . . . . . . . . . . . . . . . . 11
7.3. Circadian and Weekly Profiles . . . . . . . . . . . . . . 12
8. The Six-Component Hamiltonian . . . . . . . . . . . . . . . . 12
8.1. H_spatial: Displacement Anomaly . . . . . . . . . . . . . 13
8.2. H_temporal: Rhythm Anomaly . . . . . . . . . . . . . . . 13
8.3. H_kinetic: Transition Anomaly . . . . . . . . . . . . . . 14
8.4. H_flock: Topological Alignment . . . . . . . . . . . . . 14
8.5. H_contextual: Sensor Cross-Correlation . . . . . . . . . 14
8.6. H_structure: Chain Structural Integrity . . . . . . . . . 15
8.7. Alert Classification . . . . . . . . . . . . . . . . . . 15
9. Proof-of-Humanity Certificate . . . . . . . . . . . . . . . . 16
10. Trust Scoring . . . . . . . . . . . . . . . . . . . . . . . . 17
11. Mapping to RATS Architecture . . . . . . . . . . . . . . . . 17
Ayerbe Posada Expires 12 August 2026 [Page 2]
Internet-Draft TRIP February 2026
12. Security Considerations . . . . . . . . . . . . . . . . . . . 18
12.1. GPS Replay Attacks . . . . . . . . . . . . . . . . . . . 18
12.2. Synthetic Walk Generators . . . . . . . . . . . . . . . 18
12.3. Emulator Injection . . . . . . . . . . . . . . . . . . . 19
12.4. Device Strapping (Robot Dog Attack) . . . . . . . . . . 19
12.5. Location Privacy . . . . . . . . . . . . . . . . . . . . 20
12.6. Population Density Considerations . . . . . . . . . . . 20
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
14.1. Normative References . . . . . . . . . . . . . . . . . . 20
14.2. Informative References . . . . . . . . . . . . . . . . . 21
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 22
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction
Conventional approaches to proving that an online actor corresponds
to a physical human being rely on biometric capture, government-
issued documents, or knowledge-based challenges. Each technique
introduces a centralized trust anchor, creates honeypots of
personally identifiable information (PII), and is susceptible to
replay or deepfake attacks.
TRIP takes a fundamentally different approach: it treats sustained
physical movement through the real world as evidence of embodied
existence. A TRIP-enabled device periodically records its position
as a "breadcrumb" -- a compact, privacy- preserving,
cryptographically signed attestation that the holder of a specific
Ed25519 key pair was present in a particular spatial cell at a
particular time. An adversary who controls only digital
infrastructure cannot fabricate a plausible trajectory because doing
so requires controlling radio-frequency environments (GPS, Wi-Fi,
cellular, IMU) at many geographic locations over extended periods.
Version -01 of this specification adds a rigorous mathematical
framework for distinguishing biological movement from synthetic
trajectories. Drawing on Giorgio Parisi's Nobel Prize-winning work
on scale-free correlations in complex systems [PARISI-NOBEL] and
Albert-Laszlo Barabasi's research on the fundamental limits of human
mobility [BARABASI-MOBILITY], the protocol now includes a Criticality
Engine that evaluates whether a trajectory exhibits the statistical
fingerprint of a living organism operating at the edge of
criticality.
Ayerbe Posada Expires 12 August 2026 [Page 3]
Internet-Draft TRIP February 2026
This document specifies the data structures, algorithms, and
verification procedures that constitute the TRIP protocol. It
intentionally omits transport bindings, naming-system integration,
and blockchain anchoring, all of which are expected to be addressed
in companion specifications.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
1.2. Terminology
Breadcrumb A single, signed attestation of spatiotemporal presence.
The atomic unit of the TRIP protocol.
Trajectory An ordered, append-only chain of breadcrumbs produced by
a single identity key pair.
Epoch A bundle of breadcrumbs (default 100) sealed with a Merkle
root, forming a verifiable checkpoint.
Trajectory Identity Token (TIT) A pseudonymous identifier derived
from an Ed25519 public key paired with trajectory metadata.
Criticality Engine The analytical subsystem that evaluates
trajectory statistics for signs of biological Self-Organized
Criticality (SOC).
Hamiltonian (H) A weighted energy function that quantifies how much
a new breadcrumb deviates from the identity's learned behavioral
profile.
