CPHAR separates physical-state evidence from reserve accounting.

At the physical layer, a cryptographic seal can prove that it still controls an internal signing key. If the seal is designed so that tampering destroys the key, successful challenge-response attestation becomes evidence that the seal has not been broken under the device's threat model.

At the accounting layer, a verifier can check whether currently attested seals correspond to registered reserve lots.

At the privacy layer, a zero-knowledge proof can optionally prove aggregate statements about those lots without revealing each lot identity.

Example claim

This claim may reveal the threshold amount while hiding individual lot identifiers, warehouse locations, or supplier relationships.

Assumptions this proof relies on

Non-goals

See What CPHAR Does Not Prove for more details on claims that CPHAR is not designed to support.

What data is public

  • Seal public keys, or equivalent identifiers
  • Lot commitments and registry status (subject to disclosure policy)
  • Revocation lists, when published by the operator or auditor
  • Aggregate reserve claims, when the prover chooses to publish them

What data can remain private

  • Individual lot identifiers
  • Warehouse locations
  • Supplier and counterparty identities
  • Detailed material composition reports
  • Symmetric keys or other secrets used in zero-knowledge proofs

Zero-knowledge proofs and commitment schemes give the prover fine-grained control over which fields appear in each verifier-facing claim. See ZK integration.