Works best when
- Germany or eWpG applies and a licensed crypto-register is required.
Avoid when
- You can legally replace the register on day one.
Post-quantum exposure
Risk · medium
Vector
- Attestation signatures rely on standard ECDSA and inherit PQ exposure. Hashes anchored on-chain are PQ-safe.
Mitigation
- Migrate attestation signatures to PQ-safe schemes as ecosystem standards mature. See Post-Quantum Threats.
Components
- Licensed crypto-register under eWpG holds the legal records, PII, and signed notarial documents off-chain. It is the sole source of legal truth.
- Registrar API integration layer exposes signed records for each legal event (issuance, transfer, lien) to downstream systems.
- On-chain attestation schema defines the structure of mirrored facts: event type, record hash, registrar identifier, timestamp. PII never appears on-chain.
- Middleware attester reads the registrar's signed records, computes the hash, and posts an attestation on-chain under the schema.
- Reconciliation and audit tooling matches the on-chain anchor to the off-chain registrar record and flags drift.
Protocol
- operator: Registrar records the legal event in the off-chain register and emits a signed record containing the event details and a record hash.
- operator: Middleware consumes the signed record, verifies the registrar's signature, and constructs an attestation containing the record hash, event type, and timestamp.
- contract: The attestation is posted on-chain under the agreed Ethereum Attestation Service (EAS) schema. No PII is included.
- auditor: Later audits match the on-chain anchor to the registrar record: retrieve the registrar's plaintext record under NDA, recompute the hash, and confirm it equals the anchored attestation.
- auditor: Discrepancies trigger the incident runbook: the registrar remains legally authoritative, but a mismatch is evidence of tampering in one of the two systems.
Guarantees & threat model
Guarantees:
- Legal compliance with eWpG is preserved; the licensed registrar remains the authoritative record keeper.
- On-chain anchor provides tamper-evident linkage between the registrar's private ledger and a public timestamp.
- Mirrored facts are cryptographically verifiable without requiring regulator access to the plaintext.
Threat model:
- Trust in the registrar as sole gatekeeper. The registrar can refuse or delay any registration with no on-chain bypass.
- Middleware attester key compromise allows forged anchors. Multi-attester cross-validation mitigates this.
- Collusion between the registrar and the middleware can produce consistent but fraudulent records on both sides. Independent attesters reduce but do not eliminate this risk.
- PII exposure is out of scope for the on-chain layer by design; the registrar's access controls govern all PII handling.
Trade-offs
- Two sources of truth require ongoing reconciliation. Drift between the registrar and the on-chain anchor must be detected and resolved operationally.
- Strong incident and runbook discipline is required. A mismatch is not self-resolving; it triggers a manual investigation.
- Registrar dependency limits availability. Downtime at the registrar halts new anchors even if the on-chain side is healthy.
- The pattern is explicitly transitional: it assumes a future regulatory regime where the register itself can move on-chain and automation can replace the middleware.
Example
- An issuer records a bond issuance with the licensed registrar under eWpG.
- The registrar emits a signed record.
- The middleware hashes the record and posts an EAS attestation on Ethereum.
- A year later, an auditor retrieves the registrar's plaintext record under NDA, recomputes the hash, and confirms it matches the on-chain attestation, establishing integrity.
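
The audit step from the Protocol and Example sections, as an added sketch that is not code from the pattern's authors: it builds PII-free attestations and classifies drift between register and anchors. Assumptions: SHA-256 over sorted-key JSON as the canonical encoding, a record id index kept by the reconciliation tooling, and all field names and sample records, which are constructed.

```python
import hashlib
import json

def record_hash(record):
    """Hash a registrar record over a canonical encoding (assumed: sorted-key JSON, SHA-256)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_attestation(record, registrar_id):
    """Mirror only the schema fields the page names; PII stays in the register."""
    return {"event_type": record["event_type"],
            "record_hash": record_hash(record),
            "registrar_id": registrar_id,
            "timestamp": record["timestamp"]}

def reconcile(records, anchors):
    """Compare registrar records with anchors, both keyed by record id (assumed index)."""
    findings = {}
    for rid in sorted(set(records) | set(anchors)):
        rec, anchor = records.get(rid), anchors.get(rid)
        if rec is None:
            findings[rid] = "ORPHAN_ANCHOR"    # anchored fact with no register entry
        elif anchor is None:
            findings[rid] = "MISSING_ANCHOR"   # legal event never mirrored on-chain
        elif anchor["record_hash"] != record_hash(rec):
            findings[rid] = "HASH_MISMATCH"    # record or anchor changed after anchoring
        elif (anchor["event_type"], anchor["timestamp"]) != (rec["event_type"], rec["timestamp"]):
            findings[rid] = "METADATA_DRIFT"   # hash agrees but mirrored fields do not
        else:
            findings[rid] = "OK"
    return findings

# Constructed sample data, not taken from any real register.
REGISTER = {
    "rec-001": {"event_type": "issuance", "timestamp": 1700000000, "holder": "Example Holder GmbH"},
    "rec-002": {"event_type": "transfer", "timestamp": 1700003600, "holder": "Example Buyer AG"},
    "rec-003": {"event_type": "lien", "timestamp": 1700007200, "holder": "Example Bank"},
}
# rec-003 is never anchored; the other two are mirrored at the time of the event.
ANCHORS = {rid: build_attestation(rec, "registrar-example")
           for rid, rec in REGISTER.items() if rid != "rec-003"}
REGISTER["rec-002"]["holder"] = "Altered Holder AG"  # register edited after anchoring
ANCHORS["rec-999"] = {"event_type": "transfer", "record_hash": "00" * 32,
                      "registrar_id": "registrar-example", "timestamp": 1700010000}

if __name__ == "__main__":
    for rid, status in reconcile(REGISTER, ANCHORS).items():
        print(rid, status)
```

Every status other than `OK` is an input to the incident runbook; the tooling only detects drift and does not decide which side is wrong.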