Anchor Cell An H3 cell where an identity has historically spent
significant time (e.g., home, workplace).
Flock The set of co-located TRIP entities whose aggregate movement
provides a reference signal for alignment verification.
Proof-of-Humanity (PoH) Certificate A compact attestation containing
only statistical exponents derived from the trajectory, with no
raw location data.
Ayerbe Posada Expires 12 August 2026 [Page 4]
Internet-Draft TRIP February 2026
1.3. Changes from -00
This section summarizes the substantive changes from draft-ayerbe-
trip-protocol-00:
* Added the Criticality Engine (Section 6) with PSD alpha-exponent
analysis for biological movement detection.
* Added mobility statistics framework (Section 7) based on truncated
Levy flights and Markov anchor transition matrices.
* Defined the six-component Hamiltonian energy function (Section 8)
for real-time anomaly detection.
* Added Proof-of-Humanity Certificate specification (Section 9).
* Expanded Security Considerations with analysis of GPS replay,
synthetic walk, and emulator injection attacks.
2. Breadcrumb Data Structure
A breadcrumb is encoded as a CBOR map [RFC8949] with the following
fields:
+=====+==================+===============================+
| Key | CBOR Type | Description |
+=====+==================+===============================+
| 0 | uint | Index (sequence number) |
+-----+------------------+-------------------------------+
| 1 | bstr (32) | Identity public key (Ed25519) |
+-----+------------------+-------------------------------+
| 2 | uint | Timestamp (Unix seconds) |
+-----+------------------+-------------------------------+
| 3 | uint | H3 cell index |
+-----+------------------+-------------------------------+
| 4 | uint | H3 resolution (7-9) |
+-----+------------------+-------------------------------+
| 5 | bstr (32) | Context digest (SHA-256) |
+-----+------------------+-------------------------------+
| 6 | bstr (32) / null | Previous block hash |
+-----+------------------+-------------------------------+
| 7 | map | Meta flags |
+-----+------------------+-------------------------------+
| 8 | bstr (64) | Ed25519 signature |
+-----+------------------+-------------------------------+
Table 1: Breadcrumb CBOR Fields
Ayerbe Posada Expires 12 August 2026 [Page 5]
Internet-Draft TRIP February 2026
2.1. Spatial Quantization
The H3 geospatial indexing system [H3] partitions the Earth's surface
into hexagonal cells at multiple resolutions. TRIP employs
resolutions 7 through 9:
+============+=============+======================+
| Resolution | Edge Length | Use Case |
+============+=============+======================+
| 7 | ~1.22 km | Rural / low-density |
+------------+-------------+----------------------+
| 8 | ~0.46 km | Default / suburban |
+------------+-------------+----------------------+
| 9 | ~0.17 km | Urban / high-density |
+------------+-------------+----------------------+
Table 2: H3 Resolution Parameters
A conforming implementation MUST quantize raw GPS coordinates to an
H3 cell before any signing or storage operation. Raw coordinates
MUST NOT appear in breadcrumbs.
2.2. Context Digest Computation
The context digest binds ambient environmental signals to the
breadcrumb without revealing them. The digest is computed as
follows:
1. Construct a pipe-delimited string of tagged components in the
following order:
* "h3:" followed by the H3 cell hex string
* "ts:" followed by the timestamp bucketed to 5-minute intervals
(floor(Unix_minutes / 5) * 5)
* "wifi:" followed by the first 16 hex characters of SHA-
256(sorted comma-joined BSSIDs), if Wi-Fi scan data is
available
* "cell:" followed by the first 16 hex characters of SHA-
256(sorted comma-joined tower IDs), if cellular data is
available
* "imu:" followed by the first 16 hex characters of SHA-256(IMU
vector string), if inertial sensor data is available
2. Compute SHA-256 over the UTF-8 encoding of the resulting string.
Ayerbe Posada Expires 12 August 2026 [Page 6]
Internet-Draft TRIP February 2026
Absent components MUST be omitted entirely, not represented as empty
strings.
2.3. Signature Production
The breadcrumb fields at keys 0 through 7 are serialized as a
canonical JSON object (keys sorted lexicographically). The Ed25519
signature [RFC8032] is computed over the UTF-8 encoding of this JSON
string and stored at key 8.
