| Internet-Draft | TRIP | February 2026 |
| Ayerbe Posada | Expires 12 August 2026 | [Page] |
This document specifies the Trajectory-based Recognition of Identity Proof (TRIP) protocol, a decentralized mechanism for establishing claims of physical-world presence through cryptographically signed, spatially quantized location attestations called "breadcrumbs." Breadcrumbs are chained into an append-only log, bundled into verifiable epochs, and distilled into a Trajectory Identity Token (TIT) that serves as a persistent pseudonymous identifier.¶
This revision introduces a formal trust-scoring framework grounded in statistical physics. A Criticality Engine evaluates the Power Spectral Density (PSD) of movement trajectories for the 1/f signature characteristic of biological Self-Organized Criticality (SOC). A mobility model based on truncated Levy flights and Markov anchor transition matrices enforces known constraints of human movement. A six-component Hamiltonian energy function detects anomalies in real time by combining spatial, temporal, kinetic, flock-alignment, contextual, and structural analysis of each breadcrumb against the identity's learned behavioral profile.¶
TRIP is designed to be transport-agnostic and operates independently of any particular naming system, blockchain, or application layer.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 12 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Conventional approaches to proving that an online actor corresponds to a physical human being rely on biometric capture, government-issued documents, or knowledge-based challenges. Each technique introduces a centralized trust anchor, creates honeypots of personally identifiable information (PII), and is susceptible to replay or deepfake attacks.¶
TRIP takes a fundamentally different approach: it treats sustained physical movement through the real world as evidence of embodied existence. A TRIP-enabled device periodically records its position as a "breadcrumb" -- a compact, privacy- preserving, cryptographically signed attestation that the holder of a specific Ed25519 key pair was present in a particular spatial cell at a particular time. An adversary who controls only digital infrastructure cannot fabricate a plausible trajectory because doing so requires controlling radio-frequency environments (GPS, Wi-Fi, cellular, IMU) at many geographic locations over extended periods.¶
Version -01 of this specification adds a rigorous mathematical framework for distinguishing biological movement from synthetic trajectories. Drawing on Giorgio Parisi's Nobel Prize-winning work on scale-free correlations in complex systems [PARISI-NOBEL] and Albert-Laszlo Barabasi's research on the fundamental limits of human mobility [BARABASI-MOBILITY], the protocol now includes a Criticality Engine that evaluates whether a trajectory exhibits the statistical fingerprint of a living organism operating at the edge of criticality.¶
This document specifies the data structures, algorithms, and verification procedures that constitute the TRIP protocol. It intentionally omits transport bindings, naming-system integration, and blockchain anchoring, all of which are expected to be addressed in companion specifications.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section summarizes the substantive changes from draft-ayerbe-trip-protocol-00:¶
Proof-of-Trajectory requires demonstrated movement. A conforming implementation MUST reject a breadcrumb if the H3 cell is identical to the immediately preceding breadcrumb. Implementations SHOULD also enforce a cap (default 10) on the number of breadcrumbs recordable at any single H3 cell to prevent stationary farming.¶
Breadcrumbs SHOULD be collected at intervals of no less than 15 minutes. An implementation MAY allow shorter intervals during explicit "exploration" sessions but MUST NOT accept intervals shorter than 5 minutes.¶
A verifier MUST check:¶
An epoch seals a batch of breadcrumbs (default 100) under a Merkle root. The epoch record is a CBOR map containing:¶
| Key | Type | Description |
|---|---|---|
| 0 | uint | Epoch number |
| 1 | bstr (32) | Identity public key |
| 2 | uint | First breadcrumb index |
| 3 | uint | Last breadcrumb index |
| 4 | uint | Timestamp of first breadcrumb |
| 5 | uint | Timestamp of last breadcrumb |
| 6 | bstr (32) | Merkle root of breadcrumb hashes |
| 7 | uint | Count of unique H3 cells |
| 8 | bstr (64) | Ed25519 signature over fields 0-7 |
The Merkle tree MUST use SHA-256 and a canonical left-right ordering of breadcrumb block hashes. An epoch is sealed when the breadcrumb count reaches the epoch size threshold.¶
