]> ULISSY s.r.l.

Via Gaetano Sacchi 16 Roma RM 00153 IT cayerbe@gmail.com

Security Independent Submission identity trajectory proof-of-trajectory geospatial criticality attestation This document specifies the Trajectory-based Recognition of Identity Proof (TRIP) protocol, a decentralized mechanism for establishing claims of physical-world presence through cryptographically signed, spatially quantized location attestations called "breadcrumbs." Breadcrumbs are chained into an append-only log, bundled into verifiable epochs, and distilled into a Trajectory Identity Token (TIT) that serves as a persistent pseudonymous identifier. This revision introduces a formal trust-scoring framework grounded in statistical physics. A Criticality Engine evaluates the Power Spectral Density (PSD) of movement trajectories for the 1/f signature characteristic of biological Self-Organized Criticality (SOC). A mobility model based on truncated Levy flights and Markov anchor transition matrices enforces known constraints of human movement. A six-component Hamiltonian energy function detects anomalies in real time by combining spatial, temporal, kinetic, flock-alignment, contextual, and structural analysis of each breadcrumb against the identity's learned behavioral profile. TRIP is designed to be transport-agnostic and operates independently of any particular naming system, blockchain, or application layer.

Introduction Conventional approaches to proving that an online actor corresponds to a physical human being rely on biometric capture, government-issued documents, or knowledge-based challenges. Each technique introduces a centralized trust anchor, creates honeypots of personally identifiable information (PII), and is susceptible to replay or deepfake attacks. TRIP takes a fundamentally different approach: it treats sustained physical movement through the real world as evidence of embodied existence. A TRIP-enabled device periodically records its position as a "breadcrumb" -- a compact, privacy- preserving, cryptographically signed attestation that the holder of a specific Ed25519 key pair was present in a particular spatial cell at a particular time. An adversary who controls only digital infrastructure cannot fabricate a plausible trajectory because doing so requires controlling radio-frequency environments (GPS, Wi-Fi, cellular, IMU) at many geographic locations over extended periods. Version -01 of this specification adds a rigorous mathematical framework for distinguishing biological movement from synthetic trajectories. Drawing on Giorgio Parisi's Nobel Prize-winning work on scale-free correlations in complex systems and Albert-Laszlo Barabasi's research on the fundamental limits of human mobility , the protocol now includes a Criticality Engine that evaluates whether a trajectory exhibits the statistical fingerprint of a living organism operating at the edge of criticality. This document specifies the data structures, algorithms, and verification procedures that constitute the TRIP protocol. It intentionally omits transport bindings, naming-system integration, and blockchain anchoring, all of which are expected to be addressed in companion specifications.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology

Breadcrumb

A single, signed attestation of spatiotemporal presence. The atomic unit of the TRIP protocol.

Trajectory

An ordered, append-only chain of breadcrumbs produced by a single identity key pair.

Epoch

A bundle of breadcrumbs (default 100) sealed with a Merkle root, forming a verifiable checkpoint.

Trajectory Identity Token (TIT)

A pseudonymous identifier derived from an Ed25519 public key paired with trajectory metadata.

Criticality Engine

The analytical subsystem that evaluates trajectory statistics for signs of biological Self-Organized Criticality (SOC).

Hamiltonian (H)

A weighted energy function that quantifies how much a new breadcrumb deviates from the identity's learned behavioral profile.

Anchor Cell

An H3 cell where an identity has historically spent significant time (e.g., home, workplace).

Flock

The set of co-located TRIP entities whose aggregate movement provides a reference signal for alignment verification.

Proof-of-Humanity (PoH) Certificate

A compact attestation containing only statistical exponents derived from the trajectory, with no raw location data.

Changes from -00 This section summarizes the substantive changes from draft-ayerbe-trip-protocol-00:

• Added the Criticality Engine () with PSD alpha-exponent analysis for biological movement detection.
• Added mobility statistics framework () based on truncated Levy flights and Markov anchor transition matrices.
• Defined the six-component Hamiltonian energy function () for real-time anomaly detection.
• Added Proof-of-Humanity Certificate specification ().
• Expanded Security Considerations with analysis of GPS replay, synthetic walk, and emulator injection attacks.

