<style>
.reveal { font-size: 28px; }
.reveal h1, .reveal h2 { line-height: 0.95; }
.reveal small { font-size: 0.7em; }
.reveal ul { line-height: 1.25em; }
.reveal p { line-height: 1.2em; }
.reveal blockquote { font-size: 1.1em; line-height: 1.1em; }
code { color: #aaf; font-size: 100%; }
</style>
<!-- .slide: id="intro-title" data-background-color="#000" -->
# Gordian Clubs
<small>_(IIW 2025-10-21)_</small>
_Christopher Allen — Trust Architect_<br/><small>Blockchain Commons</small>
---
## Five Human Stories
<font size=6>
**When infrastructure becomes a weapon:**
* **The Journalist** when servers can be raided and sources exposed
* **The Student** when institutions cascade into bankruptcy
* **The Refugee** when identity papers no longer exist or can't be renewed.
* **The Dissident** when identity itself becomes the weapon
* **The Engineer** when family safety depends on pseudonymity
</font>
<p/>
### Not theoretical, but real.<br/>Real people. Real threats.
<small>**Details:** [Journalist](#/journalist-scenario) • [Student](#/student-scenario) • [Refugee](#/refugee-scenario) • [Dissident](#/dissident-scenario) • [Engineer](#/engineer-scenario)</small>
Note:
Five human stories where platform dependency becomes existential threat. These aren't hypotheticals—they're real problems happening now that the five patterns you know from Bitcoin can solve. The journalist when servers can be raided and sources exposed. The student when institutions cascade into bankruptcy. The refugee when identity papers no longer exist or can't be renewed. The dissident when identity itself becomes the weapon. The engineer when family safety depends on pseudonymity. Real people. Real threats.
Note:
You can present individual scenarios as time allows, or skip to the summary if time is tight. Each scenario has technical implementation details available as supplemental material.
---
<!-- .slide: id="abilities-rights" data-background-color="#191970" -->
## What If Your Abilities Became Mathematical Rights Instead of Platform Privileges?
<font size=6>
Not just for money, but for:
* **The Journalist:** sources protected by mathematics, not promises
* **The Student:** learning that survives institutional collapse
* **The Refugee:** identity that exists without state permission
* **The Dissident:** reputation that crosses hostile borders
* **The Engineer:** open source contribution without exposure
</font>
<p/>
### This is about exodus protocols for the<br/>full exercise of <u>human rights</u> in digital space.
Note:
What if we applied the same five architectural patterns beyond money? What if your abilities became mathematical rights instead of platform privileges? Sources protected by mathematics, not promises for the journalist. Learning that survives institutional collapse for the student. Identity that exists without state permission for the refugee. Reputation that crosses hostile borders for the dissident. Contribution to open source without exposure for the engineer. This is about exodus protocols for the full exercise of human rights in digital space.
----
<!-- .slide: id="journalist-scenario" data-background-color="#4B0082" -->
### The Journalist: Freedom of Press as Mathematical Right
<font size=5.5>
* **The problem:** Protecting whistleblowers under authoritarian pressure. Server location matters. Hosting provider matters. Payment processor matters. Each dependency is a vulnerability.
* **Exodus protocol solution:** Source materials encrypted as a Gordian Club with SSKR threshold shares—any 3 of 5 editorial board members can access. Works via sneakernet in censored regions. No server to raid, no access logs to subpoena.
* **Even better: [selective disclosure](https://www.blockchaincommons.com/musings/musings-data-minimization/).** Sensitive details elided for court review while maintaining cryptographic signatures that prove authenticity. Prove the document is genuine without revealing protected sources.
</font>
<p/>
### **Freedom of press becomes a mathematical right,<br/>not a corporate privilege.**
<small>[← Back to Five Stories](#/five-stories) | **Technical:** [Implementation Details](#/journalist-technical)</small>
Note:
The journalist protecting whistleblowers under authoritarian pressure. Every dependency is a vulnerability. With exodus protocols: source materials as threshold-encrypted Gordian Clubs. Any 3 of 5 editorial board members can access. Works via sneakernet in censored regions. No server to raid, no access logs to subpoena. Even better: selective disclosure. In legal proceedings, prove the document is genuine without revealing protected sources. Elide sensitive details while maintaining cryptographic signatures. Freedom of press becomes a mathematical right, not a corporate privilege.
----
<!-- .slide: id="journalist-technical" -->
### Journalist Scenario: Technical Implementation
<font size=5>
**Gordian Club Structure:**
```
ENCRYPTED_CONTENT: Whistleblower documents
PERMITS:
- SSKR (3-of-5 editorial board threshold)
- Individual editor public keys (ongoing access)
SIGNATURES: Threshold board approval
PROVENANCE: Tamper-evident edition chain
```
**Cryptographic Properties:**
* Content encrypted with symmetric key
* SSKR shares distributed to 5 editors
* Any 3 can reconstruct key offline
* No coordination required for reconstruction
* Selective disclosure via Gordian Envelope elision
**Why This Protects:**
* No central server to subpoena
* No access logs exist
* Works completely offline
* Court can verify threshold without revealing participants
</font>
<small>[← Back to Journalist Scenario](#/journalist-scenario) | **See also:** [Pattern 1 (Envelope)](#/pattern-1-technical) • [Pattern 2 (FROST)](#/pattern-2-technical) • [Gordian Technical](#/gordian-clubs-technical)</small>
Note:
This shows the technical implementation for protecting whistleblower documents. Content is encrypted with a symmetric key. SSKR shares are distributed to five editors—any three can reconstruct the key offline with no coordination required. Selective disclosure via Gordian Envelope elision means you can prove authenticity in court while hiding protected sources. No central server to subpoena, no access logs, works completely offline. The threshold can be verified without revealing which specific editors participated.
----
<!-- .slide: id="student-scenario" data-background-color="#4B0082" -->
### The Student: When Institutions Vanish
<font size=5.5>
* **The problem:** Today, my former students struggle to get paper diplomas. Digital credentials? Impossible. The registrar has changed hands four times. Authentication systems gone. Verification portals vanished.
    - Bainbridge Graduate Institute → Pinchot University →<br/>Presidio → Dominican College
* **Exodus protocol solution:** Diplomas as autonomous cryptographic objects, signed by threshold attestations from faculty. School issues a degree signed by any 5 of 9 faculty members and 2 of 3 administrators.
* **Even better: [herd privacy](https://www.blockchaincommons.com/articles/Dangerous-Educational-Credentials/).** School publishes one elided root containing all of a year's graduate credentials. Individual students hold their unelided credential proving inclusion, but root reveals nothing about which credential belongs to which student. Students choose what to reveal to others, not institutions.
</font>
<p/>
### **Mathematical attestations endure<br/>when registrars don't.**
<small>[← Back to Five Stories](#/five-stories)</small>
Note:
This is my story. Bainbridge Graduate Institute became Pinchot University. Pinchot merged with Presidio. Presidio closed, acquired by Dominican College. Today my former students struggle to get diplomas. Digital credentials are impossible. The registrar has changed hands four times. This isn't crisis—it's a respected US graduate institution. Institutional cascade failure produces the same result as state collapse: credentials that can't be verified. With exodus protocols, diplomas are autonomous cryptographic objects, signed by threshold attestations. Even better: combine with herd privacy. BGI publishes one elided root containing all graduates in a year. Students hold credentials proving inclusion without exposing individual data. Mathematical attestations endure when registrars don't.
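Added example (not Blockchain Commons code): the herd-privacy idea above, modelled as a salted Merkle tree in which the school publishes only the root and each student keeps a credential, a salt and an inclusion proof. Gordian Envelope's real digest tree and elision encoding differ; the function names, the per-student salt and the sample class list are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def _h(tag: bytes, *parts: bytes) -> bytes:
    # Domain-separated SHA-256 so a leaf can never be replayed as an interior node.
    return hashlib.sha256(tag + b"".join(parts)).digest()

def leaf_hash(credential: bytes, salt: bytes) -> bytes:
    # The per-student salt stops anyone who sees a sibling hash inside a proof
    # from confirming a guessed classmate's credential by hashing the guess.
    return _h(b"\x00", salt, credential)

def build_levels(leaves):
    """Return every tree level, from the leaves up to [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [_h(b"\x01", cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])            # odd node is promoted, never duplicated
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each flagged left/right."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):           # promoted nodes have no sibling here
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def issue_year(credentials):
    """School side: returns (root to publish, one private package per student)."""
    if not credentials:
        raise ValueError("no credentials to issue")
    salts = [secrets.token_bytes(16) for _ in credentials]
    levels = build_levels([leaf_hash(c, s) for c, s in zip(credentials, salts)])
    packages = [{"credential": c, "salt": s, "proof": inclusion_proof(levels, i)}
                for i, (c, s) in enumerate(zip(credentials, salts))]
    return levels[-1][0], packages

def verify_inclusion(root, credential, salt, proof) -> bool:
    """Verifier side: needs only the published root and what the student reveals."""
    node = leaf_hash(credential, salt)
    for sibling, sibling_is_left in proof:
        node = (_h(b"\x01", sibling, node) if sibling_is_left
                else _h(b"\x01", node, sibling))
    return hmac.compare_digest(node, root)

# Constructed sample data: five graduates of one hypothetical class year.
CLASS = [f"Example Degree | graduate-{n}".encode() for n in range(1, 6)]

if __name__ == "__main__":
    root, packages = issue_year(CLASS)
    p = packages[2]
    print(root.hex(), verify_inclusion(root, p["credential"], p["salt"], p["proof"]))
```

In the full scheme the root would also carry the faculty threshold signature; this sketch covers only the inclusion proof.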
----
<!-- .slide: id="refugee-scenario" data-background-color="#4B0082" -->
### The Refugee: Identity Without State Recognition
<font size=5.5>
* **The problem:** 40% of displaced Syrians lack family booklets needed for civil documents. Digital identities frozen in time. Border crossings demand papers that no longer exist.
* **Exodus protocol solution:** Identity credentials as autonomous cryptographic objects with progressive disclosure. Prove age without revealing birthdate. Prove family relationship without exposing full identity. Works offline via Bluetooth at border crossings when networks unavailable. Works without state recognition—cryptography proves validity.
* **Even better: credentials that outlive institutions.** A refugee Syrian nurse carries medical training attestations from a threshold of doctors. Faculty fled—two dead, two in Jordan, one in Germany. But the credentials still verify because the foundation is mathematical, not institutional.
</font>
<p/>
### **When states fail to recognize identity,<br/>human rights shouldn't vanish with the paperwork.**
<small>[← Back to Five Stories](#/five-stories)</small>
Note:
The refugee. Forty percent of displaced Syrians lack family booklets needed for civil documents. Border crossings demand papers that no longer exist. With exodus protocols, identity credentials are autonomous cryptographic objects with progressive disclosure. Prove age without revealing birthdate. Works offline via Bluetooth at border crossings. Works without state recognition because cryptography proves validity, not administrator approval. Even better: credentials that outlive institutions. A Syrian nurse carries medical training attestations with threshold signatures. Faculty fled—two dead, two in Jordan, one in Germany. But the credentials still verify because the foundation is mathematical, not institutional. When states fail to recognize identity, human rights shouldn't vanish with the paperwork.
----
<!-- .slide: id="dissident-scenario" data-background-color="#4B0082" -->
### The Dissident: When Freedom Requires Exit
<font size=5.5>
* **The problem:** Russian opposition activists flee Putin's regime. Physical freedom to leave—but bank accounts frozen. Credit cards canceled. Payment apps disabled. Not Russia blocking them—Western sanctions make no distinction between oligarch and activist.
* **Exodus protocol solution:** Financial credentials proving identity without revealing nationality. Reputation that transfers across borders. Access to funds through threshold cryptography—cooperation of trusted contacts, not permission from institutions judging your passport.
* **Even better: zero-knowledge proof of funds.** Prove financial capacity without revealing amounts or sources. Reputation attestations from trusted colleagues already in refuge. Progressive trust building across borders without nationality exposure. Enable peer-to-peer transactions when banking infrastructure refuses service.
</font>
<p/>
### **Mathematics doesn't check passports.**
<small>[← Back to Five Stories](#/five-stories)</small>
Note:
The dissident. Russian opposition activists flee Putin's regime. They have the physical freedom to leave: visas, plane tickets, safe destinations. But bank accounts are frozen. This isn't Russia blocking them, it's Western sanctions that make no distinction between oligarch and activist. Freedom of movement becomes meaningless without economic capability. With exodus protocols: financial credentials proving identity without revealing nationality. Reputation transfers across borders. Access through threshold cryptography of trusted contacts, not institutions. Even better: zero-knowledge proof of funds. Prove financial capacity without revealing amounts or sources. Reputation attestations from colleagues already in refuge. Progressive trust building without nationality exposure. When economic infrastructure becomes enforcement for political control, autonomous alternatives become the difference between successful escape and economic imprisonment in exile. Mathematics doesn't check passports.
---
<!-- .slide: id="engineer-scenario" data-background-color="#4B0082" -->
### The Engineer: Contributing Without Exposure
<font size=5.5>
* **The problem:** Amira is a Syrian software engineer who wants to contribute to women's safety applications and exodus projects. Using her real identity could endanger her family still in Syria. Using anonymous accounts means no reputation, no trust, no meaningful contribution.
* **Exodus protocol solution:** Creates pseudonymous identity "BWHacker" using XID—a stable cryptographic identifier that persists across projects. Demonstrates expertise through verifiable contributions. Earns peer endorsements cryptographically signed to BWHacker. Builds portable reputation that transfers across collaborations.
* **Even better: progressive trust with key rotation.** If keys are compromised, she can rotate them while maintaining the same identity and reputation history. The XID persists even as the cryptographic keys change. Prove competence without exposing vulnerability.
</font>
<p/>
### **Contribution without exposure.<br/>Reputation without revelation.**
<small>[← Back to Five Stories](#/five-stories) | **Technical:** [XIDs](#/xid-technical)</small>
Note:
Amira, a Syrian software engineer, wants to contribute to advocacy applications and exodus projects—tools that help people like her maintain autonomy under authoritarian pressure. Using her real name endangers family still in Syria. Anonymous contributions build no reputation or trust. With XIDs, she creates pseudonymous identity BWHacker—a stable cryptographic identifier. Through verifiable contributions, she earns peer endorsements cryptographically signed. Her reputation becomes portable across projects. If keys are compromised, she rotates them while maintaining identity history. This is the initial use case we're focused on: developers and power users supporting advocacy software, exodus projects, and human rights infrastructure. Dissidents, refugees, activists, professionals in hostile jurisdictions—anyone whose safety depends on separating identity from contribution.
---
<!-- .slide: id="gordian-intro" data-background-color="#191970" -->
## Gordian Clubs
<font size=5.5>
**Applying Bitcoin's patterns of autonomy to coordination:**
* Pure cryptographic objects (like UTXO model, but for shared documents)
* Multiple access methods without servers (like script flexibility, but for permits)
* Threshold governance without platforms (like multisig, but for group coordination)
* Provenance chains without centralized witness (like blockchain, but for editions)
* No phone home behaviors (like offline signing, but for all operations)
* Store-carry-forward messaging without servers (like mempool relay, but for sealed dead-drops)
</font>
<small>**Learn more:** [Anatomy](#/gordian-club-anatomy) • [Technical Architecture](#/gordian-clubs-technical) • [XIDs](#/xid-technical) • [Permits](#/permits-detail) • [Hubert](#/hubert-detail)</small>
Note:
Let me show one implementation—not to promote a product, but to make the patterns concrete. Gordian Clubs apply Bitcoin's autonomy to coordination. They're pure cryptographic objects like Bitcoin's UTXO model, but for shared documents. They have threshold governance like multisig, but for group coordination. They include provenance chains like blockchain, but for document editions.
---
<!-- .slide: id="gordian-club-anatomy" -->
### Gordian Club: Autonomous Cryptographic Object
<font size=5>
**Four-Part Structure:**
1. **Public Metadata:** Visible to everyone
    - Club name, purpose, version
    - No encryption required
2. **Encrypted Content:** Protected data
    - Strong symmetric encryption (ChaCha20-Poly1305)
    - Decryption key accessed via permits
3. **Multiple Permits:** Different access paths to same key
    - Passwords (simple), Public Keys (individual), SSKR (threshold)
    - FROST/MuSig2 (governance), XIDs (portable identity)
    - Each permit unlocks same content
4. **Provenance Chain:** Cryptographic audit trail
    - Each edition references previous
    - Write group signatures prove authorization
    - No central timestamp server needed
**Key Property:** Club is a single file. Copy it anywhere, works offline indefinitely.
</font>
<small>[← Back to Gordian Intro](#/gordian-intro) | **See also:** [Technical Architecture](#/gordian-clubs-technical) • [XIDs](#/xid-technical) • [Permits](#/permits-detail)</small>
---
<!-- .slide: id="gordian-clubs-technical" -->
### Gordian Clubs: Technical Architecture
<font size=4.5>
* **Gordian Envelope:** Nested, deterministic encryption structure supporting selective disclosure
    - Multiple access paths to content
    - CBOR-based canonical encoding
    - Enables verifiable, minimal disclosure
* **Permit System:** Multiple access methods for the same encrypted data
    - **Passwords:** Simple shared access *(current edition only)*
    - **Public Keys:** Individual member access *(ongoing)*
    - **SSKR:** Social recovery shares *(offline threshold reconstruction)*
    - **FROST/MuSig2:** Threshold governance *(online signing ceremonies)*
* **XIDs:** Portable, rotatable, cryptographically rooted identifiers
    - Derived from an inception key; persist through rotation
    - Enable pseudonymous reputation and cross-organization continuity
* **Provenance Marks:** Tamper-evident chains that order and authenticate editions
    - Cryptographic sequencing and verification
    - No trusted timestamp server required
* **Read / Write Model:** Cryptographically enforced permissions for data access and updates
    - **Read:** Decrypt content with any valid permit
    - **Write:** Requires signatures from a threshold of the prior edition’s write group
* **Hubert Transport:** Asynchronous, high-latency-tolerant “dead-drop” layer for coordination
    - Store-carry-forward message delivery *(like mempool gossip, but for encrypted data)*
</font>
Note:
Each layer here is a distinct building block for autonomy. Gordian Envelope provides structure, Permits define access, XIDs provide continuity for portable identity, Provenance Marks preserve history, the Read/Write model establishes authority, and Hubert connects it all through asynchronous, high-latency dead-drop delivery that tolerates delay, disconnection, or censorship. Together, they form a self-sufficient coordination architecture—no servers, no databases, no single points of failure.
<small>[← Back to Gordian Intro](#/gordian-intro) | **See also:** [Anatomy](#/gordian-club-anatomy) • [XIDs](#/xid-technical) • [Permits](#/permits-detail) • [Hubert](#/hubert-detail)</small>
---
<!-- .slide: id="xid-technical" -->
### XIDs: Stable Pseudonymous Identity
<font size=5>
* **XID = eXtensible IDentifier**
    - 32-byte identifier derived from inception key (SHA-256 hash)
    - Remains stable even as keys rotate
    - Portable across organizations
* **Key Rotation Without Identity Change:**
    1. XID derived from initial "inception" key
    2. Additional keys added/removed without affecting XID
    3. Original key can be rotated out entirely
    4. Identifier stays consistent → reputation travels with you
* **Why This Matters for AMIRA:**
    - Build reputation through pseudonym
    - Keys can be upgraded, compromised keys rotated
    - Identity persists across contexts
    - Progressive trust through stable identifier
    - Exit preserved: reputation isn't locked to one platform
</font>
<small>[← Back to Gordian Intro](#/gordian-intro) | **See also:** [Relational Identity](#/relational-identity) • [Engineer Scenario](#/engineer-scenario) • [Technical Architecture](#/gordian-clubs-technical) • [Permits](#/permits-detail)</small>
Note:
XIDs are eXtensible IDentifiers—32-byte identifiers derived from an inception key. They remain stable even as cryptographic keys rotate. This is crucial for Amira's use case. She builds reputation through her pseudonym BWHacker. If keys are compromised, she can rotate them without losing her identity or reputation history. The XID persists across organizations and projects. Progressive trust builds through the stable identifier. Her reputation isn't locked to any single platform—it travels with her.
---
<!-- .slide: id="permits-detail" -->
### Permits: One Door, Many Keys
<font size=5.5>
- `Password` • `Public Key` / `XID` • `SSKR` threshold •
- *(future)* `MuSig2` / `FROST` variants
- All unlock the **same symmetric key** → same plaintext `Edition` via different assurance/recovery paths
- **Selective disclosure:** reveal only what’s needed via Envelope **elision**
- **Offline by design:** QR / Bluetooth / sneaker-net; fetch later via **dead-drops**
- **Exit preserved:** permits are portable; **no phone-home** or platform dependency
</font>
Note:
For instance, with a permission you can open the same Edition twice (e.g., once via XID permit, once via 2-of-3 SSKR) to reveal identical plaintext and signatures.
<small>[← Back to Gordian Intro](#/gordian-intro) | **See also:** [Anatomy](#/gordian-club-anatomy) • [Technical Architecture](#/gordian-clubs-technical) • [XIDs](#/xid-technical)</small>
---
<!-- .slide: id="hubert-detail" -->
### Hubert: Cryptographic Dead-Drop Transport
<font size=5.5>
An **asynchronous transport layer** using a **cryptographic dead-drop model**<br/>instead of client-server or publish-subscribe architectures.
- **Pattern:** sealed message → `ARID` drop → later retrieval *(no sessions, no broker)*
- **ARIDs as capabilities:** each ARID is a **private capability**—a secret location in public networks
- **Write-once immutability:** messages cannot be modified or deleted once published—integrity guaranteed
- **Resilient delivery:** **store-carry-forward** across time, outage, or censorship
- **Where it lives:** **DHT** (≤1 KB control) • **IPFS** (large payloads) • **Hybrid** • **Emerging secure networks**
- **Privacy:** observers see only encrypted **GSTP** envelopes + derived keys *(ARIDs never exposed)*
- **Bidirectional flow:** request embeds **response `ARID`** → responder posts reply there
- **Group coordination:** **FROST** enables multiparty consensus → single cryptographic result
<p/>
#### A **mesh of sealed rendezvous points**—<br/>coordination built on **mathematics + persistence**, not **servers + brokers**
</font>
Note:
Hubert operates as an asynchronous, **high-latency-tolerant** cryptographic **dead-drop** network using **store-carry-forward** semantics.
Messages can traverse long delays, offline periods, or censorship events while remaining verifiable and retrievable once connectivity returns.
It turns unreliable networks into durable coordination channels.
Note:
Think of Hubert as a cryptographic **dead-drop** with **store-carry-forward** resilience. Messages are sealed, capability-addressed (`ARID`), and retrievable without live connections or brokers.
<small>[← Back to Gordian Intro](#/gordian-intro) | **See also:** [Technical Architecture](#/gordian-clubs-technical) • [Pattern 5 (Offline)](#/pattern-5)</small>
---
<!-- .slide: id="acos_enable" -->
### What Autonomous Cryptographic Objects Enable
<font size=5.5>
When information becomes a **self-contained object** with its own keys, rules, and history:
- **Unstoppable access** (like UTXOs, but for knowledge) — copies verify anywhere, even offline
- **Perfect privacy** (like cold storage, but for communication) — no logs, no tracking, no servers
- **Disaster resilience** (like hardware wallets, but for coordination) — works through outages and time gaps
- **Censorship resistance** (like consensus rules, but for governance) — math replaces administrative approval
- **True ownership** (like private keys, but for data) — control shared through **permits**, not platforms
**Principle:** _If a server can deny it, it’s not autonomous._
</font>
Note:
Autonomous cryptographic objects carry their own authority—keys, rules, and provenance—so they remain valid and accessible wherever copies exist.
Each property here mirrors one of the five Exodus patterns: self-sufficiency, mathematical enforcement, load-bearing constraints, portability, and offline continuity.
They make coordination, identity, and collaboration as unstoppable as Bitcoin transactions.
---
<!-- .slide: id="gordian-progress" -->
## Progress on Gordian Clubs
**Current status:** Working CLI app proof-of-concept.<br/>FROST integration in progress.
**Honest assessment:** Cryptographic primitives mature.<br/>Novel part is applying them to autonomous coordination.
_**Needs formal security audits before production.**_
Note: We have a working command-line proof-of-concept with FROST integration in progress. Most of the underlying cryptographic primitives are mature. The novel part is applying them to autonomous coordination. We need formal security audits before production.