2.4. Block Hash and Chaining
The block hash is SHA-256 over the concatenation of the canonical
JSON representation and the hex-encoded signature, separated by a
colon character. Each breadcrumb at index > 0 MUST carry the block
hash of its immediate predecessor in field 6, forming an append-only
hash chain.
3. Chain Management
3.1. Location Deduplication
Proof-of-Trajectory requires demonstrated movement. A conforming
implementation MUST reject a breadcrumb if the H3 cell is identical
to the immediately preceding breadcrumb. Implementations SHOULD also
enforce a cap (default 10) on the number of breadcrumbs recordable at
any single H3 cell to prevent stationary farming.
3.2. Minimum Collection Interval
Breadcrumbs SHOULD be collected at intervals of no less than 15
minutes. An implementation MAY allow shorter intervals during
explicit "exploration" sessions but MUST NOT accept intervals shorter
than 5 minutes.
3.3. Chain Verification
A verifier MUST check:
1. Index values form a contiguous sequence starting at 0.
2. Timestamps are monotonically non-decreasing.
3. Each previousHash matches the block hash of the prior breadcrumb.
4. Each Ed25519 signature verifies against the identity public key
and the canonical signed data.
Ayerbe Posada Expires 12 August 2026 [Page 7]
Internet-Draft TRIP February 2026
4. Epochs
An epoch seals a batch of breadcrumbs (default 100) under a Merkle
root. The epoch record is a CBOR map containing:
+=====+===========+===================================+
| Key | Type | Description |
+=====+===========+===================================+
| 0 | uint | Epoch number |
+-----+-----------+-----------------------------------+
| 1 | bstr (32) | Identity public key |
+-----+-----------+-----------------------------------+
| 2 | uint | First breadcrumb index |
+-----+-----------+-----------------------------------+
| 3 | uint | Last breadcrumb index |
+-----+-----------+-----------------------------------+
| 4 | uint | Timestamp of first breadcrumb |
+-----+-----------+-----------------------------------+
| 5 | uint | Timestamp of last breadcrumb |
+-----+-----------+-----------------------------------+
| 6 | bstr (32) | Merkle root of breadcrumb hashes |
+-----+-----------+-----------------------------------+
| 7 | uint | Count of unique H3 cells |
+-----+-----------+-----------------------------------+
| 8 | bstr (64) | Ed25519 signature over fields 0-7 |
+-----+-----------+-----------------------------------+
Table 3: Epoch CBOR Fields
The Merkle tree MUST use SHA-256 and a canonical left-right ordering
of breadcrumb block hashes. An epoch is sealed when the breadcrumb
count reaches the epoch size threshold.
5. Trajectory Identity Token (TIT)
A TIT is the externally presentable identity derived from a TRIP
trajectory. It consists of:
* The Ed25519 public key (32 bytes).
* The current epoch count.
* The total breadcrumb count.
* The count of unique H3 cells visited.
* A trust score (see Section 10).
Ayerbe Posada Expires 12 August 2026 [Page 8]
Internet-Draft TRIP February 2026
A TIT SHOULD be encoded as a CBOR map for machine consumption and MAY
additionally be represented as a Base64url string for URI embedding.
6. The Criticality Engine
The Criticality Engine is the core analytical component introduced in
this revision. It evaluates whether a trajectory exhibits the
statistical signature of biological Self-Organized Criticality (SOC)
-- the phenomenon where living systems operate at the boundary
between order and chaos, producing scale-free correlations that are
mathematically distinct from synthetic or automated movement.
The theoretical foundation rests on Parisi's demonstration
[PARISI-NOBEL] that flocking organisms such as starling murmurations
exhibit scale-free correlations [CAVAGNA-STARLINGS] where
perturbations propagate across the entire group regardless of size.
Crucially, Ballerini et al. showed that these interactions are
topological (based on nearest k neighbors) rather than metric (based
on distance) [BALLERINI-TOPOLOGICAL]. Human mobility displays the
same critical-state dynamics: movement is neither fully random nor
fully deterministic, but exists at a characteristic point in between.