Breadcrumb Data Structure A breadcrumb is encoded as a CBOR map with the following fields: Breadcrumb CBOR Fields

Key	CBOR Type	Description
0	uint	Index (sequence number)
1	bstr (32)	Identity public key (Ed25519)
2	uint	Timestamp (Unix seconds)
3	uint	H3 cell index
4	uint	H3 resolution (7-9)
5	bstr (32)	Context digest (SHA-256)
6	bstr (32) / null	Previous block hash
7	map	Meta flags
8	bstr (64)	Ed25519 signature

Spatial Quantization The H3 geospatial indexing system partitions the Earth's surface into hexagonal cells at multiple resolutions. TRIP employs resolutions 7 through 9: H3 Resolution Parameters

Resolution	Edge Length	Use Case
7	~1.22 km	Rural / low-density
8	~0.46 km	Default / suburban
9	~0.17 km	Urban / high-density

A conforming implementation MUST quantize raw GPS coordinates to an H3 cell before any signing or storage operation. Raw coordinates MUST NOT appear in breadcrumbs.

Context Digest Computation The context digest binds ambient environmental signals to the breadcrumb without revealing them. The digest is computed as follows:

1. Construct a pipe-delimited string of tagged components in the following order:
   • "h3:" followed by the H3 cell hex string
   • "ts:" followed by the timestamp bucketed to 5-minute intervals (floor(Unix_minutes / 5) * 5)
   • "wifi:" followed by the first 16 hex characters of SHA-256(sorted comma-joined BSSIDs), if Wi-Fi scan data is available
   • "cell:" followed by the first 16 hex characters of SHA-256(sorted comma-joined tower IDs), if cellular data is available
   • "imu:" followed by the first 16 hex characters of SHA-256(IMU vector string), if inertial sensor data is available
2. Compute SHA-256 over the UTF-8 encoding of the resulting string.

Absent components MUST be omitted entirely, not represented as empty strings.

Signature Production The breadcrumb fields at keys 0 through 7 are serialized as a canonical JSON object (keys sorted lexicographically). The Ed25519 signature is computed over the UTF-8 encoding of this JSON string and stored at key 8.

Block Hash and Chaining The block hash is SHA-256 over the concatenation of the canonical JSON representation and the hex-encoded signature, separated by a colon character. Each breadcrumb at index > 0 MUST carry the block hash of its immediate predecessor in field 6, forming an append-only hash chain.

Chain Management

Location Deduplication Proof-of-Trajectory requires demonstrated movement. A conforming implementation MUST reject a breadcrumb if the H3 cell is identical to the immediately preceding breadcrumb. Implementations SHOULD also enforce a cap (default 10) on the number of breadcrumbs recordable at any single H3 cell to prevent stationary farming.

Minimum Collection Interval Breadcrumbs SHOULD be collected at intervals of no less than 15 minutes. An implementation MAY allow shorter intervals during explicit "exploration" sessions but MUST NOT accept intervals shorter than 5 minutes.

Chain Verification A verifier MUST check:

1. Index values form a contiguous sequence starting at 0.
2. Timestamps are monotonically non-decreasing.
3. Each previousHash matches the block hash of the prior breadcrumb.
4. Each Ed25519 signature verifies against the identity public key and the canonical signed data.

Epochs An epoch seals a batch of breadcrumbs (default 100) under a Merkle root. The epoch record is a CBOR map containing: Epoch CBOR Fields

Key	Type	Description
0	uint	Epoch number
1	bstr (32)	Identity public key
2	uint	First breadcrumb index
3	uint	Last breadcrumb index
4	uint	Timestamp of first breadcrumb
5	uint	Timestamp of last breadcrumb
6	bstr (32)	Merkle root of breadcrumb hashes
7	uint	Count of unique H3 cells
8	bstr (64)	Ed25519 signature over fields 0-7

The Merkle tree MUST use SHA-256 and a canonical left-right ordering of breadcrumb block hashes. An epoch is sealed when the breadcrumb count reaches the epoch size threshold.

Trajectory Identity Token (TIT) A TIT is the externally presentable identity derived from a TRIP trajectory. It consists of:

• The Ed25519 public key (32 bytes).
• The current epoch count.
• The total breadcrumb count.
• The count of unique H3 cells visited.
• A trust score (see ).

A TIT SHOULD be encoded as a CBOR map for machine consumption and MAY additionally be represented as a Base64url string for URI embedding.

