Papers
Topics
Authors
Recent
Search
2000 character limit reached

Write-Domain Separation and Non-Custodial Enforcement: A Structural Impossibility in Account-Based Ledgers, with a Commitment-Based Construction

Published 2 May 2026 in cs.CR | (2605.01210v1)

Abstract: Account-based ledgers -- standard externally-owned accounts (EOAs), ERC-4337 smart accounts, post-Pectra EIP-7702 delegated EOAs -- place the holder of the controlling key at the apex of asset authorization. We ask a structural question about ledger access control: under this authorization model, can a protocol enforce the future disposition of an asset without taking custody and without requiring the owner's cooperation at enforcement time? We formalize the target as Non-Custodial Enforced Encumbrance (NCEE), a four-property specification covering self-custody, transition restriction, irrevocability, and permissionless enforcement. We define the Key Sovereignty Axiom (KS) and prove that any ledger satisfying KS cannot realize NCEE; standard EOAs, ERC-4337 smart accounts, and EIP-7702 delegated EOAs satisfy KS for their standard asset paths. We define Asset-Authorization Coupling (AAC) and prove it necessary for NCEE in the transfer-dichotomous asset setting. To witness the positive side, we introduce the envelope, a primitive for commitment-based private-state ledgers that binds a note, a condition tree, and a redistribution intent to protocol-maintained marker sets, separating ordinary spend nullifiers from a new encumbrance-namespace nullifier derived from note randomness rather than the owner key. We prove the envelope realizes NCEE under stated cryptographic assumptions and a deployment assumption that the marker-set registry is immutable; three concrete deployment templates are given. We define games for encumbrance integrity, settlement security, key-compromise resilience, and encumbrance indistinguishability. A reference implementation in Noir and UltraHonk supports the empirical claims, with gas measurements, recursive aggregation benchmarks, and a practical-economics analysis.

Authors (1)

Summary

  • The paper establishes that non-custodial enforced encumbrance is structurally impossible in standard account-based ledgers due to inherent key sovereignty limitations.
  • It formalizes the necessity of asset-authorization coupling and introduces an envelope primitive that enforces protocol-level restrictions using cryptographic proofs.
  • The study presents detailed ledger analyses and benchmarks, demonstrating the envelope construction’s practical feasibility for L1 and L2 implementations in DeFi.

Structural Impossibility and Commitment-Based Enforcement in Account-Based Ledgers

Formalization and Structural Separation

The paper rigorously addresses the question of whether it is feasible to enforce future asset disposition in account-based ledger systems without resorting to custodial solutions or requiring the asset holder’s cooperation at enforcement time. The main model-level contribution is the identification and formalization of a structural barrier to non-custodial enforced encumbrance (NCEE).

NCEE is defined by four properties: self-custody (no required co-signer), transition restriction (assets move only via protocol-defined paths during encumbrance), irrevocability (owners cannot unilaterally remove encumbrance), and permissionless enforcement (any third party can trigger enforcement on condition satisfaction). The work distinguishes two critical abstractions:

  • Key Sovereignty (KS): The holder of the controlling key can always authorize a transition that weakens any active protocol-imposed restriction. KS is ubiquitous in standard EOAs, ERC-4337 smart accounts (single-key configuration), and EIP-7702 delegated EOAs.
  • Asset-Authorization Coupling (AAC): Valid asset transitions are cryptographically coupled to the mechanism’s restraining state, disabling unilateral owner escape without consulting mechanism state.

The central theorems demonstrate that any ledger satisfying KS cannot realize NCEE; conversely, AAC is necessary (in transfer-dichotomous asset classes) for achieving NCEE.

Concrete Ledger Analysis

The paper substantiates KS-impossibility across major Ethereum account abstractions:

  • Standard EOAs: The owner’s key can always bypass protocol-level restrictions by transferring assets to a fresh address.
  • ERC-4337 Smart Accounts: Owner re-instantiation or rule modification by the controlling key preserves unilateral escape.
  • EIP-7702 Delegated EOAs: Protocol-level reauthorization is uninterceptable at the delegate code layer; the controlling key can always overwrite restrictions.

