Write-Domain Separation and Non-Custodial Enforcement: A Structural Impossibility in Account-Based Ledgers, with a Commitment-Based Construction
Pith reviewed 2026-05-09 14:43 UTC · model grok-4.3
The pith
Account-based ledgers satisfying key sovereignty cannot enforce future asset disposition without custody or owner cooperation at enforcement time.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Any ledger obeying the Key Sovereignty Axiom is structurally unable to realize Non-Custodial Enforced Encumbrance. The envelope primitive, which attaches a note, condition tree, and redistribution intent to protocol-maintained marker sets and derives an encumbrance-namespace nullifier from note randomness rather than the owner key, satisfies all four NCEE properties under the cryptographic assumptions and the immutability of the marker-set registry.
What carries the argument
The Key Sovereignty Axiom (KS), which states that asset authorization remains fully under the control of the private-key holder, together with the envelope construction that decouples ordinary spend nullifiers from encumbrance-namespace nullifiers.
If this is right
- Standard EOAs, ERC-4337 smart accounts, and EIP-7702 delegated accounts cannot support NCEE for their primary asset paths.
- Realizing NCEE requires Asset-Authorization Coupling, which forces authorization rules to be tied directly to the asset representation itself.
- Protocols that need permissionless, irrevocable restrictions without custody must adopt commitment-based private-state ledgers rather than account-based models.
- The envelope allows write-domain separation so that encumbrance enforcement can proceed without the owner's signature at settlement time.
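A toy Python model of the write-domain separation described above, added here as an illustration; it is not taken from the paper or its Noir reference implementation. The hash layout, the `ToyLedger` class and the height-based condition are assumptions, and the note opening is passed in the clear where a real deployment would use a zero-knowledge proof.

```python
import hashlib

def H(domain: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256, a stand-in for the circuit hash (assumption)."""
    h = hashlib.sha256(domain + b"\x00")
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def pk_of(sk: bytes) -> bytes:
    return H(b"pk", sk)
def note_cm(pk: bytes, value: int, rho: bytes) -> bytes:
    return H(b"note", pk, value.to_bytes(8, "big"), rho)

class ToyLedger:
    def __init__(self):
        self.notes = set()     # note commitments
        self.markers = {}      # write-once marker set: cm -> (unlock_height, beneficiary_pk)
        self.spend_nf = set()  # ordinary nullifiers, derived from the owner key
        self.enc_nf = set()    # encumbrance-namespace nullifiers, derived from rho only

    def mint(self, pk, value, rho):
        cm = note_cm(pk, value, rho)
        self.notes.add(cm)
        return cm

    def encumber(self, sk, value, rho, unlock_height, beneficiary_pk):
        """Owner consents once, at creation; no method ever deletes a marker."""
        cm, nf = note_cm(pk_of(sk), value, rho), H(b"spend-nf", sk, rho)
        if cm not in self.notes or cm in self.markers or nf in self.spend_nf:
            raise PermissionError("unknown, spent, or already encumbered note")
        self.markers[cm] = (unlock_height, beneficiary_pk)
        return cm

    def spend(self, sk, value, rho):
        """Ordinary path: needs the owner key and is closed to encumbered notes."""
        cm, nf = note_cm(pk_of(sk), value, rho), H(b"spend-nf", sk, rho)
        if cm not in self.notes or cm in self.markers or nf in self.spend_nf:
            raise PermissionError("spend rejected")
        self.spend_nf.add(nf)
        return nf

    def settle(self, owner_pk, value, rho, height, new_rho):
        """Permissionless path: takes the note opening, never the owner's secret key."""
        cm, nf = note_cm(owner_pk, value, rho), H(b"enc-nf", rho)
        if cm not in self.markers or nf in self.enc_nf or height < self.markers[cm][0]:
            raise PermissionError("settlement rejected")
        self.enc_nf.add(nf)
        return self.mint(self.markers[cm][1], value, new_rho)
```

Because `spend` refuses any commitment in the marker set, a holder of the owner key (legitimate or stolen) cannot move an encumbered note, while `settle` succeeds for any caller once the condition holds.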
Where Pith is reading between the lines
- Designers of future ledgers could embed envelope-style marker sets to support decentralized vesting or escrow primitives that survive key loss or non-cooperation.
- The necessity of Asset-Authorization Coupling suggests that hybrid account-commitment systems would need explicit dual-state representations to achieve similar enforcement.
- Empirical gas and recursion benchmarks in the reference implementation indicate that the added verification cost remains within practical ranges for repeated encumbrance checks.
Load-bearing premise
The marker-set registry remains immutable after deployment, combined with the security of the envelope proofs and the assumption that assets are transfer-dichotomous.
What would settle it
A concrete demonstration that an owner can unilaterally remove or bypass an encumbrance on a standard EOA or ERC-4337 account without violating the ledger's access rules, or that the envelope system allows a key compromise to affect settled encumbrances.
Original abstract
Account-based ledgers -- standard externally-owned accounts (EOAs), ERC-4337 smart accounts, post-Pectra EIP-7702 delegated EOAs -- place the holder of the controlling key at the apex of asset authorization. We ask a structural question about ledger access control: under this authorization model, can a protocol enforce the future disposition of an asset without taking custody and without requiring the owner's cooperation at enforcement time? We formalize the target as Non-Custodial Enforced Encumbrance (NCEE), a four-property specification covering self-custody, transition restriction, irrevocability, and permissionless enforcement. We define the Key Sovereignty Axiom (KS) and prove that any ledger satisfying KS cannot realize NCEE; standard EOAs, ERC-4337 smart accounts, and EIP-7702 delegated EOAs satisfy KS for their standard asset paths. We define Asset-Authorization Coupling (AAC) and prove it necessary for NCEE in the transfer-dichotomous asset setting. To witness the positive side, we introduce the envelope, a primitive for commitment-based private-state ledgers that binds a note, a condition tree, and a redistribution intent to protocol-maintained marker sets, separating ordinary spend nullifiers from a new encumbrance-namespace nullifier derived from note randomness rather than the owner key. We prove the envelope realizes NCEE under stated cryptographic assumptions and a deployment assumption that the marker-set registry is immutable; three concrete deployment templates are given. We define games for encumbrance integrity, settlement security, key-compromise resilience, and encumbrance indistinguishability. A reference implementation in Noir and UltraHonk supports the empirical claims, with gas measurements, recursive aggregation benchmarks, and a practical-economics analysis.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims that account-based ledgers (EOAs, ERC-4337 smart accounts, EIP-7702 delegated EOAs) satisfying the Key Sovereignty Axiom (KS) cannot realize Non-Custodial Enforced Encumbrance (NCEE), a four-property spec for self-custody, transition restriction, irrevocability, and permissionless enforcement. It proves KS holds for standard asset paths in these ledgers and shows Asset-Authorization Coupling (AAC) is necessary for NCEE under transfer-dichotomous assets. Positively, it introduces the envelope primitive for commitment-based private-state ledgers, binding notes, condition trees, and intents to marker sets with separated encumbrance-namespace nullifiers; this realizes NCEE under cryptographic assumptions plus an immutable marker-set registry deployment assumption. Security games for encumbrance integrity, settlement security, key-compromise resilience, and indistinguishability are defined, with a Noir/UltraHonk reference implementation providing gas and benchmark data.
Significance. If the impossibility result and envelope construction hold, the work supplies a structural explanation for why standard account models cannot support non-custodial future asset control without owner cooperation, while offering a write-domain separation mechanism via commitment primitives that could enable new protocols for encumbered assets in private ledgers. The explicit game definitions and reproducible implementation (with empirical measurements) strengthen the contribution by providing verifiable artifacts rather than purely informal arguments.
major comments (3)
- [Deployment assumption and security games] Deployment assumption (abstract and construction section): the claim that the envelope realizes NCEE depends on the marker-set registry being immutable, yet the encumbrance-integrity and settlement-security games do not model decentralized enforcement of this immutability or rule out new privileged write-domain paths for registry updates in a permissionless setting.
- [Key Sovereignty Axiom definition and application] KS impossibility proof: the reduction from KS to inability to realize NCEE is load-bearing for the negative result, but the manuscript should explicitly verify that EIP-7702 delegation and ERC-4337 account abstraction extensions cannot introduce non-KS paths for standard assets without violating the axiom definition.
- [AAC necessity proof] AAC necessity (transfer-dichotomous asset setting): the proof that AAC is required for NCEE is scoped to transfer-dichotomous assets; if the central claim is to apply broadly, the manuscript must state whether the necessity extends or identify the additional assumptions needed for generalization.
minor comments (2)
- [Deployment templates] The abstract states that three concrete deployment templates are given; the main text should include explicit security analysis for each template relative to the defined games.
- [Notation and definitions] Notation for nullifiers (ordinary spend vs. encumbrance-namespace) should be unified across the impossibility and construction sections to avoid reader confusion.
Simulated Author's Rebuttal
We thank the referee for their constructive and detailed comments. We address each major comment point by point below, providing our responses and indicating planned revisions to the manuscript.
- Referee: [Deployment assumption and security games] Deployment assumption (abstract and construction section): the claim that the envelope realizes NCEE depends on the marker-set registry being immutable, yet the encumbrance-integrity and settlement-security games do not model decentralized enforcement of this immutability or rule out new privileged write-domain paths for registry updates in a permissionless setting.
  Authors: The security games are defined under the explicit deployment assumption of an immutable marker-set registry, as stated in the construction section and the three deployment templates. This mirrors standard assumptions in blockchain protocol analyses where contract immutability is a prerequisite rather than a property enforced inside the cryptographic games. We will revise the manuscript to clarify this scoping in the security definitions and add a brief discussion noting that, in a permissionless setting, the assumption relies on correct initial deployment without subsequent privileged update paths (e.g., via one-time deployment followed by control relinquishment).
  Revision: partial
- Referee: [Key Sovereignty Axiom definition and application] KS impossibility proof: the reduction from KS to inability to realize NCEE is load-bearing for the negative result, but the manuscript should explicitly verify that EIP-7702 delegation and ERC-4337 account abstraction extensions cannot introduce non-KS paths for standard assets without violating the axiom definition.
  Authors: The KS axiom is defined with respect to standard asset paths, and the manuscript already states that EOAs, ERC-4337 accounts, and EIP-7702 delegated EOAs satisfy KS for those paths. Any delegation or abstraction mechanism that introduced non-KS paths for standard assets would, by definition, violate the axiom. We will add an explicit verification paragraph in the KS section confirming that the cited extensions preserve key sovereignty on standard paths and do not create bypasses without redefining the underlying ledger authorization model.
  Revision: yes
- Referee: [AAC necessity proof] AAC necessity (transfer-dichotomous asset setting): the proof that AAC is required for NCEE is scoped to transfer-dichotomous assets; if the central claim is to apply broadly, the manuscript must state whether the necessity extends or identify the additional assumptions needed for generalization.
  Authors: The necessity proof is deliberately scoped to the transfer-dichotomous asset setting, which models standard fungible assets. We will revise the manuscript to explicitly note this scoping and state that generalization to non-dichotomous assets would require additional assumptions on asset-specific authorization rules and transfer semantics.
  Revision: yes
Circularity Check
Derivation chain is self-contained; no load-bearing reductions to self-citations, fitted inputs, or definitional loops.
The paper defines the Key Sovereignty Axiom (KS) as an external axiom and applies it directly to the authorization model of standard account-based ledgers (EOAs, ERC-4337, EIP-7702) to derive the impossibility of NCEE. It separately defines Asset-Authorization Coupling (AAC) and proves necessity in the transfer-dichotomous setting. The positive construction introduces a new envelope primitive with commitment-based marker sets, nullifier separation, and explicit deployment assumptions (immutable registry) plus cryptographic assumptions; these are stated as premises rather than derived from the target result. No equations or proofs reduce by construction to prior self-citations, fitted parameters renamed as predictions, or smuggled ansatzes. The security games (encumbrance integrity, settlement security, etc.) are defined independently and support the claims without circular reference back to the NCEE definition.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: Key Sovereignty Axiom (KS)
- domain assumption: Asset-Authorization Coupling (AAC)
invented entities (1)
- envelope: no independent evidence