This section defines the frozen reference implementation semantics for confidence propagation in FPP v0.1.
This boundary is normative for the Rust reference implementation and overrides any broader interpretive language below for v0.1 code.
Confidence propagation in the reference implementation is a pure, deterministic function operating exclusively on deterministic traversal output.
Rules:
- Initial confidence = 1.0
- Multiplicative decay per hop only
- No renormalization
- No guessing or inference
- No thresholds applied internally
- No mutation
- No access to graph structure
- No path collapsing or aggregation
Confidence depends solely on path length and a configured decay factor.
Any logic beyond this (edge justification, ε cutoffs, aggregation, interpretation) is explicitly out of scope for v0.1 implementation and belongs to external consumers or future protocol versions.
This implementation logic is frozen as of FPP v0.1.
# Confidence Model
## Forensic Provenance Protocol (FPP)
*(This is the **authoritative** version. If your current file differs, it should be replaced.)*
## 1. Purpose
This document defines how **uncertainty is represented, propagated, and bounded** within the Forensic Provenance Protocol (FPP).
Confidence values express **linkage certainty between provenance graph nodes**, not truth, identity, or ownership.
Confidence exists to **prevent false precision**, not to create it.
## 2. Scope and Non-Scope
### In Scope
* Confidence assignment to edges
* Confidence propagation along paths
* Explicit decay under uncertainty
* Deterministic computation
### Out of Scope
* Identity likelihood
* Ownership probability
* Behavioral inference
* Legal or compliance conclusions
## 3. Confidence Domain
All confidence values MUST satisfy:
0 < confidence ≤ 1
* 1.0 = deterministic, provable linkage
* Values < 1.0 = probabilistic or ambiguous linkage
* 0 is forbidden (absence of edge must be explicit)
This enforces **Invariant I-10 (Confidence Monotonicity)**.
## 4. Edge-Level Confidence Assignment
### 4.1 Deterministic Edges
Confidence MUST be exactly:
confidence = 1.0
Examples:
* Direct transfers
* Single-input → single-output transactions
* Verified lock/mint bridge pairs
Assigning < 1.0 here is forbidden.
### 4.2 Probabilistic Edges
Confidence MUST be < 1.0 and explicitly justified.
Examples:
* Mixers
* CoinJoin
* Exchange custody aggregation
* Obfuscated smart contracts
The protocol **does not mandate** a specific numeric value, but **does mandate**:
* Reproducibility
* Declared rationale
* Determinism
Hidden heuristics are forbidden
(see Invariant I-11).
## 5. Path-Level Confidence Propagation
For a path P composed of edges e₁ … eₙ:
confidence(P) = Π confidence(eᵢ)
Properties:
* Confidence never increases along a path: each hop either decreases it or leaves it equal
* No renormalization
* No smoothing
* No averaging
This enforces **Invariant I-10** and **I-7 (Deterministic Traversal)**.
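
The domain check from Section 3 and the path product above, sketched in Rust as an added example; it is not the FPP reference implementation's code. The names `ConfidenceError`, `path_confidence` and `hop_decay_confidence`, the sample values, and the reading of the v0.1 hop-decay rule as a product over one uniform per-hop factor are assumptions made for illustration.

```rust
// Added illustration; not code from the FPP reference implementation.
// ConfidenceError, path_confidence and hop_decay_confidence are hypothetical names.

#[derive(Debug, PartialEq)]
pub enum ConfidenceError {
    /// An edge value violated the Section 3 domain 0 < c <= 1 (NaN included).
    OutOfDomain { edge_index: usize },
}

/// Section 5: confidence(P) is the product of the path's edge confidences.
/// Pure and deterministic: no renormalization, smoothing, averaging or threshold.
pub fn path_confidence(edges: &[f64]) -> Result<f64, ConfidenceError> {
    let mut acc = 1.0_f64; // initial confidence = 1.0
    for (i, &c) in edges.iter().enumerate() {
        // The negated form also rejects NaN, which fails every comparison.
        if !(c > 0.0 && c <= 1.0) {
            return Err(ConfidenceError::OutOfDomain { edge_index: i });
        }
        acc *= c;
    }
    Ok(acc)
}

/// v0.1 boundary, as read here: the result depends only on the hop count
/// and one configured decay factor applied at every hop.
pub fn hop_decay_confidence(hops: usize, decay: f64) -> Result<f64, ConfidenceError> {
    path_confidence(&vec![decay; hops])
}

fn main() {
    // Constructed sample: two paths between the same pair of nodes.
    let direct = [1.0, 1.0, 1.0]; // deterministic edges only
    let via_mixer = [1.0, 0.5, 0.25]; // two probabilistic edges
    // Each path keeps its own value; nothing is collapsed or ranked.
    for (name, p) in [("direct", &direct[..]), ("via_mixer", &via_mixer[..])] {
        println!("{}: {:?}", name, path_confidence(p));
    }
    println!("3 hops at 0.5: {:?}", hop_decay_confidence(3, 0.5));
    println!("zero edge: {:?}", path_confidence(&[1.0, 0.0]));
}
```

On very long paths an `f64` product can underflow toward zero, so a consumer that needs path results to stay inside the Section 3 domain has to check for that separately.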
## 6. Multiple Paths and Branching
When multiple paths exist between two nodes:
* Each path retains its **own confidence**
* Paths are NOT collapsed by default
* Aggregation is an **explicit, opt-in operation**
The protocol core **never selects a “best” path**.
This prevents analyst-driven bias.
## 7. Obfuscation-Induced Decay
Obfuscation mechanisms cause:
* Branch explosion
* Confidence decay
* Attribution weakening
The protocol MUST:
* Model this explicitly
* Never “skip over” obfuscation
* Never compensate decay
Encountering obfuscation is **not failure**
(see Invariant I-12).
## 8. Halting Conditions Related to Confidence
Traversal MAY halt when:
confidence(path) < ε
Where:
* ε is user-defined
* ε MUST be declared in output metadata
Implicit thresholds are forbidden
(see Invariant I-9).
## 9. Incomplete Data Interaction
When ledger data is incomplete:
* Confidence MUST NOT be renormalized
* Missing regions MUST be visible
* Confidence decay reflects uncertainty, not absence
Confidence inflation under missing data is forbidden.
## 10. Determinism Requirement
Given:
* Same graph
* Same confidence assignment rules
* Same traversal parameters
Confidence results MUST be identical.
Random sampling, Monte Carlo methods, or probabilistic guessing are forbidden at the protocol layer.
## 11. Prohibited Confidence Uses
Confidence MUST NOT be used to:
* Claim ownership likelihood
* Infer identity
* Rank suspects
* Assert intent
Any implementation that does so is **non-compliant**.
## 12. Relationship to Other Documents
* INVARIANTS.md
→ Governs monotonicity, fabrication, determinism
* PROTOCOL.md
→ Defines where confidence attaches (edges, paths)
* THREAT_MODEL.md
→ Defines misuse risks of overconfidence
* ATTRIBUTION_BOUNDARY.md
→ Defines legal/ethical limits of interpretation
## 13. Versioning
This confidence model applies to **FPP v0.1**.
Any change affecting:
* Confidence math
* Decay behavior
* Aggregation semantics
**requires invariant and threat model review**.