6.1. Power Spectral Density Analysis
The primary diagnostic is the Power Spectral Density (PSD) of the
displacement time series. Given a trajectory of N breadcrumbs with
displacements d(i) between consecutive breadcrumbs, the PSD is
computed via the Discrete Fourier Transform:
S(f) = |DFT(d)|^2
where d = [d(0), d(1), ..., d(N-1)]
and d(i) = haversine_distance(cell(i), cell(i-1))
The PSD is then fitted to a power-law model:
S(f) ~ 1 / f^alpha
The exponent alpha (the "Parisi Factor") is the critical diagnostic:
Ayerbe Posada Expires 12 August 2026 [Page 9]
Internet-Draft TRIP February 2026
+=============+=============+==============================+
| Alpha Range | Noise Type | Classification |
+=============+=============+==============================+
| 0.00 - 0.15 | White noise | Synthetic / automated script |
+-------------+-------------+------------------------------+
| 0.15 - 0.30 | Near-white | Suspicious (possible |
| | | sophisticated bot) |
+-------------+-------------+------------------------------+
| 0.30 - 0.80 | Pink noise | Biological / human |
| | (1/f) | |
+-------------+-------------+------------------------------+
| 0.80 - 1.20 | Near-brown | Suspicious (possible replay |
| | | with drift) |
+-------------+-------------+------------------------------+
| 1.20+ | Brown noise | Drift anomaly / sensor |
| | | failure |
+-------------+-------------+------------------------------+
Table 4: PSD Alpha Exponent Classification
A conforming implementation MUST compute the PSD alpha exponent over
a sliding window of the most recent 64 breadcrumbs (minimum) to 256
breadcrumbs (recommended). The alpha value MUST fall within [0.30,
0.80] for the trajectory to be classified as biological.
The key insight is that automated movement generators lack the long-
range temporal correlations ("memory") inherent in a system operating
at criticality. A random walk produces white noise (alpha near 0).
A deterministic replay produces brown noise (alpha near 2). Only a
biological system operating at the critical point produces pink noise
in the characteristic [0.30, 0.80] range.
6.2. Criticality Confidence Score
The Criticality Confidence is a value in [0, 1] computed from the
alpha exponent and the goodness-of-fit (R-squared) of the power-law
regression:
alpha_score = 1.0 - |alpha - 0.55| / 0.25
criticality_confidence = alpha_score * R_squared
where:
0.55 is the center of the biological range
0.25 is the half-width of the biological range
R_squared is the coefficient of determination of the
log-log linear regression
Ayerbe Posada Expires 12 August 2026 [Page 10]
Internet-Draft TRIP February 2026
A criticality_confidence below 0.5 SHOULD trigger elevated
monitoring. A value below 0.3 SHOULD flag the trajectory for manual
review or additional verification challenges.
7. Mobility Statistics
This section defines the mobility model that enforces known
constraints of human movement, as established by Barabasi et al.
[BARABASI-MOBILITY].
7.1. Truncated Levy Flights
Human displacement between consecutive recorded locations follows a
truncated power-law distribution:
P(delta_r) ~ delta_r^(-beta) * exp(-delta_r / kappa)
where:
delta_r = displacement distance (km)
beta = power-law exponent (typically 1.50 - 1.90)
kappa = exponential cutoff distance (km)
The exponent beta captures the heavy-tailed nature of human movement:
most displacements are short (home to office) but occasional long
jumps (travel) follow a predictable distribution. The cutoff kappa
is learned per identity and represents the characteristic maximum
range.
A conforming implementation MUST maintain a running estimate of beta
and kappa for each identity by fitting the displacement histogram
using maximum likelihood estimation over the most recent epoch (100
breadcrumbs).
A new displacement that falls outside the 99.9th percentile of the
fitted distribution MUST increment the spatial anomaly counter.
7.2. Trajectory Predictability
Research has demonstrated that approximately 93% of human movement is
predictable based on historical patterns [SONG-LIMITS]. TRIP
exploits this by maintaining a Markov Transition Matrix over anchor
cells:
T[a_i][a_j] = count(transitions from a_i to a_j)
/ count(all departures from a_i)
where a_i, a_j are anchor cells.
Ayerbe Posada Expires 12 August 2026 [Page 11]
Internet-Draft TRIP February 2026
An anchor cell is defined as any H3 cell where the identity has
recorded 5 or more breadcrumbs. The transition matrix is rebuilt at
each epoch boundary.
The predictability score Pi for an identity is the fraction of
observed transitions that match the highest-probability successor in
the Markov matrix. Human identities converge toward Pi values in the
range [0.80, 0.95] after approximately 200 breadcrumbs. Deviations
below 0.60 are anomalous.
