Trustless Provenance Trees: A Game-Theoretic Framework for Operator-Gated Blockchain Registries

TL;DR

This paper introduces a game-theoretic framework for trustless provenance trees on blockchain, resolving operator trust issues with cryptographic commitments and analyzing attack vectors to ensure integrity.

Contribution

It proposes a dual-layer cryptographic scheme to prevent false attributions and establishes a complete provenance integrity model with multiple mechanisms.

Findings

Proves correctness of the scheme under cryptographic assumptions.

Demonstrates the scheme's Nash equilibrium with honest behavior.

Analyzes attack vectors and necessary integrity mechanisms.

Abstract

We present a formal treatment of provenance trees, directed acyclic graphs of artifact registrations anchored immutably on a public blockchain, and introduce the operator trust problem: when a single privileged operator submits all on-chain registrations on behalf of users, the on-chain record alone cannot distinguish user-initiated registrations from unilateral operator actions. We resolve this through a dual-layer cryptographic commitment scheme in which two commitments derived from a single client-side secret key, binding the key to the tree root and to each unique registration identifier, make false attribution claims strictly dominated strategies. We prove correctness under standard cryptographic assumptions and establish honest behavior as the unique Nash equilibrium without relying on operator trust. We further introduce and analyze the tree poisoning problem: adversarial attacks on users' provenance trees via fraudulent root registration, malicious child attachment, and tree identity spoofing. We characterize the closure properties of each attack variant and prove that a complete provenance tree integrity model requires three distinct mechanisms: cryptographic priority, governance cascade, and contract enforcement, each necessary and none individually sufficient. The construction is deployed on Base (Ethereum L2) as AnchorRegistry, an immutable on-chain provenance registry. We provide gas complexity analysis demonstrating O(1) cost invariant to registry scale, and a trustless reconstruction algorithm recovering the complete registry from public event logs alone.