Anonymity Ring

The off-chain validation layer that runs sanity and synthesis checks before a verification settles on-chain.

The Anonymity Ring is the off-chain layer between the device's capture and the on-chain settlement. Its job is to inspect the 134-feature behavioral summary that arrives from the SDK and decide whether the captured signal is plausibly human before the proof is allowed to settle.

What runs in the layer today

The check stack is implemented and runs against every verification on devnet. It is structured by tier, with each tier tightening the filter:

  • Tier 1—feature-distribution sanity. Each captured feature's value is compared against the population envelope of real human captures. Out-of-distribution values, replay signatures, and entropy violations are rejected before the proof is even examined.
  • Tier 2—cross-modal temporal coupling. Voice prosody, hand tremor, and touch dynamics must align across the same capture window. Real humans produce coupled signals—voice timing tracks with pointer micro-movement; pause envelopes correlate with motion variance. Captures whose modalities don't co-vary in human-plausible ways are rejected.
  • Tier 3—proof-level invariants. These are enforced inside the on-chain Hamming circuit. The new fingerprint must sit within Hamming distance of the previous, and above the anti-replay floor.
  • Tier 4—phrase content binding. The audio captured against the issued phrase challenge must transcribe to the issued phrase. Mismatched audio is rejected. Subsequent T4 waves extend this layer with synthesis-detection models trained against frontier voice generators.

Public adversarial waves T1 through T3 produced 14,000+ attempts, all rejected. The T4a voice-synthesis study ran in four waves to isolate each defense layer's contribution against one canonical attack class:

  • Wave 1: 50 attempts, 100% pass with temporal coupling in log-only mode (the counterfactual baseline).
  • Wave 2: 10 attempts, 10% pass with temporal enforcement at threshold 0.10.
  • Wave 3: 20 attempts, 0% pass with temporal enforcement plus phrase content binding.
  • Wave 4: 1,000 attempts, 0% pass at scale, 95% confidence interval [0%, 0.37%].

The combined three-layer stack drops T4a from 100% to 0%. Full results at entros.io/security.
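
The Wave 4 interval quoted above can be reproduced with an exact binomial (Clopper-Pearson) calculation over the per-wave attempt counts. This is an added example, not Entros code: the page does not name the interval method, so Clopper-Pearson is an assumption, and the pass counts are derived from the stated percentages.

```python
import math

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), summed in log space to avoid overflow."""
    if p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 1.0 if k >= n else 0.0
    log_n_fact = math.lgamma(n + 1)
    total = 0.0
    for i in range(k + 1):
        log_pmf = (log_n_fact - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                   + i * math.log(p) + (n - i) * math.log1p(-p))
        total += math.exp(log_pmf)
    return min(total, 1.0)

def _solve_decreasing(f, target, iterations=100):
    """Bisection on [0, 1] for a function that decreases in p."""
    lo, hi = 0.0, 1.0
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if f(mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def clopper_pearson(passes, attempts, confidence=0.95):
    """Exact two-sided interval for the true pass rate of an attack class."""
    if not 0 <= passes <= attempts or attempts == 0:
        raise ValueError("need 0 <= passes <= attempts and attempts > 0")
    tail = (1 - confidence) / 2
    # Edge cases: zero passes pins the lower bound at 0, all passes pins the upper at 1.
    lower = 0.0 if passes == 0 else _solve_decreasing(
        lambda p: binom_cdf(passes - 1, attempts, p), 1 - tail)
    upper = 1.0 if passes == attempts else _solve_decreasing(
        lambda p: binom_cdf(passes, attempts, p), tail)
    return lower, upper

# (passes, attempts) per T4a wave; pass counts derived from the page's percentages.
WAVES = {"Wave 1": (50, 50), "Wave 2": (1, 10), "Wave 3": (0, 20), "Wave 4": (0, 1000)}

if __name__ == "__main__":
    for name, (passes, attempts) in WAVES.items():
        lo, hi = clopper_pearson(passes, attempts)
        print(f"{name}: {passes}/{attempts} passed, 95% CI [{lo:.2%}, {hi:.2%}]")
```

Run against the smaller waves, the same method gives much wider intervals: 0 of 20 in Wave 3 yields an upper bound of about 16.8%.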

What the layer sees and does not see

The validator receives only what the device transmits: the 134-number summary, the proof, the new commitment, and the audio for the phrase challenge. It does not receive raw motion or touch traces, and the audio is not retained after phrase validation completes. The transcription of the spoken phrase is logged for adversarial-wave debugging, since text alone carries no biometric content; raw audio waveforms are not.

What the proof attests, what the validator attests

Two complementary claims:

  • The on-chain Groth16 proof attests that the new behavioral fingerprint sits within Hamming distance of the previous fingerprint, against the protocol's commitment scheme. It is the proof of consistency.
  • The off-chain validator attests that the captured signal has the structure of human behavior—sane feature distributions, coupled modalities, matched phrase content. It is the proof of plausibility.

Both must hold for a verification to settle. The proof catches replay against a different Anchor; the validator catches synthesized captures and out-of-distribution submissions.

What "decentralized" means here, and what's deferred

Today the validator runs as a single off-chain service operated by the Entros team. The check stack itself—the engine that runs all of the above tiers—is implemented and live. What is not yet live is the multi-validator deployment topology around that engine: VRF-selected validator cohorts, BLS-aggregated signed sign-off, slashable stake.

The decentralization plan is to spin up a permissionless validator set in which each node runs the same check stack independently, signs its outcome, and aggregates with the rest of a selected cohort. This is post-mainnet work; the validator economics live in the registry program and activate when the multi-validator architecture comes online.

This is a deliberate sequencing. Iterating the check stack against newly discovered attack vectors is faster inside a single team than across a permissionless validator set. Once the stack reaches a maturity bar where iteration happens on a slower cadence, the multi-validator architecture comes online with the same engine running across the ring.
