Proof-of-Unchanged · Methodology · Ordinal 16
Proof-of-Unchanged
Custody-Boundary Verification Methodology
One-sentence summary: Proof-of-Unchanged is a custody-boundary verification methodology that deterministically answers one question: Has this evidence changed since the last verified checkpoint?
A non-interpretive visual pack summarizing the verification primitives (two-system architecture, PASS vs divergence, integrity vs membership, custody-boundary cycle, governance, and independent verification).
View Proof-of-Unchanged Visual Pack (PDF) →- Clinical trials & CRO inspection readiness
- Audit & assurance documentation frameworks
1) Purpose
Proof-of-Unchanged defines a domain-agnostic method for proving whether exported digital evidence has remained byte-unchanged across time and custody transitions, and for cryptographically enumerating divergence when it has not.
2) Scope
What it does
- Produces deterministic Proof-of-Unchanged via paired comparison of canonical checkpoints (Tk vs Tn).
- Detects byte-level divergence at both artefact and membership (ESF) layers.
- Returns informational divergence enumeration to bound proportional human investigation.
What it does not do
- Does not assess correctness, compliance, or intent.
- Does not prevent modification — it detects it.
- Does not operate inside source systems.
- Does not replace SOPs, audits, or regulatory judgment.
3) Core Definitions
Evidence Artefact: Any file or object treated as audit evidence once it exits a source system, immediately post-export.
Custody Boundary: Any transition where evidence moves between systems, storage tiers, custodians, jurisdictions, or sanctioned transformations.
Canonical State (Tk): A frozen, verifiable checkpoint represented by deterministic manifests, cryptographic digests, optional decentralized time attestation, and public hash-only anchoring.
4) Custody-Boundary Model
Verification occurs at custody boundaries, not inside systems.
This design avoids dependence on vendor APIs, platform trust, or internal system claims. Verification remains possible using retained evidence alone.
5) Canonical State Cycle (T₀ → Tₙ)
| Phase | Trigger | Action | Outcome |
|---|---|---|---|
| T₀ | Export from source system | Freeze → dual-hash → anchor | Canonical state |
| T₁ | Verification | Re-hash and compare | PASS or divergence |
| T₂ | Sanctioned transformation | Verify → transform → re-anchor | New canonical |
| Tₙ | Future challenge | Re-verify | Continuous provenance |
6) Interpretation Rule (Non-Accusatory)
Canonical claim: If bytes match the canonical state, the evidence is provably unchanged.
Divergence rule: Divergence is informational only. It does not imply error, misconduct, or non-compliance. It exists solely to direct proportional human effort.
PASS reduces reconstructive work. Divergence bounds reconstructive work.
7) Regulatory & Assurance Positioning
Proof-of-Unchanged operates within electronic records and audit documentation frameworks as mapped in C12 — AuditLog.AI Global Compliance Matrix.
- FDA 21 CFR Part 11
- EMA Annex 11 + GCP
- TGA / PIC/S PE 009-17
Additional assurance standards (PCAOB AS 1105 / AS 1215; ISA 230 / 500 / 240) are referenced in the full Compliance Matrix (C12).
This methodology is not clinical decision support and does not generate patient-level recommendations.
9) Operational Implementation
The workflow below summarises the post-export verification model. Each step is deterministic, custody-preserving, and verifiable using hash-only artefacts.
A QA-approved exported evidence bundle is selected for verification. No cryptographic commitments are published until the bundle is stable.
Each artefact is hashed locally: SHA-256 then RIPEMD-160(SHA-256). Sidecars (.hash, .2ha) and optional OTS proofs (.hash.ots) may be created.
Two independently anchored states (T₀ vs T₁) are compared using (sha256, r160) multiset parity and evidence-set membership checks. Paths and names are ignored.
Human oversight verifies the machine-deterministic outputs and, where relevant, confirms enumerated divergence against pre-anchored ground-truth keys.
A compact payload is anchored via OP_RETURN on Bitcoin L1 (e.g. SENTINEL|SESSION|<r160>|<sha8>) to provide a public timestamp commitment.
Hashing, OTS, and OP_RETURN payload
Verification uses cryptographic identifiers only:
- File-level digests:
SHA-256(bytes)→RIPEMD-160(SHA-256). - OpenTimestamps (OTS): optional
.hash.otsproofs can attest that a given hash existed before specific Bitcoin blocks. - Session-level payload: the frozen session log (hash-only) is reduced to a compact public commitment.
SENTINEL|SESSION|<ripemd160>|<sha8>
Anchoring provides a public timestamp commitment. Verification remains local: any verifier can recompute digests from retained exports and confirm whether an evidence state is unchanged relative to a reference state.
This page describes a public methodology. It does not constitute regulatory advice, legal opinion, or a determination by any authority.