Cryptographic Integrity Layer

Cryptographic Audit Infrastructure

QUORUM's audit system does not ask auditors to trust its records. It produces cryptographic artifacts that allow any authorized party to verify the integrity, ordering, and correctness of the audit ledger independently — without access to QUORUM's internal systems.

01
The Audit Artifact Stack

Five artifacts are produced per audit period. Each is independently verifiable. Together they provide interlocking assurance — tampering with one invalidates the others. The artifact bundle is the complete evidentiary record for the period.

1
KZG Commitment Root
48 bytes · BLS12-381 G1 point · published per period

A single 48-byte BLS12-381 G1 point committing to all audit log entries in the period. Published after each commitment window closes. Any party holding the public structured reference string (SRS) can verify inclusion proofs against this root. The root is the anchor point for all per-entry verification.

2
Nova IVC Compressed SNARK
~10KB · constant size and verification cost regardless of N

Proves that all N decision computations in the period were correctly executed. This is a correctness proof, not merely an integrity check: it attests that each computation was performed as specified, not just that the records exist. The compressed proof is ~10KB and the verifier's work is fixed by the step circuit, so neither grows with N. Produced using the Spartan IPA-PC proving system on the Pallas/Vesta curve cycle.

3
RFC 3161 Timestamp Witness
FreeTSA / DigiCert · external time anchor · non-repudiable

An external trusted timestamp authority signature over the KZG commitment root. The TSA receives only SHA-256(commitment_root) — no decision content, no session data. The signed TimeStampToken anchors the commitment root to a globally trusted clock not controlled by QUORUM. Establishes non-repudiable proof that the root existed before the TSA timestamp was issued.

4
FROST(Ed25519) Threshold Signature
(t,n) co-signature · requires institution participation · forgery-resistant

A (t,n) threshold co-signature over the finalized audit bundle hash. Reaching the signing threshold requires QUORUM's signing shares and the institution's key share together, so neither party can produce a valid signature on its own (with QUORUM holding n-1 shares, as section 04 specifies, this requires t = n). Forgery requires the simultaneous compromise of both QUORUM's infrastructure and the institution's key material.

5
Rényi DP Privacy Certificate
HSM-signed · per-period budget record · verifiable parameters

An HSM-signed certificate recording the federated learning differential privacy budget consumed in the period: the Rényi divergence order alpha, the epsilon and delta parameters, and the noise calibration parameters applied. An auditor can recompute the (epsilon, delta) claim from the published noise calibration record and check it against the certificate, which lets a regulator verify that the privacy budget constraints were observed throughout the period.
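A worked check of the certificate's parameters, added here as an example; it is not QUORUM's tooling. It assumes the calibration record carries the Gaussian mechanism's noise multiplier sigma, the per-update sensitivity and the number of noisy aggregation rounds (the field names below are assumptions), and recomputes the (epsilon, delta) claim from standard Rényi accounting: the Gaussian mechanism has RDP epsilon alpha·Δ²/(2σ²) at order alpha, RDP composes additively at a fixed order, and epsilon(delta) = epsilon_RDP(alpha) + ln(1/delta)/(alpha - 1).

```python
import math

# Constructed sample certificate for illustration (field names are assumptions,
# not QUORUM's schema). sigma is the Gaussian noise multiplier relative to the
# clipping norm (sensitivity); steps is the number of noisy aggregation rounds.
SAMPLE_CERT = {
    "period_id": "2024-Q3",
    "alpha": 8.0,
    "epsilon": 3.9736,
    "delta": 1e-6,
    "calibration": {"mechanism": "gaussian", "sigma": 10.0, "sensitivity": 1.0, "steps": 50},
}

def gaussian_rdp(alpha: float, sigma: float, sensitivity: float) -> float:
    """RDP epsilon of the Gaussian mechanism at order alpha (Mironov 2017)."""
    if alpha <= 1 or sigma <= 0:
        raise ValueError("alpha must exceed 1 and sigma must be positive")
    return alpha * sensitivity ** 2 / (2 * sigma ** 2)

def rdp_to_dp(rdp_epsilon: float, alpha: float, delta: float) -> float:
    """Convert an (alpha, rdp_epsilon) guarantee into (epsilon, delta)-DP."""
    return rdp_epsilon + math.log(1.0 / delta) / (alpha - 1)

def recompute_epsilon(cert: dict) -> float:
    """Rebuild the period's epsilon from the published calibration record alone."""
    cal = cert["calibration"]
    if cal["mechanism"] != "gaussian":
        raise ValueError(f"unsupported mechanism {cal['mechanism']!r}")
    per_step = gaussian_rdp(cert["alpha"], cal["sigma"], cal["sensitivity"])
    total_rdp = per_step * cal["steps"]          # RDP composes additively at fixed alpha
    return rdp_to_dp(total_rdp, cert["alpha"], cert["delta"])

def certificate_consistent(cert: dict, tolerance: float = 1e-3) -> bool:
    """True if the claimed epsilon is no tighter than the recorded noise supports.
    A certificate may round up (conservative); it must not claim less spend."""
    return cert["epsilon"] + tolerance >= recompute_epsilon(cert)

def tightest_epsilon(cert: dict, orders=(2, 4, 8, 16, 32, 64)) -> tuple:
    """Best (alpha, epsilon) over a grid of orders, so an auditor can see whether
    the certificate's alpha gives a tight bound or a loose one."""
    best = None
    for a in orders:
        eps = recompute_epsilon(dict(cert, alpha=float(a)))
        if best is None or eps < best[1]:
            best = (float(a), eps)
    return best

if __name__ == "__main__":
    print("recomputed epsilon:", recompute_epsilon(SAMPLE_CERT))
    print("consistent:", certificate_consistent(SAMPLE_CERT))
    print("tightest order:", tightest_epsilon(SAMPLE_CERT))
```

A certificate that claims the same epsilon while recording a smaller sigma (less noise than the claim needs) fails the consistency check; that is the case a regulator is looking for.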

02
KZG Commitment Protocol

The KZG commitment protocol executes at the end of each commitment window. It produces a single G1 point committing to all audit entries in the window. Construction is non-interactive — the committer does not require knowledge of the SRS secret tau.

1

After each decision commits to the ledger, its SHA-256 hash is appended to the current commitment window accumulation buffer.

2

At commitment time, each SHA-256 hash h_i in the window is reduced modulo the order r of the BLS12-381 scalar field, giving a scalar f_i = h_i mod r (SHA-256 outputs are 256 bits and r is 255 bits, so the reduction is required).

3

The polynomial f(x) is the unique interpolant with f(i) = f_i for each entry at index i. Its degree is at most the entry count minus one.

4

The KZG commitment C = f(tau)·G₁ is computed from the public SRS powers-of-tau {[tau^k]₁}: with c_k the coefficients of f, C = Σ c_k·[tau^k]₁. The committer uses only the published SRS points; tau is unknown and not required.

5

C is published alongside window metadata: window start and end timestamps, entry count, and the RFC 3161 TSA request hash. C is a single 48-byte G1 point.

6

Inclusion proofs for any entry at index i are computed on demand. With q(x) = (f(x) - f(i)) / (x - i), the proof is pi = q(tau)·G₁, evaluated from the same SRS points (the division is exact because x = i is a root of f(x) - f(i)). The proof is also a 48-byte G1 point.

7

Verification checks the bilinear pairing equation e(pi, [tau - i]₂) = e(C - [f(i)]₁, G₂): two pairings. Any party with the public SRS plus the entry's index and content can verify. No trusted party is required.

// KZG construction
// f(i) = SHA-256(audit_entry_i) mod BLS12-381_scalar_field
// C    = f(tau) * G1  [using public SRS — tau is unknown]

// Inclusion proof for entry at index i (q evaluated at tau via the SRS):
// q(x) = (f(x) - f(i)) / (x - i)
// pi   = q(tau) * G1

// Verification equation (two pairing operations):
e(pi, [tau - i]_2) = e(C - [f(i)]_1, H)
// where H = G2 generator
//       e = Ate pairing on BLS12-381

// Proof size:    48 bytes (compressed G1 point)
// Verification: ~1ms (two BLS12-381 pairings)
// Trusted party: NONE — public SRS only
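The construction above, carried through as an added example; this is not code from QUORUM. It works in the BLS12-381 scalar field only and stands in for the group operations with plain field arithmetic: tau is a known constant here, the "commitment" is f(tau) rather than f(tau)·G₁, and the verifier's pairing check becomes the field identity pi·(tau - i) = C - f(i). That keeps the polynomial side of the protocol exact (hash-to-field, Lagrange interpolation, quotient by (x - i)) while giving none of the hiding of tau that the real SRS provides. It is a way to test an implementation's polynomial arithmetic against known answers, not a KZG library.

```python
import hashlib

# BLS12-381 scalar field order r: every audit hash is reduced into this field.
R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001

# SIMULATION ONLY: tau is the SRS secret. A real committer and verifier hold
# [tau^k]_1 and [tau]_2 and never learn this value.
SIM_TAU = 0x2a7f_3b9e_1c4d_5e6f_7a8b_9c0d_1e2f_3a4b_5c6d_7e8f_9a0b_1c2d_3e4f_5a6b

def hash_to_field(entry: bytes) -> int:
    """f(i) = SHA-256(audit_entry_i) mod r, as in the construction above."""
    return int.from_bytes(hashlib.sha256(entry).digest(), "big") % R

def poly_mul(a: list, b: list) -> list:
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % R
    return out

def poly_eval(coeffs: list, x: int) -> int:
    acc = 0
    for c in reversed(coeffs):          # Horner; coeffs[k] is the x^k coefficient
        acc = (acc * x + c) % R
    return acc

def interpolate(values: list) -> list:
    """Coefficients of the unique f with f(i) = values[i] for i = 0..n-1 (degree <= n-1)."""
    n = len(values)
    coeffs = [0] * n
    for i, y in enumerate(values):
        basis, denom = [1], 1
        for j in range(n):
            if j != i:
                basis = poly_mul(basis, [(-j) % R, 1])       # multiply by (x - j)
                denom = denom * ((i - j) % R) % R
        scale = y * pow(denom, R - 2, R) % R                  # y / prod(i - j)
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + c * scale) % R
    return coeffs

def quotient_at(coeffs: list, i: int) -> list:
    """q(x) = (f(x) - f(i)) / (x - i) by synthetic division; exact since x = i is a root."""
    num = coeffs[:]
    num[0] = (num[0] - poly_eval(coeffs, i)) % R
    q, carry = [0] * (len(num) - 1), 0
    for k in range(len(num) - 1, 0, -1):
        carry = (num[k] + carry * i) % R
        q[k - 1] = carry
    assert (num[0] + carry * i) % R == 0, "non-zero remainder: f(i) mismatch"
    return q

def commit(entries: list) -> tuple:
    """Window commitment C = f(tau). Returns (C, f) so proofs can be opened later."""
    f = interpolate([hash_to_field(e) for e in entries])
    return poly_eval(f, SIM_TAU), f

def open_entry(f: list, i: int) -> int:
    """Inclusion proof pi = q(tau) for the entry at index i."""
    return poly_eval(quotient_at(f, i), SIM_TAU)

def verify_inclusion(C: int, i: int, entry: bytes, pi: int) -> bool:
    """Field form of e(pi, [tau - i]_2) == e(C - [f(i)]_1, H)."""
    lhs = pi * ((SIM_TAU - i) % R) % R
    rhs = (C - hash_to_field(entry)) % R
    return lhs == rhs

# Constructed audit entries for one commitment window (not real QUORUM records).
WINDOW = [b'{"decision_id":1,"verdict":"allow"}',
          b'{"decision_id":2,"verdict":"deny"}',
          b'{"decision_id":3,"verdict":"allow"}',
          b'{"decision_id":4,"verdict":"isolate"}']

if __name__ == "__main__":
    C, f = commit(WINDOW)
    pi = open_entry(f, 2)
    print("entry 2 verifies:", verify_inclusion(C, 2, WINDOW[2], pi))
    print("entry 2 at index 3:", verify_inclusion(C, 3, WINDOW[2], pi))
```

Because the index i is part of the statement, a proof for the entry at position 2 does not verify at position 3: an inclusion proof attests to content and position together, which is what makes the root an ordering commitment and not just a set commitment.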
03
Nova IVC Accumulator Protocol

The Nova IVC accumulator proves correctness of computation, not merely record existence. A valid compressed proof over N events cannot be produced for any sequence other than the actual one — deleted, reordered, or modified events produce a different final state that will not verify.

Protocol Parameters
Folding scheme: Nova (Kothapalli et al. 2022)
Curve cycle: Pallas / Vesta (Pasta)
Proving system: Spartan IPA-PC
Step hash function: Poseidon2
Event commitment: SHA-256 mod Pallas_q
Proof size: ~10KB (constant, any N)
Verification: independent of N (check proof against z_0 and z_N)
Security Properties

A valid proof can only be produced for the actual sequence z_0 to z_N. Any deviation — deletion, reordering, modification — changes z_N, invalidating the proof against the published final state.

The Pallas/Vesta curve cycle enables efficient recursion: the scalar field of each curve is the base field of the other, so the verifier for a step on one curve is a native circuit over the other. Nova needs no trusted setup ceremony.

Soundness is computational under the discrete logarithm assumption over the Pasta curves, which is what makes the Pedersen-style commitments used by the folding scheme binding. The security argument is given in the Nova paper (Kothapalli, Setty and Tzialla, CRYPTO 2022) and has been examined in subsequent academic work on folding schemes.

// Nova IVC accumulator — complete protocol

// Period initialization:
z_0 = SHA-256(orgId || period_id || prev_period_root) mod Pallas_q

// Step function applied for each audit event i:
commit(event_i)  = SHA-256(event_i.json) mod Pallas_q
z_{i+1}          = Poseidon2(z_i, commit(event_i))

// After N events: one folding step per event; the cost of each step depends on the step circuit, not on N
RecursiveSNARK::prove(pp, &circuit, &z_0, &[w_0..w_N])
  -> RecursiveSNARK

// Final compression (produces the audit artifact):
CompressedSNARK::prove(pp, &pk, &recursive_snark)
  -> CompressedSNARK  // ~10KB, independent of N

// External verification (public parameters only):
CompressedSNARK::verify(&vk, &z_0, &z_N, &compressed_proof)
  -> Ok(()) | Err(VerificationError)

// Verifier inputs: vk (public), z_0, z_N, proof (~10KB)
// No access to individual events required.
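The public side of the accumulator (the z chain the compressed proof is checked against), as an added example that is not QUORUM's code. It uses SHA-256 in place of Poseidon2 for the step hash, since the point here is the fold and what tampering does to z_N rather than the in-circuit hash. The event JSON is serialized canonically (sorted keys, no whitespace) because commit(event_i) is only reproducible if both sides hash identical bytes, and the identifiers in z_0 are length-prefixed so that the concatenation is unambiguous; whether QUORUM's own serialization makes these choices is not stated on the page, so they are assumptions of the example.

```python
import hashlib
import json

# Pallas scalar field order q: the field the Nova step circuit works in on this cycle.
PALLAS_Q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001

def to_field(data: bytes) -> int:
    """SHA-256(data) mod Pallas_q, the event commitment used by the step function."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % PALLAS_Q

def canonical_json(event: dict) -> bytes:
    """Deterministic encoding so commit(event_i) is reproducible by any verifier (assumption)."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def commit_event(event: dict) -> int:
    return to_field(canonical_json(event))

def step(z_i: int, event: dict) -> int:
    """z_{i+1} = H(z_i, commit(event_i)). SHA-256 over two fixed-width field
    encodings stands in for Poseidon2 here (assumption)."""
    c_i = commit_event(event)
    return to_field(z_i.to_bytes(32, "big") + c_i.to_bytes(32, "big"))

def period_init(org_id: str, period_id: str, prev_period_root: bytes) -> int:
    """z_0 = H(orgId || period_id || prev_period_root), with length prefixes (assumption)."""
    def lp(b: bytes) -> bytes:
        return len(b).to_bytes(2, "big") + b
    return to_field(lp(org_id.encode()) + lp(period_id.encode()) + lp(prev_period_root))

def fold(z_0: int, events: list) -> int:
    """Run the step function over the period; the final value is the public z_N."""
    z = z_0
    for ev in events:
        z = step(z, ev)
    return z

def tamper_detected(z_0: int, published_z_n: int, events: list) -> bool:
    """Any sequence that folds to something other than the published z_N (deleted,
    reordered or modified events) is rejected, which is exactly what the SNARK
    verifier enforces without seeing the events."""
    return fold(z_0, events) != published_z_n

# Constructed events for one period (not real QUORUM records).
EVENTS = [
    {"seq": 1, "decision": "allow", "subject": "job-17"},
    {"seq": 2, "decision": "deny", "subject": "job-18"},
    {"seq": 3, "decision": "isolate", "subject": "job-19"},
]
Z_0 = period_init("org-acme", "2024-Q3", bytes(32))   # bytes(32): no previous period
Z_N = fold(Z_0, EVENTS)

if __name__ == "__main__":
    print("z_N:", hex(Z_N))
    print("deletion detected:", tamper_detected(Z_0, Z_N, EVENTS[:-1]))
    print("reorder detected:", tamper_detected(Z_0, Z_N, [EVENTS[1], EVENTS[0], EVENTS[2]]))
```

The auditor who verifies the compressed SNARK holds only z_0, z_N and the proof; this block is what the prover's honest state machine computes, and it is the mapping from event sequence to z_N that the proof binds.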
04
Threshold Signing Protocol — FROST(Ed25519)

FROST (Flexible Round-Optimized Schnorr Threshold) over Ed25519 provides a (t,n) threshold signing scheme where no single party holds a complete private key. The resulting group public key is a standard Ed25519 public key — verification requires no special threshold verification logic and is compatible with all standard Ed25519 verifiers.

1

(t,n) threshold: n = total key shares distributed, t = minimum shares required. QUORUM holds (n-1) shares; the institution holds 1. Configuration is set at key generation and recorded in the governance ledger. Because QUORUM alone holds n-1 shares, the guarantee in point 2 that neither party can sign unilaterally holds only for t = n; with t ≤ n-1, QUORUM's own shares would meet the threshold.

2

To produce a valid signature, both QUORUM and the institution must participate in the signing round. Neither party can forge a signature unilaterally. This holds for all audit bundle signatures and all ISOLATED verdict co-signatures.

3

Signing needs no further setup after key generation. Each signature is produced by the standard two-round FROST protocol: a commitment round in which every participating signer publishes nonce commitments, then a signing round in which signature shares are produced and aggregated. No challenges beyond those of the protocol specification are exchanged.

4

Key refresh via proactive secret sharing is supported. Shares are rotated without changing the group public key. Existing verified signatures remain valid against the same group public key. Key version is recorded in each signature envelope for auditability.

5

All signing events are logged to the governance ledger: participating signer share IDs, the message hash signed, the resulting aggregate signature, and the ceremony timestamp. The signing history of any audit bundle is traceable.

Protocol Reference
Standard: FROST (RFC 9591)
Base scheme: Ed25519 (RFC 8032)
Group public key: Standard Ed25519 pubkey
Verification: Standard Ed25519 verify
QUORUM shares: n - 1
Institution shares: 1
Signing rounds: 2 (commit + sign)
Key refresh: Supported (proactive SS)
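A check of the share arithmetic behind the (t,n) guarantee, added as an example; it is not QUORUM's signing code and not a FROST implementation. Shares live in the scalar field of Ed25519 (order L), and the Lagrange coefficient computed here is what each FROST signer applies to its share when producing a signature share (derive_interpolating_value in RFC 9591). Splitting a secret and then reconstructing from QUORUM's n-1 shares alone shows what the "neither party can sign unilaterally" claim depends on: with t ≤ n-1 the n-1 shares are enough, with t = n they are not.

```python
import secrets

# Order of the Ed25519 prime-order subgroup; FROST(Ed25519) secret shares are scalars mod L.
L = 2**252 + 27742317777372353535851937790883648493

def split(secret: int, t: int, n: int, rand=secrets.randbelow) -> list:
    """Shamir split: random polynomial of degree t-1 with f(0) = secret; share i is (i, f(i))."""
    if not (1 <= t <= n):
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % L] + [rand(L) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, L) for k, c in enumerate(coeffs)) % L)
            for i in range(1, n + 1)]

def lagrange_coeff(i: int, ids: list) -> int:
    """lambda_i over the signer set `ids`: the weight FROST applies to signer i's share."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % L
            den = den * ((j - i) % L) % L
    return num * pow(den, L - 2, L) % L

def reconstruct(shares: list) -> int:
    """sum(lambda_i * s_i): equals the secret iff at least t distinct shares are present;
    with fewer shares it is the constant term of some other polynomial."""
    ids = [i for i, _ in shares]
    return sum(lagrange_coeff(i, ids) * s for i, s in shares) % L

def quorum_alone_recovers(t: int, n: int, secret: int) -> bool:
    """Can the n-1 shares QUORUM holds reconstruct the group secret without the institution?"""
    shares = split(secret, t, n)
    quorum_shares = shares[: n - 1]          # the institution holds share n
    return reconstruct(quorum_shares) == secret % L

def unilateral_signing_possible(t: int, n: int) -> bool:
    """Policy check for the deployment table: QUORUM holds n-1 shares, so it reaches
    the threshold on its own whenever t <= n-1."""
    return t <= n - 1

if __name__ == "__main__":
    s = secrets.randbelow(L)
    for t, n in ((2, 3), (3, 3), (3, 5), (5, 5)):
        print(f"t={t} n={n}: QUORUM alone recovers secret -> {quorum_alone_recovers(t, n, s)}")
```

In FROST the secret is never reconstructed; the same Lagrange weights are applied to signature shares instead. The conclusion is identical: whoever holds t shares can produce the group's signature, so the institution's share is a hard requirement only when t = n.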
05
Verification Reference

An external auditor can verify the complete audit bundle using only public parameters. QUORUM access is not required at any step. The following procedure is the complete verification protocol for a period audit bundle.

Step 1
Obtain the audit bundle from the institution

Required artifacts: KZG commitment root C, Nova compressed SNARK proof, RFC 3161 TimeStampResp, FROST(Ed25519) threshold signature, and the period metadata (orgId, period_id, z_0, z_N, entry count). The institution retrieves these from its own audit ledger. QUORUM is not involved in this step.

Step 2
Verify the FROST(Ed25519) threshold signature over the bundle hash

Compute bundle_hash = SHA-256(C || nova_proof || tsa_response || period_metadata), using the same byte serialization and field order the signers used; the hash input must be reproduced byte for byte, or verification fails for a reason unrelated to tampering. Verify the FROST aggregate signature against bundle_hash using the published group public key with standard Ed25519 signature verification. Failure indicates the bundle was not produced by the authorized signing parties.

Step 3
Verify the RFC 3161 TSA witness

Parse the TimeStampResp per RFC 3161 and check its status field before using the token. Verify that TSTInfo.messageImprint (hash algorithm and digest) equals SHA-256(C). Verify the TSA signature using the published TSA certificate chain. TSTInfo.genTime establishes that C existed no later than that time; it places no bound on how much earlier C was created.

Step 4
Verify inclusion proofs for entries of interest against C

For each entry to be verified: obtain the entry content and its inclusion proof pi from the institution's ledger. Check the pairing equation e(pi, [tau - i]₂) = e(C - [SHA-256(entry) mod r]₁, H) using the public SRS, where i is the entry's index within the window. Two pairing operations per entry, with cost independent of the window size. No QUORUM access required.

Step 5
Verify the Nova compressed SNARK

Execute CompressedSNARK::verify(vk, z_0, z_N, proof) using the published verifier key. This confirms that all N decisions were correctly computed in sequence from z_0 to z_N as claimed. The proof is ~10KB and verification cost does not depend on N. No individual event access is required.

Verification Completeness

All five steps require only public parameters: the published SRS, the published group public key, the published Nova verifier key, and the TSA certificate chain. The Rényi DP certificate (artifact 5) is checked separately against the published noise calibration record and the signing HSM's public key. No QUORUM internal system access is required at any step. The procedure is deterministic and reproducible: any two auditors executing the same procedure against the same bundle reach identical conclusions.