A TIT is the externally presentable identity derived from a TRIP trajectory. It consists of:¶
A TIT SHOULD be encoded as a CBOR map for machine consumption and MAY additionally be represented as a Base64url string for URI embedding.¶
The Criticality Engine is the core analytical component introduced in this revision. It evaluates whether a trajectory exhibits the statistical signature of biological Self-Organized Criticality (SOC) -- the phenomenon where living systems operate at the boundary between order and chaos, producing scale-free correlations that are mathematically distinct from synthetic or automated movement.¶
The theoretical foundation rests on Parisi's demonstration [PARISI-NOBEL] that flocking organisms such as starling murmurations exhibit scale-free correlations [CAVAGNA-STARLINGS] where perturbations propagate across the entire group regardless of size. Crucially, Ballerini et al. showed that these interactions are topological (based on nearest k neighbors) rather than metric (based on distance) [BALLERINI-TOPOLOGICAL]. Human mobility displays the same critical-state dynamics: movement is neither fully random nor fully deterministic, but exists at a characteristic point in between.¶
The primary diagnostic is the Power Spectral Density (PSD) of the displacement time series. Given a trajectory of N breadcrumbs with displacements d(i) between consecutive breadcrumbs, the PSD is computed via the Discrete Fourier Transform:¶
S(f) = |DFT(d)|^2 where d = [d(0), d(1), ..., d(N-1)] and d(i) = haversine_distance(cell(i), cell(i-1))¶
The PSD is then fitted to a power-law model:¶
S(f) ~ 1 / f^alpha¶
The exponent alpha (the "Parisi Factor") is the critical diagnostic:¶
| Alpha Range | Noise Type | Classification |
|---|---|---|
| 0.00 - 0.15 | White noise | Synthetic / automated script |
| 0.15 - 0.30 | Near-white | Suspicious (possible sophisticated bot) |
| 0.30 - 0.80 | Pink noise (1/f) | Biological / human |
| 0.80 - 1.20 | Near-brown | Suspicious (possible replay with drift) |
| 1.20+ | Brown noise | Drift anomaly / sensor failure |
A conforming implementation MUST compute the PSD alpha exponent over a sliding window of the most recent 64 breadcrumbs (minimum) to 256 breadcrumbs (recommended). The alpha value MUST fall within [0.30, 0.80] for the trajectory to be classified as biological.¶
The key insight is that automated movement generators lack the long-range temporal correlations ("memory") inherent in a system operating at criticality. A random walk produces white noise (alpha near 0). A deterministic replay produces brown noise (alpha near 2). Only a biological system operating at the critical point produces pink noise in the characteristic [0.30, 0.80] range.¶
The Criticality Confidence is a value in [0, 1] computed from the alpha exponent and the goodness-of-fit (R-squared) of the power-law regression:¶
alpha_score = 1.0 - |alpha - 0.55| / 0.25
criticality_confidence = alpha_score * R_squared
where:
0.55 is the center of the biological range
0.25 is the half-width of the biological range
R_squared is the coefficient of determination of the
log-log linear regression
¶
A criticality_confidence below 0.5 SHOULD trigger elevated monitoring. A value below 0.3 SHOULD flag the trajectory for manual review or additional verification challenges.¶
This section defines the mobility model that enforces known constraints of human movement, as established by Barabasi et al. [BARABASI-MOBILITY].¶
Human displacement between consecutive recorded locations follows a truncated power-law distribution:¶
P(delta_r) ~ delta_r^(-beta) * exp(-delta_r / kappa)
where:
delta_r = displacement distance (km)
beta = power-law exponent (typically 1.50 - 1.90)
kappa = exponential cutoff distance (km)
¶
The exponent beta captures the heavy-tailed nature of human movement: most displacements are short (home to office) but occasional long jumps (travel) follow a predictable distribution. The cutoff kappa is learned per identity and represents the characteristic maximum range.¶
A conforming implementation MUST maintain a running estimate of beta and kappa for each identity by fitting the displacement histogram using maximum likelihood estimation over the most recent epoch (100 breadcrumbs).¶
A new displacement that falls outside the 99.9th percentile of the fitted distribution MUST increment the spatial anomaly counter.¶
Research has demonstrated that approximately 93% of human movement is predictable based on historical patterns [SONG-LIMITS]. TRIP exploits this by maintaining a Markov Transition Matrix over anchor cells:¶
T[a_i][a_j] = count(transitions from a_i to a_j)
/ count(all departures from a_i)
where a_i, a_j are anchor cells.
