Blog

Introducing ZIP-SRA-EVENTS: Chain-of-Custody as Append-Only Record

Registries for real-world assets still depend on opaque databases and paper files that are hard to audit, easy to fragment, and trivial to quietly edit. ZIP-SRA-EVENTS replaces this with per-asset, append-only event logs anchored in Zcash's shielded pool.

ZIP Chain of Custody Events

From opaque databases to append-only logs

Each time a work changes hands -- from estate to dealer, dealer to auction house, auction house to collector, collector to museum -- trust must be re-purchased from scratch. Prior verification work leaves no reusable trace. This reset dynamic imposes a coordination tax that compounds over time: uncertainty discounts, institutional withdrawal, and the gradual devaluation of works whose documentary infrastructure cannot keep pace with their circulation.

ZIP-SRA-EVENTS addresses this by defining a protocol where the Registry Authority (RA) maintains per-asset Chain of Custody logs as append-only sequences of signed transactions in Zcash's Orchard shielded pool. Verification work becomes cumulative infrastructure rather than a repeated private expense.

Six event types and what they track

The specification defines six event types, each with a specific registrarial purpose. REGISTER anchors a new artwork into the protocol. TRANSFER records the RA's recognition that custodianship has changed. STATUS tracks operational changes (on loan, in conservation, stolen, lost, damaged, destroyed, deaccessioned). REVISION corrects or updates prior claims through addition, not deletion. DISPUTE flags contested claims as a visible, non-terminal response to uncertainty. DOSSIER_UPDATE commits to updated documentary evidence without changing other aspects of the record.

Together, these six types cover the full lifecycle of an artwork's stewardship record. The design is intentionally narrow: the protocol records who issued what and when, in a tamper-evident order. It does not attempt to settle disputes, enforce ownership, or replace curatorial judgment.

The Canonical Artwork ID

Every artwork in the protocol receives a Canonical Artwork ID (CAID) derived deterministically from the registry identifier via Blake2b-256. This derivation produces a per-asset viewing key and unified address through ZIP-32 child key derivation. The CAID is not a token of ownership; it is a semantic anchor that ensures referential continuity across institutional, scholarly, and market contexts.

It is recommended that the underlying registry identifier be non-semantic (e.g. a UUID) to minimize information disclosure if an unauthorized party obtains the viewing key. A human-readable identifier like "ERL-painting-042" would leak contextual information beyond the event log itself.

Why revision is addition, not deletion

A traditional database corrects error by overwriting the prior record. The previous claim disappears. While administratively efficient, this destroys the visible trace of intellectual evolution -- it collapses the historical path of inquiry into a single present-tense assertion.

The REVISION event preserves the chronological trace of knowledge growth. When new evidence changes the RA's understanding of an asset, the RA issues a REVISION that references the prior claim and anchors the updated understanding. The registry shows what was believed at time T1, what was later discovered at T2, and how interpretation evolved. Correction becomes a sign of epistemic strength rather than weakness.

The evidentiary taxonomy: beyond authentic vs. fake

The binary "authentic / fake" dichotomy is incompatible with the epistemic reality of art historical practice. Attribution exists on a spectrum of confidence. Provenance can be strong for some periods and weak for others. A registry that forces binary classification either produces false certainty or false exclusion.

ZIP-SRA-EVENTS defines four evidentiary levels: REGISTERED (fully verified and documented), PROVISIONAL (strong historical evidence but pending updated inspection), DISPUTED (actively contested), and UNVERIFIED (referenced in historical records but lacking current documentation). This taxonomy renders epistemic states visible and structured, replacing informal whisper networks with auditable procedural signals.

How Lamport clocks detect tampering

Every event carries a Lamport clock (monotonically increasing per asset) and a hash chain reference (Blake2b-256 of the previous event's payload). Together, they create a dual integrity mechanism: the clock enforces monotonicity, and the hash chain enforces content integrity.

A verifier who detects a gap in the clock sequence knows events have been omitted. A verifier who finds a hash mismatch knows content has been tampered with. The protocol cannot prevent an RA from censoring events -- but it guarantees that included events cannot be silently reordered or edited after publication.

Progressive anchoring: integrity before completeness

Conventional catalogues raisonnes often postpone publication until exhaustive documentation is achieved, which in resource-constrained estates can take decades. ZIP-SRA-EVENTS reverses this order: it prioritizes chronological integrity over immediate completeness.

The RA begins by registering works whose documentation is already robust (as REGISTERED), then progressively anchors works with weaker documentation (as PROVISIONAL or UNVERIFIED). This ensures the registry does not prematurely confer legitimacy, nor does it erase uncertainty. For estates where much of the oeuvre resides outside direct physical control, progressive anchoring functions as a formal invitation to the market: collectors are invited to submit documentation for integration into a durable integrity chain.

Key takeaways

Read the full specification