The Criticality Engine The Criticality Engine is the core analytical component introduced in this revision. It evaluates whether a trajectory exhibits the statistical signature of biological Self-Organized Criticality (SOC) -- the phenomenon where living systems operate at the boundary between order and chaos, producing scale-free correlations that are mathematically distinct from synthetic or automated movement. The theoretical foundation rests on Parisi's demonstration that flocking organisms such as starling murmurations exhibit scale-free correlations where perturbations propagate across the entire group regardless of size. Crucially, Ballerini et al. showed that these interactions are topological (based on nearest k neighbors) rather than metric (based on distance) . Human mobility displays the same critical-state dynamics: movement is neither fully random nor fully deterministic, but exists at a characteristic point in between.

Power Spectral Density Analysis The primary diagnostic is the Power Spectral Density (PSD) of the displacement time series. Given a trajectory of N breadcrumbs with displacements d(i) between consecutive breadcrumbs, the PSD is computed via the Discrete Fourier Transform: The PSD is then fitted to a power-law model: The exponent alpha (the "Parisi Factor") is the critical diagnostic: PSD Alpha Exponent Classification

Alpha Range	Noise Type	Classification
0.00 - 0.15	White noise	Synthetic / automated script
0.15 - 0.30	Near-white	Suspicious (possible sophisticated bot)
0.30 - 0.80	Pink noise (1/f)	Biological / human
0.80 - 1.20	Near-brown	Suspicious (possible replay with drift)
1.20+	Brown noise	Drift anomaly / sensor failure

A conforming implementation MUST compute the PSD alpha exponent over a sliding window of the most recent 64 breadcrumbs (minimum) to 256 breadcrumbs (recommended). The alpha value MUST fall within [0.30, 0.80] for the trajectory to be classified as biological. The key insight is that automated movement generators lack the long-range temporal correlations ("memory") inherent in a system operating at criticality. A random walk produces white noise (alpha near 0). A deterministic replay produces brown noise (alpha near 2). Only a biological system operating at the critical point produces pink noise in the characteristic [0.30, 0.80] range.

Criticality Confidence Score The Criticality Confidence is a value in [0, 1] computed from the alpha exponent and the goodness-of-fit (R-squared) of the power-law regression: A criticality_confidence below 0.5 SHOULD trigger elevated monitoring. A value below 0.3 SHOULD flag the trajectory for manual review or additional verification challenges.

Mobility Statistics This section defines the mobility model that enforces known constraints of human movement, as established by Barabasi et al. .

Truncated Levy Flights Human displacement between consecutive recorded locations follows a truncated power-law distribution: The exponent beta captures the heavy-tailed nature of human movement: most displacements are short (home to office) but occasional long jumps (travel) follow a predictable distribution. The cutoff kappa is learned per identity and represents the characteristic maximum range. A conforming implementation MUST maintain a running estimate of beta and kappa for each identity by fitting the displacement histogram using maximum likelihood estimation over the most recent epoch (100 breadcrumbs). A new displacement that falls outside the 99.9th percentile of the fitted distribution MUST increment the spatial anomaly counter.

Trajectory Predictability Research has demonstrated that approximately 93% of human movement is predictable based on historical patterns . TRIP exploits this by maintaining a Markov Transition Matrix over anchor cells: An anchor cell is defined as any H3 cell where the identity has recorded 5 or more breadcrumbs. The transition matrix is rebuilt at each epoch boundary. The predictability score Pi for an identity is the fraction of observed transitions that match the highest-probability successor in the Markov matrix. Human identities converge toward Pi values in the range [0.80, 0.95] after approximately 200 breadcrumbs. Deviations below 0.60 are anomalous.

Circadian and Weekly Profiles The implementation SHOULD maintain two histogram profiles:

• A circadian profile C[hour] recording the probability of activity in each hour of the day (24 bins).
• A weekly profile W[day] recording the probability of activity on each day of the week (7 bins).

These profiles provide the temporal baseline for the Hamiltonian temporal energy component ().

The Six-Component Hamiltonian To assess each incoming breadcrumb, the Criticality Engine computes a weighted energy score H that quantifies how much the breadcrumb deviates from the identity's learned behavioral profile. High energy indicates anomalous behavior; low energy indicates normalcy. Default weights: Hamiltonian Component Weights

Component	Weight	Diagnostic Target
H_spatial	0.25	Displacement anomalies (teleportation)
H_temporal	0.20	Circadian rhythm violations
H_kinetic	0.20	Anchor transition improbability
H_flock	0.15	Misalignment with local human flow
H_contextual	0.10	Sensor cross-correlation failure
H_structure	0.10	Chain integrity and timing regularity

Weights are modulated by the profile maturity m, defined as min(breadcrumb_count / 200, 1.0). During the bootstrap phase (m < 1.0), all weights are scaled by m, widening the acceptance threshold for new identities.