7.3. Circadian and Weekly Profiles
The implementation SHOULD maintain two histogram profiles:
* A circadian profile C[hour] recording the probability of activity
in each hour of the day (24 bins).
* A weekly profile W[day] recording the probability of activity on
each day of the week (7 bins).
These profiles provide the temporal baseline for the Hamiltonian
temporal energy component (Section 8.2).
8. The Six-Component Hamiltonian
To assess each incoming breadcrumb, the Criticality Engine computes a
weighted energy score H that quantifies how much the breadcrumb
deviates from the identity's learned behavioral profile. High energy
indicates anomalous behavior; low energy indicates normalcy.
H = w_1 * H_spatial
+ w_2 * H_temporal
+ w_3 * H_kinetic
+ w_4 * H_flock
+ w_5 * H_contextual
+ w_6 * H_structure
Default weights:
Ayerbe Posada Expires 12 August 2026 [Page 12]
Internet-Draft TRIP February 2026
+==============+========+========================================+
| Component | Weight | Diagnostic Target |
+==============+========+========================================+
| H_spatial | 0.25 | Displacement anomalies (teleportation) |
+--------------+--------+----------------------------------------+
| H_temporal | 0.20 | Circadian rhythm violations |
+--------------+--------+----------------------------------------+
| H_kinetic | 0.20 | Anchor transition improbability |
+--------------+--------+----------------------------------------+
| H_flock | 0.15 | Misalignment with local human flow |
+--------------+--------+----------------------------------------+
| H_contextual | 0.10 | Sensor cross-correlation failure |
+--------------+--------+----------------------------------------+
| H_structure | 0.10 | Chain integrity and timing regularity |
+--------------+--------+----------------------------------------+
Table 5: Hamiltonian Component Weights
Weights are modulated by the profile maturity m, defined as
min(breadcrumb_count / 200, 1.0). During the bootstrap phase (m <
1.0), all weights are scaled by m, widening the acceptance threshold
for new identities.
8.1. H_spatial: Displacement Anomaly
Given the identity's fitted truncated Levy distribution P(delta_r),
the spatial energy for a displacement delta_r is the negative log-
likelihood (surprise):
H_spatial = -log(P(delta_r))
where P(delta_r) = C * delta_r^(-beta) * exp(-delta_r / kappa)
and C is the normalization constant.
Typical displacements yield H_spatial near the identity's historical
baseline. A displacement that exceeds the identity's learned kappa
cutoff by more than a factor of 3 produces an H_spatial value in the
CRITICAL range.
8.2. H_temporal: Rhythm Anomaly
Using the circadian profile C[hour] and weekly profile W[day]:
H_temporal = -log(C[current_hour]) - log(W[current_day])
Activity at 3:00 AM for an identity with a 9-to-5 circadian profile
yields high H_temporal. Activity at 8:00 AM on a Tuesday for the
same identity yields low H_temporal.
Ayerbe Posada Expires 12 August 2026 [Page 13]
Internet-Draft TRIP February 2026
8.3. H_kinetic: Transition Anomaly
Using the Markov Transition Matrix T:
from_anchor = nearest anchor to previous breadcrumb
to_anchor = nearest anchor to current breadcrumb
H_kinetic = -log(max(T[from_anchor][to_anchor], epsilon))
where epsilon = 0.001 (floor to prevent log(0))
A home-to-office transition at 8:00 AM yields low H_kinetic. An
office-to-unknown-city transition yields high H_kinetic.
8.4. H_flock: Topological Alignment
Inspired by Parisi's finding that starlings track their k nearest
topological neighbors (k approximately 6-7) rather than all birds
within a metric radius [PARISI-NOBEL], the flock energy measures
alignment between the identity's velocity vector and the aggregate
velocity of co-located TRIP entities.
v_self = displacement vector of current identity
v_flock = mean displacement vector of k nearest
co-located identities (k = 7)
alignment = dot(v_self, v_flock)
/ (|v_self| * |v_flock|)
H_flock = 1.0 - max(alignment, 0)
When flock data is unavailable (sparse network or privacy
constraints), the implementation SHOULD fall back to comparing the
current velocity against the identity's own historical velocity
distribution at the same location and time-of-day.