¶
An anchor cell is defined as any H3 cell where the identity has recorded 5 or more breadcrumbs. The transition matrix is rebuilt at each epoch boundary.¶
The predictability score Pi for an identity is the fraction of observed transitions that match the highest-probability successor in the Markov matrix. Human identities converge toward Pi values in the range [0.80, 0.95] after approximately 200 breadcrumbs. Deviations below 0.60 are anomalous.¶
The implementation SHOULD maintain two histogram profiles:¶
These profiles provide the temporal baseline for the Hamiltonian temporal energy component (Section 8.2).¶
To assess each incoming breadcrumb, the Criticality Engine computes a weighted energy score H that quantifies how much the breadcrumb deviates from the identity's learned behavioral profile. High energy indicates anomalous behavior; low energy indicates normalcy.¶
H = w_1 * H_spatial
+ w_2 * H_temporal
+ w_3 * H_kinetic
+ w_4 * H_flock
+ w_5 * H_contextual
+ w_6 * H_structure
¶
Default weights:¶
| Component | Weight | Diagnostic Target |
|---|---|---|
| H_spatial | 0.25 | Displacement anomalies (teleportation) |
| H_temporal | 0.20 | Circadian rhythm violations |
| H_kinetic | 0.20 | Anchor transition improbability |
| H_flock | 0.15 | Misalignment with local human flow |
| H_contextual | 0.10 | Sensor cross-correlation failure |
| H_structure | 0.10 | Chain integrity and timing regularity |
Weights are modulated by the profile maturity m, defined as min(breadcrumb_count / 200, 1.0). During the bootstrap phase (m < 1.0), all weights are scaled by m, widening the acceptance threshold for new identities.¶
Given the identity's fitted truncated Levy distribution P(delta_r), the spatial energy for a displacement delta_r is the negative log-likelihood (surprise):¶
H_spatial = -log(P(delta_r)) where P(delta_r) = C * delta_r^(-beta) * exp(-delta_r / kappa) and C is the normalization constant.¶
Typical displacements yield H_spatial near the identity's historical baseline. A displacement that exceeds the identity's learned kappa cutoff by more than a factor of 3 produces an H_spatial value in the CRITICAL range.¶
Using the circadian profile C[hour] and weekly profile W[day]:¶
H_temporal = -log(C[current_hour]) - log(W[current_day])¶
Activity at 3:00 AM for an identity with a 9-to-5 circadian profile yields high H_temporal. Activity at 8:00 AM on a Tuesday for the same identity yields low H_temporal.¶
Using the Markov Transition Matrix T:¶
from_anchor = nearest anchor to previous breadcrumb to_anchor = nearest anchor to current breadcrumb H_kinetic = -log(max(T[from_anchor][to_anchor], epsilon)) where epsilon = 0.001 (floor to prevent log(0))¶
A home-to-office transition at 8:00 AM yields low H_kinetic. An office-to-unknown-city transition yields high H_kinetic.¶
Inspired by Parisi's finding that starlings track their k nearest topological neighbors (k approximately 6-7) rather than all birds within a metric radius [PARISI-NOBEL], the flock energy measures alignment between the identity's velocity vector and the aggregate velocity of co-located TRIP entities.¶
v_self = displacement vector of current identity
v_flock = mean displacement vector of k nearest
co-located identities (k = 7)
alignment = dot(v_self, v_flock)
/ (|v_self| * |v_flock|)
H_flock = 1.0 - max(alignment, 0)
¶
When flock data is unavailable (sparse network or privacy constraints), the implementation SHOULD fall back to comparing the current velocity against the identity's own historical velocity distribution at the same location and time-of-day.¶
H_flock defeats GPS replay attacks: an adversary replaying a previously recorded trajectory will find that the ambient flock has changed since the recording, producing a misalignment signal.¶
This component compares the IMU (accelerometer, gyroscope) signature against the claimed GPS displacement. A genuine device in motion produces correlated IMU and GPS readings. GPS injection on a stationary device is detected by the absence of corresponding IMU activity:¶
H_contextual = divergence(
observed_imu_magnitude,
expected_imu_magnitude_for(gps_displacement)
)
¶
Implementations that lack IMU access MUST set H_contextual = 0 and SHOULD increase the weights of other components proportionally.¶
This component evaluates the structural properties of the breadcrumb chain itself:¶
The total Hamiltonian H maps to an alert level. The baseline H_baseline is the rolling median of the identity's own recent energy values, making the threshold self-calibrating per identity:¶
| H Range | Level | Action |
|---|---|---|