These analyses are realized with detailed, code-level proofs, providing categorical exclusion of NCEE for these asset paths.

Commitment-Based Construction in Extended Private-State Ledgers

On the positive side, the work introduces an envelope primitive in an extended private-state ledger model (PSLM), where asset spendability is cryptographically bound to protocol-maintained marker sets—namely, the active and consumed encumbrance markers. This construction achieves domain separation between ordinary spends (nullifiers tied to owner key) and encumbrance nullifiers (derived from note randomness), facilitating permissionless enforcement without owner key material exposure.

The envelope binds the asset note, condition tree (public trigger predicate), and redistribution intent (destination/action at enforcement). Transitions within the envelope model require zero-knowledge proofs, on-chain marker-set membership, and enforceable restriction checks; all NCEE properties are rigorously shown to hold, subject to cryptographic and deployment assumptions (notably registry immutability).

Security Analysis and Proof-of-Enforcement Guarantees

Security is analyzed via explicit game definitions, covering encumbrance integrity, settlement security, key-compromise resilience, and indistinguishability. The envelope construction’s security reductions rely on knowledge soundness (SNARK), Poseidon2 collision resistance and indifferentiability (heuristic), and discrete log hardness (for signature-based settlement). All implementation-dependent and heuristic claims are separated from theorem-level results.

Key security claims include:

  • Encumbrance integrity: Spend is blocked for actively encumbered notes except under collision or soundness failure.
  • Double-encumbrance prevention: Active envelope uniqueness per note is enforced.
  • Enforcement is both permissionless and safe: Any party may trigger enforcement, and protocol-level condition evaluation is deterministic.
  • Privacy: Nullifier separation and blinded position commitments provide operational privacy, subject to residual linkability.

The paper also discusses deployment recipes (strict immutability, timelock-parameter governance, quorum-frozen exits) required to satisfy registry immutability assumptions.

Practical Economics and Implementation

The reference implementation (Noir/UltraHonk) demonstrates practical feasibility, reporting gas and aggregation benchmarks for envelope operations. On L1, the construction is economical for mid-to-large asset positions ($\$10k - \$1M+$), and on L2s, it is cost-effective even for consumer-scale positions. Recursive proof aggregation further reduces amortized costs, broadening applicability.

The envelope paradigm is directly suitable for non-custodial collateralized lending, providing DeFi protocols with enforceable, non-custodial liquidation guarantees under public (oracle-fed) conditions. This design fundamentally changes the asset custody risk profile, exchanging it for cryptographic and operational reliability assumptions.

Comparative Analysis and Limitations

The paper differentiates its contributions from prior work (Hawk, Zcash/Penumbra/Veri-Zexe, ERC-4337/7710/7715, Bitcoin covenants, intent frameworks, keeper networks), demonstrating that none jointly achieves both impossibility and commitment-based NCEE realization in the account-based asset setting. Privacy is partial and residual linkability remains; post-quantum security is not provided; cross-transaction oracle manipulation and hybrid asset class analysis are delegated to future work.

Conclusion

This work solidly establishes that in standard account-based ledgers, non-custodial enforced encumbrance is structurally impossible so long as asset movement remains under unilateral owner control (KS), irrespective of policy-language or wallet-level refinements. Commitment-based ledger models with cryptographically coupled authorization can realize NCEE, and the envelope primitive provides a concrete, security-analyzed construction. The separation between KS and AAC is sharp, formal, and ledger-independent for transfer-dichotomous asset classes, providing a rigorous foundation for future protocol and asset-control designs.

Future directions include richer hybrid asset analysis, stronger implementation verification, removal of heuristic cryptographic dependencies, improved keeper-incentive mechanisms, and post-quantum variants. The structural separation and formal framework here will guide such development.

Reference: "Write-Domain Separation and Non-Custodial Enforcement: A Structural Impossibility in Account-Based Ledgers, with a Commitment-Based Construction" (2605.01210).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.