H_spatial: Displacement Anomaly Given the identity's fitted truncated Levy distribution P(delta_r), the spatial energy for a displacement delta_r is the negative log-likelihood (surprise): Typical displacements yield H_spatial near the identity's historical baseline. A displacement that exceeds the identity's learned kappa cutoff by more than a factor of 3 produces an H_spatial value in the CRITICAL range.

H_temporal: Rhythm Anomaly Using the circadian profile C[hour] and weekly profile W[day]: Activity at 3:00 AM for an identity with a 9-to-5 circadian profile yields high H_temporal. Activity at 8:00 AM on a Tuesday for the same identity yields low H_temporal.

H_kinetic: Transition Anomaly Using the Markov Transition Matrix T: A home-to-office transition at 8:00 AM yields low H_kinetic. An office-to-unknown-city transition yields high H_kinetic.

H_flock: Topological Alignment Inspired by Parisi's finding that starlings track their k nearest topological neighbors (k approximately 6-7) rather than all birds within a metric radius , the flock energy measures alignment between the identity's velocity vector and the aggregate velocity of co-located TRIP entities. When flock data is unavailable (sparse network or privacy constraints), the implementation SHOULD fall back to comparing the current velocity against the identity's own historical velocity distribution at the same location and time-of-day. H_flock defeats GPS replay attacks: an adversary replaying a previously recorded trajectory will find that the ambient flock has changed since the recording, producing a misalignment signal.

H_contextual: Sensor Cross-Correlation This component compares the IMU (accelerometer, gyroscope) signature against the claimed GPS displacement. A genuine device in motion produces correlated IMU and GPS readings. GPS injection on a stationary device is detected by the absence of corresponding IMU activity: Implementations that lack IMU access MUST set H_contextual = 0 and SHOULD increase the weights of other components proportionally.

H_structure: Chain Structural Integrity This component evaluates the structural properties of the breadcrumb chain itself:

• Inter-breadcrumb timing regularity: excessively uniform intervals suggest automation.
• Hash chain continuity: any break in the chain produces maximum H_structure.
• Phase-space smoothness: the velocity-acceleration phase portrait of a human trajectory traces smooth loops, while bots produce either chaotic blobs or tight limit cycles.

Alert Classification The total Hamiltonian H maps to an alert level. The baseline H_baseline is the rolling median of the identity's own recent energy values, making the threshold self-calibrating per identity: Hamiltonian Alert Levels

H Range	Level	Action
[0, H_baseline * 1.5)	NOMINAL	Normal operation
[H_baseline * 1.5, 3.0)	ELEVATED	Increase sampling frequency, log
[3.0, 5.0)	SUSPICIOUS	Flag for review, require reconfirmation
[5.0, infinity)	CRITICAL	Freeze trust score, trigger challenge

Proof-of-Humanity Certificate A PoH Certificate is a compact, privacy-preserving attestation that an identity has demonstrated biological movement characteristics. It contains ONLY statistical exponents derived from the trajectory -- no raw location data, no GPS coordinates, no cell identifiers. The certificate is encoded as a CBOR map: PoH Certificate CBOR Fields

Key	Type	Description
0	bstr (32)	Identity public key
1	uint	Issuance timestamp
2	uint	Epoch count at issuance
3	float	PSD alpha exponent
4	float	Levy beta exponent
5	float	Levy kappa cutoff (km)
6	float	Predictability score Pi
7	float	Criticality confidence
8	float	Trust score T
9	uint	Unique cell count
10	uint	Total breadcrumb count
11	uint	Validity duration (seconds)
12	bstr (64)	Ed25519 signature

A relying party receiving a PoH Certificate can verify:

1. The signature is valid for the claimed public key.
2. The alpha exponent falls within [0.30, 0.80].
3. The criticality confidence exceeds a policy threshold.
4. The trust score meets application requirements.
5. The certificate has not expired.

The certificate reveals NOTHING about where the identity has been -- only that it has moved through the world in a manner statistically consistent with a biological organism.

Trust Scoring The trust score T is computed as a weighted combination of four factors: The threshold for claiming a handle (binding a human-readable name to a TIT) requires breadcrumb_count >= 100 and T >= 20. In the Parisi percolation model, the trust score also incorporates the criticality confidence from the PSD analysis. A trajectory that fails the criticality test (alpha outside [0.30, 0.80]) MUST have its trust score capped at 50, regardless of other factors.

