FAQ

Status
Draft

Frequent questions about CPHAR — what it is, what it is not, and how it compares to other reserve-proof approaches.

Is CPHAR a zero-knowledge proof?

No. CPHAR is a protocol pattern based on hardware-attested cryptographic seals. Zero-knowledge proofs are an optional aggregation tool layered on top, used when selective disclosure is required. Describing CPHAR itself as "zero-knowledge" is inaccurate.

Is CPHAR a blockchain?

No. CPHAR is registry-agnostic. The registry can be implemented as a centrally operated append-only log, a federated transparency log, or a permissioned ledger. The protocol does not require a public blockchain.

What does a valid seal attestation prove?

It proves that, at the time the response was signed, a device controlling the registered private key was alive, was running firmware matching its registered measurement, and responded to the verifier's fresh challenge — under the seal vendor's stated tamper-response threat model.

What does CPHAR not prove?

That inspection was honest, that material measurement was correct, that the seal hardware cannot be compromised by a determined adversary, that the operator has disclosed all their reserves, or that legal ownership is uncontested. See What CPHAR Does Not Prove.

Why not use just an audit?

Audits are infrequent, slow, and produce evidence that ages quickly. CPHAR is not a replacement for audit; it shrinks the evidence gap between audits by providing continuous cryptographic evidence that physical sealing has not been broken since the last inspection.

What commodities does CPHAR apply to?

Any commodity that can be sealed into a discrete unit and physically inspected — fertilizer, refined metals, grain in sealed silos, fuel in sealed containers. The protocol is commodity-neutral; the inspection and sealing details vary per commodity. See Examples.

What if a seal alarm fires?

The seal destroys or disables its signing key. The corresponding lot is removed from the active reserve set until it is re-inspected and re-sealed. Operators should publish broken-seal events promptly so verifiers cannot reasonably claim the lot in subsequent reserve claims.

Can a seal be cloned?

A well-designed seal cannot be cloned without crossing the tamper-response threshold. No real device achieves this absolutely. CPHAR records the device's firmware measurement and manufacturer attestation at registration so that deviations from the registered state can be detected, and recommends rotation and re-attestation schedules tuned to the vendor's certified tamper level.

How is privacy handled?

CPHAR supports three disclosure levels:

  1. Full disclosure — per-lot data revealed.
  2. Public aggregates with commitments — per-lot fields hidden but aggregates revealed.
  3. Zero-knowledge threshold proofs — only a threshold and snapshot reference revealed.

See ZK integration.

What does "trustless" mean here? Should I use that word?

Avoid "trustless" unless you define it precisely. CPHAR shifts trust — from periodic auditors to seal vendors, registry operators, and the inspection process — rather than eliminating it. Call the system hardware-attested or tamper-evident instead.

Where can I read the protocol spec?

The Specification section is being written. For now, the canonical message formats appear in Seal Attestation.