H_flock defeats GPS replay attacks: an adversary replaying a
previously recorded trajectory will find that the ambient flock has
changed since the recording, producing a misalignment signal.
8.5. H_contextual: Sensor Cross-Correlation
This component compares the IMU (accelerometer, gyroscope) signature
against the claimed GPS displacement. A genuine device in motion
produces correlated IMU and GPS readings. GPS injection on a
stationary device is detected by the absence of corresponding IMU
activity:
Ayerbe Posada Expires 12 August 2026 [Page 14]
Internet-Draft TRIP February 2026
H_contextual = divergence(
observed_imu_magnitude,
expected_imu_magnitude_for(gps_displacement)
)
Implementations that lack IMU access MUST set H_contextual = 0 and
SHOULD increase the weights of other components proportionally.
8.6. H_structure: Chain Structural Integrity
This component evaluates the structural properties of the breadcrumb
chain itself:
* Inter-breadcrumb timing regularity: excessively uniform intervals
suggest automation.
* Hash chain continuity: any break in the chain produces maximum
H_structure.
* Phase-space smoothness: the velocity-acceleration phase portrait
of a human trajectory traces smooth loops, while bots produce
either chaotic blobs or tight limit cycles.
8.7. Alert Classification
The total Hamiltonian H maps to an alert level. The baseline
H_baseline is the rolling median of the identity's own recent energy
values, making the threshold self-calibrating per identity:
+=========================+============+========================+
| H Range | Level | Action |
+=========================+============+========================+
| [0, H_baseline * 1.5) | NOMINAL | Normal operation |
+-------------------------+------------+------------------------+
| [H_baseline * 1.5, 3.0) | ELEVATED | Increase sampling |
| | | frequency, log |
+-------------------------+------------+------------------------+
| [3.0, 5.0) | SUSPICIOUS | Flag for review, |
| | | require reconfirmation |
+-------------------------+------------+------------------------+
| [5.0, infinity) | CRITICAL | Freeze trust score, |
| | | trigger challenge |
+-------------------------+------------+------------------------+
Table 6: Hamiltonian Alert Levels
Ayerbe Posada Expires 12 August 2026 [Page 15]
Internet-Draft TRIP February 2026
9. Proof-of-Humanity Certificate
A PoH Certificate is a compact, privacy-preserving attestation that
an identity has demonstrated biological movement characteristics. It
contains ONLY statistical exponents derived from the trajectory -- no
raw location data, no GPS coordinates, no cell identifiers.
The certificate is encoded as a CBOR map:
+=====+===========+=============================+
| Key | Type | Description |
+=====+===========+=============================+
| 0 | bstr (32) | Identity public key |
+-----+-----------+-----------------------------+
| 1 | uint | Issuance timestamp |
+-----+-----------+-----------------------------+
| 2 | uint | Epoch count at issuance |
+-----+-----------+-----------------------------+
| 3 | float | PSD alpha exponent |
+-----+-----------+-----------------------------+
| 4 | float | Levy beta exponent |
+-----+-----------+-----------------------------+
| 5 | float | Levy kappa cutoff (km) |
+-----+-----------+-----------------------------+
| 6 | float | Predictability score Pi |
+-----+-----------+-----------------------------+
| 7 | float | Criticality confidence |
+-----+-----------+-----------------------------+
| 8 | float | Trust score T |
+-----+-----------+-----------------------------+
| 9 | uint | Unique cell count |
+-----+-----------+-----------------------------+
| 10 | uint | Total breadcrumb count |
+-----+-----------+-----------------------------+
| 11 | uint | Validity duration (seconds) |
+-----+-----------+-----------------------------+
| 12 | bstr (64) | Ed25519 signature |
+-----+-----------+-----------------------------+
Table 7: PoH Certificate CBOR Fields
A relying party receiving a PoH Certificate can verify:
1. The signature is valid for the claimed public key.
2. The alpha exponent falls within [0.30, 0.80].
3. The criticality confidence exceeds a policy threshold.
Ayerbe Posada Expires 12 August 2026 [Page 16]
Internet-Draft TRIP February 2026
4. The trust score meets application requirements.
5. The certificate has not expired.
The certificate reveals NOTHING about where the identity has been --
only that it has moved through the world in a manner statistically
consistent with a biological organism.
