certificate
a proof certificate is the output of a completed eidos proof. it attests that a specific kernel checked a specific proof term and accepted it. the certificate is a zheng STARK proof of that kernel execution. it enters the cybergraph as a cyberlink — globally memoized, zero-cost to re-verify.
what a certificate attests
a certificate for theorem P with proof π is evidence for:
check_kernel(Σ, [], π, P) = Ok
this is a nox execution. zheng certifies the execution trace, producing a STARK that anyone can verify with the zheng verifier — a short nox program running in ~825 constraints.
proof artifact
a proof artifact is the tuple:
ProofArtifact = {
claim : NounId, -- hemera hash of the claim noun: CLAIM(P)
proof : NounId, -- hemera hash of the proof noun: π
kernel : NounId, -- hemera hash of the kernel formula noun
stark : Bytes, -- zheng STARK certificate bytes
env_ref : NounId, -- hemera hash of the global environment Σ used
}
all NounIds are hemera hashes (4 × Goldilocks field elements = 32 bytes).
claim noun
the claim encodes the theorem being proved:
CLAIM(P) = cons(atom(0xC0), P) -- tag 0xC0 marks a claim; payload is the type term
the tag separates claims from arbitrary terms in the cybergraph.
proof noun
the proof term π is a kernel term (see terms) of type P. its NounId is hemera(encode(π)).
kernel noun
the kernel formula is the nox program that implements the type checker (see kernel). its NounId is fixed at genesis — it is the identity of the trusted kernel. a different kernel NounId means a different TCB.
KERNEL_ID is a protocol constant announced at eidos genesis and stored in bbg namespace 0.
axon computation
the axon is the content address of the proof event:
axon = hemera(KERNEL_ID || claim || proof)
this is a 32-byte hash. it uniquely identifies "kernel K checked proof π for claim P and accepted."
|| is concatenation of the 32-byte hemera representations. the hemera sponge absorbs all three inputs sequentially with domain separator 0xA1 (proof-event domain).
cyberlink encoding
the certificate enters the cybergraph as a cyberlink:
cyberlink: axon → OK
where OK = atom(0x4F4B) — the field element encoding of ASCII "OK". this is the canonical acceptance signal.
the cyberlink is signed by the prover's neuron key and staked with the prover's will, following standard cyberlink protocol. the cyberlink payload (stored as a particle in namespace 0) contains the full ProofArtifact encoded as a noun.
particle encoding
the ProofArtifact encodes as a noun for cybergraph storage:
artifact_noun =
cons(claim,
cons(proof,
cons(kernel,
cons(env_ref,
stark_atom))))
stark_atom = atom(hemera(stark_bytes)) -- the STARK is content-addressed; full bytes stored off-chain
the full STARK bytes are stored as a separate particle (content-addressed by their hemera hash). the artifact noun references the STARK by hash, keeping the on-chain footprint small.
zheng wrapping
the STARK certifies the nox execution of check(Σ_noun, CTX_EMPTY, π_noun, P_noun).
execution instance
the nox execution instance (public inputs) is:
instance = {
object_id : NounId, -- input noun: cons(cons(Σ_ref, CTX_EMPTY), cons(π, P))
formula_id : NounId, -- kernel formula noun id
result_id : NounId, -- expected result: atom(0x4F4B) = OK
status : 0x00, -- 0x00 = success
}
the STARK proves: "reducing object with formula produces result within budget."
STARK format
the STARK is a zheng Whirlaway proof:
ZhengProof = {
sumcheck_transcript : [Round], -- k rounds of sumcheck
brakedown_opening : Opening, -- polynomial evaluation at challenge point
claimed_evaluation : F, -- the evaluation claim
}
Round = {
poly_coeffs : [F; 3], -- round polynomial g_i(X) of degree ≤ 2
challenge : F, -- Fiat-Shamir challenge r_i
}
Opening = {
commitment : Hash, -- Brakedown commitment to the trace polynomial
path : [Hash], -- Merkle path for evaluation proof
leaf_value : F,
}
all field elements are Goldilocks elements (8 bytes each). the STARK is approximately 2–4 KB for typical kernel executions.
verifier algorithm
verify(instance, stark) → accept | reject:
1. initialize Fiat-Shamir transcript with instance fields
2. for i = 1..k:
absorb stark.sumcheck_transcript[i].poly_coeffs into transcript
r_i = squeeze transcript
check: g_i(0) + g_i(1) = claim_{i-1} -- sumcheck consistency
claim_i = g_i(r_i)
3. evaluate the constraint polynomial at r = (r_1, ..., r_k):
C_eval = constraint_eval(instance, r)
4. check: C_eval = claim_k
5. verify Brakedown opening at r against committed trace
the verifier runs as a nox program of ~825 constraint rows. verifier cost is O(log² N) in the trace size N.
memoization protocol
when a neuron wants to prove P and a cyberlink axon → OK already exists in the cybergraph:
memo_lookup(P, kernel_id) =
axon = hemera(kernel_id || CLAIM(P) || _) -- wildcard on proof
the cybergraph does not support wildcard queries directly. instead: query particles tagged with CLAIM(P) in namespace 0, check if any existing axon matches. if found: re-use the existing cyberlink. cost: one BBG lookup.
if the prover wants to verify the existing certificate: fetch the ProofArtifact particle, recover the STARK, run verify(instance, stark). this costs ~825 nox rows — constant time regardless of how complex the original proof was.
certificate pipeline
the end-to-end flow from completed tactic proof to cyberlink:
1. tactic engine produces: π (proof term noun)
2. kernel verifies: check(Σ, [], π, P) = Ok
3. compute:
claim = hemera(CLAIM(P))
proof = hemera(encode(π))
axon = hemera(KERNEL_ID || claim || proof)
4. run zheng prover on the kernel execution trace → stark_bytes
5. build ProofArtifact noun
6. publish particle: hemera(artifact_noun) → artifact_noun content
7. publish stark particle: hemera(stark_bytes) → stark_bytes
8. sign cyberlink: axon → OK
9. broadcast cyberlink to the network
steps 4–9 are performed by the untrusted shell. step 2 is the only trusted step (kernel). a bug in steps 4–9 produces a verifiable certificate that the verifier rejects — it cannot produce a certificate the verifier accepts for a false theorem.
global theorem database
every accepted certificate produces a cyberlink in the global cybergraph. the cybergraph is the universal theorem database for cyber:
hemera(KERNEL_ID || claim || proof) → OK— the specific proof was accepted- queries: given a claim noun, find all proofs of it
- inter-operability: any neuron (human, AI, sensor, program) can submit proofs and read certificates
the memoization invariant: if axon → OK exists in the cybergraph, then there exists a valid STARK attesting check_kernel(π, P) = Ok. re-proving the same theorem at the same kernel version costs zero network resources — the second prover reads the existing cyberlink.
versioning
the kernel NounId is pinned. a new kernel version (new NounId) produces different axons — old certificates remain valid under the old kernel. migration paths:
- upward compatibility: the new kernel accepts a superset of proofs; old certificates remain valid if the old kernel is still trusted
- explicit re-proof: submit the same proof π to the new kernel, produce a new certificate under the new KERNEL_ID
the protocol records the KERNEL_ID in every artifact noun, so certificates are self-describing with respect to which kernel version accepted them.