Mapping to RATS Architecture TRIP maps naturally to the RATS architecture defined in : TRIP-to-RATS Role Mapping

RATS Role	TRIP Component
Attester	The TRIP-enabled device producing breadcrumbs
Evidence	Individual breadcrumbs and epoch records
Verifier	The Criticality Engine evaluating trajectory statistics and Hamiltonian energy
Attestation Results	The PoH Certificate and trust score
Relying Party	Any service accepting PoH Certificates as proof of physical-world presence

TRIP breadcrumbs serve as Evidence in the RATS sense: claims produced by an attester (the device) about an attested environment (the physical world), encoded in CBOR, signed with Ed25519, and structured for evaluation by a verifier.

Security Considerations

GPS Replay Attacks An adversary records a legitimate trajectory and replays the GPS coordinates on a different device. TRIP detects this through multiple channels:

• H_flock: the ambient flock of co-located entities has changed since the recording. The replayed trajectory will show misalignment with current human flow.
• H_contextual: unless the adversary also replays Wi-Fi BSSIDs, cellular tower IDs, and IMU data, the context digest will not match.
• H_structure: the timing regularity of a replay is typically either too perfect (exact timestamps) or shifted in a detectable pattern.

Synthetic Walk Generators An adversary uses software to generate plausible-looking GPS coordinates. The Criticality Engine defeats this:

• PSD alpha test: random walk generators produce white noise (alpha approximately 0). Brownian motion generators produce alpha approximately 2. Neither falls in the biological [0.30, 0.80] range.
• Levy flight fitting: synthetic displacements rarely match the truncated power-law distribution with biologically plausible beta and kappa values.
• Predictability test: synthetic trajectories either show near-zero predictability (random) or near-perfect predictability (scripted), both outside the human [0.80, 0.95] range.

Emulator Injection An adversary runs the TRIP client on an Android/iOS emulator with spoofed GPS. Detection relies on:

• H_contextual: emulators typically provide zero or synthetic IMU data that does not correlate with claimed GPS displacement.
• Context digest: emulators lack real Wi-Fi scan data and cellular tower IDs, producing empty or static context digests.

Device Strapping (Robot Dog Attack) An adversary straps a phone to a mobile robot or drone. This is the most sophisticated attack because it produces real GPS, Wi-Fi, cellular, and IMU data from actual physical movement. Mitigation relies on:

• PSD alpha test: robotic movement typically lacks the characteristic 1/f noise of biological systems. Robots move with mechanical regularity (brown noise) or programmatic randomness (white noise).
• Phase-space smoothness (H_structure): a robot's velocity-acceleration phase portrait differs characteristically from human movement.
• Circadian and weekly profiles: a robot generating breadcrumbs 24/7 will diverge from human activity patterns.

This attack remains an active area of research. The protocol's defense-in-depth approach through multiple independent Hamiltonian components makes it progressively more expensive to defeat all channels simultaneously.

Location Privacy TRIP provides location privacy through multiple layers:

• H3 quantization reduces GPS precision to cell-level granularity (170m to 1.2km depending on resolution).
• Trajectory data is stored and analyzed locally on the device. Raw breadcrumbs need never leave the device.
• The PoH Certificate contains only statistical exponents (alpha, beta, kappa), revealing nothing about specific locations visited.
• Context digests are one-way hashes; the underlying Wi-Fi BSSIDs, tower IDs, and IMU vectors cannot be recovered.

Population Density Considerations H3 resolution selection SHOULD account for population density. In sparsely populated areas, even cell-level granularity may narrow identification to very few individuals. Implementations SHOULD use lower resolution (larger cells) in rural areas and MAY allow users to override to a lower resolution at any time.

IANA Considerations This document has no IANA actions at this time. Future revisions may request CBOR tag assignments for breadcrumb, epoch, and PoH Certificate structures.

References Normative References Informative References Uber Technologies The Nobel Foundation Proceedings of the National Academy of Sciences, 107(26), 11865-11870 Proceedings of the National Academy of Sciences, 105(4), 1232-1237 Nature, 453, 779-782 Science, 327(5968), 1018-1021

Acknowledgements The TRIP protocol builds upon foundational work in cryptographic identity systems, geospatial indexing, statistical physics, and network science. The author thanks the contributors to the H3 geospatial system, the Ed25519 specification authors, and the broader IETF community for establishing the standards that TRIP builds upon. The Criticality Engine framework is inspired by the work of Giorgio Parisi on scale-free correlations in biological systems and Albert-Laszlo Barabasi on the fundamental limits of human mobility.