Forensic Continuity
QUORUM's forensic architecture treats every decision as a cryptographically provable event in a verifiable sequence. The system produces artifacts that allow any authorized party to reconstruct the complete causal chain of a decision — without trusting QUORUM's word. The proof is in the math.
Every decision produces five layers of cryptographic evidence. Each layer is independently verifiable. Together, they form a chain of custody that covers the decision from raw signal ingestion through audit commitment — without a single trusted intermediary.
SHA-256 hash of the raw ingested signal vector, recorded at intake before any transformation. This creates a tamper-evident anchor — any modification to the source data will invalidate all downstream artifacts.
Serialized directed acyclic graph of all evaluation nodes traversed during the decision pipeline. Each node records its input, output, and rule or model reference. The trace is hash-chained — each node contains the hash of the prior node.
A 48-byte G1 polynomial commitment proving the decision exists in the audit ledger at a specific index. Verification requires two pairing operations against the published structured reference string. O(1) verification time regardless of ledger size. No trusted verifier needed.
A recursive incrementally verifiable computation proof that accumulates all decisions since accumulator initialization. The CompressedSNARK is O(1) size regardless of step count. It proves that the entire sequence of decisions was correctly computed — not just that they exist in a log.
An external trusted timestamp authority (FreeTSA / DigiCert) witness anchoring the accumulator root to a globally trusted clock. The TSA signs the hash of the accumulator root — not decision content. Non-repudiable proof of existence at a specific time, not controlled by QUORUM.
Any historical decision can be reconstructed in full. The replay protocol is a deterministic five-step procedure. It does not require access to QUORUM's live systems — only the audit ledger, the public SRS, and the published rule and model version repositories.
The event block contains: raw signal vector (encrypted under the institutional key), active rule version snapshot hash, model weight version identifier, arbitration DAG reference hash, and the original verdict with its FROST signature.
Compute e(π, [τ - i]₂) = e(C - [v]₁, H). If verification fails, the ledger at position i has been modified since the commitment root was published. Verification failure is definitive evidence of tampering.
where: π = inclusion_proof, C = commitment_root,
v = claimed_value, i = ledger_index
Rules are versioned and immutable. Each rule version is stored with its signed hash. The exact rule set active at decision time is recoverable from the version snapshot hash — it cannot have been retroactively modified.
The pipeline is deterministic. Given identical inputs and an identical rule and model configuration, it will produce identical outputs on every execution. There is no stochastic element in the production verdict path — randomness is seeded at session initialization from a deterministic seed recorded in the event block.
Verify that the reconstructed verdict matches the ledger entry. Verify the FROST(Ed25519) threshold signature on the original verdict. Verify that the Nova IVC step for this event was correctly folded into the accumulator. All three checks must pass for the decision record to be considered forensically intact.
The audit ledger is committed as a polynomial over the BLS12-381 scalar field. Each log entry is encoded as a field element. The commitment is a single 48-byte G1 point. Inclusion proofs are also G1 points and verify in constant time using two pairing operations against the published structured reference string. No trusted party is required for verification.
Audit entries in the window are SHA-256 hashed and encoded as field elements over the BLS12-381 scalar field.
The polynomial f(x) is constructed such that f(i) = hash_i for each entry at index i.
The KZG commitment is computed as C = f(τ)·G₁ using the public SRS — the secret τ is never required by the committer.
C is a single 48-byte G1 point published alongside the window metadata.
A proof π for entry at index i is: π = ((f(x) - f(i)) / (x - i))·G₁
Verification uses two pairing operations against the published SRS: e(π, [τ-i]₂) = e(C - [hash_i]₁, H)
Verification succeeds if and only if hash_i was committed at index i in the polynomial.
Verification is O(1) regardless of ledger size — proof and verification cost do not scale with N.
// KZG Verification equation // π = inclusion proof (G1 point, 48 bytes) // C = commitment root (G1 point, 48 bytes, published) // v = claimed value (SHA-256 hash of audit entry) // i = ledger index (position claimed) // H = G2 generator // τ = toxic waste (unknown after SRS ceremony — not needed) e(π, [τ - i]₂) = e(C - [v]₁, H) // Two pairing operations. No trusted party. Public SRS only. // Failure = ledger tampered at index i.
QUORUM uses the Nova folding scheme (Kothapalli et al., 2022) to produce a constant-size proof that accumulates N audit events. This is not a log integrity check — it is a proof of correct computation. The verifier can confirm that all N decisions were computed correctly without replaying any of them.
Each audit period begins with genesis state z₀ = SHA-256(orgId ∥ period ∥ nonce) mod Pallas q. The nonce is derived from the prior period's final accumulator root.
Each decision event folds into the accumulator via the step circuit: z_{i+1} = Poseidon2(z_i, commit(event_i)) where commit(event) = SHA-256(event_json) mod Pallas q.
After N events, CompressedSNARK::prove() produces a proof over Spartan IPA-PC on the Pallas/Vesta curve cycle. Output is ~10KB constant regardless of N. Verification is O(1).
// Nova IVC step circuit
// z_0 = SHA-256(orgId || period || nonce) mod Pallas_q [genesis]
// w_i = audit_event_i (decision record)
// commit(w) = SHA-256(w.json) mod Pallas_q
z_{i+1} = Poseidon2(z_i, commit(w_i))
// After N steps:
// CompressedSNARK::prove(pp, pk, recursive_snark) -> ~10KB proof
// CompressedSNARK::verify(vk, z_0, z_N, proof) -> O(1)
// Security: computationally infeasible to produce a valid proof
// for any sequence other than the actual z_0 → z_N computation.
// Curve cycle: Pallas / Vesta (Pasta curves, no trusted setup)
Any modification to any ledger entry invalidates the KZG commitment root for that period. The tampered entry cannot be re-committed without generating a new root that will not match the RFC 3161 timestamp witness already issued for the original.
The Nova IVC accumulator proves the correct ordering and computation of all events in the period. It is not sufficient to have correct individual events — the folding sequence must match exactly. Out-of-order or deleted events produce a different final accumulator state.
The RFC 3161 TSA witness provides an external time anchor not controlled by QUORUM. The TSA signature over the commitment root establishes that the root existed before the timestamp was issued — QUORUM cannot backdate or alter this record.
Any party in possession of the public SRS can verify KZG inclusion proofs and Nova compressed proofs without access to QUORUM's internal systems, live data, or any private key material. Verification requires only the published artifacts.
The decision pipeline is fully deterministic. Identical inputs under an identical frozen rule set and model version will always produce identical verdicts on any execution. Replay results can be compared bitwise to the original ledger entry.
Forensic artifacts are structured for regulatory submission and legal discovery. The artifact bundle — signal commitment, decision trace, KZG proof, Nova proof, TSA witness, FROST signature — constitutes a complete, self-contained evidentiary record. No supplementary attestation from QUORUM is required.