10. Trust Scoring
The trust score T is computed as a weighted combination of four
factors:
T = 0.40 * min(breadcrumb_count / 200, 1.0)
+ 0.30 * min(unique_cells / 50, 1.0)
+ 0.20 * min(days_since_first / 365, 1.0)
+ 0.10 * chain_integrity
chain_integrity = 1.0 if chain verification passes, else 0.0
T is expressed as a percentage in [0, 100].
The threshold for claiming a handle (binding a human-readable name to
a TIT) requires breadcrumb_count >= 100 and T >= 20.
In the Parisi percolation model, the trust score also incorporates
the criticality confidence from the PSD analysis. A trajectory that
fails the criticality test (alpha outside [0.30, 0.80]) MUST have its
trust score capped at 50, regardless of other factors.
11. Mapping to RATS Architecture
TRIP maps naturally to the RATS architecture defined in [RFC9334]:
Ayerbe Posada Expires 12 August 2026 [Page 17]
Internet-Draft TRIP February 2026
+=============+===============================================+
| RATS Role | TRIP Component |
+=============+===============================================+
| Attester | The TRIP-enabled device producing breadcrumbs |
+-------------+-----------------------------------------------+
| Evidence | Individual breadcrumbs and epoch records |
+-------------+-----------------------------------------------+
| Verifier | The Criticality Engine evaluating trajectory |
| | statistics and Hamiltonian energy |
+-------------+-----------------------------------------------+
| Attestation | The PoH Certificate and trust score |
| Results | |
+-------------+-----------------------------------------------+
| Relying | Any service accepting PoH Certificates as |
| Party | proof of physical-world presence |
+-------------+-----------------------------------------------+
Table 8: TRIP-to-RATS Role Mapping
TRIP breadcrumbs serve as Evidence in the RATS sense: claims produced
by an attester (the device) about an attested environment (the
physical world), encoded in CBOR, signed with Ed25519, and structured
for evaluation by a verifier.
12. Security Considerations
12.1. GPS Replay Attacks
An adversary records a legitimate trajectory and replays the GPS
coordinates on a different device. TRIP detects this through
multiple channels:
* H_flock: the ambient flock of co-located entities has changed
since the recording. The replayed trajectory will show
misalignment with current human flow.
* H_contextual: unless the adversary also replays Wi-Fi BSSIDs,
cellular tower IDs, and IMU data, the context digest will not
match.
* H_structure: the timing regularity of a replay is typically either
too perfect (exact timestamps) or shifted in a detectable pattern.
12.2. Synthetic Walk Generators
An adversary uses software to generate plausible-looking GPS
coordinates. The Criticality Engine defeats this:
Ayerbe Posada Expires 12 August 2026 [Page 18]
Internet-Draft TRIP February 2026
* PSD alpha test: random walk generators produce white noise (alpha
approximately 0). Brownian motion generators produce alpha
approximately 2. Neither falls in the biological [0.30, 0.80]
range.
* Levy flight fitting: synthetic displacements rarely match the
truncated power-law distribution with biologically plausible beta
and kappa values.
* Predictability test: synthetic trajectories either show near-zero
predictability (random) or near-perfect predictability (scripted),
both outside the human [0.80, 0.95] range.
12.3. Emulator Injection
An adversary runs the TRIP client on an Android/iOS emulator with
spoofed GPS. Detection relies on:
* H_contextual: emulators typically provide zero or synthetic IMU
data that does not correlate with claimed GPS displacement.
* Context digest: emulators lack real Wi-Fi scan data and cellular
tower IDs, producing empty or static context digests.
12.4. Device Strapping (Robot Dog Attack)
An adversary straps a phone to a mobile robot or drone. This is the
most sophisticated attack because it produces real GPS, Wi-Fi,
cellular, and IMU data from actual physical movement. Mitigation
relies on:
* PSD alpha test: robotic movement typically lacks the
characteristic 1/f noise of biological systems. Robots move with
mechanical regularity (brown noise) or programmatic randomness
(white noise).
* Phase-space smoothness (H_structure): a robot's velocity-
acceleration phase portrait differs characteristically from human
movement.
* Circadian and weekly profiles: a robot generating breadcrumbs 24/7
will diverge from human activity patterns.
This attack remains an active area of research. The protocol's
defense-in-depth approach through multiple independent Hamiltonian
components makes it progressively more expensive to defeat all
channels simultaneously.
