# Threat Model
## Forensic Provenance Protocol (FPP)
## 1. Purpose
This document defines the **adversarial, misuse, and failure model** for the Forensic Provenance Protocol (FPP).
The goal is to ensure that:
* Provenance results are **not misleading**
* Uncertainty is **explicit and bounded**
* The protocol cannot be repurposed into surveillance or identity inference
* Failure modes degrade **honestly**, not silently
This threat model applies to the **protocol layer only**, independent of implementation.
## 2. Adversary Classes
### 2.1 Passive Observer
Capabilities:
* Reads public ledger data
* Executes protocol-compliant traversals
* Performs statistical analysis on outputs
Constraints:
* Cannot alter ledger history
* Cannot influence protocol logic
* Cannot inject false ledger events
Risk:
* Misinterpretation of probabilistic outputs
Mitigation:
* Mandatory confidence propagation
* Explicit probabilistic edges
* No forced attribution or collapse
### 2.2 Active Obfuscator
Capabilities:
* Intentionally routes funds through:
  * Mixers
  * CoinJoin transactions
  * Bridges
  * Aggregation contracts
* Splits, recombines, and delays transfers
Constraints:
* Cannot falsify ledger events
* Cannot prevent protocol from observing events
Risk:
* Attribution dilution
* Branch explosion
* Confidence decay
Mitigation:
* Obfuscation modeled explicitly
* Confidence decay enforced
* No hidden heuristics or guesses
### 2.3 Infrastructure Adversary
Capabilities:
* Controls or influences:
  * Indexers
  * RPC providers
  * Data availability layers
* Withholds or delays ledger data
Constraints:
* Cannot rewrite finalized ledger history
Risk:
* Incomplete graphs
* Missing edges or nodes
Mitigation:
* Protocol requires **complete data declaration**
* Incomplete inputs must be flagged
* Partial results are marked non-authoritative
### 2.4 Malicious Analyst (Misuse Threat)
Capabilities:
* Attempts to:
  * Over-interpret confidence
  * Present probabilistic links as facts
  * Collapse branches improperly
  * Claim identity inference
Risk:
* False certainty
* Legal or reputational harm
* Protocol misuse
Mitigation:
* Protocol forbids identity claims
* No default aggregation
* Attribution boundary defined separately
* Determinism without interpretation
## 3. Threats Explicitly Out of Scope
FPP does **not** defend against:
* Ledger-level fraud
* Consensus attacks
* Chain re-organizations
* False data injected at the ledger layer
* Legal misuse of results by third parties
These are upstream or downstream concerns.
## 4. Failure Modes
### 4.1 Data Incompleteness
Cause:
* Missing blocks
* Partial history
* Unavailable chain segments
Behavior:
* Traversal halts explicitly
* Confidence does **not** renormalize
* Output graph marked incomplete
Silent failure is forbidden.
### 4.2 Extreme Obfuscation
Cause:
* Large anonymity sets
* Deep mixing
* Exchange internal flows
Behavior:
* Branch count increases
* Confidence decays multiplicatively
* Attribution weakens naturally
The protocol **does not guess**.
### 4.3 Computational Exhaustion
Cause:
* Very deep traversal
* High fan-out graphs
* Supercomputer-scale exploration
Behavior:
* Traversal depth is user-bounded
* No implicit pruning
* Partial traversal must be declared
## 5. Non-Goals (Reaffirmed)
The protocol **must not**:
* Identify individuals
* Infer ownership
* Correlate off-chain behavior
* Use heuristics not declared in-spec
* Produce “likely owner” claims
Any implementation that does so is **non-compliant**.
## 6. Determinism Under Adversity
Even under adversarial conditions:
* Given identical inputs, outputs are identical
* No randomness is introduced to “smooth” results
* Uncertainty is surfaced, not hidden
This preserves forensic defensibility.
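The failure-mode behaviours of section 4 (explicit halt on missing data without renormalization, multiplicative confidence decay, user-bounded depth with declared partial traversal) and the determinism requirement of section 6, shown as an added example that is not part of FPP or any reference implementation. The ledger fragment, node names and the equal 1/N CoinJoin edge confidences are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed ledger fragment (not FPP data): node -> list of (next_node,
# edge_confidence). A CoinJoin-style mix fans out with equal per-output
# confidence; None marks a segment the indexer withheld (sections 2.3 / 4.1).
LEDGER = {
    "tx_src": [("mix_1", 1.0)],
    "mix_1": [("out_a", 0.25), ("out_b", 0.25), ("out_c", 0.25), ("out_d", 0.25)],
    "out_a": [("sink_x", 1.0)],
    "out_b": [("sink_y", 1.0)],
    "out_c": None,  # unavailable chain segment
    "out_d": [],
    "sink_x": [],
    "sink_y": [],
}

@dataclass
class Result:
    reached: dict                    # node -> accumulated path confidence
    incomplete: bool = False         # hit a node with no declared data (4.1)
    partial: bool = False            # depth bound cut live branches off (4.3)
    halted_at: list = field(default_factory=list)

    def authoritative(self) -> bool:
        return not (self.incomplete or self.partial)

def traverse(ledger: dict, start: str, max_depth: int) -> Result:
    """Deterministic, user-bounded forward traversal with multiplicative
    confidence decay. Missing data halts that branch and is flagged; the
    confidence stranded there is never redistributed (no renormalization)."""
    res = Result(reached={start: 1.0})
    queue = deque([(start, 1.0, 0)])
    while queue:
        node, conf, depth = queue.popleft()
        edges = ledger.get(node)
        if edges is None:                 # withheld or missing segment
            res.incomplete = True
            res.halted_at.append(node)
            continue
        if depth >= max_depth:            # user bound reached; no implicit pruning
            if edges:
                res.partial = True
            continue
        for tgt, p in sorted(edges):      # fixed order: same inputs, same output
            c = conf * p                  # confidence only decays along a path
            res.reached[tgt] = res.reached.get(tgt, 0.0) + c
            queue.append((tgt, c, depth + 1))
    return res
```

With the full depth the 0.25 stranded at the withheld `out_c` stays in the output rather than being spread over the reachable sinks, so the result is flagged non-authoritative instead of quietly summing to 1.0.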
## 7. Abuse Resistance by Design
FPP resists abuse by:
* Making uncertainty unavoidable
* Forcing explicit confidence decay
* Refusing to collapse ambiguity
* Separating provenance from attribution
The protocol is **informational**, not accusatory.
## 8. Relationship to Other Documents
* PROTOCOL.md
→ Defines graph and traversal semantics
* INVARIANTS.md
→ Defines what must never break
* ATTRIBUTION_BOUNDARY.md
→ Defines legal and ethical limits
* CONFIDENCE_MODEL.md
→ Defines math used by probabilistic edges
## 9. Versioning
This threat model applies to **FPP v0.1**.
Any protocol change affecting:
* Traversal
* Confidence
* Node semantics
**requires threat model review**.