| [0, H_baseline * 1.5) | NOMINAL | Normal operation |
| [H_baseline * 1.5, 3.0) | ELEVATED | Increase sampling frequency, log |
| [3.0, 5.0) | SUSPICIOUS | Flag for review, require reconfirmation |
| [5.0, infinity) | CRITICAL | Freeze trust score, trigger challenge |
A PoH Certificate is a compact, privacy-preserving attestation that an identity has demonstrated biological movement characteristics. It contains ONLY statistical exponents derived from the trajectory -- no raw location data, no GPS coordinates, no cell identifiers.¶
The certificate is encoded as a CBOR map:¶
| Key | Type | Description |
|---|---|---|
| 0 | bstr (32) | Identity public key |
| 1 | uint | Issuance timestamp |
| 2 | uint | Epoch count at issuance |
| 3 | float | PSD alpha exponent |
| 4 | float | Levy beta exponent |
| 5 | float | Levy kappa cutoff (km) |
| 6 | float | Predictability score Pi |
| 7 | float | Criticality confidence |
| 8 | float | Trust score T |
| 9 | uint | Unique cell count |
| 10 | uint | Total breadcrumb count |
| 11 | uint | Validity duration (seconds) |
| 12 | bstr (64) | Ed25519 signature |
A relying party receiving a PoH Certificate can verify:¶
The certificate reveals NOTHING about where the identity has been -- only that it has moved through the world in a manner statistically consistent with a biological organism.¶
The trust score T is computed as a weighted combination of four factors:¶
T = 0.40 * min(breadcrumb_count / 200, 1.0)
+ 0.30 * min(unique_cells / 50, 1.0)
+ 0.20 * min(days_since_first / 365, 1.0)
+ 0.10 * chain_integrity
chain_integrity = 1.0 if chain verification passes, else 0.0
T is expressed as a percentage in [0, 100].
¶
The threshold for claiming a handle (binding a human-readable name to a TIT) requires breadcrumb_count >= 100 and T >= 20.¶
In the Parisi percolation model, the trust score also incorporates the criticality confidence from the PSD analysis. A trajectory that fails the criticality test (alpha outside [0.30, 0.80]) MUST have its trust score capped at 50, regardless of other factors.¶
TRIP maps naturally to the RATS architecture defined in [RFC9334]:¶
| RATS Role | TRIP Component |
|---|---|
| Attester | The TRIP-enabled device producing breadcrumbs |
| Evidence | Individual breadcrumbs and epoch records |
| Verifier | The Criticality Engine evaluating trajectory statistics and Hamiltonian energy |
| Attestation Results | The PoH Certificate and trust score |
| Relying Party | Any service accepting PoH Certificates as proof of physical-world presence |
TRIP breadcrumbs serve as Evidence in the RATS sense: claims produced by an attester (the device) about an attested environment (the physical world), encoded in CBOR, signed with Ed25519, and structured for evaluation by a verifier.¶
An adversary records a legitimate trajectory and replays the GPS coordinates on a different device. TRIP detects this through multiple channels:¶
An adversary uses software to generate plausible-looking GPS coordinates. The Criticality Engine defeats this:¶
An adversary runs the TRIP client on an Android/iOS emulator with spoofed GPS. Detection relies on:¶
An adversary straps a phone to a mobile robot or drone. This is the most sophisticated attack because it produces real GPS, Wi-Fi, cellular, and IMU data from actual physical movement. Mitigation relies on:¶
This attack remains an active area of research. The protocol's defense-in-depth approach through multiple independent Hamiltonian components makes it progressively more expensive to defeat all channels simultaneously.¶
TRIP provides location privacy through multiple layers:¶
H3 resolution selection SHOULD account for population density. In sparsely populated areas, even cell-level granularity may narrow identification to very few individuals. Implementations SHOULD use lower resolution (larger cells) in rural areas and MAY allow users to override to a lower resolution at any time.¶
This document has no IANA actions at this time. Future revisions may request CBOR tag assignments for breadcrumb, epoch, and PoH Certificate structures.¶
The TRIP protocol builds upon foundational work in cryptographic identity systems, geospatial indexing, statistical physics, and network science. The author thanks the contributors to the H3 geospatial system, the Ed25519 specification authors, and the broader IETF community for establishing the standards that TRIP builds upon. The Criticality Engine framework is inspired by the work of Giorgio Parisi on scale-free correlations in biological systems and Albert-Laszlo Barabasi on the fundamental limits of human mobility.¶