Ayerbe Posada Expires 12 August 2026 [Page 19]
Internet-Draft TRIP February 2026
12.5. Location Privacy
TRIP provides location privacy through multiple layers:
* H3 quantization reduces GPS precision to cell-level granularity
(170m to 1.2km depending on resolution).
* Trajectory data is stored and analyzed locally on the device. Raw
breadcrumbs need never leave the device.
* The PoH Certificate contains only statistical exponents (alpha,
beta, kappa), revealing nothing about specific locations visited.
* Context digests are one-way hashes; the underlying Wi-Fi BSSIDs,
tower IDs, and IMU vectors cannot be recovered.
12.6. Population Density Considerations
H3 resolution selection SHOULD account for population density. In
sparsely populated areas, even cell-level granularity may narrow
identification to very few individuals. Implementations SHOULD use
lower resolution (larger cells) in rural areas and MAY allow users to
override to a lower resolution at any time.
13. IANA Considerations
This document has no IANA actions at this time. Future revisions may
request CBOR tag assignments for breadcrumb, epoch, and PoH
Certificate structures.
14. References
14.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
Ayerbe Posada Expires 12 August 2026 [Page 20]
Internet-Draft TRIP February 2026
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/info/rfc8949>.
14.2. Informative References
[RFC9334] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote ATtestation procedureS (RATS)
Architecture", RFC 9334, DOI 10.17487/RFC9334, January
2023, <https://www.rfc-editor.org/info/rfc9334>.
[H3] Uber Technologies, "H3: Uber's Hexagonal Hierarchical
Spatial Index", 2023, <https://h3geo.org/>.
[PARISI-NOBEL]
The Nobel Foundation, "Nobel Prize in Physics 2021:
Giorgio Parisi", 2021,
<https://www.nobelprize.org/prizes/physics/2021/parisi/
facts/>.
[CAVAGNA-STARLINGS]
Cavagna, A., Cimarelli, A., Giardina, I., Parisi, G.,
Santagati, R., Stefanini, F., and M. Viale, "Scale-free
correlations in starling flocks", Proceedings of the
National Academy of Sciences, 107(26), 11865-11870,
DOI 10.1073/pnas.1005766107, 2010,
<https://doi.org/10.1073/pnas.1005766107>.
[BALLERINI-TOPOLOGICAL]
Ballerini, M., Cabibbo, N., Candelier, R., Cavagna, A.,
Cisbani, E., Giardina, I., Lecomte, V., Orlandi, A.,
Parisi, G., Procaccini, A., Viale, M., and V. Zdravkovic,
"Interaction ruling animal collective behavior depends on
topological rather than metric distance", Proceedings of
the National Academy of Sciences, 105(4), 1232-1237,
DOI 10.1073/pnas.0711437105, 2008,
<https://doi.org/10.1073/pnas.0711437105>.
[BARABASI-MOBILITY]
Gonzalez, M.C., Hidalgo, C.A., and A.-L. Barabasi,
"Understanding individual human mobility patterns",
Nature, 453, 779-782, DOI 10.1038/nature06958, 2008,
<https://doi.org/10.1038/nature06958>.
Ayerbe Posada Expires 12 August 2026 [Page 21]
Internet-Draft TRIP February 2026
[SONG-LIMITS]
Song, C., Qu, Z., Blumm, N., and A.-L. Barabasi, "Limits
of Predictability in Human Mobility", Science, 327(5968),
1018-1021, DOI 10.1126/science.1177170, 2010,
<https://doi.org/10.1126/science.1177170>.
Acknowledgements
The TRIP protocol builds upon foundational work in cryptographic
identity systems, geospatial indexing, statistical physics, and
network science. The author thanks the contributors to the H3
geospatial system, the Ed25519 specification authors, and the broader
IETF community for establishing the standards that TRIP builds upon.
The Criticality Engine framework is inspired by the work of Giorgio
Parisi on scale-free correlations in biological systems and Albert-
Laszlo Barabasi on the fundamental limits of human mobility.
Author's Address
Camilo Ayerbe Posada
ULISSY s.r.l.
Via Gaetano Sacchi 16
00153 Roma RM
Italy
Email: cayerbe@gmail.com
Ayerbe Posada Expires 12 August 2026 [Page 22]