Verification
BitGraph verification is deterministic and runs offline. No network calls, no API keys, no accounts.
Six-step algorithm
Input: a proof (BitGraphProof), the original bytes (Uint8Array), and an optional verification policy.
1.Structural validation
Check that all required fields are present with correct types. version must be "bitgraph/1", hashAlg must be "sha256", enforcement must be one of the valid tiers, all base64 fields must decode correctly.
2.Artifact digest verification
Compute SHA-256 of the provided bytes. Compare against proof.artifact.digestB64 using constant-time comparison. If they don't match, the proof does not apply to these bytes.
3.Signed body reconstruction
Build the SignedBody object from the proof fields (including actor identity from agency, attribution, and attestation format when present). Canonicalize to sorted-key JSON, encode as UTF-8 bytes. This is what the Ed25519 signature covers.
4.Ed25519 signature verification
Decode publicKeyB64 (must be 32 bytes) and signatureB64 (must be 64 bytes). Verify the Ed25519 signature against the canonical bytes. If invalid, the proof has been tampered with.
5.Attestation binding (measured-tee)
For measured-tee proofs, verify the AWS Nitro attestation in environment.attestation. Parse the COSE_Sign1 document (ES384) and validate the embedded certificate chain from the enclave leaf to the pinned AWS Nitro Enclaves root, verifying each certificate is signed by its parent. Confirm PCR0 equals environment.measurement. Then confirm the binding to this exact proof: the attestation's user_data must equal proofHash. The public_key field is intentionally null, the binding runs through user_data, not public_key. Because proofHash is the SHA-256 of the canonical SignedBody, which commits to signer.publicKeyB64, this ties the genuine enclave to this proof and to the exact key that signed it. The chain is bundled in the proof and validates offline; only certificate revocation (CRL) status requires network and is outside this algorithm.
6.Policy checks
If a VerificationPolicy is provided, enforce its constraints: enforcement tier, allowed measurements, allowed public keys, attestation requirements, counter range, time range, epoch requirements.
Step 5 confirms PCR0 matches the measurement the proof claims, and the certificate chain proves that measurement came from genuine Nitro hardware. To confirm the measurement itself corresponds to the open enclave source, the build is bit-for-bit reproducible: rebuild it and re-derive the exact PCR0 yourself, trusting no one. See reproducible builds.
Verification policy
interface VerificationPolicy {
requireEnforcement?: "stub" | "hw-key" | "measured-tee";
allowedMeasurements?: string[]; // exact match
allowedPublicKeys?: string[]; // exact match
requireAttestation?: boolean;
requireAttestationFormat?: string[];
minCounter?: string; // BigInt-safe
maxCounter?: string;
minTime?: number; // Unix ms
maxTime?: number;
requireEpochId?: boolean;
// Actor-bound proof policy
requireActor?: boolean; // reject proofs without agency
allowedActorKeyIds?: string[]; // exact match
allowedActorProviders?: string[]; // e.g. ["apple-secure-enclave"]
}Trust anchor hierarchy
requireEnforcementalone - prevents in-transit downgrade onlyrequireEnforcement + allowedMeasurements- pins to specific enclave image+ requireAttestation- full trust (vendor-attested hardware boundary)What the verifier does NOT check
| Item | Why |
|---|---|
| Attestation revocation status | Offline verification validates the bundled certificate chain and attestation binding; network CRL checks are outside this algorithm. |
| prevB64 chain integrity | Chain traversal is application-layer logic |
| Counter continuity | Gap detection is application-layer logic |
| Slot allocation validity | Slot signature and hash binding are structural checks; application can verify slotHashB64 matches canonicalized slot body |
| Key provenance | Requires attestation verification |
| Batch context completeness | Verifying all proofs in a batch is application-layer logic |